[ExpDev] Vulnserver — Part 1

bigb0ss
6 min read · Jul 4, 2020

Vulnserver — Part 1 (Lab Setup)

Many people told me that just completing the official OSCE course would not be enough to pass the exam. So I decided to do some more extra-curricular activities to prep myself.

Until now, I have completed some of the public OSCE exploits, such as weaponizing a PE, Winamp 5.12 and HP NNM 7.5, to learn about code caves, SEH overwrites and egghunters. Then I wanted to build up my basic buffer-overflow muscles some more, so I completed Exploit Exercises’ Stack0–7 and Format0–4. After that, I completed the official OSCE course.

The other day, I found an AWESOME series of blog posts by @epi052 titled “OSCE Exam Practice.” He shows step-by-step exercises on how to set up a lab environment and exploit the various commands in Vulnserver. He also uses more modern exploit tools, such as boofuzz, WinDbg, mona, etc., so I thought it would be a good exercise for me to go over his walkthrough and learn more about Windows-based exploitation.

DISCLAIMER: These Vulnserver blog posts will mostly be my brain dump for the OSCE exam prep. All work and credit for the walkthrough belong to @epi052. If you want clearer explanations or more detailed write-ups, you should read his blog posts here. (Thanks again @epi052 for permitting me to brain dump my workflow on my blog. Thanks mate! :])

What is Vulnserver?

Vulnserver was created for learning software exploitation. It is a multi-threaded, Windows-based TCP server that listens for client connections on port 9999 (by default) and allows the user to run a number of different commands that are vulnerable to various types of buffer-overflow exploitation. The source code can be found here.

Lab Setup

  • OS: Windows 7 (x86)
  • Debugger: WinDbg, OllyDbg
  • Fuzzer: boofuzz ([Optional] process_monitor.py)
  • Target: Vulnserver
  • Misc: Python, Microsoft Visual C++ Compiler, Ncat, mona.py, DB Browser for SQLite

1) Windows 7 (x86) Setup

If you don’t have a Windows 7 (x86) ISO or VM handy, you can search archive.org for older ISO/VM images.

Windows 7 (x86) ISO Download

I used the ISO image and installed it on my Mac using VMware Fusion 11.5.3. You can use any other free platform, like VirtualBox or VMware Player, as well.

Windows 7 (x86) Spec

2) Debugger Setup (OllyDbg & WinDbg)

Since the OSCE course uses OllyDbg as its debugger, I wanted to have it installed on my Win7 box. Additionally, I wanted to expand my debugger selection for learning purposes, so I decided to install WinDbg too.

OllyDbg Download

It will download a zip file with all the necessary files as well as the OllyDbg binary. You can simply run the binary to open OllyDbg.

OllyDbg

To download WinDbg for earlier versions of Windows like Windows 7, you need to do the following:

1) Go to Windows SDK Emulator Archive
2) Go to the Download Page by Clicking “INSTALL SDK >”
3) Save the Installer

Then, during the installation process, select both “Debugging Tools for Windows” and “Debugging Tools.”

Debugging Tool Setup
WinDbg Installed

3) Fuzzer Setup (boofuzz)

Boofuzz is a fork of and the successor to the venerable Sulley fuzzing framework. The fuzzer is written in Python, so we need to install Python 2.7.9 on the Windows box. (For Python ≥ 2.7.9, pip comes bundled by default.) Additionally, we also need to install the Microsoft Visual C++ compiler so that boofuzz installs correctly.

Python 2.7.9 Download
Microsoft Visual C++ Compiler Download

Boofuzz Install

Boofuzz can be installed using pip.

c:\Python27\python.exe -m pip install --upgrade pip
c:\Python27\python.exe -m pip install boofuzz

[Optional] process_monitor.py Install

The process monitor provides automated crash detection and can restart the target binary automatically. It is included with boofuzz, but requires additional libraries to run. The process monitor must run on the target machine itself. Detailed installation instructions can be found here.

c:\Python27\Scripts\pip.exe install 
pydbg Installation
c:\Users\bigb0ss\Desktop\libdasm-master\plasma> python setup.py build_ext
c:\Users\bigb0ss\Desktop\libdasm-master\pydasm> python setup.py install

Confirm that process_monitor.py is installed correctly.

c:\Users\bigb0ss\Desktop\scripts> python process_monitor.py --help
Process_monitor.py Installation

4) Vulnserver Setup

You can simply download the zip file from its GitHub repository.

By default the program opens port 9999 and listens for connections there. If you want to change the listening port, you can specify a port as the command-line argument, as follows:

Vulnserver Changing Port
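Once the target is running (and especially once process_monitor.py is restarting it between crashes), it helps to have a scripted check that the lab is actually up on the port you chose instead of poking at it with netcat each time. The following is an added example for this write-up, not code from the original post or from the Vulnserver project: it connects to a host/port, reads the welcome banner Vulnserver prints on connect, sends HELP and reports what came back. The stand-in server at the bottom is constructed so the check can be exercised offline; its HELP reply is a made-up placeholder, not Vulnserver's real command list.

```python
"""Lab smoke test: confirm a Vulnserver instance answers on the expected port.

Added example, not from the original post or the Vulnserver project. The banner
text is what Vulnserver sends on connect; the stand-in server is constructed.
"""
import socket
import threading

# Banner Vulnserver sends to every new client.
VULNSERVER_BANNER = b"Welcome to Vulnerable Server! Enter HELP for help.\n"


def check_vulnserver(host="127.0.0.1", port=9999, timeout=3.0):
    """Connect, read the banner and send HELP.

    Returns a dict with the fields a lab checklist cares about: whether the
    port accepted a connection, whether the banner matched, and the raw HELP
    reply (empty if anything failed).
    """
    result = {"port_open": False, "banner_ok": False, "help_reply": b""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["port_open"] = True
            banner = s.recv(1024)
            result["banner_ok"] = banner.startswith(b"Welcome to Vulnerable Server")
            s.sendall(b"HELP\r\n")
            result["help_reply"] = s.recv(4096)
    except OSError:
        pass  # refused / timed out: port_open stays False
    return result


def start_stand_in_server(port=0):
    """Constructed stand-in that mimics only the banner and a HELP reply.

    Binds 127.0.0.1 on the given port (0 = ephemeral), serves exactly one
    client in a background thread, and returns the port actually bound.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(VULNSERVER_BANNER)
            data = conn.recv(1024)
            if data.strip().upper().startswith(b"HELP"):
                # Constructed placeholder reply, not Vulnserver's real list.
                conn.sendall(b"Valid Commands:\nHELP\n...\nEXIT\n")
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Against the real lab you would call e.g. check_vulnserver("<win7-ip>", 9999)
    # (or the port you passed to vulnserver.exe). Here we use the stand-in.
    local_port = start_stand_in_server()
    print(check_vulnserver("127.0.0.1", local_port))
```

If `port_open` is False, check the Windows firewall and the port argument you gave vulnserver.exe; if it is True but `banner_ok` is False, something other than Vulnserver is listening there.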

5) Misc Setup

In order to interact with vulnserver, we need netcat.

Additionally, we need to install and configure mona.py, a Windows exploit-dev tool, with WinDbg for our exercises.

Mona.py Installation Instruction

Once configured, run the following commands in WinDbg to confirm that mona.py is installed correctly.

.load pykd.pyd
!py mona

Finally, we also need to install “DB Browser for SQLite.” This is needed for analyzing the boofuzz results: boofuzz automatically writes its log to a file in SQLite “DB File” format, and with “DB Browser for SQLite” we can search through that log file.

DB Browser for SQLite (32-bit) Download
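The GUI is convenient for browsing, but the same triage can be scripted, which matters once a fuzzing run produces thousands of test cases. The block below is an added example for this write-up, not code from the original post or from boofuzz. It assumes the two-table layout boofuzz's database logger writes (a `cases` table and a `steps` table whose `type` column holds values such as `send`, `receive`, `pass` and `fail`); if your boofuzz version lays the file out differently, open one of your own `.db` files in DB Browser for SQLite and adjust the query. All sample rows are constructed.

```python
"""Find the failing boofuzz test cases and the input that was sent before each.

Added example, not from the original post or from boofuzz. Schema is an
assumption about boofuzz's SQLite logger (cases + steps tables); sample data
is constructed.
"""
import sqlite3
import sys

# For every step logged as a failure, pull the test case it belongs to and the
# last payload sent in that case (the input to reproduce in the debugger).
FAIL_QUERY = """
SELECT c.number, c.name, f.description,
       (SELECT s.data FROM steps s
         WHERE s.test_case_index = c.number AND s.type = 'send'
         ORDER BY s.rowid DESC LIMIT 1) AS last_send
FROM steps f
JOIN cases c ON c.number = f.test_case_index
WHERE f.type = 'fail'
ORDER BY c.number
"""


def failing_cases(conn):
    """Return one dict per failing test case: number, name, reason, payload."""
    rows = conn.execute(FAIL_QUERY).fetchall()
    return [
        {
            "number": number,
            "name": name,
            "reason": reason,
            "payload": bytes(data or b""),
            "payload_len": len(data or b""),
        }
        for number, name, reason, data in rows
    ]


def build_sample_db():
    """Constructed stand-in for a boofuzz run-*.db with two test cases.

    Case 1 passes; case 2 sends a long input and is logged as a failure.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE cases (name TEXT, number INTEGER, timestamp TEXT);
        CREATE TABLE steps (test_case_index INTEGER, type TEXT, description TEXT,
                            data BLOB, timestamp TEXT, is_truncated BOOLEAN);
        """
    )
    conn.executemany(
        "INSERT INTO cases VALUES (?, ?, ?)",
        [("cmd:[1]", 1, "2020-07-04 10:00:00"), ("cmd:[2]", 2, "2020-07-04 10:00:01")],
    )
    long_input = b"CMD " + b"A" * 2000 + b"\n"  # constructed: 2005 bytes
    conn.executemany(
        "INSERT INTO steps VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "send", "Transmitted 8 bytes", b"CMD abc\n", "2020-07-04 10:00:00", 0),
            (1, "receive", "Received 2 bytes", b"OK", "2020-07-04 10:00:00", 0),
            (1, "pass", "", b"", "2020-07-04 10:00:00", 0),
            (2, "send", "Transmitted 2005 bytes", long_input, "2020-07-04 10:00:01", 0),
            (2, "fail", "Target closed connection (constructed)", b"", "2020-07-04 10:00:01", 0),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    # Usage: python triage.py boofuzz-results/run-<date>.db   (path is a placeholder)
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for case in failing_cases(db):
        print(f"case {case['number']} ({case['name']}): {case['reason']}; "
              f"sent {case['payload_len']} bytes, starts {case['payload'][:16]!r}")
```

The payload length is the first thing to note for each failure: when boofuzz's mutations grow a field step by step, the smallest failing length tells you roughly how much input the command tolerates before it misbehaves, which is what you carry into WinDbg next.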

Conclusion

We should be all set with the lab setup. In my future write-ups, I will continue by tackling the various types of vulnerabilities in vulnserver. Thanks for reading!

bigb0ss

OSWE | OSCE | OSCP | CREST | Lead Offensive Security Engineer — All about Penetration Test, Red Team, Cloud Security, Web Application Security