CVE-2015-7768
published 2015-10-09

CVE-2015-7768: Buffer overflow in Konica Minolta FTP Utility 1.0 allows remote attackers to execute arbitrary code via a long CWD command.

Priority: P2 (65, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 63.21% (percentile 99.1)

Affected (1 range)

Vendor: konicaminolta
Product: ftp_utility
Version range: not listed on the page
Fixed in: not listed on the page

Detection & IOCs (extracted from sources)

url: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
command: CWD <overflow buffer>
registry: 0x12206d9d (labelled a registry value by the extractor; the same value appears in the notes below as the KMFtpCM.dll PPR gadget address)
path: C:\Program Files (x86)\KONICA MINOLTA\FTP Utility
bytes: \xeb\x0a\x90\x90 (nSEH jump) + \x9D\x6D\x20\x12 (SEH handler, KMFtpCM.dll PPR)
  • Detect oversized FTP CWD commands (>1037 bytes) sent to port 21, indicative of SEH overflow exploitation against Konica Minolta FTP Utility 1.00.
  • Match FTP banner string 'FTP Utility FTP server (Version 1.00)' to identify vulnerable Konica Minolta FTP instances.
  • Alert on anonymous FTP login followed immediately by a CWD command with a payload exceeding ~1037 bytes, as the exploit uses anonymous credentials by default.
  • Look for the SEH overwrite byte sequence \xeb\x0a\x90\x90 (short jump nSEH) followed by \x9d\x6d\x20\x12 (PPR gadget in KMFtpCM.dll) within FTP CWD command payloads.
  • Monitor for outbound reverse shell connections on port 4444 originating from the FTP Utility process (KMFtpCM.dll / FTP Utility host) post-exploitation.
  • The SEH return address (PPR gadget 0x12206d9d) is hardcoded to KMFtpCM.dll and is only valid for the Windows 7 SP1 x86 target; different OS/patch levels will require a different gadget address.
  • The exploit offset of 1037 bytes before the SEH record is specific to Konica Minolta FTP Utility version 1.00 on Windows 7 SP1 x86; other versions or platforms may differ.
  • Bad characters \x00, \x0a, \x2f, \x5c must be avoided in shellcode; the PoC also excludes \x0d, \x3d in its encoder invocation.
  • Payload space is limited to 1500 bytes within the CWD overflow buffer for this exploit configuration.