VNC payload problems

[hdm at metasploit.com (H D Moore)]

Cross-referencing that with the source:
http://metasploit.com/svn/framework3/trunk/external/source/vncdll/winvnc/winvnc/winvnc.cpp

We see that SetWindowPos() is the last call we do that relates to the 
Metasploit modifications to the VNC server. IOW, I have no idea, but it 
looks like something is wrong with the process heap or the transferred 
DLLs content.

-HD

On Tuesday 25 September 2007 21:47, Andres Riancho wrote:
> 885 932 724 NtDelayExecution (0, {-10000000, -1}, ... ) == 0x0
> 886 932 724 NtUserFindWindowEx (0, 0, 0x0, "Metasploit Courtesy Shell
> (TM)", 0, ... ) == 0xbc013a 887 932 724 NtUserSetWindowPos (12321082,
> -1, 0, 0, 0, 0, 3, ... ) == 0x1 888 932 724 NtRequestWaitReplyPort (36,
> {24, 48, new_msg, 0, 452608, 1853182464, 1735289198, 2011287552}
> "\0\0\0\0\14\0\1\00\350\6\0#\1\1\0\0\1\0\0\0\0\0\0" ... {24, 48, reply,
> 0, 932, 724, 43030, 0}
> "\0\0\0\0\14\0\1\0\0\0\0\0#\1\1\0\0\1\0\0\0\0\0\0" ) == 0x0 889 932 724
> NtCreateSemaphore (0x1f0003, 0x0, 0, 2147483647, ... 124, ) == 0x0 890
> 932 724 NtAllocateVirtualMemory (-1, 0, 0, 0, 8192, 4, ... ) ==
> STATUS_INVALID_PARAMETER_4 891 932 724 NtRaiseException (452544,
> 451800, 1, ...
>
> And there it dies with an exception that ain't handled. As I said in my
> first email, the first stage is successfully connecting back,
> downloading the second stage and executing it(at least some sections of
> it), but it seems that one of the last syscalls ( the
> NtAllocateVirtualMemory just after starting the "Metasploit Courtesy
> Shell (TM)" ) is raising an exception. Do you guys know what the
> problem might be ?