CVE-2019-16724 - File Sharing Wizard Remote Unauthenticated SEH Overflow Writeup

When sending a remote HTTP POST request to the web server application, an attacker can obtain arbitrary code execution by sending too much data and exploiting an SEH-based buffer overflow.

# Exploit Title: File sharing wizard remote SEH overflow
# Date: 9/23/2019
# Exploit Author: x00pwn
# Vendor Homepage: http://www.sharing-file.com
# Software Link: https://file-sharing-wizard.soft112.com/
# Version: 1.5.0	
# Tested on: Windows 7
# CVE : CVE-2019-16724

Exploit-db page: https://www.exploit-db.com/exploits/47412

Assigned CVE ID: CVE-2019-16724

Metasploit module: https://www.rapid7.com/db/modules/exploit/windows/http/file_sharing_wizard_seh


This remote SEH-based buffer overflow exploit takes advantage of the web server not properly handling input in the HTTP POST header. Via the buffer overflow, an attacker can overwrite and take control of the SEH and nSEH handlers, and use a standard POP/POP/RET sequence plus a short JMP over the SEH handler to execute arbitrary code against a remote system. This exploit uses a calc.exe shellcode payload generated by msfvenom.
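SafeSEH, ASLR and DEP are the build-time mitigations aimed at this class of SEH overwrite, so a defender's first check is whether the binaries a service loads were linked with them. The following is an added example, not part of the original writeup or exploit: a Python audit of the PE header flags, where `audit_pe`, `sample_header` and the sample header bytes are constructed for illustration.

```python
import struct

# DllCharacteristics bits from winnt.h
DYNAMIC_BASE, NX_COMPAT, NO_SEH = 0x0040, 0x0100, 0x0400
LOAD_CONFIG = 10  # data-directory index of the load-config entry

def audit_pe(data: bytes) -> dict:
    """Read mitigation flags from the headers of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe,) = struct.unpack_from("<I", data, 0x3C)         # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, pe + 4)
    opt = pe + 24                                        # optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional-header magic")
    (chars,) = struct.unpack_from("<H", data, opt + 70)  # DllCharacteristics
    dirs = opt + (96 if magic == 0x10B else 112)         # data directories
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    cfg_size = 0
    if count > LOAD_CONFIG:
        _, cfg_size = struct.unpack_from("<II", data, dirs + 8 * LOAD_CONFIG)
    return {
        "aslr": bool(chars & DYNAMIC_BASE),
        "dep": bool(chars & NX_COMPAT),
        "no_seh": bool(chars & NO_SEH),
        # No load-config directory means an x86 SEH image has no SafeSEH table.
        "lacks_safeseh": machine == 0x014C and not chars & NO_SEH and cfg_size == 0,
    }

def sample_header(chars: int, cfg_size: int) -> bytes:
    """Constructed i386 PE32 header for the demo (headers only, not loadable)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x014C)            # Machine = i386
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<H", img, opt + 70, chars)
    struct.pack_into("<I", img, opt + 92, 16)
    struct.pack_into("<II", img, opt + 96 + 8 * LOAD_CONFIG, 0x3000, cfg_size)
    return bytes(img)

if __name__ == "__main__":
    print(audit_pe(sample_header(0, 0)))
    print(audit_pe(sample_header(DYNAMIC_BASE | NX_COMPAT, 0x48)))
```

A present load-config directory only makes SafeSEH possible; confirming it requires reading `SEHandlerTable` and `SEHandlerCount` from that directory.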

Since a few other exploits exist for the same application, just abusing other HTTP parameters, this was added to exploit-db without contacting the original company, since they wouldn't respond. The software application is also now deprecated and has been changed: a newer version of this product was not listed as being vulnerable to this exploit, meaning the authors fixed it.

After disclosing this on exploit-db, this was added as a Metasploit module to the MSF project.


Popping calculator:

[Image: proof of calc]