5. Finding Bad Characters

Previous6. Getting Shell Next4. Overwrite EIP

Last updated 4 years ago

Was this helpful?

5. Finding Bad Characters

Finding Bad Characters

Generate a bytearray using mona, and exclude the null byte (\x00) by default. Note the location of the bytearray.bin file that is generated (if the working folder was set per the Mona Configuration section of this guide, then the location should be C:\mona\oscp\bytearray.bin).

!mona bytearray -b "\x00"

Now generate a string of bad chars that is identical to the bytearray. The following python script can be used to generate a string of bad chars from \x01 to \xff:

from __future__ import print_function

for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()

Update your script and set the payload variable to the string of bad chars the script generates.

Restart oscp.exe in Immunity and run the modified script again. Make a note of the address to which the ESP register points and use it in the following mona command:

!mona compare -f C:\mona\oscp\bytearray.bin -a <address>

A popup window should appear labelled "mona Memory comparison results". If not, use the Window menu to switch to it. The window shows the results of the comparison, indicating any characters that are different in memory to what they are in the generated bytearray.bin file.

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

The first badchar in the list should be the null byte (\x00) since we already removed it from the file. Make a note of any others. Generate a new bytearray in mona, specifying these new badchars along with \x00. Then update the payload variable in your script and remove the new badchars as well.

Restart oscp.exe in Immunity and run the modified script again. Repeat the badchar comparison until the results status returns "Unmodified". This indicates that no more badchars exist.

Finding a Jump Point

With the oscp.exe either running or in a crashed state, run the following mona command, making sure to update the -cpb option with all the badchars you identified (including \x00):

!mona jmp -r esp -cpb "\x00"

This command finds all "jmp esp" (or equivalent) instructions with addresses that don't contain any of the badchars specified. The results should display in the "Log data" window (use the Window menu to switch to it if needed).

Previous6. Getting Shell Next4. Overwrite EIP

Last updated 4 years ago

Was this helpful?

Finding Bad Characters

!mona bytearray -b "\x00"

Now generate a string of bad chars that is identical to the bytearray. The following python script can be used to generate a string of bad chars from \x01 to \xff:

from __future__ import print_function

for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()

Update your script and set the payload variable to the string of bad chars the script generates.

Restart oscp.exe in Immunity and run the modified script again. Make a note of the address to which the ESP register points and use it in the following mona command:

!mona compare -f C:\mona\oscp\bytearray.bin -a <address>

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

Restart oscp.exe in Immunity and run the modified script again. Repeat the badchar comparison until the results status returns "Unmodified". This indicates that no more badchars exist.

Finding a Jump Point

With the oscp.exe either running or in a crashed state, run the following mona command, making sure to update the -cpb option with all the badchars you identified (including \x00):

!mona jmp -r esp -cpb "\x00"

Choose an address and update your script, setting the "retn" variable to the address, written backwards (since the system is little endian). For example if the address is \x01\x02\x03\x04 in Immunity, write it as \x04\x03\x02\x01 in your exploit.