Security Basics mailing list archives

RE: Finding Bad Characters in Exploit Research?


From: "Demetris Papapetrou" <dpapapetrou () internalaudit gov cy>
Date: Fri, 11 Mar 2011 11:48:23 +0200

Hi John,

I apologize for the delayed response. 
I was hoping that someone more experienced in the field of buffer overflows
would answer your question. Since no one mentioned an easy way to detect bad
characters, I have decided to provide you with the one I use (manual work
required).

Let's say that the buffer you are trying to overflow has a size of 512 bytes
and when you successfully overflow it you have an extra space of 512 bytes
after it. Let's say that EIP is overwritten at bytes 514-517.

So in order to detect which characters may break your shellcode, you
overflow the buffer with 520 * A and then you insert into the extra space
the hex representation of all 256 ASCII characters.

Python extract
--------------
# Bad characters (hex representation of all 256 ascii characters)
# Note: \x00 is not in the list below, so the string sent is 255 bytes long
buffer = '\x41' * 520
buffer += (
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

Now, when the buffer overflow happens and EIP is overwritten with AAAA,
Olly/Immunity debugger will throw an exception and pause program
execution. At this point you need to observe the stack and find your string
of As. After the long string of As you should find the string of 256 ASCII
characters. If there is a bad character in it, the string won't be 256
characters long. Its length will usually be one character less than the
position of the offending character.

For example, the characters \x0a and \x0d are usually marked as bad because
they are the Line Feed (LF) and Carriage Return (CR) characters and signify
the end of a command (e.g. the FTP USER command issued during the
authentication phase). So if we observe the stack of the FTP application
during the crash, the string of ASCII characters following the string of As
will be \x01\x02\x03\x04\x05\x06\x07\x08\x09, which means that the next
character in the string (i.e. \x0a) is a bad one.

Please note that, following the identification of a bad character you need
to perform the same procedure again and again, but each time removing the
offending character from the ASCII string. Hence in our second attempt the
ASCII string that we will find in the stack will be
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c, which signifies that the next
bad character is \x0d. Note that in this string there is no \x0a because the
ASCII string sent to the program was 255 characters long instead of 256
(\x0a was removed from the string).   

I hope I helped.


Regards,


Demetris Papapetrou
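The iterative procedure from the reply above (send the byte list, inspect what survived on the stack, drop the first byte that did not survive, repeat), as an added example that is not part of the original post. The target behaviour is a constructed stand-in for the FTP server in the post, which cuts the command at LF or CR; the helper names and the by-byte comparison, which also reports a substituted byte rather than only a truncated string, are additions beyond the post.

```python
# Added example: automates the compare-and-retry loop described in the post.
# The "observed" data comes from a constructed stand-in, not a real debugger.

def badchar_string(exclude=(0x00,)):
    """All byte values 0x00-0xff minus those already known to be bad.

    \x00 is excluded by default, matching the post's list which starts at \x01.
    """
    return bytes(b for b in range(256) if b not in exclude)


def find_bad_char(sent, observed):
    """Return the first byte of `sent` that is missing or altered in `observed`.

    The post's case is truncation: the observed string stops one byte before
    the offending character. A substituted byte is reported the same way.
    Returns None when the whole string survived intact.
    """
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def iterate(observe):
    """Repeat the post's procedure until the string arrives intact.

    `observe` maps the bytes sent to the bytes seen on the stack (in practice,
    what the debugger shows after the crash). Returns the sorted bad bytes.
    """
    bad = {0x00}
    while True:
        sent = badchar_string(bad)
        found = find_bad_char(sent, observe(sent))
        if found is None:
            return sorted(bad)
        bad.add(found)


def ftp_like_target(sent):
    """Constructed stand-in: the command ends at the first LF or CR byte."""
    cut = len(sent)
    for terminator in (b"\n", b"\r"):
        pos = sent.find(terminator)
        if pos != -1:
            cut = min(cut, pos)
    return sent[:cut]


if __name__ == "__main__":
    print([hex(b) for b in iterate(ftp_like_target)])  # ['0x0', '0xa', '0xd']
```

The second iteration reproduces the post's observation exactly: with \x0a removed, the stack shows \x01..\x09\x0b\x0c and \x0d is reported next.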

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of John Nash
Sent: Thursday, February 17, 2011 6:36 PM
To: security-basics
Subject: Finding Bad Characters in Exploit Research?

Hello All,

Just dived into exploit research and finding bad characters is killing me!

Can someone point me to a good document / methodology / automated way
to find bad characters?

Any help will be greatly appreciated!

Rgds,

JN

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
