Untitled

Line of code that causes breakage:
https://github.com/rapid7/meterpreter/blob/master/source/extensions/stdapi/server/net/config/interface.c#L215

    prefixes[prefixes_cnt] = htonl(pPrefix->PrefixLength);

Dereferencing pPrefix causes the problem. Here's the memory properties at the time of call for 3 diff scenarios:


ms08-067 (Broken):
[940] [INTERFACE] pPrefix: 0x0069006D
[940] [INTERFACE][pPrefix] BaseAddress: 00690000
[940] [INTERFACE][pPrefix] AllocationBase: 00680000
[940] [INTERFACE][pPrefix] AllocationProtect: 4
[940] [INTERFACE] Protection Flag: PAGE_READWRITE
[940] [INTERFACE][pPrefix] RegionSize: 176128
[940] [INTERFACE][pPrefix] State: 8192
[940] [INTERFACE][pPrefix] State Flag: MEM_RESERVE
[940] [INTERFACE][pPrefix] Protect: 0
[940] [INTERFACE][pPrefix] Type: 131072
[940] [INTERFACE][pPrefix] Type Flag: MEM_PRIVATE


msfpayload generated exe (works fine):
[888] [INTERFACE] pPrefix: 0x0069006D
[888] [INTERFACE][pPrefix] BaseAddress: 00690000
[888] [INTERFACE][pPrefix] AllocationBase: 00680000
[888] [INTERFACE][pPrefix] AllocationProtect: 2
[888] [INTERFACE] Protection Flag: PAGE_READONLY
[888] [INTERFACE][pPrefix] RegionSize: 995328
[888] [INTERFACE][pPrefix] State: 4096
[888] [INTERFACE][pPrefix] State Flag: MEM_COMMIT
[888] [INTERFACE][pPrefix] Protect: 2
[888] [INTERFACE] Protection Flag: PAGE_READONLY
[888] [INTERFACE][pPrefix] Type: 262144
[888] [INTERFACE][pPrefix] Type Flag: MEM_MAPPED

ms03-026 (works fine):
[840] [INTERFACE] pPrefix: 0x0069006D
[840] [INTERFACE][pPrefix] BaseAddress: 00690000
[840] [INTERFACE][pPrefix] AllocationBase: 00690000
[840] [INTERFACE][pPrefix] AllocationProtect: 4
[840] [INTERFACE] Protection Flag: PAGE_READWRITE
[840] [INTERFACE][pPrefix] RegionSize: 4096
[840] [INTERFACE][pPrefix] State: 4096
[840] [INTERFACE][pPrefix] State Flag: MEM_COMMIT
[840] [INTERFACE][pPrefix] Protect: 4
[840] [INTERFACE] Protection Flag: PAGE_READWRITE
[840] [INTERFACE][pPrefix] Type: 262144
[840] [INTERFACE][pPrefix] Type Flag: MEM_MAPPED