[ExpDev] Vulnserver — Part 1

Vulnserver — Part 1 (Lab Setup)

Many people told me that just completing the official OSCE course would not be enough to pass the exam. So I decided to do some more extra-curricular activities to prep myself.

Until now, I have completed some of the public OSCE exploits such as weaponizing PE, Winamp 5.12 and HP NNM 7.5 to learn about code cave, SEH overwrite and Egghunter. Then, I wanted to build up my muscles around basic buffer-overflow more, so I’ve completed Exploit Exercise’s Stack0–7 and Format0–4. After that, I’ve completed the official OSCE course.

The other day, I found an AWESOME blog posts by @epi052 titled “OSCE Exam Practice.” He shows step-by-step exercises to how to setup lab environment and exploit various commands in Vulnserver. And he uses more modern exploit tools, such as boofuzz, WinDbg, mona, etc., so I thought it would be good exercise for me to go over this walkthrough to learn more about Windows-based exploitation.

DISCLAIMER: These Vulnserver blog posts will be mostly for my brain dump for the OSCE exam prep. All work and credits of the walkthrough belong to @epi052. If you want more clear explanations or detailed write-ups, you should read his blog posts here. (Thanks again @epi052 for permitting me to do brain dump my work flow in my blog. Thanks mate! :])

What is Vulnserver?

Vulnserver was created for learning software exploitation. It is a multi-threaded Windows based TCP server that listens for client connections on port 9999 (by default) and allows the user to run a number of different commands that are vulnerable to various types of buffer overflow exploiations. The source code can be found here.

Lab Setup

  • OS: Windows 7 (x86)
  • Debugger: WinDbg, OllyDbg
  • Fuzzer: boofuzz ([Optional] process_monitor.py)
  • Target: Vulnserver
  • Misc: Python, Microsoft Visual C++ Compiler, Ncat, mona.py, DB Browser for SQLite

1) Windows 7 (x86) Setup

If you don’t have a Windows 7 (x86) ISO or VM handy, you can go to the archive.org to search for older ISO/VM images.

Windows 7 (x86) ISO Download

I used the ISO image and installed it to my Mac using VMware Fusion 11.5.3. You can use any free other platforms like VirtualBox or VMware Player as well.

Windows 7 (x86) Spec

2) Debugger Setup (OllyDbg & WinDbg)

Since OSCE course uses OllyDbg for its debugger, I wanted to have it installed on my Win7 box. Additionally, I also wanted to expand my debugger selections for learning purposes, so I decided to install WinDbg too.

OllyDbg Download

It will download a zip file with all the necessary file as well as OllyDbg binary. You can simply run the binary to open the OllyDbg.

OllyDbg

To download WinDbg for earlier version of Windows like Windows 7, you need to do the following:

1) Go to Windows SDK Emulator Archive
2) Go to the Download Page by Clicking “INSTALL SDK >”
3) Save the Installer

Then, while installing process, select both “Debugging Tools for Windows” and “Debugging Tools.”

Debugging Tool Setup
WinDbg Installed

3) Fuzzer Setup (boofuzz)

Boofuzz is a fork of and the successor to the venerable Sulley fuzzing framework. Choice of the language for this fuzzer is python. With that being said, we need to install python 2.7.9 on your Windows box. (For python ≥ 2.7.9, pip comes with by default) Additionally, we also need to install the Microsoft C++ compiler to install boofuzz correctly.

Python 2.7.9 Download
Microsoft Visual C++ Compiler Download
  • Boofuzz Install

Boofuzz can be installed using pip.

c:\Python27\python.exe -m pip install --upgrade pip
c:\Python27\python.exe -m pip install boofuzz

[Optional] process_monitor.py Install

The process monitor is for automated crash detection and can restart the target binary automatically. And it is included with boofuzz, but requires additional libraries to run. The process monitor must run on the target machine itself. Detailed installation instructions can be found here.

c:\Python27\Scripts\pip.exe install 
pydbg Installation
c:\Users\bigb0ss\Desktop\libdasm-master\plasma> python setup.py build_extc:\Users\bigb0ss\Desktop\libdasm-master\pydasm> python setup.py install

Confirm if process_monitor.py is installed correctly.

c:\Users\bigb0ss\Desktop\scripts\python process_monitor.py --help
Process_monitor.py Installation

4) Vulnserver Setup

You can simply download the zip file from its github repository.

The program will open up a port 9999 to listen for connection by default. If you want to change the listening port, you can also specify a port for the argument as following:

Vulnserver Changing Port

5) Misc Setup

In order to interact with the vulnserver, we need netcat.

Additionally, We need to install and configure mona.py, a Windows exploit dev tool, with WinDbg for our exercises.

Mona.py Installation Instruction

Once configured, run the following commands to confirm if the mona.py is installed correctly.

.load pykd.pyd
!py mona

Finally, we also need to install the “DB Browser for SQLite.” This will be needed for analyzing the Boofuzz results. Boofuzz will automatically crash a log file with “DB File” format. And using the “DB Browser for SQLite,” we can search through the log file.

DB Browser for SQLite (32-bit) Download

Conclusion

We should be all set for the lab set up. Now, we will be continuing tackling various types of vulnerabilities in the vulnserver in my future write-ups. Thanks for reading!

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store