Metasploit mailing list archives

MSF and Windows SP3 (solved)


From: security at vahle.de (Thomas Werth)
Date: Tue, 03 Jun 2008 08:38:26 +0200

Dear List,

so finally I've found the problem. All staged payloads fail.
Can someone give a hint why this can happen?

The program has a subfunc which receives network traffic into a large
buffer. Within that, another subfunc is called which uses strcpy to copy
the received string into a smaller buffer. Now the exploit overwrites the very
stable saved ebp and saved eip. 256 bytes are present before these
8 bytes and 991 bytes after that. When choosing staged payloads, those
fail after connection. The other ones work well. ESP is adjusted with add -3500.
I'd like to understand why the staged ones fail and if I can patch the exploit
so those will work, too.

Thx
Thomas

Thomas Werth schrieb:
Dear List,

one more piece of information. The target program has been tested using
vs2003 with the same exploit (ok, another ret address is used) and there it is
working. Seems I've done something terribly wrong or msf3 payloads have
problems exploiting msvc2008 applications.

regards
Thomas



Thomas Werth schrieb:
Dear List,

I've further investigated what's going on. So I checked the program against
xpsp2. Well, the same things occur here. The session is always created but the
program terminates in the same second. So it seems not to be xpsp3 dependent.
Windows Data Execution Prevention is disabled.
What is new compared to the previous test is that the test program is now built
with the new Visual C 2008 (buffer checks are disabled) and it is using its
CRT DLLs. Can this cause the problems?

greetings
Thomas

_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
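The bug shape described in the thread (a receive function that fills a large buffer, then an inner function that strcpy's the received string into a 256-byte stack buffer sitting just below the saved ebp/eip pair) as an added C example. This is not Thomas Werth's test program and not code from the list; the 256 / 8 / 991 byte figures are taken from his message, while the receive-buffer size (LARGE_BUF), the function names and the sample input are assumptions made here. It shows the unbounded copy next to a bounded replacement that rejects or truncates oversize input, and a small helper that computes how much of a message lands above the saved return address under the reported layout.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stack layout reported in the thread: 256 bytes of buffer sit before the
 * saved ebp/eip pair (8 bytes), and 991 bytes of received data land above
 * them. The receive buffer size is an assumption; the thread only says
 * "large". */
#define SMALL_BUF   256
#define SAVED_REGS  8
#define TAIL_SPACE  991
#define LARGE_BUF   (SMALL_BUF + SAVED_REGS + TAIL_SPACE + 1)   /* 1256, assumed */

/* Vulnerable pattern: unbounded strcpy from the receive buffer into a
 * smaller stack buffer. A string of SMALL_BUF or more bytes runs into the
 * saved frame pointer and return address. Shown for the shape of the bug;
 * main() only ever feeds it a short constructed string. */
static void handle_request_vulnerable(const char *net_buf)
{
    char small[SMALL_BUF];
    strcpy(small, net_buf);                 /* no length check at all */
    printf("vulnerable handler copied %zu bytes\n", strlen(small));
}

/* Hardened copy: writes at most dstsize-1 bytes and always terminates.
 * Returns 0 for a complete copy, 1 if src was truncated, -1 on bad args. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    if (dst == NULL || dstsize == 0 || src == NULL)
        return -1;
    while (n < dstsize && src[n] != '\0')   /* never scan past what fits */
        n++;
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened handler: the length is checked before anything touches the
 * stack buffer. Returns the number of bytes accepted, or -1 if the message
 * would not fit (drop the connection rather than truncate silently). */
int handle_request_safe(const char *net_buf, size_t net_len)
{
    char small[SMALL_BUF];
    if (net_buf == NULL || net_len >= sizeof small)
        return -1;
    memcpy(small, net_buf, net_len);
    small[net_len] = '\0';
    return (int)net_len;
}

/* How many attacker-controlled bytes land above the saved return address
 * for a message of msg_len bytes under the reported layout (0 if the
 * message never reaches it). For 256 + 8 + 991 bytes this is 991. */
size_t bytes_past_saved_eip(size_t msg_len)
{
    size_t eip_end = SMALL_BUF + SAVED_REGS;
    return msg_len > eip_end ? msg_len - eip_end : 0;
}

/* Checks on constructed input (not traffic from the thread). */
int bounded_copy_truncates_oversize(void)
{
    char src[LARGE_BUF], dst[SMALL_BUF];
    memset(src, 'A', sizeof src - 1);
    src[sizeof src - 1] = '\0';
    return copy_bounded(dst, sizeof dst, src) == 1
        && strlen(dst) == SMALL_BUF - 1;
}

int safe_handler_rejects_oversize(void)
{
    char src[LARGE_BUF];
    memset(src, 'A', sizeof src - 1);
    src[sizeof src - 1] = '\0';
    return handle_request_safe(src, strlen(src)) == -1;
}

int main(void)
{
    const char *short_msg = "HELLO";        /* constructed, fits easily */
    handle_request_vulnerable(short_msg);
    printf("safe handler accepted %d bytes\n",
           handle_request_safe(short_msg, strlen(short_msg)));
    printf("oversize rejected: %d\n", safe_handler_rejects_oversize());
    printf("bounded copy truncated: %d\n", bounded_copy_truncates_oversize());
    printf("bytes above saved eip for a 1255-byte string: %zu\n",
           bytes_past_saved_eip(SMALL_BUF + SAVED_REGS + TAIL_SPACE));
    return 0;
}
```

The length check in handle_request_safe belongs in the receiving code path, before the copy, because once strcpy has run the saved ebp/eip are already gone; whether a payload is staged or not only changes what executes afterwards, not whether the frame was corrupted.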
