
Exploiting EasyCafe Server <= 2.2.14 Remote File Read

All the information described here should not be used for malicious purposes. The author of the post does not take responsibility for any illegal action you do. These posts are written only for educational purposes and for understanding vulnerabilities in order to prevent similar vulnerabilities in the future. If you do not agree, please leave this site.

I decided to audit a piece of software that is widely used in internet cafes here in Albania.
The software is called EasyCafe, and its website states that it is "The best Internet Cafe Management Software". First let me explain how this software works.

The software has a star topology: there is a server and there are clients, and from the server we control all the clients. We can upload and execute files, log a client in or out, and so on, and all of these things are done without any encryption, just plain-text data. Apart from the client being totally vulnerable to RCE, I found something more interesting. Let's open Wireshark and take a look at the transmitted data when you upload a file to a client.

If we look closely at the data transmitted from the server to the client, we can clearly see that the server sends a UDP request to client port 804 containing the path of the file that will be uploaded. After that, if the client received it successfully, it opens a TCP connection to the server on port 831. Let's look at what is being sent.

Anything familiar?

So the server sends the UDP request to the client; the client later connects to the server, sends back the file location it received in the UDP request, and receives the file. But what happens when we connect directly to the server and send a file location of our own choosing, with no prior UDP request? Boom, it works: the server hands over the file.
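To make the flaw concrete from the defender's side, here is an added model of the exchange described above. It is not EasyCafe's code or wire format (the post does not show either, so messages are modelled as plain Python values, and the server's files are a constructed in-memory table); `UPLOAD_ROOT`, `UploadServer` and the method names are assumptions of this example. The vulnerable handler does what the post describes: any peer that connects and names a path gets that file. The hardened handler only serves a path that the server itself announced to that exact peer, serves it once, and additionally refuses anything outside the upload directory after normalising `..` segments.

```python
"""Model of the EasyCafe-style upload exchange (added example, not EasyCafe code).

Step 1: server -> client, UDP/804, carries the path to fetch.
Step 2: client -> server, TCP/831, echoes the path and receives the file.
The defect is that step 2 is accepted from anyone, for any path.
"""
import posixpath
from typing import Dict, List, Optional

# Assumed: the only directory the server should ever serve files from.
UPLOAD_ROOT = "/srv/easycafe/updates"

# Constructed stand-in for the server's filesystem: absolute path -> contents.
SERVER_FILES: Dict[str, bytes] = {
    "/srv/easycafe/updates/client.exe": b"MZ-constructed-sample",
    "/etc/shadow": b"root:$6$constructed",  # must never leave the server
}


def inside_root(path: str, root: str = UPLOAD_ROOT) -> bool:
    """True if `path`, after collapsing '.' and '..', lies under `root`."""
    norm = posixpath.normpath(path)
    return norm == root or norm.startswith(root.rstrip("/") + "/")


class UploadServer:
    """Tracks which (client, path) pairs this server announced over UDP."""

    def __init__(self, files: Dict[str, bytes]) -> None:
        self.files = files
        self.pending: Dict[str, str] = {}   # client_ip -> announced path
        self.refused: List[str] = []        # audit trail of rejected requests

    def send_upload_request(self, client_ip: str, path: str) -> None:
        """Step 1: remember what we told this client to fetch."""
        self.pending[client_ip] = path

    def serve_vulnerable(self, peer_ip: str, requested: str) -> Optional[bytes]:
        """Step 2 as the post describes it: no check on who asks or for what."""
        return self.files.get(posixpath.normpath(requested))

    def serve_hardened(self, peer_ip: str, requested: str) -> Optional[bytes]:
        """Step 2 with the missing checks: solicited, one-shot, inside root."""
        expected = self.pending.get(peer_ip)
        if expected is None or expected != requested:
            self.refused.append(f"unsolicited request from {peer_ip} for {requested}")
            return None
        del self.pending[peer_ip]           # each announcement is usable once
        if not inside_root(requested):
            self.refused.append(f"path outside upload root: {requested}")
            return None
        return self.files.get(posixpath.normpath(requested))


if __name__ == "__main__":
    srv = UploadServer(SERVER_FILES)
    srv.send_upload_request("10.0.0.5", "/srv/easycafe/updates/client.exe")
    print("vulnerable, stranger asks for /etc/shadow:",
          srv.serve_vulnerable("10.0.0.99", "/etc/shadow"))
    print("hardened, stranger asks for /etc/shadow:",
          srv.serve_hardened("10.0.0.99", "/etc/shadow"))
    print("hardened, solicited client:",
          srv.serve_hardened("10.0.0.5", "/srv/easycafe/updates/client.exe"))
    for line in srv.refused:
        print("refused:", line)
```

The `refused` list is the part a defender would actually wire up in a real server: a TCP/831 connection that does not match an outstanding UDP/804 announcement is exactly the signal that someone is talking to the server directly, and it is cheap to log and alert on even where the product itself cannot be patched.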

I have already written an exploit for this vulnerability.

You can find it here:

In the exploit, modify the server IP and the file location, then run it.

Unfortunately, there is no patch available, so consider the risks before running flawed software.
Got any questions? Feel free to comment.
Thanks, Rio
