[framework] strange problem whith network enabled payloads
arahzone-msf at yahoo.com
Mon May 15 13:54:38 CDT 2006
Thank you very much, I think that it's the solution. I have played with esp and ebp a little bit in Olly and the program goes a little further. I will test it and let you know.
Thanks
H D Moore <hdm at metasploit.com> wrote:
It sounds like your stack pointer is too close to EIP. Try prepending the
following bytes before your payload:
"\x81\xc4\x54\xf2\xff\xff" (add esp, -3500)
-HD
On Monday 15 May 2006 13:27, arahzone-msf at yahoo.com wrote:
> I have created a simple program that listens on a socket and
> copies (strcpy) the received data to another buffer that is smaller than
> the buffer used in receive(). I am able to use payloads that don't use
> winsock such as "execute command" successfully, but all payloads that use
> Winsock crash. I have debugged the complete process: the payload is
> copied correctly to the target buffer on the stack and the execution
> flow is redirected to the beginning of the payload. The problem is just
> after the LoadLibrary(ws_32). This call returns the correct address of
> ws_32.dll, but the next call contains an ADD [DS:EAX],AL and I have an
> access violation on this instruction. As the "execute command"
> payload works correctly and I am redirecting the execution flow exactly
> at the beginning of the payload, I really don't know what is going wrong.
> Is there anyone who could tell me what the problem is? I should add
> that I am using msweb to generate and encode the payload, but I use my
> own python script to send it to the vulnerable program. Is there any
> register initialization that should be done before executing these
> payloads? Last thing to say is that my own download and execute payload
> works.
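The program the original poster describes (recv() into a large buffer, then strcpy() into a smaller stack buffer) is the classic unbounded-copy bug. The following is an added example, not code from the thread or from Metasploit: it shows that shape next to a bounded handler that tracks the byte count recv() returned and rejects anything that does not fit. Socket I/O is replaced by a caller-supplied byte array so it runs offline; the buffer sizes and test messages are constructed for illustration.

```c
/* Added example (not from the thread): the recv()+strcpy() pattern the
 * original poster describes, beside a bounded version. Sizes and inputs
 * are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define RECV_BUF_SIZE 1024   /* size of the buffer handed to recv() */
#define WORK_BUF_SIZE 64     /* the smaller buffer strcpy() targets */

/* Vulnerable shape: strcpy() copies until it finds a NUL and ignores the
 * destination size. recv() does not NUL-terminate either, so the copy may
 * also read past the received data. Shown for contrast only; it overflows
 * work[] as soon as the input is WORK_BUF_SIZE bytes or longer. */
void handle_unsafe(const char *recv_buf)
{
    char work[WORK_BUF_SIZE];
    strcpy(work, recv_buf);           /* no bound: stack smash on long input */
    printf("unsafe: %s\n", work);
}

/* Hardened shape: use the length recv() reported, refuse messages that do
 * not leave room for a terminator, copy with an explicit bound and NUL-
 * terminate. Returns 0 on success, -1 when the message is rejected. */
int handle_bounded(const unsigned char *recv_buf, size_t received,
                   char *out, size_t out_size)
{
    if (recv_buf == NULL || out == NULL || out_size == 0)
        return -1;
    if (received >= out_size)         /* need received + 1 bytes for the NUL */
        return -1;
    memcpy(out, recv_buf, received);
    out[received] = '\0';
    return 0;
}

/* Stand-in for the server loop: what the program should do with the byte
 * count recv() returns instead of treating the buffer as a C string. */
int process_message(const unsigned char *data, size_t len)
{
    char work[WORK_BUF_SIZE];
    int rc = handle_bounded(data, len, work, sizeof work);
    if (rc != 0) {
        fprintf(stderr, "rejected %zu-byte message (limit %zu)\n",
                len, sizeof work - 1);
        return rc;
    }
    printf("accepted: %s\n", work);
    return 0;
}

int main(void)
{
    /* constructed inputs: one that fits, one the unsafe path would overflow on */
    unsigned char ok[] = "GET /index.html";
    unsigned char big[RECV_BUF_SIZE];
    memset(big, 'A', sizeof big);
    process_message(ok, sizeof ok - 1);   /* accepted */
    process_message(big, sizeof big);     /* rejected, no copy performed */
    return 0;
}
```

The key difference is that the bounded version never consults a terminator in the received bytes: the length recv() returned is the only trustworthy size, and the check `received >= out_size` runs before a single byte is written.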
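HD Moore's diagnosis is that the stack pointer sits too close to the code being executed, so the payload's own pushes and calls overwrite its later bytes (which fits the bogus `ADD [DS:EAX],AL` the poster sees right after the first call). As an added example, not code from the thread or from Metasploit, the block below decodes the six bytes he quotes (`81 c4 imm32` is `add esp, imm32` with a sign-extended immediate) and checks whether a stack region would overlap a code region. All addresses and the stack-usage figure are constructed for illustration.

```c
/* Added example (not from the thread): decode "81 c4 <imm32>" and test the
 * stack-pointer/code overlap condition described in the reply. Addresses
 * below are constructed, not taken from any real process. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Decodes "81 c4 <imm32, little-endian>" = add esp, imm32 and returns the
 * signed displacement; sets *ok to 0 if the bytes are not that instruction. */
int32_t decode_add_esp(const uint8_t *b, size_t n, int *ok)
{
    *ok = 0;
    if (b == NULL || n < 6 || b[0] != 0x81 || b[1] != 0xc4)
        return 0;
    uint32_t imm = (uint32_t)b[2]
                 | ((uint32_t)b[3] << 8)
                 | ((uint32_t)b[4] << 16)
                 | ((uint32_t)b[5] << 24);
    *ok = 1;
    return (int32_t)imm;   /* two's complement: 0xfffff254 is -3500 */
}

/* The x86 stack grows downward from esp, so code that pushes or calls writes
 * into [esp - stack_use, esp). Returns 1 when that window overlaps the code
 * region [code_start, code_start + code_len), i.e. the code would clobber
 * itself, and 0 otherwise. */
int stack_clobbers_code(uint32_t esp, uint32_t code_start, uint32_t code_len,
                        uint32_t stack_use)
{
    uint32_t lo = esp - stack_use;
    uint32_t hi = esp;
    return lo < code_start + code_len && hi > code_start;
}

int main(void)
{
    const uint8_t bytes[] = { 0x81, 0xc4, 0x54, 0xf2, 0xff, 0xff };
    int ok;
    int32_t disp = decode_add_esp(bytes, sizeof bytes, &ok);
    printf("decoded: add esp, %d (ok=%d)\n", disp, ok);

    /* constructed scenario: esp points into the middle of a 0x200-byte
     * region of code that will use about 0x400 bytes of stack */
    uint32_t esp = 0x0012ff40, start = 0x0012ff00, len = 0x200, use = 0x400;
    printf("before adjust: clobbers=%d\n", stack_clobbers_code(esp, start, len, use));
    esp += (uint32_t)disp;           /* what the decoded instruction does */
    printf("after adjust:  clobbers=%d (esp=0x%08x)\n",
           stack_clobbers_code(esp, start, len, use), esp);
    return 0;
}
```

The overlap check is what a debugger session in OllyDbg lets you eyeball: compare ESP against the address range the bytes were copied to, and if ESP lies inside or just above that range, any push or call will corrupt the instructions still to be executed.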