Identifying Bad Characters
There are certain characters that will prevent our shellcode from being executed; these characters are commonly known as bad characters. An example of a bad character is the null byte, which is a universally known bad character. To identify bad characters we send a string containing all the ASCII characters, both printable and nonprintable, and from the debugger we see what characters have been modified or are breaking the execution. This is a tedious process if done manually. Therefore, we use a tool called mona; the tool was created by the corelan.be team, and it is an exploit developer's best friend. For mona to work you would need to save it inside the PyCommands folder of Immunity Debugger.
To run mona from within Immunity Debugger, we need to type !mona inside the field at the bottom and press "Enter" to execute it; this would display all the options of mona followed by its usage.
Windows Exploit Development Basics
For !mona to work, we first need to set up a working folder, where mona will store everything. You can set it up by issuing the following command (the %p placeholder is expanded by mona to the name of the debugged process):
!mona config -set workingfolder C:\mona\%p
Figuring Out Bad Characters with Mona
To figure out bad characters with mona we first need to generate a byte array. We will exclude \x00 and \x0a from it with the -b parameter, as they are known bad characters which might not allow our exploit to function properly. The command looks as follows:
!mona bytearray -b '\x00\x0a'
This will generate a byte array of all the printable and nonprintable ASCII characters excluding \x00 and \x0a.
Ethical Hacking and Penetration Testing Guide
We would now send this code to the application and then use mona to compare the contents of the file with the contents of memory. We will compare the bytearray.bin file, which is located under c:\mona\no_name\bytearray.bin. Command:
!mona compare -f c:\mona\no_name\bytearray.bin
Upon execution, a file named compare.txt is created. Press Ctrl+F and look for the keyword "bad chars"; it tells us that 0d is the bad character. So we need to filter 0d out of our shellcode for our exploit to work.
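As an added example that is not part of the book and not mona.py's own code, the following Python re-implements the two steps above in miniature: building the byte array minus the known bad characters, and comparing what was sent against what was later found in memory. The memory contents are constructed inline to stand in for what the debugger would show, and beyond the book's single 0d case the comparison tells apart the three ways a character shows up as bad: substituted in place, dropped, or cutting the copy short.

```python
# Added example, not the book's code or mona.py itself; the "memory" inputs
# are constructed stand-ins for what the debugger would show after a crash.

KNOWN_BAD = (0x00, 0x0A)  # the bytes the book excludes with -b '\x00\x0a'


def generate_bytearray(excluded=KNOWN_BAD):
    """All 256 byte values in order, minus those already known to be bad
    (the equivalent of `!mona bytearray -b '\\x00\\x0a'`)."""
    return bytes(b for b in range(256) if b not in excluded)


def find_bad_chars(sent, in_memory, window=4):
    """Compare what was sent (bytearray.bin) with what was found in memory
    (what `!mona compare -f ...` reads back); return the bytes that did not
    survive. At each mismatch the scan tells three cases apart: substituted
    in place (e.g. 0x0d rewritten as 0x0a), so data realigns one byte on;
    dropped, so data realigns at the same memory offset; truncated or
    corrupted, so nothing realigns and the scan stops, since everything
    after that byte is unreliable. `window` = bytes that must match to realign."""
    bad = []
    si = mi = 0  # indices into sent / in_memory
    while si < len(sent):
        if mi >= len(in_memory):  # copy ended early: this byte cut it off
            bad.append(sent[si])
            break
        if sent[si] == in_memory[mi]:
            si, mi = si + 1, mi + 1
            continue
        bad.append(sent[si])
        following = sent[si + 1:si + 1 + window]
        if in_memory[mi + 1:mi + 1 + window] == following:  # substituted
            si, mi = si + 1, mi + 1
        elif in_memory[mi:mi + window] == following:  # dropped
            si += 1
        else:  # corrupted from here on
            break
    return bad


def as_mona_string(chars):
    """Render byte values the way you would hand them back to -b."""
    return "".join(f"\\x{c:02x}" for c in chars)


if __name__ == "__main__":
    sent = generate_bytearray()
    # Constructed crash memory: the target rewrote 0x0d as 0x0a (CR -> LF).
    print(as_mona_string(find_bad_chars(sent, sent.replace(b"\x0d", b"\x0a"))))
```

In practice the loop is repeated: each byte reported is added to the -b exclusion list and the array is resent until it survives unmodified.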