cbcvebase.
CVE-2017-15222
published 2017-10-24

CVE-2017-15222: Buffer Overflow vulnerability in Ayukov NFTPD 2.0 and earlier allows remote attackers to execute arbitrary code.

Priority: P267, critical
CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flag: EXPLOIT
EPSS: 60.33% (99.0th percentile)

Affected

1 range
Vendor: nftp_project
Product: nftp
Version range: <= 2.0
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

command: SYST
other: 0x77f31d2f
url: ftp://ftp.ayukov.com/pub/src/nftp-1.72.zip
url: ftp://ftp.ayukov.com/pub/nftp/nftp-1.71-i386-win32.exe
bytes (overflow layout): \x20*4116 + [ret].pack('V') + nops(10) + payload
  • The exploit is triggered by a malicious FTP server responding to the client's SYST request with an oversized buffer (>4116 bytes). Detect FTP SYST responses exceeding normal length (e.g., >256 bytes) from servers to clients.
  • The EIP overwrite offset is exactly 4116 bytes into the SYST response buffer. A SYST response containing 4116+ bytes of padding followed by a return address is a strong exploit indicator.
  • The Metasploit module uses 0x20 (space) characters as the initial padding in the overflow buffer. A SYST response beginning with thousands of space characters (0x20) is suspicious.
  • Bad characters for shellcode encoding are \x00\x0A\x0D (and \x40 in some variants). Shellcode in the SYST response will avoid these bytes.
  • The malicious FTP server sends a crafted 220 banner, accepts USER/PASS, then delivers the overflow payload in the SYST response followed by a 257 response. Monitor for rogue FTP servers on port 21 exhibiting this sequence.
  • NOP sled patterns (\x90 repeated) appear immediately after the return address in all exploit variants. Detect NOP sleds in FTP SYST response payloads.
  • The exploit spawns a bind shell (windows/shell_bind_tcp) on the victim. Monitor for unexpected listening TCP ports (4444, 5150) on FTP client machines after FTP connections.
  • Return addresses are OS/SP-specific and hardcoded to non-ASLR DLLs on Windows XP. The exploit does not work against systems with ASLR enabled.
  • The Metasploit module only targets Windows XP Pro SP3 English with GDI32.dll ret address 0x77f31d2f; other targets require different return addresses.
  • The null byte (\x00) in the call esp address from nftpc.exe terminates the overflow string, limiting reliability of that specific gadget.
  • The Metasploit module requires a StackAdjustment of -3500 for reliable payload execution.

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)