cbcvebase.
CVE-2019-16724
published 2019-09-24

CVE-2019-16724: File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary code execution by exploiting a Structured Exception Handler (SEH) based buffer overflow…

Priority P275 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 72.16% (99.4th percentile)

File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary code execution by exploiting a Structured Exception Handler (SEH) based buffer overflow in an HTTP POST parameter, a similar issue to CVE-2010-2330 and CVE-2010-2331.

Affected

1 range
Vendor | Product | Version range | Fixed in
upredsun | file_sharing_wizard | |

Detection & IOCs (extracted from sources)

command: POST <1040*A><NSEH><SEH><NOP*100><shellcode> HTTP/1.0
path: C:\Program Files (x86)\File Sharing Wizard\bin\MSVCR71.dll
bytes: |eb 32 90 90 7f a6 38 7c|
snort:
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET FILE_SHARING File Sharing Wizard 1.5.0 - SEH Overflow Inbound (CVE-2019-16724)"; flow:established,to_server; content:"|eb 32 90 90 7f a6 38 7c|"; fast_pattern; content:"|20|HTTP/"; distance:0; content:"|0d 0a 0d 0a|"; distance:3; within:4; reference:cve,2019-16724; classtype:attempted-admin; sid:2034092; rev:3; metadata:attack_target Server, created_at 2021_10_01, cve CVE_2019_16724, deployment Perimeter, deployment Internal, former_category EXPLOIT, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

  • The exploit triggers a SEH-based buffer overflow via an HTTP POST request. The NSEH value (short JMP forward 32 bytes: 0x909032EB / bytes EB 32 90 90) and SEH overwrite (POP POP RET gadget at 0x7c38a67f / bytes 7F A6 38 7C from MSVCR71.dll) appear contiguously in the payload. The Snort/ET rule fast-pattern byte sequence |eb 32 90 90 7f a6 38 7c| is the primary network detection anchor.
  • The SEH overwrite occurs at a fixed offset of 1044 bytes into the POST request body ('overflowed SEH handler - 42386942 : [*] Exact match at offset 1044'). Network sensors should flag POST requests to HTTP servers where the body contains this offset pattern.
  • The gadget used for SEH overwrite (POP ECX # POP ECX # RET) resides in MSVCR71.dll, which is loaded without ASLR, Rebase, or SafeSEH protections. Presence of this DLL in the File Sharing Wizard process without those mitigations is a prerequisite for exploitation.
  • A similar exploit vector exists via the HTTP DELETE method (CVE-2019-17415), so detection rules should also cover DELETE requests with the same SEH byte pattern to the same target application.
  • The Snort/ET rule (sid:2034092) targets inbound traffic to $HOME_NET and $HTTP_SERVERS. Ensure these variables are correctly scoped to include hosts running File Sharing Wizard 1.5.0 to avoid missed detections.
  • The only bad character for the shellcode is \x00 (null byte). Payload variants may encode differently but must avoid null bytes; detection signatures relying solely on shellcode bytes may be evaded by re-encoding.
  • The exploit was tested on Windows 7 only. Behavior on other Windows versions may differ, and the fixed ROP gadget address (0x7c38a67f in MSVCR71.dll) is version-specific (v7.10.6030.0).
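
The content chain of the Snort/ET rule above, reimplemented in Python as an added example (not code from the rule's authors or from this page's sources) so it can be run over reassembled client requests of any method, including the DELETE variant noted above. The function names, the constructed sample requests, and the choice to count offsets from the first byte after the method are assumptions of this example.

```python
from typing import Optional

# NSEH (EB 32 90 90) + SEH overwrite (7F A6 38 7C): the rule's fast_pattern.
SEH_PATTERN = bytes.fromhex("eb3290907fa6387c")
PAGE_SEH_OFFSET = 1044  # SEH overwrite offset quoted on the page


def inspect_request(buf: bytes) -> Optional[dict]:
    """Apply the rule's three-content chain to one reassembled client request."""
    method, sep, rest = buf.partition(b" ")
    if not sep:
        return None
    pos = rest.find(SEH_PATTERN)
    if pos < 0:
        return None
    # content:"|20|HTTP/"; distance:0 -> anywhere after the first match.
    start = pos + len(SEH_PATTERN)
    while (http := rest.find(b" HTTP/", start)) >= 0:
        # content:"|0d 0a 0d 0a|"; distance:3; within:4 -> CRLFCRLF must start
        # exactly 3 bytes after " HTTP/" (room for a version such as "1.0").
        end = http + len(b" HTTP/") + 3
        if rest[end:end + 4] == b"\r\n\r\n":
            return {
                "method": method.decode("ascii", "replace"),
                # Assumption: offset counted from the byte after "<method> ".
                "seh_offset": pos + 4,
                "offset_matches_page": pos + 4 == PAGE_SEH_OFFSET,
            }
        start = http + 1
    return None


def sample_request(method: bytes, filler: int, tail: bytes = b"\r\n\r\n") -> bytes:
    # Constructed test input: inert filler plus the 8 signature bytes, no shellcode.
    return (method + b" " + b"A" * filler + SEH_PATTERN + b"B" * 16
            + b" HTTP/1.0" + tail)


if __name__ == "__main__":
    for name, req in [
        ("POST, page offset", sample_request(b"POST", 1040)),
        ("DELETE, shifted offset", sample_request(b"DELETE", 900)),
        ("benign upload", b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ]:
        print(name, "->", inspect_request(req))
```

The chain keys on the SEH bytes and the end of the request line, not on the method, and `offset_matches_page` separates requests that match the published 1044-byte layout from ones that only share the byte pattern.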

CVSS provenance

nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P