CVE-2011-5164
Published 2012-09-15
Priority P2 (61) · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available · EPSS 28.58% (97.9th percentile)
Stack-based buffer overflow in VanDyke Software AbsoluteFTP 1.9.6 through 2.2.10 allows remote FTP servers to execute arbitrary code via a crafted file name in a LIST command response.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vandyke | absoluteftp | — | — |
Detection & IOCs (extracted from sources)
- Pattern (other): malicious FTP LIST response line of the form "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 <oversized_buffer>.txt"
- Bytes: BadChars \x00\x0d\x5c\x2f\x0a (bytes the exploit payload avoids)
- Detect oversized filenames (>3336 bytes) in FTP LIST command responses directed at AbsoluteFTP clients; the exploit needs a buffer of at least 3336 bytes before the ROP chain begins.
- Look for FTP LIST response lines whose filenames contain embedded binary or non-printable bytes. The exploit avoids null (\x00), carriage return (\x0d), backslash (\x5c), forward slash (\x2f) and newline (\x0a), so an oversized, otherwise malformed name that contains none of these bytes is itself notable.
- Detect FTP LIST responses in which a single filename entry exceeds normal length limits (hundreds to thousands of bytes), consistent with a ROP-NOP sled of 848 repetitions of 0x5f479005 followed by a ROP chain.
- Flag FTP data-channel traffic containing the MFC42.DLL ROP gadget byte sequences (e.g. repeated little-endian 0x5f479005 = \x05\x90\x47\x5f) within a LIST response payload.
- The exploit uses EXITFUNC=process and targets Windows XP SP2 through Windows 7 SP1; correlate AbsoluteFTP crashes (process exit) on those OS versions immediately after an FTP LIST operation as a post-exploitation indicator.
- The rogue FTP server sends a 150 status followed immediately by a 226 status with no actual data-transfer delay, then delivers the oversized LIST payload over the data connection; this anomalous sequencing is detectable in FTP session analysis.
- The single exploit target covers a wide OS range (WinXP SP2 to Win7 SP1) with one fixed Ret address from MFC42.DLL; the ROP chain is only reliable against MFC42.DLL builds where the gadget addresses match exactly.
- The exploit references placeholder CVE/OSVDB/URL values ('---'), indicating the public PoC was released before formal CVE assignment; correlate with CVE-2011-5164 manually.
- The lpOldProtect RW pointer (0x5F4D1115) used in the VirtualProtect ROP call is hardcoded and specific to the MFC42.DLL version present on the targeted systems; detection signatures based on this address will not generalise to other DLL versions.
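As an added example (not part of the CVE record or the Metasploit module), a small Python checker that applies the three data-channel indicators listed above to a raw FTP LIST payload: oversized filename, repeated MFC42.DLL gadget bytes, and binary names that avoid the exploit's bad characters. The 8-repeat gadget threshold and the sample listings are constructed assumptions.

```python
import re

# Thresholds and byte patterns come from the detection notes above.
OVERSIZED_NAME_BYTES = 3336            # filler bytes needed before the ROP chain
ROP_NOP_GADGET = b"\x05\x90\x47\x5f"    # 0x5f479005 (MFC42.DLL) in little-endian
EXPLOIT_BADCHARS = b"\x00\x0d\x5c\x2f\x0a"
MIN_GADGET_REPEATS = 8                  # assumption: well below the 848-repeat sled

# Unix-style LIST entry: perms links owner group size month day year|time name.
# Splitting on CRLF is safe here because the exploit payload avoids \x0d and \x0a.
LIST_LINE_RE = re.compile(
    rb"^[-dl][rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.*)$",
    re.DOTALL,
)

def filename_from_list_line(line: bytes):
    """Return the filename field of a LIST entry, or None if the line is not one."""
    m = LIST_LINE_RE.match(line)
    return m.group("name") if m else None

def inspect_list_response(payload: bytes) -> list:
    """Return one finding per suspicious entry in a raw FTP LIST data-channel payload."""
    findings = []
    for idx, line in enumerate(payload.split(b"\r\n")):
        name = filename_from_list_line(line)
        if name is None:
            continue
        reasons = []
        if len(name) >= OVERSIZED_NAME_BYTES:
            reasons.append("oversized_filename")
        repeats = name.count(ROP_NOP_GADGET)
        if repeats >= MIN_GADGET_REPEATS:
            reasons.append("mfc42_rop_nop_sled")
        has_binary = any(b < 0x20 or b > 0x7e for b in name)
        if has_binary and not any(c in name for c in EXPLOIT_BADCHARS):
            reasons.append("binary_name_without_exploit_badchars")
        if reasons:
            findings.append({"line": idx, "name_len": len(name),
                             "gadget_repeats": repeats, "reasons": reasons})
    return findings

# Constructed sample listings (not captured traffic).
BENIGN_LISTING = (b"total 2\r\n"
                  b"drwxr-xr-x 2 ftpuser ftpusers 4096 Jul 26 2001 pub\r\n"
                  b"-rw-r--r-- 1 ftpuser ftpusers 512 Jul 26 13:37 notes.txt\r\n")
MALICIOUS_LISTING = (b"-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 "
                     + b"A" * OVERSIZED_NAME_BYTES + ROP_NOP_GADGET * 848
                     + b".txt\r\n")
```

Run `inspect_list_response` over the data-channel bytes of each LIST transfer; a finding on any entry is worth correlating with the 150/226 control-channel sequencing noted above.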
No detection rules found.
Exploit-DB: AbsoluteFTP 1.9.6 < 2.2.10 - 'LIST' Remote Buffer Overflow (Metasploit), 2011-11-09
```ruby
'Name' => 'AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)',
'Description' => %q{
  This module exploits VanDyke Software AbsoluteFTP by overflowing
  a filename buffer related to the LIST command.
},
'License' => MSF_LICENSE,
'Author' =>
  [
    'Node', # Original discovery, MSF module, ROP code
  ],
'Version' => '$Revision:$',
'References' =>
  [
    [ 'OSVDB', '---' ],
    [ 'CVE', '---' ],
    [ 'URL', '---' ]
  ],
'DefaultOptions' =>
  {
    'EXITFUNC' => 'process',
  },
'Platform' => 'win',
'Payload' =>
  {
    'BadChars' => "\x00\x0d\x5c\x2f\x0a",
  },
'Targets' =>
  [
    [ 'WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252',
      {
        'Ret' => 0x5f479005,
        'Offset' => 3336
      }
    ],
  ],
'Privileged' => false,
'DisclosureDate' => 'MONTH DAY YEAR',
'DefaultTarget' => 0))
end
#copypasted from ScriptFTP exploit
def on_
```
Metasploit: AbsoluteFTP 1.9.6 - 2.2.10 LIST Command Remote Buffer Overflow
This module exploits VanDyke Software AbsoluteFTP by overflowing a filename buffer related to the LIST command.
References:
- http://secunia.com/advisories/46781
- http://www.exploit-db.com/exploits/18102
- http://www.osvdb.org/77105
- http://www.saintcorporation.com/cgi-bin/exploit_info/vandyke_absoluteftp_list_client_overflow
- http://www.securityfocus.com/bid/50614
Published: 2012-09-15