Metasploit mailing list archives

bad char issue


From: hdm at metasploit.com (H D Moore)
Date: Thu, 25 Oct 2007 21:45:02 -0500

The only known case of this happening is users of the msfweb interface who 
are not running the latest version. In all other instances, Metasploit 
does not change the data you send via the sock.put() and other calls. If 
by payload, you mean the actual shellcode, one way to verify this is to 
modify the exploit module in question to do a hex-dump of the encoded 
shellcode:

print_line Rex::Text.to_hex_dump(payload.encoded)

More than likely, it is the application that is breaking or modifying your 
code. Another possibility is that the ESP register is too close to your 
data, so stack operations (push, etc.) done by the nop sled result in 
corruption of your payload. If this is the case (are you using a jmp 
esp?), make sure you pass a 'StackAdjustment' => -3500 block in the 
Payload info hash element of your module (many modules do this).

-HD

On Thursday 25 October 2007, Muhaimin Dzulfakar wrote:
I found that Metasploit itself changes one of the characters in my
payload, not the vulnerable application.
I confirmed this by sniffing the packet. The changed character was \xb2,
which had been changed to \x44. I don't think I have to add that
character under BadChar as it's not the application which changes my
payload but my exploit code. How could that happen?
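One way to act on HD's suggestion, as an added example that is not code from this thread or from Metasploit: dump the bytes the module encoded next to the bytes captured on the wire, and list every substituted value so the two sides of the question (framework or application) can be settled from evidence. The byte strings are constructed, and hex_dump is a stand-in for Rex::Text.to_hex_dump.

```ruby
# Added example, not from the thread or the Metasploit codebase.
# Compares the bytes a module intended to send (payload.encoded) with the
# bytes seen in a packet capture and reports every position that differs.

# Minimal hex dump in the spirit of Rex::Text.to_hex_dump (re-implemented
# here; the real helper lives in Metasploit's Rex library).
def hex_dump(data, width = 16)
  data.bytes.each_slice(width).with_index.map do |row, i|
    hex   = row.map { |b| format('%02x', b) }.join(' ')
    ascii = row.map { |b| (0x20..0x7e).cover?(b) ? b.chr : '.' }.join
    format('%08x  %s  %s', i * width, hex.ljust(width * 3 - 1), ascii)
  end.join("\n")
end

# Returns an array of {offset:, sent:, seen:} for each byte that changed.
# Only the common prefix is compared: a length mismatch means truncation,
# which is a different failure mode from byte substitution.
def diff_bytes(sent, seen)
  n = [sent.bytesize, seen.bytesize].min
  changes = []
  sent.bytes.first(n).zip(seen.bytes.first(n)).each_with_index do |(a, b), off|
    changes << { offset: off, sent: a, seen: b } if a != b
  end
  changes
end

# Distinct byte values that were substituted: candidates for the BadChars list.
def candidate_badchars(sent, seen)
  diff_bytes(sent, seen).map { |c| c[:sent] }.uniq.sort
end

# Constructed sample: 12 bytes as the module encoded them ...
SENT = "\x90\x90\xb2\x41\x42\xb2\x43\x00\x44\x45\x0a\x46".b
# ... and as captured from the network, where 0xb2 arrived as 0x44.
SEEN = "\x90\x90\x44\x41\x42\x44\x43\x00\x44\x45\x0a\x46".b

if __FILE__ == $0
  puts "sent:\n#{hex_dump(SENT)}\nseen:\n#{hex_dump(SEEN)}"
  diff_bytes(SENT, SEEN).each do |c|
    printf("offset %d: sent 0x%02x, seen 0x%02x\n", c[:offset], c[:sent], c[:seen])
  end
  puts 'candidate bad chars: ' +
       candidate_badchars(SENT, SEEN).map { |b| format('\x%02x', b) }.join
end
```

If the hex dump printed from inside the module already matches the capture, the framework did not touch the bytes and the substitution happened on the application side.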
