CVE-2004-2111

Serv-U FTP Server <4.2 - Buffer Overflow

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2004-2111. PoCs were published by Metasploit, Skylined, and lion, among others, including the Metasploit module exploits/windows/ftp/servu_chmod.

AI-analyzed exploit summary: This Metasploit module exploits a stack buffer overflow in Serv-U FTP Server's SITE CHMOD command, allowing remote code execution via an egghunter technique. It targets specific Windows versions and requires valid credentials.

Description

Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename.

Exploits (6)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/18190

This Metasploit module exploits a stack buffer overflow in Serv-U FTP Server's SITE CHMOD command, allowing remote code execution via an egghunter technique. It targets specific Windows versions and requires valid credentials.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Serv-U FTP Server <4.2
Auth required
Prerequisites: Valid FTP credentials · Network access to target
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Skylined · c · remote · windows
https://www.exploit-db.com/exploits/822

This exploit targets a buffer overflow vulnerability in Serv-U FTP Server v4.x via the 'SITE CHMOD' command. It uses a combination of NOP sleds, SEH overwrites, and shellcode to achieve remote code execution, binding a shell on port 28876.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Serv-U FTP Server v4.0.0.4, v4.1.0.0, v4.1.0.3
Auth required
Prerequisites: Network access to the target FTP server · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by lion · c · remote · windows
https://www.exploit-db.com/exploits/149

This exploit targets a stack-based buffer overflow in Serv-U FTPD 3.x/4.x via the 'SITE CHMOD' command. It includes shellcode for both bind and connect-back shells, leveraging SEH overwrites for reliable exploitation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Serv-U FTPD 3.0.0.20 to 4.1.0.11
Auth required
Prerequisites: Valid FTP account credentials · Writable directory on the target
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by [email protected] · c · remote · windows
https://www.exploit-db.com/exploits/23592

This exploit targets a buffer overflow vulnerability in RhinoSoft Serv-U FTP Server via a maliciously crafted 'SITE CHMOD' command with an excessively long filename. It includes a bind shell payload to achieve remote code execution on vulnerable versions.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: RhinoSoft Serv-U FTP Server 4.1.0.7, 4.1.0.11, 4.2
Auth required
Prerequisites: Network access to the FTP server · Valid FTP credentials · Target running a vulnerable version of Serv-U FTP Server
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by mandragore · c · remote · windows
https://www.exploit-db.com/exploits/23591

This exploit targets a buffer overflow vulnerability in RhinoSoft Serv-U FTP Server 4.1.0.0 via the 'SITE CHMOD' command. It sends a crafted payload with a reverse bindshell to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: RhinoSoft Serv-U FTP Server 4.1.0.0
Auth required
Prerequisites: Network access to the FTP server · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · NORMAL
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/servu_chmod.rb

This Metasploit module exploits a stack buffer overflow in Serv-U FTP Server's SITE CHMOD command, leveraging an egghunter to achieve remote code execution. It targets specific Windows versions and requires valid credentials.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Serv-U FTP Server prior to 4.2
Auth required
Prerequisites: Valid FTP credentials · Target running vulnerable Serv-U FTP Server version
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/14931
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/9483
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/9675
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=107513654005840&w=2
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2004-01/0249.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1008841

Scores

EPSS 0.8687
EPSS Percentile 99.7%

Details

CWE: CWE-119
Status: published
Products (8)
solarwinds/serv-u_file_server 3.0.0.16
solarwinds/serv-u_file_server 3.0.0.17
solarwinds/serv-u_file_server 3.1.0.0
solarwinds/serv-u_file_server 3.1.0.1
solarwinds/serv-u_file_server 3.1.0.3
solarwinds/serv-u_file_server 4.0.0.4
solarwinds/serv-u_file_server 4.1.0.0
solarwinds/serv-u_file_server < 4.1.0.3
Published Dec 31, 2004
Tracked Since Feb 18, 2026