├── 1 ├── vulnfox.dll └── vulnfox.exe ├── 2 ├── vulnfox.dll └── vulnfox.exe ├── 3 ├── vulnfox.dll └── vulnfox.exe ├── 4 ├── vulnfox.dll └── vulnfox.exe ├── 5 ├── vulnfox.dll └── vulnfox.exe ├── 6 ├── vulnfox.dll └── vulnfox.exe ├── 7 ├── vulnfox.dll └── vulnfox.exe ├── 8 ├── vulnfox.dll └── vulnfox.exe ├── 9 ├── vulnfox.dll └── vulnfox.exe ├── 10 ├── vulnfox.dll └── vulnfox.exe ├── 11 ├── vulnfox.dll └── vulnfox.exe ├── 12 ├── vulnfox.dll └── vulnfox.exe ├── README.md └── src ├── access.c ├── compile.bat └── funcs_access.c /1/vulnfox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/1/vulnfox.dll -------------------------------------------------------------------------------- /1/vulnfox.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/1/vulnfox.exe -------------------------------------------------------------------------------- /10/vulnfox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/10/vulnfox.dll -------------------------------------------------------------------------------- /10/vulnfox.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/10/vulnfox.exe -------------------------------------------------------------------------------- /11/vulnfox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/11/vulnfox.dll 
-------------------------------------------------------------------------------- /11/vulnfox.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/11/vulnfox.exe -------------------------------------------------------------------------------- /12/vulnfox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/12/vulnfox.dll -------------------------------------------------------------------------------- /12/vulnfox.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/12/vulnfox.exe -------------------------------------------------------------------------------- /2/vulnfox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/2/vulnfox.dll -------------------------------------------------------------------------------- /2/vulnfox.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/2/vulnfox.exe -------------------------------------------------------------------------------- /3/vulnfox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/3/vulnfox.dll -------------------------------------------------------------------------------- /3/vulnfox.exe: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/3/vulnfox.exe -------------------------------------------------------------------------------- /4/vulnfox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/4/vulnfox.dll -------------------------------------------------------------------------------- /4/vulnfox.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/4/vulnfox.exe -------------------------------------------------------------------------------- /5/vulnfox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/5/vulnfox.dll -------------------------------------------------------------------------------- /5/vulnfox.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/5/vulnfox.exe -------------------------------------------------------------------------------- /6/vulnfox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/6/vulnfox.dll -------------------------------------------------------------------------------- /6/vulnfox.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/6/vulnfox.exe -------------------------------------------------------------------------------- /7/vulnfox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/7/vulnfox.dll -------------------------------------------------------------------------------- /7/vulnfox.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/7/vulnfox.exe -------------------------------------------------------------------------------- /8/vulnfox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/8/vulnfox.dll -------------------------------------------------------------------------------- /8/vulnfox.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/8/vulnfox.exe -------------------------------------------------------------------------------- /9/vulnfox.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/9/vulnfox.dll -------------------------------------------------------------------------------- /9/vulnfox.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/foxlox/OSCP_Windows_Buffer_Overflow/fbf795c8c8d8f54cf7c5191b83424610465e4508/9/vulnfox.exe 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OSCP_Windows_Buffer_Overflow 2 | Vulnerable Windows 32-bit executables for OSCP exam training 3 | 4 | Enjoy these executables to test yourself on Windows buffer overflows! 5 | 6 | There are few examples around, and the four we all know well are the ones that always get run. Here you will find 12 NEW ones; I will be glad to hear that you wrote a writeup to share with others. 7 | 8 | 9 | Note: each .exe needs its own .dll 10 | 11 | 12 | *fox 13 | 14 | 15 | fox at thebrain dot net 16 | 17 | foxlox#1089 on discord 18 | -------------------------------------------------------------------------------- /src/access.c: -------------------------------------------------------------------------------- 1 | #define _WIN32_WINNT 0x501 2 | 3 | /* 4 | This software is a deliberately vulnerable threaded TCP server application 5 | 6 | This is vulnerable software, don't run it on an important system! The author assumes no responsibility if 7 | you run this software and your system gets compromised, because this software was designed to be exploited! 8 | 9 | Forked and modified by Fortunato Lodari fox@thebrain.net (foxlox), starting from the Vulnserver sources written by Stephen Bradshaw in 2010. 10 | 11 | Original Copyright (c) 2010, Stephen Bradshaw 12 | All rights reserved. 
13 | 
14 | */
15 | 
     /* NOTE(review): the four #include lines below carry no header names on
      * this page; the names appear to have been lost when the listing was
      * extracted. */
16 | #include
17 | #include
18 | #include
19 | #include
20 | 
21 | #define VERSION "1.00"
22 | #define DEFAULT_BUFLEN 4096
23 | #define DEFAULT_PORT "23"
24 | 
25 | 
     /* Function1..Function4 are only declared here. The copy routines defined
      * after main are named f1..f4, and no definition of Function1..Function4
      * is visible on this page. */
26 | void Function1(char *Input);
27 | void Function2(char *Input);
28 | void Function3(char *Input);
29 | void Function4(char *Input);
30 | DWORD WINAPI ConnectionHandler(LPVOID CSocket);
31 | 
32 | 
     /*
      * main - start the TCP listener and hand every accepted connection to a
      * new thread running ConnectionHandler.
      *
      * argv[1], when present, is the port to listen on; with no argument
      * DEFAULT_PORT ("23") is used. More than one argument, or a port that
      * fails the check on line 40, prints the usage text and returns 1.
      *
      * Returns 1 when WSAStartup, getaddrinfo, socket, bind, listen or accept
      * fails. The accept loop has no other exit: ListenSocket is never
      * reassigned inside it, so the cleanup and `return 0` after the loop are
      * reached only if ListenSocket is zero.
      */
33 | int main( int argc, char *argv[] ) {
34 |     char PortNumber[6];
35 |     const char Usage[94] = "Usage: %s [port_number]\n\nIf no port number is provided, the default port of %s will be used.\n";
36 |     if ( argc > 2) {
37 |         printf(Usage, argv[0], DEFAULT_PORT);
38 |         return 1;
39 |     } else if ( argc == 2 ) {
             /* NOTE(review): strlen(argv[1]) < 7 accepts a 6-character
              * argument. strncpy(PortNumber, argv[1], 6) then fills all six
              * bytes of PortNumber and writes no terminating NUL, and
              * PortNumber is later passed to getaddrinfo as a string. A bound
              * of `< 6` would keep room for the terminator. */
40 |         if ( (atoi(argv[1]) > 0) && (atoi(argv[1]) < 65536) && (strlen(argv[1]) < 7) ) {
41 |             strncpy(PortNumber, argv[1], 6);
42 |         } else {
43 |             printf(Usage, argv[0], DEFAULT_PORT);
44 |             return 1;
45 |         }
46 |     } else {
47 |         strncpy(PortNumber, DEFAULT_PORT, 6);
48 |     }
         /* VERSION is passed, but the format string has no conversion for it,
          * so the version is never printed. */
49 |     printf("Starting vulnerable software (BOF)\n", VERSION);
         /* No declaration of auxfunc1 is visible in this listing; it may come
          * from one of the headers whose names are missing above. */
50 |     auxfunc1(); // Call function from external dll
         /* NOTE(review): "!n\n" prints a literal 'n'; probably meant "!\n\n". */
51 |     printf("\nThis is vulnerable software!\nDo not allow access from untrusted systems or networks!n\n");
52 |     WSADATA wsaData;
53 |     SOCKET ListenSocket = INVALID_SOCKET,
54 |     ClientSocket = INVALID_SOCKET;
55 |     struct addrinfo *result = NULL, hints;
56 |     int Result;
         /* res1 is referenced only by the commented-out lines 86-88 and 90. */
57 |     struct sockaddr_in res1,ClientAddress;
58 |     int ClientAddressL = sizeof(ClientAddress);
59 | 
60 |     Result = WSAStartup(MAKEWORD(2,2), &wsaData);
61 |     if (Result != 0) {
62 |         printf("WSAStartup failed with error: %d\n", Result);
63 |         return 1;
64 |     }
65 | 
         /* IPv4 TCP listener. With a NULL node name and AI_PASSIVE,
          * getaddrinfo returns the wildcard address, so the bind on line 89
          * listens on every local IPv4 interface, not only on loopback. */
66 |     ZeroMemory(&hints, sizeof(hints));
67 |     hints.ai_family = AF_INET;
68 |     hints.ai_socktype = SOCK_STREAM;
69 |     hints.ai_protocol = IPPROTO_TCP;
70 |     hints.ai_flags = AI_PASSIVE;
71 | 
72 |     Result = getaddrinfo(NULL, PortNumber, &hints, &result);
73 |     if ( Result != 0 ) {
74 |         printf("Getaddrinfo failed with error: %d\n", Result);
75 |         WSACleanup();
76 |         return 1;
77 |     }
78 | 
79 |     ListenSocket = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
80 |     if (ListenSocket == INVALID_SOCKET) {
81 |         printf("Socket failed with error: %ld\n", WSAGetLastError());
82 |         freeaddrinfo(result);
83 |         WSACleanup();
84 |         return 1;
85 |     }
         /* The commented-out lines 86-88 and 90 are an alternative bind to
          * 127.0.0.1 port 23 through res1; the active code binds the
          * getaddrinfo result instead. */
86 |     // res1.sin_family = AF_INET;
87 |     // res1.sin_addr.s_addr = inet_addr("127.0.0.1");
88 |     // res1.sin_port=htons(23);
89 |     Result = bind( ListenSocket, result->ai_addr, (int)result->ai_addrlen);
90 |     // Result = bind( ListenSocket, (struct sockaddr *)&res1, sizeof(res1));
91 |     if (Result == SOCKET_ERROR) {
             /* This failure path returns without freeaddrinfo(result); the
              * list is released only after a successful bind (line 98). */
92 |         printf("Bind failed with error: %d\n", WSAGetLastError());
93 |         closesocket(ListenSocket);
94 |         WSACleanup();
95 |         return 1;
96 |     }
97 | 
98 |     freeaddrinfo(result);
99 | 
100 |     Result = listen(ListenSocket, SOMAXCONN);
101 |     if (Result == SOCKET_ERROR) {
102 |         printf("Listen failed with error: %d\n", WSAGetLastError());
103 |         closesocket(ListenSocket);
104 |         WSACleanup();
105 |         return 1;
106 |     }
107 |     while(ListenSocket) {
108 |         printf("Waiting for client connections...\n");
109 | 
110 |         ClientSocket = accept(ListenSocket, (SOCKADDR*)&ClientAddress, &ClientAddressL);
111 |         if (ClientSocket == INVALID_SOCKET) {
                  /* A single failed accept closes the listener and ends the
                   * whole server process. */
112 |             printf("Accept failed with error: %d\n", WSAGetLastError());
113 |             closesocket(ListenSocket);
114 |             WSACleanup();
115 |             return 1;
116 |         }
117 | 
              /* htons is applied to a port that is already in network byte
               * order; the intended conversion is ntohs (the same byte swap). */
118 |         printf("Received a client connection from %s:%u\n", inet_ntoa(ClientAddress.sin_addr), htons(ClientAddress.sin_port));
              /* The socket is passed by value, cast to LPVOID. The returned
               * thread handle is discarded, so a failed CreateThread goes
               * unnoticed and the handle is never closed. */
119 |         CreateThread(0,0,ConnectionHandler, (LPVOID)ClientSocket , 0,0);
120 | 
121 |     }
122 | 
123 |     closesocket(ListenSocket);
124 |     WSACleanup();
125 | 
126 |     return 0;
127 | }
128 | 
129 | 
      /*
       * f1..f4 - each copies the NUL-terminated string Input into a fixed-size
       * stack array with strcpy(), which performs no length check: an Input of
       * sizeof Buffer2S characters or more is written past the end of the
       * array. The file header describes the program as deliberately
       * vulnerable, and these unbounded copies are consistent with that.
       * Their callers are not visible on this page (ConnectionHandler is cut
       * off in the listing). The bounded form used in code that is not a
       * training target is
       *     snprintf(Buffer2S, sizeof Buffer2S, "%s", Input);
       */
      /* f1: 140-byte destination. */
130 | void f1(char *Input) {
131 |     char Buffer2S[140];
132 |     strcpy(Buffer2S, Input);
133 | }
134 | 
      /* f2: 60-byte destination. */
135 | void f2(char *Input) {
136 |     char Buffer2S[60];
137 |     strcpy(Buffer2S, Input);
138 | }
139 | 
      /* f3: 1890-byte destination. */
140 | void f3(char *Input) {
141 |     char Buffer2S[1890];
142 |     strcpy(Buffer2S, Input);
143 | }
144 | 
      /* f4: 1000-byte destination. */
145 | void f4(char *Input) {
146 |     char Buffer2S[1000];
          /* End of f4: unbounded strcpy into the 1000-byte stack array
           * declared on the line before. */
147 |     strcpy(Buffer2S, Input);
148 | }
149 | 
150 | 
      /*
       * ConnectionHandler - thread entry point for one client connection.
       * CSocket is the accepted SOCKET, which main passes cast to LPVOID.
       *
       * Sends the "Verification Code:" prompt and then loops on recv().
       * Returns 1 if that first send fails. Only the start of the function is
       * present on this page (see the note after line 172), so the handling
       * of received data and the normal return path are not documented here.
       */
151 | DWORD WINAPI ConnectionHandler(LPVOID CSocket) {
152 |     int RecvBufLen = DEFAULT_BUFLEN;
          /* Neither malloc result is checked; the memset of RecvBuf on line
           * 158 would dereference NULL if the allocation failed. */
153 |     char *RecvBuf = malloc(DEFAULT_BUFLEN);
154 |     char BigEmpty[1000];
155 |     char *GdogBuf = malloc(1024);
156 |     int Result, SendResult, i, k;
157 |     memset(BigEmpty, 0, 1000);
158 |     memset(RecvBuf, 0, DEFAULT_BUFLEN);
159 |     SOCKET Client = (SOCKET)CSocket;
          /* The literal is 19 characters long; a length of 20 also sends its
           * terminating NUL byte. */
160 |     SendResult = send( Client, "Verification Code:\n", 20, 0 );
161 |     if (SendResult == SOCKET_ERROR) {
162 |         //printf("Send failed with error: %d\n", WSAGetLastError());
              /* RecvBuf and GdogBuf are not freed on this return path. */
163 |         closesocket(Client);
164 |         return 1;
165 |     }
          /* CSocket is not modified in the part of the loop visible here. */
166 |     while (CSocket) {
              /* recv may fill all DEFAULT_BUFLEN (4096) bytes of RecvBuf, in
               * which case the buffer holds no NUL terminator. */
167 |         Result = recv(Client, RecvBuf, RecvBufLen, 0);
168 |         if (Result > 0) {
                  /* malloc result unchecked. strncpy copies at most 2900
                   * bytes and adds no terminator when the source has no NUL
                   * within them, so TrunBuf may be left unterminated. What
                   * the rest of the loop does with TrunBuf is not visible. */
169 |             char *TrunBuf = malloc(2900);
170 |             memset(TrunBuf, 0, 2900);
171 |             strncpy(TrunBuf, RecvBuf, 2900);
172 |             for (int k=0;k
      /* NOTE(review): the listing is cut here by extraction. The remainder of
       * ConnectionHandler and the start of the next file are missing from this
       * page. The line gutter restarts at 15 below; the directory tree names
       * src/funcs_access.c as the other source file, so what follows is
       * presumably that file - confirm against the repository. */
15 | 
16 | #define VERSION "1.00"
17 | 
     /* auxfunc1 - prints a fixed banner with five printf calls. VERSION is
      * passed to the first call, but its format string has no conversion for
      * it, so the version is not printed. */
18 | void auxfunc1() {
19 |     printf ("Called external function dll\n", VERSION);
20 |     printf("Made ");
21 |     printf("by ");
22 |     printf("calipendula\n");
23 |     printf("Commands\n");
24 | }
25 | 
26 | 
     /* auxfunc2 - the body is one inline-assembly statement (GNU AT&T syntax):
      * indirect jumps through ESP and EAX, two pops into EAX and a ret. It is
      * not called by any code visible on this page.
      * NOTE(review): presumably kept only so that these instruction sequences
      * are present in the DLL for the exercise the README describes - confirm. */
27 | void auxfunc2() {
28 |     __asm__("jmp *%esp\n\t"
29 |             "jmp *%eax\n\t"
30 |             "pop %eax\n\t"
31 |             "pop %eax\n\t"
32 |             "ret");
33 | }
34 | 
     /* auxfunc3 - same shape as auxfunc2, with the second jump through ECX and
      * the two pops into EBX. Not called by any code visible on this page. */
35 | void auxfunc3() {
36 |     __asm__("jmp *%esp\n\t"
37 |             "jmp *%ecx\n\t"
38 |             "pop %ebx\n\t"
39 |             "pop %ebx\n\t"
40 |             "ret");
41 | }
42 | 
43 | 
     /* Everything from line 44 to line 115 is commented out: further
      * inline-assembly stubs (auxfunc5..auxfunc9) and strcpy-into-stack-array
      * routines (auxfunc10..auxfunc14) of the same shape as the active code. */
44 | /*
45 | void auxfunc5() {
46 |     __asm__("jmp *%esp\n\t"
47 |             "jmp *%edi\n\t"
48 |             "pop %ebx\n\t"
49 |             "pop %ebx\n\t"
50 |             "ret");
51 | }
52 | 
53 | void auxfunc6() {
54 |     __asm__("jmp *%esp\n\t"
55 |             "jmp *%edx\n\t"
56 |             "pop %ecx\n\t"
57 |             "pop %edx\n\t"
58 |             "ret");
59 | }
60 | 
61 | void auxfunc7() {
62 |     __asm__("jmp *%esp\n\t"
63 |             "jmp *%esi\n\t"
64 |             "pop %ecx\n\t"
65 |             "pop %eax\n\t"
66 |             "ret");
67 | }
68 | 
69 | 
70 | void auxfunc8() {
71 |     __asm__("jmp *%esp\n\t"
72 |             "jmp *%ebp\n\t"
73 |             "pop %eax\n\t"
74 |             "pop %edx\n\t"
75 |             "ret");
76 | }
77 | 
78 | 
79 | void auxfunc9() {
80 |     __asm__("jmp *%esp\n\t"
81 |             "jmp *%esp\n\t"
82 |             "jmp *-12(%esp)\n\t"
83 |             "pop %ecx\n\t"
84 |             "pop %ecx\n\t"
85 |             "ret");
86 | }
87 | 
88 | 
89 | void auxfunc10(char *Input) {
90 |     char Buffer2S[140];
91 |     strcpy(Buffer2S, Input);
92 | }
93 | 
94 | void auxfunc11(char *Input) {
95 |     char Buffer2S[60];
96 |     strcpy(Buffer2S, Input);
97 | }
98 | 
99 | 
100 | void auxfunc12(char *Status, char *Input) {
101 |     char Buffer2S[2000];
102 |     strcpy(Buffer2S, Input);
103 |     printf("%s", Status);
104 | }
105 | 
106 | void auxfunc13(char *Input) {
107 |     char Buffer2S[2000];
108 |     strcpy(Buffer2S, Input);
109 | }
110 | 
111 | void auxfunc14(char *Input) {
112 |     char Buffer2S[1000];
113 |     strcpy(Buffer2S, Input);
114 | }
115 | */
--------------------------------------------------------------------------------