Created
October 4, 2015 16:19
-
-
Save mrexcessive/11ecc80397a7bd46ad5a to your computer and use it in GitHub Desktop.
ROP gadgets found in DCTFU CTF 2015 exploit 300 challenge
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| See article on https://whitehatters.academy/ | |
| ROP gadgets are: | |
| 0x0000000000000aeb : add bl, ch ; add eax, 0xb8 ; add cl, cl ; ret | |
| 0x0000000000000b6f : add bl, dh ; ret | |
| 0x0000000000000b6d : add byte ptr [rax], al ; add bl, dh ; ret | |
| 0x0000000000000b6b : add byte ptr [rax], al ; add byte ptr [rax], al ; add bl, dh ; ret | |
| 0x0000000000000aef : add byte ptr [rax], al ; add byte ptr [rax], al ; leave ; ret | |
| 0x0000000000000b6c : add byte ptr [rax], al ; add byte ptr [rax], al ; ret | |
| 0x0000000000000af0 : add byte ptr [rax], al ; add cl, cl ; ret | |
| 0x00000000000007db : add byte ptr [rax], al ; add rsp, 8 ; ret | |
| 0x0000000000000899 : add byte ptr [rax], al ; jmp 0x7f9 | |
| 0x0000000000000af1 : add byte ptr [rax], al ; leave ; ret | |
| 0x0000000000000b6e : add byte ptr [rax], al ; ret | |
| 0x000000000000098e : add byte ptr [rcx], al ; ret | |
| 0x0000000000000af2 : add cl, cl ; ret | |
| 0x000000000000098a : add eax, 0x2006f8 ; add ebx, esi ; ret | |
| 0x0000000000000aed : add eax, 0xb8 ; add cl, cl ; ret | |
| 0x0000000000000941 : add eax, edx ; sar rax, 1 ; jne 0x952 ; pop rbp ; ret | |
| 0x000000000000098f : add ebx, esi ; ret | |
| 0x0000000000000938 : add ecx, dword ptr [rax - 0x77] ; ret 0xc148 | |
| 0x00000000000007de : add esp, 8 ; ret | |
| 0x0000000000000940 : add rax, rdx ; sar rax, 1 ; jne 0x953 ; pop rbp ; ret | |
| 0x00000000000007dd : add rsp, 8 ; ret | |
| 0x000000000000098d : and byte ptr [rax], al ; add ebx, esi ; ret | |
| 0x00000000000009bc : and byte ptr [rax], al ; mov rbp, rsp ; call rax | |
| 0x0000000000000912 : and byte ptr [rax], al ; test rax, rax ; je 0x913 ; pop rbp ; jmp rax | |
| 0x0000000000000b49 : call qword ptr [r12 + rbx*8] | |
| 0x0000000000000b4a : call qword ptr [rsp + rbx*8] | |
| 0x00000000000009c1 : call rax | |
| 0x0000000000000937 : clc ; add ecx, dword ptr [rax - 0x77] ; ret 0xc148 | |
| 0x0000000000000945 : clc ; jne 0x94e ; pop rbp ; ret | |
| 0x00000000000009b9 : cmp eax, 0x200442 ; mov rbp, rsp ; call rax | |
| 0x0000000000000906 : cmp eax, 0xe ; ja 0x913 ; pop rbp ; ret | |
| 0x0000000000000905 : cmp rax, 0xe ; ja 0x914 ; pop rbp ; ret | |
| 0x0000000000000a0f : dec dword ptr [rax - 0x77] ; ret 0x8b48 | |
| 0x0000000000000a2b : dec ecx ; ret | |
| 0x0000000000000b4c : fmul qword ptr [rax - 0x7d] ; ret | |
| 0x0000000000000904 : in eax, 0x48 ; cmp eax, 0xe ; ja 0x915 ; pop rbp ; ret | |
| 0x0000000000000909 : ja 0x910 ; pop rbp ; ret | |
| 0x00000000000007d9 : jae 0x7e3 ; add byte ptr [rax], al ; add rsp, 8 ; ret | |
| 0x0000000000000917 : je 0x90e ; pop rbp ; jmp rax | |
| 0x0000000000000954 : je 0x94e ; pop rbp ; mov rsi, rax ; jmp rdx | |
| 0x000000000000089b : jmp 0x7f7 | |
| 0x000000000000091a : jmp rax | |
| 0x000000000000095a : jmp rdx | |
| 0x0000000000000946 : jne 0x94d ; pop rbp ; ret | |
| 0x00000000000009b8 : lea edi, dword ptr [rip + 0x200442] ; mov rbp, rsp ; call rax | |
| 0x0000000000000a2c : leave ; ret | |
| 0x0000000000000989 : mov byte ptr [rip + 0x2006f8], 1 ; ret | |
| 0x0000000000000aee : mov eax, 0 ; leave ; ret | |
| 0x00000000000009bf : mov ebp, esp ; call rax | |
| 0x0000000000000903 : mov ebp, esp ; cmp rax, 0xe ; ja 0x916 ; pop rbp ; ret | |
| 0x0000000000000b47 : mov edi, edi ; call qword ptr [r12 + rbx*8] | |
| 0x0000000000000b46 : mov edi, r15d ; call qword ptr [r12 + rbx*8] | |
| 0x0000000000000958 : mov esi, eax ; jmp rdx | |
| 0x00000000000009be : mov rbp, rsp ; call rax | |
| 0x0000000000000957 : mov rsi, rax ; jmp rdx | |
| 0x0000000000000b68 : nop dword ptr [rax + rax] ; ret | |
| 0x0000000000000b5c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret | |
| 0x0000000000000b5e : pop r13 ; pop r14 ; pop r15 ; ret | |
| 0x0000000000000b60 : pop r14 ; pop r15 ; ret | |
| 0x0000000000000b62 : pop r15 ; ret | |
| 0x0000000000000919 : pop rbp ; jmp rax | |
| 0x0000000000000988 : pop rbp ; mov byte ptr [rip + 0x2006f8], 1 ; ret | |
| 0x0000000000000956 : pop rbp ; mov rsi, rax ; jmp rdx | |
| 0x0000000000000b5b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret | |
| 0x0000000000000b5f : pop rbp ; pop r14 ; pop r15 ; ret | |
| 0x000000000000090b : pop rbp ; ret | |
| 0x0000000000000b63 : pop rdi ; ret | |
| 0x0000000000000b61 : pop rsi ; pop r15 ; ret | |
| 0x0000000000000b5d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret | |
| 0x00000000000007e1 : ret | |
| 0x00000000000008a2 : ret 0x2007 | |
| 0x0000000000000ce2 : ret 0x70c | |
| 0x0000000000000a12 : ret 0x8b48 | |
| 0x000000000000093b : ret 0xc148 | |
| 0x0000000000000a6d : ret 0xd089 | |
| 0x0000000000000942 : ror byte ptr [rax - 0x2f], 1 ; clc ; jne 0x951 ; pop rbp ; ret | |
| 0x0000000000000953 : sal byte ptr [rdx + rsi*8 + 0x5d], cl ; mov rsi, rax ; jmp rdx | |
| 0x0000000000000944 : sar eax, 1 ; jne 0x94f ; pop rbp ; ret | |
| 0x0000000000000943 : sar rax, 1 ; jne 0x950 ; pop rbp ; ret | |
| 0x0000000000000b75 : sub esp, 8 ; add rsp, 8 ; ret | |
| 0x0000000000000b74 : sub rsp, 8 ; add rsp, 8 ; ret | |
| 0x0000000000000b6a : test byte ptr [rax], al ; add byte ptr [rax], al ; add byte ptr [rax], al ; ret | |
| 0x0000000000000915 : test eax, eax ; je 0x910 ; pop rbp ; jmp rax | |
| 0x0000000000000952 : test edx, edx ; je 0x950 ; pop rbp ; mov rsi, rax ; jmp rdx | |
| 0x0000000000000914 : test rax, rax ; je 0x911 ; pop rbp ; jmp rax | |
| 0x0000000000000951 : test rdx, rdx ; je 0x951 ; pop rbp ; mov rsi, rax ; jmp rdx |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment