The metasploit framework has a handy little perl lib  to aid you in finding your offset. There is nothing really fancy about it and many may already know about it.  I figured for those who don’t, its useful enough to highlight. I did use this in my stack overflow example. 

At a very basic level lets say you got a seg fault by inserting 24 characters for input. With the Pex lib you can create a string 24 characters long all of unique dwords.

To create our pattern of  24 charcters we use pex like so.

perl -e ‘use Pex;print Pex::Text::PatternCreate(20)’

or below is a  little perl script that you can just  run with  24 as the input. Ya I’m that lazy!

#pex_pattern.pl
#!/usr/bin/perl

#path to Pex lib in metasploit

use lib “/home/kpan1c/framework-2.6/lib/”;
use Pex;

print Pex::Text::PatternCreate(@ARGV[0]). “\n”;

./pex_pattern.pl  24

Output will look like so
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7

Now you can just overflow the app with that string and then check EIP or whatever you wanted to overwrite. Once  you see what is in it you can pass that string  to patternoffset.pl located in the sdk dir of metasploit followed by the length of your pattern and bam you got an offset. Handy, and to think I use to create patterns like AAAABBBBCCCC……

./patternOffset.pl 0x35614134 24

References:
http://metasploit.com
http://www.syngress.com/catalog/?pid=3270