Lab 7: Writing shellcode
Lesson:
Why didn’t it work?
This most likely indicates either a problem with the shellcode buffer size (but if you test the buffer size, you'll notice that this is not the issue) or invalid characters in the shellcode.
You can exclude invalid characters when building the shellcode with Metasploit, but you'll have to know which characters are allowed and which aren't.
By default, null bytes (\x00) are restricted (because they will break the exploit for sure), but what are the other characters?
The m3u file probably should contain filenames.
So a good start would be to filter out all characters that are not allowed in filenames and filepaths.
You could also restrict the character set altogether by using another encoder.
We have used shikata_ga_nai, but perhaps alpha_upper will work better for filenames.
Using another encoder will most likely increase the shellcode length, but we have already seen (or we can simulate) that size is not a big issue.
Let's try it.
Create the m3u file and open it in the application.
Easy RM to MP3 now seems to hang.
Let's see if we got our callback.
Low hanging fruit, go for it!
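As an added, defensive example (not part of the original lab), the following Python script applies the lesson's own observation from the other side: an .m3u entry is supposed to be a file path, so a validator can flag entries that are longer than any legal path or that contain bytes a path cannot hold. The sample playlist, the MAX_PATH limit of 260 and the forbidden-character set are assumptions of the example.

```python
"""Added example: flag .m3u playlist entries that cannot be real file paths."""
import string

# Characters Windows forbids inside file names (assumption: the usual set,
# with the drive colon handled separately below).
_FORBIDDEN = set('<>"|?*')
_MAX_PATH = 260  # classic Windows MAX_PATH (assumed limit for a legal entry)
# Printable ASCII minus line/form-feed controls; a space is still allowed.
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def entry_problems(entry: str) -> list:
    """Return the reasons an m3u entry does not look like a real path (empty if fine)."""
    problems = []
    # An alphanumeric encoder (e.g. alpha_upper) keeps every byte printable,
    # so the length check is the one that still catches such an entry.
    if len(entry) >= _MAX_PATH:
        problems.append(f"length {len(entry)} exceeds MAX_PATH")
    bad = sorted({c for c in entry if c not in _PRINTABLE})
    if bad:
        problems.append("non-printable bytes: " + ", ".join(f"\\x{ord(c):02x}" for c in bad))
    forb = sorted({c for c in entry if c in _FORBIDDEN})
    if forb:
        problems.append("path-illegal characters: " + "".join(forb))
    if ":" in entry[2:]:  # a colon is only legal right after the drive letter
        problems.append("colon outside drive letter position")
    return problems


def scan_m3u(data: bytes) -> dict:
    """Map each suspicious line number of an m3u file to its list of problems."""
    findings = {}
    # Split on raw bytes, then decode 1:1 so no byte value can raise or vanish.
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r").decode("latin-1")
        if not line or line.startswith("#"):  # blank lines and #EXTM3U directives
            continue
        problems = entry_problems(line)
        if problems:
            findings[lineno] = problems
    return findings


# Constructed sample: two benign entries, then an oversized entry with
# non-printable bytes (constructed filler, not a real payload).
SAMPLE_M3U = (
    b"#EXTM3U\r\nC:\\Music\\track01.mp3\r\nC:\\Music\\track02.mp3\r\n"
    + b"A" * 5000 + b"\x90\x90\x90\xcc" + b"\r\n"
)

if __name__ == "__main__":
    for lineno, probs in scan_m3u(SAMPLE_M3U).items():
        print(f"line {lineno}: " + "; ".join(probs))
```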
Assignment:
Step 1 – Writing shellcode
Step 2 – Replace the shellcode with the given output
Step 3 – Run the executable, transfer crash_[sid].m3u to the target, and run it in the debugger
Did we get the expected result?
Answers:
View associated .txt file