Metasploit mailing list archives

Metasploit vs ANI


From: thomas.werth at vahle.de (Thomas Werth)
Date: Wed, 04 Apr 2007 08:26:44 +0200

OK, here are the details.

msf 3 with the latest updates, running on a bt2 HD install. Using the
win/shell/bind_tcp payload.
Test: VMware Windows XP SP2 German, no ANI patch installed, running as admin.
Using OllyDbg on IE.
WinXP connects to the given msf random URI as soon as msf shows the ready signals.

OllyDbg catches an error:
EAX ED40601B
ECX 7C92056D ntdll.7C92056D
EDX 00000000
EBX 0012DF80
ESP 0012DECC
EBP FED47515
ESI 0012DEFC ASCII "anih$"
EDI 0012DECC
EIP 77D525BA USER32.77D525BA
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_INVALID_PARAMETER (00000057)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 0084837B 6B84837B
ST1 empty -??? FFFF 00000000 6B000000
ST2 empty -??? FFFF 00000084 0083007B
ST3 empty -??? FFFF 00000084 0083007B
ST4 empty -??? FFFF 6B84837B 6B84837B
ST5 empty -??? FFFF 00000084 0083007B
ST6 empty 1.0000000000000000000
ST7 empty 1.0000000000000000000
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Passing execution to the application finishes loading the URL and throws
another error:

EAX 05D54948
ECX 7C92056D ntdll.7C92056D
EDX 00000000
EBX 0012DF80
ESP 0012DECC
EBP 24D7F687
ESI 0012DEFC ASCII "anih$"
EDI 0012DECC
EIP 71BD0205
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_INVALID_PARAMETER (00000057)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 0084837B 6B84837B
ST1 empty -??? FFFF 00000000 6B000000
ST2 empty -??? FFFF 00000084 0083007B
ST3 empty -??? FFFF 00000084 0083007B
ST4 empty -??? FFFF 6B84837B 6B84837B
ST5 empty -??? FFFF 00000084 0083007B
ST6 empty 1.0000000000000000000
ST7 empty 1.0000000000000000000
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1


That's it; no notification to the msf payload handler occurs.
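An added example, not part of this thread and not code from the Metasploit module: a small RIFF walker that checks the anih chunks of an ANI file. In both register dumps ESI points at "anih$", which is the anih chunk tag followed by its little-endian size field, 0x24 = 36 = sizeof(ANIHEADER). The unpatched user32.dll copied an anih chunk into a fixed 36-byte stack buffer using the chunk's declared size, so a file carrying a second, oversized anih chunk is what this check looks for. The helpers chunk, build_ani and check_ani and the two sample files are constructed here for illustration.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER); 0x24 is the '$' shown after "anih" in the ESI dump


def iter_chunks(data, start, end):
    """Yield (fourcc, declared_size, payload, offset) for each RIFF chunk in data[start:end].

    A chunk whose declared size runs past `end` is yielded with the bytes that exist,
    then iteration stops: the truncation is itself reported by the caller.
    """
    off = start
    while off + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", data, off)
        payload = data[off + 8 : min(off + 8 + size, end)]
        yield fourcc, size, payload, off
        if off + 8 + size > end:
            break
        off += 8 + size + (size & 1)  # RIFF pads odd-sized chunks to an even boundary


def check_ani(data):
    """Return a list of findings for an ANI file; an empty list means nothing looked off."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON (ANI) file"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)
    anih_seen = 0

    def walk(start, stop, depth):
        nonlocal anih_seen
        for fourcc, size, payload, off in iter_chunks(data, start, stop):
            if len(payload) < size:
                findings.append(f"{fourcc!r} at 0x{off:x} declares {size} bytes but only {len(payload)} remain")
            if fourcc == b"anih":
                anih_seen += 1
                if size != ANIH_SIZE:
                    findings.append(f"anih #{anih_seen} at 0x{off:x} declares {size} bytes, expected {ANIH_SIZE}")
            elif fourcc == b"LIST" and len(payload) >= 4 and depth < 8:
                # a LIST chunk carries a 4-byte form type followed by nested chunks
                walk(off + 12, off + 8 + len(payload), depth + 1)

    walk(12, end, 0)
    if anih_seen == 0:
        findings.append("no anih chunk")
    elif anih_seen > 1:
        findings.append(f"{anih_seen} anih chunks (a valid ANI has exactly one)")
    return findings


# --- constructed sample files (hypothetical helpers, not from the thread) ---

def chunk(fourcc, payload):
    """Serialise one RIFF chunk with the mandatory pad byte for odd sizes."""
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def build_ani(anih_payloads):
    """Build a RIFF/ACON file holding the given anih chunk bodies and an empty 'fram' LIST."""
    body = b"ACON" + b"".join(chunk(b"anih", p) for p in anih_payloads) + chunk(b"LIST", b"fram")
    return b"RIFF" + struct.pack("<I", len(body)) + body


# cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags: nine DWORDs = 36 bytes
GOOD_ANIH = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 1, 0)
BENIGN_ANI = build_ani([GOOD_ANIH])
OVERSIZED_ANI = build_ani([GOOD_ANIH, b"A" * 0x200])  # second anih with a 512-byte body

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_ANI), ("oversized", OVERSIZED_ANI)):
        print(name, check_ani(sample) or "ok")
```

The walker deliberately trusts nothing in the file: it bounds every chunk by the enclosing RIFF size, descends into LIST chunks only to a fixed depth, and reports both a truncated chunk and a duplicate anih, since the crafted file needs a second anih to reach the vulnerable copy.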


mmiller at hick.org wrote:
It's expected that you'll see bogus characters in the browser.  Is there
any chance that you could try attaching a debugger to the process to see
where it's crashing?  That would provide additional insight into what's
going on.

AFAIK the patch for this issue is out now, so be sure that the machine
you're testing against didn't apply the patch last night.

On Tue, Apr 03, 2007 at 11:54:52AM +0200, Thomas Werth wrote:
I'm using bt2 final and can confirm bogus chars in IE 6/7 on Win XP.

Giorgio Casali wrote:
I'm using Backtrack installed on my HD and, as payload,
windows/meterpreter/reverse_tcp, but still no luck...
Explorer 7 and Firefox are showing ASCII chars when directed to my
crafted page.

Giorgio.



2007/4/2, H D Moore <hdm at metasploit.com>:
Aviv Raff confirmed this patch, merged into dev/stable. Running these
exploits *from* Windows seems to be buggy still, but using something like
BackTrack 2.0 or a non-Linux system to run the exploits seems fine.

-HD

On Monday 02 April 2007 15:40, mmiller at hick.org wrote:
Thanks for the report, Nicolas.  I think you're right (although it's
pretty weird that this worked in my test environment).

I'm not in a place to test this, but can you try this patch out and see
if it fixes the problem for you:



