Metasploit mailing list archives
Metasploit vs ANI
From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 4 Apr 2007 00:10:47 -0700
Yeah, your machine has an older version of user32.dll. With that said, if you're using the Automatic target, it should also try to trigger the vulnerability using a complete overwrite of the return address with 0x769fc81a. What do you get when you disassemble this address? If it's something other than a call [ebx+4], then that will explain why it's failing to hit in both cases. Is the machine you're testing against using the latest patches (aside from the latest ANI patch)?

On Wed, Apr 04, 2007 at 08:59:46AM +0200, Thomas Werth wrote:
> user32.dll is version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158).
> The instructions in user32.dll around 0x77d525ba look like this:
>
>   77D525B3 mov ebx, [esi+0DCh]
>   77D525B9 test ebx, ebx
>   77D525BB mov [ebp+arg_0], eax
>
> Seems like this user32.dll doesn't match what the metasploit opcode db prints out.
>
> mmiller at hick.org wrote:
> > What version of user32.dll do you have? What is the instruction at 77d525ba? The partial overwrite is succeeding, but it appears you have something other than a call [ebx+4] at this location.
> >
> > On Wed, Apr 04, 2007 at 08:26:44AM +0200, Thomas Werth wrote:
> > > OK, here are the details: msf 3, latest updates, running on a bt2 hd install. Using the win/shell/bind_tcp payload. Test: VMware Windows XP SP2 German, no ANI patch installed, running as admin. Using OllyDbg on IE. WinXP connects to the given msf random URI as soon as msf signals ready. OllyDbg is catching on error:
> > >
> > >   EAX ED40601B
> > >   ECX 7C92056D ntdll.7C92056D
> > >   EDX 00000000
> > >   EBX 0012DF80
> > >   ESP 0012DECC
> > >   EBP FED47515
> > >   ESI 0012DEFC ASCII "anih$"
> > >   EDI 0012DECC
> > >   EIP 77D525BA USER32.77D525BA
> > >   C 0  ES 0023 32bit 0(FFFFFFFF)
> > >   P 1  CS 001B 32bit 0(FFFFFFFF)
> > >   A 0  SS 0023 32bit 0(FFFFFFFF)
> > >   Z 1  DS 0023 32bit 0(FFFFFFFF)
> > >   S 0  FS 003B 32bit 7FFDF000(FFF)
> > >   T 0  GS 0000 NULL
> > >   D 0
> > >   O 0  LastErr ERROR_INVALID_PARAMETER (00000057)
> > >   EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
> > >   ST0 empty -??? FFFF 0084837B 6B84837B
> > >   ST1 empty -??? FFFF 00000000 6B000000
> > >   ST2 empty -??? FFFF 00000084 0083007B
> > >   ST3 empty -??? FFFF 00000084 0083007B
> > >   ST4 empty -??? FFFF 6B84837B 6B84837B
> > >   ST5 empty -??? FFFF 00000084 0083007B
> > >   ST6 empty 1.0000000000000000000
> > >   ST7 empty 1.0000000000000000000
> > >                  3 2 1 0      E S P U O Z D I
> > >   FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
> > >   FCW 027F  Prec NEAR,53  Mask 1 1 1 1 1 1
>
> ------------------------------------------------------------------------
> Paul Vahle GmbH & Co. KG, Westicker Strasse 52, D-59174 Kamen, www.vahle.de
> Dipl. Informatiker Thomas Werth, Abteilung TDV (TDV department)
> Phone 0 23 07 / 7 04-366, Fax 0 23 07 / 7 04-444, thomas.werth at vahle.de
> Managing directors (Geschäftsführer): Josef Hütte, Dipl.-Kfm. Dirk Korn, Dipl.-Ing. Michael Pavlidis
> Registered office: Kamen - Amtsgericht Hamm - HRA 2586
> ------------------------------------------------------------------------
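The check mmiller asks for above (does the return address the exploit writes really land on a `call [ebx+4]` in this particular build of user32.dll?) can be done offline against the DLL on disk instead of single-stepping in OllyDbg. The following is an added example, not code from the Metasploit module or its opcode database: it parses the PE section table of a 32-bit DLL, maps a virtual address to its file offset using the preferred ImageBase (or a `base=` you supply if the module was loaded elsewhere), and tests for the exact encoding `FF 53 04` of `call dword ptr [ebx+4]`. Note that the disassembly Thomas posted places 0x77d525ba inside the two-byte `test ebx, ebx` at 0x77d525b9, so a byte-exact check at the address, rather than a glance at nearby instructions, is what settles it. The DLL image, base address and addresses used in the demo run are constructed here; pass the real user32.dll path and 0x769fc81a on the command line to check a target.

```python
"""Verify that an exploit's return address points at call [ebx+4] in a given DLL.

Added example; not Metasploit code. Reads the on-disk PE, so the result is
only valid if the module is loaded at its preferred ImageBase (pass base=
with the actual load address otherwise).
"""
import struct
import sys

CALL_EBX4 = b"\xff\x53\x04"  # encoding of: call dword ptr [ebx+4]


def parse_pe(pe):
    """Return (preferred ImageBase, [(name, va, vsize, raw_ptr, raw_size)])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32 (the 32-bit user32.dll case)
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:      # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(pe, va, base=None):
    """Map a virtual address to a file offset; None if unmapped or not file-backed."""
    image_base, sections = parse_pe(pe)
    rva = va - (base if base is not None else image_base)
    for _name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            return raw_ptr + delta if delta < raw_size else None
    return None


def read_at_va(pe, va, n, base=None):
    """Read n bytes at a virtual address, or None if it is not in the file."""
    off = va_to_offset(pe, va, base)
    return None if off is None else bytes(pe[off:off + n])


def is_call_ebx4(pe, va, base=None):
    """True only if the exact bytes FF 53 04 start at va."""
    return read_at_va(pe, va, 3, base) == CALL_EBX4


def build_sample_pe(text, image_base=0x77D40000, text_va=0x1000, text_raw=0x400):
    """Constructed minimal PE32 with a single .text section (fixture only)."""
    e_lfanew, opt_size = 0x80, 224
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, len(text), text_va, len(text), text_raw)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    return headers.ljust(text_raw, b"\0") + text


# Constructed image: 16 NOPs, then call [ebx+4] at RVA 0x1010, then more NOPs.
SAMPLE_PE = build_sample_pe(b"\x90" * 16 + CALL_EBX4 + b"\x90" * 16)


def main(argv):
    if len(argv) == 3:   # usage: check_ret.py C:\WINDOWS\system32\user32.dll 0x769fc81a
        with open(argv[1], "rb") as f:
            pe = f.read()
        va = int(argv[2], 16)
    else:                # no arguments: demo on the constructed image
        pe, va = SAMPLE_PE, 0x77D41010
    found = read_at_va(pe, va, 3)
    verdict = "call [ebx+4]" if is_call_ebx4(pe, va) else "NOT call [ebx+4]"
    print("%08x: %s -> %s" % (va, found.hex() if found else "unmapped", verdict))


if __name__ == "__main__":
    main(sys.argv)
```

If the bytes at 0x769fc81a in the target's user32.dll are anything other than `ff 53 04`, that build does not carry the gadget the Automatic target relies on and the complete-overwrite attempt cannot work, which is the same conclusion mmiller draws for the partial overwrite at 0x77d525ba.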