Metasploit mailing list archives
Metasploit vs ANI
From: security at vahle.de (security)
Date: Thu, 05 Apr 2007 11:06:21 +0200
Attack machine is bt2 final hd install, latest svn update msf3.
Additional addresses are grabbed like hd and Fab described.
Victim is Win XP Prof SP2 German.
user32.dll is 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
userenv.dll is 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Payload tried: reverse shell tcp.
Tried meterpreter reverse as shown in the video (but browser, not mail, and
using userenv.dll 0x7665c81a).
Debugger shows this:
--------------
EAX 00000001
ECX 7FFDE000
EDX 00140608
EBX B0118980
ESP 0012DC2C
EBP 0012DC8C
ESI 00140000
EDI B0118978
EIP 7C97DF51 ntdll.7C97DF51 -> 7C97DF51 0FB707 MOVZX EAX,WORD PTR DS:[EDI]
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00940094 00940094
ST1 empty -??? FFFF 00940094 00940094
ST2 empty -??? FFFF 00000084 0083007B
ST3 empty -??? FFFF 00000084 0083007B
ST4 empty -??? FFFF 6B84837B 6B84837B
ST5 empty -??? FFFF 00000084 0083007B
ST6 empty 1.0000000000000000000
ST7 empty 1.0000000000000000000
3 2 1 0 E S P U O Z D I
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
------------
After passing back to the app once again, OllyDbg shows this:
EAX A253ECC9
ECX 7C92056D ntdll.7C92056D
EDX 7C91EB94 ntdll.KiFastSystemCallRet
EBX 0012DF80
ESP 0012DEC8
EBP E8EDEDD7
ESI 0012DEFC ASCII "anih$"
EDI 0012DECC
EIP 024B7710 -> 024B7710 EB 0F JMP SHORT 024B7721
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_NOACCESS (000003E6)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00940094 00940094
ST1 empty -??? FFFF 00940094 00940094
ST2 empty -??? FFFF 00000084 0083007B
ST3 empty -??? FFFF 00000084 0083007B
ST4 empty -??? FFFF 6B84837B 6B84837B
ST5 empty -??? FFFF 00000084 0083007B
ST6 empty 1.0000000000000000000
ST7 empty 1.0000000000000000000
3 2 1 0 E S P U O Z D I
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
---
I've attached a sniffer and there is no attempt to connect back to the
attacker's msf.

Jerome Athias wrote:
> Hi, what is your attack machine?
> It seems that the exploit works when it is launched from: MAC OSX, Gentoo, BackTrack... but has some problems when launched from Windows (Unicode...)
> What is your target system? (ie: Windows XP SP2 German, user32.dll version, userenv.dll version, IE6/7)?
> PS: muts did a nice video related to Metasploit/ANI/Backtrack: http://www.milw0rm.com/video/watch.php?id=62
> (btw, did someone test KCPentrix?)
> /JA
>
> security wrote:
>> Well, I tried the same, patched the exploit using addresses gained from userenv.dll 0x7665c81a 0x766978ab, but without any effect, still no success.
>> Thomas
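As an added example (not part of this thread or of the Metasploit module), a defender-side structural check for animated cursor files. The bytes ESI points at in the second dump, 'anih' followed by '$' (0x24 = 36), are the start of a well-formed anih chunk, 36 being the size of the fixed ANIHEADER structure; a cursor parser that trusts any other declared size for that chunk is the bug class this module targets. The check below walks the RIFF/ACON chunk list (descending into LIST chunks) and flags any anih chunk whose declared size is not 36 or runs past the end of the data. Function names and the inline sample files are my own, constructed for the example.

```python
import struct

# sizeof(ANIHEADER): the size a well-formed anih chunk declares.
# In the register dump above, ESI points at 'anih' followed by '$' (0x24 == 36).
ANIH_EXPECTED_SIZE = 36

def walk_chunks(data, offset, end):
    """Yield (fourcc, chunk_offset, declared_size, payload_offset) for every RIFF
    chunk in data[offset:end], descending into LIST chunks. Stops at the first
    chunk whose declared size runs past `end`, so a bogus size is never followed."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        payload = offset + 8
        yield fourcc, offset, size, payload
        if payload + size > end:
            return
        if fourcc == b"LIST" and size >= 4:
            yield from walk_chunks(data, payload + 4, payload + size)
        offset = payload + size + (size & 1)  # chunk payloads are word-aligned

def check_ani(data):
    """Return a list of findings for an ANI (RIFF/ACON) blob; empty means sane."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    end = min(len(data), 8 + struct.unpack_from("<I", data, 4)[0])
    findings, anih_seen = [], 0
    for fourcc, off, size, payload in walk_chunks(data, 12, end):
        if payload + size > end:
            findings.append(f"chunk {fourcc!r} at {off:#x} declares size {size} past end of data")
        elif fourcc == b"anih":
            anih_seen += 1
            if size != ANIH_EXPECTED_SIZE:
                findings.append(f"anih chunk #{anih_seen} at {off:#x} declares size {size}, "
                                f"expected {ANIH_EXPECTED_SIZE}")
    if anih_seen == 0:
        findings.append("no anih chunk present")
    return findings

def build_sample_ani(anih_sizes):
    """Constructed test data, not a real cursor: one zero-filled anih chunk per size."""
    body = b"ACON"
    for size in anih_sizes:
        body += b"anih" + struct.pack("<I", size) + bytes(size) + (b"\0" if size & 1 else b"")
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

`check_ani(build_sample_ani([36]))` returns no findings, while a file carrying a second anih chunk with a 64-byte declared size is reported with its offset.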
