[framework] Metasploit vs ANI
Thomas Werth
thomas.werth at vahle.de
Wed Apr 4 01:59:46 CDT 2007
user32.dll is version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
The instruction in user32.dll around 0x77d525ba looks like this:
77D525B3 mov ebx, [esi+0DCh]
77D525B9 test ebx, ebx
77D525BB mov [ebp+arg_0], eax
Seems like this user32.dll doesn't match what the Metasploit opcode DB
prints out.
mmiller at hick.org wrote:
> What version of user32.dll do you have? What is the instruction at
> 77d525ba? The partial overwrite is succeeding, but it appears you have
> something other than a call [ebx+4] at this location.
>
> On Wed, Apr 04, 2007 at 08:26:44AM +0200, Thomas Werth wrote:
>> ok here are details
>>
>> msf 3 latest updates running on bt2 hd install. Using
>> win/shell/bind_tcp payload
>> Test vmware windows xp sp2 german no ani patch installed, running as admin.
>> Using OllyDbg on IE.
>> WinXp connects to given msf random uri as soon as msf shows ready signals.
>>
>> OllyDbg is catching an error:
>> EAX ED40601B
>> ECX 7C92056D ntdll.7C92056D
>> EDX 00000000
>> EBX 0012DF80
>> ESP 0012DECC
>> EBP FED47515
>> ESI 0012DEFC ASCII "anih$"
>> EDI 0012DECC
>> EIP 77D525BA USER32.77D525BA
>> C 0 ES 0023 32bit 0(FFFFFFFF)
>> P 1 CS 001B 32bit 0(FFFFFFFF)
>> A 0 SS 0023 32bit 0(FFFFFFFF)
>> Z 1 DS 0023 32bit 0(FFFFFFFF)
>> S 0 FS 003B 32bit 7FFDF000(FFF)
>> T 0 GS 0000 NULL
>> D 0
>> O 0 LastErr ERROR_INVALID_PARAMETER (00000057)
>> EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
>> ST0 empty -??? FFFF 0084837B 6B84837B
>> ST1 empty -??? FFFF 00000000 6B000000
>> ST2 empty -??? FFFF 00000084 0083007B
>> ST3 empty -??? FFFF 00000084 0083007B
>> ST4 empty -??? FFFF 6B84837B 6B84837B
>> ST5 empty -??? FFFF 00000084 0083007B
>> ST6 empty 1.0000000000000000000
>> ST7 empty 1.0000000000000000000
>> 3 2 1 0 E S P U O Z D I
>> FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
>> FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
--
------------------------------------------------------------------------
Paul Vahle GmbH & Co. KG
Westicker Strasse 52
D-59174 Kamen
www.vahle.de
Dipl. Informatiker
Thomas Werth
Department TDV
Phone 0 23 07 / 7 04- 366
Fax 0 23 07 / 7 04- 444
thomas.werth at vahle.de
Managing Directors: Josef Hötte, Dipl.-Kfm. Dirk Korn, Dipl.-Ing. Michael
Pavlidis
Registered office: Kamen - Local Court of Hamm - HRA 2586
------------------------------------------------------------------------
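An added example, not from this thread and not Metasploit's own code, showing the check that mmiller's question implies: parse the section table of a 32-bit PE, map the virtual address the partial overwrite lands on (77D525BA) back to a file offset, and compare the bytes there with the encoding of call [ebx+4]. No real user32.dll is read; two sample images are constructed in memory. One carries the expected instruction at that address, the other carries the byte encodings of the three instructions disassembled at the top of the message (landing at 77D525BA in that build hits the middle of test ebx, ebx, which is why the debugger stops there with something other than a call). The image base, the section layout and arg_0 = +8 are assumptions made for the constructed samples.

```python
import struct

# Constructed sample layout (not a real user32.dll): a PE32 image whose single
# .text section is mapped so that the address from the thread falls inside it.
IMAGE_BASE = 0x77D40000            # assumed load address for the sample
TEXT_RVA = 0x12000                 # .text starts at IMAGE_BASE + TEXT_RVA
TEXT_RAW_PTR = 0x200               # file offset of .text in the sample image
TARGET_VA = 0x77D525BA             # address the partial overwrite lands on (from the thread)
CALL_EBX_PLUS_4 = b"\xff\x53\x04"  # x86 encoding of `call dword ptr [ebx+4]`


def parse_sections(image: bytes):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...]) from PE32 headers."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(image: bytes, va: int) -> int:
    """Translate a virtual address to the file offset of the same bytes."""
    image_base, sections = parse_sections(image)
    rva = va - image_base
    for name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            if delta >= raw_size:
                raise ValueError(f"{va:#x} lies in uninitialised data of {name}")
            return raw_ptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def bytes_at_va(image: bytes, va: int, length: int) -> bytes:
    off = va_to_file_offset(image, va)
    return image[off:off + length]


def has_expected_opcode(image: bytes, va: int, expected: bytes = CALL_EBX_PLUS_4) -> bool:
    """True if this build carries `expected` at `va`; False means the address is build-specific."""
    return bytes_at_va(image, va, len(expected)) == expected


def build_sample_image(text: bytes) -> bytes:
    """Build a minimal PE32 file with one .text section holding `text` (constructed, not loadable)."""
    e_lfanew, opt_size = 0x40, 224
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)    # ImageBase
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, len(text), TEXT_RVA, len(text), TEXT_RAW_PTR)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    return header + bytes(TEXT_RAW_PTR - len(header)) + text


def make_samples():
    """Two constructed images: one with call [ebx+4] at TARGET_VA, one with the poster's code."""
    at = TARGET_VA - (IMAGE_BASE + TEXT_RVA)        # 0x5BA into .text
    matching = bytearray(b"\x90" * 0x1000)           # nop filler
    matching[at:at + 3] = CALL_EBX_PLUS_4
    # Encodings of the three instructions the poster disassembled at 77D525B3/B9/BB:
    # mov ebx,[esi+0DCh]; test ebx,ebx; mov [ebp+8],eax (arg_0 assumed to be +8).
    poster_code = b"\x8b\x9e\xdc\x00\x00\x00" + b"\x85\xdb" + b"\x89\x45\x08"
    mismatched = bytearray(b"\x90" * 0x1000)
    mismatched[at - 7:at - 7 + len(poster_code)] = poster_code
    return build_sample_image(bytes(matching)), build_sample_image(bytes(mismatched))


SAMPLE_MATCHING, SAMPLE_MISMATCHED = make_samples()

if __name__ == "__main__":
    for label, img in (("matching build", SAMPLE_MATCHING), ("poster's build", SAMPLE_MISMATCHED)):
        found = bytes_at_va(img, TARGET_VA, 3).hex(" ")
        print(f"{label}: bytes at {TARGET_VA:#x} = {found}; "
              f"call [ebx+4] present: {has_expected_opcode(img, TARGET_VA)}")
```

Running it prints FF 53 04 for the first sample and DB 89 45 for the second, which is the same comparison the opcode database is used for: a hardcoded address is only meaningful for the exact module build it was taken from, and a file-version check alone is no substitute for looking at the bytes.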