Category: VulnServer

Fuzzing VulnServer with Peach

I followed this tutorial; however, I had installation problems. I decided to write down the steps to set up the whole environment. 1. First I created a Windows 7 32-bit VMware image. (I could not run it on Windows XP.) I disabled the Firewall. (Firewall is not a big problem, but if we let…


Vulnserver – KSTET command exploit with egghunter

After fuzzing, we created a PoC Python script. The value of EIP is 0x41414141: it is overwritten with our As. It is a simple buffer overflow exploit. (ESP points into the middle of the As buffer. See next picture.) However, only 90 A characters are in memory. This space is too small…


Vulnserver – HTER command buffer overflow exploit

The HTER command of VulnServer has a vulnerability. Let us try to create an exploit for this vulnerability. The PoC Python script: the script sends A characters. However, EIP is overwritten with 0xAAAAAAAA instead of 0x41414141. It seems our buffer is somehow converted into a hex byte array. Let us make a test and send a byte…


Vulnserver – GMON command SEH based overflow exploit

I ran Vulnserver.exe on a Windows 7 machine. In one of my previous posts I showed how Spike can be used to detect vulnerabilities. I also showed in a post the steps to create a buffer overflow exploit based on the TRUN command vulnerability. The GMON command has a vulnerability too; however, this vulnerability is SEH based. The proof of concept…


Vulnserver – TRUN command buffer overflow exploit

I ran Vulnserver.exe on a Windows 7 machine. In my previous post I showed how Spike can be used to detect vulnerabilities. The TRUN command has a vulnerability. The proof of concept Python script: 1. Identify the position of EIP. We sent 5050 “A” characters and EIP was overwritten with 41414141, which is the hex code…


Vulnserver – Fuzzing with Spike

Vulnserver is a program which intentionally contains vulnerabilities. After starting, the program listens on port 9999; however, another port can be used if we pass the port number as the first argument. For example, the following command starts vulnserver on port 6666: vulnserver.exe 6666. Vulnserver can be downloaded from here. Spike…