[framework] Metasploit vs ANI
mmiller at hick.org
Wed Apr 4 02:10:47 CDT 2007
Yeah, your machine has an older version of user32.dll. With that said,
if you're using the Automatic target, it should also try to trigger the
vulnerability using a complete overwrite of the return address with
0x769fc81a. What do you get when you disassemble this address? If it's
something other than a call [ebx+4], then that will explain why it's
failing to hit in both cases. Is the machine you're testing against
using the latest patches (aside from the latest ANI patch)?
On Wed, Apr 04, 2007 at 08:59:46AM +0200, Thomas Werth wrote:
> user32.dll is version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
>
> instruction in user32.dll around 0x77d525ba looks like this
>
> 77D525B3 mov ebx, [esi+0DCh]
> 77D525B9 test ebx, ebx
> 77D525BB mov [ebp+arg_0], eax
>
> seems like this user32.dll doesn't match what the Metasploit opcode DB
> prints out.
>
>
> mmiller at hick.org wrote:
> > What version of user32.dll do you have? What is the instruction at
> > 77d525ba? The partial overwrite is succeeding, but it appears you have
> > something other than a call [ebx+4] at this location.
> >
> > On Wed, Apr 04, 2007 at 08:26:44AM +0200, Thomas Werth wrote:
> >> ok here are details
> >>
> >> msf 3 with latest updates running on a bt2 hd install. Using
> >> win/shell/bind_tcp payload
> >> Test: VMware Windows XP SP2 German, no ANI patch installed, running as admin.
> >> Using OllyDbg on IE.
> >> WinXP connects to the given msf random URI as soon as msf shows ready signals.
> >>
> >> OllyDbg is catching on error:
> >> EAX ED40601B
> >> ECX 7C92056D ntdll.7C92056D
> >> EDX 00000000
> >> EBX 0012DF80
> >> ESP 0012DECC
> >> EBP FED47515
> >> ESI 0012DEFC ASCII "anih$"
> >> EDI 0012DECC
> >> EIP 77D525BA USER32.77D525BA
> >> C 0 ES 0023 32bit 0(FFFFFFFF)
> >> P 1 CS 001B 32bit 0(FFFFFFFF)
> >> A 0 SS 0023 32bit 0(FFFFFFFF)
> >> Z 1 DS 0023 32bit 0(FFFFFFFF)
> >> S 0 FS 003B 32bit 7FFDF000(FFF)
> >> T 0 GS 0000 NULL
> >> D 0
> >> O 0 LastErr ERROR_INVALID_PARAMETER (00000057)
> >> EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
> >> ST0 empty -??? FFFF 0084837B 6B84837B
> >> ST1 empty -??? FFFF 00000000 6B000000
> >> ST2 empty -??? FFFF 00000084 0083007B
> >> ST3 empty -??? FFFF 00000084 0083007B
> >> ST4 empty -??? FFFF 6B84837B 6B84837B
> >> ST5 empty -??? FFFF 00000084 0083007B
> >> ST6 empty 1.0000000000000000000
> >> ST7 empty 1.0000000000000000000
> >> 3 2 1 0 E S P U O Z D I
> >> FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
> >> FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
>
> --
>
>
> ------------------------------------------------------------------------
> Paul Vahle GmbH & Co. KG
> Westicker Strasse 52
>
> D-59174 Kamen
>
> www.vahle.de
> Graduate computer scientist (Dipl. Informatiker)
> Thomas Werth
> Department TDV
>
> Phone 0 23 07 / 7 04- 366
> Fax 0 23 07 / 7 04- 444
> thomas.werth at vahle.de
>
>
>
> Managing directors: Josef Hötte, Dipl.-Kfm. Dirk Korn, Dipl.-Ing. Michael
> Pavlidis
> Registered office: Kamen - Amtsgericht Hamm - HRA 2586
> ------------------------------------------------------------------------
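As an added example (not code from this thread, from Metasploit or from OllyDbg), the following Python helper parses a register dump in the format Thomas pasted and applies the two checks an analyst makes first when deciding whether a crash is a corrupted stack frame: where EIP landed (OllyDbg annotates pointers inside a module as MODULE.ADDRESS) and whether EBP has drifted far away from ESP, which is what a smashed saved frame pointer looks like. It also picks up the ASCII annotation on ESI. The register values embedded as sample input are copied from the quoted OllyDbg output above; the `frame_slack` threshold is an assumed heuristic, not a Windows or OllyDbg constant.

```python
"""Triage helper for an OllyDbg-style register dump.

Added example: not part of the original mail, Metasploit or OllyDbg.
"""
import re

# Sample input copied from the OllyDbg register dump quoted in the thread.
OLLY_DUMP = """\
EAX ED40601B
ECX 7C92056D ntdll.7C92056D
EDX 00000000
EBX 0012DF80
ESP 0012DECC
EBP FED47515
ESI 0012DEFC ASCII "anih$"
EDI 0012DECC
EIP 77D525BA USER32.77D525BA
"""

# One 32-bit register per line: NAME, 8 hex digits, optional annotation.
REG_LINE = re.compile(r'^(E[A-D]X|E[SD]I|E[SB]P|EIP)\s+([0-9A-Fa-f]{8})(?:\s+(.*))?$')


def parse_registers(dump):
    """Return {name: {"value": int, "note": str}} for every register line."""
    regs = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            name, hexval, note = m.groups()
            regs[name] = {"value": int(hexval, 16), "note": (note or "").strip()}
    return regs


def module_of(note):
    """OllyDbg writes 'module.ADDRESS' when a pointer lies inside a loaded module."""
    m = re.match(r'([A-Za-z0-9_]+)\.[0-9A-Fa-f]{8}', note)
    return m.group(1).upper() if m else None


def ascii_of(note):
    """Extract the string OllyDbg shows when a register points at printable text."""
    m = re.search(r'ASCII "(.*)"', note)
    return m.group(1) if m else None


def triage(regs, frame_slack=0x10000):
    """Classify the crash from the register state.

    frame_slack (assumed heuristic): on an intact frame EBP sits a little above
    ESP; a distance beyond this many bytes is treated as a clobbered frame pointer.
    """
    esp = regs["ESP"]["value"]
    ebp = regs["EBP"]["value"]
    result = {
        "eip": regs["EIP"]["value"],
        "eip_module": module_of(regs["EIP"]["note"]),
        "ebp_clobbered": abs(ebp - esp) > frame_slack,
        "esi_ascii": ascii_of(regs["ESI"]["note"]),
    }
    if result["ebp_clobbered"]:
        where = result["eip_module"] or "an unknown module"
        result["verdict"] = "saved frame pointer overwritten; faulted inside %s" % where
    else:
        result["verdict"] = "frame looks intact; treat as an ordinary fault"
    return result


if __name__ == "__main__":
    regs = parse_registers(OLLY_DUMP)
    for key, val in triage(regs).items():
        print("%-14s %s" % (key, hex(val) if isinstance(val, int) and not isinstance(val, bool) else val))
```

Run against the pasted dump, the helper reports the fault inside USER32 with EBP nowhere near the stack and ESI pointing at "anih$", which is consistent with the thread's reading that the overwrite is happening but control is landing on the wrong instruction for this user32.dll build.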