Bad Character Analysis in Exploit Development

Automation is key to improving the efficiency and accuracy of your analysis.

i. Introduction

In an older post, we examined a stack-based buffer overflow in FreeFloat FTP Server. The step-by-step guide for beginners was to illustrate the process and technique of basic exploit development. However, I skipped the part where I was to explain how to determine which bytes or characters can break an exploit code. In this post, I’ll discuss how to hunt down bad characters in exploit development. If you are preparing for OSCE, you will find this post somehow useful.

ii. General approach

The fundamental principle of testing which bytes corrupt your exploit code is by utilising an array of all the bytes from “\x00” to “\xff” — byte array. The byte array is the shellcode in the exploit code. After executing the exploit code, we have to locate the byte array in the target’s memory application and examine for any missing bytes. The inference of the examination is anchored on the fact that if the shellcode found in the memory is not the same as the one used in the exploit code, there is a bad character. Once any bad character is identified, you generate the byte array again while eliminating the found bad character. The same examination is done repeatedly until all the bad characters are identified i.e. when bytes in exploit code are the same as in the memory of the exploited application.

iii. Slight Challenges

Sometimes, the memory buffer where you can fit your initial shellcode can be less than 256 bytes. For instance, you might get a buffer size of 24 bytes. You must start your analysis with just a byte array of 24 bytes, i.e. “\x00” to “\x18” and keep repeating the analysis with an iteration of the subsequent 24 bytes until all the 256 bytes are examined.

iv. My Deft Approach

Img. 1 — summary of my workflow
  1. A postmortem analysis script as the crash handler (BadChars.py)
CrashDbg.py — custom Python-based debugger that must use BadChars module for postmortem analysis
Img. 2 — CrashDbg.py on Windows 10 attached to FTPServer.exe
BadChars.py — automates the process of hunting bad characters in exploit development.
Img. 3 — CrashDbg in action (Windows 10, FTPServer)
  • The bad characters in the analysis are — \x00 and \x0a,
  • New check_bytes variable to be used in the BadChars.py (line 57) is generated,
  • New shellcode to be used in your exploit code is also generated,
  • Finally, update the size of bytes to be read to 254 (new size of shellcode used) in the CrashDbg.py (line 37).

v. Similar Approach and Resources

If you have used Immunity Debugger or Windbg (windbglib) you have probably come across mona.py by Corelanc0d3r (Peter Van Eeckhoutte). Mona is a Python-based script that provides a variety of options in exploit development. The script can be downloaded from https://github.com/corelan/mona

Conclusion

Bad character analysis in exploit development is essential and cannot be ignored. For a stable exploit, payload to be executed should not be mangled up while in the target’s memory application. CrashDbg is a nice tool to help you in crafting your exploit code. Other than the byte array, It can compare just about any length of data from a computer memory and identify any changed bytes.

If I was a writer I’d have nice words to put here :) Purple Teamer.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store