Metasploit mailing list archives
strange problem with network enabled payloads
From: arahzone-msf at yahoo.com (arahzone-msf at yahoo.com)
Date: Mon, 15 May 2006 12:11:02 -0700 (PDT)
Hi,

Yes, I have specified 0x00 as a bad character. Although the payload passes only through a strcpy() and 0x00 should (logically) be the only bad character, I have also checked the payload in Olly just before executing the ret, to be sure that it has been copied correctly. Everything looks fine. Is there anything else that I should check? The strange thing is that the call that goes to the access-violating instruction lands in the middle of an instruction. I mean Olly has aligned the code differently and the call lands in the middle of an instruction.

Thanks

mmiller at hick.org wrote:
> On Mon, May 15, 2006 at 11:27:30AM -0700, arahzone-msf at yahoo.com wrote:
> > Hi, I have created a simple program that listens on a socket and copies (strcpy) the received data to another buffer that is smaller than the buffer used in receive(). I am able to use payloads that don't use Winsock, such as "execute command", successfully, but all payloads that use Winsock crash. I have debugged the complete process: the payload is copied correctly to the target buffer on the stack and the execution flow is redirected to the beginning of the payload. The problem is just after the LoadLibrary(ws2_32). This call returns the correct address of ws2_32.dll, but the next call contains an ADD [DS:EAX],AL and I get an access violation on this instruction. As the "execute command" payload works correctly and I am redirecting the execution flow exactly to the beginning of the payload, I really don't know what is going wrong.
>
> This sounds like a payload truncation issue. This could be related to bad characters. Did you specify 0x00 as being a bad character for the exploit you're working with?
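The truncation mmiller is pointing at, as an added example that is not part of the thread (my own C code, not Metasploit's and not the poster's test program): it checks a payload for bad characters, then simulates the server's strcpy() to show how many bytes actually arrive when the payload contains a 0x00, and compares a NUL-free rewrite of the same instructions. One fact worth checking in the debugger, which the example also uses: the x86 opcode bytes 00 00 decode as ADD [EAX],AL, so landing on that instruction right after a call usually means execution has walked off the end of the bytes strcpy() delivered into zero-filled memory. The instruction bytes below are hand-assembled and constructed for the example, and the simulation pre-zeroes its destination buffer (an assumption; a real stack holds whatever was there before the copy).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample fragments (hand-assembled x86, not generated by
 * Metasploit).  The naive one contains NUL bytes because "push 0" encodes
 * as 6A 00 and "mov eax, 0" as B8 00 00 00 00. */
static const unsigned char naive[] = {
    0x31, 0xC0,                   /* xor eax, eax */
    0x50,                         /* push eax     */
    0x6A, 0x00,                   /* push 0       */
    0xB8, 0x00, 0x00, 0x00, 0x00, /* mov eax, 0   */
    0xFF, 0xD0                    /* call eax     */
};

/* NUL-free rewrite of the same fragment. */
static const unsigned char nulfree[] = {
    0x31, 0xC0,                   /* xor eax, eax                      */
    0x50,                         /* push eax                          */
    0x50,                         /* push eax      (replaces push 0)   */
    0x31, 0xC0,                   /* xor eax, eax  (replaces mov eax,0)*/
    0xFF, 0xD0                    /* call eax                          */
};

/* For a strcpy() sink the only character that can truncate is 0x00. */
static const unsigned char badchars[] = { 0x00 };

/* Offset of the first byte that appears in badchars, or len if none. */
size_t first_bad_byte(const unsigned char *buf, size_t len,
                      const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return i;
    return len;
}

/* Simulate the vulnerable server: the received bytes are handed to strcpy(),
 * which copies through the first NUL.  dst is pre-zeroed (assumption) and
 * must be larger than len so this simulation itself never overflows.
 * Returns the number of payload bytes that actually arrived in dst. */
size_t strcpy_delivery(const unsigned char *payload, size_t len,
                       unsigned char *dst, size_t dstlen)
{
    char staging[512];
    if (len + 1 > sizeof staging || len + 1 > dstlen)
        return 0;
    memcpy(staging, payload, len);
    staging[len] = '\0';            /* received data followed by a terminator */
    memset(dst, 0, dstlen);
    strcpy((char *)dst, staging);   /* stops at the first 0x00 inside payload */
    return strlen((char *)dst);
}

/* Bytes delivered by the simulated strcpy() for this payload. */
size_t delivered_length(const unsigned char *payload, size_t len)
{
    unsigned char dst[512];
    return strcpy_delivery(payload, len, dst, sizeof dst);
}

/* 1 if the copy was truncated and the first bytes past the truncation point
 * are 00 00, which the CPU decodes as "add byte ptr [eax], al": the
 * instruction the poster sees in the debugger. */
int truncation_lands_on_add_eax_al(const unsigned char *payload, size_t len)
{
    unsigned char dst[512];
    size_t got = strcpy_delivery(payload, len, dst, sizeof dst);
    return got < len && dst[got] == 0x00 && dst[got + 1] == 0x00;
}

static void report(const char *name, const unsigned char *p, size_t len)
{
    size_t bad = first_bad_byte(p, len, badchars, sizeof badchars);
    size_t got = delivered_length(p, len);
    printf("%-8s len=%zu first_bad=%s delivered=%zu add[eax],al=%s\n",
           name, len, bad == len ? "none" : "found", got,
           truncation_lands_on_add_eax_al(p, len) ? "yes" : "no");
}

int main(void)
{
    report("naive", naive, sizeof naive);
    report("nulfree", nulfree, sizeof nulfree);
    return 0;
}
```

The same check applies to a real Metasploit payload: dump the generated bytes, scan them for every character the transport cannot carry (0x00 for strcpy, and typically 0x0a/0x0d for line-oriented protocols), and compare the byte count that reaches the target buffer with the byte count you sent. A Winsock-using payload is longer and far more likely to contain a 0x00 than a small "execute command" stub, which matches the symptom in the thread.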
Current thread:
- strange problem with network enabled payloads arahzone-msf at yahoo.com (May 15)
- strange problem with network enabled payloads H D Moore (May 15)
- strange problem with network enabled payloads arahzone-msf at yahoo.com (May 15)
- strange problem with network enabled payloads arahzone-msf at yahoo.com (May 16)
- strange problem with network enabled payloads mmiller at hick.org (May 15)
- strange problem with network enabled payloads arahzone-msf at yahoo.com (May 15)
- strange problem with network enabled payloads H D Moore (May 15)