Awesome

Vulnserver: Fuzzing and Exploits

OS: Windows 7 SP1 version 6.1 (32 bits). All of them work (TRUN and GTER socket reuse scripts must be updated).

Exploits

GMON

• Vanilla Buffer Overflow

GTER

• Egghunter

• Socket reuse (buf variable must be updated, check notes)

HTER

• Hexadecimal encoding Buffer Overflow

KSTET

• Egghunter

• Socket reuse

LTER

• SEH (bypassing ASLR)

TRUN

• Vanilla Buffer Overflow

• Socket reuse (buf variable must be updated, check notes)

Fuzzing with Peach

1. Start Peach

C:\> peach.exe -a tcp

2. Run the "vulnserver.xml" Peach file and test the command you want:

C:\> peach.exe vulnserver.xml TestKSTET

Fuzzing with Boofuzz

1. Run the "vulnserver_boofuzz.py" Boofuzz file and test the command you want:

python vulnserver_boofuzz.py 192.168.112.145 9999 TRUN

2. Attach the process to OllyDbg to check when and how it crashes

Installation

Vulnserver:

• Download Vulnserver from https://github.com/stephenbradshaw/vulnserver

Ollydbg:

• Download OllyDbg from http://www.ollydbg.de/odbg110.zip

Peach (optional):

• Download and install .NET 4 from https://www.microsoft.com/en-us/download/details.aspx?id=17851

• Download and install Windows SDK from https://www.microsoft.com/en-us/download/details.aspx?id=8279

• Download Peach from https://sourceforge.net/projects/peachfuzz/

Boofuzz (optional)([docs]):

• pip install boofuzz

References

Fuzzing with Peach:

http://www.rockfishsec.com/2014/01/fuzzing-vulnserver-with-peach-3.html

https://sh3llc0d3r.com/fuzzing-vulnserver-with-peach/

KSTET Socket reuse

https://deceiveyour.team/2018/10/15/vulnserver-kstet-ws2_32-recv-function-re-use/

https://rastating.github.io/using-socket-reuse-to-exploit-vulnserver/

GTER Socket reuse

https://www.absolomb.com/2018-07-24-VulnServer-GTER/