CVE-2011-5164
published 2012-09-15


Priority: P2 · 61 · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT · EPSS: 28.58% (97.9th percentile)
Stack-based buffer overflow in VanDyke Software AbsoluteFTP 1.9.6 through 2.2.10 allows remote FTP servers to execute arbitrary code via a crafted file name in a LIST command response.

Affected

14 ranges, all vendor vandyke / product absoluteftp (the version range and fixed-in columns are empty on this page)

Detection & IOCs (extracted from sources)

command: LIST
other: Exploit offset: 3336 bytes
other: Malicious FTP LIST response pattern: "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 <oversized_buffer>.txt"
version: AbsoluteFTP 1.9.6 through 2.2.10
bytes: BadChars: \x00\x0d\x5c\x2f\x0a
  • Detect oversized file names (>3336 bytes) in FTP LIST command responses directed at AbsoluteFTP clients; the exploit requires a buffer of at least 3336 bytes before the ROP chain begins.
  • Look for FTP LIST response lines whose file names contain embedded binary/non-printable bytes. The exploit avoids null (\x00), carriage return (\x0d), backslash (\x5c), forward slash (\x2f) and newline (\x0a), so an oversized, otherwise malformed name that contains none of those five bytes is itself notable.
  • Detect FTP LIST responses where a single file-name entry exceeds normal length limits (hundreds to thousands of bytes), consistent with a ROP-NOP sled of 848 repetitions of 0x5f479005 followed by a ROP chain.
  • Flag FTP data-channel traffic containing the MFC42.DLL ROP gadget byte sequences (e.g., repeated little-endian 0x5f479005 = \x05\x90\x47\x5f) within a LIST response payload.
  • The exploit uses EXITFUNC=process and targets Windows XP SP2 through Windows 7 SP1; correlate AbsoluteFTP crashes (process exit) on those OS versions following an FTP LIST operation as a post-exploitation indicator.
  • The rogue FTP server sends a 150 status followed immediately by a 226 status with no actual data-transfer delay, then delivers the oversized LIST payload over the data connection; this anomalous sequencing is detectable in FTP session analysis.
  • The single exploit target covers a wide OS range (Windows XP SP2 to Windows 7 SP1) with one fixed return address from MFC42.DLL; the ROP chain is reliable only against unpatched MFC42.DLL builds where the gadget addresses match exactly.
  • The exploit references placeholder CVE/OSVDB/URL values ('---'), indicating the public PoC was released before formal CVE assignment; correlate with CVE-2011-5164 manually.
  • The lpOldProtect RW pointer (0x5F4D1115) used in the VirtualProtect ROP call is hardcoded and version-specific to the MFC42.DLL present on the targeted systems; detection signatures based on this address will not generalise to other DLL versions.
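The checks in the list above can be run directly over a captured LIST response. The following Python is an added, defender-side example (it is not code from the page's sources or from VanDyke): it parses Unix-style LIST entries, extracts the file-name field and flags names that exceed a sane length, reach the 3336-byte overflow offset, contain non-printable bytes, repeat the little-endian gadget 0x5f479005, or are oversized yet avoid all five badchars. The offset, gadget value, badchar set and 848-repeat sled are the values stated on this page; the 255-byte name ceiling and the 8-repeat gadget threshold are assumptions, and the sample payload is constructed here to resemble the response pattern quoted above.

```python
import re
from dataclasses import dataclass, field

# Indicator values taken from this CVE page's IoC section.
OVERFLOW_OFFSET = 3336                    # bytes of file name before the ROP chain
GADGET_LE = bytes.fromhex("0590475f")     # 0x5f479005 as little-endian bytes
BADCHARS = b"\x00\x0d\x5c\x2f\x0a"        # bytes the public exploit avoids
MAX_SANE_NAME = 255                       # assumed: longest name a normal server lists
GADGET_REPEAT_THRESHOLD = 8               # assumed; the PoC repeats the gadget 848 times

# Unix-style LIST entry: perms, links, owner, group, size, month, day, year/time, name.
LIST_RE = re.compile(
    rb"^([-dlbcps][-rwxsStT]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(.*)$"
)


@dataclass
class Finding:
    line_no: int
    name_len: int
    reasons: list = field(default_factory=list)


def extract_name(line: bytes):
    """Return the file-name field of a Unix-style LIST line, or None if it does not parse."""
    m = LIST_RE.match(line)
    return m.group(2) if m else None


def inspect_list_response(payload: bytes):
    """Flag LIST entries whose file-name field matches the overflow indicators on this page."""
    findings = []
    for line_no, line in enumerate(payload.split(b"\r\n"), start=1):
        if not line:
            continue
        name = extract_name(line)
        if name is None:
            findings.append(Finding(line_no, len(line), ["line does not parse as a LIST entry"]))
            continue
        reasons = []
        if len(name) > MAX_SANE_NAME:
            reasons.append(f"file name is {len(name)} bytes, above {MAX_SANE_NAME}")
        if len(name) >= OVERFLOW_OFFSET:
            reasons.append(f"file name reaches the {OVERFLOW_OFFSET}-byte overflow offset")
        if any(b < 0x20 or b > 0x7E for b in name):
            reasons.append("file name contains non-printable bytes")
        gadget_hits = name.count(GADGET_LE)
        if gadget_hits >= GADGET_REPEAT_THRESHOLD:
            reasons.append(f"{gadget_hits} repeats of MFC42.DLL gadget 0x5f479005")
        if len(name) > MAX_SANE_NAME and not any(c in name for c in BADCHARS):
            reasons.append("oversized name avoids all five exploit badchars")
        if reasons:
            findings.append(Finding(line_no, len(name), reasons))
    return findings


def build_sample_payload():
    """Constructed sample: one benign entry, then one shaped like the PoC pattern quoted on this page."""
    benign = b"-rw-r--r-- 1 ftpuser ftpusers 1024 Jul 26 2001 readme.txt"
    filler = b"A" * OVERFLOW_OFFSET                # stands in for the pre-ROP padding
    sled = GADGET_LE * 848                         # ROP-NOP sled length stated on the page
    bad = b"-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 " + filler + sled + b".txt"
    return benign + b"\r\n" + bad + b"\r\n"


if __name__ == "__main__":
    for f in inspect_list_response(build_sample_payload()):
        print(f"line {f.line_no}: name_len={f.name_len}")
        for r in f.reasons:
            print("  -", r)
```

Feed it the bytes captured on the data channel between the server's 150 and 226 replies; a benign listing yields no findings, while an entry built like the quoted pattern trips every check at once. The gadget-repeat check is the most specific signal but, as the last bullet notes, only for the MFC42.DLL build those addresses belong to; the length and badchar checks do not depend on the DLL version.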