Jump to content

buffer overflow exploit: vulnserver with additional 20 bytes of data?


w01f
 Share

Recommended Posts

Quote

 

Vulnserver is a multithreaded Windows based TCP server that listens for client connections on port 9999 (by default) and allows the user to run a number of different commands that are vulnerable to various types of exploitable buffer overflows.

This software is intended mainly as a tool for learning how to find and exploit buffer overflow bugs, and each of the bugs it contains is subtly different from the others, requiring a slightly different approach to be taken when writing the exploit.

 

https://github.com/stephenbradshaw/vulnserver

In this tutorial, sh3llc0d3r created 5040 bytes data using Metasploit pattern_create.rb.

http://sh3llc0d3r.com/vulnserver-trun-command-buffer-overflow-exploit/

/usr/share/metasploit-framework/tools/pattern_create.rb 5040

But in the following Python script, he/she using 5060 instead of 5040.

buffer = "TRUN /.:/" + "A" * 2003 + "\x42\x42\x42\x42" + "C" * (5060 - 2003 - 4)

What happens to the other additional 20 bytes of data?

Where did it come from?

Link to comment
Share on other sites

They initially sent 5050 bytes and hit the overflow.

Then used the pattern to send 5040 bytes which found the overwrite of EIP at 2003 bytes in. If they had sent 2020 bytes or 6020, it wouldn't have mattered, the overflow of EIP was done at position 2003.

I don't know why 5040-5060 was used, there is probably a good reason for it based on average length of shell code or the default size of the stack, something like that.

  • Like 1
Link to comment
Share on other sites

31 minutes ago, digininja said:

They initially sent 5050 bytes and hit the overflow.

Then used the pattern to send 5040 bytes which found the overwrite of EIP at 2003 bytes in. If they had sent 2020 bytes or 6020, it wouldn't have mattered, the overflow of EIP was done at position 2003.

I don't know why 5040-5060 was used, there is probably a good reason for it based on average length of shell code or the default size of the stack, something like that.

Ah, I got it now. Thanks for helping as always. It doesn't matter as that's the number of C char which if after the actual EIP address found.

"C" * (5060 - 2003 - 4)

Any number would do right?

E.g.

"C" * 8

 

buffer = "TRUN /.:/" + "A" * 2003 + "\x42\x42\x42\x42" + "C" * 8
Edited by w01f
Link to comment
Share on other sites

I think so. I'm not a buffer overflow expert so may be wrong on it, but that is the way I read it.

You need to make sure that you overflow the buffer, replace EIP with your address of choice, and then have enough room for your shell code.

  • Like 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...