CVE-2019-9760
published 2019-03-14


Priority P272 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 53.09% (98.8th percentile)
FTPGetter Standard v.5.97.0.177 allows remote code execution when a user initiates an FTP connection to an attacker-controlled machine that sends crafted responses. Long responses can also crash the FTP client with memory corruption.

Affected (1 range)

Vendor      Product     Version range   Fixed in
ftpgetter   ftpgetter   (none listed)   (none listed)

Detection & IOCs (extracted from sources)

version   FTPGetter Standard v.5.97.0.177
command   230 <payload>
bytes     \x7e\x06\x90\x90
bytes     \x31\x20\x77\x00
  • The exploit operates as a rogue FTP server on port 21. It sends a crafted FTP 230 (login success) response carrying a ~493-byte overflow payload to crash or exploit the FTPGetter client. Detection should focus on abnormally long FTP 2xx response lines (>493 bytes) sent from server to client.
  • In the Metasploit module (which targets v3.55.0.05), the overflow is triggered in the handler for the server's reply to the PWD command: a stack-based buffer overflow overwrites a structured exception handler (SEH). Monitor for oversized FTP PWD replies as well.
  • The exploit uses the alphanumeric/mixed x86 shellcode encoder (x86/alpha_mixed) to bypass bad-character restrictions. Presence of the alpha_mixed decoder stub bytes in FTP traffic is a strong indicator of exploitation.
  • The attack requires the victim FTPGetter client to initiate a connection to an attacker-controlled FTP server. Outbound FTP connections from endpoints running FTPGetter to untrusted external IPs should be alerted on.
  • The exploit was tested only on Windows 7 x64. Behavior on other Windows versions may differ.
  • The Metasploit module targets FTPGetter Standard v3.55.0.05 (PWD reply overflow), while the Exploit-DB PoC targets v5.97.0.177 (230 login reply overflow). These are distinct versions, and the overflow trigger point may differ between them.
  • Long FTP responses can also trigger a crash via memory corruption without achieving code execution, so not every oversized-response event indicates successful RCE.
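The detection points above (oversized 2xx/PWD replies, the two byte IOCs, the encoder stub, outbound FTP to untrusted hosts, and the crash-without-RCE caveat) can be turned into a small classifier for the server-to-client side of an FTP control channel. The following is an added example written for this page; it is not the Exploit-DB PoC, the Metasploit module, or any vendor code. The 493-byte threshold, reply codes 230 and 257, and the two byte patterns come from the IOC list above; the `ALPHA_MIXED_PROLOGUE` string, the severity labels and the trusted-network list are my own assumptions, and the sample captures are constructed, not real traffic.

```python
"""Detection logic for the CVE-2019-9760 IOCs listed above (added example, not from the advisory)."""
import ipaddress
import re

# Thresholds and indicators taken from the IOC list on this page.
OVERSIZED_REPLY_BYTES = 493            # the crafted 230 reply carries a ~493-byte overflow payload
TRIGGER_CODES = {"230", "257"}         # 230 = login-success reply (Exploit-DB PoC), 257 = PWD reply (Metasploit module)
BYTE_IOCS = {
    "bytes-7e069090": b"\x7e\x06\x90\x90",
    "bytes-31207700": b"\x31\x20\x77\x00",
}
# Assumption, not from the page: the constant decoder prologue that msfvenom's
# x86/alpha_mixed encoder emits right after its GetPC stub. Treat as a heuristic.
ALPHA_MIXED_PROLOGUE = b"AAQ2AB2BB0BBABXP8ABuJI"

# RFC 959 reply line: three-digit code, then a space (single line) or '-' (multi-line).
REPLY_CODE_RE = re.compile(rb"^(\d{3})[ -]")


def classify_reply(line: bytes) -> dict:
    """Classify one server->client FTP reply line (CRLF already stripped).

    severity is one of:
      "likely-exploit"  shellcode/encoder markers present
      "possible-crash"  oversized 2xx reply with no markers (long replies can crash without RCE)
      "benign"          nothing matched
    """
    m = REPLY_CODE_RE.match(line)
    code = m.group(1).decode() if m else None
    indicators = []

    # A normal reply line is well under 100 bytes; the exploit's 230 reply is ~493 bytes or more.
    if len(line) > OVERSIZED_REPLY_BYTES and (code is None or code.startswith("2")):
        indicators.append("oversized-2xx-reply")
        if code in TRIGGER_CODES:
            indicators.append(f"known-trigger-code-{code}")

    for name, pattern in BYTE_IOCS.items():
        if pattern in line:
            indicators.append(name)
    if ALPHA_MIXED_PROLOGUE in line:
        indicators.append("alpha-mixed-prologue")

    if any(i in BYTE_IOCS or i == "alpha-mixed-prologue" for i in indicators):
        severity = "likely-exploit"
    elif "oversized-2xx-reply" in indicators:
        severity = "possible-crash"
    else:
        severity = "benign"
    return {"code": code, "length": len(line), "indicators": indicators, "severity": severity}


def scan_control_channel(stream: bytes) -> list:
    """Split a raw server->client capture on CRLF and return every non-benign reply verdict."""
    verdicts = []
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        verdict = classify_reply(line)
        if verdict["severity"] != "benign":
            verdicts.append(verdict)
    return verdicts


def is_untrusted_ftp_destination(dst_ip: str, dst_port: int, trusted_networks) -> bool:
    """Outbound FTP (port 21) from an FTPGetter host to an address outside the trusted
    networks should be alerted on. trusted_networks is a list of CIDR strings (assumed config)."""
    if dst_port != 21:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return not any(addr in ipaddress.ip_network(net) for net in trusted_networks)


# Constructed sample captures for this example (not real traffic).
BENIGN_CAPTURE = (
    b"220 (vsFTPd 3.0.3)\r\n"
    b"331 Please specify the password.\r\n"
    b"230 Login successful.\r\n"
    b"257 \"/home/user\" is the current directory\r\n"
)
ROGUE_CAPTURE = (
    b"220 ready\r\n"
    b"331 ok\r\n"
    b"230 " + b"A" * 500 + b"\x7e\x06\x90\x90" + ALPHA_MIXED_PROLOGUE + b"Z" * 20 + b"\r\n"
)

if __name__ == "__main__":
    print(scan_control_channel(BENIGN_CAPTURE))
    for v in scan_control_channel(ROGUE_CAPTURE):
        print(v["code"], v["length"], v["severity"], v["indicators"])
    print(is_untrusted_ftp_destination("203.0.113.7", 21, ["10.0.0.0/8", "192.168.0.0/16"]))
```

The rogue capture's 230 line is flagged `likely-exploit` because it carries both a page-listed byte IOC and the encoder prologue; a 230 line that is merely oversized is reported as `possible-crash`, matching the caveat that long replies may only crash the client. Oversized non-2xx replies are left alone, since the page's guidance is to watch 2xx lines.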

CVSS provenance

NVD v3.0   9.8 CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0   7.5 HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P