Procedure
Finding the offset
Finding the exact value of the offset.
-q: corresponds to the value of EIP when the application crashed.
-l: corresponds to the length of the pattern generated by msf-pattern_create.
Both methods are valid for finding the offset.
OR
-distance: corresponds to the length (distance) of the pattern generated by msf-pattern_create.
Finding the badchars
Create a mona working directory.
Create a mona bytearray string excluding the bad character \x00, which is a bad character by default.
Compare with the !mona compare module.
-a: corresponds to the ESP value when the application crashed.
Manual method
We expect to see all characters from \x01 to \xff in sequential order.
Remove the \x51 character from the bad character string in the exploit.py script. Resend the bad character string to the application and repeat the process until you no longer encounter any anomaly in the sequence.
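The manual comparison described above, as an added example that is not part of the original notes: the byte sequence that was sent is compared position by position with what was observed in memory, the byte at the first anomaly is added to the exclusion set, and the sequence is regenerated until it arrives intact (truncation is treated as an anomaly at the point where the observed copy ends). The application is stood in for by a constructed function, `constructed_transfer`, which is hypothetical and only models a line-oriented reader that stops at a newline and rewrites \x51; it is not the target or the exploit.py script from the page.

```python
from typing import Callable, Iterable, List, Optional


def expected_sequence(excluded: Iterable[int] = (0x00,)) -> bytes:
    """Build the test string: every byte value in ascending order, minus the
    values already known to be bad (\\x00 is excluded by default)."""
    excl = set(excluded)
    return bytes(b for b in range(256) if b not in excl)


def first_mismatch(sent: bytes, observed: bytes) -> Optional[int]:
    """Return the offset of the first byte that differs between the string that
    was sent and the bytes observed in memory, or None if they match exactly.
    An observed copy that is shorter than what was sent counts as a mismatch
    at the truncation point, since a bad character often cuts the string off."""
    for i, (s, o) in enumerate(zip(sent, observed)):
        if s != o:
            return i
    if len(observed) < len(sent):
        return len(observed)
    return None


def find_bad_chars(transfer: Callable[[bytes], bytes],
                   excluded: Iterable[int] = (0x00,),
                   max_rounds: int = 256) -> List[int]:
    """Repeat the manual procedure: send the sequence, compare, drop the byte
    found at the first anomaly, resend, until the sequence is reproduced intact.
    Returns the sorted list of excluded byte values."""
    bad = set(excluded)
    for _ in range(max_rounds):
        sent = expected_sequence(bad)
        observed = transfer(sent)
        idx = first_mismatch(sent, observed)
        if idx is None:
            return sorted(bad)
        bad.add(sent[idx])
    raise RuntimeError("sequence never stabilised; check the comparison inputs")


def constructed_transfer(data: bytes) -> bytes:
    """Constructed stand-in for the application (hypothetical, not a real
    program): a line-oriented reader stops at the first newline, and \\x51 is
    rewritten to \\x00 on the way into memory."""
    data = data.split(b"\n", 1)[0]
    return data.replace(b"\x51", b"\x00")


if __name__ == "__main__":
    result = find_bad_chars(constructed_transfer)
    print("bad characters:", ", ".join(f"\\x{b:02x}" for b in result))
```

Against the constructed transfer the loop needs three rounds: the first stops at \x0a, the second catches the rewritten \x51, and the third arrives intact, so the result is \x00, \x0a and \x51. With a real capture, `constructed_transfer` is replaced by whatever returns the bytes read from memory at the address the sequence landed on.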
Finding the right module
This command finds all JMP addresses that do not contain any of the bad characters identified earlier.
Generating the payload