OSCP Notes
  • OSCP Cheatsheet
  • Sistema de ficheros del OS
    • File Transfers Linux
    • File Transfers Windows
  • Web Attacks
    • Web Enumeration
    • SQL Injection
    • CGI
    • CMS
  • DATABASES
    • MSSQL
    • MYSQL
  • Services Enumeration
    • Trucos Generales
    • POP3 - 110
    • SMB - (445-139)
    • DNS
    • NFS - 2049
    • SMTP - 25
    • TFTP - 69
    • SNMP - (161-162-10161-10162)
  • Privilege Escalation
    • Information Gathering - EscPriv
    • Windows Privilege Escalation
      • MANUAL - Windows PrivEsc
      • Bypass UAC
    • Linux Privilege Escalation
  • Password Attacks
    • Hash Identification
    • Brute Force
    • Pass in the Hash
    • Password Cracking
  • Port Redirection and Tunneling
    • Port Forwarding
    • SSH Tunneling
      • SSH Local Port Forwarding
      • SSH Remote Port Forwarding
      • SSH Dynamic Port Forwarding
  • Active Directory Attacks
    • AD Enumeration
    • AD Authentication
    • AD Lateral Movement
    • AD Vulnerabilidades actuales
    • Powershell Empire
  • Buffer Overflow
    • Linux
    • Windows
      • Spiking
      • Fuzzing
      • Finding the Offset
      • Overwriting The EIP
      • Finding the Bad Charaters
      • Finding The Right Module
      • Generating Shellcode and Gaining Shell
  • Client-Side Attacks
    • Windows Office Macros
  • Post-explotacion
    • Trucos Generales
      • Links Utiles
    • Windows
      • Mimikatz
      • Writeup Esc WinXP SP1 with services
      • POWERSHELL
  • CRTP
    • PowerView
    • Notas Generales
Con tecnología de GitBook
En esta página
  1. Buffer Overflow
  2. Windows

Spiking

Conectarse y listar funciones.... 

# nmap -sV -sC -p2233 192.168.240.10 -v
Nmap scan report for 192.168.240.10
Host is up (0.088s latency).
PORT     STATE SERVICE    VERSION
2233/tcp open  infocrypt?

# nc -nv 192.168.240.10 2233
Welcome to Vulnerable Server! Enter HELP for help.
HELP
Valid Commands:
HELP
STATS [stat_value]
RTIME [rtime_value]
LTIME [ltime_value]
SRUN [srun_value]
TRUN [trun_value]
GMON [gmon_value]
GDOG [gdog_value]
KSTET [kstet_value]
GTER [gter_value]
HTER [hter_value]
LTER [lter_value]
KSTAN [lstan_value]
EXIT

Probar cada una con Immunity Debugger para identificar la funcion vulnerable:

s_readline():
s_string("FUNCION ");
s_string_variable("0");
## Con este comando se busca que el serividor victima explote con la funcion 
generic_send_tcp 192.168.174.136 9999 func.spk 0 0
AnteriorWindowsSiguienteFuzzing

Última actualización hace 3 años