Metasploit vs ANI

[security at vahle.de (Thomas Werth)]

After further investigations it seems german version works quite
different. I replaced payload with large block of "A", so i might find
it in register/stack. Well it is stored in esp and is then quickly
overwritten. (tested this while keeping msf ret addresses).

In next investigation step ret address was set to 41414141 to see how
stack looks like when eip overwriting occurs.
No single register points towards large block of "A" when eip shows
41414141 . Large block of "A" is found at different pos each time
exploit is run.

Can anybody confirm ?

> Attack Machine ist bt2 final hd install, latest svn update msf3
> additional addresses are grabbed like hd and Fab described.
>
> Victim is win xp prof sp2 german
> user32dll is 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
> userenv.dll is 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
>
>
> Payload tried reverse shell tcp.
>
> Tried meterpreter reverse as shown in video (but browser not mail and
> using userenv.dll 0x7665c81a )
> debugger shows this
> --------------
> EAX 00000001
> ECX 7FFDE000
> EDX 00140608
> EBX B0118980
> ESP 0012DC2C
> EBP 0012DC8C
> ESI 00140000
> EDI B0118978
> EIP 7C97DF51 ntdll.7C97DF51     -> 7C97DF51   0FB707           MOVZX
> EAX,WORD PTR DS:[EDI]
>
>
> C 0  ES 0023 32bit 0(FFFFFFFF)
> P 1  CS 001B 32bit 0(FFFFFFFF)
> A 0  SS 0023 32bit 0(FFFFFFFF)
> Z 1  DS 0023 32bit 0(FFFFFFFF)
> S 0  FS 003B 32bit 7FFDE000(FFF)
> T 0  GS 0000 NULL
> D 0
> O 0  LastErr ERROR_SUCCESS (00000000)
> EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
> ST0 empty -??? FFFF 00940094 00940094
> ST1 empty -??? FFFF 00940094 00940094
> ST2 empty -??? FFFF 00000084 0083007B
> ST3 empty -??? FFFF 00000084 0083007B
> ST4 empty -??? FFFF 6B84837B 6B84837B
> ST5 empty -??? FFFF 00000084 0083007B
> ST6 empty 1.0000000000000000000
> ST7 empty 1.0000000000000000000
>                3 2 1 0      E S P U O Z D I
> FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
> FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
> ------------
> after passing back to app once again olly dbg shows up
>
> EAX A253ECC9
> ECX 7C92056D ntdll.7C92056D
> EDX 7C91EB94 ntdll.KiFastSystemCallRet
> EBX 0012DF80
> ESP 0012DEC8
> EBP E8EDEDD7
> ESI 0012DEFC ASCII "anih$"
> EDI 0012DECC
> EIP 024B7710 -> 024B7710   EB 0F            JMP SHORT 024B7721
> C 0  ES 0023 32bit 0(FFFFFFFF)
> P 1  CS 001B 32bit 0(FFFFFFFF)
> A 0  SS 0023 32bit 0(FFFFFFFF)
> Z 1  DS 0023 32bit 0(FFFFFFFF)
> S 0  FS 003B 32bit 7FFDE000(FFF)
> T 0  GS 0000 NULL
> D 0
> O 0  LastErr ERROR_NOACCESS (000003E6)
> EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
> ST0 empty -??? FFFF 00940094 00940094
> ST1 empty -??? FFFF 00940094 00940094
> ST2 empty -??? FFFF 00000084 0083007B
> ST3 empty -??? FFFF 00000084 0083007B
> ST4 empty -??? FFFF 6B84837B 6B84837B
> ST5 empty -??? FFFF 00000084 0083007B
> ST6 empty 1.0000000000000000000
> ST7 empty 1.0000000000000000000
>                3 2 1 0      E S P U O Z D I
> FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
> FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
>
>
> ---
>
> i've attached a sniffer and there is no attempt tp connect back to
> attacker msf .
>
> Jerome Athias schrieb:
> > Hi,
> >
> > what is your attack machine?
> > It seems that the exploit works when it is launched from: MAC OSX,
> > Gentoo, BackTrack... but has some problems when launched from Windows
> > (Unicode...)
> >
> > what is your target system? (ie: Windows XP SP2 German, user32.dll
> > version, userenv.dll version, IE6/7)?
> >
> > PS: muts did a nice video related to Metasploit/ANI/Backtrack:
> > http://www.milw0rm.com/video/watch.php?id=62
> >
> > (btw, did someone tested KCPentrix?)
> >
> > /JA
> >
> > security a ?crit :
> > > well i tried same , patched exploit using addresses gained from
> > > userenv.dll
> > > 0x7665c81a
> > > 0x766978ab
> > >
> > > but without any effect still no success .
> > >
> > > Thomas