Vulnserver Introduction – Binary Exploitation Series

I'm starting my series on Vulnserver soon, so I wanted to give a brief introduction to it.

Vulnserver - Introduction

First of all, I know this post came out a little late. That said, I've been quite busy, plus I was celebrating my upgrade to level 30!

If you've followed my Twitter, or read that earlier post, then you know I've been working on the OSCE. My lab time is now over, and I've got my exam on 10 January!

Vulnserver - OSCE Tweet

That said, I'm hoping to go through at least some of the vulnserver challenges before the exam. This should give me some more practice, as well as actual exploits to blog about.

For more information, or to download the binary, visit the original post by Stephen Bradshaw.

You can also download the code from his GitHub repository.

Additional Write-ups

If you want to check out some more write-ups or tutorials in the meantime, definitely check out some of these.

Interacting with Vulnserver

Once you download the binary, you can run it by double-clicking on it. This will open up a command window displaying the current status. Note that it runs on port 9999 by default, but you can always change this if you want.

Vulnserver - Connection

To interact with the "server", you can just connect to the socket using a script or netcat. After connecting, you can send text commands and interact with each individual "method".

C:\netcat>nc.exe 127.0.0.1 9999
Welcome to Vulnerable Server! Enter HELP for help.
HELP
Valid Commands:
HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT
EXIT
GOODBYE
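The same exchange driven from a script instead of netcat, as an added example that is not part of the original post or of Vulnserver itself: the client connects, reads the welcome banner, sends one command line, and parses the HELP reply into the list of command names. The embedded HELP text is a constructed copy of the session above so parse_help() can be exercised offline; the assumption that each reply arrives in a single recv() chunk holds for the short replies shown here but is an assumption, not something the post states.

```python
import socket

# Constructed sample of the HELP exchange shown in the post (not captured
# from a live server); used to exercise parse_help() offline.
SAMPLE_HELP_RESPONSE = (
    "Valid Commands:\n"
    "HELP\n"
    "STATS [stat_value]\n"
    "RTIME [rtime_value]\n"
    "LTIME [ltime_value]\n"
    "SRUN [srun_value]\n"
    "TRUN [trun_value]\n"
    "GMON [gmon_value]\n"
    "GDOG [gdog_value]\n"
    "KSTET [kstet_value]\n"
    "GTER [gter_value]\n"
    "HTER [hter_value]\n"
    "LTER [lter_value]\n"
    "KSTAN [lstan_value]\n"
    "EXIT\n"
)


def parse_help(response: str) -> list:
    """Return the command names listed in a HELP response, in order.

    Each line after 'Valid Commands:' is 'NAME' or 'NAME [argument]';
    only the first token is the command name.  Text before the header
    (for example the welcome banner) is ignored.
    """
    commands = []
    seen_header = False
    for line in response.splitlines():
        line = line.strip()
        if not line:
            continue
        if not seen_header:
            if line.lower().startswith("valid commands"):
                seen_header = True
            continue
        commands.append(line.split()[0])
    return commands


def send_command(host: str, port: int, command: str, timeout: float = 2.0) -> str:
    """Connect, read the welcome banner, send one command line, return the reply.

    Assumption (not from the post): the server answers each command in a
    single recv()-sized chunk, which is true for the short replies shown.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.recv(4096)  # banner: "Welcome to Vulnerable Server! Enter HELP for help."
        sock.sendall(command.encode() + b"\n")
        return sock.recv(4096).decode(errors="replace")


def list_server_commands(host: str = "127.0.0.1", port: int = 9999) -> list:
    """Ask a running Vulnserver for HELP and return its command names."""
    return parse_help(send_command(host, port, "HELP"))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; point
    # list_server_commands() at a lab instance to query a live server.
    print(parse_help(SAMPLE_HELP_RESPONSE))
```

Against a running instance, list_server_commands() returns the same fourteen names the netcat session prints, which makes it a convenient first step for any script that wants to iterate over the methods by name.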

Finding Vulnerabilities

I won't go too in-depth in this post, but each of the methods in the binary is vulnerable and exploitable.

For example, here is a quick screenshot of my interaction with the TRUN method.

Vulnserver - EIP Control

As you can see, I have full control over EIP with my string of "A"s.

In this case, I'm sure it would be a fairly standard jump to my shellcode to obtain execution.
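Seen from the defender's side, the request that overwrote EIP above is simply a command whose argument is far longer than any legitimate value and is made of one repeated byte. The following added example (my own code, not from the post or from Vulnserver) runs that check over a constructed log of client requests and reports the entries that look like overflow attempts; the length threshold and the repeated-byte ratio are assumptions chosen for illustration, not values the post gives.

```python
from collections import Counter

# Command names Vulnserver advertises in its HELP output.
VULNSERVER_COMMANDS = {
    "HELP", "STATS", "RTIME", "LTIME", "SRUN", "TRUN", "GMON",
    "GDOG", "KSTET", "GTER", "HTER", "LTER", "KSTAN", "EXIT",
}

# Thresholds are assumptions for illustration, not values from the post.
MAX_ARG_LEN = 200          # longest argument a benign client would plausibly send
MIN_RUN_FRACTION = 0.8     # share of one byte value that marks a filler pattern
MIN_RUN_LEN = 32           # ignore the ratio check for very short arguments

# Constructed sample of logged client requests, one command line per entry
# (not real captured traffic).
SAMPLE_REQUESTS = [
    "HELP",
    "STATS 1",
    "TRUN " + "A" * 3000,
    "GMON /" + "B" * 500,
    "KSTET hello",
    "EXIT",
]


def analyze_request(line: str) -> dict:
    """Split one request into command and argument and attach overflow indicators."""
    parts = line.split(" ", 1)
    cmd = parts[0]
    arg = parts[1] if len(parts) > 1 else ""
    finding = {
        "command": cmd,
        "known": cmd in VULNSERVER_COMMANDS,
        "arg_len": len(arg),
        "reasons": [],
    }
    if len(arg) > MAX_ARG_LEN:
        finding["reasons"].append(
            f"argument length {len(arg)} exceeds {MAX_ARG_LEN}")
    if len(arg) >= MIN_RUN_LEN:
        top_byte, top_count = Counter(arg).most_common(1)[0]
        if top_count / len(arg) >= MIN_RUN_FRACTION:
            finding["reasons"].append(
                f"argument is {top_count / len(arg):.0%} the byte {top_byte!r}")
    return finding


def find_suspicious(lines) -> list:
    """Return the findings for every request that tripped at least one indicator."""
    return [f for f in (analyze_request(l) for l in lines) if f["reasons"]]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_REQUESTS):
        print(f["command"], f["arg_len"], "; ".join(f["reasons"]))
```

The two indicators are deliberately independent: a long argument of varied bytes (an encoded payload) still trips the length check, and a short but highly repetitive argument still trips the ratio check, so tuning one threshold does not silently disable the other.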

Vulnserver - Conclusion

I'm hoping to knock out most of the methods and exploits between now and my OSCE exam. That said, if I don't, then I'll likely finish it up over time.

If you have any specific methods or techniques that you'd like me to try, then please let me know!

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
