CVE-2017-6465
published 2017-03-10


Priority: P277 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 50.31% (98.8th percentile)
Remote Code Execution was discovered in FTPShell Client 6.53. By default, the client sends a PWD command to the FTP server it is connecting to; however, it doesn't check the response's length, leading to a buffer overflow situation.

Affected

2 ranges
Vendor   | Product         | Version range | Fixed in
ftpshell | ftpshell_client |               |
ftpshell | ftpshell_client |               |

Detection & IOCs (extracted from sources)

  • The exploit works by standing up a rogue FTP server on port 21 that sends an oversized PWD (257) response. Detect FTP clients receiving anomalously long 257 reply lines (hundreds of bytes) from servers, especially containing NOP sleds (0x90 sequences) followed by shellcode.
  • The malicious server sends a crafted 220/257 banner containing a 400-byte buffer (8 NOPs + shellcode + junk + EIP overwrite \xdc\x95\x4b). Monitor for FTP 220/257 responses exceeding normal length thresholds from untrusted servers.
  • The overflow overwrites the saved EIP and structured exception handler (SEH) in ftpshell.exe. Look for access violations or SEH chain corruption in ftpshell.exe process memory following an FTP PWD response.
  • The shellcode and EIP gadget address (0x004b95dc) are specific to FTPShell Client 6.53 on Windows Server 2008 R2 x64. The gadget offset will differ across other versions or OS builds.
  • The Metasploit module referenced targets FTPShell 5.1, not 6.53; offsets and gadgets will differ between versions.
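
One way to implement the reply-length and NOP-run checks from the bullets above over a captured server-to-client FTP control stream, as an added example (not code from this page or its sources). The 256-byte threshold, the function names and the sample streams are assumptions constructed for illustration.

```python
# Added example: flag anomalous 220/257 replies in a captured FTP control stream.
MAX_REPLY_LEN = 256  # assumed threshold; baseline it against your own servers
MIN_NOP_RUN = 8      # the page describes 8 NOPs ahead of the shellcode
WATCHED_CODES = (b"220", b"257")


def is_text(line: bytes) -> bool:
    """True if the reply is valid UTF-8 with no control bytes other than tab."""
    try:
        line.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return not any((b < 0x20 and b != 0x09) or b == 0x7F for b in line)


def inspect_server_stream(data: bytes) -> list[dict]:
    """Return one finding per suspicious 220/257 line sent server -> client."""
    findings = []
    # Split on LF and strip CR so a reply with a bare LF, or with no
    # terminator at all (truncated capture), is still inspected.
    for number, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if line[:3] not in WATCHED_CODES:
            continue
        reasons = []
        if len(line) > MAX_REPLY_LEN:
            reasons.append("overlong")
        if b"\x90" * MIN_NOP_RUN in line:
            reasons.append("nop_run")
        if not is_text(line):
            reasons.append("not_text")
        if reasons:
            findings.append({"line": number, "code": line[:3].decode(),
                             "length": len(line), "reasons": reasons})
    return findings


# Constructed sample streams (placeholder bytes, not a real payload).
BENIGN = b'220 FTP ready\r\n257 "/home/user" is current directory\r\n'
SUSPICIOUS = (b'220 FTP ready\r\n257 "' + b"\x90" * 8 + b"\xcc" * 192
              + b"A" * 200 + b'" is current directory\r\n')

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_server_stream(stream))
```

A long reply that is still plain text is reported as `overlong` only, which keeps the binary-content signals separate when triaging servers with unusually deep paths.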

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P