Security Basics mailing list archives

RE: Finding Bad Characters in Exploit Research?


From: Peter Van Eeckhoutte <peter.ve () corelan be>
Date: Fri, 11 Mar 2011 17:21:03 +0100

If you write the array to a file as well as feeding it to the payload, you can use the !pvefindaddr compare 
functionality, which will automatically locate all instances of the array, and compare the one in memory with the 
(original) one in the file.

Pvefindaddr is a pycommand for immunity debugger, available for download at 
http://redmine.corelan.be:8800/projects/pvefindaddr

You can find an example on how to use the compare function here :
http://www.corelan.be/index.php/2010/03/27/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion/

More info on other features of pvefindaddr can be found here :
http://redmine.corelan.be:8800/projects/pvefindaddr/wiki/Pvefindaddr_usage

hope this helps



./showsignature
[+] Peter Van Eeckhoutte
    "corelanc0d3r"
    peter.ve () corelan be
[+] My Blog : http://www.corelan.be (IPv4 and IPv6)
[+] Projects : http://redmine.corelan.be:8800
[+] Twitter : https://twitter.com/corelanc0d3r
[+] RIPE Handle PVE50-RIPE


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Demetris Papapetrou
Sent: Friday 11 March 2011 10:48
To: 'John Nash'; 'security-basics'
Subject: RE: Finding Bad Characters in Exploit Research?

Hi John,

I apologize for the delayed response.
I was hoping that someone more experienced in the field of buffer overflows
would answer your question. Since no one mentioned an easy way to detect bad
characters, I have decided to provide you with the one I use (manual work
required).

Let's say that the buffer you are trying to overflow has a size of 512 bytes
and when you successfully overflow it you have an extra space of 512 bytes
after it. Let's say that EIP is overwritten at bytes 514-517.

So in order to detect which characters may break your shellcode, you
overflow the buffer with 520 * A and then you insert into the extra space
the hex representation of all 256 ASCII characters.

Python extract
--------------
# Bad characters (hex representation of all 256 ascii characters).
# The array starts at \x01; the null byte \x00 is not included in it.
buffer = b'\x41' * 520
buffer += (b'\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f'
           b'\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f'
           b'\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f'
           b'\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f'
           b'\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f'
           b'\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f'
           b'\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f'
           b'\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f'
           b'\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f'
           b'\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f'
           b'\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf'
           b'\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf'
           b'\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf'
           b'\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf'
           b'\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef'
           b'\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff')

Now, when the buffer overflow happens and EIP is overwritten with AAAA,
Olly/Immunity debugger will throw an exception and pause program
execution. At this point you need to observe the stack and find your string
of As. After the long string of As you should find the string of 256 ASCII
characters. If there is a bad character in it, the string won't be 256
characters long. Its length will usually be one character less than the
position of the offending character.

For example, the characters \x0a and \x0d are usually marked as bad because
they are the Line Feed (LF) and Carriage Return (CR) characters and signify
the end of a command (e.g. the FTP USER command issued during the
authentication phase). So if we observe the stack of the FTP application
during the crash, the string of ASCII characters following the string of As
will be \x01\x02\x03\x04\x05\x06\x07\x08\x09, which means that the next
character in the string (i.e. \x0a) is a bad one.

Please note that, following the identification of a bad character you need
to perform the same procedure again and again, but each time removing the
offending character from the ASCII string. Hence in our second attempt the
ASCII string that we will find in the stack will be
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c, which signifies that the next
bad character is \x0d. Note that in this string there is no \x0a because the
ASCII string sent to the program was 255 characters long instead of 256
(\x0a was removed from the string).

I hope I helped.


Regards,


Demetris Papapetrou
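The iterative procedure above (send the array, look at where the copy in memory stops, remove the offending byte, repeat) and the file-versus-memory comparison suggested in the reply at the top of the thread can both be expressed as a small script. The code below is an added example, written for this archive page; it is not code from either poster, nor from pvefindaddr. Because no real target is involved, `simulated_target_copy` is a constructed stand-in that models the FTP-style command parser described in the post (it stops copying at the first CR or LF); everything else (`build_badchar_array`, `compare_array`, `find_all_bad_chars`, the `badchars.bin` file name) is named here for illustration. `compare_array` goes a little beyond the post: besides a copy that is cut short, it also recognises a byte that was silently dropped or rewritten in place, which is what a side-by-side compare against the on-disk copy shows.

```python
import os
import tempfile


def build_badchar_array(known_bad=()):
    """Bytes 0x01..0xff with the bad characters found so far removed; this is
    the array the post places after the 520 'A's (0x00 is never included)."""
    return bytes(b for b in range(1, 256) if b not in set(known_bad))


def write_array_file(array, path):
    """Keep a copy of the array on disk so it can be compared against the copy
    located in memory (the idea behind comparing the file with the process)."""
    with open(path, "wb") as f:
        f.write(array)


def compare_array(original, in_memory):
    """Walk the array as sent and the copy found in the process side by side.
    Returns a list of (byte, status, observed) findings, where status is
    'truncated' (the copy ends at this byte), 'dropped' (the byte is missing
    but the following ones are present) or 'altered' (replaced by 'observed').
    After a truncation nothing further can be checked, so the walk stops."""
    findings = []
    i = j = 0
    while i < len(original):
        if j >= len(in_memory):
            findings.append((original[i], "truncated", None))
            break
        if in_memory[j] == original[i]:
            i += 1
            j += 1
            continue
        # Mismatch: if the next original byte is what sits here, this byte was
        # filtered out; otherwise it was rewritten in place. A rewrite that
        # happens to equal the next byte is misread as a drop, which is one
        # reason the procedure is repeated until the copy matches the file.
        if i + 1 < len(original) and in_memory[j] == original[i + 1]:
            findings.append((original[i], "dropped", None))
            i += 1
        else:
            findings.append((original[i], "altered", in_memory[j]))
            i += 1
            j += 1
    return findings


def simulated_target_copy(data):
    """Constructed stand-in for the vulnerable program (not a real target): a
    line-oriented command parser that stops copying at the first CR or LF,
    mirroring the \\x0a / \\x0d behaviour described in the post."""
    for k, b in enumerate(data):
        if b in (0x0a, 0x0d):
            return data[:k]
    return data


def find_all_bad_chars(send_and_observe, prefix_len=520, max_rounds=256):
    """Repeat the post's procedure: send the array, compare the copy found in
    memory with the file on disk, remove the first offending byte, send again.
    Stops when the copy matches the file, returning the bad bytes in order."""
    known_bad = []
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "badchars.bin")  # illustrative file name
    for _ in range(max_rounds):
        array = build_badchar_array(known_bad)
        write_array_file(array, path)
        observed = send_and_observe(b"A" * prefix_len + array)
        with open(path, "rb") as f:
            original = f.read()
        # Only the part after the 'A's is the array we want to check
        findings = compare_array(original, observed[prefix_len:])
        if not findings:
            return known_bad
        known_bad.append(findings[0][0])
    return known_bad


if __name__ == "__main__":
    bad = find_all_bad_chars(simulated_target_copy)
    print("bad characters:", ["0x%02x" % b for b in bad])
```

Run against the constructed parser, the first round sees the copy end after \x09 and reports \x0a, the second round (255-byte array without \x0a) ends after \x0c and reports \x0d, and the third round matches the file exactly, which is the sequence of observations the post walks through by hand. With a real debugger session, `send_and_observe` would be replaced by whatever delivers the buffer and reads back the bytes found on the stack.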

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of John Nash
Sent: Thursday, February 17, 2011 6:36 PM
To: security-basics
Subject: Finding Bad Characters in Exploit Research?

Hello All,

Just dived into exploit research and finding bad characters is killing me!

Can someone point me to a good document / methodology / automated way
to find bad characters?

Any help will be greatly appreciated!

Rgds,

JN

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
------------------------------------------------------------------------



This transmission is intended only for use by the intended recipient(s).  If you are not an intended recipient you 
should not read, disclose, copy, circulate or in any other way use the information contained in this transmission.  The 
information contained in this transmission may be confidential and/or privileged.  If you have received this 
transmission in error, please notify the sender immediately and delete this transmission including any attachments.

