Finding EIP Position

EIP is the instruction pointer register on 32-bit x86: it holds the address of the next instruction to execute, so overwriting it with a value of our choosing is what turns a crash into control of execution. A fuzzer can find an input length that crashes the application, but working out by trial and error exactly how many bytes sit between the start of the input and the four bytes that land in EIP is slow. Instead we can generate a unique, non-repeating pattern, send it to the application in place of the fuzz string, and note the four bytes that end up in EIP when it crashes. Because every four-byte sequence in the pattern is unique (the pattern only repeats after 20,280 bytes), the position of those bytes within the pattern is exactly the number of characters we need to send before EIP is overwritten.

The following command creates a unique pattern of 800 characters; the length should be at least as long as the input that crashed the application:

msf-pattern_create -l 800

The output is sent to the application in place of the fuzz string. When the application crashes under the debugger, note the value shown in EIP; it is the four pattern bytes that overwrote the saved return address.

Then we pass that value to msf-pattern_offset, using the same -l length that was used to create the pattern, to get the exact character count. The value can be given as the 8 hex digits shown in the debugger; the tool accounts for the little-endian byte order, so there is no need to reverse it by hand:

msf-pattern_offset -l 800 -q 41347310
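To make clear what the two commands above actually compute, the script below reimplements the pattern generation and offset lookup in Python. It is an added example for this page, not Metasploit's own code; the EIP values it is run against (0x41347341 and 0x42316242) are assumed debugger readings chosen for illustration, not values taken from the page.

```python
"""Reimplementation of the msf-pattern_create / msf-pattern_offset logic.

Added example for this page; it is not Metasploit's code. The EIP values
used in the demo at the bottom are assumed debugger readings.
"""
import itertools
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits

# One full period of the pattern: every (upper, lower, digit) triplet in
# odometer order, Aa0 Aa1 ... Aa9 Ab0 ... Zz9. That is 26*26*10 triplets of
# 3 bytes = 20280 bytes before any 4-byte window repeats.
_PERIOD = "".join(u + l + d for u, l, d in itertools.product(UPPER, LOWER, DIGITS))


def pattern_create(length):
    """Same ordering as `msf-pattern_create -l <length>`."""
    reps = length // len(_PERIOD) + 1
    return (_PERIOD * reps)[:length]


def eip_to_needle(value):
    """Turn a debugger EIP reading into the 4 bytes as they sat in memory.

    x86 is little-endian, so EIP = 0x41347341 was loaded from the bytes
    41 73 34 41, i.e. the substring 'As4A'. Accepts '41347341' or
    '0x41347341'; anything else is treated as a literal substring of the
    pattern, which is how msf-pattern_offset behaves too.
    """
    hexpart = value[2:] if value.lower().startswith("0x") else value
    if len(hexpart) == 8 and all(c in string.hexdigits for c in hexpart):
        return struct.pack("<I", int(hexpart, 16)).decode("latin-1")
    return value


def pattern_offset(pattern, value):
    """Offset of the EIP bytes in the pattern, or None if they are not in it.

    None usually means the pattern was too short for the crash, or that
    EIP did not take its value cleanly from our input (for example when
    the bytes do not decode to printable pattern characters).
    """
    needle = eip_to_needle(value)
    idx = pattern.find(needle)
    return None if idx == -1 else idx


if __name__ == "__main__":
    pat = pattern_create(800)
    print(pat[:24])                             # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7
    print(pattern_offset(pat, "0x41347341"))    # 552: 'As4A' starts at byte 552
    print(pattern_offset(pat, "0x42316242"))    # None: 'Bb1B' sits at 813, past 800
    print(pattern_offset(pattern_create(1000), "0x42316242"))  # 813
```

The second lookup shows the failure mode to watch for: if the bytes in EIP are not found, the pattern was shorter than the distance to the return address, so regenerate it with a larger -l and crash the application again. If the EIP value does not decode to four printable pattern characters at all, EIP was not overwritten directly by your input and the crash needs a closer look in the debugger before the offset is trusted.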
