Metasploit vs ANI

[thomas.werth at vahle.de (Thomas Werth)]

In Process Mem 0x769FC81A  is a MOV ECX,DWORD PTR SS:[EBP-1D8]
user32.dll has no adress of 0x769fc81a, it is starting with 0x77 ...
Machine is semi patched ( even less then more , how should i test on
this machine when being patched ) .

How can i use msfpescan to find an ebx+4 in user32.dll ?
./msfpescan -j ebx+4 /path/to/user32.dll
raises ( no surprise) syntax error,

./msfpescan -j ebx /path/to/user32.dll
just lists ebx calls-


mmiller at hick.org schrieb:
> Yeah, your machine has an older version of user32.dll.  With that said,
> if you're using the Automatic target, it should also try to trigger the
> vulnerability using a complete overwrite of the return address with
> 0x769fc81a.  What do you get when you disassemble this address?  If it's
> something other than a call [ebx+4], then that will explain why it's
> failing to hit in both cases.  Is the machine you're testing against
> using the latest patches (aside from the latest ANI patch)?
>
> On Wed, Apr 04, 2007 at 08:59:46AM +0200, Thomas Werth wrote:
> > user32.dll is version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
> >
> > instruction in user32.dll around 0x77d525ba looks like this
> >
> > 77D525B3                 mov     ebx, [esi+0DCh]
> > 77D525B9                 test    ebx, ebx
> > 77D525BB                 mov     [ebp+arg_0], eax
> >
> > seems like this user32.dll doesn't find to what metasploit opcode db
> > prints out .
> >
> >
> > mmiller at hick.org schrieb:
> > > What version of user32.dll do you have?  What is the instruction at
> > > 77d525ba?  The partial overwrite is succeeding, but it appears you have
> > > something other than a call [ebx+4] at this location.
> > >
> > > On Wed, Apr 04, 2007 at 08:26:44AM +0200, Thomas Werth wrote:
> > > > ok here are details
> > > >
> > > > msf 3 latested updates running on bt2 hd install. Using
> > > > win/shell/bind_tcp payload
> > > > Test vmware windows xp sp2 german no ani patch installed, running as admin .
> > > > Using ollydgb on ie .
> > > > WinXp connects to given msf random uri as soon as msf shows ready signals.
> > > >
> > > > Ollydg is catching on error :
> > > > EAX ED40601B
> > > > ECX 7C92056D ntdll.7C92056D
> > > > EDX 00000000
> > > > EBX 0012DF80
> > > > ESP 0012DECC
> > > > EBP FED47515
> > > > ESI 0012DEFC ASCII "anih$"
> > > > EDI 0012DECC
> > > > EIP 77D525BA USER32.77D525BA
> > > > C 0  ES 0023 32bit 0(FFFFFFFF)
> > > > P 1  CS 001B 32bit 0(FFFFFFFF)
> > > > A 0  SS 0023 32bit 0(FFFFFFFF)
> > > > Z 1  DS 0023 32bit 0(FFFFFFFF)
> > > > S 0  FS 003B 32bit 7FFDF000(FFF)
> > > > T 0  GS 0000 NULL
> > > > D 0
> > > > O 0  LastErr ERROR_INVALID_PARAMETER (00000057)
> > > > EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
> > > > ST0 empty -??? FFFF 0084837B 6B84837B
> > > > ST1 empty -??? FFFF 00000000 6B000000
> > > > ST2 empty -??? FFFF 00000084 0083007B
> > > > ST3 empty -??? FFFF 00000084 0083007B
> > > > ST4 empty -??? FFFF 6B84837B 6B84837B
> > > > ST5 empty -??? FFFF 00000084 0083007B
> > > > ST6 empty 1.0000000000000000000
> > > > ST7 empty 1.0000000000000000000
> > > >                3 2 1 0      E S P U O Z D I
> > > > FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
> > > > FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
> > --