Hi everyone,

When I use msfpayload to generate my payload (let's say, a Windows tcp bind shell), I always encode it with msfencode to remove null bytes (\x00) or any other characters (usually \x0a and \xff, sometimes more). I do this because these bytes would otherwise prevent the insertion of my payload in memory.

But what if my payload needs to be cut in two because I cannot put it all at the same memory location? For example, if my payload is 300 bytes long and I only have two spots of 200 bytes in memory? Should I carefully cut the payload (between two instructions) then encode each part separately, if they contain any invalid bytes? I would finally jump from the first part to the second one.

I haven't hit this problem yet, I was just "meditating" on the issue and couldn't get a good answer from Google.

Thanks

Yes, I guess it's better to search harder to find a bigger place in memory where you wouldn't have to break the payload.

But just for the sake of it, have you ever encode parts of your payload?

How in the world do you have time for bug hunting?

Also, is that a standard fuzzing template? My coworker is currently playing around with Ability in the OSCP labs. He sent me his fuzzer for review, and it looked almost identical to yours, but with FTP commands.


Yea, that's going to be a pain because you're going to have to do a lot of that manually. As you noted, you can't just cut it in half and add a jump to the next portion. Not only will you need to encode each portion separately, you'd also need to correct any jumps and other offsets in the original shellcode. I'd try to get the exploit working without encoding first by binary pasting the shellcode into the appropriate places in a debugger, and then go back and dealing with encoding once the shellcode was functional. Just break it out into as many baby steps as you can.

It also depends on how big the gap is. There was a cool example in the Corelan course where the shellcode was broken by a double word, so a few instructions were added to the beginning of the shellcode to correct those four bytes. Something like that would certainly be a less involved solution, if possible.

@ajohnson I've had it for so long, I completely forgot where it came from. This is it: http://www.redteamsecure.com/labs/post/18/build-your-own-ftp-fuzzer

Editing the post now to reflect that!

Oh, I'm well aware of his... *wait for it* ...many exploits.

Sorry, I couldn't resist an awful pun

Seriously though, he was one of the few that was consistently finishing ahead of me in the Corelan course. He's a frustratingly sharp guy

There is a lot of overlap and in many cases they compliment each other. We had a thread on here somewhere where we got into the nitty gritty. For example, OSCE covers no ROP exploitation but Corelan does. Corelan is 110% exploit dev. OSCE is 90%. If possible, do them both!!

ajohnson just knocked out OSCE and recently did Corelan, he might have a fresher perspective...

I intend to do full write-ups on both, but my schedule's not going to clear up for the next few weeks.

In the interim, I think it's apples and oranges. Sure, they both cover exploit development, but there are huge differences in the tools, techniques, and approaches. As usual, OffSec focuses on doing everything manually and uses OllyDbg. The Corelan boot camp might as well be called "Exploit Development using Mona.py." You spend nearly the entire course in Immunity and working with Mona, from basic stack-based buffer overflows to egg hunters to ROP exploitation. The amount of annoying, tedious tasks that can be performed effortlessly with Mona is nothing short of amazing.

I think the Corelan course more accurately depicts how people who perform exploit development day-to-day go about their work. However, it's still important to understand what's going on behind-the-scenes and not rely on Mona as this magical tool that just works. Both courses compliment each other well, and I recommend doing both. Also, Peter is great to interact with, and being able to ask questions and bounce ideas around with him is a fantastic experience. He's going to work with you and not just tell you to try harder.

I actually took the Corelan course a couple of weeks before my OSCE exam, and one thing that did surprise me is that it really didn't help much, if at all, with the exam. I thought I would crush it for sure, but it ended up being the usual miserable experience with a miraculous pass in the last few hours. In fact, I actually ended up using a technique that wasn't covered in either course. I can't say more without spoiling it, but I posted my solution in the OffSec OSCE-only forums

Also be sure to check out the SecurityTube assembly and exploit development videos, as well as the tutorials over at The Grey Corner (thanks to UNIX for showing me those).

I decided to throw my hat in the ring as well. Of course cd1zz has already done the heavy lifting and its not as sexy

http://sector876.blogspot.com/2013/02/hacking-actfax-raw-server.html