background image


Chapter 14

evil = lead + payload.encoded + near + nseh + [target.ret].pack("A3")

        print_status("Sending payload")
        sploit = '0002 LIST () "/' + evil + '" "PWNED"' + "\r\n"

As you can see in this listing, the initial string of 


s we used earlier is 

replaced by NOPs minus the length of the shellcode that Metasploit generates 
at  . Notice that the buffer length, initially 10,356 bytes, has been decreased 
by five bytes to 10,351 to account for the near jump instructions at  . Finally, 
the malicious string is built using all of the exploit’s components at  .

Now we can select a real payload and execute the module to see what 

happens. Surprisingly, the exploit completes but no session is created. The 
exploit module connects and sends its payload, but no shell is returned to us, 
as shown next:

msf exploit(surgemail_book) > 

set payload windows/shell_bind_tcp

payload => windows/shell_bind_tcp

msf exploit(surgemail_book) > 


[*] Started bind handler
[*] Authenticating as test with password test...
[*] Sending payload
[*] Exploit completed, but no session was created.
msf exploit(surgemail_book) >

Bad Characters and Remote Code Execution

Well, that certainly wasn’t expected: The exploit completes but no session 
is created. If you check your debugger, you’ll see that the application didn’t 
even crash—so what happened? Welcome to the sometimes challenging and 
nearly always frustrating world of 

bad characters

. Some characters, when sent 

as part of an exploit buffer, get mangled while being read by the application. 
The unfortunate result is that bad characters render your shellcode, and 
sometimes the entire exploit, unusable.

When writing a Metasploit module, you should always be sure to identify 

all the bad characters, because the shellcode that Metasploit generates differs 
each time an exploit is launched, and any rogue bad characters will greatly 
reduce a module’s reliability. In many cases, if you fail to find all the bad 
characters, the application will crash without running the shellcode. In the 
preceding example, SurgeMail didn’t even crash. The exploit appears to 
succeed, but we don’t get a session.

There are many ways to identify bad characters, including replacing the 

dynamically created shellcode with a string of sequential characters (



…), and checking the debugger to see where the first character gets