Lab 7: Writing shellcode

Lesson:

Why didn’t it work?

  • This most likely indicates either a problem with the shellcode buffer size (but if you test the buffer size, you’ll notice that this is not the issue) or invalid characters in the shellcode

  • You can exclude invalid characters when building the shellcode with Metasploit, but you’ll have to know which characters are allowed and which aren’t

  • By default, null bytes (\x00) are excluded (because they will break the exploit for sure), but what are the other bad characters?

  • The m3u file probably should contain filenames

  • So a good start would be to filter out all characters that are not allowed in filenames and filepaths

  • You could also restrict the character set altogether by using another decoder

    • We have used shikata_ga_nai, but perhaps alpha_upper will work better for filenames

    • Using another encoder will most likely increase the shellcode length, but we have already seen (or we can simulate) that size is not a big issue.

Let’s try it

  • Create the m3u file, open it in the application

  • Easy RM to MP3 now seems to hang

  • Let’s see if we got our call back

Low hanging fruit, go for it!

Assignment:

  • Step 1 – Writing shellcode

  • Step 2 – Replace the shellcode with the given output

  • Step 3 – Run executable, transfer crash_[sid].m3u to target, and run it in the debugger

    • Did we get the expected result?

Answers:

  • View associated .txt file
