{"id":18542604,"url":"https://github.com/loneicewolf/vulnserver-2022","last_synced_at":"2025-05-15T05:09:38.821Z","repository":{"id":138060032,"uuid":"517273493","full_name":"loneicewolf/vulnserver-2022","owner":"loneicewolf","description":"My (various and different) latest attempts on the VULNSERVER.","archived":false,"fork":false,"pushed_at":"2022-07-24T16:29:22.000Z","size":49,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-17T08:43:39.899Z","etag":null,"topics":["vulnserver"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/loneicewolf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-24T08:57:10.000Z","updated_at":"2023-09-08T09:52:58.000Z","dependencies_parsed_at":null,"dependency_job_id":"768ffa6f-4f98-4a3c-90e5-659505732deb","html_url":"https://github.com/loneicewolf/vulnserver-2022","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/loneicewolf%2Fvulnserver-2022","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/loneicewolf%2Fvulnserver-2022/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/loneicewolf%2Fvulnserver-2022/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/loneicewolf%2Fvulnserver-2022/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/loneicewolf","download_url":"https://codeload.github.com/loneicewolf/vulnserver-2022/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254276462,"owners_count":22043868,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["vulnserver"],"created_at":"2024-11-06T20:09:20.068Z","updated_at":"2025-05-15T05:09:33.812Z","avatar_url":"https://github.com/loneicewolf.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vulnserver-2022\n# note:\nthis is intended for beginners. I will leave the very deep details and write obvious comments.\nthis is also not done yet.\n\n\nMy (various and different) latest attempts on the VULNSERVER.\n\n- **attempt 1: just crashing it**\n  -  (choosing a random huge number, say `5000`)\n\n-  **attempt 2: overwriting EIP**\n  - (a bit less than `1`, say EIP overwrite control)\n\n- **attempt 3: predicting registers**\n  - (begin with small value, move up until it crashed, but not overwrote anything, now - predict by **first try** to overwrite EDI, EBP, then EIP)\n\n\n- **attempt 4 and onward**\n  - modifying the memory of other registers from the previous (now controlled) registers\n      - jump, call and go to's\n      - assembly\n      - shellcode\n\n- **Attempt 5(overkill for beginners)**\n  - using undocumented registers (see link eecg below for more info)\n  \n\n\n## Screenshots\n\n---\n\n#### EDI Control\n![image](https://user-images.githubusercontent.com/68499986/180654506-233bd0bb-06f2-47bd-8073-ae64e5be7932.png)\n\n##### EDI Call Stack\n![image](https://user-images.githubusercontent.com/68499986/180655525-6d1c2c68-667b-42e9-bf4d-c1954db69d77.png)\n\n\n#### EBP Control\n![image](https://user-images.githubusercontent.com/68499986/180654725-bb3f5b95-e034-451e-83bd-63a27fd9f46c.png)\n\n#### EIP Control\n![image](https://user-images.githubusercontent.com/68499986/180654860-337a0b86-b4ea-4b77-9ba8-e213300a42ab.png)\n\u003e `Note how I also overwrote EBP?`\n\u003e `let's change that shall we?`\n\n\n### Bonus: EBP+EIP control together\n![image](https://user-images.githubusercontent.com/68499986/180655178-0aa0729b-80e7-476c-bca2-2dfe3beb2f19.png)\n\n![image](https://user-images.githubusercontent.com/68499986/180656116-5052a3e5-fdea-4931-bc91-4f0a869d2027.png)\n\n---\n\nGiven one (assuming no ASLR,DEP,.. is present) registers Position(easy to predict given it's minimal overflowing value) (which, again is easy to predict by itself, given 1 reliable amount of A's' that crash the app\n\n\n\n## Coming soon:\n- Writeup (describing basics of my methodology)\n- Bibliography\n- More References\n- Finally the code and a Proof Of Concept (POC) not using Metasploit's msfvenom. and Not radare2 either :) (why not make shellcode from scratch? so you know what you really launch at your poor target..)\n\n\n### References\n- PY COD,E R2\n- vulnserver\n- https://www.eecg.utoronto.ca/~amza/www.mindsec.com/files/x86regs.html\n\n\n### Bibliography\n- coming soon\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Floneicewolf%2Fvulnserver-2022","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Floneicewolf%2Fvulnserver-2022","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Floneicewolf%2Fvulnserver-2022/lists"}