Metasploit mailing list archives

MSF and Windows SP3 (solved)


From: security at vahle.de (Thomas Werth)
Date: Wed, 04 Jun 2008 07:54:36 +0200

DEP and Firewall are off. Target is Windows XP SP 2 German.

In this example I used windows/shell/bind_tcp

msf exploit(bf2v1) > rexploit
[*] Started bind handler
[*] Trying target Windows XP SP2 German jmpESP...Payload Size 1255
[*] Sending stage (501 bytes)
[*] Command shell session 1 opened ...

Debugger error message is attached; EIP is 0012EC8C, ESP is 0012EC84.
Here is part of the stack at the error:

Stack[00000F24]:0012EC84 db  84h ; ?  <---------- ESP
Stack[00000F24]:0012EC85 db 0ECh ; ?
Stack[00000F24]:0012EC86 db  12h
Stack[00000F24]:0012EC87 db    0
Stack[00000F24]:0012EC88 db  1Bh
Stack[00000F24]:0012EC89 db    0
Stack[00000F24]:0012EC8A db 0EEh ; ?
Stack[00000F24]:0012EC8B db    1
Stack[00000F24]:0012EC8C db    0  <--------- EIP
Stack[00000F24]:0012EC8D db    0
Stack[00000F24]:0012EC8E db    0
Stack[00000F24]:0012EC8F db    0
Stack[00000F24]:0012EC90 db  23h ; #
Stack[00000F24]:0012EC91 db    0
Stack[00000F24]:0012EC92 db 0FFh

EBP points to
ws2_32.dll:71A10000 ws2_32_dll segment byte public 'CONST' use32
ws2_32.dll:71A10000 assume cs:ws2_32_dll
ws2_32.dll:71A10000 ;org 71A10000h
ws2_32.dll:71A10000 saved_fp db  4Dh ; M


netstat -ano on target confirms established connection.

Just tell me if you need more specific debugger output.

greets
Thomas

mmiller at hick.org wrote:
On Tue, Jun 03, 2008 at 08:38:26AM +0200, Thomas Werth wrote:
Dear List,

so finally I've found the problem. All staged payloads fail.
Can someone give a hint why this can happen?

Staged payloads will be executed from the stack after being read in from
the network.  If DEP is enabled and the stack is non-executable, this
may lead to the problems you are seeing.  Can you provide output from a
debugger that describes the manner in which the stages are crashing
and/or failing?  This would help figure out exactly what is going on.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: error.png
Type: image/png
Size: 3804 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080604/a26aba4b/attachment.png>
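The reply above explains that a stage runs from the stack after being read from the network, so a crash dump where EIP lands inside the stack region is the first thing to check. The script below is an added example for that triage step; it is not code from the list or from Metasploit. It parses the IDA-style `db` listing quoted in the mail (the byte values are the ones in the message; the layout and the helper names `parse_dump`, `dword_at` and `triage` are ours) and reports whether EIP falls inside the dumped stack, how far it is from ESP, and what the stack holds at ESP.

```python
import re
from typing import Dict, Optional

# Constructed sample input: the IDA-style stack listing quoted in the mail above
# (addresses and byte values copied from the message; only the text layout is ours).
STACK_DUMP = """\
Stack[00000F24]:0012EC84 db  84h ; ?  <---------- ESP
Stack[00000F24]:0012EC85 db 0ECh ; ?
Stack[00000F24]:0012EC86 db  12h
Stack[00000F24]:0012EC87 db    0
Stack[00000F24]:0012EC88 db  1Bh
Stack[00000F24]:0012EC89 db    0
Stack[00000F24]:0012EC8A db 0EEh ; ?
Stack[00000F24]:0012EC8B db    1
Stack[00000F24]:0012EC8C db    0  <--------- EIP
Stack[00000F24]:0012EC8D db    0
Stack[00000F24]:0012EC8E db    0
Stack[00000F24]:0012EC8F db    0
Stack[00000F24]:0012EC90 db  23h ; #
Stack[00000F24]:0012EC91 db    0
Stack[00000F24]:0012EC92 db 0FFh
"""

# One "db" line: segment, 32-bit address, byte literal in IDA style (84h, 0ECh, 0).
LINE_RE = re.compile(
    r"^Stack\[[0-9A-Fa-f]+\]:(?P<addr>[0-9A-Fa-f]{8})\s+db\s+(?P<val>[0-9A-Fa-f]+)h?\b"
)


def parse_dump(text: str) -> Dict[int, int]:
    """Map each dumped address to its byte value; lines that are not 'db' entries are skipped."""
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            mem[int(m.group("addr"), 16)] = int(m.group("val"), 16)
    return mem


def dword_at(mem: Dict[int, int], addr: int) -> Optional[int]:
    """Little-endian 32-bit read; None if any of the four bytes is missing from the dump."""
    try:
        return sum(mem[addr + i] << (8 * i) for i in range(4))
    except KeyError:
        return None


def triage(mem: Dict[int, int], eip: int, esp: int) -> dict:
    """Summarise what the dump says about the faulting instruction pointer."""
    lo, hi = min(mem), max(mem)
    in_stack = lo <= eip <= hi           # EIP inside the dumped stack window?
    have_code = in_stack and eip + 3 <= hi
    at_esp = dword_at(mem, esp)
    return {
        "eip_in_dumped_stack": in_stack,
        "eip_minus_esp": eip - esp,      # how far above ESP execution stopped
        "bytes_at_eip": bytes(mem[a] for a in range(eip, eip + 4)) if have_code else None,
        "dword_at_esp": at_esp,
        "esp_points_to_itself": at_esp == esp,  # the top of stack holds its own address
    }


if __name__ == "__main__":
    memory = parse_dump(STACK_DUMP)
    for key, value in triage(memory, eip=0x0012EC8C, esp=0x0012EC84).items():
        print(f"{key:22} {value!r}")
```

Run on the listing from the mail, the script shows EIP sitting 8 bytes above ESP inside the stack window, the dword at ESP being ESP's own address, and the four bytes at EIP all zero. With DEP enabled, any fetch from that address is exactly the non-executable-stack fault described in the reply; with DEP off, as reported here, `00 00` decodes as `add [eax], al`, which faults as soon as EAX is not a writable address, so the dump still points at control transferring into stack memory rather than at the intended stage code.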

