Submission #648834 information: PCman FTP Client 2.0.7 Buffer Overflow

Title: PCman FTP Client 2.0.7 Buffer Overflow
Description: Vulnerability Exploitation on PCMan FTP Server 2.0.7

This exploitation technique was successfully tested on Windows XP Professional Service Pack 2 and 3 systems. The target was a PCMan FTP Server version 2.0.7 (32-bit), known for having multiple vulnerabilities, making it ideal for studying and practicing buffer overflow exploitation techniques.

Note: This study is based on the source code available at https://github.com/moEbrahimi/pcmanftpd/blob/master/FtpCmdCon.cpp from the PCMan FTPD GitHub repository.

Test Environment
The PCMan FTP Server 2.0.7, a 32-bit application, served as the exploitation target. Its vulnerability in the "RESET" command allows practicing buffer overflow techniques, providing a controlled scenario for developing proof-of-concept exploits.

Objective
The main objective of this test was to create a functional Proof of Concept (PoC) demonstrating the possibility of exploiting the buffer overflow vulnerability in the "RESET" command, enabling remote code execution on the target system.

Exploitation Steps

1. Triggering the buffer overflow
Sending an excessive amount of data via the "RESET" command caused the application to crash, confirming the presence of a buffer overflow.

2. Determining the offset
To determine the exact number of bytes required to overwrite the EIP (Extended Instruction Pointer), tools from the Metasploit Framework were used:
- msf-pattern_create -l 3000: generated a unique cyclic pattern of 3000 bytes. After the crash, the overwritten EIP value was obtained using the debugger.
- msf-pattern_offset -q <EIP_value>: determined the precise offset to the EIP, essential for correctly positioning the redirection address in the exploit.
Offset found: 2004 bytes

3. Stack preparation and JMP ESP discovery
After identifying the offset, it was necessary to locate a reliable JMP ESP instruction in memory to redirect execution to the shellcode. Used the Mona plugin in Immunity Debugger: !mona jmp -r esp -n
The memory address found was located in an unprotected system DLL, suitable for redirection.

4. Handling bad characters
During payload creation, key characters that could interrupt shellcode execution were removed:
- 0x00 – null byte
- 0x0a – newline
- 0x0d – carriage return
Since the environment was already known, a full bad-character analysis using a bytearray was not necessary.

5. Shellcode creation
To ensure reliable shellcode execution:
- 32 NOP instructions (\x90) were added before the shellcode, forming a NOP sled.
- The shellcode was generated using msfvenom, allowing customized payloads such as reverse shells, bind shells, remote execution of Windows programs (Calculator, Notepad), or sending messages.

Final Result
With the correct offset, reliable JMP ESP, and clean shellcode, the exploitation was successfully executed. The test resulted in obtaining a remote shell, allowing command execution with the privileges of the vulnerable process.

exploit link: https://github.com/Gustavo-Redol/exploit-1/blob/main/Exploit
Source: https://github.com/Gustavo-Redol/exploit-1/blob/main/Exploit
User: R3d0lx01 (UID 89277)
Submitted: 2025-09-05 17:27 (8 months ago)
Moderation: 2025-09-17 18:15 (12 days later)
Status: Duplicate
VulDB entry: 309413 [PCMan FTP Server 2.0.7 REST Command Memory Corruption]
Reason: RESET command not supported according to CFtpCmd::CFtpCmdMapEnt in FtpCmd.cpp
Points: 0
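As an added defender-side example (not part of the submission or the VulDB record), the following Python flags the kind of FTP control-channel command the submission describes: a REST argument ("RESET" in the submission; the moderation note identifies the affected command as REST) that is thousands of bytes long, non-numeric, and carries a NOP sled. The sample command lines, the 512-byte length threshold and the 16-byte sled threshold are constructed for illustration, not taken from the page or from PCMan FTP Server.

```python
import re

# Constructed sample of FTP control-channel commands, as an FTP proxy or
# network sensor might see them. Index 3 mimics the oversized REST argument
# described in the submission (2004 bytes of filler, a 4-byte EIP overwrite
# placeholder, a 32-byte NOP sled, then non-printable bytes); the rest is benign.
SAMPLE_COMMANDS = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"REST 1024\r\n",  # legitimate restart marker (RFC 959: a decimal offset)
    b"REST " + b"A" * 2004 + b"BBBB" + b"\x90" * 32 + b"\xcc" * 8 + b"\r\n",
    b"RETR report.pdf\r\n",
]

MAX_ARG_LEN = 512                         # assumed ceiling for a legitimate argument
NOP_SLED_RE = re.compile(rb"\x90{16,}")   # 16+ consecutive x86 NOPs
# RFC 959 command line: 3-4 letter verb, optional SP + argument, CRLF.
FTP_CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?\r\n$", re.DOTALL)


def inspect_command(line: bytes) -> list[str]:
    """Return the findings for one FTP command line (empty list if benign)."""
    m = FTP_CMD_RE.match(line)
    if not m:
        return ["malformed command line"]
    verb = m.group(1).upper()
    arg = m.group(2) or b""
    findings = []
    if len(arg) > MAX_ARG_LEN:
        findings.append(f"{verb.decode()} argument too long ({len(arg)} bytes)")
    if verb == b"REST" and not arg.isdigit():
        findings.append("REST marker is not a decimal number")
    if any(b < 0x20 or b > 0x7E for b in arg):
        findings.append(f"{verb.decode()} argument contains non-printable bytes")
    if NOP_SLED_RE.search(arg):
        findings.append("NOP sled (repeated 0x90) in argument")
    return findings


def scan(commands):
    """Return (index, findings) for every command line that raised a finding."""
    hits = []
    for i, line in enumerate(commands):
        findings = inspect_command(line)
        if findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_COMMANDS):
        print(f"command {index}: " + "; ".join(findings))
```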
