Encoding parts of a payload

This topic contains 15 replies, has 5 voices, and was last updated by caissyd 6 years, 8 months ago.

  • #8204
     caissyd 
    Participant

    Hi everyone,

    When I use msfpayload to generate my payload (let’s say, a Windows tcp bind shell), I always encode it with msfencode to remove null bytes (x00) or any other characters (usually x0a and xff, sometimes more). I do this because these bytes would otherwise prevent the insertion of my payload in memory.

    But what if my payload needs to be cut in two because I cannot put it all at the same memory location? For example, if my payload is 300 bytes long and I only have two spots of 200 bytes in memory? Should I carefully cut the payload (between two instructions) then encode each part separately, if they contain any invalid bytes? I would finally jump from the first part to the second one.

    I haven’t hit this problem yet, I was just “meditating” on the issue and couldn’t get a good answer from Google.

    Thanks
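The encoder's job described above is to leave no forbidden byte in the blob; a practitioner would verify that rather than trust the tool, and the same check answers the question of which half of a split payload still needs encoding. The following Python is an added example, not code from the thread or from Metasploit: it parses a bad-character list written the way the post writes it (x00, x0a, xff), reports every offset at which a forbidden byte occurs, and repeats the check for each side of a proposed cut. The `SAMPLE` bytes are constructed for the demonstration and are not a payload.

```python
import re
from typing import Dict, List, Tuple

# Bad-character list in the notation used in the post; parse_bad_chars also
# accepts the "\x00" and "0x00" spellings and any separators.
BAD_SPEC = "x00 x0a xff"

# Constructed sample blob (not shellcode): bad bytes sit at offsets 2, 4 and 6.
SAMPLE = b"\x31\xc0\x00\x50\x0a\x68\xff\x90"


def parse_bad_chars(spec: str) -> bytes:
    """Turn 'x00 x0a xff' / '\\x00\\x0a' / '0xff' / '00,0a,ff' into a bytes object."""
    hexes = re.findall(r"(?:\\?x|0x)?([0-9a-fA-F]{2})", spec)
    return bytes(int(h, 16) for h in hexes)


def find_bad_bytes(payload: bytes, bad: bytes) -> Dict[int, List[int]]:
    """Map each forbidden byte value present in payload to the offsets where it occurs.

    An empty dict means the blob is clean with respect to `bad`.
    """
    hits: Dict[int, List[int]] = {}
    for offset, value in enumerate(payload):
        if value in bad:
            hits.setdefault(value, []).append(offset)
    return hits


def is_clean(payload: bytes, bad: bytes) -> bool:
    """True when no forbidden byte appears anywhere in payload."""
    return not find_bad_bytes(payload, bad)


def check_split(payload: bytes, bad: bytes, cut: int) -> Tuple[Dict[int, List[int]], Dict[int, List[int]]]:
    """Check both sides of a cut at `cut` separately; offsets are reported relative to the whole blob.

    This tells you which half (if any) still needs encoding; it does not check that
    `cut` falls on an instruction boundary, which needs a disassembler.
    """
    first = find_bad_bytes(payload[:cut], bad)
    second = {value: [cut + o for o in offs]
              for value, offs in find_bad_bytes(payload[cut:], bad).items()}
    return first, second


def report(payload: bytes, bad: bytes) -> str:
    """Human-readable summary of the scan, one line per forbidden byte value."""
    hits = find_bad_bytes(payload, bad)
    if not hits:
        return "clean: no forbidden bytes in %d bytes" % len(payload)
    lines = ["%d bytes, %d forbidden value(s) present:" % (len(payload), len(hits))]
    for value in sorted(hits):
        lines.append("  0x%02x at offsets %s" % (value, ", ".join(str(o) for o in hits[value])))
    return "\n".join(lines)


if __name__ == "__main__":
    bad = parse_bad_chars(BAD_SPEC)
    print(report(SAMPLE, bad))
    first, second = check_split(SAMPLE, bad, 4)
    print("first half:", first)
    print("second half:", second)
```

Running it on an encoder's output should print the "clean" line; if it does not, the offsets point directly at the bytes the encoder missed, which is the thing to fix before worrying about where to cut.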

  • #51892
     UNIX 
    Participant

    Breaking the shellcode into several parts should work, but you have to verify where you separate it. If your first staged buffer is very limited in space you could also utilize an egg hunter to get eventually your shellcode executed.

  • #51893
     caissyd 
    Participant

    Yes, I guess it’s better to search harder to find a bigger place in memory where you wouldn’t have to break the payload.

    But just for the sake of it, have you ever encoded parts of your payload?

  • #51894
     cd1zz 
    Participant

    I literally just had this last problem on the latest bug I posted. Just slapped together a blog post last night: http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html

    Bottom line, you can cut up the payload easily. However, if you mess with the payload being sent sometimes the memory layout/registers will be completely different and show you something better or worse. In my case, 4 bytes literally changed the entire structure…

  • #51895
     dynamik 
    Participant

    @cd1zz wrote:

    I literally just had this last problem on the latest bug I posted. Just slapped together a blog post last night: http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html

    Bottom line, you can cut up the payload easily. However, if you mess with the payload being sent sometimes the memory layout/registers will be completely different and show you something better or worse. In my case, 4 bytes literally changed the entire structure…

    How in the world do you have time for bug hunting? 😮

    Also, is that a standard fuzzing template? My coworker is currently playing around with Ability in the OSCP labs. He sent me his fuzzer for review, and it looked almost identical to yours, but with FTP commands.

    @H1t M0nk3y wrote:

    Hi everyone,

    When I use msfpayload to generate my payload (let’s say, a Windows tcp bind shell), I always encode it with msfencode to remove null bytes (x00) or any other characters (usually x0a and xff, sometimes more). I do this because these bytes would otherwise prevent the insertion of my payload in memory.

    But what if my payload needs to be cut in two because I cannot put it all at the same memory location? For example, if my payload is 300 bytes long and I only have two spots of 200 bytes in memory? Should I carefully cut the payload (between two instructions) then encode each part separately, if they contain any invalid bytes? I would finally jump from the first part to the second one.

    I haven’t hit this problem yet, I was just “meditating” on the issue and couldn’t get a good answer from Google.

    Thanks

    Yea, that’s going to be a pain because you’re going to have to do a lot of that manually. As you noted, you can’t just cut it in half and add a jump to the next portion. Not only will you need to encode each portion separately, you’d also need to correct any jumps and other offsets in the original shellcode. I’d try to get the exploit working without encoding first by binary pasting the shellcode into the appropriate places in a debugger, and then go back and deal with encoding once the shellcode was functional. Just break it out into as many baby steps as you can.

    It also depends on how big the gap is. There was a cool example in the Corelan course where the shellcode was broken by a double word, so a few instructions were added to the beginning of the shellcode to correct those four bytes. Something like that would certainly be a less involved solution, if possible.

  • #51896
     caissyd 
    Participant

    However, if you mess with the payload being sent sometimes the memory layout/registers will be completely different and show you something better or worse.

    That’s a very good point. I just read your blog and I found it very well explained and easy to follow. Good job cd1zz!!

    How in the world do you have time for bug hunting?

    Did you guys know that cd1zz (Craig Freyman) has 19 exploits to his name in exploit-db? That’s insane!!! 😮
    http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=&filter_author=Craig+Freyman&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

  • #51897
     cd1zz 
    Participant

    @ajohnson I’ve had it for so long, I completely forgot where it came from. This is it: http://www.redteamsecure.com/labs/post/18/build-your-own-ftp-fuzzer

    Editing the post now to reflect that!

  • #51898
     UNIX 
    Participant

    Nice write-up on the ActFax exploitation, cd1zz. 😉

  • #51899
     dynamik 
    Participant

    @H1t M0nk3y wrote:

    Did you guys know that cd1zz (Craig Freyman) has 19 exploits to his name in exploit-db? That’s insane!!! 😮
    http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=&filter_author=Craig+Freyman&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

    Oh, I’m well aware of his… *wait for it* …many exploits.

    Sorry, I couldn’t resist an awful pun ;D

    Seriously though, he was one of the few that was consistently finishing ahead of me in the Corelan course. He’s a frustratingly sharp guy 8)

  • #51900
     caissyd 
    Participant

    cd1zz and ajohnson: Have you taken the Corelan course before or after OSCE?

    It looks good, but 80% of the class seemed to be covered by the Cracking the Perimeter course…

    Am I right?

  • #51901
     cd1zz 
    Participant

    There is a lot of overlap and in many cases they complement each other. We had a thread on here somewhere where we got into the nitty gritty. For example, OSCE covers no ROP exploitation but Corelan does. Corelan is 110% exploit dev. OSCE is 90%. If possible, do them both!!

    ajohnson just knocked out OSCE and recently did Corelan, he might have a fresher perspective…

  • #51902
     caissyd 
    Participant

    OSCE is my goal right now, but I will keep a good eye on Corelan’s tutorials at https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/

    Thanks to your blog cd1zz, I now know about these things.

  • #51903
     dynamik 
    Participant

    I intend to do full write-ups on both, but my schedule’s not going to clear up for the next few weeks.

    In the interim, I think it’s apples and oranges. Sure, they both cover exploit development, but there are huge differences in the tools, techniques, and approaches. As usual, OffSec focuses on doing everything manually and uses OllyDbg. The Corelan boot camp might as well be called “Exploit Development using Mona.py.” You spend nearly the entire course in Immunity and working with Mona, from basic stack-based buffer overflows to egg hunters to ROP exploitation. The amount of annoying, tedious tasks that can be performed effortlessly with Mona is nothing short of amazing.

    I think the Corelan course more accurately depicts how people who perform exploit development day-to-day go about their work. However, it’s still important to understand what’s going on behind the scenes and not rely on Mona as this magical tool that just works. Both courses complement each other well, and I recommend doing both. Also, Peter is great to interact with, and being able to ask questions and bounce ideas around with him is a fantastic experience. He’s going to work with you and not just tell you to try harder.

    I actually took the Corelan course a couple of weeks before my OSCE exam, and one thing that did surprise me is that it really didn’t help much, if at all, with the exam. I thought I would crush it for sure, but it ended up being the usual miserable experience with a miraculous pass in the last few hours. In fact, I actually ended up using a technique that wasn’t covered in either course. I can’t say more without spoiling it, but I posted my solution in the OffSec OSCE-only forums 😉

    Also be sure to check out the SecurityTube assembly and exploit development videos, as well as the tutorials over at The Grey Corner (thanks to UNIX for showing me those).

  • #51904
     caissyd 
    Participant

    My list of things to read/review/do is getting longer and longer every day!!
    Will I ever be able to challenge this exam? 😛

    Thanks ajohnson, very useful, as usual!

  • #51905
     Dark_Knight 
    Participant

    @cd1zz wrote:

    I literally just had this last problem on the latest bug I posted. Just slapped together a blog post last night: http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html

    Bottom line, you can cut up the payload easily. However, if you mess with the payload being sent sometimes the memory layout/registers will be completely different and show you something better or worse. In my case, 4 bytes literally changed the entire structure…

    I decided to throw my hat in the ring as well. Of course cd1zz has already done the heavy lifting and it’s not as sexy 🙂

    http://sector876.blogspot.com/2013/02/hacking-actfax-raw-server.html

  • #51906
     caissyd 
    Participant

    Nice Dark_Knight! Now I feel like I have to add to it too! 😀

    But these days, I’ve got a new problem preventing me from studying much: a new girlfriend!! A guy needs to set his priorities… ;D

Copyright ©2019 Caendra, Inc.
