Metasploit mailing list archives

strange problem with network enabled payloads


From: arahzone-msf at yahoo.com (arahzone-msf at yahoo.com)
Date: Mon, 15 May 2006 12:11:02 -0700 (PDT)

Hi,

Yes, I have specified 0x00 as a bad character. Although the payload passes only through a strcpy() and 0x00 should
(logically) be the only bad character, I have also checked the payload in Olly just before executing the ret to be sure
that it has been copied correctly. Everything looks fine. Is there anything else that I should check? The strange thing
is that the call that goes to the access-violating instruction lands in the middle of an instruction. I mean Olly has
aligned the code differently and the call lands in the middle of an instruction.

Thanks

mmiller at hick.org wrote:
  On Mon, May 15, 2006 at 11:27:30AM -0700, arahzone-msf at yahoo.com wrote:
Hi,

I have created a simple program that listens on a socket and
copies (strcpy) the received data to another buffer that is smaller than
the buffer used in receive(). I am able to use payloads that don't use
Winsock, such as "execute command", successfully, but all payloads that use
Winsock crash. I have debugged the complete process: the payload is
copied correctly to the target buffer on the stack and the execution
flow is redirected to the beginning of the payload. The problem is just
after the LoadLibrary(ws_32). This call returns the correct address of
ws_32.dll, but the next call contains an ADD [DS:EAX],AL and I have an
access violation on this instruction. As the "execute command" payload
works correctly and I am redirecting the execution flow exactly at the
beginning of the payload, I really don't know what is going wrong.

This sounds like a payload truncation issue. This could be related to
bad characters. Did you specify 0x00 as being a bad character for the
exploit you're working with?
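The receive-then-strcpy pattern from the original post and the truncation mmiller describes, as an added C example that is not code from the thread or from the poster's program. The sample bytes, buffer sizes and helper names are constructed for illustration; the hardened copy shows the length-aware alternative a defender would want in the receiving program.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of "received" data: 12 bytes with an unfiltered 0x00
 * at offset 5, standing in for a payload built without 0x00 as a bad char. */
static const unsigned char sample_recv[] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x00, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46
};
#define SAMPLE_LEN (sizeof sample_recv)

/* Bytes strcpy() actually places in the destination: it stops at the first
 * 0x00, so everything after that byte is silently dropped (truncation). */
size_t strcpy_copied_len(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x00)
            return i;
    return len;
}

/* Offset of the first byte found in the bad-character set, or -1 if none. */
long first_bad_char(const unsigned char *buf, size_t len,
                    const unsigned char *bad, size_t nbad) {
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return (long)i;
    return -1;
}

/* Hardened replacement for the strcpy(): bounded and length-aware. Rejects
 * input that would overflow dst instead of smashing the stack; returns
 * bytes copied, or -1 when rejected. memcpy does not stop at 0x00. */
long bounded_copy(unsigned char *dst, size_t dst_size,
                  const unsigned char *src, size_t src_len) {
    if (src_len > dst_size)
        return -1;
    memcpy(dst, src, src_len);
    return (long)src_len;
}

int main(void) {
    const unsigned char bad[] = { 0x00 };   /* the bad-character set in question */
    unsigned char small[8];                 /* the "smaller buffer" of the post */
    printf("received %zu bytes, strcpy would copy only %zu\n",
           SAMPLE_LEN, strcpy_copied_len(sample_recv, SAMPLE_LEN));
    printf("first bad char at offset %ld\n",
           first_bad_char(sample_recv, SAMPLE_LEN, bad, sizeof bad));
    printf("bounded copy into 8-byte buffer: %ld (rejected)\n",
           bounded_copy(small, sizeof small, sample_recv, SAMPLE_LEN));
    return 0;
}
```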

