CVE-2011-5166
KnFTP 1.0.0 - Remote Code Execution via Multiple Stack-Based Buffer Overflows
Title source: llm
Exploitation Summary
EIP tracks 4 public exploits for CVE-2011-5166. PoCs published by mr.pr0n, loneferret, blake.
AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in KnFTP 1.0.0 Server via the 'USER' command. It uses an egghunter and shellcode to execute calc.exe, leveraging a JMP ESP instruction in kernel32.dll.
Description
Multiple stack-based buffer overflows in KnFTP 1.0.0 allow remote attackers to execute arbitrary code via a long string to the (1) USER, (2) PASS, (3) REIN, (4) QUIT, (5) PORT, (6) PASV, (7) TYPE, (8) STRU, (9) MODE, (10) RETR, (11) STOR, (12) APPE, (13) ALLO, (14) REST, (15) RNFR, (16) RNTO, (17) ABOR, (18) DELE, (19) CWD, (20) LIST, (21) NLST, (22) SITE, (23) STST, (24) HELP, (25) NOOP, (26) MKD, (27) RMD, (28) PWD, (29) CDUP, (30) STOU, (31) SNMT, (32) SYST, and (33) XPWD commands.
Exploits (4)
This exploit targets a buffer overflow vulnerability in KnFTP 1.0.0 Server via the 'USER' command. It uses an egghunter and shellcode to execute calc.exe, leveraging a JMP ESP instruction in kernel32.dll.
This exploit demonstrates a buffer overflow vulnerability in KnFTP Server by sending an overly long string (9000 'A' characters) via the PWD command, causing a denial-of-service (DoS) condition. The PoC includes register states showing SEH/EIP overwrites, confirming the vulnerability.
This exploit targets a buffer overflow vulnerability in KnFTP server by sending a maliciously crafted PASS command. It uses an egghunter technique to locate and execute shellcode, which spawns calc.exe as a proof of concept.
This Metasploit module exploits a buffer overflow vulnerability in KnFTP FTP Server to achieve remote code execution by bypassing DEP via ROP chains. It targets specific Windows versions (XP SP2/SP3 and Windows 7 SP1) with tailored ROP gadgets.