Metasploit mailing list archives

strange problem with network-enabled payloads


From: arahzone-msf at yahoo.com (arahzone-msf at yahoo.com)
Date: Tue, 16 May 2006 10:19:06 -0700 (PDT)

Hi HD and Skape,

Thank you very much for your help. As HD said, it was the ESP, and the add esp, -3500
solved my problem.

H D Moore <hdm at metasploit.com> wrote:
It sounds like your stack pointer is too close to EIP. Try prepending the
following bytes before your payload:

"\x81\xc4\x54\xf2\xff\xff" (add esp, -3500)

-HD

On Monday 15 May 2006 13:27, arahzone-msf at yahoo.com wrote:
I have created a simple program that listens on a socket and
copies (strcpy) the received data to another buffer that is smaller than
the buffer used in receive(). I am able to use payloads that don't use
Winsock, such as "execute command", successfully, but all payloads that use
Winsock crash. I have debugged the complete process: the payload is
copied correctly to the target buffer on the stack and the execution
flow is redirected to the beginning of the payload. The problem is just
after the Loadlibrary(ws_32). This call returns the correct address of
ws_32.dll, but the next call contains an ADD [DS:EAX],AL and I get an
access violation on this instruction. As the "execute command"
payload works correctly and I am redirecting the execution flow exactly
at the beginning of the payload, I really don't know what is going wrong.
Is there anyone who could tell me what the problem is? I should add
that I am using msweb to generate and encode the payload, but I use my
own Python script to send it to the vulnerable program. Is there any
register initialization that should be done before executing these
payloads? Last thing to say is that my own download and execute payload
works.
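An added example, not part of the thread, illustrating the mechanism behind HD's fix: when ESP is left inside the buffer that holds the copied code, the first push or call overwrites the code that is still to execute (the winsock payload is larger and makes more calls than "execute command", so it is the one that dies). It also shows how the `add esp, imm` bytes HD posted are encoded and decoded. The addresses and buffer size are constructed values, and `slack` is an assumed margin.

```python
import struct

# Constructed stack layout (not from the thread): the overflowed buffer that
# now holds the copied payload starts at PAYLOAD_ADDR, and after the strcpy
# overflow ESP is left pointing inside that same buffer.
PAYLOAD_ADDR = 0x0012FB00
PAYLOAD_LEN = 0x160
ESP_AFTER_OVERFLOW = 0x0012FB80


def encode_add_esp(imm: int) -> bytes:
    """Encode x86-32 `add esp, imm` as machine code.

    Short form 83 C4 ib when imm fits in a signed byte, otherwise 81 C4 id
    with a little-endian signed dword (HD's bytes: 81 C4 54 F2 FF FF).
    """
    if -128 <= imm <= 127:
        return b"\x83\xc4" + struct.pack("<b", imm)
    return b"\x81\xc4" + struct.pack("<i", imm)


def decode_add_esp(code: bytes) -> int:
    """Inverse of encode_add_esp: recover the signed immediate."""
    if len(code) == 3 and code[:2] == b"\x83\xc4":
        return struct.unpack("<b", code[2:])[0]
    if len(code) == 6 and code[:2] == b"\x81\xc4":
        return struct.unpack("<i", code[2:])[0]
    raise ValueError("not an `add esp, imm` instruction")


def stack_clobbers_payload(esp: int, payload_addr: int, payload_len: int,
                           pushes: int) -> bool:
    """True if `pushes` 4-byte pushes (push/call) starting at esp would write
    into [payload_addr, payload_addr + payload_len). The stack grows down,
    so the writes land in [esp - 4*pushes, esp)."""
    lowest_write = esp - 4 * pushes
    return esp > payload_addr and lowest_write < payload_addr + payload_len


def esp_adjustment(esp: int, payload_addr: int, slack: int = 0x400) -> int:
    """Immediate for `add esp, imm` that moves ESP at least `slack` bytes
    below the payload start (0 if already there). Negative means downward."""
    target = payload_addr - slack
    return 0 if esp <= target else target - esp


if __name__ == "__main__":
    fix = esp_adjustment(ESP_AFTER_OVERFLOW, PAYLOAD_ADDR)
    print("first call clobbers code:",
          stack_clobbers_payload(ESP_AFTER_OVERFLOW, PAYLOAD_ADDR, PAYLOAD_LEN, 1))
    print(f"add esp, {fix} -> {encode_add_esp(fix).hex()}")
```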
