CVE-2018-9059
Published 2018-04-20
Priority P278 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 77.32% (99.5th percentile)
Stack-based buffer overflow in Easy File Sharing (EFS) Web Server 7.2 allows remote attackers to execute arbitrary code via a malicious login request to forum.ghp. NOTE: this may overlap CVE-2014-3791.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sharing-file | easy_file_sharing_web_server | — | — |
Detection & IOCs (extracted from sources)
- The exploit sends an HTTP POST to /forum.ghp with an oversized UserID cookie value (4071+ bytes) to trigger the stack-based buffer overflow; monitor for abnormally large UserID cookie values in requests to /forum.ghp.
- The overflow offset to nSEH is 4059 bytes; a UserID cookie value exceeding ~4059 bytes sent to /forum.ghp is a strong indicator of an exploitation attempt.
- The exploit uses a ROP chain built from ImageLoad.dll and sqlite3.dll gadgets to bypass DEP via VirtualProtect(); the presence of ROP gadget addresses from these modules in network traffic targeting EFS Web Server is suspicious.
- The Metasploit module exploits a SEH overflow in Easy File Sharing HTTP Server 7.2; detect SEH-based overflow patterns in HTTP traffic to this service.
- The bad characters for payload construction are known: \x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e. These are filtered by the server and should not appear in a valid overflow payload.
- The exploit was tested against specific OS versions; the ROP gadget addresses are tied to the specific versions of ImageLoad.dll and sqlite3.dll shipped with EFS Web Server 7.2 and may not be reliable across all installations.
- CVE-2018-9059 may overlap with CVE-2014-3791; detections should account for both CVE identifiers when triaging alerts against Easy File Sharing Web Server 7.2.
- The original exploit (EDB-44485) was tested on Windows XP Professional SP3, while the DEP bypass variant (EDB-44522) targets Windows 7 x86 SP1; detection logic should cover both environments.
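The cookie-length indicators above can be checked on captured requests as follows. This is an added detection example, not code from this page or from the exploit authors; `SANE_USERID_MAX`, the host name and the sample requests are constructed assumptions, while 4059 and 4071 are the lengths quoted above.

```python
from urllib.parse import urlsplit, unquote

NSEH_OFFSET = 4059      # offset to nSEH quoted on this page
SANE_USERID_MAX = 128   # assumption: tune to the UserID lengths your site really issues

def parse_request(raw: bytes):
    """Return (path, headers) from the head of a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    path = unquote(urlsplit(target).path).lower()       # drop query, fold case
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return path, headers

def userid_lengths(headers):
    """Byte length of every UserID cookie value, across all Cookie headers."""
    lengths = []
    for name, value in headers:
        if name != "cookie":
            continue
        for pair in value.split(";"):
            key, sep, val = pair.strip().partition("=")
            if sep and key.lower() == "userid":
                lengths.append(len(val.encode("latin-1")))
    return lengths

def classify(raw: bytes) -> str:
    """'alert' at or past the nSEH offset, 'suspicious' above the sane maximum."""
    try:
        path, headers = parse_request(raw)
    except ValueError:
        return "malformed"
    if not path.endswith("/forum.ghp"):
        return "ignore"
    # Assumption: the HTTP verb is not filtered; only the cookie length matters here.
    longest = max(userid_lengths(headers), default=0)
    if longest >= NSEH_OFFSET:
        return "alert"
    return "suspicious" if longest > SANE_USERID_MAX else "ok"

def sample(userid: bytes, target: bytes = b"/forum.ghp") -> bytes:
    """Constructed request for testing the classifier offline."""
    return (b"POST " + target + b" HTTP/1.1\r\nHost: efs.example\r\n"
            b"Cookie: SESSIONID=1; UserID=" + userid + b"\r\n\r\n")
```

Because every value is measured in bytes after header parsing, the same check works on proxy logs or packet captures that preserve the full Cookie header.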
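CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |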
No detection rules found.
Exploit-DB
Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass)
exploitdb·2018-04-24
---
#!/usr/bin/env python
#---------------------------------------------------------------------------------------------------#
# Exploit Title : Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass) #
# Date : 04/24/2018 #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : http://www.sharing-file.com/ #
# Software Link : http://www.sharing-file.com/efssetup.exe #
# Original Exploit: https://www.exploit-db.com/exploits/44485/ #
# Tested on : Windows 7 Enterprise (x86) - Service Pack 1 #
#---------------------------------------------------------------------------------------------------#
import requests
import s
Exploit-DB
Easy File Sharing Web Server 7.2 - Stack Buffer Overflow
exploitdb·2018-04-18·CVSS 9.8
---
# Exploit Title: Easy File Sharing Web Server 7.2 stack buffer overflow
# Date: 03/24/2018
# Exploit Author: rebeyond - http://www.rebeyond.net
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# CVE: CVE-2018-9059
# Tested on: Windows XP Professional SP3
#
# Description:
# Attackers just need to construct a malicious login request packet, and send the packet to the server. The server can be pwned
#
#
# The stack trace is as follows:
# (40d8.2980): Access violation - code c0000005 (first chance)
# r
# eax=41414141 ebx=00000001 ecx=ffffffff edx=08fb62a0 esi=08fb6280 edi=08fb62a0
# eip=61c277f6 esp=08fb61fc ebp=08fb6214 iopl=0 nv up ei pl nz na pe nc
# cs=0023 s
Metasploit
Easy File Sharing HTTP Server 7.2 SEH Overflow
metasploit
This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/147246/Easy-File-Sharing-Web-Server-7.2-Buffer-Overflow.html
- https://www.exploit-db.com/exploits/44485/
- https://www.exploit-db.com/exploits/44522/

Published: 2018-04-20