Vulnserver GMON attack

In this post, we will be exploiting the GMON command of Vulnserver using an SEH-based buffer overflow. If you are not acquainted with SEH-based buffer overflows you can refer to the Exploit Research Megaprimer on SecurityTube or Corelan's tutorials on buffer overflows. If you want to read about vanilla buffer overflows you can read my post here. This post is a writeup for Vulnserver and not an explanation of how SEH is exploited.

We are running Vulnserver on a Windows 7 x86 VM without any patches. Keep in mind that your exploit may not work if Windows has updated itself, so always turn off automatic updates. We are also using Immunity Debugger with mona.py for debugging, and boofuzz for fuzzing.

Crashing the program!

For fuzzing the program we will be using the following script template. The script keeps fuzzing the server for as long as the server still answers each new connection with its banner; once the banner stops coming back, the service has most likely crashed and the script exits.

from boofuzz import *


def get_banner(target, my_logger, session, *args, **kwargs):
    # Pre-send callback: Vulnserver greets every new connection with this
    # banner, so a missing banner means the service is no longer responding.
    banner_template = b"Welcome to Vulnerable Server! Enter HELP for help."
    try:
        banner = target.recv(10000)
    except Exception:
        print("Unable to connect. Target is down. Exiting.")
        exit(1)
    my_logger.log_check('Receiving banner..')
    if banner_template in banner:
        my_logger.log_pass('banner received')
    else:
        my_logger.log_fail('No banner received')
        print("No banner received, exiting..")
        exit(1)


def main():
    # Vulnserver listens on TCP 9999; adjust the IP to your target VM.
    session = Session(
        target=Target(
            connection=SocketConnection("192.168.0.109", 9999, proto='tcp')
        ),
        sleep_time=0.5,
    )

    # Setup: the request is "GMON <fuzzed string>\r\n"; only the argument
    # is mutated, the command name and the separating space stay fixed.
    s_initialize(name="Request")
    with s_block("Host-Line"):
        s_static("GMON", name='command name')
        s_delim(" ", fuzzable=False)
        s_string("FUZZ")
        s_delim("\r\n")

    # Fuzzing: check for the banner before every test case is sent.
    session.connect(s_get("Request"), callback=get_banner)
    session.fuzz()


if __name__ == "__main__":
    main()

A few seconds after running the script we can see that the application has crashed.
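From the defender's side, the same malformed GMON traffic that crashes the service can be spotted on the wire. The following is an added example, not code from the original post: a small Python detector that parses Vulnserver-style command lines ("<CMD> <argument>\r\n") and flags requests whose argument is oversized or contains non-printable bytes. The sample payloads and the 256-byte cutoff are constructed assumptions for this example.

```python
import re

# Constructed sample request payloads (not captured from a real session).
# The last one mimics the fuzzer's oversized GMON argument from the post.
SAMPLE_PAYLOADS = [
    b"HELP\r\n",
    b"GMON hello\r\n",
    b"STATS 123\r\n",
    b"GMON " + b"A" * 5000 + b"\r\n",
]

# One Vulnserver command line after the trailing CRLF has been stripped:
# an upper-case command, optionally followed by a space and an argument.
COMMAND_RE = re.compile(rb"^([A-Z]+)(?: (.*))?$", re.DOTALL)

# Argument length above which a request is treated as a likely overflow
# attempt. The cutoff is an assumption for this example, not a Vulnserver value.
MAX_ARG_LEN = 256


def parse_command(payload):
    """Split one request into (command, argument bytes), or None if malformed."""
    line = payload.rstrip(b"\r\n")
    m = COMMAND_RE.match(line)
    if not m:
        return None
    return m.group(1).decode("ascii"), m.group(2) or b""


def is_suspicious(payload, max_arg_len=MAX_ARG_LEN):
    """True for malformed lines, oversized arguments, or non-printable bytes."""
    parsed = parse_command(payload)
    if parsed is None:
        return True
    _, arg = parsed
    if len(arg) > max_arg_len:
        return True
    return any(b < 0x20 or b > 0x7E for b in arg)


def scan_payloads(payloads):
    """Return (index, command, argument length) for every flagged request."""
    findings = []
    for i, p in enumerate(payloads):
        if is_suspicious(p):
            parsed = parse_command(p)
            cmd = parsed[0] if parsed else "<malformed>"
            arg_len = len(parsed[1]) if parsed else len(p)
            findings.append((i, cmd, arg_len))
    return findings


if __name__ == "__main__":
    for idx, cmd, n in scan_payloads(SAMPLE_PAYLOADS):
        print(f"payload {idx}: {cmd} with {n}-byte argument flagged")
```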
