CVE-2009-3023

Exploitation Summary

CVE-2009-3023 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Metasploit, muts, kingcope, including a Metasploit module exploits/windows/ftp/ms09_053_ftpd_nlst.

AI-analyzed exploit summary This exploit targets a stack buffer overflow in Microsoft IIS FTP Server via a malformed NLST command. It uses an egg hunter to locate shellcode stored on the stack, achieving remote code execution.

Description

Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability."

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/16740

View Code ZIP pw:eip

This exploit targets a stack buffer overflow in Microsoft IIS FTP Server via a malformed NLST command. It uses an egg hunter to locate shellcode stored on the stack, achieving remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft IIS FTP Server (IIS 5.0 on Windows 2000)

Auth required

Prerequisites: FTP server with write access · Valid credentials or anonymous write access

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by muts · perlremotewindows

https://www.exploit-db.com/exploits/9559

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in IIS 5.0 FTP Server on Windows 2000 SP4. It uses a combination of shellcode, an egghunter, and a bind shell payload to achieve remote code execution as SYSTEM.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: IIS 5.0 FTP Server on Windows 2000 SP4

No auth needed

Prerequisites: Network access to the target FTP server · IIS 5.0 FTP Server running on Windows 2000 SP4

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by kingcope · perlremotewindows

https://www.exploit-db.com/exploits/9541

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in IIS 5.0 FTPd on Windows 2000 SP4. It uses a crafted SITE command to overwrite the stack and execute shellcode, resulting in remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: IIS 5.0 FTPd on Windows 2000 SP4

No auth needed

Prerequisites: Network access to the target FTP server · IIS 5.0 FTPd running on Windows 2000 SP4

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GREAT

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/ms09_053_ftpd_nlst.rb

View Code ZIP pw:eip

This exploit targets a stack buffer overflow in Microsoft IIS FTP Server (CVE-2009-3023) via a malformed NLST command. It uses an egg hunter to locate and execute shellcode stored on the stack, achieving remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft IIS FTP Server (IIS 5.0)

Auth required

Prerequisites: FTP server with write access · Target running vulnerable IIS version

MITRE ATT&CK