304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM

Vulnserver Introduction – Binary Exploitation Series

I’m starting my series on Vulnserver soon, so I wanted to give a brief introduction to it.

Vulnserver – Introduction

First of all, I know this post came out a little late. That said, I’ve been quite busy, plus I was celebrating my upgrade to level 30!

If you’ve followed my Twitter, or read that earlier post, then you know I’ve been working on the OSCE. My lab time is now over, and I’ve got my exam on 10 January!

Vulnserver - OSCE Tweet

That said, I’m hoping to go through at least some of the vulnserver challenges before the exam. This should give me some more practice, as well as actual exploits to blog about.

For more information, or to download the binary, then visit the original post by Stephen Bradshaw.

You can also download the code from his GitHub repository

Additional Write-ups

If you want to check out some more write-ups or tutorials in the meantime, then definitely check out some of these.

Interacting with Vulnserver

Once you download the binary, you can run it by double-clicking on it. This will open up a command window displaying the current status. Note that it runs on port 9999 by default, but you can always change this if you want.

Vulnserver - Connection

To interact with the “server”, you can just connect to the socket using a script or netcat. After connecting, you can send commands over text, and interact with each individual “method”.

C:\netcat>nc.exe 9999
Welcome to Vulnerable Server! Enter HELP for help.
Valid Commands:
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]

Finding Vulnerabilities

I won’t go too in-depth in this post, but each of the methods in the binary is vulnerable and exploitable.

For example, here is a quick screenshot of my interaction with the TRUN method.

Vulnserver - EIP Control

As you can see, I have full control over EIP with my string of “A”s.

In this case, I’m sure it would be a fairly standard jump to my shellcode to obtain execution.

Vulnserver – Conclusion

I’m hoping to knock out most of the methods and exploits between now and my OSCE exam. That said, if I don’t, then I’ll likely finish it up over time.

If you have any specific methods or techniques that you’d like me to try, then please let me know!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.