Hi,

I have an odd problem when trying to write my own exploit. I am doing the "extra mile" exercises for Win32 the Buffer-Overflow in the PWB course. So everything I am doing is legal here. Everything goes very well but one little thing.

I understand that injecting a null byte (\x00) will cause problems during the execution. But I have discovered that when I try to inject bytes ranging from \x0A to \x0F, I get a similar problem. Here is an example:

Let's say I want to inject the following code:
\x41\x42\x43\x44\x45\x0A\x46\x47\x48\x49

The debugger will show that the end result is something like:
\x41\x42\x43\x44\x45\x5A\x6B\x31\x5C\x61

But if I remove this \x0A character, I get the full message copied at the proper location: \x41\x42\x43\x44\x45\x46\x47\x48\x49

Basically, it seems I successfully copy my code, but starting at one of the mentioned characters, I only get garbage...

Any REAL experts? 

I forgot to say I am using a VPN. I first thought my firewall could be blocking these characters, but I soon woke up and realize the VPN encrypts everything. So it isn't my firewall.

Could it be an encoding problem of some sort?

Thanks mambru, I will read it tonight.

Also, I will post my solution.

I know now that I can encode my shellcode using the msfencode or something similar. So that is fine now.

BUT, my problem is the my ESP register needs to get the value \x0A\xAF\xD8\x77 but I have a problem with \x0A... Can I encode a value in EIP?

I will check right now!

It is not meant to fit in EIP... That is your encoded shellcode, if you are looking for a valid return address i.e. start of your shellcode, it should not contain what can be considered bad characters - \x0d\x00\x0a.

Ensure EIP points to a NOP sled to your shellcode or directly into your shellcode. If you have correctly aligned your offsets, attempt to fill EIP with \xCC\xCC\xCC\xCC to get your debugger to break and show you whats going on.

Happy to take a look for you, but if it is course material, I doubt is allowed.

I think I just solved my problem.

I found another JMP ESP instruction in users32.dll which doesn't contain any infamous characters. I am now able to reach the beginning of my shell code...

I can feel it, i is so close!!!

No problem M0nk3y, I'm glad I was helpful in some way and you did it, I was on the same road a while ago (PWB course)

NP and congrats. I'm going over a lot of advanced shellcoding tutorials and videos right now as well. My goal is repeatability across the board. Dino Zovi and Alex Sotirov have a class I'm waiting to attend called Assured Exploits. (http://trailofbits.com/2010/02/25/assured-exploitation-training/)

For example... Right now I have quite a few POC's and exploits for a variety of applications (I focus on the big boys, Oracle, IBM, etc. for obvious reasons ) Sometimes I submit work to CERT (they take forever even to get me my VRU's), sometimes I go to ZDI, sometimes IDefense, etc... Anyhow, I hate having something proven exploitable on say Windows 2003 Advanced Server, but not on say Win2008, Win7, etc.

I've been banging my head in reading especially for Win7 right now. E.g., I have one application, completely 'ownable' on everything EXCEPT Win7. I almost always get Access Violations on ? no matter what I do. A huge majority of things I find on say XP, I can replicate after a while on Vista, but on Win7 the same exploit almost always goes to kernelbase.dll so I've been trying to figure out why. It's a fun and sometimes frustrating experience.

n1p's document is definitely worth reading and again n1p if you read this, WinDBG rocks! So if you get one of those going let me know maybe I can learn more or even assist. H1t M0nk3y, I almost never suggest that anyone stray from what works for them however... I do have to state that WinDBG for debugging to me is more powerful. Not to mention the byakugan module would have found the right addresses for you:


WinDBG rocks... Immunity's Debugger (as does Canvas) for those who use then has some cool stuff in it as well. I need to update Canvas :| The only time I fire up olly nowadays is for mapping :|