Metasploit mailing list archives
MSF and Windows SP3 (solved)
From: security at vahle.de (Thomas Werth)
Date: Wed, 04 Jun 2008 07:54:36 +0200
DEP and Firewall are off. Target is Windows XP SP2 German. In this example I used windows/shell/bind_tcp:

msf exploit(bf2v1) > rexploit
[*] Started bind handler
[*] Trying target Windows XP SP2 German jmpESP...Payload Size 1255
[*] Sending stage (501 bytes)
[*] Command shell session 1 opened
...

Debugger error message is attached. EIP has 0012EC8C; ESP 0012EC84.
Here is part of the stack at the error:

Stack[00000F24]:0012EC84 db 84h ; ? <---------- ESP
Stack[00000F24]:0012EC85 db 0ECh ; ?
Stack[00000F24]:0012EC86 db 12h
Stack[00000F24]:0012EC87 db 0
Stack[00000F24]:0012EC88 db 1Bh
Stack[00000F24]:0012EC89 db 0
Stack[00000F24]:0012EC8A db 0EEh ; ?
Stack[00000F24]:0012EC8B db 1
Stack[00000F24]:0012EC8C db 0 <--------- EIP
Stack[00000F24]:0012EC8D db 0
Stack[00000F24]:0012EC8E db 0
Stack[00000F24]:0012EC8F db 0
Stack[00000F24]:0012EC90 db 23h ; #
Stack[00000F24]:0012EC91 db 0
Stack[00000F24]:0012EC92 db 0FFh

EBP points to ws2_32.dll:71A10000

ws2_32.dll:71A10000 ws2_32_dll segment byte public 'CONST' use32
ws2_32.dll:71A10000 assume cs:ws2_32_dll
ws2_32.dll:71A10000 ;org 71A10000h
ws2_32.dll:71A10000 saved_fp db 4Dh ; M

netstat -ano on the target confirms an established connection.
Just tell me if you need more specific debugger output.

greets
Thomas

mmiller at hick.org wrote:
> On Tue, Jun 03, 2008 at 08:38:26AM +0200, Thomas Werth wrote:
>> Dear List,
>> so finally I've found the problem. All staged payloads fail. Can someone give a hint why this can happen?
>
> Staged payloads will be executed from the stack after being read in from the network. If DEP is enabled and the stack is non-executable, this may lead to the problems you are seeing. Can you provide output from a debugger that describes the manner in which the stages are crashing and/or failing? This would help figure out exactly what is going on.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error.png
Type: image/png
Size: 3804 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080604/a26aba4b/attachment.png>