[prev in list] [next in list] [prev in thread] [next in thread]
List: metasploit-framework
Subject: Re: [framework] Encoding Payloads
From: Tommy Elliott <t.ellio.09 () gmail ! com>
Date: 2010-11-10 17:54:49
Message-ID: AANLkTimcGsgP0oLwzKWrkdEnr3MRsc_H7n0PZ4cShi6c () mail ! gmail ! com
Great article and input! I think this information will help me out
enormously.
Thanks again,
Tommy
On Wed, Nov 10, 2010 at 10:40 AM, Joshua J. Drake <jdrake@metasploit.com> wrote:
> On Wed, Nov 10, 2010 at 09:32:04AM -0600, Tommy Elliott wrote:
> > Got a quick question that hopefully I can get some guidance with. Below is
> > an excerpt from the Metasploit Free Ebook download about *msfencode*:
> >
> > What Are Bad Characters?
> > Many applications perform some sort of filtering on the input they receive.
> > For instance, a Web server might preprocess Unicode characters before they
> > are sent on to the vulnerable piece of code. As a result, the payload might
> > get modified and may not function as expected. Some characters also end up
> > terminating strings, such as the NULL (0x00) byte. These must also be
> > avoided.
> >
> > To determine what characters are being pre-processed, a whole array of all
> > possible characters could be sent, and it could then be determined which
> > ones were modified. Another way to do this would be to make assumptions
> > about the characters that that type of an application typically modifies
> > and avoid using those.
> >
> > My first question is with the first sentence. When it is stated you pass a
> > whole array of all possible characters that can be sent, *how* is it that
> > you determine which ones were modified after the application has received
> > them?
>
> Short answer, with some precise debugging.
>
> > My second question is, believe it or not!, with the second sentence. Is
> > there some kind of master list or more expedited way of making an
> > assumption about what characters certain applications most likely
> > modify/avoid? I understand that '0x00' is a NULL character but what other
> > assumptions would normally be made?
>
> A bunch of other assumptions can be made by considering the transport,
> or other technologies employed. For example, "\n" is a bad character
> for many protocols since they use it to delimit commands.
>
> > If these questions involve lengthy answers that you think I may need more
> > guidance than a single reply then please feel free to simply point me in
> > the right direction! ;)
>
> Check out the section on Illegal Characters in the ExploitModuleDev
> wiki entry -
>
> http://www.metasploit.com/redmine/projects/framework/wiki/ExploitModuleDev#Illegal-Characters
>
> --
> Joshua J. Drake
>
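Worked example of the two steps discussed in the thread (send every byte value, then work out from the debugger which ones did not survive), added here as an illustration; it is not code from Metasploit, from the ebook, or from either poster. The target is a constructed stand-in that behaves the way Joshua's "\n" remark suggests: it cuts the buffer at the first newline and drops carriage returns. The debugger read-back is simulated by calling that stand-in directly, and bytes_from_hexdump assumes a dump layout of an address column followed by space-separated hex byte pairs, which is an assumption about the debugger output rather than a fixed format.

```ruby
# Iterative bad-character hunt, modelled on the "send every byte, then
# compare in the debugger" method discussed in the thread.  Added example;
# not Metasploit code.  The target below is a constructed stand-in for a
# real service: it treats "\n" as a command delimiter and strips "\r".

# Build the probe: every byte value except the ones already known bad.
def badchar_array(exclude = [0x00])
  (0x00..0xff).reject { |b| exclude.include?(b) }.pack('C*')
end

# Return the first byte of +sent+ that does not survive in +observed+
# (the copy read back from the target's memory), or nil if all survive.
# Only the first difference is trustworthy: a dropped or translated byte
# shifts or corrupts everything after it, so the hunt is repeated once
# per culprit instead of trying to read several off one dump.
def first_mismatch(sent, observed)
  sent.each_byte.with_index do |b, i|
    return b if observed.getbyte(i) != b
  end
  nil
end

# Convert a debugger memory dump ("ADDR  HH HH HH ...", one row per line;
# an ASCII column is assumed absent) back into the bytes it shows, so the
# pasted dump can be compared directly against the probe.
def bytes_from_hexdump(dump)
  bytes = dump.each_line.flat_map do |line|
    tokens = line.split
    next [] if tokens.empty?
    tokens.drop(1).take_while { |t| t.match?(/\A\h{2}\z/) }.map { |t| t.to_i(16) }
  end
  bytes.pack('C*')
end

# Constructed target: delimits commands on "\n" (so the buffer is cut
# there) and normalises line endings by dropping "\r".
def simulated_target(input)
  cut = input.index("\n".b)
  kept = cut ? input[0...cut] : input
  kept.delete("\r".b)
end

# Drive the hunt: probe, read back, isolate one culprit, exclude it, repeat.
# +read_back+ stands in for the debugger step; here it is the simulated
# target itself.  The 256-pass cap bounds the loop even if every byte is bad.
def find_bad_chars(read_back, known = [0x00])
  bad = known.dup
  256.times do
    probe = badchar_array(bad)
    culprit = first_mismatch(probe, read_back.call(probe))
    break if culprit.nil?
    bad << culprit
  end
  bad
end

# Render the list in the '\x00\x0a' form that msfencode's -b option takes.
def msf_badchars(bad)
  bad.sort.map { |b| format('\x%02x', b) }.join
end

if __FILE__ == $PROGRAM_NAME
  bad = find_bad_chars(method(:simulated_target))
  puts "bad chars: #{msf_badchars(bad)}"
end
```

Against the stand-in target this settles on \x00\x0a\x0d after three passes: the first pass finds the buffer cut at 0x0a, the second finds 0x0d missing once 0x0a is excluded, the third finds nothing. In a real session the read-back is the memory dumped at the point the copied buffer is consumed, and it is worth confirming on that dump that the bytes before the first mismatch really are byte-for-byte identical, since a translation (rather than a drop) can leave the length unchanged while still corrupting the payload.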
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework