CVE-2012-5106
published 2014-06-20CVE-2012-5106: Stack-based buffer overflow in FreeFloat FTP Server 1.0 allows remote authenticated users to execute arbitrary code via a long string in a PUT command.
PriorityP260critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
14.11%
96.1th percentile
Stack-based buffer overflow in FreeFloat FTP Server 1.0 allows remote authenticated users to execute arbitrary code via a long string in a PUT command.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freefloat | freefloat_ftp_server | — | — |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
\xED\x1E\x94\x7C
bytes↗
\xdb\xc3\xd9\x74\x24\xf4\xbd\x06\xbd\x1f\xaa\x5f\x33\xc9\xb1\x49\x31\x6f\x19\x83\xef\xfc\x03\x6f\x15\xe4\x48\xe3\x42\x61\xb2\x1c\x93\x11\x3a\xf9\xa2\x03\x58\x89\x97\x93\x2a\xdf\x1b\x58\x7e\xf4\xa8\x2c\x57\xfb\x19\x9a\x81\x32\x99\x2b\x0e\x98\x59\x2a\xf2\xe3\x8d\x8c\xcb\x2b\xc0\xcd\x0c\x51\x2b\x9f\xc5\x1d\x9e\x0f\x61\x63\x23\x2e\xa5\xef\x1b\x48\xc0\x30\xef\xe2\xcb\x60\x40\x79\x83\x98\xea\x25\x34\x98\x3f\x36\x08\xd3\x34\x8c\xfa\xe2\x9c\xdd\x03\xd5\xe0\xb1\x3d\xd9\xec\xc8\x7a\xde\x0e\xbf\x70\x1c\xb2\xc7\x42\x5e\x68\x42\x57\xf8\xfb\xf4\xb3\xf8\x28\x62\x37\xf6\x85\xe1\x1f\x1b\x1b\x26\x14\x27\x90\xc9\xfb\xa1\xe2\xed\xdf\xea\xb1\x8c\x46\x57\x17\xb1\x99\x3f\xc8\x17\xd1\xd2\x1d\x21\xb8\xba\xd2\x1f\x43\x3b\x7d\x28\x30\x09\x22\x82\xde\x21\xab\x0c\x18\x45\x86\xe8\xb6\xb8\x29\x08\x9e\x7e\x7d\x58\x88\x57\xfe\x33\x48\x57\x2b\x93\x18\xf7\x84\x53\xc9\xb7\x74\x3b\x03\x38\xaa\x5b\x2c\x92\xc3\xf1\xd6\x75\x2c\xad\xd8\xf0\xc4\xaf\xda\xf2\x2f\x26\x3c\x68\x40\x6e\x96\x05\xf9\x2b\x6c\xb7\x06\xe6\x08\xf7\x8d\x04\xec\xb6\x65\x61\xfe\x2f\x86\x3c\x5c\xf9\x99\xeb\xcb\x06\x0c\x17\x5a\x50\xb8\x15\xbb\x96\x67\xe6\xee\xac\xae\x72\x51\xdb\xce\x92\x51\x1b\x99\xf8\x51\x73\x7d\x58\x02\x66\x82\x75\x36\x3b\x17\x75\x6f\xef\xb0\x1d\x8d\xd6\xf7\x82\x6e\x3d\x06\xff\xb8\x78\x8c\x09\xcf\x68\x4c
- →Detect oversized FTP PUT commands on port 21 — the exploit sends a PUT command with a total buffer of ~720 bytes (247 NOP junk + 4-byte ret addr + 32-byte NOP sled + shellcode + 65 NOP junk), far exceeding normal PUT argument length. ↗
- →Alert on FTP PUT commands containing a long NOP sled (\x90 repeated) followed by shellcode bytes on port 21 targeting FreeFloat FTP Server 1.0. ↗
- →The exploit requires authenticated FTP access; monitor for FTP authentication followed immediately by an anomalously large PUT command argument (>300 bytes) as a strong exploitation indicator. ↗
- →The return address \xED\x1E\x94\x7C (JMP ESP gadget at 0x7C941EED) is hardcoded in the exploit for Windows XP SP2; presence of this 4-byte sequence within an FTP PUT payload is a high-fidelity indicator. ↗
- →Bad characters for shellcode encoding are \x00\x0a\x0d\x20\x7b; these bytes should NOT appear in the malicious PUT payload — use their absence as a filter bypass indicator when scanning FTP traffic. ↗
- ·The hardcoded return address (JMP ESP gadget 0x7C941EED) is specific to Windows XP Professional SP2; exploitation against other OS versions or service packs will require a different gadget address. ↗
- ·The exploit targets FreeFloat FTP Server Version 1.0 exclusively; the vendor declared end-of-life for the software effective October 1st, meaning no patch will be issued. ↗
- ·Exploitation requires valid FTP credentials; unauthenticated exploitation is not possible with this vulnerability as documented. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
http://infosec42.blogspot.com/2012/09/freefloatftp-10-put-buffer-overflow.htmlhttp://www.exploit-db.com/exploits/22351http://www.osvdb.org/88358https://exchange.xforce.ibmcloud.com/vulnerabilities/79810http://infosec42.blogspot.com/2012/09/freefloatftp-10-put-buffer-overflow.htmlhttp://www.exploit-db.com/exploits/22351http://www.osvdb.org/88358https://exchange.xforce.ibmcloud.com/vulnerabilities/79810
2014-06-20
Published