The Metasploit Framework has a handy little Perl lib to help you find your offset. There is nothing really fancy about it and many may already know about it, but for those who don't, it's useful enough to highlight. I did use this in my stack overflow example.
At a very basic level, let's say you got a segfault by feeding the app 24 characters of input. With the Pex lib you can create a string 24 characters long in which every 4-byte sequence (dword) is unique, so whatever lands in EIP tells you exactly where in your input it came from.
To create our pattern of 24 characters we use Pex like so (the -I points Perl at the framework's lib dir, otherwise it can't find the module):
perl -I/home/kpan1c/framework-2.6/lib -e 'use Pex::Text; print Pex::Text::PatternCreate(24)'
or below is a little Perl script you can just run with 24 as the argument. Ya, I'm that lazy!
#!/usr/bin/perl
# path to the Pex lib in Metasploit
use lib "/home/kpan1c/framework-2.6/lib/";
use Pex::Text;
# first argument is the pattern length
print Pex::Text::PatternCreate($ARGV[0]) . "\n";
Output will look like so
Now just overflow the app with that string and check EIP, or whatever register or value you wanted to overwrite. Once you see what is in it, pass that value to patternOffset.pl (located in the sdk dir of Metasploit) followed by the length of your pattern, and bam, you've got an offset. You hand it the value exactly as it shows up in EIP; the script takes care of x86's little-endian byte order when it searches the pattern. The offset it prints is how many bytes into your input the overwritten dword sits, which is exactly where your return address needs to go. Handy, and to think I used to create patterns like AAAABBBBCCCC……
./patternOffset.pl 0x35614134 24
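To show what PatternCreate and patternOffset.pl are actually doing under the hood, here is a small Python reimplementation of both steps. This is an added example, not code from the original post or from Metasploit; it reproduces the well-known Metasploit pattern scheme (every 3-byte group is Upper-lower-digit, cycling through all 26*26*10 combinations) and, for the 24-byte pattern and the EIP value 0x35614134 used above, it yields the pattern Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7 and offset 14. It also handles the two things the one-liner glosses over: byte order (it tries little-endian first, then big-endian, and also accepts the raw 4 characters) and patterns longer than the 20280 bytes after which the sequence repeats and an offset stops being unique. The function and constant names are this example's own.

```python
import itertools
import string
import struct
import sys

# Alphabet of the Metasploit-style cyclic pattern: <Upper><lower><digit> triples.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# 26 * 26 * 10 triples * 3 bytes = 20280 bytes before the pattern repeats.
UNIQUE_LENGTH = len(UPPER) * len(LOWER) * len(DIGITS) * 3


def pattern_create(length):
    """Return a cyclic pattern of exactly `length` characters.

    Same scheme as Pex::Text::PatternCreate / pattern_create: Aa0Aa1Aa2 ...
    Within the first UNIQUE_LENGTH bytes every 4-byte window is distinct.
    """
    if length < 1:
        raise ValueError("length must be positive")
    triples = ("".join(t) for t in itertools.product(UPPER, LOWER, DIGITS))
    needed = (length + 2) // 3  # ceil(length / 3) triples, then trim
    return "".join(itertools.islice(itertools.cycle(triples), needed))[:length]


def _needle_variants(value):
    """Translate what the user saw in EIP into strings to search for.

    value may be an int or a '0x...' string (a register value, packed
    little-endian first because that is what x86 pushes on the stack, then
    big-endian as a fallback) or the literal characters, e.g. '4Aa5'.
    """
    if isinstance(value, str) and not value.lower().startswith("0x"):
        return [(value, "ascii")]
    n = int(value, 16) if isinstance(value, str) else value
    if n < 0 or n > 0xFFFFFFFFFFFFFFFF:
        raise ValueError("register value must fit in 64 bits")
    width = "I" if n <= 0xFFFFFFFF else "Q"  # 32-bit EIP or 64-bit RIP/RSP
    return [
        (struct.pack("<" + width, n).decode("latin-1"), "little-endian"),
        (struct.pack(">" + width, n).decode("latin-1"), "big-endian"),
    ]


def pattern_offsets(value, length):
    """Return (offsets, how) for every place `value` occurs in the pattern.

    `how` names the interpretation that matched ('little-endian',
    'big-endian' or 'ascii'). If length > UNIQUE_LENGTH the pattern has
    wrapped and more than one offset can come back; that ambiguity is the
    reason the pattern length matters to patternOffset.pl.
    """
    pattern = pattern_create(length)
    for needle, how in _needle_variants(value):
        hits = []
        start = pattern.find(needle)
        while start != -1:
            hits.append(start)
            start = pattern.find(needle, start + 1)
        if hits:
            return hits, how
    return [], None


def pattern_offset(value, length):
    """Convenience wrapper: first matching offset and how it matched, or (None, None)."""
    hits, how = pattern_offsets(value, length)
    return (hits[0], how) if hits else (None, None)


if __name__ == "__main__":
    # Usage:  python3 pattern.py create 24
    #         python3 pattern.py offset 0x35614134 24
    if len(sys.argv) == 3 and sys.argv[1] == "create":
        print(pattern_create(int(sys.argv[2])))
    elif len(sys.argv) == 4 and sys.argv[1] == "offset":
        hits, how = pattern_offsets(sys.argv[2], int(sys.argv[3]))
        if not hits:
            print("not found in pattern")
        else:
            print("offset(s) %s (matched as %s)" % (hits, how))
    else:
        print("usage: pattern.py create <len> | offset <eip|chars> <len>")
```

Because character classes differ by position (uppercase, lowercase, digit), no 4-byte window can be confused with one at a different phase, which is why a single dword out of EIP is enough to pin the offset as long as the pattern is no longer than UNIQUE_LENGTH.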