Friday, April 18, 2014

Exploitation: Identifying Bad Characters in a Shellcode

Bad characters are bytes that the target application (or the path the input travels through) alters, drops or truncates on; when one of them appears in the shellcode, the shellcode that lands in memory no longer matches what was sent and its execution breaks.

Before going deeper, a reminder of what shellcode is:
http://en.wikipedia.org/wiki/Shellcode

To find out which characters are bad for the specific application we are trying to exploit, generate a byte array containing every value from 0x00 to 0xff. In Immunity Debugger the mona plugin does this with
!mona bytearray

Copy the generated byte array into the exploit in place of the shellcode, i.e. right after the NOP (\x90) sled. Run the exploit against the vulnerable application and, at the time of the crash, compare the bytes in memory with the bytes that were sent. A byte that is missing (everything after it shifts by one), replaced with something else, or cuts the rest of the array short is a bad character (mona can do the comparison for you: !mona compare -f bytearray.bin -a <address where the array landed>). Once a bad character is found, regenerate the array without it (for example !mona bytearray -b "\x00\x0a"), put the new array in the exploit and try again. Repeat until the whole array up to 0xff arrives intact; only then generate the real shellcode with those bytes excluded.

Common Bad Characters
0x00    NULL (\0)
0x09    Tab (\t)
0x0a    Line Feed (\n)
0x0c    Form Feed (\f)
0x0d    Carriage Return (\r)
0xff    often filtered as well

These are only the usual suspects (string terminators and whitespace that text-oriented parsers stop on). Which bytes are actually bad depends on the application and on every hop the input passes through, so the list has to be confirmed per target with the procedure above.
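Why the bytes on this list break a payload, as an added example that is not from the original post: a scanner that flags bad bytes in a payload before it is sent (the check to run on any generated shellcode), and two small models of what a C-string copy or a line-oriented reader would keep of it. The x86 fragment is constructed for illustration and is not a complete shellcode; the bad-byte list is the one above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed x86 fragment (not a complete shellcode). Loading the
   syscall number with a 32-bit immediate drags in NUL bytes:
   31 c0          xor eax, eax
   b8 0b 00 00 00 mov eax, 0xb
   68 2f 2f 73 68 push "//sh"
   68 2f 62 69 6e push "/bin"
   89 e3          mov ebx, esp
   cd 80          int 0x80 */
static const uint8_t naive_fragment[] = {
    0x31, 0xc0, 0xb8, 0x0b, 0x00, 0x00, 0x00,
    0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69, 0x6e,
    0x89, 0xe3, 0xcd, 0x80
};

/* Same fragment with "mov al, 0xb" (b0 0b) instead: no NUL bytes. */
static const uint8_t fixed_fragment[] = {
    0x31, 0xc0, 0xb0, 0x0b,
    0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69, 0x6e,
    0x89, 0xe3, 0xcd, 0x80
};

/* The usual suspects from the list above. */
static const uint8_t common_bad[] = { 0x00, 0x09, 0x0a, 0x0c, 0x0d };

/* Report every offset in buf that holds a byte from the bad list.
   Returns the number of hits; up to max of them are stored in offsets. */
size_t find_bad_bytes(const uint8_t *buf, size_t n,
                      const uint8_t *bad, size_t nbad,
                      size_t *offsets, size_t max)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (memchr(bad, buf[i], nbad) != NULL) {
            if (hits < max)
                offsets[hits] = i;
            hits++;
        }
    }
    return hits;
}

/* How much a C-string sink (strcpy, strlen, sprintf %s) keeps:
   everything up to the first NUL, or all n bytes if there is none. */
size_t cstring_keeps(const uint8_t *buf, size_t n)
{
    const uint8_t *nul = memchr(buf, 0x00, n);
    return nul ? (size_t)(nul - buf) : n;
}

/* How much a line-oriented reader (fgets, a text protocol parser) keeps:
   everything up to the first line feed. */
size_t line_keeps(const uint8_t *buf, size_t n)
{
    const uint8_t *lf = memchr(buf, 0x0a, n);
    return lf ? (size_t)(lf - buf) : n;
}

/* Wrappers over the constructed samples. */
size_t naive_bad_count(void)
{
    size_t off[8];
    return find_bad_bytes(naive_fragment, sizeof naive_fragment,
                          common_bad, sizeof common_bad, off, 8);
}

size_t fixed_bad_count(void)
{
    size_t off[8];
    return find_bad_bytes(fixed_fragment, sizeof fixed_fragment,
                          common_bad, sizeof common_bad, off, 8);
}

size_t naive_cstring_keeps(void)
{
    return cstring_keeps(naive_fragment, sizeof naive_fragment);
}

int main(void)
{
    size_t off[8];
    size_t hits = find_bad_bytes(naive_fragment, sizeof naive_fragment,
                                 common_bad, sizeof common_bad, off, 8);
    printf("naive fragment: %zu bad byte(s) at offset(s)", hits);
    for (size_t i = 0; i < hits && i < 8; i++)
        printf(" %zu", off[i]);
    printf("\n  a strcpy-style sink keeps only %zu of %zu bytes\n",
           naive_cstring_keeps(), sizeof naive_fragment);
    printf("fixed fragment: %zu bad byte(s)\n", fixed_bad_count());
    return 0;
}
```

The scanner is the same check an encoder option such as msfvenom's -b performs on its output; running it yourself on the final payload catches a bad byte that slipped in through a hand-edited stub or an address.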

A small program to generate the hex numbers
******************************************
 root@kali-arpman:~# cat hex_numbers.c
#include <stdio.h>

int main(void)
{
    int i;

    printf("disects: Generate 0x00 to 0xff Hex Numbers\n");
    for (i = 0; i <= 255; i++)
    {
        /* eight values per row */
        if (i % 8 == 0 && i > 0)
            printf("\n");

        /* %#.2x prints 0 as "00" without the 0x prefix, so write the prefix explicitly */
        printf("0x%02x  ", i);
    }

    printf("\n");
    return 0;
}
root@kali-arpman:~# gcc hex_numbers.c -o hex_numbers
root@kali-arpman:~# ./hex_numbers
disects: Generate 0x00 to 0xff Hex Numbers
0x00  0x01  0x02  0x03  0x04  0x05  0x06  0x07
0x08  0x09  0x0a  0x0b  0x0c  0x0d  0x0e  0x0f
0x10  0x11  0x12  0x13  0x14  0x15  0x16  0x17
0x18  0x19  0x1a  0x1b  0x1c  0x1d  0x1e  0x1f
0x20  0x21  0x22  0x23  0x24  0x25  0x26  0x27
0x28  0x29  0x2a  0x2b  0x2c  0x2d  0x2e  0x2f
0x30  0x31  0x32  0x33  0x34  0x35  0x36  0x37
0x38  0x39  0x3a  0x3b  0x3c  0x3d  0x3e  0x3f
0x40  0x41  0x42  0x43  0x44  0x45  0x46  0x47
0x48  0x49  0x4a  0x4b  0x4c  0x4d  0x4e  0x4f
0x50  0x51  0x52  0x53  0x54  0x55  0x56  0x57
0x58  0x59  0x5a  0x5b  0x5c  0x5d  0x5e  0x5f
0x60  0x61  0x62  0x63  0x64  0x65  0x66  0x67
0x68  0x69  0x6a  0x6b  0x6c  0x6d  0x6e  0x6f
0x70  0x71  0x72  0x73  0x74  0x75  0x76  0x77
0x78  0x79  0x7a  0x7b  0x7c  0x7d  0x7e  0x7f
0x80  0x81  0x82  0x83  0x84  0x85  0x86  0x87
0x88  0x89  0x8a  0x8b  0x8c  0x8d  0x8e  0x8f
0x90  0x91  0x92  0x93  0x94  0x95  0x96  0x97
0x98  0x99  0x9a  0x9b  0x9c  0x9d  0x9e  0x9f
0xa0  0xa1  0xa2  0xa3  0xa4  0xa5  0xa6  0xa7
0xa8  0xa9  0xaa  0xab  0xac  0xad  0xae  0xaf
0xb0  0xb1  0xb2  0xb3  0xb4  0xb5  0xb6  0xb7
0xb8  0xb9  0xba  0xbb  0xbc  0xbd  0xbe  0xbf
0xc0  0xc1  0xc2  0xc3  0xc4  0xc5  0xc6  0xc7
0xc8  0xc9  0xca  0xcb  0xcc  0xcd  0xce  0xcf
0xd0  0xd1  0xd2  0xd3  0xd4  0xd5  0xd6  0xd7
0xd8  0xd9  0xda  0xdb  0xdc  0xdd  0xde  0xdf
0xe0  0xe1  0xe2  0xe3  0xe4  0xe5  0xe6  0xe7
0xe8  0xe9  0xea  0xeb  0xec  0xed  0xee  0xef
0xf0  0xf1  0xf2  0xf3  0xf4  0xf5  0xf6  0xf7
0xf8  0xf9  0xfa  0xfb  0xfc  0xfd  0xfe  0xff
root@kali-arpman:~#

******************************************

When testing the application, append 0x01 to 0xff (0x00 is left out from the start, since it is almost always bad) to the part of the buffer that leads to the crash. Once the application crashes, dump the memory where the array landed and check each byte against what was sent. The debugger dump below shows the array as it arrived:
0:000> d 0013e0e0
0013e0e0  cc eb 10 90 71 47 01 10-01 02 03 04 05 06 07 08  ....qG..........
0013e0f0  09 0a 0b 0c 0d 0e 0f 10-11 12 13 14 15 16 17 18  ................
0013e100  19 1a 1b 1c 1d 1e 1f 20-21 22 23 24 25 26 27 28  ....... !"#$%&'(
0013e110  29 2a 2b 2c 2d 2e 2f 30-31 32 33 34 35 36 37 38  )*+,-./012345678
0013e120  39 3a 3b 3c 3d 3e 3f 40-41 42 43 44 45 46 47 48  9:;<=>?@ABCDEFGH
0013e130  49 4a 4b 4c 4d 4e 4f 50-51 52 53 54 55 56 57 58  IJKLMNOPQRSTUVWX
0013e140  59 5a 5b 5c 5d 5e 5f 60-61 62 63 64 65 66 67 68  YZ[\]^_`abcdefgh
0013e150  69 6a 6b 6c 6d 6e 6f 70-71 72 73 74 75 76 77 78  ijklmnopqrstuvwx
0013e160  79 7a 7b 7c 7d 7e 7f 3f-81 3f 3f 3f 3f 3f 3f 3f  yz{|}~.?.???????
0013e170  3f 3f 3f 3f 8d 3f 8f 90-3f 3f 3f 3f 3f 3f 3f 3f  ????.?..????????
0013e180  3f 3f 3f 3f 9d 3f 3f a0-a1 a2 a3 a4 a5 a6 a7 a8  ????.??.........
0013e190  a9 aa ab ac ad ae af b0-b1 b2 b3 b4 b5 b6 b7 b8  ................
0013e1a0  b9 ba bb bc bd be bf c0-c1 c2 c3 c4 c5 c6 c7 c8  ................
0013e1b0  c9 ca cb cc cd ce cf d0-d1 d2 d3 d4 d5 d6 d7 d8  ................
0013e1c0  d9 da db dc dd de df e0-e1 e2 e3 e4 e5 e6 e7 e8  ................
0013e1d0  e9 ea eb ec ed ee ef f0-f1 f2 f3 f4 f5 f6 f7 f8  ................
0013e1e0  f9 fa fb fc fd fe ff 90-90 90 90 90 90 90 90 90  ................
0013e1f0  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0013e200  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0013e210  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0013e220  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0013e230  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................

Looking carefully, 0x80, 0x82 to 0x8c, 0x8e, 0x91 to 0x9c, 0x9e and 0x9f have all been replaced with 0x3f (the '?' visible in the ASCII column), so they are bad characters for this application. The pattern is telling: the five bytes in that range that survived (0x81, 0x8d, 0x8f, 0x90 and 0x9d) are exactly the positions left undefined in the Windows-1252 code page, which suggests the input goes through a character-set conversion rather than being copied byte for byte. One exploit I wrote didn't work when the shellcode contained the above characters.
http://blog.disects.com/2015/03/webgate-edvr-manager.html
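The two steps of the procedure, sending the array and checking what survived, as added example code that is not from the original post: build_bytearray leaves out bytes already known to be bad, and compare_bytearray walks the memory found at the crash against what was sent, telling a byte replaced in place from one that was dropped (which shifts everything after it) or one that cut the array short. The "memory" is constructed to match the 0x80-0x9f region of the dump above; the rest of the array is assumed to have arrived intact.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Build the probe array: every value 0x00..0xff except the ones already
   known to be bad (the same idea as mona's bytearray -b). Returns the
   number of bytes written to out, which must have room for 256. */
size_t build_bytearray(const uint8_t *exclude, size_t nexclude, uint8_t *out)
{
    size_t n = 0;
    for (int v = 0; v < 256; v++) {
        if (nexclude == 0 || memchr(exclude, v, nexclude) == NULL)
            out[n++] = (uint8_t)v;
    }
    return n;
}

/* Walk the bytes found at the crash (mem) against what was sent.
   A sent byte is bad if it was replaced in place, dropped, or never
   arrived because the array was cut short. A dropped byte is recognised
   because the next sent byte is already sitting at the current memory
   position; it does not consume memory, so one drop does not flag the
   whole tail of the array. Heuristic: a replacement value that happens
   to equal the next sent byte would be misread as a drop.
   Sets bad[v] = 1 for each bad value and returns the count. */
int compare_bytearray(const uint8_t *sent, size_t nsent,
                      const uint8_t *mem, size_t nmem, uint8_t bad[256])
{
    memset(bad, 0, 256);
    size_t m = 0;
    int count = 0;
    for (size_t s = 0; s < nsent; s++) {
        if (m < nmem && mem[m] == sent[s]) { m++; continue; }   /* intact */
        bad[sent[s]] = 1;
        count++;
        if (m >= nmem) continue;                                 /* truncated */
        if (!(s + 1 < nsent && mem[m] == sent[s + 1]))
            m++;                                                 /* replaced */
        /* else dropped: leave m where it is */
    }
    return count;
}

/* Constructed from the dump above: what 0x80..0x9f looked like in memory.
   Everything the application did not understand became 0x3f ('?'). */
static const uint8_t observed_80_9f[32] = {
    0x3f,0x81,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x8d,0x3f,0x8f,
    0x90,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x3f,0x9d,0x3f,0x3f
};

/* Fake the memory at the crash for the page's case: 0x01..0xff sent,
   0x80..0x9f as observed, everything else assumed intact. */
static size_t page_sample_memory(uint8_t *mem)
{
    size_t n = 0;
    for (int v = 1; v < 256; v++)
        mem[n++] = (v >= 0x80 && v <= 0x9f) ? observed_80_9f[v - 0x80] : (uint8_t)v;
    return n;
}

static uint8_t g_bad[256];

/* Run the page's case end to end; returns how many values came out bad. */
int page_sample_bad_count(void)
{
    uint8_t sent[256], mem[256];
    const uint8_t exclude[] = { 0x00 };
    size_t nsent = build_bytearray(exclude, sizeof exclude, sent);
    size_t nmem = page_sample_memory(mem);
    return compare_bytearray(sent, nsent, mem, nmem, g_bad);
}

int page_sample_is_bad(int v)
{
    page_sample_bad_count();
    return g_bad[v & 0xff];
}

/* A dropped byte: 0x02 vanished and the rest shifted left. Only 0x02
   should be reported, not every byte after it. */
int dropped_byte_demo(void)
{
    const uint8_t sent[] = { 0x01, 0x02, 0x03, 0x04 };
    const uint8_t mem[]  = { 0x01, 0x03, 0x04 };
    uint8_t bad[256];
    return compare_bytearray(sent, sizeof sent, mem, sizeof mem, bad);
}

int main(void)
{
    int n = page_sample_bad_count();
    printf("%d bad character(s):", n);
    for (int v = 0; v < 256; v++)
        if (g_bad[v]) printf(" 0x%02x", v);
    printf("\ndropped-byte case reports %d bad byte(s)\n", dropped_byte_demo());
    return 0;
}
```

In a real run the mem buffer is the bytes read from the debugger at the address where the array landed; the list it prints for the constructed sample is the 27 values identified above, and the bytes that follow a drop are not flagged, which is why the procedure says to remove one bad character at a time and resend rather than trusting a single dump.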

Other References
http://seclists.org/basics/2011/Mar/77
http://www.offensive-security.com/metasploit-unleashed/Generating_Payloads

Other interesting posts on the blog
http://blog.disects.com/2014/04/hacking-android-devices-using.html
http://blog.disects.com/2014/04/nmap-scripting-engine-auditing-mysql.html