CVE-2006-2961

CesarFTP <= 0.99g - Stack-Based Buffer Overflow via MKD Command

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2006-2961. PoCs published by Irving Aguilar, Metasploit, h07, including Metasploit module exploits/windows/ftp/cesarftp_mkd.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in CesarFTP 0.99g via the XCWD command. It sends a malformed buffer to trigger a Denial of Service (DoS) condition.

Description

Stack-based buffer overflow in CesarFTP 0.99g and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long MKD command. NOTE: the provenance of this information is unknown; the details are obtained from third party information.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Irving Aguilar · pythondoswindows
https://www.exploit-db.com/exploits/39274

This exploit targets a buffer overflow vulnerability in CesarFTP 0.99g via the XCWD command. It sends a malformed buffer to trigger a Denial of Service (DoS) condition.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: CesarFTP 0.99g
Auth required
Prerequisites: Network access to the target FTP server · Valid FTP credentials (USER/PASS)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16713

This exploit targets a stack buffer overflow in CesarFTP 0.99g via the MKD command, allowing remote code execution. It includes multiple return addresses for different Windows versions and requires valid credentials.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CesarFTP 0.99g
Auth required
Prerequisites: Valid FTP credentials · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by h07 · pythonremotewindows
https://www.exploit-db.com/exploits/1906

This exploit targets a buffer overflow vulnerability in CesarFTP 0.99g by sending a maliciously crafted MKD command with a NOP sled and shellcode to execute calc.exe. It leverages a JMP ESP instruction in shell32.dll on Windows XP SP2 Polish.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CesarFTP 0.99g
Auth required
Prerequisites: Network access to the FTP server · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/cesarftp_mkd.rb

This Metasploit module exploits a stack buffer overflow in CesarFTP 0.99g via the MKD command, allowing remote code execution. It includes multiple return addresses for different Windows versions and requires valid credentials.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CesarFTP 0.99g
Auth required
Prerequisites: Valid FTP credentials · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27071
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/18586
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/26364
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20574
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2287

Scores

EPSS 0.6194
EPSS Percentile 99.1%

Details

Status published
Products (1)
aclogic/cesarftp < 0.99g
Published Jun 12, 2006
Tracked Since Feb 18, 2026