So I am working with a vulnerability and trying to get it to work. It is a client-side activeX vulnerability. So right now I have it in a .wsf file and am working on just getting it to work using cscript.exe before moving it over to Internet Explorer and dealing with its permanent DEP.

It is a SEH overwrite. Where I am at currently is I am able to pivot the stack to where my shellcode is so that ESP points to a JMP ESP and is followed by a NOP slide into my shellcode. I've watched in the debugger and can see that my shellcode begins to execute properly, but along the way I get an exception for an Access Violation because it manipulates one of the registers to a invalid memory location.

This particular application has many bad characters that I had to work around when generating the shellcode. Because of this, I don't have many encoding options that work, but the few that do work copy over correctly onto the stack.

Now, obviously I am not expecting specific help regarding why the particular shellcode or exploit I am working with isn't working because I haven't given you enough information to help me in that respect. However, if it is possible, I'd like maybe a few possibilities on why the shellcode wouldn't work. Bad characters have been accounted for. I generated the shellcode and encoded it with the latest Metasploit version. The shellcode begins to execute properly as I can see it executing in the debugger. I am executing it in a .wsf file using cscript.exe on a Windows XP SP3 box with no software DEP on that process.

I've really just been soaking up as much info as possible and I've made a ton of progress lately, but can't figure this out. Any help would be appreciated.