CVE-2013-4730
published 2014-05-15

CVE-2013-4730: Buffer overflow in PCMan's FTP Server 2.0.7 allows remote attackers to execute arbitrary code via a long string in a USER command.

Priority: P2 (69), critical
CVSS 2.0 base score: 10.0, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 67.23% (99.2th percentile)

Affected (1 range)

Vendor:        pcman_s_ftp_server_project
Product:       pcman_s_ftp_server
Version range: (not stated on this record)
Fixed in:      (not stated on this record)

Detection & IOCs (extracted from sources)

command: PASS <2005+ byte overflow buffer>
command: USER <2005+ byte overflow buffer>
command: STOR /../<overflow buffer>
command: PASS <overflow buffer>
command: MKD <2007+ byte overflow buffer>
command: CWD <2012+ byte overflow buffer>
port: 4444
bytes: \x53\x02\x67\x75
bytes: 0x7e429353
bytes: 220 PCMan's FTP Server 2.0 Ready.
bytes: 0x7C91FCD8
bytes: \x83\xc4\x9c
bytes: 220 PCMan's FTP Server 2.0
bytes: \xDB\xFC\x1C\x75
bytes: \x65\x82\xA5\x7C
bytes: \x59\x06\xbb\x76
  • Detect FTP USER command with payload exceeding 2005 bytes — characteristic of PCMan FTP USER overflow exploitation
  • Detect FTP PASS command with payload exceeding 6102 bytes — characteristic of PCMan FTP PASS overflow exploitation
  • Detect FTP STOR command containing '/../' followed by a large buffer — characteristic of PCMan FTP STOR overflow exploitation
  • Detect FTP MKD command with payload exceeding 2007 bytes — characteristic of PCMan FTP MKD overflow exploitation
  • Detect FTP CWD command with payload exceeding 2012 bytes — characteristic of PCMan FTP CWD overflow exploitation
  • Flag FTP server banners matching '220 PCMan's FTP Server 2.0' as vulnerable to multiple buffer overflow commands (USER, PASS, STOR, MKD, CWD)
  • Bad characters for payload crafting against PCMan FTP USER command are \x53\x93\x42\x7E — filter/alert on FTP USER payloads avoiding these bytes
  • Bad characters for STOR command exploit are \x00\xff\x0a\x0d\x20\x40 — useful for distinguishing crafted payloads in FTP traffic
  • The CALL ESP ROP gadget address (0x75670253 / Kernel32.dll) used in the PASS exploit is Windows 7 SP1 French-specific and will differ on other OS versions/languages
  • The USER exploit RET address (0x7e429353, push esp/ret) targets Windows XP SP3 English only; the NVD entry notes RET needs adjustment for other targets
  • The STOR exploit RET address (0x7C91FCD8, jmp esp from kernel32.dll) and offset (2002) are specific to Windows XP SP3
  • The MKD exploit RET address (0x7CA58265, jmp esp from shell32.dll) is specific to Windows XP SP3; it will not apply to other platforms
  • The CWD exploit ESP address (0x76BB0659) is specific to Windows 7 SP1 x64 English; offsets and gadget addresses will differ on other targets
  • Multiple FTP commands are vulnerable (USER, PASS, STOR, MKD, CWD); CVE-2013-4730 is formally attributed to USER, but exploitation extends to the other commands