CVE-2018-7573
published 2018-03-01


Priority P2 · 74 · CVSS 3.0: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 70.21% (99.3rd percentile)
An issue was discovered in FTPShell Client 6.7. A remote FTP server can send 400 characters of 'F' in conjunction with the FTP 220 response code to crash the application; after this overflow, one can run arbitrary code on the victim machine. This is similar to CVE-2009-3364 and CVE-2017-6465.

Affected (1 range)

Vendor     Product           Version range   Fixed in
ftpshell   ftpshell_client

Detection & IOCs (extracted from sources)

command: 220 "<400-byte payload>" is current directory\r\n
snort:
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FTPShell client Stack Buffer Overflow"; flow:established,to_client; content:"220|20 22|"; isdataat:400,relative; content:!"|00|"; within:400; content:!"|22|"; within:400; content:!"|0b|"; within:400; content:!"|0a|"; within:400; content:!"|0d|"; within:400; content:"|ed 2e 45 22 20|"; fast_pattern; distance:400; reference:cve,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-7573; reference:url,exploit-db.com/exploits/44968/; classtype:attempted-user; sid:2025779; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, cve CVE_2018_8734, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_07;)
bytes: ed 2e 45 (CALL ESI return address in FTPShell.exe @ 0x00452eed)
  • Detect the exploit by looking for an FTP 220 response containing a quoted string of at least 400 bytes with the return address bytes \xed\x2e\x45 (CALL ESI @ 0x00452eed in FTPShell.exe) appearing at offset 400 or later within the banner.
  • The overflow payload space is exactly 400 bytes; the bad characters excluded from the shellcode are \x00, \x22, \x0d, \x0a and \x0b. Use these constraints to tune detection or shellcode scanning.
  • The exploit is delivered server-to-client (rogue FTP server scenario): the victim FTP client connects to the attacker-controlled server on port 21, which sends the malicious 220 banner after completing the USER/PASS handshake.
  • The return address \xed\x2e\x45 (0x00452eed, CALL ESI) is specific to FTPShell.exe in version 6.70 Enterprise Edition; it will not apply to other versions or builds.
  • The Metasploit module sets EXITFUNC to 'thread' by default, so the host process survives exploitation; post-exploitation detection should not rely solely on a process crash.
  • The exploit was tested on Windows Server 2008 R2 x64, Windows 7 SP1 x64 and Windows XP SP3 x86; detection confidence may vary on other platforms.
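The detection notes above describe the banner layout (a `220 "` prefix, 400 payload bytes free of the five bad characters, then the three return-address bytes followed by `" `) and the server-to-client delivery. The script below is an added example, not code from the page, the ET rule's authors or the Metasploit module: it mirrors the ET rule's matching logic in Python, runs it over a constructed server-to-client control stream (benign handshake responses followed by a banner built in the described layout with 'F' filler in place of shellcode, as in the original crash PoC), and adds an address-independent heuristic that is my own assumption rather than part of the rule. Function and variable names are mine.

```python
"""Detection of the FTPShell 6.70 banner-overflow pattern (added example)."""
from typing import List, Optional

# Byte values the exploit must keep out of the 400-byte payload, per the
# IOC notes: NUL, double quote, CR, LF, VT.
BAD_CHARS = frozenset(b"\x00\x22\x0d\x0a\x0b")
PAYLOAD_LEN = 400
# Low three bytes of 0x00452eed (CALL ESI in FTPShell.exe), little-endian,
# followed by the '" ' that closes the quoted banner. The high 0x00 byte is
# never on the wire, so the ET rule keys on exactly these five bytes.
RET_MARKER = b"\xed\x2e\x45\x22\x20"
PREFIX = b'220 "'


def quoted_banner_body(line: bytes) -> Optional[bytes]:
    """Return everything after '220 "' on a server line, or None if the
    line is not a quoted 220 banner."""
    if not line.startswith(PREFIX):
        return None
    return line[len(PREFIX):]


def has_bad_chars(data: bytes) -> bool:
    """True if any byte the shellcode must avoid is present in data."""
    return any(b in BAD_CHARS for b in data)


def is_ftpshell_overflow(line: bytes) -> bool:
    """Mirror the ET rule: '220 "', then at least 400 bytes containing none
    of the bad characters, then the return-address marker starting at
    offset 400 or later (Snort's distance:400 from the end of '220 "')."""
    body = quoted_banner_body(line)
    if body is None or len(body) < PAYLOAD_LEN:
        return False
    if has_bad_chars(body[:PAYLOAD_LEN]):
        return False
    return body.find(RET_MARKER, PAYLOAD_LEN) != -1


def is_oversized_quoted_banner(line: bytes, threshold: int = PAYLOAD_LEN) -> bool:
    """Address-independent heuristic (my assumption, not part of the ET
    rule): a 220 banner whose quoted string runs for at least `threshold`
    bytes without a closing quote. Catches a re-targeted return address at
    the cost of more false positives on unusual servers."""
    body = quoted_banner_body(line)
    return body is not None and len(body) >= threshold and b'"' not in body[:threshold]


def scan_server_stream(stream: bytes) -> List[int]:
    """Split a captured server->client control stream on CRLF and return the
    0-based indexes of lines matching the exploit pattern."""
    return [i for i, line in enumerate(stream.split(b"\r\n")) if is_ftpshell_overflow(line)]


def build_sample_banner(filler: bytes = b"F", filler_len: int = PAYLOAD_LEN) -> bytes:
    """Constructed sample in the layout the IOC notes describe. The payload
    area is `filler_len` copies of a single filler byte, not shellcode."""
    return PREFIX + filler * filler_len + b"\xed\x2e\x45" + b'" is current directory\r\n'


# Constructed stream: benign handshake responses, then the malicious banner
# a rogue server would send after USER/PASS.
SAMPLE_STREAM = (
    b"220 Rogue FTP ready\r\n"
    b"331 User name okay, need password\r\n"
    b"230 User logged in\r\n"
    + build_sample_banner()
)

if __name__ == "__main__":
    for idx in scan_server_stream(SAMPLE_STREAM):
        print(f"line {idx}: FTPShell banner overflow pattern")
```

Like the ET rule, `is_ftpshell_overflow` only fires on the one published return address, so a payload rebuilt for a different FTPShell build passes it silently; `is_oversized_quoted_banner` trades precision for that coverage and is the check to reach for when the client population includes other versions.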

CVSS provenance

NVD v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 HIGH  AV:N/AC:L/Au:N/C:C/I:C/A:C