| Title | PCMan FTP Server 2.0.7 Buffer Overflow |
|---|---|
| Description | This exploitation technique was successfully applied to Windows XP Professional Service Pack 2 and 3 systems.
This exploitation test was performed on a 32-bit PCMan FTP server version 2.0.7.
Testing Environment
The target of the exploitation was the PCMan FTP Server version 2.0.7, a 32-bit application. This software is known for containing multiple vulnerabilities, making it a good choice for studying and practicing Buffer Overflow exploitation techniques.
Objective
The main goal was to develop a reliable Proof of Concept (PoC) to demonstrate the possibility of exploiting a Buffer Overflow vulnerability found in the "PLS" command of the FTP server.
Exploitation Steps
1. Triggering the Buffer Overflow
It was observed that sending an excessive amount of data via the "PLS" command caused the application to crash. This indicated a Buffer Overflow condition.
2. Identifying the Offset
To determine the exact number of bytes needed to overwrite EIP (the Extended Instruction Pointer), the following Metasploit Framework tools were used:
"msf-pattern_create -l 3000": generated a unique 3000-byte cyclic pattern.
After the crash, the overwritten EIP value was read from the debugger.
Using "msf-pattern_offset -q <EIP_value>", the precise offset between the start of the buffer and the bytes that land in EIP was determined. This offset is essential for positioning the redirect address correctly within the exploit.
The resulting offset: 2007 bytes.
3. Stack Preparation and JMP ESP Discovery
After identifying the correct offset, it was necessary to locate a reliable JMP ESP instruction in memory to redirect execution to the shellcode.
The Mona plugin for Immunity Debugger was used with the following command:
!mona jmp -r esp -n
The address found was 0x74e32fd9, located in an unprotected system DLL, which makes it suitable for redirecting code execution.
4. Handling Bad Characters (Badchars)
During payload preparation, the main bad characters that could break shellcode execution were removed:
0x00 (null byte)
0x0a (newline)
0x0d (carriage return)
Since the environment was already known, a full bad-character analysis with a byte array was not necessary.
5. Shellcode Creation
To ensure smooth shellcode execution:
20 NOP instructions (\x90) were placed before the shellcode, forming a NOP sled that improves reliability.
The shellcode itself was generated using msfvenom, which allows for the creation of custom payloads, such as reverse shells, bind shells, sending remote messages, and opening Windows programs like Calculator, Notepad, etc.
Final Result
With all data correctly set (accurate offset, reliable JMP ESP, clean shellcode), it was possible to successfully exploit the Buffer Overflow vulnerability.
This successful exploitation resulted in a remote shell on the target system, allowing the attacker to execute commands remotely with the privileges of the vulnerable process.
Link to the exploit: https://fitoxs.com/exploit/exploit-67a2e172844905e3e09735d62ac7a925e8492f78c789c2995a1f2474c539ed8f95.txt |
| Source | https://fitoxs.com/exploit/exploit-67a2e172844905e3e09735d62ac7a925e8492f78c789c2995a1f2474c539ed8f95.txt |
| Submitter | Fernando Mengali (UID 83791) |
| Created | 05/29/2025 21:38 |
| Modified | 06/04/2025 13:36 (6 days later) |
| Status | Shingilam |
| VulDB entry | 311122 [PCMan FTP Server 2.0.7 PLS Command Buffer Overflow] |
| Points | 20 |
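As an added defensive example (not part of the submission or of the exploit it links), the check below scans FTP control-channel lines for the traits the write-up describes: a PLS argument far longer than the ~2007 bytes needed to reach EIP, a run of 0x90 NOP bytes, and raw non-ASCII bytes. The sample lines, the 512-byte argument limit and the NOP-run threshold are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of FTP control-channel lines, as a sensor might capture them.
# The PLS line mimics the layout in the write-up: filler to reach EIP (2007 bytes),
# a 4-byte placeholder where a return address would sit, a 20-byte NOP sled,
# then 100 placeholder bytes standing in for shellcode.
SAMPLE_LINES = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"PLS " + b"A" * 2007 + b"BBBB" + b"\x90" * 20 + b"\xcc" * 100 + b"\r\n",
    b"QUIT\r\n",
]

MAX_ARG_LEN = 512   # assumed sane upper bound for a legitimate FTP command argument
NOP_RUN_MIN = 8     # assumed: this many consecutive 0x90 bytes never occur in real arguments


@dataclass
class Alert:
    command: str
    arg_len: int
    reasons: List[str] = field(default_factory=list)


def inspect_line(line: bytes) -> Optional[Alert]:
    """Return an Alert when a single FTP command line looks like an overflow attempt."""
    line = line.rstrip(b"\r\n")
    if not line:
        return None
    parts = line.split(b" ", 1)
    command = parts[0].decode("ascii", "replace").upper()
    arg = parts[1] if len(parts) > 1 else b""
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append(f"argument length {len(arg)} exceeds {MAX_ARG_LEN}")
    if re.search(rb"\x90{%d,}" % NOP_RUN_MIN, arg):
        reasons.append("run of 0x90 bytes in argument (NOP sled)")
    if any(b > 0x7E for b in arg):
        reasons.append("non-ASCII bytes in argument (possible address or shellcode)")
    return Alert(command, len(arg), reasons) if reasons else None


def scan(lines) -> List[Alert]:
    """Run inspect_line over a sequence of captured lines and collect the alerts."""
    return [alert for alert in (inspect_line(l) for l in lines) if alert]
```

A control-channel sensor must hand over the complete line for this to work; a logger that truncates long commands would hide exactly the length signal that matters here.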