Metasploit mailing list archives
Metasploit vs ANI
From: security at vahle.de (Thomas Werth)
Date: Wed, 11 Apr 2007 14:12:13 +0200
After further investigations it seems the German version works quite differently. I replaced the payload with a large block of "A", so I might find it in a register/stack. Well, it is stored in ESP and is then quickly overwritten (tested this while keeping the msf ret addresses). In the next investigation step the ret address was set to 41414141 to see how the stack looks when the EIP overwriting occurs. No single register points towards the large block of "A" when EIP shows 41414141. The large block of "A" is found at a different position each time the exploit is run. Can anybody confirm?
Attack machine is BT2 final HD install, latest svn update of msf3; additional addresses are grabbed like hd and Fab described.
Victim is Win XP Prof SP2 German:
user32.dll is 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
userenv.dll is 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Payload tried: reverse shell tcp. Tried meterpreter reverse as shown in the video (but browser, not mail, and using userenv.dll 0x7665c81a).
Debugger shows this:
--------------
EAX 00000001
ECX 7FFDE000
EDX 00140608
EBX B0118980
ESP 0012DC2C
EBP 0012DC8C
ESI 00140000
EDI B0118978
EIP 7C97DF51 ntdll.7C97DF51
-> 7C97DF51 0FB707 MOVZX EAX,WORD PTR DS:[EDI]
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00940094 00940094
ST1 empty -??? FFFF 00940094 00940094
ST2 empty -??? FFFF 00000084 0083007B
ST3 empty -??? FFFF 00000084 0083007B
ST4 empty -??? FFFF 6B84837B 6B84837B
ST5 empty -??? FFFF 00000084 0083007B
ST6 empty 1.0000000000000000000
ST7 empty 1.0000000000000000000
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
------------
After passing back to the app, once again OllyDbg shows:
EAX A253ECC9
ECX 7C92056D ntdll.7C92056D
EDX 7C91EB94 ntdll.KiFastSystemCallRet
EBX 0012DF80
ESP 0012DEC8
EBP E8EDEDD7
ESI 0012DEFC ASCII "anih$"
EDI 0012DECC
EIP 024B7710
-> 024B7710 EB 0F JMP SHORT 024B7721
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_NOACCESS (000003E6)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00940094 00940094
ST1 empty -??? FFFF 00940094 00940094
ST2 empty -??? FFFF 00000084 0083007B
ST3 empty -??? FFFF 00000084 0083007B
ST4 empty -??? FFFF 6B84837B 6B84837B
ST5 empty -??? FFFF 00000084 0083007B
ST6 empty 1.0000000000000000000
ST7 empty 1.0000000000000000000
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
---
I've attached a sniffer and there is no attempt to connect back to the attacker's msf.

Jerome Athias wrote:
> Hi,
> what is your attack machine?
> It seems that the exploit works when it is launched from: MAC OSX, Gentoo, BackTrack... but has some problems when launched from Windows (Unicode...)
> what is your target system? (ie: Windows XP SP2 German, user32.dll version, userenv.dll version, IE6/7)?
> PS: muts did a nice video related to Metasploit/ANI/Backtrack: http://www.milw0rm.com/video/watch.php?id=62
> (btw, did someone test KCPentrix?)
> /JA
>
> security wrote:
>> Well, I tried the same, patched the exploit using addresses gained from userenv.dll 0x7665c81a, 0x766978ab, but without any effect, still no success.
>> Thomas
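The post above hits the usual limit of an all-"A" filler: once EIP reads 41414141 (or any register points into the block), every dword in the block looks the same, so the debugger output cannot say which offset of the buffer ended up in EIP or at [ESP]. The standard fix is a non-repeating cyclic pattern, which is what Metasploit's pattern_create / pattern_offset tools generate. The C below is an added example written for this page, not code from the thread, from the ANI module, or from Metasploit itself; it reimplements the same "Upper lower digit" scheme so that any 4-byte window is unique within the first 20280 bytes. The crash values in main() (EIP 0x41306241, the bytes at [ESP]) are constructed for the demonstration and are not taken from the register dumps in the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill buf with a cyclic pattern of `len` bytes (buf must hold len + 1).
 * Each 3-byte group is "Upper lower digit": Aa0 Aa1 ... Aa9 Ab0 ... Zz9.
 * 26*26*10 groups of 3 bytes = 20280 bytes in which every 4-byte window
 * is unique (uppercase only ever appears at offsets that are 0 mod 3,
 * lowercase at 1 mod 3, digits at 2 mod 3, so a window is never ambiguous).
 * Returns the number of pattern bytes written. */
size_t pattern_create(char *buf, size_t len)
{
    size_t pos = 0;
    for (int u = 'A'; u <= 'Z' && pos < len; u++)
        for (int l = 'a'; l <= 'z' && pos < len; l++)
            for (int d = '0'; d <= '9' && pos < len; d++) {
                const char group[3] = { (char)u, (char)l, (char)d };
                for (int i = 0; i < 3 && pos < len; i++)
                    buf[pos++] = group[i];
            }
    buf[pos] = '\0';
    return pos;
}

/* Map a 32-bit value read from a register (EIP, or the dword at [ESP]) back
 * to its byte offset inside the pattern. x86 is little-endian, so the
 * register's low byte is the pattern byte with the lowest address.
 * Returns -1 when the value does not occur in the pattern. */
long pattern_offset(const char *pattern, size_t len, uint32_t value)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)((value >> (8 * i)) & 0xff);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pattern + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Same lookup for 4 raw bytes copied from a memory dump (e.g. the bytes the
 * debugger shows at [ESP]); they are read as a little-endian dword. */
long pattern_offset_bytes(const char *pattern, size_t len,
                          const unsigned char *mem)
{
    uint32_t v = (uint32_t)mem[0] | ((uint32_t)mem[1] << 8) |
                 ((uint32_t)mem[2] << 16) | ((uint32_t)mem[3] << 24);
    return pattern_offset(pattern, len, v);
}

int main(void)
{
    char pattern[2001];
    size_t n = pattern_create(pattern, 2000);

    /* Constructed crash values (hypothetical, not from the thread): what EIP
     * and [ESP] might read once the pattern replaces the "A" block. */
    uint32_t eip = 0x41306241u;                     /* bytes "Ab0A" */
    unsigned char at_esp[4] = { 'A', 'e', '3', 'A' };

    printf("pattern starts: %.36s...\n", pattern);
    printf("EIP %08x      -> offset %ld\n", eip, pattern_offset(pattern, n, eip));
    printf("dword at [ESP]    -> offset %ld\n",
           pattern_offset_bytes(pattern, n, at_esp));
    printf("EIP 41414141      -> offset %ld (all-A filler cannot be located)\n",
           pattern_offset(pattern, n, 0x41414141u));
    return 0;
}
```

Usage: generate a pattern at least as long as the buffer the exploit fills, put it where the "A" block was, trigger the crash, then feed the EIP value and the first dword at ESP (and any other register that lands in the buffer) to pattern_offset. The two offsets tell you where the return address sits in the buffer and how far from it the stack pointer lands, which is exactly the information an all-"A" block cannot give once EIP reads 41414141.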
Current thread:
- Metasploit vs ANI, (continued)
- Metasploit vs ANI mmiller at hick.org (Apr 03)
- Metasploit vs ANI Thomas Werth (Apr 03)
- Metasploit vs ANI mmiller at hick.org (Apr 04)
- Metasploit vs ANI Thomas Werth (Apr 04)
- Metasploit vs ANI H D Moore (Apr 04)
- Metasploit vs ANI H D Moore (Apr 04)
- Metasploit vs ANI Fabrice MOURRON (Apr 04)
- Metasploit vs ANI security (Apr 05)
- Metasploit vs ANI Jerome Athias (Apr 05)
- Metasploit vs ANI security (Apr 05)
- Metasploit vs ANI Thomas Werth (Apr 11)
- Metasploit vs ANI Donnie Werner (Apr 05)
- Metasploit vs ANI Jerome Athias (Apr 04)
- Metasploit vs ANI Jerome Athias (Apr 04)
- Metasploit vs ANI Josh Caster (Apr 03)
- Metasploit vs ANI Nicolas RUFF (Apr 02)