CVE-2019-9760
Published: 2019-03-14
Priority: P2 72 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 53.09% (98.8th percentile)
FTPGetter Standard v.5.97.0.177 allows remote code execution when a user initiates an FTP connection to an attacker-controlled machine that sends crafted responses. Long responses can also crash the FTP client with memory corruption.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ftpgetter | ftpgetter | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x7e\x06\x90\x90
- bytes: \x31\x20\x77\x00
- The exploit operates as a rogue FTP server on port 21. It sends a crafted FTP 230 response (login success) containing a ~493-byte overflow payload to crash/exploit the FTPGetter client. Detection should focus on abnormally long FTP 2xx response lines (>493 bytes) from server to client.
- The overflow is triggered specifically in the FTP PWD command response handler. A stack-based buffer overflow occurs when processing the server's reply to PWD, overwriting a structured exception handler (SEH). Monitor for oversized FTP PWD responses.
- The exploit uses an alphanumeric/mixed x86 shellcode encoder (x86/alpha_mixed) to bypass bad-character restrictions. Presence of the alpha_mixed stub bytes in FTP traffic is a strong indicator of exploitation.
- The attack requires the victim FTPGetter client to initiate a connection to an attacker-controlled FTP server. Outbound FTP connections from endpoints running FTPGetter to untrusted external IPs should be alerted on.
- The exploit was tested only on Windows 7 x64. Behavior on other Windows versions may differ.
- The Metasploit module targets FTPGetter Standard v3.55.0.05 (PWD reply overflow), while the Exploit-DB PoC targets v5.97.0.177 (230 login reply overflow). These are distinct versions and the overflow trigger point may differ between them.
- Long FTP responses can also trigger a crash via memory corruption without achieving code execution, so not all oversized-response events indicate successful RCE.
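As an added illustration of the detection points above (this is not code from the page's sources), a small Python checker that scans a server-to-client FTP control stream for oversized 2xx and 257 (PWD) reply lines and for the x86/alpha_mixed fixer bytes quoted in the Exploit-DB PoC header. The 493-byte threshold comes from the notes above; the sample streams are constructed.

```python
"""Flag FTP control-channel replies matching the detection points above.

Input is the raw server->client control stream (e.g. a pcap follow-stream).
Sample streams below are constructed, not captured traffic.
"""
from typing import List, Tuple

MAX_REPLY_LEN = 493  # overflow payload size quoted for this CVE; tune as needed
# x86/alpha_mixed decoder "fixer" bytes listed in the Exploit-DB PoC header
ALPHA_MIXED_STUB = b"\x89\xe3\xd9\xe1\xd9\x73\xf4"

Finding = Tuple[str, int, int]  # (reason, line index, line length)


def inspect_ftp_replies(server_stream: bytes, max_len: int = MAX_REPLY_LEN) -> List[Finding]:
    """Return one finding per suspicious reply line.

    The stream is split on CRLF; a trailing fragment without CRLF is inspected
    too, since an overflow payload need not be line-terminated. Reasons:
    'alpha-mixed-stub', 'oversized-pwd-reply' (257), 'oversized-2xx',
    'oversized-line' (no 3-digit 2xx reply code at the start of the line).
    """
    findings: List[Finding] = []
    for idx, line in enumerate(server_stream.split(b"\r\n")):
        if not line:
            continue
        code = line[:3] if line[:3].isdigit() else b""
        if ALPHA_MIXED_STUB in line:
            findings.append(("alpha-mixed-stub", idx, len(line)))
        if len(line) > max_len:
            if code == b"257":  # reply to PWD (Metasploit trigger point)
                findings.append(("oversized-pwd-reply", idx, len(line)))
            elif code.startswith(b"2"):  # e.g. 230 login reply (Exploit-DB trigger)
                findings.append(("oversized-2xx", idx, len(line)))
            else:
                findings.append(("oversized-line", idx, len(line)))
    return findings


# Constructed samples: a benign session and one carrying oversized 230/257 replies
BENIGN_STREAM = (b"220 FTP ready\r\n331 Password required\r\n"
                 b"230 Login OK\r\n257 \"/\" is current directory\r\n")
SUSPICIOUS_STREAM = (b"220 FTP ready\r\n331 Password required\r\n"
                     b"230 " + b"A" * 500 + b"\r\n"
                     b"257 " + b"B" * 200 + ALPHA_MIXED_STUB + b"C" * 300 + b"\r\n")

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("suspicious", SUSPICIOUS_STREAM)):
        print(name, inspect_ftp_replies(stream))
```

Per the last note above, an oversized line alone may only indicate a crash, so treat these findings as triage leads rather than confirmed RCE.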
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
FTPGetter Standard 5.97.0.177 - Remote Code Execution
exploitdb · 2019-03-14 · CVSS 9.8
---
```python
# Exploit Title: FTPGetter Standard - v.5.97.0.177 Remote Code Execution
# Date: 05/03/2019
# Exploit Author: https://github.com/w4fz5uck5 | @w4fz5uck5
# Vendor Homepage: https://www.ftpgetter.com
# Software Link: https://www.ftpgetter.com/ftpgetter_setup.exe
# Version: v.5.97.0.177
# Tested on: Windows 7 x64
# CVE : CVE-2019-9760
import socket
import struct
import time
import sys
# badchars = (
# "\x59\x5a\x5b\x5c\x00\x0a\x0d\x20\x40\x1a\x80\x82\x83\x84\x85\x86\x87"
# "\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b"
# "\x9c\x9e\x9f\xc0\xc1" .....
# )
# x86/alpha_mixed simple fixer -> bytes "\x89\xe3\xd9\xe1\xd9\x73\xf4"
calc = ""
calc += "\x54" # push esp
calc += "\x58" # pop eax
calc += "\x05\x43\x06\x0
```
Metasploit
FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)
This module exploits a buffer overflow in the FTPGetter Standard v3.55.0.05 FTP client. When processing the response to a PWD command, a stack-based buffer overflow occurs. This leads to arbitrary code execution when a structured exception handler gets overwritten.
Published: 2019-03-14