CVE-2017-6465
Published 2017-03-10
Priority: P277 · critical 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 50.31% (98.8th percentile)
Remote Code Execution was discovered in FTPShell Client 6.53. By default, the client sends a PWD command to the FTP server it is connecting to; however, it doesn't check the response's length, leading to a buffer overflow situation.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ftpshell | ftpshell_client | — | — |
| ftpshell | ftpshell_client | — | — |
Detection & IOCs (extracted from sources)
- The exploit works by standing up a rogue FTP server on port 21 that sends an oversized PWD (257) response. Detect FTP clients receiving anomalously long 257 reply lines (hundreds of bytes) from servers, especially containing NOP sleds (0x90 sequences) followed by shellcode.
- The malicious server sends a crafted 220/257 banner containing a 400-byte buffer (8 NOPs + shellcode + junk + EIP overwrite \xdc\x95\x4b). Monitor for FTP 220/257 responses exceeding normal length thresholds from untrusted servers.
- The overflow overwrites the saved EIP and structured exception handler (SEH) in ftpshell.exe. Look for access violations or SEH chain corruption in ftpshell.exe process memory following an FTP PWD response.
- The shellcode and EIP gadget address (0x004b95dc) are specific to FTPShell Client 6.53 on Windows Server 2008 R2 x64. The gadget offset will differ across other versions or OS builds.
- The Metasploit module referenced targets FTPShell 5.1, not 6.53; offsets and gadgets will differ between versions.
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
GHSA-mq94-vm4p-fh7g (unreviewed, 2022-05-17): CVE-2017-6465 [CRITICAL] CWE-119
Remote Code Execution was discovered in FTPShell Client 6.53. By default, the client sends a PWD command to the FTP server it is connecting to; however, it doesn't check the response's length, leading to a buffer overflow situation.
GHSA
GHSA-v9q9-9c5j-v225 (unreviewed, 2022-05-14, CVSS 9.3): CVE-2018-7573 [CRITICAL] CWE-119
An issue was discovered in FTPShell Client 6.7. A remote FTP server can send 400 characters of 'F' in conjunction with the FTP 220 response code to crash the application; after this overflow, one can run arbitrary code on the victim machine. This is similar to CVE-2009-3364 and CVE-2017-6465.
No detection rules found.
Exploit-DB
FTPShell Client 6.53 - Remote Buffer Overflow (exploitdb, 2017-03-04, CVSS 9.8): CVE-2017-6465 [CRITICAL]
---
# Exploit Title: FTPShell Client 6.53 buffer overflow on making initial connection
# Date: 2017-03-04
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.ftpshell.com/downloadclient.htm
# Version: Windows Server 2008 R2 x64
# Tested on: Windows Server 2008 R2 Standard x64
# CVE: CVE-2017-6465
# 2017-03-04: Software vendor notified
# 2017-03-06: No reply
# 2017-03-06: Publishing
import socket
import sys
Metasploit
FTPShell 5.1 Stack Buffer Overflow
This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets triggered when the FTP client tries to process an overly long response to a PWD command. This will overwrite the saved EIP and structured exception handler.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/141456/FTPShell-Client-6.53-Buffer-Overflow.html
- http://www.securityfocus.com/bid/96570
- https://www.exploit-db.com/exploits/41511/