[framework] Metasploit vs ANI

Thomas Werth thomas.werth at vahle.de
Wed Apr 4 02:35:10 CDT 2007


In process memory 0x769FC81A is a MOV ECX,DWORD PTR SS:[EBP-1D8].
user32.dll has no address of 0x769fc81a; it is starting with 0x77 ...
Machine is semi-patched (even less than more; how should I test on
this machine when being patched?).

How can I use msfpescan to find an ebx+4 in user32.dll?
./msfpescan -j ebx+4 /path/to/user32.dll
raises (no surprise) a syntax error,

./msfpescan -j ebx /path/to/user32.dll
just lists ebx calls.


mmiller at hick.org schrieb:
> Yeah, your machine has an older version of user32.dll.  With that said,
> if you're using the Automatic target, it should also try to trigger the
> vulnerability using a complete overwrite of the return address with
> 0x769fc81a.  What do you get when you disassemble this address?  If it's
> something other than a call [ebx+4], then that will explain why it's
> failing to hit in both cases.  Is the machine you're testing against
> using the latest patches (aside from the latest ANI patch)?
> 
> On Wed, Apr 04, 2007 at 08:59:46AM +0200, Thomas Werth wrote:
>> user32.dll is version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
>>
>> instruction in user32.dll around 0x77d525ba looks like this
>>
>> 77D525B3                 mov     ebx, [esi+0DCh]
>> 77D525B9                 test    ebx, ebx
>> 77D525BB                 mov     [ebp+arg_0], eax
>>
>> seems like this user32.dll doesn't find to what metasploit opcode db
>> prints out .
>>
>>
>> mmiller at hick.org schrieb:
>>> What version of user32.dll do you have?  What is the instruction at
>>> 77d525ba?  The partial overwrite is succeeding, but it appears you have
>>> something other than a call [ebx+4] at this location.
>>>
>>> On Wed, Apr 04, 2007 at 08:26:44AM +0200, Thomas Werth wrote:
>>>> ok here are details
>>>>
>>>> msf 3 latest updates running on bt2 hd install. Using
>>>> win/shell/bind_tcp payload.
>>>> Test vmware windows xp sp2 german, no ani patch installed, running as admin.
>>>> Using OllyDbg on IE.
>>>> WinXp connects to given msf random uri as soon as msf shows ready signals.
>>>>
>>>> OllyDbg is catching on error:
>>>> EAX ED40601B
>>>> ECX 7C92056D ntdll.7C92056D
>>>> EDX 00000000
>>>> EBX 0012DF80
>>>> ESP 0012DECC
>>>> EBP FED47515
>>>> ESI 0012DEFC ASCII "anih$"
>>>> EDI 0012DECC
>>>> EIP 77D525BA USER32.77D525BA
>>>> C 0  ES 0023 32bit 0(FFFFFFFF)
>>>> P 1  CS 001B 32bit 0(FFFFFFFF)
>>>> A 0  SS 0023 32bit 0(FFFFFFFF)
>>>> Z 1  DS 0023 32bit 0(FFFFFFFF)
>>>> S 0  FS 003B 32bit 7FFDF000(FFF)
>>>> T 0  GS 0000 NULL
>>>> D 0
>>>> O 0  LastErr ERROR_INVALID_PARAMETER (00000057)
>>>> EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
>>>> ST0 empty -??? FFFF 0084837B 6B84837B
>>>> ST1 empty -??? FFFF 00000000 6B000000
>>>> ST2 empty -??? FFFF 00000084 0083007B
>>>> ST3 empty -??? FFFF 00000084 0083007B
>>>> ST4 empty -??? FFFF 6B84837B 6B84837B
>>>> ST5 empty -??? FFFF 00000084 0083007B
>>>> ST6 empty 1.0000000000000000000
>>>> ST7 empty 1.0000000000000000000
>>>>                3 2 1 0      E S P U O Z D I
>>>> FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
>>>> FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1