@ninp0
Last active September 28, 2018 20:56
1. Find the buffer overflow length (the number of bytes needed to crash the target).
2. /opt/metasploit-framework-dev/tools/exploit/pattern_create.rb -l <buffer_overflow_len>
3. Replace the original overflow contents with the pattern emitted by pattern_create.rb.
4. Run the target under a debugger and note the EIP value at the crash (it comes from the pattern above), then run:
5. /opt/metasploit-framework-dev/tools/exploit/pattern_offset.rb -l <buffer_overflow_len> -q <eip_value>
6. Find bad characters (e.g. \x00 \x0a \x0d etc.)
7. Update the payload accordingly.
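The pattern and bad-character steps above, as an added Python example (not part of the gist): it reimplements what pattern_create.rb and pattern_offset.rb do (Metasploit's "Aa0Aa1Aa2..." cyclic pattern and a lookup of the crash value inside it) and adds a byte-by-byte comparison for step 6. It assumes a 32-bit EIP; demo_target is a constructed stand-in for "what the debugger shows in memory" and is not a real program.

```python
import string
import struct
from typing import Callable, Optional, Set, Tuple

# Maximum unique length of the Metasploit pattern: 26 * 26 * 10 groups of 3 bytes.
MAX_PATTERN_LEN = 26 * 26 * 10 * 3


def pattern_create(length: int) -> bytes:
    """Same output as pattern_create.rb -l <length>: Aa0Aa1Aa2...Ab0Ab1... truncated to length."""
    if length > MAX_PATTERN_LEN:
        raise ValueError("pattern would repeat beyond %d bytes" % MAX_PATTERN_LEN)
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(length: int, eip_value: int) -> Optional[int]:
    """Same idea as pattern_offset.rb -l <length> -q <eip>: where in the pattern did the
    4 bytes that landed in EIP come from?  Little-endian is tried first (x86), then big-endian."""
    pattern = pattern_create(length)
    for fmt in ("<I", ">I"):
        needle = struct.pack(fmt, eip_value)
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return None


def badchar_probe(exclude: Set[int]) -> bytes:
    """All byte values not yet known to be bad, in ascending order (step 6's test string)."""
    return bytes(b for b in range(256) if b not in exclude)


def first_divergence(sent: bytes, observed: bytes) -> Optional[Tuple[int, int, Optional[int]]]:
    """Compare the probe we sent with the bytes seen in memory in the debugger.
    Returns (index, sent_byte, observed_byte) at the first mismatch, observed_byte=None
    if memory was truncated there, or None if everything arrived intact."""
    for i, b in enumerate(sent):
        if i >= len(observed):
            return i, b, None
        if observed[i] != b:
            return i, b, observed[i]
    return None


def find_bad_chars(target: Callable[[bytes], bytes], exclude: Set[int], max_rounds: int = 256) -> Set[int]:
    """Repeat step 6 until the probe survives: send, diff, add the mangled byte, resend.
    Only the first mismatch per round is trusted, since everything after it may be shifted."""
    bad = set(exclude)
    for _ in range(max_rounds):
        sent = badchar_probe(bad)
        hit = first_divergence(sent, target(sent))
        if hit is None:
            return bad
        bad.add(hit[1])
    return bad


def demo_target(buf: bytes) -> bytes:
    """Constructed stand-in for a target's input handling: it truncates at a newline
    and rewrites carriage returns to spaces (a typical line-oriented parser)."""
    return buf.split(b"\x0a")[0].replace(b"\x0d", b"\x20")


if __name__ == "__main__":
    # Constructed crash value: EIP holds "Aa8A" read little-endian.
    print(pattern_create(20))
    print(pattern_offset(100, 0x41386141))
    print(sorted(find_bad_chars(demo_target, {0x00})))
```

The offset returned by pattern_offset is the number of bytes of padding before the saved return address; the iterative bad-character search stops as soon as a probe round comes back unchanged.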
Other misc notes:
nasm_shell
nasm > jmp esp
00000000 FFE4 jmp esp
Once control of EIP is achieved:
# Immunity Debugger:
!mona modules
# Find module w/ least amount of security enabled (e.g. aslr = false, etc)
!mona find -s "\xff\xe4" -m <module name to find JMP ESP>
# EDB
Plugins >> OpcodeSearcher >> Opcode Search >> <highlight start addr> >> <choose Jump equivalent (e.g. ESP -> EIP)>