CVE-2006-6563

ProFTPD <1.3.1rc1 - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2006-6563. PoCs published by Revenge, Core Security, pi3.

AI-analyzed exploit summary This exploit targets a buffer overflow in ProFTPD 1.3.0/1.3.0a via the Controls feature, binding a root shell on port 31337. It requires ProFTPD to be compiled with --enable-ctrls and local user access to the Unix socket.

Description

Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute arbitrary code via a large reqarglen length value.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Revenge · perllocallinux
https://www.exploit-db.com/exploits/3333

This exploit targets a buffer overflow in ProFTPD 1.3.0/1.3.0a via the Controls feature, binding a root shell on port 31337. It requires ProFTPD to be compiled with --enable-ctrls and local user access to the Unix socket.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD 1.3.0/1.3.0a
Auth required
Prerequisites: ProFTPD compiled with --enable-ctrls · Local user access to Unix socket · Target OS (Ubuntu 6.10 or Debian Etch)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Revenge · perllocallinux
https://www.exploit-db.com/exploits/3330

This exploit targets a buffer overflow in ProFTPD v1.3.0/1.3.0a via the controls feature, binding a root shell on port 31337. It requires the server to be compiled with --enable-ctrls and local user access to the Unix socket.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD v1.3.0/1.3.0a
Auth required
Prerequisites: ProFTPD compiled with --enable-ctrls · Local user access to Unix socket · Slackware 11.0 or similar environment with gcc 3.x and Linux kernel 2.4
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Core Security · pythondoslinux
https://www.exploit-db.com/exploits/2928

This exploit targets a buffer overflow in ProFTPD 1.3.0a via a maliciously crafted payload sent over a Unix domain socket. It leverages a known stack layout and a trampoline to execute shellcode, though the shellcode itself is benign (int 3 instructions).

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ProFTPD 1.3.0a
No auth needed
Prerequisites: ProFTPD 1.3.0a compiled with gcc 4.1.2 · Access to the target system's Unix domain socket (/tmp/ctrls.sock)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by pi3 · clocallinux
https://www.exploit-db.com/exploits/394

This exploit targets a buffer overflow vulnerability in ProFTPd's ftpdctl utility due to an unsafe strncpy call in the pr_ctrls_connect function. It provides two exploitation methods: environment-based and ret-to-libc, both leading to local privilege escalation via shellcode execution.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: ProFTPd (with --enable-ctrls configured)
No auth needed
Prerequisites: ProFTPd compiled with --enable-ctrls · Local access to the system · ftpdctl binary present
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (17)

Core 17
Core References
Various Sources x_refsource_confirm
http://www.proftpd.org/docs/NEWS-1.3.1rc1
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21587
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2006:232
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/454320/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/460648/100/0/threaded
Vendor Advisory vendor-advisory x_refsource_openpkg
http://www.openpkg.com/security/advisories/OpenPKG-SA-2006.039.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/3330
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/24163
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23473
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200702-02.xml
Exploit, Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23371
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4998
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23392
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/460756/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30906
Vendor Advisory vendor-advisory x_refsource_trustix
http://www.trustix.org/errata/2006/0074/

Scores

EPSS 0.0230
EPSS Percentile 81.0%

Details

Status published
Products (2)
proftpd_project/proftpd 1.3.0
proftpd_project/proftpd 1.3.0a
Published Dec 15, 2006
Tracked Since Feb 18, 2026