Vulnserver Walkthrough Part 1| OSCP Hands-on Technique | Done by Ishara Abeythissa

Now we gonna exploit application called vulnserver which will be really helpful for OSCP practical sessions. For this I’m going to use Kali Linux as my attacker machine As application I’m going to use vulnserver Files will be run on windows XP machine. , Spike Fuzzer. Instead of just guessing what will crash our program we’re going to utilize Boofuzz in order to fuzz the program! I’m going to skip over the installation for everything mentioned above, though I may make a post later on for installing Boofuzz if people are having trouble.

beginnings

Once we have everything downloaded and installed, we are going to run the executable on our Windows machine and should see something along these lines. I don’t advocate downloading and running random binaries, I’d recommend doing your due diligence and researching what exactly it is you’re running.

Executing Vulnserver on WINXP

As you can see application waiting for client to establish the connection

In attacker machine now I’m gonna use python socket based script for establish the connection with vulnserver application.

Victim Machine IP address

I was created simple python script for connect with vulnserver

Beginning simple script

After Executing Script We got this output from server

Now I was maintained our script for more inputs to the server

Sending HELP Arguments to server

Argument list got from server

By the way this challange realated to Buffer Overflow attack type. so we need find out next which feature in here vulnerable for BOF attack. For this now I’m launching mu fuzzer called spike for test BOF. In server side now i will use Ollydbg.

Create Spike templates

Spike templates describe the package formats of the communication. We can tell Spike, which parameters should be tested. For example, the following template will try to send various commands to Vulnserver.

s_readline();
s_string("STAT ");
s_string_variable("0");

We have a couple command, so that we can create similar templates for each command.

3. Send packages to Vulnserver with Spike

Spike is capable of sending TCP and UDP packages. For TCP packages, we use the generic_send_tcp command. The proper form is:

generic_send_tcp <IP address> <port number> <template name> <SKIPVAR> <SKIPSTR>

If the template contains more than one variable, we can test each one if we specify different values for SKIPVAR. In our case this is always zero.

Spike sends packages with different strings in place of variables. We can start from a certain point in the test if we specify value for SKIPSTR. If this value is zero, then SPIKE starts from the beginning.

Before we start to send packages, we have to set the environment first.

1. On Windows XP, Start vulnserver.
2. Start OllyDbg and attach to Vulnserver, then press the triangle, so that the debugger is not stopped.
3. On Kali, start Wireshark and start capturing.

Start fuzzer using spk script

Captured Packets during Fuzzer

As you can see in wire-shark shots. Fuzzer sends A’s to server application

Let’s refer Ollydgb outputs now

Output of Registers

As you can see EIP value was 41414141 this mean TRUN feature overwrite buffer with A ascii. :)

We have the format and size of the package that causes buffer overflow. The PoC python script:

Identify the position of EIP

We sent 5050 “A” characters and EIP was overwritten with 41414141, which is the hex code of the “A” character. EIP was overwritten with our buffer. If we find the position of the EIP in our buffer, then we can overwrite it with any value.

There is a metasploit tool which generates a unique pattern. If we send it instead of “A” characters, then we can find out the offset with another metasploit module. Generate the unique pattern:

/usr/share/metasploit-framework/tools/exploits/pattern_create.rb -l 5040

Random Character Script

Start the Vulnserver and OllyDbg. Attach the debugger to Vulnserver and press the triangle, so that the application is not blocked. Execute the PoC script with the pattern. The EIP is overwritten with a different value.

Buffer Overwrite With Chars

Execute the another metasploit tool with this value:

/usr/share/metasploit-framework/tools/exploits/pattern_offset.rb -l 386f4337

The output will be:

[*] Exact match at offset 2003

Update the PoC script the following way: First send 2003 A character, then send 4 B, then C characters.

EIP Overwrite By B’s

Find address for EIP

In this step we have to check the registers and the stack. We have to find a way to jump to our buffer to execute our code. ESP points to the beginning of the C part of our buffer. We have to find a JMP ESP or CALL ESP instruction. Do not forget, that the address must not contain bad characters!

Open the executable modules list in OllyDbg (press the E letter on the toolbar). Select a module, for example the ntdll.dll. (Vulnserv would not be a good choice as its address contains zero!)

ntdll.dll Base value

See you in Next Part :)