Vulnerability Development: Re: Weird shellcode behavior

Re: Weird shellcode behavior

From: Jerome Athias <jerome.athias_at_free.fr>
Date: Mon, 07 May 2007 08:06:19 +0200

Hi,

gljuposti_at_gmail.com wrote:
> I am building an exploit (heap OF) and I am experiencing different shellcode behavior depending on a parameter I can in no way associate with this problem. For one parameter value the shellcode gets executed correctly, but for the other, there are problems.
>
> For example, the calc.exe shellcode creates a calc.exe process (I can see it in task manager), but its window is never displayed.
Exploiting NaviCOPA HTTP server provides a similar scenario,
since there are 2 processes running:
navicpt.exe (behind the shortcut on your desktop ;)
nacicpnt.exe (the targeted process)

Since in the real world you should not just want to run calc on the
target, I assume it's ok :-)
> Some other shellcodes like the add user shellcode don't work at all. I use shellcodes from Metasploit.
>
> The shellcode gets called each time and it hasn't been changed in memory, it just doesn't behave like it should.
>
If you are sure that you correctly found the badchars, the reason could
be that your target is not an english one.
If you edit the shellcode's source code (single_adduser.asm), you will see:
db "cmd.exe /c net user metasploit x /ADD && net localgroup Administrators metasploit /ADD"

For an Italian target, for example, you would have to replace
"Administrators" with something like "Amministratori".
> Has anyone ever experienced something similar or has any idea why it could happen? This leaves me totally confused.
>
> TIA
References:
https://www.securinfos.info/jerome/navicopa_get_overflow.rb
(dev version)
https://www.securinfos.info/old_softwares_vulnerable/_navicpa_old.exe
(vuln version)

PS: I'm thinking of adding a list of the names of the Administrators group
in multiple languages to my MSF eXploit Builder tool, to be able to
modify it on the fly based on the chosen locale:
https://www.securinfos.info/metasploit/MSF_XB.php
So I invite people using a non-English Windows platform to send me the
Administrators' group name with the corresponding locale (language).
Thanks in advance ;-)

Hope it helps
/JA
Received on May 07 2007
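As an added, defender-side illustration of the locale problem discussed in the message (example code written for this page, not from the thread or from Metasploit): a check over constructed process-creation log lines that flags the "net user ... /ADD && net localgroup <group> ... /ADD" chain, whether or not the group token is one of the localized Administrators names it knows. The English and Italian names come from the message; the German, French and Spanish/Portuguese entries are the editor's additions and should be treated as assumptions to verify against your own estate.

```python
import re
from typing import Optional

# Localized names of the built-in Administrators group. English and Italian
# come from the thread; the others are the editor's additions (assumption).
ADMIN_GROUP_NAMES = {
    "administrators",   # en
    "amministratori",   # it
    "administratoren",  # de
    "administrateurs",  # fr
    "administradores",  # es / pt
}

# "net user <name> [<password>] /ADD" and "net localgroup <group> <member> /ADD"
NET_USER_ADD = re.compile(
    r"\bnet\s+user\s+(?P<user>\S+)(?:\s+(?!/)\S+)?\s+/add\b", re.IGNORECASE)
NET_LOCALGROUP_ADD = re.compile(
    r'\bnet\s+localgroup\s+(?P<group>"[^"]+"|\S+)\s+(?P<member>\S+)\s+/add\b',
    re.IGNORECASE)

def detect_adduser_payload(cmdline: str) -> Optional[dict]:
    """Flag a command line that adds a member to the local Administrators group.
    Two independent signals, so an unlisted locale does not blind the check:
    the group token is a known localized Administrators name, or the member
    was created by "net user ... /ADD" earlier in the same command line."""
    created = {m.group("user").lower() for m in NET_USER_ADD.finditer(cmdline)}
    for m in NET_LOCALGROUP_ADD.finditer(cmdline):
        group = m.group("group").strip('"')
        member = m.group("member")
        known_admin = group.lower() in ADMIN_GROUP_NAMES
        chained = member.lower() in created
        if known_admin or chained:
            return {"group": group, "member": member,
                    "known_admin_group": known_admin, "chained_user_add": chained}
    return None

# Constructed sample log lines in a Sysmon-like shape (not real telemetry).
SAMPLE_LOG = [
    "CommandLine=cmd.exe /c net user metasploit x /ADD && net localgroup Administrators metasploit /ADD",
    "CommandLine=cmd.exe /c net user metasploit x /ADD && net localgroup Amministratori metasploit /ADD",
    "CommandLine=cmd.exe /c net user svc p4ss /ADD && net localgroup UnlistedLocaleName svc /ADD",
    'CommandLine=net localgroup "Remote Desktop Users" alice /ADD',
    "CommandLine=net user",
]

if __name__ == "__main__":
    for finding in filter(None, map(detect_adduser_payload, SAMPLE_LOG)):
        print(finding)
```

The third sample line shows the point of the second signal: a group name the list has never seen is still caught because the same command line created the account it promotes.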
