Most guides out there give a walkthrough on solving individual functions within vulnserver. However, when practising for OSCE, I do not want the solutions. Instead, I want to know the order of difficulty of the various functions so I can start from the easiest function and work my way towards the harder ones. In this article, I am first going to rank the functions in terms of difficulty, then I am going to give a rough explanation on the technique that needs to be used for each function. If you do not want spoilers, please stop reading after the first section.
1 - Ranking of difficulty of functions
From easiest to hardest:
- TRUN
- GMON
- GTER
- KSTET
- HTER
- LTER
Spoilers Ahead
Stop reading here if you do not want to know the technique used to solve each function
2 - Techniques required
- TRUN - Generic EIP override.
- GMON - Generic SEH override.
- GTER - SEH override with limited buffer space. May require egghunter.
- KSTET - SEH override with extremely limited buffer space. Will require egghunter.
- HTER - EIP override. Input is encoded in a very interesting way.
- LTER - 2 viable methods. EIP override with bad characters, which is the easier method to solve. SEH override with extremely limited buffer space and bad characters. May require ROP chain.
As far as I know, the rest of the functions (STATS RTIME LTIME GDOG KSTAN) cannot be exploited and are probably used to practice fuzzing.