FreeFloat FTP Server 1.0
Standard buffer overflow practice.
Setup
Standard VM setup:
Kali Linux
Windows 7 x86 Ultimate
Immunity debugger
Mona
x64dbg
Download FreeFloat FTP Server from here (https://www.exploit-db.com/exploits/17546). Make sure you run it inside the VM itself: the file may harm your computer. Be careful.
The application is a standalone binary which, once run, listens on port 21 on all interfaces and minimizes to the dock. Ensure that your firewall is turned off completely, otherwise port 21 may not be reachable.
Finding EIP offset
I am referring to the exploit here (https://www.exploit-db.com/exploits/17546), so we'll be exploiting the REST command after a successful login.
We can test that the crash works using the following python script.
And we have the following output in our debugger.
Now we'll try to find the exact offset of the EIP value using pwntools' cyclic function. We get 0x616D6361 as our EIP value, and on inspection with pwn cyclic we know that the offset value is 246.
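As an added example (not the write-up's own script), here is a self-contained re-implementation of the cyclic pattern and offset lookup, so you can see where 246 comes from without pwntools installed. It assumes the pwntools defaults: the lowercase alphabet and 4-byte subsequences, with the EIP value unpacked as little-endian.

```python
import string
import struct
from functools import lru_cache

ALPHABET = string.ascii_lowercase  # same default alphabet as pwntools' cyclic
SUBSEQ = 4                         # 4-byte windows: every 32-bit register value is unique


@lru_cache(maxsize=None)
def de_bruijn(alphabet: str = ALPHABET, n: int = SUBSEQ) -> str:
    """Lexicographically smallest de Bruijn sequence B(k, n) via the FKM algorithm.

    Every length-n window appears exactly once, which is what lets a crashed
    EIP value be mapped back to a single offset in the sent data."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern (the junk that replaces the REST argument)."""
    return de_bruijn()[:length].encode()


def cyclic_find(value) -> int:
    """Offset of a crashed register value (int or 4 raw bytes) in the pattern, or -1."""
    if isinstance(value, int):
        value = struct.pack("<I", value)  # x86 is little-endian: 0x616D6361 -> b"acma"
    return de_bruijn().find(value.decode())


if __name__ == "__main__":
    # Constructed values mirroring the write-up: EIP reads 0x616D6361 after the crash.
    print(cyclic(24))               # b'aaaabaaacaaadaaaeaaafaaa'
    print(cyclic_find(0x616D6361))  # 246
```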
Jumping to Shell-code
Now we have to find a way to jump to the shell-code. As is evident in the screenshot below, after the 246 bytes + EIP + garbage, our ESP points to the garbage.
So now, using x64dbg, we'll find a JMP ESP instruction. However, using mona.py I noticed that all the modules/DLLs loaded by the application have ASLR and rebase enabled, which means I may have a tough time getting hits on any dependable address. It turns out, though, that the module addresses do not change even when the application restarts.
I picked the first address out of all the results; choose any that you feel comfortable with.
Now we'll verify whether we actually jumped to ESP using the following python script with the JMP ESP instruction in place.
So we have successfully jumped to the ESP shell-code section. All we have to do now is generate the shell-code and pad it with a small NOP sled to ensure it definitely gets hit, and we are good to go.
Shell-code generation
We'll use msfvenom to generate the shell-code, excluding the few obvious bad characters so that the exploit does not break on them.
Final payload development
After running this, we have our reverse TCP shell on the machine. However, it is a local user shell, as the application runs as a user rather than as SYSTEM.