# Spiking

## Finding vuln parts

For example we have a program and we are looking to find some bugs or vulnerabilities in it. We need to interact with the program to notice errors or troubles.

So, in this example we are dealing with `vulserver.exe` (quick search and you found it), this is running on the **9999** port, so to interact with it, let's establish a connection:

```bash
nc 192.168.100.9 9999
```

And then, we receive an option to show HELP panel:

```bash
Welcome to Vulnerable Server! Enter HELP for help.
```

```bash
HELP
Valid Commands:
HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT
```

We have a bunch of options to test and find vulnerable scopes, the idea is:

* Take **STATS** and interact with it, send a lot of characters trying to broke it.

There are several ways to do this, let's list one of them:

### SPIKE (generic\_send\_tcp)

With this tool we send a bunch of strings with symbols, numbers, characters, etc. This to find a possible bug with specific types of chars or length:

```bash
generic_send_tcp host port spike_script SKIPVAR SKIPSTR 
# generic_send_tcp 192.168.1.100 701 something.spk 0 0
```

We use an SPIKE file to set what we want to do in order to interact with vuln program and its functions.

To interact with `STATS` inside of **.spk** file we have:

```bash
s_readline();
s_string("STATS ");
s_string_variable("esteESelINDICADORdeDONDEdebeFUZZEARperoLITERALpuedeIResteTEXTO");
```

This will send a lot of requests with different size as payload, until (if we found it) something break.

```bash
generic_send_tcp 192.168.100.9 9999 spike_vulnserver.spk 0 0
```

```bash
...
Fuzzing Variable 0:906
Fuzzing Variable 0:907
line read=Welcome to Vulnerable Server! Enter HELP for help.
Fuzzing Variable 0:908
...
```

But if we doesn't found a vulnerable point, what we need to do? THAT'S IT! Move to the next option, in this case `RTIME`.

In this case when we use `TRUN` option, with Immunity we found a "Access Violation" when we hit the **EIP** register and fill it with `41414141` `(AAAA)` garbage content.

Immunity also show to us the payload executed to cause the crash:

<figure><img src="https://344105405-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFJ8sxzGfhnecDpAjrc%2Fuploads%2FCr8ISYhgpyd4wRSK6xAg%2Fimage.png?alt=media&#x26;token=e9e9f790-8b53-454d-aef2-e8e34355a823" alt=""><figcaption><p>TRUN /.:/AAAAAAAAAAAAA FIREEEE</p></figcaption></figure>

We know the exact payload to crash the program:

```bash
TRUN /.:/AAAAAAAAAAAAAAbutHOWmanyAs?
```

NICE! Now we know that this program is exploitable :P

But, now we need to know\... How many `A` we need?

Time of [fuzzing](https://lanzt.gitbook.io/cheatsheet-pentest/buffer-overflow/stack-based/introduction/fuzzing "mention") part.