32BitFTP bad chars



I set up a windows 7 box and a windows 10 box with some protections disabled. I’m attempting to perform a buffer overflow for this application but the bad characters are quite horrendous. The first 9 are correct and then the rest of the characters are nearly all bad characters. I didn’t even bother counting how many there actually are due to this reason.

Did anyone else have this issue, or am I the only one? I placed my bad chars, taken straight from Bulb Security, right after my EIP, so if I just right-click on the ESP and choose “Follow in dump”, I’m taken right to my bad char set.

I’ve performed other BOFs a couple of months ago and my method always worked. They were all done on my win10 box. Perhaps I’ve forgotten something though? Idk.

Any input would be appreciated thanks.

Original post by CDog

It only looks like that. There are actually only 2 bad characters in addition to the null byte. However, the way I was successful was to replace them one at a time. Replace the first bad char that you found with a known good one (I like to just reuse \x09, i.e. replace the \x0a with \x09). Then resend the badchars and examine them in the dump again to find the NEXT one.

Original reply by dcardin14
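The one-at-a-time cycle dcardin14 describes, as an added example that is not code from the thread: the target here is a constructed stand-in for a line-based parser that stops copying at \x0a and \x0d, which is why a single comparison makes almost every byte after the first bad one look bad, and the loop re-sends with that byte removed until the dump matches what was sent.

```python
# Added example, not from the thread. The target below is a constructed
# simulation of an application that truncates input at a line feed or
# carriage return; the real application's behaviour must be read from the
# debugger dump, exactly as the thread describes.

def badchar_array(excluded=(0x00,)):
    """All bytes 0x00-0xff except the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in excluded)


def first_mismatch(sent, dumped):
    """Index of the first byte that differs from what was sent, or where
    the dump ends early. None means the dump matches the whole array."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return i
    return None


def simulated_target(data, terminators=(0x0a, 0x0d)):
    """Constructed stand-in for the vulnerable parser: copies input up to
    the first terminator byte and drops everything after it."""
    for i, b in enumerate(data):
        if b in terminators:
            return data[:i]
    return data


def naive_bad_count(target, known=(0x00,)):
    """How many bytes look bad after only ONE send/compare round."""
    sent = badchar_array(known)
    idx = first_mismatch(sent, target(sent))
    return 0 if idx is None else len(sent) - idx


def find_bad_chars(target, known=(0x00,), max_rounds=256):
    """Repeat the send/compare cycle, adding one bad byte per round
    (the byte at the first mismatch), until the dump matches."""
    bad = list(known)
    for _ in range(max_rounds):
        sent = badchar_array(bad)
        idx = first_mismatch(sent, target(sent))
        if idx is None:
            return bad
        bad.append(sent[idx])
    return bad


if __name__ == "__main__":
    print("one round, bytes that look bad:", naive_bad_count(simulated_target))
    print("iterated, actual bad bytes:", [hex(b) for b in find_bad_chars(simulated_target)])
```

With the simulated parser, the first round shows 9 good bytes followed by 246 that look bad, while the iteration ends after two more rounds with just \x0a and \x0d.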

dcardin14 - It seems that is indeed the case. The BOFs I had done previously were always a one-go type of thing. Wasn’t aware that you had to fix one and the rest would change. Makes sense though.

I’m also trying to use The Cyber Mentor’s method of finding a module’s JMP ESP address spaces using “!mona find” with the opcode for JMP ESP as FFE4. All my result addresses are showing as {PAGE_READONLY}, and setting a breakpoint on the address in Immunity gives an error regarding the location being outside of the code section. This was for 32bitftp.exe since it was the only module with all protections set to false. Did you happen to receive this error too?

EDIT: Actually, you probably cannot use a module that is a part of the actual application you are performing the BOF on.

Wow, I wish I had read this before spending the last two hours making a list of about 100 bad characters lol!

Original reply by m1ck3yb33