w01f Posted September 30, 2020 Share Posted September 30, 2020 Quote Vulnserver is a multithreaded Windows based TCP server that listens for client connections on port 9999 (by default) and allows the user to run a number of different commands that are vulnerable to various types of exploitable buffer overflows. This software is intended mainly as a tool for learning how to find and exploit buffer overflow bugs, and each of the bugs it contains is subtly different from the others, requiring a slightly different approach to be taken when writing the exploit. https://github.com/stephenbradshaw/vulnserver In this tutorial, sh3llc0d3r created 5040 bytes data using Metasploit pattern_create.rb. http://sh3llc0d3r.com/vulnserver-trun-command-buffer-overflow-exploit/ /usr/share/metasploit-framework/tools/pattern_create.rb 5040 But in the following Python script, he/she using 5060 instead of 5040. buffer = "TRUN /.:/" + "A" * 2003 + "\x42\x42\x42\x42" + "C" * (5060 - 2003 - 4) What happens to the other additional 20 bytes of data? Where did it come from? Link to comment Share on other sites More sharing options...
digininja Posted September 30, 2020 Share Posted September 30, 2020 They initially sent 5050 bytes and hit the overflow. Then used the pattern to send 5040 bytes which found the overwrite of EIP at 2003 bytes in. If they had sent 2020 bytes or 6020, it wouldn't have mattered, the overflow of EIP was done at position 2003. I don't know why 5040-5060 was used, there is probably a good reason for it based on average length of shell code or the default size of the stack, something like that. Link to comment Share on other sites More sharing options...
w01f Posted September 30, 2020 Author Share Posted September 30, 2020 31 minutes ago, digininja said: They initially sent 5050 bytes and hit the overflow. Then used the pattern to send 5040 bytes which found the overwrite of EIP at 2003 bytes in. If they had sent 2020 bytes or 6020, it wouldn't have mattered, the overflow of EIP was done at position 2003. I don't know why 5040-5060 was used, there is probably a good reason for it based on average length of shell code or the default size of the stack, something like that. Ah, I got it now. Thanks for helping as always. It doesn't matter as that's the number of C char which if after the actual EIP address found. "C" * (5060 - 2003 - 4) Any number would do right? E.g. "C" * 8 buffer = "TRUN /.:/" + "A" * 2003 + "\x42\x42\x42\x42" + "C" * 8 Link to comment Share on other sites More sharing options...
digininja Posted September 30, 2020 Share Posted September 30, 2020 I think so. I'm not a buffer overflow expert so may be wrong on it, but that is the way I read it. You need to make sure that you overflow the buffer, replace EIP with your address of choice, and then have enough room for your shell code. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.