Vulnserver BOF

Run vulnserver as Administrator, then run Immunity Debugger as Administrator as well; we do this so that the shell we get at the end inherits those privileges instead of running as a low-privileged user. In Immunity, attach to the vulnserver process (File > Attach) and then press F9 (Run), because attaching leaves the process paused.

After the debugger is running, go to your Kali machine and open a netcat connection to vulnserver (it listens on TCP port 9999 by default) to begin the spiking process. Sending HELP lists the commands the server accepts; those are the commands we will spike one at a time.

We will use generic_send_tcp from SPIKE to start the spiking process; the screenshot above shows the syntax. Its arguments are the target host, the port, the .spk script, and two skip values (SKIPVAR and SKIPSTR, both 0 to start from the beginning of the script).

This is the spiking script we will use. It targets STATS, one of the commands vulnserver listed.

Spiking STATS doesn't generate any errors on the Kali side, and in the debugger nothing crashed either.

But when we do the same for TRUN the server crashes immediately; we can confirm this in the debugger as well.

A couple of things to note in the registers pane: the program crashed with a bunch of A's in the registers, and we can also see the TRUN/…/ prefix at the start of the buffer.

41414141 is hex for a run of A's. In this screenshot we have overflowed the buffer and overwritten EIP with 41414141, which means we control the instruction pointer.

So now we know which command is vulnerable (TRUN). Next we need to find out exactly where in the buffer the overwrite of EIP happens. Instead of sending 3000 A's we send a cyclic pattern of the same length (for example one generated with msf-pattern_create), in which every four-byte sequence is unique.

Paste the pattern into the script in place of the A's and rerun it. The four bytes that land in EIP tell you exactly where the break is.

Once EIP has been overwritten with four bytes of the cyclic pattern, look that value up in the pattern (msf-pattern_offset takes the value as shown in the debugger and accounts for the little-endian byte order) to get the offset.

With this information we know the offset is 2002: the first 2002 bytes fill the buffer and the next 4 bytes land in EIP. Let's test this theory by sending 2002 A's followed by 4 B's.

Remove the cyclic pattern and replace it with 2002 A's and 4 B's.

We can confirm the offset is correct because EIP now reads 42424242, which is hex for BBBB. This is just a proof of concept that we control EIP; the B's will be replaced by a real return address later.
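To make the offset step concrete, here is the cyclic pattern and the offset lookup implemented in plain Python. This is an added example for this edit, not the author's script and not Metasploit's own code; it reimplements the same pattern Metasploit's pattern_create produces (Aa0Aa1Aa2 ...) so that the value Immunity shows in EIP can be turned into an offset without leaving the exploit script. The command-line names (create, offset) are this example's own.

```python
import string

# The classic cyclic pattern: Aa0Aa1Aa2 ... Aa9Ab0 ... Az9Ba0 ...
# Every 4-byte window in it is unique, so the 4 bytes that land in EIP
# identify exactly one position in the buffer.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern."""
    if length > MAX_UNIQUE:
        raise ValueError(f"pattern is only unique up to {MAX_UNIQUE} bytes")
    parts = []
    total = 0
    for up in UPPER:
        for lo in LOWER:
            for dg in DIGITS:
                if total >= length:
                    return "".join(parts)[:length]
                parts.append(up + lo + dg)
                total += 3
    return "".join(parts)[:length]


def pattern_offset(eip_hex, length=3000):
    """Translate the EIP value shown in the debugger into a buffer offset.

    `eip_hex` is the value exactly as Immunity displays it (e.g. "386F4337").
    x86 is little-endian, so the bytes were written to memory in the reverse
    order of that display; we reverse them back before searching. Returns the
    0-based offset of the 4 bytes that overwrote EIP, or -1 if they are not
    part of the pattern (e.g. "41414141" when only A's were sent).
    """
    raw = bytes.fromhex(eip_hex)
    needle = raw[::-1].decode("ascii", errors="replace")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and sys.argv[1] == "create":
        print(pattern_create(int(sys.argv[2])))     # paste this into the script
    elif len(sys.argv) == 3 and sys.argv[1] == "offset":
        print(pattern_offset(sys.argv[2]))          # e.g. offset 386F4337
    else:
        print("usage: pattern.py create <length> | offset <EIP as shown in Immunity>")
```

The byte-order detail is the one that bites people: the debugger shows EIP as a 32-bit number, so the character that was first in memory appears last in the display. Searching for the displayed bytes without reversing them either finds nothing or finds the wrong place.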

Next, search for a bad characters ("badchars") list and paste the badchars variable from the GitHub result into the script, right after the 4 B's. It is simply every byte value from \x01 to \xff; \x00 is left out because it terminates the string and would cut the payload short.

After you run the script, right-click ESP in the registers pane and choose "Follow in Dump". You will see the A's you sent (41), then the B's (42), and then the bad character bytes 01 through FF.

We expect the bytes in order: 01, 02, ... 09, then 0A through 0F, then 10, and so on up to FF.
Because the list is sequential, any byte that is missing, out of place, or replaced by another value in the dump is a bad character, and it has to be excluded when the shellcode is generated or the shellcode will be corrupted in memory.
For vulnserver the only bad character is \x00, which this list already leaves out, so the dump should be unbroken from 01 to FF.

When finding the right module we are looking for a loaded DLL that has no memory protections (no Rebase, SafeSEH, ASLR, or DEP), so that the address of the instruction we jump to is the same every time the program runs.

Use !mona jmp -r esp to find JMP ESP instructions in modules with no memory protection; each result is a candidate return address.
We chose the first one, 625011af. Remember that the address has to be written into the script in little-endian byte order (\xaf\x11\x50\x62), not in the order the debugger displays it.

Go to the debugger, navigate to that address (Ctrl+G, then enter 625011af) and set a breakpoint on it by pressing F2. Then replace the 4 B's in the script with the return address and run it again.

The breakpoint hits: we successfully turned EIP into the JMP ESP address from the mona output, so execution will continue at ESP, which points at the data right after the return address in our buffer.

Now generate the shellcode with msfvenom (excluding the bad character \x00 so it survives in memory) and add it to the Python script after the return address.

Here we added the shellcode from msfvenom, together with a few NOP bytes (\x90) as padding between the return address and the shellcode, which gives the encoded shellcode room to unpack itself before it runs.

Earlier, in my first payload, I used the wrong IP address. Make sure to use the IP address of the "attacking" machine; in my case the correct IP address is the VM IP address.




eJPT | Sec+ | Cyber Security Enthusiast. I plan on obtaining the ecpptv2 and OSCP in 2021. Just documenting my experience of becoming a pentester along the way.
