Run vulnserver as an admin. Then run immunity debugger as an admin we do this so when we get the shell we will already be root. Attach vulnserver to immunity and run.

After you run the debugger go to your kali machine and set up the netcat connectiion to begin the spiking process.

We will use generic_send_tcp to start the spike process
The screenshot above shows the syntax

This is the spiking script we will use we got the STATS from the vulnserver

we aren’t generating any errors

Also in the debugger we aren’t generating any errors/ nothing crashed

But when we do the same for TRUN we immediately see that it crashed we can also check in debugger as well

Couple things to note would be the registers section we see it crashed with a bunch of A’s Also we see the TRUN/…/

414141 IS HEX FOR A BUNCH OF A’s In this screenshot we successfully overwritten the buffer space and written to the EIP

So now we know which program is vulnerable (TRUN ) WE NEED TO FIND OUT WHERE in the program the vulnerability is located. We can do that by instead of generating 3000 A’s we can generate a cyclic pattern to send instead.

Copy and paste this inside the script and rerun the script. This will tell you exactly where the break is

Once we were able to change the EIP with the cyclic pattern we can find the offset

With this information we know that the breaking point is 2002. This means everything after the 2002 mark is the breaking point. Lets test this theory by sending 2002 A’s and then sending 4 B’s

Remove the cyclic pattern and replace with 2002 A’s and 4 Bs.

We can confirm that our script works because the EIP is now 424242 which is Hex for 4 B’s. This is just proof of concept

Next google badchars and you can just copy and paste the bad chars variable in the github link

After you run the script follow the “ESP to dump” and u will see the Hex A’s you sent (41 ) and you will see the Hex B’s u sent as well (42) Then you will see the badchars 01-FF

We expect a pattern from 01–09 then 0A-0F
Basically this list is in order so if anything is mussing from 01-ff that is a bad character and we would have to remove it in order for the script to work
This list only has x00 as a badchar

When finding the right module we are looking for something that doesn’t have memory protection.

use !mona jmp -r esp to find a return address with no memory protection
We chose the first module 625011af

Go to debugger and set the breakpoint by pressing f2

We successfully were able to turn the EIP into the jmp address from the mona module

Now generate the shellcode and add to the python script

Here we added the shellcode from msfvenom
We added the padding as well

Earlier in my first payload I used the wrong IP address make sure to use the IP address of the “attacking” machine. IN my case the cprrect IP address is the VM Ip address

eJPT | Sec+ | Cyber Security Enthusiast. I plan on obtaining the ecpptv2 and OSCP in 2021. Just documenting my experience of becoming a pentester along the way.