CVE-2006-2407

freeFTPd 1.0.10 - Stack-Based Buffer Overflow via Long Key Exchange Algorithm String


Exploitation Summary

EIP tracks 5 public exploits for CVE-2006-2407. PoCs were published by Metasploit and Tauqeer Ahmad, including the Metasploit module exploits/windows/ssh/freesshd_key_exchange.

AI-analyzed exploit summary: This exploit targets a stack buffer overflow in FreeSSHd 1.0.9 by sending a maliciously crafted key exchange algorithm string during the SSH handshake. It includes a payload for remote code execution and is designed for specific Windows targets.

Description

Stack-based buffer overflow in (1) WeOnlyDo wodSSHServer ActiveX Component 1.2.7 and 1.3.3 DEMO, as used in other products including (2) FreeSSHd 1.0.9 and (3) freeFTPd 1.0.10, allows remote attackers to execute arbitrary code via a long key exchange algorithm string.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16461

This exploit targets a stack buffer overflow in FreeSSHd 1.0.9 by sending a maliciously crafted key exchange algorithm string during the SSH handshake. It includes a payload for remote code execution and is designed for specific Windows targets.

Classification
Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FreeSSHd 1.0.9
No auth needed
Prerequisites: Network access to the target on port 22 · Target running FreeSSHd 1.0.9
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16462

This exploit targets a stack buffer overflow in FreeFTPd 1.0.10 via a malformed SSH key exchange algorithm string. It sends a crafted payload to trigger the vulnerability and execute arbitrary code.

Classification
Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FreeFTPd 1.0.10
No auth needed
Prerequisites: Network access to the target's SSH port (22)
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Tauqeer Ahmad · python · remote · windows
https://www.exploit-db.com/exploits/1787

This exploit targets a buffer overflow vulnerability in freeSSHd 1.0.9, leveraging a JMP ESP instruction in USER32.dll to execute a bind shell on port 1977. The payload is a Metasploit-generated shellcode for Windows systems.

Classification
Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Racy
Target: freeSSHd 1.0.9
No auth needed
Prerequisites: Network access to the target system · Target running freeSSHd 1.0.9
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ssh/freesshd_key_exchange.rb

This Metasploit module exploits a stack buffer overflow in FreeSSHd 1.0.9 by sending a maliciously crafted key exchange algorithm string, leading to remote code execution. The exploit targets specific return addresses for Windows 2000 and XP systems.

Classification
Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FreeSSHd 1.0.9
No auth needed
Prerequisites: Network access to the target on port 22 · Vulnerable FreeSSHd version running
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ssh/freeftpd_key_exchange.rb

This Metasploit module exploits a stack buffer overflow in FreeFTPd 1.0.10 by sending a maliciously crafted key exchange algorithm string during SSH handshake. It targets multiple Windows versions with specific return addresses to achieve remote code execution.

Classification
Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FreeFTPd 1.0.10
No auth needed
Prerequisites: Network access to target's SSH port (22) · Vulnerable FreeFTPd version
devstral-2 · analyzed Feb 16, 2026

References (18)

Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19846
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/25569
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/434007/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/434402/100/0/threaded
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1786
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/901
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/26442
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/434415/100/0/threaded
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19845
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/477960
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/434415/30/4920/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/25463
Mailing List mailing-list x_refsource_fulldisc
http://marc.info/?l=full-disclosure&m=114764338702488&w=2
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20136
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1842
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1785
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/17958
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/434038/100/0/threaded

Scores

EPSS 0.7137
EPSS Percentile 99.3%

Details

CWE: CWE-119
Status: published
Products (4):
freeftpd/freeftpd 1.0.10
freesshd/freesshd 1.0.9
weonlydo/wodsshserver 1.2.7
weonlydo/wodsshserver 1.3.3_demo
Published: May 16, 2006
Tracked Since: Feb 18, 2026