OS: Windows 7 SP1 version 6.1 (32 bits). All of them work (TRUN and GTER socket reuse scripts must be updated).
GMON
- Vanilla Buffer Overflow
GTER
-
Egghunter
-
Socket reuse (buf variable must be updated, check notes)
HTER
- Hexadecimal encoding Buffer Overflow
KSTET
-
Egghunter
-
Socket reuse
LTER
- SEH (bypassing ASLR)
TRUN
-
Vanilla Buffer Overflow
-
Socket reuse (buf variable must be updated, check notes)
- Start Peach
C:\> peach.exe -a tcp
- Run the "vulnserver.xml" Peach file and test the command you want:
C:\> peach.exe vulnserver.xml TestKSTET
- Run the "vulnserver_boofuzz.py" Boofuzz file and test the command you want:
python vulnserver_boofuzz.py 192.168.112.145 9999 TRUN
- Attach the process to OllyDbg to check when and how it crashes
Vulnserver:
- Download Vulnserver from https://github.com/stephenbradshaw/vulnserver
Ollydbg:
- Download OllyDbg from http://www.ollydbg.de/odbg110.zip
Peach (optional):
-
Download and install .NET 4 from https://www.microsoft.com/en-us/download/details.aspx?id=17851
-
Download and install Windows SDK from https://www.microsoft.com/en-us/download/details.aspx?id=8279
-
Download Peach from https://sourceforge.net/projects/peachfuzz/
Boofuzz (optional)([docs]):
- pip install boofuzz
Fuzzing with Peach:
http://www.rockfishsec.com/2014/01/fuzzing-vulnserver-with-peach-3.html
https://sh3llc0d3r.com/fuzzing-vulnserver-with-peach/
KSTET Socket reuse
https://deceiveyour.team/2018/10/15/vulnserver-kstet-ws2_32-recv-function-re-use/
https://rastating.github.io/using-socket-reuse-to-exploit-vulnserver/
GTER Socket reuse